diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp
index 21cac7bb28e..4423a19cc8b 100644
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -10802,8 +10802,12 @@ nsCSSFrameConstructor::ReplicateFixedFrames(nsPageContentFrame* aParentFrame)
   }
 
   //XXXbz Should mInitialContainingBlock be docRootFrame? It probably doesn't matter.
+  // Don't allow abs-pos descendants of the fixed content to escape the content.
+  // This should not normally be possible (because fixed-pos elements should
+  // be absolute containers) but fixed-pos tables currently aren't abs-pos
+  // containers.
   nsFrameConstructorState state(mPresShell, aParentFrame,
-                                mInitialContainingBlock,
+                                nsnull,
                                 mInitialContainingBlock);
 
   // Iterate across fixed frames and replicate each whose placeholder is a
diff --git a/layout/generic/nsBlockReflowState.cpp b/layout/generic/nsBlockReflowState.cpp
index e97452a47a4..8f30364e691 100644
--- a/layout/generic/nsBlockReflowState.cpp
+++ b/layout/generic/nsBlockReflowState.cpp
@@ -203,7 +203,10 @@ nsBlockReflowState::ComputeBlockAvailSpace(nsIFrame* aFrame,
   aResult.y = mY;
   aResult.height = GetFlag(BRS_UNCONSTRAINEDHEIGHT)
     ? NS_UNCONSTRAINEDSIZE
-    : mBottomEdge - mY;
+    : PR_MAX(0, mBottomEdge - mY);
+  // mY might be greater than mBottomEdge if the block's top margin pushes
+  // it off the page/column. Negative available height can confuse other code
+  // and is nonsense in principle.
 
   const nsMargin& borderPadding = BorderPadding();