
Why can't JavaScript shellcode vulnerabilities be fixed by Data Execution Prevention?

Updated: 2023-09-11 21:31:34

To answer your question we first need to define Data Execution Prevention, Just In Time Compilation and JIT Spraying.

Data Execution Prevention is a security feature that prohibits the execution of code from a non-executable memory area. DEP can be implemented by hardware mechanisms such as the NX bit and/or by software mechanisms that add runtime checks.

Just In Time (JIT) compilers are dynamic compilers that translate byte codes during run time to machine code. The goal is to combine the advantages of interpreted code and the speed of compiled code. It should compile methods only if the extra time spent in compilation can be amortized by the performance gain expected from the compiled code. [1]

JIT spraying is the process of coercing the JIT engine to write many executable pages with embedded shellcode.

[...]

For example, a Javascript statement such as "var x = 0x41414141 + 0x42424242;" might be compiled to contain two 4 byte constants in the executable image (for example, "mov eax, 0x41414141; mov ecx, 0x42424242; add eax, ecx"). By starting execution in the middle of these constants, a completely different instruction stream is revealed.

[...]

The key insight is that the JIT is predictable and must copy some constants to the executable page. Given a uniform statement (such as a long sum or any repeating pattern), those constants can encode small instructions and then control flow to the next constant's location. [2]

Advanced techniques, beyond the scope of this answer, must then be used to find the address of the JIT sprayed block and trigger the exploit.

It should now be clear:

If the attacker's code is generated by the JIT engine, it will also reside in the executable area. In other words, DEP is not involved in the protection of code emitted by the JIT compiler. [3]
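The following Python script is an added illustration and is not part of the original answer. It decodes the exact byte pattern the answer quotes (`mov eax, 0x41414141; mov ecx, 0x42424242; add eax, ecx`) starting at offset 0 and at offset 1, so you can see that the bytes of an attacker-chosen immediate form their own instruction stream once control lands inside them; this is the reason a non-executable-memory control like DEP has nothing to act on. It then shows the defensive counterpart, constant blinding: the emitter stores `value ^ key` with a per-compilation random key and XORs the key back at run time, so the attacker-chosen bytes never reach the code page while the computed result is unchanged. The hand-written `emit_*` functions stand in for a JIT and cover only this handful of x86-32 opcodes; the blinding layout is the generic scheme, not the exact code any particular engine emits.

```python
"""Added example (not from the original answer): decode the answer's byte
pattern from two starting offsets, then show constant blinding.
Only the handful of x86-32 opcodes needed here are modelled."""
import os
import struct

# One-byte opcodes. 0x40-0x43 are `inc reg`: exactly what the 0x41/0x42
# bytes of the answer's immediates turn into when decoded out of alignment.
ONE_BYTE = {0x40: "inc eax", 0x41: "inc ecx", 0x42: "inc edx", 0x43: "inc ebx", 0x90: "nop"}
MOV_IMM32 = {0xB8: "eax", 0xB9: "ecx", 0xBA: "edx", 0xBB: "ebx"}  # B8+r imm32


def decode(code: bytes, start: int = 0):
    """Linear-sweep disassembly from byte offset `start`; returns [(offset, mnemonic), ...]."""
    out, i = [], start
    while i < len(code):
        op = code[i]
        if op in ONE_BYTE:
            out.append((i, ONE_BYTE[op]))
            i += 1
        elif op in MOV_IMM32 and i + 5 <= len(code):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, f"mov {MOV_IMM32[op]}, 0x{imm:08x}"))
            i += 5
        elif op == 0x35 and i + 5 <= len(code):  # 35 id: xor eax, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, f"xor eax, 0x{imm:08x}"))
            i += 5
        elif op == 0x81 and i + 6 <= len(code) and code[i + 1] == 0xF1:  # 81 /6 id: xor ecx, imm32
            imm = struct.unpack_from("<I", code, i + 2)[0]
            out.append((i, f"xor ecx, 0x{imm:08x}"))
            i += 6
        elif op == 0x01 and i + 2 <= len(code) and code[i + 1] == 0xC8:  # 01 /r: add eax, ecx
            out.append((i, "add eax, ecx"))
            i += 2
        else:
            out.append((i, f"db 0x{op:02x}"))  # not modelled here
            i += 1
    return out


def emit_naive(a: int, b: int) -> bytes:
    """What a simple JIT might emit for `var x = a + b` (the answer's example).
    The attacker-chosen 32-bit values land verbatim in the executable page."""
    return (b"\xB8" + struct.pack("<I", a)      # mov eax, a
            + b"\xB9" + struct.pack("<I", b)    # mov ecx, b
            + b"\x01\xC8")                      # add eax, ecx


def emit_blinded(a: int, b: int, key: int) -> bytes:
    """Constant blinding (hypothetical layout): only a ^ key and b ^ key are
    stored; the key is XORed back at run time, so neither a nor b appears in code."""
    return (b"\xB8" + struct.pack("<I", a ^ key)    # mov eax, a ^ key
            + b"\x35" + struct.pack("<I", key)      # xor eax, key   -> eax == a
            + b"\xB9" + struct.pack("<I", b ^ key)  # mov ecx, b ^ key
            + b"\x81\xF1" + struct.pack("<I", key)  # xor ecx, key   -> ecx == b
            + b"\x01\xC8")                          # add eax, ecx


def execute(code: bytes) -> dict:
    """Tiny interpreter for the decoded subset; returns the final register file.
    Used to show that blinding changes the bytes but not the computed result."""
    regs = {"eax": 0, "ecx": 0, "edx": 0, "ebx": 0}
    for _, insn in decode(code, 0):
        op, _, rest = insn.partition(" ")
        if op == "mov":
            dst, imm = rest.split(", ")
            regs[dst] = int(imm, 16)
        elif op == "xor":
            dst, imm = rest.split(", ")
            regs[dst] ^= int(imm, 16)
        elif op == "add":
            dst, src = rest.split(", ")
            regs[dst] = (regs[dst] + regs[src]) & 0xFFFFFFFF
        elif op == "inc":
            regs[rest] = (regs[rest] + 1) & 0xFFFFFFFF
        elif op != "nop":
            raise ValueError(f"cannot execute {insn}")
    return regs


if __name__ == "__main__":
    a, b = 0x41414141, 0x42424242  # the constants from the answer's example
    naive = emit_naive(a, b)
    for start in (0, 1):
        print(f"naive code, decoding from offset {start}:")
        for off, insn in decode(naive, start):
            print(f"  {off:2d}: {insn}")
    key = struct.unpack("<I", os.urandom(4))[0]  # fresh per compilation
    blinded = emit_blinded(a, b, key)
    print("blinded code (attacker constants absent from the page):")
    for off, insn in decode(blinded):
        print(f"  {off:2d}: {insn}")
    print(f"naive eax = {execute(naive)['eax']:#x}, blinded eax = {execute(blinded)['eax']:#x}")
```

Decoding the naive code from offset 1 yields four `inc ecx` instructions followed by the rest of the original stream; with real shellcode bytes in the immediates that stream is the attacker's, and DEP cannot distinguish it from the JIT's own output because both live in the same executable page. The blinded variant computes the same `eax`, but the bytes present in the page depend on a key the attacker cannot predict.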

References

[1] A Dynamic Optimization Framework for a Java Just-In-Time Compiler

[2] Interpreter Exploitation: Pointer Inference and JIT Spraying

[3] JIT Spraying and Mitigations