diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
index 684496ad67..a2a9e6435d 100644
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -4935,6 +4935,8 @@ Reduction JSCallReducer::ReduceJSCallWithSpread(Node* node) {
 }
 
 Reduction JSCallReducer::ReduceJSConstruct(Node* node) {
+ if (broker()->StackHasOverflowed()) return NoChange();
+
 JSConstructNode n(node);
 ConstructParameters const& p = n.Parameters();
 int arity = p.arity_without_implicit_args();
diff --git a/test/mjsunit/compiler/regress-crbug-1226264.js b/test/mjsunit/compiler/regress-crbug-1226264.js
new file mode 100644
index 0000000000..e345bc1751
--- /dev/null
+++ b/test/mjsunit/compiler/regress-crbug-1226264.js
@@ -0,0 +1,18 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+};
+for (var i = 0; i < 40000; i++) {
+ foo = foo.bind();
+}
+function bar() {
+ new foo();
+};
+%PrepareFunctionForOptimization(bar);
+bar();
+%OptimizeFunctionOnNextCall(bar);
+bar();
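Review bot: The new guard at the top of `ReduceJSConstruct` carries no comment saying which recursion it bounds, so a later cleanup could mistake it for dead code and remove it. Judging from the regression test in this commit (a 40000-deep `bind()` chain constructed with `new`), the reducer presumably re-enters itself once per bound-function layer. A one-line comment such as `// Bound-function targets are reduced recursively; bail out instead of exhausting the native stack.` would record that. The function body continues outside the hunk, so it cannot be confirmed from here where the recursion happens or whether every other path that re-enters this reducer is covered by the same check.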
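Review bot: The test never says what failure it guards against, and the depth `40000` is an unexplained constant that only works while it exceeds what the optimizing compiler's stack can absorb. A header comment such as `// Optimizing construction of a deeply nested bound function must bail out instead of overflowing the stack.` would make the intent clear. A short note beside the loop saying the depth has to stay large enough to reach the stack limit would keep the test from silently losing its value if stack sizes or the reducer change.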