Yep - was able to trigger it by running on Solaris and using dtrace to fire a
signal in auth_initialize between the call to register_signals() and the malloc
of iceauth_filename.

Stack trace showed crash in:

program terminated by signal SEGV (no mapping at the fault address)
0xfef74e0f: IceUnlockAuthFile+0x0027:   repnz scasb  
Current function is auth_finalize
  726           IceUnlockAuthFile (iceauth_filename);
(dbx) where
  [1] IceUnlockAuthFile(0x0), at 0xfef74e0f 
=>[2] auth_finalize(), line 726 in "process.c"
  [3] die(sig = 1), line 501 in "process.c"
  [4] catchsig(sig = 1), line 523 in "process.c"
  [5] __sighndlr(0x1, 0x0, 0x8047860, 0x80534a0), at 0xfef1d39f 
  [6] call_user_handler(0x1, 0x0, 0x8047860), at 0xfef128ab 
  [7] sigacthandler(0x1, 0x0, 0x8047860, 0xf, 0x0, 0x0), at 0xfef12a52 
  ---- called from signal handler with signal 1 (SIGHUP) ------
  [8] auth_initialize(authfilename = 0x80681d0 "/.ICEauthority"), line 584 in "process.c"
  [9] main(argc = 1, argv = 0x8047af0), line 157 in "iceauth.c"

Adding a test for NULL filename before calling IceUnlockAuthFile cleared the 
crash, but left the lock file behind.    Moving the initialization of 
authfilename to earlier in auth_initialize allowed the locks to be cleaned up
as well.

Committed fix to git master in commit 0022cf7baf11bccea0024d0dc8c1ecc37e46ef3d.