Thu May 16 2024 16:52:24 PDT
  • Classification: Client Software, Developer Infrastructure, Components, Server Software, Other
  • Reporter: nth10sd@gmail.com
  • Keywords: sec-
  • Keywords: (does not contain the string) sec-audit
  • Keywords: (does not contain the string) sec-other
  • Keywords: (does not contain the string) sec-want
305 bugs found.
ID Type Summary Product Comp Assignee Status Resolution Updated
1607665 Crash [@ ??] with BigInt64Array and --no-ggc Core JavaScript Engine andrebargull RESO FIXE 2020-06-05
1571918 Differential Testing: Different output message on ARM32 involving Math.atan2 Core JavaScript Engine: J iireland RESO FIXE 2022-01-10
1870925 Assertion failure: [barrier verifier] Unmarked edge: JS Script 38d5a84660b0 'baseline-ic-stub-code' edge to JS JitCode 38d5a84672e0, at gc/Verifier.cpp:385 Core JavaScript Engine: J iireland RESO FIXE Tue 21:13
1510145 Assertion failure: arena->bufferedCells()->isEmpty(), at js/src/gc/GC.cpp:2433 with recomputeWrappers Core JavaScript Engine jcoppeard RESO FIXE 2019-08-07
1542387 Assertion failure: WeakMapBase::checkMarkingForZone(zone), at js/src/gc/GC.cpp:5286 Core JavaScript: GC jcoppeard RESO DUPL 2023-10-23
1796901 Assertion failure: zoneIsDead, at js/src/gc/GC.cpp:2083 Core JavaScript: GC jcoppeard RESO FIXE 2024-04-09
1404636 Differential Testing: Different output message involving typed arrays Core JavaScript Engine: J jdemooij RESO FIXE 2018-08-28
1592524 Assertion failure: mir->resumePoint(), at js/src/jit/CodeGenerator.cpp:296 Core JavaScript Engine jdemooij RESO FIXE 2020-06-05
1667685 [warp] Assertion failure: !icScript_->hasInlinedChild(entry.pcOffset()), at jit/TrialInlining.cpp:358 with gc Core JavaScript Engine jdemooij RESO FIXE 2024-04-09
1576969 thread '<unnamed>' panicked at 'assertion failed: `(left == right)` left: `68`, right: `64`: Invalid registers for REX-less Op1 encoding', third_party/rust/cranelift-codegen/src/isa/x86/binemit.rs:75:5 Core JavaScript: WebAssem jseward RESO FIXE 2020-06-05
995704 Crash [@ EnterIon] or [@ js::jit::IonCannon] or [@ js::RunScript] Core JavaScript Engine: J kvijayan RESO FIXE 2016-06-04
1423173 Differential Testing: Different output message involving Object.freeze and __proto__ Core JavaScript Engine: J kvijayan RESO FIXE 2018-08-28
1516738 Assertion failure: size_t(reg) < mozilla::ArrayLength(names), at js/src/jit/x86-shared/Constants-x86-shared.h:194 with wasm Core JavaScript: WebAssem lhansen RESO FIXE 2019-08-07
1518331 Assertion failure: false (offset.isValid()), at js/src/jit/shared/Assembler-shared.h:286 Core JavaScript: WebAssem lhansen RESO FIXE 2020-04-06
1707774 Live range splitting can lead to conflicting assignments (was: Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp:257) Core JavaScript Engine: J lhansen RESO FIXE 2024-04-09
1710312 AddressSanitizer: SEGV or Crash [@ js::jit::MachineState::read] Core JavaScript Engine: J lhansen RESO FIXE 2024-04-09
1877357 Assertion failure: v.isUndefined(), at vm/StringType.cpp:2467 Core JavaScript Engine: J nicolas.b.pierron RESO FIXE 2024-04-09
994281 Assertion failure: bufferByteLength - arrayByteOffset >= arrayByteLength, at vm/TypedArrayObject.cpp or Assertion failure: arrayByteOffset <= bufferByteLength, at vm/TypedArrayObject.cpp Core JavaScript Engine: J terrence.d.cole RESO FIXE 2016-06-04
1766806 Assertion failure: *def->output() == alloc, at jit/RegisterAllocator.cpp:270 Core JavaScript: WebAssem ydelendik RESO FIXE 2024-04-09
1678785 AddressSanitizer: SEGV [@ vixl::Memory::Read] Core JavaScript: WebAssem jseward RESO FIXE 2024-04-09
1524692 Assertion failure: expect != replace && replace != output && output != expect, at js/src/jit/arm/MacroAssembler-arm.cpp:5333 with wasm Core JavaScript: WebAssem lhansen RESO FIXE 2019-08-07
1535194 Silent overflow in diffB during far jump setup leads to branch-to-wild-location Core JavaScript: WebAssem lhansen RESO FIXE 2020-06-04
1535482 Assertion failure: !used(), at js/src/jit/Label.h:85 with --arm-asm-nop-fill=1 Core JavaScript: WebAssem lhansen RESO FIXE 2020-06-05
1535848 Crash [@ js::jit::MacroAssembler::patchCall] or Assertion failure: vixl::is_int26(relTarget00), at js/src/jit/arm64/MacroAssembler-arm64.cpp:672 Core JavaScript: WebAssem lhansen RESO FIXE 2020-06-05
1777604 Assertion failure: instCache_[offset] == instValue, at jit/arm64/vixl/MozCachingDecoder.h:77 Core JavaScript: WebAssem rhunt RESO FIXE 2024-04-09
1666051 Test cases (was: Crash at weird memory address on 32-bit builds) Core JavaScript Engine lhansen RESO FIXE 2024-04-09
1463501 Assertion failure: !IsInsideNursery(cell), at js/src/jit/VMFunctions.cpp:695 Core JavaScript Engine sphink RESO FIXE 2019-05-24
1684020 Assertion failure: next == JSOp::CheckThis || next == JSOp::CheckReturn || next == JSOp::CheckThisReinit || next == JSOp::CheckLexical, at vm/Interpreter.cpp:3715 or Assertion failure: v.isSymbol() || v.isBigInt(), at jsnum.cpp:1944 Core JavaScript Engine andrebargull RESO FIXE 2024-04-09
1263558 Assertion failure: isObject(), at dist/include/js/Value.h:1281 Core JavaScript Engine arai.unmht RESO FIXE 2016-05-24
1272523 Assertion failure: args[0].isString(), at js/src/builtin/Intl.cpp:835 Core JavaScript Engine arai.unmht RESO FIXE 2017-02-09
1750935 Differential Testing: Different output message involving RegExp and --fast-warmup Core JavaScript Engine arai.unmht RESO FIXE 2024-04-09
923892 Crash [@ getGeneric] Core JavaScript Engine: J bhackett1024 RESO FIXE 2015-02-25
1190272 Assertion failure: isInt32(), at dist/include/js/Value.h or Assertion failure: isString(), at dist/include/js/Value.h or Assertion failure: isObjectOrNull(), at dist/include/js/Value.h or Assertion failure: isNumber(), at dist/include/js/Value.h Core JavaScript Engine: J bhackett1024 RESO FIXE 2015-11-05
768732 "Assertion failure: [barrier verifier] Unmarked edge: element," Core JavaScript Engine bill.mccloskey RESO FIXE 2013-01-14
