
Prepare the Blocks

This step is straightforward. We use the following JavaScript:
for(i=901; i<1000; i+=2){
   bigdummy[i][0] = new Number(i);
}
The statement bigdummy[i][0] = new Number(i) creates a new NumberInstance object and stores a pointer to this object in the ArrayStorage object corresponding to bigdummy[i]. Figure 5 depicts a portion of the heap after this JavaScript runs.



jake 2008-07-14