The addrof and fakeobj internal functions have to be called twice because they call AddrGetter too many times.
The fix was to make it so that it is only called 10,000 times instead of 100,000.
Change:

```js
for (var i = 0; i < 100000; ++i)
    AddrGetter(array);
```

to

```js
for (var i = 0; i < 10000; ++i) // fixed
    AddrGetter(array);
```
This happens because the function is compiled with the DFG and FTL JIT when you call it 100,000 times, whereas when it is called only 10,000 times it is only compiled with the DFG JIT.
I don't know why this works but it does.
All this work was done by @LiveOverflow. He made these changes in his browser exploitation video series, and I just decided to make them into a pull request. The original code is at https://gist.github.com/LiveOverflow/ee5fb772334ec985094f77c91be60492.