Enumerating the properties of a reference to an HTML Object element that hosted non-HTML content (XAML, XPS, PDF, etc.) via a for...in loop caused a crash in IE9’s JScript9 engine. The crash occurred in ForInObjectEnumerator::MoveNext when walking the dispatch ID list of the COM object.
<iframe name="iFrame" src="xaml.xaml"></iframe>function main() {
iFrameXamlObject = iFrame.Image().ownerDocument.all[0];
for (var i in iFrameXamlObject) 1; // Crash
}The XAML-hosting Object element exposed a COM dispatch interface that did not handle the GetNextDispID → MoveNext enumeration chain safely. Accessing iFrame.Image().ownerDocument.all[0] obtained a reference to the Object element inside the XAML IFrame, and iterating its properties caused jscript9!Js::ForInObjectEnumerator::MoveNext to dereference a null pointer.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.