Created attachment 541767 [details]
testcase (crashes Firefox when loaded)
Regression between Jun 23 and Jun 24 nightly builds, I think.
Created attachment 541768 [details]
With nsContainerFrame::RemoveFrame on stack, bug 654002 is the likely culprit.
Confirmed - reverting bug 654002 in a local build makes the crash go away.
I suspect that it's the "!mPrevContinuation" on line 3837 that is now
true in cases where it didn't use to be...
Created attachment 541884 [details]
Frame dump + stack
The problem is that ClearAllTextRunReferences() depends on an intact
next-continuation in order to clear mTextRun on the frames.
I think this is worse than the problem bug 654002 was trying to solve,
so I'll just back that out for now.
Someone please mark bug 654002 as backed out on central since I can't access it.