Off-by-one causing type confusion. Here is the challenge. Build the environment according to https://github.com/m1ghtym0/browser-pwn, then check out v8 version 7.5.0 and apply the patch.
Incorrectly computing the array's length, giving out-of-bounds access that is turned into an arbitrary address read (AAR) and write (AAW). See the README. I wrote the exploit after reading the official writeup and the v8 exploit tutorial.
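Added example, not the exploit from this repo or from the challenge authors: the value-conversion helpers that every v8 AAR/AAW exploit of this kind needs once an out-of-bounds read/write on a double array exists. Leaked pointers come out of the array as doubles, and forged pointers have to go back in as doubles, so the exploit reinterprets bits with a shared ArrayBuffer rather than converting values. The tagging helpers assume the x64 layout of the v8 7.5 era (64-bit tagged words, no pointer compression): a HeapObject pointer has its low bit set, and a Smi keeps its 32-bit integer in the upper half of the word. Nothing here touches the bug itself; it runs in any Node.js.

```javascript
// Added example (not the repo's exploit code). Helpers for moving raw 64-bit
// words in and out of a double array once an OOB read/write primitive exists.
const buf = new ArrayBuffer(8);
const f64 = new Float64Array(buf);     // view as one double
const u64 = new BigUint64Array(buf);   // same bytes as one unsigned 64-bit int

// Reinterpret the bits of a double (as read OOB from a double array) as u64.
function ftoi(f) { f64[0] = f; return u64[0]; }

// Reinterpret a u64 (e.g. a forged pointer) as the double to store into the array.
function itof(i) { u64[0] = BigInt.asUintN(64, i); return f64[0]; }

// Split a word into its two 32-bit halves; useful when a slot holds two fields.
function lo32(i) { return Number(i & 0xffffffffn); }
function hi32(i) { return Number((i >> 32n) & 0xffffffffn); }

// Assumption: v8 7.5 x64 without pointer compression.
// HeapObject pointers carry tag bit 1; Smis are (value << 32) with low bit 0.
function isHeapObject(w) { return (w & 1n) === 1n; }
function untag(p) { return p & ~1n; }        // tagged pointer -> real address
function tag(p) { return p | 1n; }           // real address -> tagged pointer
function smi(n) { return BigInt.asUintN(64, BigInt(n) << 32n); }
function unsmi(w) { return Number(BigInt.asIntN(32, w >> 32n)); }

// Hex formatting for debugging leaked words.
function hex(i) { return '0x' + BigInt.asUintN(64, i).toString(16).padStart(16, '0'); }

// Classify a leaked word the way you would while inspecting OOB reads.
function describe(w) {
  return isHeapObject(w) ? `HeapObject ${hex(untag(w))}` : `Smi ${unsmi(w)}`;
}

// Round-trip demonstration: a fake pointer survives being stored as a double
// and read back, as long as it is not a NaN bit pattern (avoid 0x7ff8... etc).
const fakePtr = tag(0x00005555deadbee0n);
const asDouble = itof(fakePtr);
console.log(describe(ftoi(asDouble)));   // HeapObject 0x00005555deadbee0
console.log(describe(smi(-5)));          // Smi -5
```

The NaN caveat matters in practice: a word whose top 12 bits look like a NaN exponent may be canonicalised by the engine when it passes through a double array, so addresses that fall in that range cannot be smuggled this way; user-space heap addresses do not, which is why the trick works.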
JIT bug causing type confusion. Exploited by abusing FastProperties and DictionaryProperties objects. http://www.phrack.org/papers/jit_exploitation.html