NEW 74855
chrome.dll!WebCore::RenderBlock::layout+3 RecursionSOV (778c8b32c6289e0e4786686a99048cba)
https://bugs.webkit.org/show_bug.cgi?id=74855
Berend-Jan Wever
Reported 2011-12-19 05:39:06 PST
Created attachment 119851 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=108054

<html>
  <head>
    <style>
      * { position: absolute; }
    </style>
    <script>
      window.onload = function() {
        document.designMode="on";
        document.execCommand("selectall");
        document.execCommand("insertparagraph");
        document.execCommand("insertimage");
        document.execCommand("selectall");
        document.execCommand("strikethrough");
        document.execCommand("InsertNewlineInQuotedContent");
        document.execCommand("InsertHorizontalRule");
        // The following line can be removed, in which case the repro only
        // consumes CPU exponentially, but does not trigger a stack exhaustion.
        document.execCommand("InsertOrderedList");
        // Things start to get exponentially slower from here on until we hit
        // a stack exhaustion after only a few executions:
        var i = 0;
        while (1) {
          var iStartTime = new Date().valueOf();
          document.execCommand("insertunorderedlist");
          var nTime = (new Date().valueOf() - iStartTime) / 1000;
          document.title = ('Loop #' + ++i + ' took ' + nTime + ' seconds.');
        }
      };
    </script>
  </head>
  <body>
    x
  </body>
</html>

Loop run time seems to increase exponentially. The repro as-is results in a stack overflow after about 10 loops for me. Remove one line (mentioned in the repro) and it will not crash, but only consume CPU.

There seem to be two loops involved: the first is seen a few tens of times at the top of the stack, the latter is seen a few thousand times below it on the stack (and is probably the true cause):

chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutPositionedObjects
chrome.dll!WebCore::RenderBlock::simplifiedLayout
chrome.dll!WebCore::RenderBlock::layoutBlock
chrome.dll!WebCore::RenderBlock::layout
chrome.dll!WebCore::RenderBlock::layoutPositionedObjects
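The repro above loops until the renderer exhausts its stack, which makes it awkward to triage on a shared machine or in an automated regression run. The following is an added example, not code from the bug report or from WebKit: a bounded timing harness that records the duration of each editing step and stops as soon as successive iterations grow by a constant factor (the exponential pattern the reporter observed), or as soon as one step exceeds a wall-clock budget. The `step` callback, the `minRatio` / `window` thresholds and the injectable clock are assumptions of this example; in a browser `step` would wrap `document.execCommand("insertunorderedlist")`, while the self-contained demo below drives it with a fake clock so it runs offline in Node.

```javascript
// Added example (not part of the bug report): bounded harness for repros whose
// per-iteration cost grows exponentially.  Instead of running until the tab
// crashes, it stops when growth is detected and returns the timing series for
// the bug report.

// True when each of the last `window` iterations took at least `minRatio`
// times as long as the one before it.  A linear workload has ratios that fall
// toward 1, so it is not flagged; a doubling workload keeps a ratio of ~2.
// The thresholds are assumptions chosen for this example.
function isExponential(durations, { window = 3, minRatio = 1.5 } = {}) {
  if (durations.length < window + 1) return false;
  const tail = durations.slice(-(window + 1));
  for (let i = 1; i < tail.length; i++) {
    const prev = Math.max(tail[i - 1], 1); // guard against 0 ms samples
    if (tail[i] / prev < minRatio) return false;
  }
  return true;
}

// Runs `step(i)` repeatedly, timing each call with `now()` (injectable so the
// demo and tests are deterministic).  Stops on the first of: iteration cap,
// a single step over `maxStepMs`, or detected exponential growth.
function runBounded(
  step,
  { maxIterations = 50, maxStepMs = 2000, window = 3, minRatio = 1.5 } = {},
  now = () => Date.now()
) {
  const durations = [];
  let reason = 'maxIterations';
  for (let i = 0; i < maxIterations; i++) {
    const start = now();
    step(i);
    const elapsed = now() - start;
    durations.push(elapsed);
    if (elapsed > maxStepMs) { reason = 'slowStep'; break; }
    if (isExponential(durations, { window, minRatio })) {
      reason = 'exponentialGrowth';
      break;
    }
  }
  return { iterations: durations.length, durations, reason };
}

// Constructed workloads for the offline demo: a fake clock that the step
// advances by 2^i ms (doubling, like the reporter's loop) or by 10*(i+1) ms
// (linear).  In a real page, step would be:
//   (i) => document.execCommand("insertunorderedlist")
function demoDoubling() {
  let t = 0;
  return runBounded((i) => { t += Math.pow(2, i); }, {}, () => t);
}

function demoLinear() {
  let t = 0;
  return runBounded((i) => { t += 10 * (i + 1); }, {}, () => t);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('doubling:', demoDoubling());
  console.log('linear:  ', demoLinear());
}
```

Because the harness stops after the fourth doubling step, the timing series it returns (1, 2, 4, 8 ms in the constructed demo) is enough to show the growth curve in a report without ever reaching the depth at which `RenderBlock::layout` overflows the stack.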
Attachments
Repro (1.19 KB, text/html)
2011-12-19 05:39 PST, Berend-Jan Wever
no flags