Right. But your post shows that you can reliably get the browser to crash. It doesn't demonstrate that the crash is exploitable, unless I'm missing something.

I was able to prove that it was potentially exploitable to MSRC, which is how I got them to fix it. There are a lot of non-exploitable crashes such as null pointer dereferences that MSRC will not consider as security bugs.