In particular, this callstack:
#8 0x0349fa4c in DocumentViewerImpl::CallChildren (this=0x2472de70, aFunc=0x349d7d8 <SetChildFullZoom(nsIMarkupDocumentViewer*, void*)>, aClosure=0xbfffc774) at /Users/bzbarsky/mozilla/vanilla/mozilla/layout/base/nsDocumentViewer.cpp:2816
#9 0x034a59df in DocumentViewerImpl::SetFullZoom (this=0x2472de70, aFullZoom=1) at /Users/bzbarsky/mozilla/vanilla/mozilla/layout/base/nsDocumentViewer.cpp:2956
#10 0x03ebf58d in nsDocShell::SetupNewViewer (this=0x7c49030, aNewViewer=0x2472de70) at /Users/bzbarsky/mozilla/vanilla/mozilla/docshell/base/nsDocShell.cpp:7343
causes us to get kids off the docshell, but since the docshell hasn't dropped its old kids yet we end up traversing kids that don't actually belong to us. This triggers assertions in nsDocShell::GetVisibility in the kids, since we can't find the content node in the parent (the new viewer!) that contains the kid.
Created attachment 418100 [details] [diff] [review]
This will be in-testsuite once bug 500882 lands, effectively.