855536 Crash [@ js::EncapsulatedValue::writeBarrierPre] with [@ js::CloneFunctionAtCallsite] and [@ js::gc::MarkString] on the stack Core JavaScript Engine bill.mccloskey RESO FIXE 2013-06-26
1566992 Cranelift: Segfault crash Core JavaScript: WebAssem bugzilla RESO FIXE 2020-06-05
1546881 Assertion failure: !mArena || arena == mArena, at memory/build/mozjemalloc.cpp:3960 Core JavaScript Engine cmartin RESO FIXE 2020-01-22
1023758 Incremental cycle collection does not properly handle dead traversed nodes, leading to CSS use-after-free Core XPCOM continuation RESO FIXE 2014-10-09
1030667 AddressSanitizer: double-free with zero-length XHR, depending on behavior of realloc(p, 0) Core DOM: Core & HTML continuation RESO FIXE 2020-02-28
1001569 Valgrind detects Mismatched free() / delete / delete with testcase involving YARR Core JavaScript Engine dtc-moz RESO FIXE 2015-08-30
771398 IonMonkey: Crash at weird location of 0x08d966e8 with testcase and --no-jm Core JavaScript Engine dvander RESO FIXE 2015-05-18
791814 Crash [@ DoDeferredRelease] Core XPConnect dvander RESO DUPL 2012-11-07
769499 "Assertion failure: tc->sc->bodyid < blockid," or "Assertion failure: adjust < blockid," or "Assertion failure: tc->bodyid < blockid," Core JavaScript Engine general RESO WORK 2017-10-26
793805 Crash [@ js_SuppressDeletedElements] Core JavaScript Engine general RESO FIXE 2013-04-18
805300 IonMonkey: Crash [@ compartment] or [@ js::gc::MarkIonCodeRoot] with --enable-more-deterministic and --ion-licm=off Core JavaScript Engine general RESO DUPL 2015-06-17
808023 Crash [@ js::EncapsulatedPtr] Core JavaScript Engine general RESO DUPL 2015-06-17
808140 "Assertion failure: needsBarrier_," Core JavaScript Engine general RESO DUPL 2015-06-17
822941 IonMonkey: Valgrind detects "Conditional jump or move depends on uninitialised value(s)" with js::detail::BumpChunk::new or js::LifoAlloc::getOrCreateChunk on the stack Core JavaScript Engine general RESO FIXE 2014-11-19
831055 "Assertion failure: [infer failure] Missing type in object [0x241d1f0] lastIndex: float," Core JavaScript Engine general RESO FIXE 2013-11-25
873660 Assertion failure: (ptrBits & 0x7) == 0, at ../dist/include/js/Value.h with --ion-regalloc=backtracking Core JavaScript Engine general RESO FIXE 2014-05-05
885988 Assertion failure: !InFreeList(thing->arenaHeader(), thing), at gc/Marking.cpp or Assertion failure: addr % CellSize == 0, at gc/Heap.h Core JavaScript Engine general RESO WORK 2017-10-26
902253 Crash [@ js::types::UseNewTypeForClone] or [@ JSScript::hasBaselineScript] or [@ js::ion::DoCallFallback] Core JavaScript Engine general RESO FIXE 2015-05-18
908867 Crash with SIGTRAP involving --ion-eager --ion-gvn=off --ion-check-range-analysis Core JavaScript Engine general RESO DUPL 2016-10-11
908948 Crash [@ execute] or [@ js::RegExpShared::execute] or Assertion failure: m_value, at assembler/assembler/MacroAssemblerCodeRef.h Core JavaScript Engine general RESO DUPL 2013-10-01
910929 Assertion failure: pt && pt->associatedWith(zone->runtime_), at vm/Runtime.cpp Core JavaScript Engine general RESO WORK 2017-10-26
803386 Valgrind on tbpl detects mismatched free with mozilla::gfx::Scale on the stack Core Graphics gw RESO WORK 2017-10-26
1092947 Crash [@ EnterIon] or [@ js::jit::IonCannon] Core JavaScript Engine: J hv1989 RESO FIXE 2016-06-04
1101576 Assertion failure: Integer input should be equal or higher than Lowerbound., at jit/IonMacroAssembler.cpp Core JavaScript Engine: J hv1989 RESO FIXE 2015-05-18
806291 Use of uninitialised value of size 4 in js::Int32ToString MailNews Core Backend ishikawa RESO FIXE 2016-06-04
825326 "Assertion failure: (obj)->compartment()->isGCMarking()," Core JavaScript Engine jcoppeard RESO FIXE 2013-01-14
1116306 Assertion failure: [barrier verifier] Unmarked edge: allocation log SavedFrame, at gc/Verifier.cpp Core JavaScript: GC jcoppeard RESO FIXE 2016-06-04
1271110 Assertion failure: fop->runtime()->gc.nursery.isEmpty(), at js/src/jit/BaselineJIT.cpp:492 Core JavaScript Engine jcoppeard RESO FIXE 2016-06-06
1833517 Assertion failure: !templateObj->hasDynamicSlots(), at jit/WarpBuilder.cpp:325 Core JavaScript Engine: J jcoppeard RESO FIXE 2024-04-09
1086842 Assertion failure: [infer failure] Missing type in object [0x10512ecf0] value: [0x10512e858], at js/src/jsinfer.cpp Core JavaScript Engine: J jdemooij RESO FIXE 2016-06-04
1285186 Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:313 Core JavaScript Engine jdemooij RESO FIXE 2016-11-21
1308346 Crash [@ __pthread_kill] with [@ free] on the stack Core JavaScript Engine jdemooij RESO FIXE 2017-02-09
1397071 Assertion failure: this->is<T>(), at js/src/jsobj.h:575 Core JavaScript Engine jdemooij RESO FIXE 2018-02-01
1484905 Assertion failure: Length should be greater than 0., at js/src/jit/MacroAssembler.cpp:2031 Core JavaScript Engine jdemooij RESO FIXE 2019-08-07
1527148 Differential Testing: Different output message involving Array.prototype Core JavaScript Engine: J jdemooij RESO FIXE 2019-08-08
1769410 Assertion failure: (offset % sizeof(FloatRegisters::RegisterContent)) == 0, at jit/JitFrames.cpp:2293 Core JavaScript Engine: J jdemooij RESO FIXE 2024-04-09
1871618 AddressSanitizer: heap-use-after-free involving js::jit::ICScript::active or Assertion failure: findInlinedChild(fallback->pcOffset())->active(), at jit/JitScript.cpp:521 Core JavaScript Engine: J jdemooij RESO FIXE Tue 21:14
1037890 CID 1225481: Out-of-bounds read as found by Coverity Core JavaScript Engine jorendorff RESO DUPL 2018-07-06
1150837 Crash [@ GetterSetterWriteBarrierPost] or [@ js::NativeDefineProperty] or [@ js::Nursery::moveToTenured] Assertion failure: !has(SHADOWABLE), at jsapi.h Core JavaScript Engine jorendorff RESO DUPL 2015-04-08
770089 "Assertion failure: lifetime && lifetime->head == uint32_t(head - outerScript->code) && lifetime->entry == uint32_t(entryTarget - outerScript->code)," Core JavaScript Engine jwalden RESO DUPL 2014-05-05
