Issue 866245 link

Starred by 1 user

Issue metadata

Status:	Assigned
Owner:	ishell@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	2
Type:	Bug
Stability-Crash Arch-x86_64 Via-Wizard-Crashes

StackOverflow while setting property of recursively defined class

Reported by gksgudtj...@gmail.com, Jul 21

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
Execute attached JavaScript code

What is the expected behavior?

What went wrong?
class c{}
for(var i =0; i < 312260; i++){
  c = (class extends c {});
}
c.x = 42

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? N/A 

Chrome version: 67.0.3396.99  Channel: stable
OS Version: 10.0
Flash Version: 

If recursive definition of class c is not in the loop, it is okay. But, if it is in the loop (maybe jitted?), it crashes with StackOverflow.

Comment 1 by woxxom@gmail.com, Jul 21

Simplified repro:
1. open the attached test.html

Expected: SUCCESS is shown immediately
Observed: the tab crashes

Bisected to r519670 "Update V8 to version 6.4.377."
In V8 log suspecting 888acb2f3c43a92fe3134983d2722b1417d045e4
"[runtime] Properly deal with prototype setup mode during class literal instantiation."
Landed in 64.0.3280.0

Note, prior to r517690 (specifically ed53f05c830fba8300163acec9ef08b8dc8f33e7) the test could never complete.

test.html
213 bytes View Download

Comment 2 by tkent@chromium.org, Jul 23

Components: Blink>JavaScript
Owner: ishell@chromium.org
Status: Assigned (was: Unconfirmed)

►

Issue 866245 link

Issue metadata

StackOverflow while setting property of recursively defined class

Issue description

Comment 1 by woxxom@gmail.com, Jul 21

Comment 1 Deleted

Comment 2 by tkent@chromium.org, Jul 23

Comment 2 Deleted

Sign in to add a comment