See also http://www.squarefree.com/2011/09/01/lessons-from-js-engine-bugs/

I have bolded what seem like the most useful lessons and recommendations.

Bug 626631 - WebWorker + GC crash
Bug 622318
Bug 621202 - Crash in rope-flattening after string-replace
  Found by LangFuzz.
Bug 601102 - Crash when exception bubbles through same-origin compartments
  Found as a topcrash and diagnosed by adding an assertion.
Bug 584650 - gczeal compartment crash
  A fatvals regression. Found by jsfunfuzz, but not quickly.
Bug 579273 - A fatvals crash
Bug 564937 - fast iterators shouldn't touch regs.sp[0]
  Old bug made evident by a new patch.
Bug 559256 - Bad OOM-handling in js_GrowSlots, js_AllocSlots
  Identified through code inspection.
Various bugs involving non-canonical NaN values, 2 of which were likely exploitable
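The non-canonical NaN class of bug comes from NaN-boxing: when an engine stores tagged non-double values inside the IEEE NaN space, any double NaN whose raw bits land in that space will be misread as a tagged value unless every NaN is first reduced to one canonical bit pattern. The following C program is an added illustration written for this note; it is not code from the page, from the linked post, or from SpiderMonkey, and its tag layout (three tag bits at bit 48, 48-bit payload) is an assumption chosen for brevity rather than the real fatvals layout. It boxes a constructed NaN both without and with canonicalization and shows that only the canonicalizing path keeps it a double.

```c
#include <assert.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified NaN-boxing layout (an assumption for this example, NOT
 * SpiderMonkey's actual fatvals representation):
 *
 *   double:  any 64-bit IEEE pattern whose top 13 bits are not all set
 *   tagged:  0xFFF8_0000_0000_0000 | (tag << 48) | payload (48 bits)
 *
 * Tagged values live inside NaN space (sign, exponent and quiet bit all set),
 * so a double must be reduced to one canonical NaN before boxing. Otherwise a
 * NaN whose bits happen to fall in the tagged region decodes as an int32, a
 * boolean or, worst of all, an object pointer.
 */

typedef uint64_t value_t;

#define CANONICAL_NAN_BITS 0x7FF8000000000000ULL /* the only NaN the engine stores */
#define TAGGED_REGION_BITS 0xFFF8000000000000ULL /* shared by every tagged value   */
#define TAG_SHIFT          48
#define TAG_MASK           0x7ULL
#define PAYLOAD_MASK       ((1ULL << TAG_SHIFT) - 1)

enum kind { KIND_DOUBLE = 0, KIND_INT32 = 1, KIND_BOOLEAN = 2, KIND_OBJECT = 3 };

static uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double   bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Classify a boxed word: it is a double unless it falls in the tagged region. */
static enum kind value_kind(value_t v)
{
    if ((v & TAGGED_REGION_BITS) != TAGGED_REGION_BITS)
        return KIND_DOUBLE;
    return (enum kind)((v >> TAG_SHIFT) & TAG_MASK);
}

static value_t box_tagged(enum kind k, uint64_t payload)
{
    assert(k != KIND_DOUBLE && (payload & ~PAYLOAD_MASK) == 0);
    return TAGGED_REGION_BITS | ((uint64_t)k << TAG_SHIFT) | payload;
}

static value_t box_int32(int32_t i) { return box_tagged(KIND_INT32, (uint32_t)i); }
static value_t box_object(void *p)  { return box_tagged(KIND_OBJECT, (uintptr_t)p & PAYLOAD_MASK); }

static int32_t unbox_int32(value_t v)  { assert(value_kind(v) == KIND_INT32);  return (int32_t)(uint32_t)(v & 0xFFFFFFFFULL); }
static void   *unbox_object(value_t v) { assert(value_kind(v) == KIND_OBJECT); return (void *)(uintptr_t)(v & PAYLOAD_MASK); }
static double  unbox_double(value_t v) { assert(value_kind(v) == KIND_DOUBLE); return bits_to_double(v); }

/* Buggy boxing: stores the raw bits, trusting that no NaN collides with a tag. */
static value_t box_double_unchecked(double d) { return double_to_bits(d); }

/* Correct boxing: every NaN, whatever its sign or payload, becomes the canonical NaN. */
static value_t box_double(double d)
{
    if (isnan(d))
        return CANONICAL_NAN_BITS;
    return double_to_bits(d);
}

/* 1 if boxing this double without canonicalization would be misread as a tagged value. */
static int nan_aliases_tag(double d)
{
    return value_kind(box_double_unchecked(d)) != KIND_DOUBLE;
}

int main(void)
{
    /* Constructed input: a quiet NaN whose bits sit exactly where an object value would. */
    uint64_t bad_bits = TAGGED_REGION_BITS | ((uint64_t)KIND_OBJECT << TAG_SHIFT) | 0x1000ULL;
    double   bad_nan  = bits_to_double(bad_bits);

    printf("unchecked box -> kind %d (3 = object); canonical box -> kind %d (0 = double)\n",
           value_kind(box_double_unchecked(bad_nan)), value_kind(box_double(bad_nan)));
    (void)box_object; (void)unbox_object; (void)unbox_int32; (void)box_int32; (void)unbox_double;
    return 0;
}
```

The practical lesson is that canonicalization has to happen at every boundary where raw bits can become a double (typed-array and DataView reads, bit casts in JIT code, deserialization), not just in the arithmetic paths, and that a regression test should feed NaNs with payloads covering the whole tag region through each of those boundaries.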