Created attachment 541767 [details] testcase (crashes Firefox when loaded) bp-4b872138-932e-4dbf-b72b-134d42110624 Regression between Jun 23 and Jun 24 nightly builds, I think.
With nsContainerFrame::RemoveFrame on stack, bug 654002 is the likely culprit.
Confirmed - reverting bug 654002 in a local build makes the crash go away.
I suspect that it's the "!mPrevContinuation" on line 3837 that is now true in cases where it didn't use to be... http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsTextFrameThebes.cpp#3823
Created attachment 541884 [details] Frame dump + stack The problem is that ClearAllTextRunReferences() depends on an intact next-continuation in order to clear mTextRun on the frames. I think this is worse than the problem bug 654002 was trying to solve, so I'll just back that out for now.
http://hg.mozilla.org/mozilla-central/rev/12b5e82f6ffd http://hg.mozilla.org/mozilla-central/rev/25c5fc68db1f Someone please mark bug 654002 as backed out on central since I can't access it.