1280246 Crash [@ void js::CheckTracedThing<js::Shape>] with [@ js::ProxyObject::trace] on the stack Core JavaScript Engine jwalden RESO DUPL 2017-07-31
1350464 Crash [@ js::frontend::TokenStream::getTokenInternal] Core JavaScript Engine jwalden RESO FIXE 2017-04-11
819635 IonMonkey: "Assertion failure: [barrier verifier] Unmarked edge: <unknown>," Core JavaScript Engine kvijayan RESO FIXE 2013-11-25
865471 Crash at null with EnterBaseline on the stack involving enableSPSProfilingAssertions Core JavaScript Engine kvijayan RESO FIXE 2015-05-18
909586 Assertion failure: frame->script->code <= pc && pc < frame->script->code + frame->script->length, at vm/SPSProfiler.h Core JavaScript Engine kvijayan RESO FIXE 2015-02-25
1132265 Assertion failure: entry.isIon() || entry.isBaseline() || entry.isIonCache(), at jit/JitFrames.cpp Core JavaScript Engine: J kvijayan RESO FIXE 2016-07-02
1526579 Assertion failure: IsWordAligned(pc_), at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:191 or Assertion failure: entryStack == exitStack, at js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:279 Core JavaScript: WebAssem lhansen RESO FIXE 2019-08-07
893684 OdinMonkey: Assertion failure: (size_t) (dst - src) >= len, at jsutil.h Core JavaScript Engine mail RESO FIXE 2014-11-19
1054538 Crash [@ interpExitTrampoline] with js::jit::IonScript::unlinkFromRuntime and GC on the stack Core JavaScript Engine: J mail RESO FIXE 2016-06-04
1395100 Assertion failure: cmpret == 0, at js/src/jit/arm/Simulator-arm.cpp:1074 Core JavaScript Engine mail RESO FIXE 2017-10-03
854807 Crash [@ js::gc::Cell::tenuredZone] with [@ js::CloneFunctionAtCallsite] on the stack Core JavaScript Engine n.nethercote RESO FIXE 2013-06-26
1137624 MArrayJoin misbehaves when array elements override toString Core JavaScript Engine: J nicolas.b.pierron RESO FIXE 2016-07-02
1204700 Assertion failure: !has(reg), at jit/RegisterSets.h Core JavaScript Engine: J nicolas.b.pierron RESO FIXE 2016-07-02
994406 Crash [@ js::ProfileEntry::setPC] or Assertion failure: size_before == *profiler->size_, at vm/SPSProfiler.cpp Core JavaScript Engine: J nobody RESO DUPL 2016-10-14
1015766 Crash [@ MarkInternal] Core JavaScript Engine nobody RESO WORK 2017-10-26
1034383 Assertion failure: hasScript(), at jsfun.h Core JavaScript Engine: J nobody RESO FIXE 2016-06-04
1101600 Crash at a weird memory address Core JavaScript Engine: J nobody RESO DUPL 2016-10-14
1109517 Assertion failure: [barrier verifier] Unmarked edge: reference-val, at gc/Verifier.cpp Core JavaScript Engine: J nobody RESO WORK 2017-11-15
1125658 Crash [@ JSScript::formalIsAliased] or [@ js::frontend::BytecodeEmitter::isAliasedName] or Assertion failure: argSlot < bindings.numArgs(), at jsscript.cpp Core JavaScript Engine nobody RESO DUPL 2016-11-02
1126032 Crash at SIGTRAP or Assertion failure: Integer input should be lower or equal than Upperbound., at jit/MacroAssembler.cpp Core JavaScript Engine: J nobody RESO DUPL 2016-11-02
1126518 Crash [@ js::HeapPtr] or [@ js::frontend::CGObjectList::finish] or Assertion failure: !*cursor, at frontend/BytecodeEmitter.cpp Core JavaScript Engine nobody RESO DUPL 2016-11-02
1126555 Crash [@ js::HeapPtr] or [@ js::frontend::CGObjectList::finish] or Assertion failure: !objbox->emitLink, at frontend/BytecodeEmitter.cpp Core JavaScript Engine nobody RESO DUPL 2016-11-02
1131267 Assertion failure: bindingIndex < count(), at jsscript.cpp or Assertion failure: !isSingleton(), at jsobjinlines.h Core JavaScript Engine nobody RESO DUPL 2016-11-02
1131342 Crash [@ js::jit::JitProfilingFrameIterator::JitProfilingFrameIterator] Core JavaScript Engine nobody RESO DUPL 2016-11-02
1133354 Assertion failure: (LookupAliasedNameSlot(bceOfDef, bceOfDef->script, pn->name(), &sc)), at frontend/BytecodeEmitter.cpp Core JavaScript Engine nobody RESO DUPL 2016-11-02
1183448 Crash [@ NativeSetExistingDataProperty] or [@ GetExistingProperty] or [@ js::NativeGetProperty] Core JavaScript Engine nobody RESO DUPL 2016-11-02
1190147 Assertion failure: Incompatible write to unboxed property, at jit/MacroAssembler.cpp Core JavaScript Engine: J nobody RESO DUPL 2016-11-02
1193521 Crash [@ js::TraceRoot] Core JavaScript Engine nobody RESO WORK 2019-03-31
1193543 Malloc error with testcase involving --unboxed-arrays Core JavaScript Engine: J nobody RESO DUPL 2015-08-21
1218986 Assertion failure: *p->value().unsafeGet() == ObjectValue(*proxy), at proxy/Proxy.cpp Core JavaScript Engine: J nobody RESO DUPL 2016-11-02
1220915 Crash [@ js::CompartmentChecker::check] Core JavaScript Engine: J nobody RESO DUPL 2015-11-05
1224895 Assertion failure: !constant(), at jit/RegisterSets.h Core JavaScript Engine: J nobody RESO DUPL 2016-11-02
1260405 Crash [@ js::ShapeTable::checkAfterMovingGC] Core JavaScript Engine nobody RESO DUPL 2017-01-12
1314175 Crash at a weird memory address or Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:365 Core JavaScript Engine nobody RESO DUPL 2019-08-07
1460065 Assertion failure: JS::ValueIsNotGray(vp), at js/src/vm/JSCompartment-inl.h:141 Core JavaScript Engine nobody RESO DUPL 2020-12-18
1535901 Crash [@ js::gc::Cell::storeBuffer] or Assertion failure: (asBits_ >> 47) <= JSVAL_TAG_OBJECT, at dist/include/js/Value.h:622 Core JavaScript Engine nobody RESO DUPL 2023-10-23
1831232 AddressSanitizer: heap-buffer-overflow [@JSRope::flatten] or Assertion failure: pos == wholeChars + wholeLength, at vm/StringType.cpp:867 Core JavaScript: GC nobody RESO DUPL 2024-04-09
826588 Differential Testing: Getting different output on 64-bit Windows js shells involving lastIndex Core JavaScript Engine sean.stangl RESO FIXE 2014-05-05
859008 IonMonkey: Crash [@ scopeChain] or [@ js::AbstractFramePtr::evalPrevScopeChain] or Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h or Assertion failure: false (Unexpected state), at vm/Stack.cpp Core JavaScript Engine sean.stangl RESO FIXE 2014-05-05
