Caching the window reference of an IFrame, calling execScript on it to prime the scripting engine, and then destroying the IFrame’s DOM node before calling location.reload() on the cached window caused a crash in IE9.

wIFrame = window[0];
wIFrame.execScript();
document.getElementById("oIFrame").outerHTML = 1;
wIFrame.location.reload(); // Crash

The reload attempted to navigate a window whose backing DOM node no longer existed. The scripting engine had a live reference to the window object, but the MSHTML layer expected the IFrame element to be present in the document tree when processing a reload, and the mismatch caused an access violation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.