<!DOCTYPE html>
<html>
Test passes if it does not crash.
<script>
if (window.testRunner)
testRunner.dumpAsText();
Object.prototype.__defineSetter__('foo', function() {
history.replaceState('', '')
});
history.replaceState({foo:1, zzz:Array(1<<22).join('a')}, '');
history.state.length;
</script>
</html>
Codebase Browser
chromium