1195590 Crash [@ js::jit::Simulator::decodeType01] or Assertion failure: Invalid caller frame type when exiting from Ion frame., at jit/MacroAssembler.cpp Core JavaScript Engine: J sean.stangl RESO FIXE 2015-11-05
886102 Crash [@ js::detail::HashTable] or Assertion failure: outermostScript->hasParallelIonScript(), at ion/ParallelFunctions.cpp Core JavaScript Engine shu RESO FIXE 2014-05-05
888470 Assertion failure: target, at ion/x64/Assembler-x64.cpp Core JavaScript Engine shu RESO FIXE 2014-05-05
888618 Assertion failure: InSequentialOrExclusiveParallelSection(), at gc/Heap.h or Assertion failure: hasScript(), at jsfun.h Core JavaScript Engine shu RESO FIXE 2015-05-18
903028 Assertion failure: pt && pt->associatedWith(zone->runtime_), at vm/Runtime.cpp Core JavaScript Engine shu RESO FIXE 2015-02-25
925777 Crash [@ js::types::UseNewTypeForClone] Core JavaScript Engine: J shu RESO FIXE 2015-02-25
942480 Crash [@ js::gc::Cell::runtimeFromAnyThread] or Assertion failure: table, at dist/include/js/HashTable.h or Assertion failure: object->runtimeFromMainThread()->isHeapBusy(), at vm/Debugger.cpp Core JavaScript Engine shu RESO FIXE 2015-02-25
1119579 Assertion failure: !comp.ref().done(), at gc/Zone.h Core JavaScript Engine shu RESO FIXE 2016-06-04
1122833 Assertion failure: !isInterpretedLazy(), at jsfun.h or Assertion failure: hasScript(), at jsfun.h Core JavaScript Engine shu RESO FIXE 2015-02-25
1342261 Assertion failure: comp == compartment || runtime()->isAtomsCompartment(comp) || (srcKind == JS::TraceKind::Object && InCrossCompartmentMap(static_cast<JSObject*>(src), thing)), at js/src/jsgc.cpp:3725 Core JavaScript Engine sphink RESO FIXE 2017-04-11
936737 Crash with SIGTRAP involving --ion-check-range-analysis Core JavaScript Engine: J sunfish RESO FIXE 2014-09-29
944321 --ion-check-range-analysis failure with Float32Array (SIGTRAP) Core JavaScript Engine: J sunfish RESO FIXE 2015-02-25
1454285 Crash [@ js::Shape::numFixedSlots] or [@ js::jit::BaselineCompiler::getEnvironmentCoordinateAddressFromObject] Core JavaScript Engine arai.unmht VERI FIXE 2023-12-06
1325344 Hit MOZ_CRASH(ToInt32 invalid input type) at js/src/jit/Lowering.cpp:2159 Core JavaScript Engine hv1989 VERI FIXE 2023-12-06
1329933 Assertion failure: Double input should be equal or higher than Lowerbound., at js/src/jit/MacroAssembler.cpp:1598 Core JavaScript Engine hv1989 VERI FIXE 2023-12-06
1459568 Assertion failure: InternalBarrierMethods<T>::thingIsNotGray(v) || CurrentThreadIsTouchingGrayThings(), at js/src/gc/Barrier.h:339 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
999759 Crash [@ js::jit::IonBailoutIterator::IonBailoutIterator] Core JavaScript Engine: J marty.rosenberg VERI FIXE 2015-08-30
1345427 Assertion failure: ins->type() == inputType, at js/src/jit/Lowering.cpp:1440 Core JavaScript Engine nobody VERI FIXE 2023-12-06
1410683 Crash [@ JSScript::pcToOffset] involving super Core JavaScript Engine nobody VERI FIXE 2023-12-06
1562102 Assertion failure: *stack == reinterpret_cast<Rooted<void*>*>(this), at dist/include/js/RootingAPI.h:1061 with ES6 classes Core JavaScript Engine nobody VERI FIXE 2023-12-06
1343723 Crash [@ js::jit::MachineState::read] involving Promise Core JavaScript Engine: J tcampbell VERI FIXE 2023-12-06
1551128 Crash [@ JS::BigInt::digit] or Assertion failure: idx < storage_.size(), at dist/include/mozilla/Span.h:679 with BigInt Core JavaScript Engine wingo VERI FIXE 2023-12-06
1556220 Hit MOZ_CRASH(Invalid typed array type) at js/src/jit/MacroAssembler.h:2715 or Crash [@ js::jit::MacroAssembler::storeToTypedIntArray] Core JavaScript Engine: J wingo VERI FIXE 2023-12-06
1517158 Assertion failure: !JS::RuntimeHeapIsCollecting(), at js/src/gc/Cell.h:356 Core JavaScript Engine allstars.chh VERI FIXE 2023-12-06
1335619 Assertion failure: !keyVal.isMagic(JS_ELEMENTS_HOLE), at js/src/builtin/MapObject.cpp:1185 Core JavaScript Engine andrebargull VERI FIXE 2023-12-06
1460436 Assertion failure: ins->input()->type() == MIRType::Double, at js/src/jit/Lowering.cpp:1671 or Assertion failure: ins->type() == MIRType::Int32, at jit/Lowering.cpp:1670 Core JavaScript Engine andrebargull VERI FIXE 2023-12-06
1268034 Assertion failure: isObject(), at dist/include/js/Value.h:1281 Core JavaScript Engine arai.unmht VERI FIXE 2017-02-09
1268740 Crash [@ js::TypedArrayMethods] Core JavaScript Engine arai.unmht VERI FIXE 2016-06-04
1524755 AddressSanitizer: Crash [@ bool InflateUTF8ToUTF16] or Assertion failure: mRangeStart <= mPtr, at dist/include/mozilla/RangedPtr.h:52 Core MFBT arai.unmht VERI FIXE 2023-12-06
762324 "Assertion failure: pc == bce->code(top + tableSize)," Core JavaScript Engine benjamin VERI FIXE 2013-01-19
777776 Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren] Core JavaScript Engine benjamin VERI FIXE 2014-12-10
788701 Invalid read of size 2 [@ str_contains] involving map Core JavaScript Engine benjamin VERI FIXE 2012-12-13
831846 Compartment mismatch with evalcx and watch Core JavaScript Engine benjamin VERI FIXE 2013-03-31
785776 "Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX," Core JavaScript Engine bhackett1024 VERI FIXE 2013-01-19
808481 "Assertion failure: lifetime->entry == uint32_t(entryTarget - outerScript->code)," Core JavaScript Engine bhackett1024 VERI FIXE 2013-04-30
822858 Crash [@ js::EncapsulatedPtr] or [@ js::types::TypeObject::print] or "Assertion failure: [infer failure] Missing type in object [0x10172f070] lastIndex: int," Core JavaScript Engine bhackett1024 VERI FIXE 2013-11-25
851635 Assertion failure: obj->lastProperty() == p->value.shape, at jsinfer.cpp with gcPreserveCode and gc Core JavaScript Engine bhackett1024 VERI FIXE 2013-06-26
878293 Assertion failure: mark <= bump, at ds/LifoAlloc.h Core JavaScript Engine bhackett1024 VERI FIXE 2014-05-05
897202 Crash [@ ToPrimitive] or [@ js::ToNumberSlow] or Assertion failure: v.isObject(), at jsnum.cpp Core JavaScript Engine bhackett1024 VERI FIXE 2014-05-05
