Here is a non-exhaustive list of bugs that were found by Fuzzlyn:
NullReferenceException thrown for multi-dimensional arrays in releaseWrong integer promotion in releaseCast to ushort is dropped in releaseWrong value passed to generic interface method in release- Constant-folding int.MinValue % -1
Deterministic program outputs indeterministic results on Linux in releaseRyuJIT incorrectly reorders expression containing a CSE, resulting in exception thrown in releaseRyuJIT incorrectly narrows value on ARM32/x86 in releaseInvalid value numbering when morphing casts that changes signedness after global morphRyuJIT spills 16 bit value but reloads as 32 bits in ARM32/x86 in releaseRyuJIT fails to preserve variable allocated to RCX around shift on x64 in releaseRyuJIT: Invalid ordering when assigning ref-returnRyuJIT: Argument written to stack too early on LinuxRyuJIT: Morph forgets about side effects when optimizing casted shiftRyuJIT: By-ref assignment with null leads to runtime crashRyuJIT: Mishandling of subrange assertion for rewritten call parameterRyuJIT: Incorrect ordering around Interlocked.Exchange and Interlocked.CompareExchangeRyuJIT: Missing zeroing of upper bits for small struct used in Volatile.ReadRyuJIT: Incorrect 4-byte immediate emitted for shift causes access violationFinally block belonging to unexecuted try runs anywayRyuJIT: Bad codegen with multiple field assignmentsRuntime crash during JIT register allocation in .NET 5[JIT] Runtime crash in fgMakeOutgoingStructArgCopyJIT EH write thru crashInvalid hoisting with refs/array elements proven to be constantJIT misses a zero extension in series of castsInvalid assertion prop in finallyJIT incorrectly reorders method call and static field loadAssertion failed 'src->IsCnsIntOrI()' with contained bitcast in field storeJIT forgets to normalize arg on loadJIT: flow opts does an incorrect pred list updateARM64 multiplication/anding by zero seems to be discardedARM64 incorrect result when expression involves modulo by 1JIT performs invalid jump threadingARM32: runtime crash inside JITARM32: Incorrect split passing of promoted structs with paddingARM64: Incorrect sub expression reordering of tree containing CSE defJIT: Invalid negated resultJIT: Assertion failed '!m_VariableLiveRanges->back().m_EndEmitLocation.Valid()'JIT: Assertion failed 'offset != BAD_STK_OFFS'JIT: Assertion failed 'm_compGenTreeID == m_compiler->compGenTreeID'ARM64: Assertion failed 'interval->isWriteThru'/runtime crash in releaseARM32: Runtime crash with interfacesJIT still seems to be hoisting some modified indirsRyuJIT: Invalidly optimized negated divisionJIT: Discarded cast on RHS of assignment leads to missing sign extensionJIT ARM32: Assertion failed 'size == EA_4BYTE' during 'Generate code'Assertion failed '!parentStruct->lvUndoneStructPromotion' during 'Mark local vars'JIT: Invalid optimization of (-1 * -A) + AARM32 JIT: Assertion failed '!"NYI: odd sized struct in fgMorphMultiregStructArg"' during 'Morph - Global'JIT: Incorrectly optimized double-negation in face of inliningAssertion failed 'compiler->opts.IsOSR() || ((genInitStkLclCnt > 0) == hasUntrLcl)'Assertion failed '!"Write to unaliased local overlaps outstanding read"' during 'Rationalize IR'JIT: Incorrect results for programs in win-x86 releaseJIT: Incorrect result computed with forward subAssertion failed '!"Write to unaliased local overlaps outstanding read"' during 'Lowering nodeinfo' (IL size 7)- Assertion failed '(emitThisGCrefRegs & regMask) == 0' during 'Emit code' (IL size 129)
JIT: Invalid result on x86 with forward subJIT: Assertion failed 'type == genActualType(type)' during 'Morph - Global'JIT: Illegal reordering of field read and call on implicit byref- Assertion failed 'interval->isSpilled' during 'LSRA allocate'
- Assertion failed 'inVarToRegMap[varIndex] == REG_STK' during 'LSRA allocate'
- Assertion failed '!foundMismatch' during 'LSRA allocate'
ushort argument mysteriously mutatedJIT: Incorrect optimization of x & -x on x86JIT: Writes to small args on macOS can (still) overwrite adjacent argsJIT: Too narrow store for argument passed on stack on macOS ARM64Assertion failed 'lclNode->GetSsaNum() == SsaConfig::FIRST_SSA_NUM' during 'VN based copy prop'JIT: Wrong result computed with forward sub enabled on x64 Windows/LinuxAssertion failed 'divMod->OperGet() != GT_UMOD' during 'Lowering nodeinfo'Assertion failed '!"Shouldn't see an integer typed GT_MOD node in ARM64"' during 'Linear scan register alloc'Assertion failed '!foundDiff' during 'Linear scan register alloc'JIT: Invalid results/assertion errors with modulo opsJIT: Assertion failed '(tree->AsCast()->gtCastType == m_tailcall->gtReturnType) && "Expected cast after tailcall to be no-op"'- x86: Assertion failed '!"Too many unreachable block removal loops"' during 'Global local var liveness'
JIT: BBF_HAS_NULLCHECK is not set on BB but is requiredAssert failure: heapSize >= initialRequestSize with collectible assemblies on linux-x64- JIT ARM32: Assertion failed 'varDsc->lvRefCnt() == 0' during 'Generate code'
Assertion failed 'i < BitSetTraits::GetSize(env)' in during 'Redundant branch opts'JIT: Invalid result computed with modulo operation
Fuzzlyn is actively used to test the .NET JIT compiler and runs automatically every week in dotnet/runtime's CI. For a more exhaustive list of issues see this search.