Caching the document object from an IFrame and then destroying the IFrame via outerHTML replacement left a dangling document reference. Writing to the body of that stale document caused an access violation in IE9’s MSHTML.
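iDoc = window[0].document; // cache the IFrame's document object
document.getElementById("oIFrame").outerHTML = 1; // replace the IFrame element, destroying it
iDoc.body.innerText = 1; // Crash: write through the stale document reference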
This was one of three related crashes found on the same day (all dated 2010-05-17). The pattern — cache a reference, destroy the owning container, then use the reference — was a reliable method for triggering use-after-free conditions across multiple object types in the IE9 beta.
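The cache, destroy, use sequence above, replayed against a small C++ model in which the script-side handle holds a weak reference and refuses the write once the owning frame is gone. This is an added example, not MSHTML code or the author's; `Document`, `Frame`, `DocHandle` and `replayCacheDestroyUse` are hypothetical names, and it does not describe how the IE9 bug was actually fixed.

```cpp
#include <memory>
#include <string>

// Constructed model (not MSHTML code): a frame owns its document, and
// script only ever receives a handle to that document.
struct Document {
    std::string bodyText;
};

struct Frame {
    std::shared_ptr<Document> doc = std::make_shared<Document>();
};

// Handle given to script. It stores a weak_ptr, so it never keeps the
// document alive by itself and can tell when the owner has been destroyed.
class DocHandle {
    std::weak_ptr<Document> ref_;
public:
    explicit DocHandle(const Frame& f) : ref_(f.doc) {}

    bool alive() const { return !ref_.expired(); }

    // Returns false instead of writing when the document no longer exists.
    bool setBodyText(const std::string& text) {
        auto live = ref_.lock();   // pins the object for the duration of the write
        if (!live) return false;   // stale handle: reject, do not dereference
        live->bodyText = text;
        return true;
    }
};

// Replays the three steps from the post against the model.
// Returns true when the write after destruction was rejected.
bool replayCacheDestroyUse() {
    auto frame = std::make_unique<Frame>();
    DocHandle iDoc(*frame);                 // 1. cache the reference
    bool before = iDoc.setBodyText("0");    // write works while the frame exists
    frame.reset();                          // 2. destroy the owning container
    bool after = iDoc.setBodyText("1");     // 3. use the cached reference
    return before && !after && !iDoc.alive();
}

int main() { return replayCacheDestroyUse() ? 0 : 1; }
```

With a raw `Document*` in place of the `weak_ptr`, step 3 would write into freed memory, which is the condition the post describes.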
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.