seg fault in cell_queue_append()
moria1 running git master (e1d3b444) segfaults reliably, soon after startup.

```
#0  0x000000000042181f in cell_queue_append (queue=0x56e9cf8, cell=0x7fffad841db0, wide_circ_ids=1, use_stats=0) at src/or/relay.c:2141
#1  cell_queue_append_packed_copy (queue=0x56e9cf8, cell=0x7fffad841db0, wide_circ_ids=1, use_stats=0) at src/or/relay.c:2181
#2  0x000000000048003d in circuitmux_append_destroy_cell (chan=0x56e9b70, cmux=0x56e9cd0, circ_id=2147507178, reason=<value optimized out>) at src/or/circuitmux.c:1874
#3  0x000000000046ae09 in channel_send_destroy (circ_id=2147507178, chan=0x56e9b70, reason=<value optimized out>) at src/or/channel.c:2687
#4  0x000000000047f39c in circuit_mark_for_close_ (circ=0x53d7170, reason=0, line=1250, file=0x53f9fb "src/or/circuituse.c") at src/or/circuitlist.c:1568
#5  0x0000000000478db8 in circuit_send_next_onion_skin (circ=0x53d7170) at src/or/circuitbuild.c:808
#6  0x000000000042595a in connection_edge_process_relay_cell (cell=0x7fffad842970, circ=0x53d7170, conn=<value optimized out>, layer_hint=<value optimized out>) at src/or/relay.c:1443
#7  0x00000000004264a0 in circuit_receive_relay_cell (cell=0x7fffad842970, circ=0x53d7170, cell_direction=CELL_DIRECTION_IN) at src/or/relay.c:226
#8  0x000000000048d9ae in command_process_relay_cell (chan=0x56e9b70, cell=0x7fffad842970) at src/or/command.c:462
#9  command_process_cell (chan=0x56e9b70, cell=0x7fffad842970) at src/or/command.c:148
#10 0x000000000047249b in channel_tls_handle_cell (cell=0x7fffad842970, conn=0x56e9dd0) at src/or/channeltls.c:924
#11 0x00000000004af256 in connection_or_process_cells_from_inbuf (conn=0x56e9dd0) at src/or/connection_or.c:1972
#12 0x00000000004a4008 in connection_handle_read_impl (conn=0x56e9dd0) at src/or/connection.c:2949
#13 connection_handle_read (conn=0x56e9dd0) at src/or/connection.c:2990
#14 0x000000000040c076 in conn_read_callback (fd=<value optimized out>, event=8112, _conn=0x1) at src/or/main.c:716
#15 0x00007f5b3a481344 in event_base_loop () from /usr/lib/libevent-1.4.so.2
#16 0x0000000000409e81 in do_main_loop () at src/or/main.c:1996
#17 0x000000000040a1dd in tor_main (argc=<value optimized out>, argv=<value optimized out>) at src/or/main.c:2720
#18 0x00007f5b39732c8d in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffad8430b8) at libc-start.c:228
#19 0x0000000000408789 in _start ()
```

```
(gdb) print *queue
$1 = {head = {sqh_first = 0x362c323700000000, sqh_last = 0x1799620}, n = 24820072, insertion_times = 0x17bd00424603d237}
```

First noticed on legacy/trac#9286 (unrelated), and you can see another very similar backtrace over there.
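Triage note, added here and not part of the report above: the `print *queue` dump can be checked mechanically against the invariants of a BSD-style SIMPLEQ head (which is what a `{sqh_first, sqh_last}` pair is), before reading any further into the backtrace. An empty queue must have `sqh_first == NULL`, `sqh_last == &queue->head.sqh_first` and `n == 0`; a non-empty one must have both pointers and `insertion_times` (printed by gdb as a pointer) inside a plausible user-space range and `n` small. The program below is example code, not Tor's; the struct mirror, the address range `0x400000..0x7fffffffffff` and the cap of 65536 cells are assumptions chosen to match the 64-bit Linux process in the dump, and the dump's words are copied from the gdb output above.

```c
#include <assert.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: mirror of a SIMPLEQ-headed queue as gdb printed it.
 * Field order matches the dump: head{sqh_first, sqh_last}, n, insertion_times. */
typedef struct {
    struct { uintptr_t sqh_first; uintptr_t sqh_last; } head;
    int n;
    uintptr_t insertion_times;
} queue_dump_t;

/* Assumption: user-space, 8-byte-aligned heap/static range on x86-64 Linux. */
static int plausible_ptr(uintptr_t p) {
    return p >= 0x400000ULL && p < 0x800000000000ULL && (p % 8) == 0;
}

/* Decode a 64-bit word as little-endian bytes and collect the printable ones
 * into out (NUL-terminated, up to 8 chars). Returns how many were printable.
 * A pointer slot full of printable bytes is a hint that text was written
 * over the struct, but this function only reports, it does not conclude. */
static int printable_bytes(uint64_t w, char out[9]) {
    int k = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)((w >> (8 * i)) & 0xff);
        if (isprint(b))
            out[k++] = (char)b;
    }
    out[k] = '\0';
    return k;
}

/* 1 if the dumped words could describe a live queue at queue_addr, else 0. */
static int queue_dump_sane(uintptr_t queue_addr, const queue_dump_t *q, int max_cells) {
    /* sqh_first is at offset 0, so &queue->head.sqh_first == queue_addr. */
    if (q->n < 0 || q->n > max_cells)
        return 0;
    if (q->insertion_times != 0 && !plausible_ptr(q->insertion_times))
        return 0;
    if (q->head.sqh_first == 0)                 /* empty queue */
        return q->head.sqh_last == queue_addr && q->n == 0;
    if (q->n == 0)                              /* non-empty but n says empty */
        return 0;
    return plausible_ptr(q->head.sqh_first) && plausible_ptr(q->head.sqh_last);
}

/* Words copied from the gdb output in the report. */
static const uintptr_t kQueueAddr = 0x56e9cf8ULL;
static const queue_dump_t kReportedDump = {
    { 0x362c323700000000ULL, 0x1799620ULL }, 24820072, 0x17bd00424603d237ULL
};

/* Constructed for comparison: what an empty queue at the same address looks like. */
static const queue_dump_t kEmptyDump = { { 0, 0x56e9cf8ULL }, 0, 0 };

int main(void) {
    char txt[9];
    int sane = queue_dump_sane(kQueueAddr, &kReportedDump, 65536);
    int np = printable_bytes(kReportedDump.head.sqh_first, txt);
    printf("reported dump sane: %d\n", sane);
    printf("sqh_first printable bytes (%d): \"%s\"\n", np, txt);
    printf("constructed empty queue sane: %d\n",
           queue_dump_sane(kQueueAddr, &kEmptyDump, 65536));
    return 0;
}
```

Run against the dump, the reported words fail every invariant (n is far above any sane cell count, `sqh_first` and `insertion_times` are outside the address space, and `sqh_first` decodes to the text `72,6`), while the constructed empty queue passes. That only says the memory at `queue` did not hold a live queue when `cell_queue_append()` touched it; which write got there first is for the debugger session on the other ticket to settle.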