Opening a blank window and then navigating it to a real URL caused a crash in the VMware SVGA 3D driver (vm3dum.dll) when IE9 was running inside a VMware virtual machine. The IE WebGraphics team requested the bug be filed, as it was unclear whether the fault lay in the driver or in IE9’s Direct3D rendering path.
win = window.open('about:blank', '_myWindow');
setTimeout('win.location.replace("http://www.google.com");', 100);The crash occurred in vm3dum!OpenAdapter+0xfdda while IE9 was drawing underlined text during the first paint of the new page. The call stack went from MSHTML!CLineServicesClient::DrawUnderline through d2d1!CD3DDeviceLevel1::DrawDynamicVB into the VMware driver, where a null pointer was dereferenced. The !analyze -v output classified it as NULL_CLASS_PTR_DEREFERENCE_PROBABLYEXPLOITABLE.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.