Coming from V8 and landing in JavaScriptCore. Building the addrof/fakeobj/read64/write64 ladder from a single out-of-bounds write, and the JSC-specific walls (the gigacage, butterflies, NaN-boxing) that make the last step harder than it is in V8.