Comment

Tech Note: jQuery 1.6 Installed, All Systems Go

482
eightyfiv 5/03/2011 7:13:33 pm PDT

Charles — The IE7 crash looks like a stack overflow in MSHTML (I reproduced it in an old virtual machine). It goes into some sort of infinite (or at least ridiculously deep) recursion doing some sort of DOM/CSS/notification-something style handling. Any way there could somehow be a recursive or utterly insanely deep DOM or CSS structure?

Have a stack trace:


0:005> kv 2000
ChildEBP RetAddr Args to Child
02516fb4 6d312293 06998090 069868a0 02516ff0 mshtml!_chkstk+0x27
02516fe8 6d2f8b00 00000000 80011389 0000001f mshtml!ApplyFormatInfoProperty+0x158d (FPO: [9,5,4])
0251703c 6d30e726 025176c8 04b0e3f4 02517074 mshtml!ApplyAttrArrayValues+0xbe (FPO: [8,7,4])
02517570 6d2f8481 025176c8 00000002 00000400 mshtml!CStyleSheetArray::Apply+0x47a (FPO: [4,320,4])
025175d0 6d3ce1ec 00000400 06981ea0 025176c8 mshtml!CElement::ApplyDefaultFormat+0x2a0 (FPO: [1,15,4])
02517658 6d2f8900 025176c8 06981ea0 06b44340 mshtml!CButton::ApplyDefaultFormat+0x1aa (FPO: [1,28,4])
02517698 6d2f538a 086f9120 06b44340 02517aac mshtml!CElement::ComputeFormatsVirtual+0xaa3 (FPO: [2,10,4])
025176b4 6d30cab8 025176c8 06b44340 06b44340 mshtml!CElement::ComputeFormats+0x3a (FPO: [2,0,4])
02517944 6d32b77e 06981ea0 6d3355c2 00000000 mshtml!CTreeNode::GetFancyFormatHelper+0x4b (FPO: [0,159,4])
0251794c 6d3355c2 00000000 6d335d9f 00000000 mshtml!CElement::IsBlockElement+0x14 (FPO: [0,0,4])
02517954 6d335d9f 00000000 02517aac 00000001 mshtml!CElement::BreaksLine+0xa (FPO: [0,0,4])
025179a4 6d335cad 00000000 00000000 06b44360 mshtml!CLineBreakCompat::HandleText+0xa1 (FPO: [2,15,4])
025179c4 6d335854 02517f78 06981ea0 00000002 mshtml!CLineBreakCompat::ComputeNextBreaks+0x17b (FPO: [0,1,4])
025179dc 6d3360b9 00000004 025179fc 02517f78 mshtml!CLineBreakCompat::QueryBreaks+0xc2 (FPO: [2,1,4])
02517a00 6d335fee 02517f78 00000000 06981ea0 mshtml!CTreeSaver::LineBreakChar+0xad (FPO: [1,2,4])
02517a20 6d3364f7 06981ea0 02517a40 00000000 mshtml!CTreeSaver::CTreeSaver+0xc6 (FPO: [3,2,4])
02518004 6d57a7f6 02518024 00000202 6d2fec2c mshtml!CElement::GetText+0xcd (FPO: [2,369,4])
02518028 6d3287c0 06981ea0 02518078 6d57a7d4 mshtml!CButton::GetValueHelper+0x22 (FPO: [2,2,4])
0251803c 6d470d1e 06981ea0 02518078 00000000 mshtml!BASICPROPPARAMS::GetString+0x21 (FPO: [3,1,0])
0251806c 6d300196 6d2fec18 00000000 025180b8 mshtml!PROPERTYDESC::HandleStringProperty+0x266 (FPO: [5,4,4])
02518088 6d47a6cd 06981ea0 00080002 025180b8 mshtml!PROPERTYDESC::CallHandler+0x21 (FPO: [3,0,0])
025180bc 6d3be357 06981ea0 0251816c 06b44340 mshtml!CAttributeSelector::Match+0xdf (FPO: [1,5,4])
025180dc 6d30e39f 06981ea0 02518820 0251823c mshtml!CStyleSelector::MatchSimple+0x237 (FPO: [5,2,4])
025181a4 6d2f90f7 02518820 00000002 0251823c mshtml!CStyleSelector::Match+0x80 (FPO: [4,40,4])
025186c8 6d2f8481 02518820 00000002 00000400 mshtml!CStyleSheetArray::Apply+0x1e1 (FPO: [4,320,4])
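Added example, not part of the original comment: a small Python triage helper that parses `kv` output in the column layout shown above and reports symbols that occur more than once, with the frame distance and the ChildEBP delta between occurrences, which is how recursion such as the repeated `CStyleSheetArray::Apply` frames shows up. The function names and the sample trace (shortened call chain, made-up addresses) are constructed for illustration.

```python
import re

# One `kv` frame: ChildEBP, RetAddr, three argument words, then module!symbol+0xoff.
FRAME_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]{8}\s+(?:[0-9a-f]{8}\s+){3}(\w+)!([^+\s]+)", re.I
)

# Constructed sample: same column layout as the trace above, shortened call
# chain, made-up addresses. Innermost frame first, as `kv` prints it.
SAMPLE = """\
ChildEBP RetAddr Args to Child
00001000 6d000010 00000000 00000000 00000000 mshtml!CStyleSheetArray::Apply+0x47a (FPO: [4,320,4])
00001100 6d000020 00000000 00000000 00000000 mshtml!CElement::ComputeFormats+0x3a (FPO: [2,0,4])
00001200 6d000030 00000000 00000000 00000000 mshtml!CElement::GetText+0xcd (FPO: [2,369,4])
00001300 6d000040 00000000 00000000 00000000 mshtml!CAttributeSelector::Match+0xdf (FPO: [1,5,4])
00001400 6d000050 00000000 00000000 00000000 mshtml!CStyleSheetArray::Apply+0x1e1 (FPO: [4,320,4])
00001500 6d000060 00000000 00000000 00000000 mshtml!CElement::ComputeFormats+0x3a (FPO: [2,0,4])
"""

def parse_frames(text):
    """Return [(child_ebp, 'module!symbol'), ...] for every frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # header and prompt lines do not match and are skipped
            frames.append((int(m.group(1), 16), f"{m.group(2)}!{m.group(3)}"))
    return frames

def repeated_frames(frames):
    """Map each symbol seen more than once to (frame_gap, stack_bytes)
    between its first two occurrences. A repeat is the mark of recursion;
    stack_bytes is the stack consumed by one trip around the cycle."""
    first, repeats = {}, {}
    for idx, (ebp, sym) in enumerate(frames):
        if sym not in first:
            first[sym] = (idx, ebp)
        elif sym not in repeats:
            i0, e0 = first[sym]
            repeats[sym] = (idx - i0, ebp - e0)
    return repeats

if __name__ == "__main__":
    for sym, (gap, size) in repeated_frames(parse_frames(SAMPLE)).items():
        print(f"{sym}: repeats after {gap} frames, {size} bytes of stack per cycle")
```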