969702 Crash [@ PodAssign<char16_t>] or [@ js::CurrentThreadCanAccessRuntime] Core JavaScript Engine: J bhackett1024 VERI FIXE 2015-05-18
969778 Crash [@ js::jit::LiveInterval::addRangeAtHead] or Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp Core JavaScript Engine: J bhackett1024 VERI FIXE 2015-05-18
984766 Crash [@ js::CurrentThreadCanAccessZone] or Assertion failure: addr % CellSize == 0, at gc/Heap.h or Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at dist/include/js/HeapAPI.h Core JavaScript Engine: J bhackett1024 VERI FIXE 2016-06-04
1113744 Assertion failure: isInt32(), at dist/include/js/Value.h Core JavaScript Engine: J bhackett1024 VERI FIXE 2015-02-25
1183375 Assertion failure: !IsInsideNursery(&lir->object()->toConstant()->toObject()), at jit/CodeGenerator.cpp Core JavaScript Engine bhackett1024 VERI FIXE 2015-11-04
896126 Assertion failure: parent, at jswrapper.cpp Core JavaScript Engine bholley VERI FIXE 2014-11-19
758408 "Assertion failure: &obj->getSlotRef(slot) == this," Core JavaScript Engine bill.mccloskey VERI FIXE 2013-02-04
1014973 Assertion failure: ins->input()->type() == MIRType_Double, at jit/Lowering.cpp Core JavaScript Engine: J bugzilla VERI FIXE 2014-09-03
1005590 Crash [@ js::jit::MacroAssembler::branchIfTrueBool] or Assertion failure: lir->mir()->operand()->mightBeType(MIRType_Object), at jit/CodeGenerator.cpp Core JavaScript Engine: J bzbarsky VERI FIXE 2014-09-03
795395 Valgrind on tbpl detects: Invalid read of size 4 with nsGSettingsService on the stack Core Widget: Gtk chrisccoulson VERI FIXE 2013-04-18
735869 IonMonkey: Crash [@ js::shadow::Object::numFixedSlots] or [@ js_SuppressDeletedProperty] Core JavaScript Engine dvander VERI FIXE 2013-01-14
805747 IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, Core JavaScript Engine dvander VERI FIXE 2013-04-18
824856 Crash [@ QuoteString] or [@ js_NewStringCopyN] or "Assertion failure: limit >= start," Core JavaScript Engine dvander VERI FIXE 2013-11-25
785576 "Assertion failure: [infer failure] Missing type in object [0x101f1a3a0] (index): <0x101f1d060>," with evalcx and gc Core JavaScript Engine efaustbmo VERI FIXE 2013-01-19
911707 Assertion failure: arr->lengthIsWritable() (setter shouldn't be called if property is non-writable), at jsarray.cpp Core JavaScript Engine efaustbmo VERI FIXE 2015-02-25
911708 Assertion failure: !isFloat(), at jit/RegisterSets.h Core JavaScript Engine efaustbmo VERI FIXE 2015-02-25
757149 "Assertion failure: (ptrBits & 0x7) == 0," Core JavaScript Engine general VERI FIXE 2015-05-18
811612 Crash [@ strlen] or [@ js_ExpandErrorArguments] Core JavaScript Engine general VERI FIXE 2013-01-19
811616 "Assertion failure: [infer failure] Missing type pushed 0: string," or "Assertion failure: [infer failure] Missing type pushed 0: int," Core JavaScript Engine general VERI FIXE 2013-01-19
831658 "Assertion failure: inUse_.empty()," Core JavaScript Engine general VERI FIXE 2013-03-31
832103 Crash [@ PropertyAccess<(PropertyAccessKind)1>] or [@ js::types::TypeCompartment::resolvePending] or "Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK)," Core JavaScript Engine general VERI FIXE 2013-03-31
855960 Compartment mismatch crashes or Assertion failure: cx->compartment == proto.toObject()->compartment(), at vm/Shape.cpp Core JavaScript Engine general VERI FIXE 2013-06-26
879096 Crash [@ js::ObjectImpl::getOps] or [@ js::EncapsulatedPtr] Core JavaScript Engine general VERI FIXE 2014-05-05
825705 IonMonkey: Crash [@ JSScript::ensureRanAnalysis] or [@ AnalyzeNewScriptProperties] or [@ js_CreateThisForFunctionWithProto] or "Assertion failure: JS_ObjectIsFunction(0, this)," or "Assertion failure: JS_ObjectIsFunction(__null, this)," Core JavaScript Engine hv1989 VERI FIXE 2013-11-25
881470 Crash [@ JSRuntime::needsBarrier] or [@ js::EncapsulatedValue::runtime] Core JavaScript Engine hv1989 VERI FIXE 2014-05-05
952984 Crash [@ js::gc::Cell::chunk] or [@ js::GCMarker::drainMarkStack] or Assertion failure: addr % CellSize == 0, at gc/Heap.h Core JavaScript Engine hv1989 VERI FIXE 2014-11-17
1054512 Crash [@ js::jit::LIRGenerator::visitToInt32] Core JavaScript Engine hv1989 VERI FIXE 2014-10-07
1055762 Assertion failure: conversion != MToDouble::NumbersOnly, at jit/Lowering.cpp Core JavaScript Engine: J hv1989 VERI FIXE 2014-10-08
1055864 Assertion failure: def->type() != MIRType_Object, at jit/MIR.h Core JavaScript Engine: J hv1989 VERI FIXE 2014-10-08
1103032 Crash [@ js::jit::LinearScanAllocator::assign] or Assertion failure: req->kind() == Requirement::NONE, at jit/LinearScan.cpp or Assertion failure: !minimalInterval(interval), at jit/BacktrackingAllocator.cpp Core JavaScript Engine: J hv1989 VERI FIXE 2015-05-18
817002 Crash [@ js::shadow::Object::numFixedSlots] or "Assertion failure: (l.asBits & 0x8000000000000000LL) == 0," or "Assertion failure: JSVAL_IS_DOUBLE_IMPL(data)," Core JavaScript Engine jcoppeard VERI FIXE 2014-05-05
820186 Various crashes/assertions with gczeal(10) and random recursion Core JavaScript Engine jcoppeard VERI FIXE 2014-05-05
986864 Crash [@ memmove] or [@ mozilla::PodCopy] or [@ js_NewStringCopyN] or Assertion failure: PointerRangeSize(src, static_cast<const T*>(dst)) >= nelem, at dist/include/mozilla/PodOperations.h Core JavaScript Engine: J jcoppeard VERI FIXE 2015-08-30
1035371 Crash [@ js::gc::MarkKind] or Assertion failure: kind == MapAllocToTraceKind(cell->tenuredGetAllocKind()), at gc/Marking.cpp Core JavaScript: GC jcoppeard VERI FIXE 2014-09-28
1075546 Assertion failure: entry_ == makeIndex(clasp, key, kind), at vm/Runtime.h Core JavaScript: GC jcoppeard VERI FIXE 2016-06-04
1124563 Assertion failure: obj->lastProperty() == p->value().shape, at jsinfer.cpp Core JavaScript Engine jcoppeard VERI FIXE 2016-06-04
1137341 Assertion failure: ptr.found() && &*ptr == &e.front(), at vm/ObjectGroup.cpp Core JavaScript Engine jcoppeard VERI FIXE 2016-07-02
