In this challenge, a patch is applied to ComputeDataFieldAccessInfo, which removes some elements that should have been added to unrecorded_dependencies, which also makes constness to be always kConst. The problem is JIT code that depends on some specific map will not be deoptimized when it should be, and this further causes type confusion in JIT code. Then, we can regard a object pointer as an unboxed double, and vice versa, which gives leak and ability to fake object, so we can fake an ArrayBuffer to achieve arbitrary R&W.

Original writeup (https://mem2019.github.io/jekyll/update/2019/09/16/Real-World-2019-Accessible.html).