Another of the three crashes found on 2010-05-17. Caching a Range object obtained via getSelection().getRangeAt(0) from an IFrame and then reloading that IFrame left a range pointing into freed markup. Using the range afterward caused a crash.

badRange = window[0].getSelection().getRangeAt(0);
window[0].location.reload();
alert(badRange); // Crash

Even something as innocuous as converting the range to a string triggered the access violation, since the toString path had to dereference the underlying markup pointers that had already been freed by the reload.
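A simplified model of this lifetime bug and of one common defensive pattern (the markup tracks its live ranges and detaches them before teardown), added here as an illustration and not taken from the original post or from Internet Explorer's code. The names Markup, ModelRange, Frame and cacheThenReload are hypothetical, and the thrown error stands in for the native access violation.

```javascript
// Simplified model, constructed for illustration; not Internet Explorer's code.
class Markup {
  constructor(text) {
    this.text = text;
    this.freed = false;
    this.ranges = new Set(); // live ranges pointing into this markup
  }
  // Teardown on reload. With detachRanges, every range is invalidated first.
  free(detachRanges) {
    if (detachRanges) for (const r of this.ranges) r.detach();
    this.ranges.clear();
    this.text = null;
    this.freed = true;
  }
}
class ModelRange {
  constructor(markup, start, end) {
    this.markup = markup; this.start = start; this.end = end;
    markup.ranges.add(this);
  }
  detach() { this.markup = null; }
  toString() {
    if (this.markup === null) return ""; // detached: nothing left to dereference
    // In native code this branch is the read of freed memory; the model throws.
    if (this.markup.freed) throw new Error("stale range: markup was freed");
    return this.markup.text.slice(this.start, this.end);
  }
}
class Frame {
  constructor(text, detachRanges) {
    this.source = text; this.detachRanges = detachRanges;
    this.markup = new Markup(text);
  }
  getRangeAt0() { return new ModelRange(this.markup, 0, 5); }
  reload() {
    this.markup.free(this.detachRanges);
    this.markup = new Markup(this.source);
  }
}
// Same sequence as the repro: cache the range, reload, then stringify it.
function cacheThenReload(detachRanges) {
  const frame = new Frame("hello world", detachRanges);
  const cached = frame.getRangeAt0();
  const before = String(cached);
  frame.reload();
  try { return { before, after: String(cached), error: null }; }
  catch (e) { return { before, after: null, error: e.message }; }
}
```

Calling cacheThenReload(false) reproduces the stale dereference in the model, while cacheThenReload(true) shows the cached range stringifying to an empty string after the reload.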

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.