TEST 1 (setting up and triggering the vulneability?)

TEST 2 (Some sort of deallocation of arr object? i ain't got any knowledge about javascript tbh)

TEST 3 (test if succesfully triggered?)

TEST 4 (acquiring an arbitary read/write primitive?)

TEST 5 (native code execution?)

TEST 6 (evading detection?)

PDF about the iOS 9 Pegasus exploit (CREDITS TO PSXHAX member vettegast for finding)