Setting a built-in window method to null and then calling it inside a modeless dialog caused a crash in IE. The engine did not validate that a method was still callable before dispatching through the null pointer.
win = showModelessDialog("dummy.html", window);
win.execScript("window.alert = null; alert();"); // Crash
Assigning null to window.alert replaced the native method reference. When the engine subsequently tried to call alert(), it found null where it expected a function pointer and dereferenced it, causing an access violation. Proper null-checking before native method dispatch would have prevented this.
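The null check described above, as an added example in C. This is a simplified model written for this page, not IE's actual code: the slot table, `set_member`, `invoke_member` and the `DISPATCH_*` codes are all hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a host object whose built-in methods live in
   script-writable slots. Not IE's actual data structures. */
typedef int (*native_fn)(const char *arg);
enum { DISPATCH_OK = 0, DISPATCH_NOT_FOUND = -1, DISPATCH_NOT_CALLABLE = -2 };
struct slot { const char *name; native_fn fn; };

static int alert_calls;  /* counts invocations of the stub below */
static int native_alert(const char *arg) { (void)arg; return ++alert_calls; }

static struct slot window_slots[] = { { "alert", native_alert } };
#define NSLOTS (sizeof window_slots / sizeof window_slots[0])

static struct slot *find_slot(const char *name) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (strcmp(window_slots[i].name, name) == 0)
            return &window_slots[i];
    return NULL;
}

/* Models a script assignment such as `window.alert = null`. */
int set_member(const char *name, native_fn value) {
    struct slot *s = find_slot(name);
    if (!s) return DISPATCH_NOT_FOUND;
    s->fn = value;
    return DISPATCH_OK;
}

/* Hardened dispatch: the slot is validated at call time, so a nulled
   method becomes a recoverable error instead of a call through NULL.
   The unchecked form would be `return find_slot(name)->fn(arg);`. */
int invoke_member(const char *name, const char *arg, int *result) {
    struct slot *s = find_slot(name);
    if (!s) return DISPATCH_NOT_FOUND;
    if (s->fn == NULL) return DISPATCH_NOT_CALLABLE;
    *result = s->fn(arg);
    return DISPATCH_OK;
}

int main(void) {
    int r = 0;
    invoke_member("alert", "hi", &r);   /* normal call succeeds */
    set_member("alert", NULL);          /* script nulls the method */
    return invoke_member("alert", "hi", &r) == DISPATCH_NOT_CALLABLE ? 0 : 1;
}
```

The check has to happen on every dispatch rather than once at object creation, because the slot can be overwritten at any point between calls.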
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.