I got some sg:critical looking crashes while reducing this, but I wasn't able to get it crashing again once I had a reduced testcase. Because of the crashes with intermediate testcases, and because most bugs that trigger "ASSERTION: Some frame destructors were not called" can be used to cause exploitable crashes, I'm making this security-sensitive.

So I dunno what's going on here, but if I uncomment the code at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1278&mark=12936#12929 the assertion goes away. It also goes away on the reflow branch. I wonder whether this warning in non-reflow-branch builds: WARNING: blowing an incremental reflow targeted at a nested inline: file ../../../mozilla/layout/generic/nsBlockFrame.cpp, line 1735 is relevant...

I can't test whether the reflow branch landing fixed this bug until bug 363149 is fixed.

WFM with Mac trunk. Probably fixed by the reflow branch landing.

Sorry, I meant to add this: Jess told me that I needed to apply the patch in bug 334514 to test whether this assertion existed on the branch. I did so on the 1.8 branch and did not see the assertion in my build.

sounds like this one is ready to close. right?

Yeah, WFM based on comment 4 and comment 5.

Crashtest checked in.

Mass-assigning the new rtl keyword to RTL-related (see bug 349193).