773 bytes, text/plain
The following testcase asserts on mozilla-central revision 18467a85acf6 (run with --fuzzing-safe --ion-eager): var buf = serialize(new Date(NaN)); var n = -(8.64e15 + 1); var nbuf = serialize(n); for (var j = 0; j < 8; j++) buf[j + (0.00000000123)] = nbuf[j];
Marked s-s because I don't know what the type mismatch in this assertion could cause.
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/0670cdaf7e9c user: Brian Hackett date: Thu Jul 11 15:08:26 2013 -0600 summary: Bug 891400 - Improve pattern matching on static typed array accesses, r=jandem. This iteration took 341.676 seconds to run.
Needinfo from Brian based on comment 3 :)
This is slightly different from bug 893732 (affects stores rather than loads) but will be fixed by that bug.