Closed Bug 847076 Opened 12 years ago Closed 12 years ago

nsRange can get confused when it points into anonymous content.

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED DUPLICATE of bug 846096

People

(Reporter: khuey, Unassigned)

Attachments

(1 file)

Attached patch: Assertion (deleted)

+++ This bug was initially created as a clone of Bug #846096 +++

I'm filing a new bug so we don't have to deal with the noise while we fix it. From Bug 846096:

> So the problem is roughly this.
>
> We have an nsRange whose root is a <textarea>, and whose start and end pointers are in the native anonymous content for that <textarea>. When we tear down the frame tree we end up in HTMLTextAreaElement::UnbindFromFrame, and then nsTextEditorState::UnbindFromFrame. That ends up calling nsContentUtils::DestroyAnonymousContent on the root anonymous node. We set up an AnonymousContentDestroyer to run off a script runner and it calls UnbindFromTree on the root anonymous node. Thus mStart/EndParent no longer chain up to mRoot. But no ContentRemoved notification was ever fired, so the nsRange has no idea that it's messed up.
>
> This bug manifests because later the cycle collector runs and it unlinks the NAC before it unlinks the nsRange. The start and end parent end up with null parent pointers and this assertion fires. I believe that if we asserted that mStartParent and mEndParent chain up to mRoot that assertion would fire 100% of the time.

Attached is a patch that adds that assertion. If you apply this and run /toolkit/content/tests/chrome/test_bug451540.xul you'll see the problem.
Blocks: 846096
No longer depends on: 846096
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
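The failure mode quoted above, reduced to a toy model as an added example (this is not Gecko code and not the attached patch): a node tree with parent pointers, a Range stand-in that keeps the bug's member names (mRoot, mStartParent, mEndParent), and the invariant the patch asserts, that both boundary parents chain up to mRoot. Detaching the anonymous subtree without a ContentRemoved notification leaves the range pointing into a parentless subtree; delivering the notification first lets the range collapse its boundaries onto the textarea. The Node, Range, Fixture and chainsUpTo names are all hypothetical.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

// Toy DOM node (hypothetical, not Gecko's nsINode): parent pointer plus owned children.
struct Node {
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    Node* appendChild(std::unique_ptr<Node> child) {
        child->parent = this;
        children.push_back(std::move(child));
        return children.back().get();
    }

    // Detach `child` and hand ownership back to the caller. Like the
    // UnbindFromTree call in the bug, this nulls the parent pointer but
    // notifies nobody; any observer has to be told separately.
    std::unique_ptr<Node> removeChild(Node* child) {
        auto it = std::find_if(children.begin(), children.end(),
            [child](const std::unique_ptr<Node>& p) { return p.get() == child; });
        if (it == children.end()) return nullptr;
        std::unique_ptr<Node> detached = std::move(*it);
        children.erase(it);
        detached->parent = nullptr;
        return detached;
    }
};

// Follow parent pointers from `node` upward; true if `ancestor` is reached.
static bool chainsUpTo(const Node* node, const Node* ancestor) {
    for (const Node* n = node; n != nullptr; n = n->parent) {
        if (n == ancestor) return true;
    }
    return false;
}

// Hypothetical stand-in for nsRange, keeping the bug's member names.
struct Range {
    Node* mRoot = nullptr;
    Node* mStartParent = nullptr;
    Node* mEndParent = nullptr;

    // The invariant the attached patch asserts: both boundary parents must
    // still chain up to mRoot.
    bool boundariesChainUpToRoot() const {
        return chainsUpTo(mStartParent, mRoot) && chainsUpTo(mEndParent, mRoot);
    }

    // What a ContentRemoved notification lets the range do: a boundary that
    // sits inside the removed subtree is moved to the removed node's old parent.
    void contentRemoved(const Node* removed, Node* oldParent) {
        if (chainsUpTo(mStartParent, removed)) mStartParent = oldParent;
        if (chainsUpTo(mEndParent, removed)) mEndParent = oldParent;
    }
};

// Constructed tree: textarea -> anonymous root -> text node, with a collapsed
// range whose boundaries sit on the text node inside the anonymous content.
struct Fixture {
    std::unique_ptr<Node> textarea;
    Node* nacRoot;
    Node* textNode;
    Range range;
    Fixture()
        : textarea(std::make_unique<Node>()),
          nacRoot(textarea->appendChild(std::make_unique<Node>())),
          textNode(nacRoot->appendChild(std::make_unique<Node>())),
          range{textarea.get(), textNode, textNode} {}
};

// Teardown as the bug describes it: the anonymous content is unbound and no
// ContentRemoved fires. The subtree is kept alive here (as it is until the
// cycle collector unlinks it) so the stale boundary pointers can be inspected.
bool rangeValidAfterSilentTeardown() {
    Fixture f;
    std::unique_ptr<Node> stillAlive = f.textarea->removeChild(f.nacRoot);
    (void)stillAlive;
    return f.range.boundariesChainUpToRoot();  // false: boundaries chain to a parentless NAC root
}

// Same teardown, but the range hears ContentRemoved before the subtree goes:
// the boundaries collapse onto the textarea and the invariant holds.
bool rangeValidAfterNotifiedTeardown() {
    Fixture f;
    f.range.contentRemoved(f.nacRoot, f.textarea.get());
    std::unique_ptr<Node> stillAlive = f.textarea->removeChild(f.nacRoot);
    (void)stillAlive;
    return f.range.boundariesChainUpToRoot();  // true
}

int main() {
    std::printf("silent teardown keeps invariant:   %s\n", rangeValidAfterSilentTeardown() ? "yes" : "no");
    std::printf("notified teardown keeps invariant: %s\n", rangeValidAfterNotifiedTeardown() ? "yes" : "no");
    return 0;
}
```

The check in boundariesChainUpToRoot is the kind of assertion the reporter proposes: it fails deterministically at the moment the anonymous content is unbound, rather than only later when the cycle collector happens to unlink the NAC before the range and the parent pointers are already null.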