JSTests/ChakraCore/test/Closures/closure-qmark.js - WebKit - Git at Google

 //-------------------------------------------------------------------------------------------------------
 // Copyright (C) Microsoft. All rights reserved.
 // Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
 //-------------------------------------------------------------------------------------------------------

 // Try variants of a pattern known to cause exploitable trashing of the Null
 // object's vtable: access a local var/function only within the non-evaluated
 // branch of a ?: operator, then do instanceof null to force virtual call using
 // the Null object's vtable.

 function write(x) { WScript.Echo(x + ''); }

 (function () {
     (function () {
         return true ? true : x;
     })();
     function x() { };
 })();
 try {
     var z = Object instanceof null;
 }
 catch (e) {
     write(e.message);
 }

 (function () {
     (function () {
         return true ? true : x;
     })();
     var x;
 })();
 try {
     var z = Object instanceof null;
 }
 catch (e) {
     write(e.message);
 }

 (function () {
     (function () {
         return false ? x : false;
     })();
     function x() { };
 })();
 try {
     var z = Object instanceof null;
 }
 catch (e) {
     write(e.message);
 }

 (function () {
     (function () {
         return false ? x : false;
     })();
     var x;
 })();
 try {
     var z = Object instanceof null;
 }
 catch (e) {
     write(e.message);
 }
	//-------------------------------------------------------------------------------------------------------
	// Copyright (C) Microsoft. All rights reserved.
	// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
	//-------------------------------------------------------------------------------------------------------

	// Try variants of a pattern known to cause exploitable trashing of the Null
	// object's vtable: access a local var/function only within the non-evaluated
	// branch of a ?: operator, then do instanceof null to force virtual call using
	// the Null object's vtable.

	function write(x) { WScript.Echo(x + ''); }

	(function () {
	(function () {
	return true ? true : x;
	})();
	function x() { };
	})();
	try {
	var z = Object instanceof null;
	}
	catch (e) {
	write(e.message);
	}

	(function () {
	(function () {
	return true ? true : x;
	})();
	var x;
	})();
	try {
	var z = Object instanceof null;
	}
	catch (e) {
	write(e.message);
	}

	(function () {
	(function () {
	return false ? x : false;
	})();
	function x() { };
	})();
	try {
	var z = Object instanceof null;
	}
	catch (e) {
	write(e.message);
	}

	(function () {
	(function () {
	return false ? x : false;
	})();
	var x;
	})();
	try {
	var z = Object instanceof null;
	}
	catch (e) {
	write(e.message);
	}