1146696 Crash [@ JSObject::finalize] or [@ js::gc::GCRuntime::sweepBackgroundThings] Core JavaScript Engine jcoppeard VERI FIXE 2016-07-02
1217593 Assertion failure: Modified registers between VM call and OsiPoint, at jit/MacroAssembler.cpp Core JavaScript Engine: J jcoppeard VERI FIXE 2015-11-10
1264575 Assertion failure: [barrier verifier] Unmarked edge: object slot, at js/src/gc/Verifier.cpp:301 Core JavaScript Engine jcoppeard VERI FIXE 2016-09-22
1308048 Crash [@ js::CompartmentChecker::fail] or Assertion failure: arena()->allocated(), at js/src/gc/Heap.h:1211 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
1312525 Assertion failure: [barrier verifier] Unmarked edge: lazyScript, at js/src/gc/Verifier.cpp:311 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
1322420 [@ js::Scope::environmentChainLength] or Assertion failure: allocated(), at js/src/gc/Heap.h:591 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
1498980 Crash [@ js::gc::IsAboutToBeFinalizedInternal] or Assertion failure: false (IsAboutToBeFinalized(&scope_)), at js/src/vm/EnvironmentObject.cpp:1499 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
1514927 Assertion failure: !auxNextLink && !hasDelayedMarking, at js/src/gc/Heap.h:397 Core JavaScript Engine jcoppeard VERI FIXE 2023-12-06
797163 "Assertion failure: lifetime->entry == uint32_t(entryTarget - outerScript->code)," Core JavaScript Engine jdemooij VERI FIXE 2013-03-19
798819 Crash [@ js::gc::Cell::compartment] or [@ js::ion::FastInvoke] or "Assertion failure: enterJIT_," Core JavaScript Engine jdemooij VERI FIXE 2013-04-18
798823 Crash [@ js::ion::IonJSFrameLayout::calleeToken] or [@ js::ion::SnapshotIterator::SnapshotIterator] Core JavaScript Engine jdemooij VERI FIXE 2013-04-18
801831 IonMonkey: Crash [@ js::gc::Cell::compartment] or [@ js::gc::MarkInternal] or "Assertion failure: thing," Core JavaScript Engine jdemooij VERI FIXE 2013-04-18
855236 Crash with SIGTRAP Core JavaScript Engine jdemooij VERI FIXE 2013-11-25
866611 Assertion failure: length <= MAX_LENGTH, at vm/String.h Core JavaScript Engine jdemooij VERI FIXE 2014-05-05
867482 Crash [@ js::types::Type::ObjectType] or [@ GetValueType] or Assertion failure: !val.isMagic(), at jsobj.cpp Core JavaScript Engine jdemooij VERI FIXE 2014-11-19
877986 Assertion failure: bce->stackDepth >= 0, at frontend/BytecodeEmitter.cpp Core JavaScript Engine jdemooij VERI FIXE 2014-05-05
955850 Assertion failure: safepoint->hasNunboxPayload(alloc), at jit/RegisterAllocator.cpp Core JavaScript Engine: J jdemooij VERI FIXE 2015-02-25
986678 Assertion failure: MIR instruction returned value with unexpected type, at jit/IonMacroAssembler.cpp Core JavaScript Engine: J jdemooij VERI FIXE 2015-08-30
1085464 Crash [@ js::GeneratorObject::suspend] or Assertion failure: isObject(), at dist/include/js/Value.h Core JavaScript Engine: J jdemooij VERI FIXE 2015-05-18
1100129 Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp Core JavaScript: GC jdemooij VERI FIXE 2015-05-18
1182711 Crash [@ js::ScopeIter::operator++] or Assertion failure: ssi_.type() == StaticScopeIter<CanGC>::Function, at vm/ScopeObject.cpp Core JavaScript Engine jdemooij VERI FIXE 2016-07-02
1221385 Crash [@ js::jit::ExecutableAllocator::releasePoolPages] or Assertion failure: m_refCount == 1, at jit/ExecutableAllocator.h or Assertion failure: jrt_->mutatingBackedgeList_, at jit/JitCompartment.h Core JavaScript Engine jdemooij VERI FIXE 2016-09-22
1222917 Crash [@ array_length_setter] Core JavaScript Engine: J jdemooij VERI FIXE 2016-02-29
1268626 Crash [@ ??] or Assertion failure: MIR instruction returned value with unexpected type, at js/src/jit/MacroAssembler.cpp:1454 Core JavaScript Engine jdemooij VERI FIXE 2016-09-22
1287063 Crash [@ js::EnqueuePendingParseTasksAfterGC] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:313 Core JavaScript Engine jdemooij VERI FIXE 2016-11-21
1035438 AddressSanitizer: stack-buffer-overflow with gfxUserFontSet::OTSMessage on the stack Core Graphics: Text jfkthame VERI FIXE 2020-02-28
677032 Crash [@ js::Interpret] or "Assertion failure: isObject()," with e4x Core JavaScript Engine jorendorff VERI FIXE 2013-01-10
787703 "Assertion failure: src->length() > 0 && chars[0] == '('," involving gczeal Core JavaScript Engine jorendorff VERI FIXE 2013-01-10
788364 Invalid write of size 8 [@ js::SetIteratorObject::finalize] Core JavaScript Engine jorendorff VERI DUPL 2013-03-11
1042567 Crash [@ js::FetchName] or Assertion failure: shape->hasSlot(), at vm/Interpreter-inl.h Core JavaScript Engine jorendorff VERI FIXE 2016-06-04
1053676 Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp Core JavaScript Engine jorendorff VERI FIXE 2015-12-01
1141329 Crash [@ JSObject::getGroup] or [@ js::jit::SetPropertyIC::update] Core JavaScript Engine jorendorff VERI FIXE 2015-05-18
1147655 Crash [@ js::Invoke] or [@ js::InvokeGetterOrSetter] or Assertion failure: shape->hasDefaultSetter(), at vm/NativeObject.cpp Core JavaScript Engine jorendorff VERI FIXE 2015-05-18
880591 Assertion failure: lengthShape->writable() == lengthIsWritable, at jsarray.cpp Core JavaScript Engine jwalden VERI FIXE 2013-09-12
995679 Differential Testing: Different output message involving ArrayBuffer and neuter Core JavaScript Engine: J jwalden VERI FIXE 2015-08-30
1001547 Assertion failure: index < tarray.length(), at vm/TypedArrayObject.cpp Core JavaScript Engine jwalden VERI FIXE 2016-06-04
1140196 Crash [@ EnterNestedScope] or Assertion failure: getReservedSlot(LOCAL_OFFSET_SLOT).isUndefined(), at vm/ScopeObject.h Core JavaScript Engine jwalden VERI FIXE 2016-07-02
798589 Crash [@ JSScript::ionScript] or "Assertion failure: hasIonScript()," Core JavaScript Engine kvijayan VERI FIXE 2013-04-18
947070 Assertion failure: containsPC(pc), at jsscript.h Core JavaScript Engine: J kvijayan VERI FIXE 2015-02-25
951528 Crash [@ js::assertSameCompartment] or [@ js::ScopedThreadSafeStringInspector::ensureChars] Core JavaScript Engine: J kvijayan VERI FIXE 2015-02-25
