WebKit vulnerability CVE-2016-4657, the first of the “Trident” suite of vulnerability disclosures, originally targeted Safari running on iOS prior to 9.3.5.
CVE-2016-4657 allows an attacker to cause an object to be culled by the garbage collector while remaining active in the Javascript engine. By loading a large number of other objects into memory, you can have two objects pointing to the same memory region.
This PDF describes details of exploiting this bug, although some of it is wrong according to Daeken. [specify?]