seg fault in cell_queue_append()

moria1 running git master (e1d3b444) seg faults reliably, soon after startup.

#0  0x000000000042181f in cell_queue_append (queue=0x56e9cf8,
    cell=0x7fffad841db0, wide_circ_ids=1, use_stats=0) at src/or/relay.c:2141
#1  cell_queue_append_packed_copy (queue=0x56e9cf8, cell=0x7fffad841db0,
    wide_circ_ids=1, use_stats=0) at src/or/relay.c:2181
#2  0x000000000048003d in circuitmux_append_destroy_cell (chan=0x56e9b70,
    cmux=0x56e9cd0, circ_id=2147507178, reason=<value optimized out>)
    at src/or/circuitmux.c:1874
#3  0x000000000046ae09 in channel_send_destroy (circ_id=2147507178,
    chan=0x56e9b70, reason=<value optimized out>) at src/or/channel.c:2687
#4  0x000000000047f39c in circuit_mark_for_close_ (circ=0x53d7170, reason=0,
    line=1250, file=0x53f9fb "src/or/circuituse.c")
    at src/or/circuitlist.c:1568
#5  0x0000000000478db8 in circuit_send_next_onion_skin (circ=0x53d7170)
    at src/or/circuitbuild.c:808
#6  0x000000000042595a in connection_edge_process_relay_cell (
    cell=0x7fffad842970, circ=0x53d7170, conn=<value optimized out>,
    layer_hint=<value optimized out>) at src/or/relay.c:1443
#7  0x00000000004264a0 in circuit_receive_relay_cell (cell=0x7fffad842970,
    circ=0x53d7170, cell_direction=CELL_DIRECTION_IN) at src/or/relay.c:226
#8  0x000000000048d9ae in command_process_relay_cell (chan=0x56e9b70,
    cell=0x7fffad842970) at src/or/command.c:462
#9  command_process_cell (chan=0x56e9b70, cell=0x7fffad842970)
    at src/or/command.c:148
#10 0x000000000047249b in channel_tls_handle_cell (cell=0x7fffad842970, 
    conn=0x56e9dd0) at src/or/channeltls.c:924
#11 0x00000000004af256 in connection_or_process_cells_from_inbuf (
    conn=0x56e9dd0) at src/or/connection_or.c:1972
#12 0x00000000004a4008 in connection_handle_read_impl (conn=0x56e9dd0)
    at src/or/connection.c:2949
#13 connection_handle_read (conn=0x56e9dd0) at src/or/connection.c:2990
#14 0x000000000040c076 in conn_read_callback (fd=<value optimized out>, 
    event=8112, _conn=0x1) at src/or/main.c:716
#15 0x00007f5b3a481344 in event_base_loop () from /usr/lib/libevent-1.4.so.2
#16 0x0000000000409e81 in do_main_loop () at src/or/main.c:1996
#17 0x000000000040a1dd in tor_main (argc=<value optimized out>, 
    argv=<value optimized out>) at src/or/main.c:2720
#18 0x00007f5b39732c8d in __libc_start_main (main=<value optimized out>, 
    argc=<value optimized out>, ubp_av=<value optimized out>, 
    init=<value optimized out>, fini=<value optimized out>, 
    rtld_fini=<value optimized out>, stack_end=0x7fffad8430b8)
    at libc-start.c:228
#19 0x0000000000408789 in _start ()

(gdb) print *queue               
$1 = {head = {sqh_first = 0x362c323700000000, sqh_last = 0x1799620}, 
  n = 24820072, insertion_times = 0x17bd00424603d237}

First noticed on #9286 (moved) (unrelated), and you can see another very similar backtrace over there.