1111251 Assertion failure: stack_[i].pc() != nullptr, at vm/SPSProfiler.cpp Core JavaScript Engine: J kvijayan VERI FIXE 2016-07-02
1122886 Assertion failure: Baseline OSR lastProfilingFrame mismatch., at jit/MacroAssembler.cpp Core JavaScript Engine kvijayan VERI FIXE 2015-05-05
1124036 Crash [@ JS::ProfilingFrameIterator::extractStack] or Assertion failure: stubFrame->prevType() == JitFrame_BaselineJS, at jit/JitFrames.cpp Core JavaScript Engine kvijayan VERI FIXE 2015-05-05
1134515 Assertion failure: entry.isJs(), at vm/SPSProfiler.cpp Core JavaScript Engine kvijayan VERI FIXE 2016-07-02
1024756 Crash [@ js::jit::JitFrameIterator::script] or Assertion failure: [crash diagnostics] Marking invalid pointer 600 @ 7fff5fbfbb60 of type JSTRACE_OBJECT, named "ion-callee", at gc/Marking.cpp Core JavaScript Engine: J lhansen VERI FIXE 2014-09-03
1033115 Crash [@ js::jit::AssertValidObjectPtr] or Assertion failure: obj->compartment() == cx->compartment(), at jit/VMFunctions.cpp Core JavaScript Engine: J lhansen VERI FIXE 2014-09-28
1120063 Assertion failure: idx < getDenseInitializedLength(), at vm/NativeObject.h Core JavaScript Engine lhansen VERI FIXE 2016-06-04
1199578 Assertion failure: AnyTypedArrayLength(source) <= target->length() - offset, at vm/TypedArrayCommon.h Core JavaScript Engine lhansen VERI FIXE 2016-02-29
755916 Assertion failure: enumerators == cx->enumerators, Core JavaScript Engine mail VERI FIXE 2012-10-21
780712 Crash [@ JSC::Yarr::execute] or [@ js::RegExpShared::execute] Core JavaScript Engine mail VERI FIXE 2013-01-14
952022 Crash [@ js::AsmJSModule::detachIonCompilation] or Assertion failure: exit.interpCodeOffset_, at jit/AsmJSModule.h Core JavaScript Engine: J mail VERI FIXE 2015-05-18
1057248 Crash at a weird memory address or Assertion failure: [infer failure] Missing type in object [0x101d9e740] fileName: float, Core JavaScript Engine: J mail VERI FIXE 2014-12-08
1100237 Assertion failure: memcmp(reinterpret_cast<void*>(instr), cache_page->cachedData(offset), SimInstruction::kInstrSize) == 0, at jit/arm/Simulator-arm.cpp Core JavaScript Engine: J mail VERI FIXE 2015-05-18
1111327 Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h Core JavaScript Engine: J mail VERI FIXE 2016-06-04
1353763 Crash [@ js::gc::IsInsideNursery] Core JavaScript Engine mail VERI FIXE 2023-12-06
1011781 Crash [@ js::jit::CompactBufferReader::readVariableLength] with js::jit::Simulator::instructionDecode on the stack Core JavaScript Engine: J marty.rosenberg VERI FIXE 2015-08-30
1013056 Crash at a weird memory address involving RegExp and filterPar Core JavaScript Engine marty.rosenberg VERI FIXE 2016-06-04
1027359 Differential Testing: Incorrect codegen for mod (%) on ARM sim Core JavaScript Engine: J marty.rosenberg VERI FIXE 2016-06-04
1021612 AddressSanitizer: heap-buffer-overflow [@ mozilla::net::CacheFileMetadata::OnDataRead] Core Networking: Cache michal.novotny VERI FIXE 2020-02-28
757304 IonMonkey: "Assertion failure: trc->runtime->gcIncrementalState == NO_INCREMENTAL || trc->runtime->gcIncrementalState == MARK_ROOTS," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2012-06-27
776687 IonMonkey: Crash [@ js::ion::LIRGeneratorShared::visitConstant] or "Assertion failure: false (unexpected constant type)," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2013-01-14
780274 JM/IonMonkey: Crash [@ js::mjit::EnterMethodJIT] or "Assertion failure: info.isValid()," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2014-05-05
780451 IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: pcdepth + ndefs <= StackDepth(script)," or "Assertion failure: pcdepth >= nuses," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2015-05-18
780936 IonMonkey: Crash at weird address and !exploitable shows an Exploitable Data Execution Prevention Violation Core JavaScript Engine nicolas.b.pierron VERI FIXE 2015-05-18
799185 IonMonkey: "Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth)," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2013-04-18
807047 IonMonkey: "Assertion failure: [infer failure] Missing type pushed 0: void," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2014-05-05
822938 IonMonkey: Crash [@ js::ion::GetPropertyCache] or near null or "Assertion failure: live->empty()," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2013-11-25
844305 IonMonkey: "Assertion failure: callerObs->hasType(excluded->type)," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2013-06-26
849014 IonMonkey: Crash [@ js::RegExpGuard::operator*] or "Assertion failure: isRegExp()," Core JavaScript Engine nicolas.b.pierron VERI FIXE 2013-11-25
995816 Differential Testing: Different output message involving gc Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2015-08-30
995817 Differential Testing: Incorrect result when division-by-zero is used in an indirectly-truncated context Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2015-08-30
1003694 Assertion failure: snapshot_.numAllocationsRead() == numAllocations(), at jit/JitFrameIterator.h or Crash [@ js::jit::InlineFrameIteratorMaybeGC<(js::AllowGC)1>::findNextFrame] Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2014-09-03
1011745 Crash [@ js::jit::BacktrackingAllocator::tryGroupRegisters] or Assertion failure: entryDef->block() == this, at jit/MIRGraph.cpp or Assertion failure: oldDef == entry->getSlot(slot), at jit/IonBuilder.cpp Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2014-09-03
1022232 Crash [@ js::jit::LinearScanAllocator::populateSafepoints] or Assertion failure: IsCompatibleLIRCoercion(def->type(), as->type()), at jit/shared/Lowering-shared-inl.h Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2014-09-03
1034349 Assertion failure: MIR instruction returned value with unexpected type, at jit/IonMacroAssembler.cpp Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2014-09-03
