diff --git a/layout/generic/crashtests/503961-1.xhtml b/layout/generic/crashtests/503961-1.xhtml
new file mode 100644
index 000000000000..920b73824568
--- /dev/null
+++ b/layout/generic/crashtests/503961-1.xhtml
@@ -0,0 +1,25 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<style type="text/css">
+  #colset    { -moz-column-count: 3; }
+  #a         { height: 0px; }
+  #b         { height: 2px; }
+  #c         { height: 1px; }
+  #d         { height: 2px; }
+  #e         { height: 2px; }
+</style>
+<script type="text/javascript">
+function boom()
+{
+  document.getElementById("a").style.height = "auto";
+  document.getElementById("d").style.height = "auto";
+}
+</script>
+</head>
+<body onload="boom();"
+  ><div id="colset"
+    ><div id="a"><div id="b"/></div
+    ><div id="c"><div id="d"/><div id="e"/></div
+  ></div
+></body>
+</html>
diff --git a/layout/generic/crashtests/503961-2.html b/layout/generic/crashtests/503961-2.html
new file mode 100644
index 000000000000..5b87b5855ff9
--- /dev/null
+++ b/layout/generic/crashtests/503961-2.html
@@ -0,0 +1,32 @@
+<html>
+<head>
+  <style>
+    #colset { -moz-column-count: 3; }
+    #a { height: 0;   }
+    #x { height: 3px; }
+    #b { height: 0;   }
+    #c { height: 2px; }
+    #d { height: 2px; }
+
+    /* Following style is just for visualization -- doesn't affect assertion */
+    #colset { -moz-column-gap: 0px; width: 18px; }
+    div { width: 5px;         }
+    #a  { background: purple; }
+    #x  { background: orange; }
+    #b  { background: blue;   }
+    #c  { background: black;  }
+    #d  { background: lime;   }
+  </style>
+  <script>
+    function boom()
+    {
+      document.getElementById("a").style.height = "auto";
+      document.getElementById("c").style.height = "0";
+    }
+  </script>
+</head>
+<body onload="boom()" id="colset"
+  ><div id="a"><div id="x"></div></div
+  ><div id="b"><div id="c"></div><div id="d"></div></div
+></body>
+</html>
diff --git a/layout/generic/crashtests/crashtests.list b/layout/generic/crashtests/crashtests.list
index 1efdf1105b78..884224c76097 100644
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -264,6 +264,8 @@ load 493118-1.html
 load 494300-1.xul
 load 494332-1.html
 load 501535-1.html
+load 503961-1.xhtml
+load 503961-2.html
 load 505912-1.html
 # load 508115-1.html
 load 511482.html
diff --git a/layout/generic/nsBlockFrame.cpp b/layout/generic/nsBlockFrame.cpp
index 83cb90d3bad4..7eed2844c9e3 100644
--- a/layout/generic/nsBlockFrame.cpp
+++ b/layout/generic/nsBlockFrame.cpp
@@ -935,17 +935,6 @@ nsBlockFrame::Reflow(nsPresContext*           aPresContext,
     return NS_OK;
   }
 
-  // Handle paginated overflow (see nsContainerFrame.h)
-  // Note: We use a temporary reflow status, which we'll merge into the state's
-  // reflow status down below.
-  nsRect ocBounds;
-  nsReflowStatus ocStatus = NS_FRAME_COMPLETE;
-  if (GetPrevInFlow()) {
-    ReflowOverflowContainerChildren(aPresContext, aReflowState, ocBounds, 0,
-                                    ocStatus);
-  }
-
-
   PRBool marginRoot = BlockIsMarginRoot(this);
   nsBlockReflowState state(aReflowState, aPresContext, this, aMetrics,
                            marginRoot, marginRoot, needFloatManager);
@@ -965,9 +954,22 @@ nsBlockFrame::Reflow(nsPresContext*           aPresContext,
   // overflow lines hanging around; block reflow depends on the
   // overflow line lists being cleared out between reflow passes.
   DrainOverflowLines(state);
-  DrainFloatContinuations(state);
 
