Tags: browser turbofan v8 

Rating: 5.0

The challenge's patched TurboFan removes the deoptimization check that normally fires when a different map is encountered. We can use this to confuse 64-bit float arrays with 32-bit pointer-compressed (tagged) arrays once JIT optimization is triggered; from that confusion we leak the float-array and object-array maps and build addrof and fakeobj primitives, which in turn give arbitrary read (arb_read) and arbitrary write (arb_write) primitives. Instantiating a wasm module creates an rwx page; arb_read leaks the page's address from the instance object, and arb_write places open/read/write shellcode there.

Original writeup (https://www.willsroot.io/2021/04/turboflan-picoctf-2021-writeup-v8.html).