1063653 Crash [@ js::jit::LRecoverInfo::appendResumePoint] Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2014-12-08
1113940 Crash [@ js::HeapSlot::set] or Assertion failure: !(*instructionResults_)[index].isMagic(JS_ION_BAILOUT), at jit/JitFrames.cpp Core JavaScript Engine: J nicolas.b.pierron VERI FIXE 2016-03-17
976697 Assertion failure: obj->getPrivate() == nullptr, at vm/ArrayBufferObject.cpp Core JavaScript Engine: J nmatsakis VERI FIXE 2015-05-18
990247 Conditional jump or move depends on uninitialised value(s) and Use of uninitialised value of size 4 [@ dosprintf] Core JavaScript Engine: J nobody VERI FIXE 2016-06-04
1011730 Assertion failure: containsPC(pc), at jsscript.h Core JavaScript Engine: J nobody VERI FIXE 2014-09-03
1301496 Crash [@ js::gc::TenuredCell::arena] Core JavaScript Engine nobody VERI FIXE 2023-12-06
1310418 Assertion failure: this->is<MIRType>(), at js/src/jit/MIR.h:891 Core JavaScript Engine nobody VERI FIXE 2023-12-06
1313807 Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:365 Core JavaScript Engine nobody VERI FIXE 2023-12-06
1366903 Crash [@ JSObject::finalize] or Assertion failure: obj->getElementsHeader()->ownerObject() != obj, at js/src/vm/NativeObject.cpp:977 Core JavaScript Engine nobody VERI FIXE 2023-12-06
1368576 Assertion failure: !ins->hasDefUses(), at js/src/jit/TypePolicy.cpp:302 Core JavaScript Engine nobody VERI FIXE 2023-12-06
1465695 Crash [@ mozilla::LinkedListElement<js::ParseTask>::asT] or Assertion failure: addr % CellAlignBytes == 0, at js/src/gc/Cell.h:242 with evalInWorker Core JavaScript Engine nobody VERI FIXE 2023-12-06
1519037 Assertion failure: !used(), at js/src/jit/Label.h:85 with --dump-bytecode Core JavaScript Engine nobody VERI FIXE 2023-12-06
1492685 Assertion failure: val->type() == MIRType::Int32, at js/src/jit/IonBuilder.cpp:12987 Core JavaScript Engine robin VERI FIXE 2023-12-06
1296249 Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357 Core JavaScript Engine sandervv VERI FIXE 2016-11-21
826581 Crash [@ js::RegExpShared::compile] Core JavaScript Engine sean.stangl VERI FIXE 2013-11-25
832197 Crash [@ js::gc::Cell::zone] or "Assertion failure: shared->activeUseCount == 0," Core JavaScript Engine sean.stangl VERI FIXE 2013-03-31
783924 Crash [@ js::ParallelArrayObject::IndexInfo::initialize] or "Assertion failure: dimensions.length() > 0," or "Assertion failure: !unknownProperties()," Core JavaScript Engine shu VERI FIXE 2013-01-10
1029440 Assertion failure: script_->hasBaselineScript(), at jit/IonFrames.cpp Core JavaScript Engine: J shu VERI FIXE 2014-09-28
1143194 for-of loops should emit trynotes Core JavaScript Engine shu VERI FIXE 2016-07-02
1362590 Crash at weird memory address or Assertion failure: index < length_, at js/src/jit/FixedList.h:83 Core JavaScript Engine shu VERI FIXE 2023-12-06
743000 Crash [@ JSCompartment::wrap] or [@ TypedArrayTemplate<int>::copyFromTypedArray] or "Assertion failure: IsFastOrSlowTypedArray(obj)," Core JavaScript Engine sphink VERI FIXE 2013-01-19
769192 "Assertion failure: !(*attrsp & (0x10 | 0x20))," Core JavaScript Engine sphink VERI FIXE 2014-02-26
787709 Crash [@ js::ArrayBufferObject::removeFinalizedView] or "Assertion failure: linkObj," Core JavaScript Engine sphink VERI FIXE 2012-12-19
794494 Crash [@ js::shadow::Object::numFixedSlots] or "Assertion failure: (l.asBits & 0x8000000000000000LL) == 0," or "Assertion failure: slot < numFixedSlots()," Core JavaScript Engine sphink VERI FIXE 2013-04-18
914511 Invalid read of size 8 [@ js::gc::MarkIonCodeUnbarriered] or [@ js::jit::Assembler::TraceJumpRelocations] Core JavaScript Engine sunfish VERI FIXE 2015-02-25
950438 Assertion failure: Double input should be equal or higher than Lowerbound., at jit/IonMacroAssembler.cpp Core JavaScript Engine: J sunfish VERI FIXE 2015-02-25
1006301 Assertion failure: ins->lhs()->type() == MIRType_Int32, at jit/Lowering.cpp or Assertion failure: lhs->type() == MIRType_Int32, at jit/Lowering.cpp Core JavaScript Engine: J sunfish VERI FIXE 2014-09-03
1011283 Assertion failure: *to != *moves_[i].to(), at jit/LIR.cpp Core JavaScript Engine: J sunfish VERI FIXE 2016-06-04
1016137 Assertion failure: numOperands() > 1, at jit/MIR.cpp Core JavaScript Engine: J sunfish VERI FIXE 2014-09-03
1096138 Assertion failure: *to != *moves_[i].to(), at jit/LIR.cpp Core JavaScript Engine: J sunfish VERI FIXE 2016-06-04
1099216 Assertion failure: from->toStackSlot()->slot() % SimdStackAlignment == 0, at jit/LIR.cpp Core JavaScript Engine: J sunfish VERI FIXE 2015-06-19
1103389 Assertion failure: from->toArgument()->index() % SimdStackAlignment == 0, at jit/LIR.cpp Core JavaScript Engine: J sunfish VERI FIXE 2015-06-19
777992 "Assertion failure: [barrier verifier] Unmarked edge: element," Core JavaScript Engine terrence.d.cole VERI FIXE 2013-01-14
1070638 Assertion failure: state() == IDLE, at jsgc.cpp Core JavaScript: GC terrence.d.cole VERI FIXE 2015-05-18
1114058 Crash [@ js::RegExpShared::~RegExpShared] Core JavaScript Engine: J terrence.d.cole VERI FIXE 2016-06-04
1251922 Assertion failure: isNurseryAllocAllowed(), at js/src/gc/Allocator.cpp:153 Core JavaScript Engine terrence.d.cole VERI FIXE 2016-09-22
1259490 Crash involving gczeal(8) with Interpret on the stack Core JavaScript Engine terrence.d.cole VERI FIXE 2016-04-15
756851 "Assertion failure: hasAllFlags(OBJECT_FLAG_DYNAMIC_MASK)," Core JavaScript Engine till VERI FIXE 2013-03-13
974751 Crash [@ ArgGetter] or [@ js::Shape::get] or Assertion failure: hasScript(), at jsfun.h Core JavaScript Engine till VERI FIXE 2015-05-18
1289040 Crash [@ js::Wrapper::wrappedObject] or Assertion failure: IsWrapper(&args[0].toObject()), at js/src/vm/SelfHosting.cpp:206 Core JavaScript Engine till VERI FIXE 2016-11-21
908920 Crash [@ js::CloseIterator] or Assertion failure: hasScript(), at jsfun.h Core JavaScript Engine wingo VERI FIXE 2015-02-25
305 bugs found.
REST | CSV | Feed | iCalendar
Change Columns 		Edit Search
as