Awesome, thanks! Sorry I didn't get around to digging into this one. We should get a reproducer committed into atf. Have you drafted a small reproducer that we could adapt?
I tried hard, but no, I couldn't. The buggy code conditionally branched based on a value read from an uninitialized part of memory, and most of the time the value it read was zero, which prevented the bug from rising up to the surface. The reason why it hit Firefox so frequently was apparently that Firefox allocated unusually many TLS blocks.
If only we had MSAN...