Wed Jul 17 2024 20:47:37 PDT
  • Keywords: csectype-jit
23 bugs found.
ID Type Summary Product Comp Assignee Status Resolution Updated
1593971 Assertion failure: input->type() == MIRType::Double, at js/src/jit/Lowering.cpp:2893 Core JavaScript Engine: J andrebargull RESO FIXE 2022-01-10
1614704 Alias-set for MCreateThis should record property loads Core JavaScript Engine: J andrebargull RESO FIXE 2020-08-08
1616535 Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:416 Core JavaScript Engine: J andrebargull RESO FIXE 2020-06-05
1619229 Assertion failure: !cx->runtime()->jitRuntime()->disallowArbitraryCode(), at vm/Interpreter.cpp:416 Core XPCOM continuation RESO FIXE 2020-12-18
1544386 Spidermonkey: IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusions Core JavaScript Engine: J jdemooij RESO FIXE 2020-11-03
1608994 Assertion failure: LoadUnboxedObjectOrNull instruction returned object with unexpected type, at jit/MacroAssembler.cpp:1881 Core JavaScript Engine jdemooij RESO FIXE 2020-08-28
1808352 Crash in [@ mozilla::dom::Element::ClassList] on JS_SWEPT_TENURED_PATTERN poison values Core JavaScript Engine: J jdemooij RESO FIXE 2023-10-24
1820602 Remaining crashes on JS_SWEPT_TENURED_PATTERN values in DOM bindings Core JavaScript Engine: J jdemooij RESO FIXE 2023-10-24
1766283 InlineTable does not provide any deterministic order (HashTable previous resize change the ordering of entries) Core JavaScript Engine nicolas.b.pierron RESO FIXE 2023-01-19
1631508 Fix IonMonkey LEA on ARM64 Core JavaScript Engine: J tcampbell RESO FIXE 2020-08-08
1757476 Assertion failure: isDouble(), at dist/include/js/Value.h:494 Core JavaScript Engine: J iireland RESO FIXE 2022-08-27
1862782 CycleCollectedJSRuntime::FinalizeDeferredThings should respect DeferredFinalizeType for the old mFinalizeRunnable Core XPCOM continuation RESO FIXE 2024-04-28
1886849 [pwn2own-2024] MObjectKeysLength::computeRange is incorrect Core JavaScript Engine: J iireland RESO FIXE 2024-07-03
1769410 Assertion failure: (offset % sizeof(FloatRegisters::RegisterContent)) == 0, at jit/JitFrames.cpp:2293 Core JavaScript Engine: J jdemooij RESO FIXE 2024-05-30
1736307 Assertion failure: ins->compareType() == MCompare::Compare_String, at js/src/jit/MIR.cpp:3847 Core JavaScript Engine: J andrebargull VERI FIXE 2022-09-27
1811803 Crash [@ ??] in JIT code Core JavaScript Engine: J dothayer VERI FIXE 2023-12-06
1842617 Crash [@ js::NativeObject::allocDictionarySlot(JSContext*, JS::Handle<js::NativeObject*>, unsigned int*)] or Assertion failure: isInt32(), at js/Value.h:914 Core JavaScript Engine: J iireland VERI FIXE 2024-01-03
1607443 In-the-wild 0-day reported by Qihoo 360 Core JavaScript Engine: J jdemooij VERI FIXE 2021-09-23
1620203 Assertion failure: whyMagic() == why, at js/Value.h:651 with Reflect and Proxy Core JavaScript Engine: J jdemooij VERI FIXE 2022-07-11
1837686 Call instruction in try is ignored by alias analysis Core JavaScript: WebAssem jseward VERI FIXE 2024-06-02
1768660 Crash [@ js::jit::DoToBoolFallback] or Assertion failure: v.isObject(), at builtin/Boolean.cpp:172 Core JavaScript Engine: J iireland VERI FIXE 2022-05-18
1841082 Assertion failure: icEntry->firstStub() == stub, at jit/BaselineIC.cpp:469 Core JavaScript Engine: J iireland VERI FIXE 2024-02-02
1675905 Write side effects in MCallGetProperty opcode not accounted for Core JavaScript Engine: J tcampbell VERI FIXE 2021-04-04
23 bugs found.
REST | CSV | Feed | iCalendar
Change Columns 		Edit Search

File a new bug in the "Core" product