I have also been experiencing these sudden terminations of Icedove for some days. Today I attached gdb to find the reason, got a stack trace and found this bug report with identical results.
The crash is caused by a NULL pointer access: oldArray = this->objectSet == NULL. Details here:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fbf740 (LWP 19091)]
js::ConstraintTypeSet::sweep (this=this@entry=0x7fffd6081580, zone=0x7fffcf7a3000, oom=...)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/vm/TypeInference.cpp:4077
(gdb)
(gdb) i s
#0  js::ConstraintTypeSet::sweep (this=this@entry=0x7fffd6081580, zone=0x7fffcf7a3000, oom=...)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/vm/TypeInference.cpp:4077
#1  0x00007ffff294a551 in JSScript::maybeSweepTypes (this=0x7fffca2b8300, oom=oom@entry=0x7fffffffc2a0)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/vm/TypeInference.cpp:4305
#2  0x00007ffff279e405 in SweepThing (oom=0x7fffffffc2a0, script=<optimized out>)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/jsgc.cpp:5361
#3  SweepArenaList<JSScript, js::AutoClearTypeInferenceStateOnOOM*> (sliceBudget=..., arenasToSweep=0x7fffcf7a34f0)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/jsgc.cpp:5376
#4  js::gc::GCRuntime::sweepPhase (this=this@entry=0x7fffdf1683f8, sliceBudget=...)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/jsgc.cpp:5417
#5  0x00007ffff27a309f in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7fffdf1683f8, budget=..., reason=reason@entry=JS::gcreason::REFRESH_FRAME)
    at /build/icedove-tNL3mB/icedove-45.1.0/mozilla/js/src/jsgc.cpp:6086
...
(gdb) p *this
$5 = {<js::TypeSet> = {flags = 3592946040, objectSet = 0x0}, constraintList = 0x0}
(gdb) l
4072        ObjectKey** oldArray = objectSet;
4073
4074        clearObjects();
4075        objectCount = 0;
4076        for (unsigned i = 0; i < oldCapacity; i++) {
4077            ObjectKey* key = oldArray[i];
4078            if (!key)
4079                continue;
4080            if (!IsObjectKeyAboutToBeFinalized(&key)) {
4081                ObjectKey** pentry =