diff --git a/layout/generic/crashtests/660416.html b/layout/generic/crashtests/660416.html
new file mode 100644
index 000000000000..d9a42d419ea5
--- /dev/null
+++ b/layout/generic/crashtests/660416.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  document.documentElement.offsetHeight;
+  var n = document.getElementById("a").firstChild;
+  n.data = "";
+  n.data = "z";
+}
+
+</script>
+</head>
+<body onload="boom();" style="-moz-column-count: 3;"><span id="a">x&#x202E;</span><span>y</span></body>
+</html>
diff --git a/layout/generic/crashtests/crashtests.list b/layout/generic/crashtests/crashtests.list
index a42bddf71259..cc5cfe644c21 100644
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -359,3 +359,4 @@ load 646561-1.html
 load 646983-1.html
 load 647332-1.html
 load 650499-1.html
+load 660416.html
diff --git a/layout/generic/nsTextFrameThebes.cpp b/layout/generic/nsTextFrameThebes.cpp
index 1d807700e114..e8baf8f0b845 100644
--- a/layout/generic/nsTextFrameThebes.cpp
+++ b/layout/generic/nsTextFrameThebes.cpp
@@ -626,28 +626,27 @@ PRInt32 nsTextFrame::GetInFlowContentLength() {
     return mContent->TextLength() - mContentOffset;
   }
 
-  nsTextFrame* nextBidi = nsnull;
-  PRInt32      start = -1, end, endFlow;
   FlowLengthProperty* flowLength =
     static_cast<FlowLengthProperty*>(mContent->GetProperty(nsGkAtoms::flowlength));
 
-  if (flowLength && flowLength->mStartOffset <= mContentOffset &&
+  /**
+   * This frame must start inside the cached flow. If the flow starts at
+   * mContentOffset but this frame is empty, logically it might be before the
+   * start of the cached flow.
+   */
+  if (flowLength && 
+      (flowLength->mStartOffset < mContentOffset ||
+       (flowLength->mStartOffset == mContentOffset && GetContentEnd() > mContentOffset)) &&
       flowLength->mEndFlowOffset > mContentOffset) {
 #ifdef DEBUG
-    GetOffsets(start, end);
-    NS_ASSERTION(flowLength->mEndFlowOffset >= end,
-                 "frame crosses fixed continuation boundary");
+    NS_ASSERTION(flowLength->mEndFlowOffset >= GetContentEnd(),
+		 "frame crosses fixed continuation boundary");
 #endif
     return flowLength->mEndFlowOffset - mContentOffset;
   }
 
-  nextBidi = static_cast<nsTextFrame*>(GetLastInFlow()->GetNextContinuation());
-  if (nextBidi) {
-    nextBidi->GetOffsets(start, end);
-    endFlow = start;
-  } else {
-    endFlow = mContent->TextLength();
-  }
+  nsTextFrame* nextBidi = static_cast<nsTextFrame*>(GetLastInFlow()->GetNextContinuation());
+  PRInt32 endFlow = nextBidi ? nextBidi->GetContentOffset() : mContent->TextLength();
 
   if (!flowLength) {
     flowLength = new FlowLengthProperty;