
Issue 613091

Starred by 5 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression




Tab crash is seen after reloading the page in "metro.co.in"

Reported by adha...@etouch.net, May 19 2016

Issue description

Chrome Version: 52.0.2741.0 (Official Build) 19d105a2a1ec66924ff415f27ff170db7a67ba36-refs/heads/master@{#394609} (32/64-bit)
OS: Windows 8 (Win 8, Aero enabled)

URL: https://www.metro.co.in/

What steps will reproduce the problem?
(1) Launch Chrome and navigate to the above URL.
(2) Open DevTools and resize it 2-3 times.
(3) Reload the page and observe.

Actual: Tab crash is seen after reloading the page.

Expected: Tab crash should not be seen.

Crash ID c8b6006a00000000 (9b8641b8-a7cc-41d5-aca5-5385590d926c)

This is a regression issue broken in M-50; below is the narrow bisect info:
https://chromium.googlesource.com/chromium/src/+log/d67ccdf83fa7606ec6bd028aa950ee91e00b395e..89f367a96adde631136877a0fe218e42493177e5?pretty=fuller&n=100

Suspecting: r373777?

Good build: 50.0.2641.0
Bad build: 50.0.2643.0

Kindly help to re-assign if your change is not the cause for this issue.

Note: Issue is not reproducible on Mac and Linux.
 
Actual crash.mp4
1.9 MB Download
Expected.mp4
1.9 MB Download
Labels: ReleaseBlock-Stable
Marking the above issue as RB-Stable as this is a recent regression.

Thank you!

Comment 2 by yosin@chromium.org, May 23 2016

Owner: ----
Status: Untriaged (was: Assigned)
r373777 doesn't relate to this crash.
Cc: rnimmagadda@chromium.org
Just to update.

Able to repro this issue on Windows 7 for Google Chrome Canary Version - 53.0.2750.0 

Screen-recording is attached.
613091.mp4
1.4 MB Download
@adharap: Could you please look into this issue as per the comment #2
Labels: Needs-Feedback
Labels: -Needs-Feedback
Owner: dgozman@chromium.org
Status: Assigned (was: Untriaged)
Issue still reproduces (crash ID: 7326305a00000000) on Canary 53.0.2753.0.

Stack trace:
-------------
Thread 0 CRASHED [EXCEPTION_STACK_OVERFLOW @ 0x000007feda740f94 ] MAGIC SIGNATURE THREAD
0x000007feda740f94	(chrome_child.dll -isolate.cc:360 )	v8::internal::Isolate::CaptureSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::Handle<v8::internal::Object>)
0x000007feda741938	(chrome_child.dll -isolate.cc:474 )	v8::internal::Isolate::CaptureAndSetSimpleStackTrace(v8::internal::Handle<v8::internal::JSReceiver>,v8::internal::Handle<v8::internal::Object>)
0x000007feda74359e	(chrome_child.dll -isolate.cc:931 )	v8::internal::Isolate::StackOverflow()
0x000000d6911063ca		
0x000007fedaa4864f	(chrome_child.dll + 0x0115864f )	

From code search on the crashing file, suspecting the below.
Suspect: https://codereview.chromium.org/1741893003
dgozman@: Could you please take a look into this and check whether it's related to your change.

Cc: yangguo@chromium.org
Able to reproduce the crash on win8.1 latest canary #53.0.2760.0

ccing dev whose change may be related to this crash.
Labels: -hasbisect -ReleaseBlock-Stable Needs-Bisect
As per #7, this issue is still manually reproducible. adharap@, could you please confirm? We need a re-bisect too.

Don't think the patch mentioned in #6 is the right suspect.

I can't reproduce this on Linux. I suspect though that it might be related to running out of stack space.

The default stack size for windows seems to be 984kB. If you can reproduce this reliably, can you test whether it still reproduces if you run chrome with --js-flags="--stack-size=900"?
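The comment above attributes the crash to running out of stack space, and the trace earlier in this thread shows the overflow being hit inside `v8::internal::Isolate::StackOverflow()` while V8 was capturing a stack trace. The snippet below is an added example, not code from this issue or from Chromium: it measures how deep JavaScript recursion gets before V8 raises its stack limit, and shows that in the normal case an exhausted JS stack surfaces as a catchable `RangeError` rather than a renderer crash. The helper names (`measureDepth`, `narrowRecursion`, `wideRecursion`, `isStackOverflow`) are this example's own. Running it under Node with different `--stack-size` values (the same V8 flag the comment suggests passing via `--js-flags`) makes the reported depth move with the limit.

```javascript
// Added example (not from the Chromium issue): probe the JS stack limit and
// handle the resulting RangeError. Try: node --stack-size=900 probe.js

// Run a recursion until V8 throws; report how many frames were entered and
// what was thrown. The catch block runs after the stack has unwound, so it
// has room to build the result object.
function measureDepth(makeRecursion) {
  let depth = 0;
  const start = makeRecursion(() => { depth++; });
  try {
    start();
    return { depth, errorName: null, message: null }; // never reached
  } catch (e) {
    return { depth, errorName: e.name, message: e.message };
  }
}

// Recursion whose frames carry almost no live state.
function narrowRecursion(tick) {
  function r() { tick(); r(); }
  return () => r();
}

// Recursion whose frames keep eight live arguments each, so every level
// costs more stack and the limit is reached at a smaller depth.
function wideRecursion(tick) {
  function r(a, b, c, d, e, f, g, h) {
    tick();
    r(a + 1, b + 1, c + 1, d + 1, e + 1, f + 1, g + 1, h + 1);
  }
  return () => r(0, 0, 0, 0, 0, 0, 0, 0);
}

// Classify an exception as a V8 stack-overflow RangeError. V8's message is
// "Maximum call stack size exceeded"; other RangeErrors (e.g. invalid array
// length) are deliberately not matched.
function isStackOverflow(err) {
  return err instanceof RangeError && /call stack/i.test(String(err.message));
}

// Wrap deep work so that a stack overflow degrades to a reported failure
// instead of propagating. Returns { ok, value } or { ok, overflow }.
function runGuarded(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    if (isStackOverflow(e)) return { ok: false, overflow: true };
    throw e; // unrelated errors are not swallowed
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('narrow frames:', measureDepth(narrowRecursion));
  console.log('wide frames:  ', measureDepth(wideRecursion));
  console.log('guarded:      ', runGuarded(() => narrowRecursion(() => {})()));
}
```

The two recursions give different depths under the same `--stack-size` because the limit is a byte budget, not a frame count; that is the same reason a page's JS can overflow at a depth that looks modest. The absolute numbers are environment-specific and are only meaningful when compared across runs with different flag values.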
Cc: pfeldman@chromium.org
Labels: -Needs-Bisect
====================================

Good Build:

48.0.2556.0    Base Position: 358220


Bad Build:

48.0.2557.0    Base Position: 358475

=====================================

Able to repro this issue on Windows 7 for the Google Chrome Stable Version - 51.0.2704.84

This is a regression issue broken in M48, below mentioned is the bisect info:

CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/22f9fa2f7ba87632cdc5cfbfea2ce25fad2b0c83..d7dea63fb209a6a0379eadbd0682b88ceaf9a67c

Suspecting Commit: ff2c226ca3987bd30241845a4292da693214290d	

Review URL: https://codereview.chromium.org/1419093004

@dgozman: Could you please look into the issue, and if it has nothing to do with your changes, please assign it to the concerned owner if possible.

Thank you.

Comment 11 by sheriffbot@chromium.org, Jun 7 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -yangguo@chromium.org dgozman@chromium.org
Owner: yangguo@chromium.org
If the bisect is correct, I'm pretty sure it's v8 roll https://chromium.googlesource.com/chromium/src/+/059b808ec2c8a0a1be0fb53f71b93b9f60f90957.

But anyway this looks like a stack overflow crash. Not sure we can do something (similar to out-of-memory in v8). Yang, could you please route to someone from v8 team?
Cc: adamk@chromium.org
Adam, could this be related to shipping of @@toStringTag somehow?

https://chromium.googlesource.com/v8/v8/+/2fa4732739907bd8e52a421a5243184cd4e765d3

Comment 14 by adamk@chromium.org, Jun 15 2016

Cc: kozyatinskiy@chromium.org
Except for the bisect, this sounds to me like issue 615485.

I'm confused by the bisect info: the changelog doesn't even mention dgozman's ff2c226ca3987bd30241845a4292da693214290d. Are we sure this bisect is correct?

I wonder if reducing the stack size artificially causes this to bisect incorrectly.

Comment 15 by sheriffbot@chromium.org, Jul 9 2016

Labels: -M-53 -Pri-1 M-54 MovedFrom-53 Pri-2
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -ashej...@chromium.org
