I can reproduce with the downloaded binary, but not yet with a local build. Need investigate more.

mstarzinger: Would you mind taking another look or closing if this isn't actionable? (Need an owner since it's in the security queue)

I managed to reproduce it, looking...

What is happening here is when we are near the stack limit we call a function with so many arguments that it "overflows" the allocated JS stack buffer including the stack protection area before we manage to do a call (which will do a next stack limit check).

This is a simulator-only issue because on the real hardware where we use normal stack as a JS stack we will trigger the real stack overflow during attempt to push a next argument on the stack.
I think we can remove the security labels and decrease the priority.


In order to make V8 throw a StackOverflowError we could emit additional stack overflow checks after every Nth argument pushed on the stack.

Even simplier, if the number of arguments is bigger that some limit we can generate a stack overflow check before pushing all the arguments (we do similar check if the number of locals is too big).

Or we can check the worst case: if the maximum length of expression stack + current stack state will overflow. I'm not sure that we calculate the expression stack limit though.

Re comment #7: As discussed offline, AFAIK we don't know the maximum operand stack size ahead of time. But the full code generator keeps track of the current operand stack size (i.e. FullCodeGenerator::OperandStackDepthIncrement and Decrement), so at least we know the depth while generating code.

Removing security labels since this is a simulator only issue as per c#6.

 Issue 620251  has been merged into this issue.

 Issue 656816  has been merged into this issue.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 801790  has been merged into this issue.