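Use the following WinDbg command to observe the progression of the exploit. It sets a breakpoint on jscript9!Js::Math::Atan2 that prints the Unicode string (%mu) read from poi(poi(esp+14)+c) and then resumes execution:

    bu jscript9!Js::Math::Atan2 ".printf \"LOG: %mu\",poi(poi(esp+14)+c);.echo;g;"

Other WinDbg commands of interest let you see the creation and deletion of CMarkup objects. They log the pointer held in esi at the constructor and in ecx at the destructor:

    bu mshtml!CMarkup::CMarkup ".printf \"LOG: Alloc CMarkup\t%p\", @esi;.echo;g;"
    bu mshtml!CMarkup::~CMarkup ".printf \"LOG: Free CMarkup\t%p\", @ecx;.echo;g;"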
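The "LOG:" lines these breakpoints print can be post-processed to pair each CMarkup allocation with its free, which helps when triaging the object lifetimes in a saved debugger log. The script below is an added example, not part of the original page; the sample log, its addresses and messages, and the function name track_cmarkup are constructed for illustration.

```python
import re

# Constructed sample of the debugger output (addresses and messages invented).
SAMPLE_LOG = (
    "LOG: stage 1\n"
    "LOG: Alloc CMarkup\t0a3c1f40\n"
    "LOG: Alloc CMarkup\t0a3c2080\n"
    "LOG: Free CMarkup\t0a3c1f40\n"
    "LOG: stage 2\n"
    "LOG: Alloc CMarkup\t0a3c1f40\n"
    "LOG: Free CMarkup\t0a3c9999\n"
)

EVENT = re.compile(r"^LOG: (Alloc|Free) CMarkup\s+([0-9a-fA-F`]+)\s*$")

def track_cmarkup(log_text):
    """Pair Alloc/Free lines per address; report lifetimes and anomalies."""
    live = {}        # address -> (line number, script message at allocation)
    freed = set()    # addresses that have been freed at least once
    report = {"lifetimes": [], "reused": [], "unmatched_free": [], "live": []}
    message = None   # most recent line printed by the Atan2 breakpoint
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = EVENT.match(line)
        if m is None:
            if line.startswith("LOG: "):
                message = line[5:].strip()
            continue
        # %p may print 64-bit pointers with a backtick separator; strip it.
        kind, addr = m.group(1), int(m.group(2).replace("`", ""), 16)
        if kind == "Alloc":
            if addr in freed:  # same address handed out again after a free
                report["reused"].append((addr, lineno, message))
            live[addr] = (lineno, message)
        else:
            if addr in live:
                alloc_line, alloc_msg = live.pop(addr)
                report["lifetimes"].append(
                    (addr, alloc_line, lineno, alloc_msg, message))
            else:  # object was created before the breakpoints were set
                report["unmatched_free"].append((addr, lineno))
            freed.add(addr)
    report["live"] = sorted(live)
    return report

if __name__ == "__main__":
    for key, value in track_cmarkup(SAMPLE_LOG).items():
        print(key, value)
```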