The intermittent failures in bug 1608600 and bug 1625031 are (hopefully) about a poorly written test, but they also revealed a problem with the way I implemented cleaning up dangling remote window proxies.
When we change a BC from remote to local in BrowsingContext::SetDocShell(), we set mDanglingRemoteOuterProxies to true. Then later in nsGlobalWindowOuter::SetNewDocument(), if that flag is true, we use transplanting to turn all of the old remote window proxies into a local window proxy (or CCWs to that window proxy).
The problem is that if we try to wrap one of the old remote window proxies in between those two steps, then we hit a release assert in MaybeWrapWindowProxy(), because it seems bad that we're returning a remote window proxy for a local BC.
Now, maybe we shouldn't actually assert in that case, because that remote window proxy will eventually get turned into a proper local window proxy. Arguably, the real problem would happen if somebody tries to use the remote window proxy where the bc is local, but maybe we have other checks for that?
I'm not sure how much of a problem in practice this is. As this is a release assert, it should show up as crash reports where the crash reason is MOZ_RELEASE_ASSERT(isWindowProxy), but I don't see any. But maybe my searching is just bad.
This should also get a test.