-  // Handle float continuations
+  // Handle paginated overflow (see nsContainerFrame.h)
+  nsRect ocBounds;
+  nsReflowStatus ocStatus = NS_FRAME_COMPLETE;
+  if (GetPrevInFlow()) {
+    ReflowOverflowContainerChildren(aPresContext, aReflowState, ocBounds, 0,
+                                    ocStatus);
+  }
+
+  // Now that we're done cleaning up our overflow container lists, we can
+  // give |state| its nsOverflowContinuationTracker.
+  nsOverflowContinuationTracker tracker(aPresContext, this, PR_FALSE);
+  state.mOverflowTracker = &tracker;
+
+  // Drain & handle float continuations
+  DrainFloatContinuations(state);
   nsRect fcBounds;
   nsReflowStatus fcStatus = NS_FRAME_COMPLETE;
   rv = ReflowFloatContinuations(state, fcBounds, fcStatus);
@@ -1947,7 +1949,7 @@ nsBlockFrame::ReflowDirtyLines(nsBlockReflowState& aState)
       // further on the reflow before interrupting.
       aState.mPresContext->CheckForInterrupt(this);
     } else {
-      aState.mOverflowTracker.Skip(line->mFirstChild, aState.mReflowStatus);
+      aState.mOverflowTracker->Skip(line->mFirstChild, aState.mReflowStatus);
         // Nop except for blocks (we don't create overflow container
         // continuations for any inlines atm), so only checking mFirstChild
         // is enough
@@ -3164,7 +3166,7 @@ nsBlockFrame::ReflowBlockFrame(nsBlockReflowState& aState,
             // If nextFrame used to be an overflow container, make it a normal block
             if (!madeContinuation &&
                 (NS_FRAME_IS_OVERFLOW_CONTAINER & nextFrame->GetStateBits())) {
-              aState.mOverflowTracker.Finish(frame);
+              aState.mOverflowTracker->Finish(frame);
               nsContainerFrame* parent =
                 static_cast<nsContainerFrame*>(nextFrame->GetParent());
               rv = parent->StealFrame(aState.mPresContext, nextFrame);
@@ -3245,7 +3247,7 @@ nsBlockFrame::ReflowBlockFrame(nsBlockReflowState& aState,
             }
 
             // Put it in our overflow list
-            aState.mOverflowTracker.Insert(nextFrame, frameReflowStatus);
+            aState.mOverflowTracker->Insert(nextFrame, frameReflowStatus);
             NS_MergeReflowStatusInto(&aState.mReflowStatus, frameReflowStatus);
 
 #ifdef NOISY_VERTICAL_MARGINS
diff --git a/layout/generic/nsBlockReflowContext.cpp b/layout/generic/nsBlockReflowContext.cpp
index d3ab508e90e5..f9d4637eb09d 100644
--- a/layout/generic/nsBlockReflowContext.cpp
+++ b/layout/generic/nsBlockReflowContext.cpp
@@ -349,7 +349,7 @@ nsBlockReflowContext::ReflowBlock(const nsRect&       aSpace,
         // Floats will eventually be removed via nsBlockFrame::RemoveFloat
         // which detaches the placeholder from the float.
 /* XXX promote DeleteChildsNextInFlow to nsIFrame to elminate this cast */
-        aState.mOverflowTracker.Finish(mFrame);
+        aState.mOverflowTracker->Finish(mFrame);
         static_cast<nsHTMLContainerFrame*>(kidNextInFlow->GetParent())
           ->DeleteNextInFlowChild(mPresContext, kidNextInFlow, PR_TRUE);
       }
diff --git a/layout/generic/nsBlockReflowState.cpp b/layout/generic/nsBlockReflowState.cpp
index dc07b8f6c617..4822ad9e8607 100644
--- a/layout/generic/nsBlockReflowState.cpp
+++ b/layout/generic/nsBlockReflowState.cpp
@@ -68,7 +68,7 @@ nsBlockReflowState::nsBlockReflowState(const nsHTMLReflowState& aReflowState,
   : mBlock(aFrame),
     mPresContext(aPresContext),
     mReflowState(aReflowState),
-    mOverflowTracker(aPresContext, aFrame, PR_FALSE),
+    mOverflowTracker(nsnull),
     mPrevBottomMargin(),
     mLineNumber(0),
     mFlags(0),
diff --git a/layout/generic/nsBlockReflowState.h b/layout/generic/nsBlockReflowState.h
index 31bc19d130a1..a7880ef8409e 100644
--- a/layout/generic/nsBlockReflowState.h
+++ b/layout/generic/nsBlockReflowState.h
@@ -240,7 +240,7 @@ public:
   }
 
   // Track child overflow continuations.
-  nsOverflowContinuationTracker mOverflowTracker;
+  nsOverflowContinuationTracker* mOverflowTracker;
 
   //----------------------------------------