Given that I wrote both the test harness and the code the crashes this falls firmly on me. I'll take a look.

Can't get it to crash on either stable or canary on windows 10. Do you happen to know which test cases a crash?

Descendant selector crashes reliably and immediately for me. More crash IDs:

6a09e30900000000
8a11e30900000000
6059e30900000000

Not the same function, but various font functions.

Interesting. Thank you.

All crashes are EXCEPTION_STACK_OVERFLOW. Not sure why it would cause a stock overflow all of a sudden though!

Happens only on Chrome x64.
Chrome x86 (running on win10 x64) runs the test fine.

lots of nested layout happening in these stacks. 64-bit has less stack space as the frames are larger, so could explain this happening only on that platform.

Is the page being rendered very complex with lots of deep nested html elements?

Lots of deeply nested elements, yes. This might be WAI.

I can confirm this causes a crash on stable 52.0.2743.116 (Official Build) m (64-bit) but it doens't on Canary 54.0.2835.0 (Official Build) canary (64-bit)

So I think this needs a bisect.

Depth of 1000 nodes. 
See http://www.robohornet.org/tests/descendantselector.html source

Right. The combination of the reduced stack space on 64bit and the increase in call stack depth due to text shaping pushes us over the limit.

LayoutNG will fix this by not having a recursive layout implementation but until then there isn't much we can do I'm afraid.

Thanks for your help wfh & mlregs.