Created attachment 82932 [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=73379 findPlaceForCounter & makeCounterNode can call eachother recursively: static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString& identifier, bool isReset, CounterNode*& parent, CounterNode*& previousSibling) <snip> RenderObject* currentRenderer = previousInPreOrder(counterOwner); previousSibling = 0; while (currentRenderer) { CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false); <snip> static CounterNode* makeCounterNode(RenderObject* object, const AtomicString& identifier, bool alwaysCreateCounter) <snip> CounterNode* newParent = 0; CounterNode* newPreviousSibling = 0; RefPtr<CounterNode> newNode = CounterNode::create(object, isReset, value); if (findPlaceForCounter(object, identifier, isReset, newParent, newPreviousSibling)) <snip> id: chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57) description: Recursive function calls in chrome.dll!WebCore::findPlaceForCounter and chrome.dll!WebCore::makeCounterNode: 9205 loops application: Chromium 11.0.671.0 Repro: <html> <head> <script> function go() { document.write('x<dd><strike style="counter-increment:r"></dd>x'); document.open(); } </script> </head> <body onload="go()"></body> </html>