chromium/third_party/blink/web_tests/http/tests/fetch/chromium/release-handle-crash.html

<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="resources/stack-overflow.js"></script>
<script>
// Trigger the following crash:

// #0 0x7ffff7d8092c base::debug::StackTrace::StackTrace()
// #1 0x7ffff7d80491 base::debug::(anonymous namespace)::StackDumpSignalHandler()
// #2 0x7ffff00130c0 <unknown>
// #3 0x7ffff41c113d v8::internal::GlobalHandles::MakeWeak()
// #4 0x7ffff308198e blink::ReadableStreamBytesConsumer::ReadableStreamBytesConsumer()
// #5 0x7ffff306bc6f blink::BodyStreamBuffer::ReleaseHandle()
// #6 0x7ffff306b883 blink::BodyStreamBuffer::StartLoading()
// #7 0x7ffff306914d blink::Body::blob()
// #8 0x7ffff37a9d20 blink::V8Response::blobMethodCallback()
// #9 0x7ffff3f02097 v8::internal::FunctionCallbackArguments::Call()
// #10 0x7ffff3f015a3 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
// #11 0x7ffff3f00ca6 v8::internal::Builtin_Impl_HandleApiCall()

// This happens on Linux release build at 70ddf623, no DCHECK. It may be
// possible to reproduce in other environments by bisecting the second argument
// to fillStackAndRun() until you get the above crash.

// See https://bugs.chromium.org/p/chromium/issues/detail?id=829790#c5

test(() => {
  const rs = new ReadableStream();
  const response = new Response(rs);
  try {
    // This throws an exception in debug builds but not in release builds.
    // If the process doesn't crash, the test passed.
    fillStackAndRun(() => response.blob(), 784);
  } catch (e) {
  }
}, 'stack overflow in response.blob() should not crash the browser');
</script>