Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks

CLC Number: TP311

Fund Project: National Natural Science Foundation of China (61572248, 61431008, 61321491); National Key Technology Research and Development Program of China (2012BAK26B01)

Abstract:

Modern Web browsers introduce a just-in-time (JIT) compilation mechanism to improve their performance when executing JavaScript applications. However, this mechanism has already been abused by attackers to inject malicious code. For instance, because JIT compilers may place JavaScript integers into the code cache as operands of machine instructions, attackers can inject return-oriented programming (ROP) gadgets by crafting JavaScript integers. Fortunately, integer-based injection attacks have already been mitigated by techniques such as constant blinding. This work demonstrates that attackers can also inject ROP gadgets by using JavaScript code blocks instead of integer values. The injection scheme is based on the observation that the dynamic code generated by a JIT compiler for a given JavaScript code snippet always contains some immutable machine instruction sequences. The existence of these sequences is not affected by security mechanisms such as constant blinding and address randomization. Moreover, these instruction sequences may contain the ROP gadgets an attacker needs. Therefore, attackers can use JavaScript code blocks to obtain these gadgets in their attacks. The proposed injection scheme is evaluated on SpiderMonkey and Google V8 running on the x86-64 architecture. These two JIT engines are fed JavaScript applications from well-known benchmarks, yielding a great many dynamic code blocks. Statistical results show that Turing-complete sets of gadgets can be obtained from these code blocks. In real-world attack scenarios, the JavaScript applications available to an adversary are far more numerous than those in the benchmarks. Therefore, an adversary can apply the proposed scheme to inject gadgets for constructing ROP code that performs arbitrary computation.
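The contrast the abstract draws, between constant blinding defeating integer-based gadget injection and leaving the emitted opcode bytes untouched, is illustrated by the following added example. It is not code from the paper or from either JIT engine: it hand-encodes a tiny constructed x86-64 sequence (mov eax, imm32 / xor eax, imm32 / ret) and compares what a naive emitter and a blinding emitter place in the code cache.

```python
import secrets
import struct
from typing import List, Optional

# Constructed x86-64 encodings for this example (not a real JIT's emitter):
#   mov eax, imm32 -> B8 id      xor eax, imm32 -> 35 id      ret -> C3
MOV_EAX_IMM32 = 0xB8
XOR_EAX_IMM32 = 0x35
RET = 0xC3


def emit_unblinded(imm: int) -> bytes:
    """Naive emission: the attacker-chosen integer lands verbatim in the code cache."""
    return bytes([MOV_EAX_IMM32]) + struct.pack("<I", imm & 0xFFFFFFFF) + bytes([RET])


def emit_blinded(imm: int, key: Optional[int] = None) -> bytes:
    """Constant blinding: emit imm XOR key, then XOR with key at run time to recover imm.

    Neither immediate in the emitted bytes equals the attacker-chosen value
    (except for the negligible cases key == 0 or key == imm with a random key).
    """
    if key is None:
        key = secrets.randbits(32)
    imm &= 0xFFFFFFFF
    code = bytes([MOV_EAX_IMM32]) + struct.pack("<I", imm ^ key)
    code += bytes([XOR_EAX_IMM32]) + struct.pack("<I", key)
    return code + bytes([RET])


def contains_verbatim(code: bytes, imm: int) -> bool:
    """True if the 4-byte little-endian encoding of imm occurs anywhere in code."""
    return struct.pack("<I", imm & 0xFFFFFFFF) in code


def immutable_positions(imm: int, keys: List[int]) -> List[int]:
    """Byte offsets whose value is identical across blinded emissions with different keys.

    These are the opcode bytes (and the ret) that blinding never changes: the part of a
    generated code block whose bytes do not depend on the blinding key.
    """
    variants = [emit_blinded(imm, k) for k in keys]
    return [i for i in range(len(variants[0])) if len({v[i] for v in variants}) == 1]
```

Running immutable_positions with several keys returns the offsets of the opcode and ret bytes only, which is the key-independent residue the abstract's observation rests on.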

Citation:
袁平海, 曾庆凯, 张云剑, 刘尧. Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks. Journal of Software (软件学报), 2020, 31(2): 247-265
History
  • Received: June 21, 2017
  • Revised: September 05, 2017
  • Online: February 17, 2020
  • Published: February 06, 2020
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4