Chrome suffers from a copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess.