[wasm] Do not sandbox isolate root pointer

The isolate root pointer in a WasmApiFuncionRef cannot be sandboxed, because we would need the isolate root in the first place to decode it. Therefore we do not use Foreign as the parent class of WasmApiFunctionRef. Bug: v8:11510 Change-Id: Idcbe654274c543ee571a335cb8e212ca3492d973 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3262134 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#77751}
2021-11-08 03:01:32 +00:00 · 2021-11-08 03:01:32 +00:00 · 02b73c9424
commit 02b73c9424
parent 77599ffe0a
7 changed files with 252 additions and 249 deletions
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@ -660,9 +660,12 @@ Node* WasmGraphBuilder::BuildLoadIsolateRoot() {
      // that the generated code is Isolate independent.
      return LOAD_INSTANCE_FIELD(IsolateRoot, MachineType::Pointer());
    case kWasmApiFunctionRefMode:
-      return gasm_->Load(MachineType::Pointer(), Param(0),
-                         wasm::ObjectAccess::ToTagged(
-                             WasmApiFunctionRef::kForeignAddressOffset));
+      // Note: Even if V8_HEAP_SANDBOX, the pointer to the isolate root is not
+      // encoded, much like the case above. TODO(manoskouk): Decode the pointer
+      // here if that changes.
+      return gasm_->Load(
+          MachineType::Pointer(), Param(0),
+          wasm::ObjectAccess::ToTagged(WasmApiFunctionRef::kIsolateRootOffset));
    case kNoSpecialParameterMode:
      return mcgraph()->IntPtrConstant(isolate_->isolate_root());
  }
--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@ -1939,7 +1939,7 @@ void WasmJSFunctionData::WasmJSFunctionDataPrint(std::ostream& os) {

 void WasmApiFunctionRef::WasmApiFunctionRefPrint(std::ostream& os) {
  PrintHeader(os, "WasmApiFunctionRef");
-  os << "\n - isolate_root: " << reinterpret_cast<void*>(foreign_address());
+  os << "\n - isolate_root: " << reinterpret_cast<void*>(isolate_root());
  os << "\n - native_context: " << Brief(native_context());
  os << "\n - callable: " << Brief(callable());
  os << "\n";
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -1483,7 +1483,7 @@ Handle<WasmApiFunctionRef> Factory::NewWasmApiFunctionRef(
  auto result = WasmApiFunctionRef::cast(AllocateRawWithImmortalMap(
      map.instance_size(), AllocationType::kOld, map));
  DisallowGarbageCollection no_gc;
-  result.set_foreign_address(isolate(), isolate()->isolate_root());
+  result.set_isolate_root(isolate()->isolate_root());
  result.set_native_context(*isolate()->native_context());
  if (!callable.is_null()) {
    result.set_callable(*callable);
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@ -651,8 +651,6 @@ class WasmApiFunctionRef::BodyDescriptor final : public BodyDescriptorBase {
  template <typename ObjectVisitor>
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
-    Foreign::BodyDescriptor::IterateBody<ObjectVisitor>(map, obj, object_size,
-                                                        v);
    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
                    v);
  }
--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@ -733,7 +733,7 @@ class WasmExportedFunctionData
 };

 class WasmApiFunctionRef
-    : public TorqueGeneratedWasmApiFunctionRef<WasmApiFunctionRef, Foreign> {
+    : public TorqueGeneratedWasmApiFunctionRef<WasmApiFunctionRef, HeapObject> {
 public:
  // Dispatched behavior.
  DECL_PRINTER(WasmApiFunctionRef)
--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@ -14,9 +14,11 @@ extern class WasmInstanceObject extends JSObject;
 // Represents the context of a function that is defined through the JS or C
 // APIs. Corresponds to the WasmInstanceObject passed to a Wasm function
 // reference.
-// The {foreign_address} field inherited from {Foreign} points the IsolateRoots
-// of the defining isolate.
-extern class WasmApiFunctionRef extends Foreign {
+// TODO(manoskouk): If V8_HEAP_SANDBOX, we cannot encode the isolate_root as a
+// sandboxed pointer, because that would require having access to the isolate
+// root in the first place.
+extern class WasmApiFunctionRef extends HeapObject {
+  isolate_root: RawPtr;
  native_context: NativeContext;
  callable: JSReceiver|Undefined;
 }
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@ -36,123 +36,123 @@ INSTANCE_TYPES = {
  72: "WASM_CAPI_FUNCTION_DATA_TYPE",
  73: "WASM_EXPORTED_FUNCTION_DATA_TYPE",
  74: "WASM_JS_FUNCTION_DATA_TYPE",
-  75: "WASM_API_FUNCTION_REF_TYPE",
-  76: "WASM_TYPE_INFO_TYPE",
-  77: "PROMISE_FULFILL_REACTION_JOB_TASK_TYPE",
-  78: "PROMISE_REJECT_REACTION_JOB_TASK_TYPE",
-  79: "CALLABLE_TASK_TYPE",
-  80: "CALLBACK_TASK_TYPE",
-  81: "PROMISE_RESOLVE_THENABLE_JOB_TASK_TYPE",
-  82: "LOAD_HANDLER_TYPE",
-  83: "STORE_HANDLER_TYPE",
-  84: "FUNCTION_TEMPLATE_INFO_TYPE",
-  85: "OBJECT_TEMPLATE_INFO_TYPE",
-  86: "ACCESS_CHECK_INFO_TYPE",
-  87: "ACCESSOR_INFO_TYPE",
-  88: "ACCESSOR_PAIR_TYPE",
-  89: "ALIASED_ARGUMENTS_ENTRY_TYPE",
-  90: "ALLOCATION_MEMENTO_TYPE",
-  91: "ALLOCATION_SITE_TYPE",
-  92: "ARRAY_BOILERPLATE_DESCRIPTION_TYPE",
-  93: "ASM_WASM_DATA_TYPE",
-  94: "ASYNC_GENERATOR_REQUEST_TYPE",
-  95: "BREAK_POINT_TYPE",
-  96: "BREAK_POINT_INFO_TYPE",
-  97: "CACHED_TEMPLATE_OBJECT_TYPE",
-  98: "CALL_HANDLER_INFO_TYPE",
-  99: "CLASS_POSITIONS_TYPE",
-  100: "DEBUG_INFO_TYPE",
-  101: "ENUM_CACHE_TYPE",
-  102: "FEEDBACK_CELL_TYPE",
-  103: "FUNCTION_TEMPLATE_RARE_DATA_TYPE",
-  104: "INTERCEPTOR_INFO_TYPE",
-  105: "INTERPRETER_DATA_TYPE",
-  106: "MODULE_REQUEST_TYPE",
-  107: "PROMISE_CAPABILITY_TYPE",
-  108: "PROMISE_REACTION_TYPE",
-  109: "PROPERTY_DESCRIPTOR_OBJECT_TYPE",
-  110: "PROTOTYPE_INFO_TYPE",
-  111: "REG_EXP_BOILERPLATE_DESCRIPTION_TYPE",
-  112: "SCRIPT_TYPE",
-  113: "SCRIPT_OR_MODULE_TYPE",
-  114: "SOURCE_TEXT_MODULE_INFO_ENTRY_TYPE",
-  115: "STACK_FRAME_INFO_TYPE",
-  116: "TEMPLATE_OBJECT_DESCRIPTION_TYPE",
-  117: "TUPLE2_TYPE",
-  118: "WASM_CONTINUATION_OBJECT_TYPE",
-  119: "WASM_EXCEPTION_TAG_TYPE",
-  120: "WASM_INDIRECT_FUNCTION_TABLE_TYPE",
-  121: "FIXED_ARRAY_TYPE",
-  122: "HASH_TABLE_TYPE",
-  123: "EPHEMERON_HASH_TABLE_TYPE",
-  124: "GLOBAL_DICTIONARY_TYPE",
-  125: "NAME_DICTIONARY_TYPE",
-  126: "NUMBER_DICTIONARY_TYPE",
-  127: "ORDERED_HASH_MAP_TYPE",
-  128: "ORDERED_HASH_SET_TYPE",
-  129: "ORDERED_NAME_DICTIONARY_TYPE",
-  130: "SIMPLE_NUMBER_DICTIONARY_TYPE",
-  131: "CLOSURE_FEEDBACK_CELL_ARRAY_TYPE",
-  132: "OBJECT_BOILERPLATE_DESCRIPTION_TYPE",
-  133: "SCRIPT_CONTEXT_TABLE_TYPE",
-  134: "BYTE_ARRAY_TYPE",
-  135: "BYTECODE_ARRAY_TYPE",
-  136: "FIXED_DOUBLE_ARRAY_TYPE",
-  137: "INTERNAL_CLASS_WITH_SMI_ELEMENTS_TYPE",
-  138: "SLOPPY_ARGUMENTS_ELEMENTS_TYPE",
-  139: "AWAIT_CONTEXT_TYPE",
-  140: "BLOCK_CONTEXT_TYPE",
-  141: "CATCH_CONTEXT_TYPE",
-  142: "DEBUG_EVALUATE_CONTEXT_TYPE",
-  143: "EVAL_CONTEXT_TYPE",
-  144: "FUNCTION_CONTEXT_TYPE",
-  145: "MODULE_CONTEXT_TYPE",
-  146: "NATIVE_CONTEXT_TYPE",
-  147: "SCRIPT_CONTEXT_TYPE",
-  148: "WITH_CONTEXT_TYPE",
-  149: "TURBOFAN_BITSET_TYPE_TYPE",
-  150: "TURBOFAN_HEAP_CONSTANT_TYPE_TYPE",
-  151: "TURBOFAN_OTHER_NUMBER_CONSTANT_TYPE_TYPE",
-  152: "TURBOFAN_RANGE_TYPE_TYPE",
-  153: "TURBOFAN_UNION_TYPE_TYPE",
-  154: "EXPORTED_SUB_CLASS_BASE_TYPE",
-  155: "EXPORTED_SUB_CLASS_TYPE",
-  156: "EXPORTED_SUB_CLASS2_TYPE",
-  157: "SMALL_ORDERED_HASH_MAP_TYPE",
-  158: "SMALL_ORDERED_HASH_SET_TYPE",
-  159: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
-  160: "DESCRIPTOR_ARRAY_TYPE",
-  161: "STRONG_DESCRIPTOR_ARRAY_TYPE",
-  162: "SOURCE_TEXT_MODULE_TYPE",
-  163: "SYNTHETIC_MODULE_TYPE",
-  164: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
-  165: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
-  166: "WEAK_FIXED_ARRAY_TYPE",
-  167: "TRANSITION_ARRAY_TYPE",
-  168: "CALL_REF_DATA_TYPE",
-  169: "CELL_TYPE",
-  170: "CODE_TYPE",
-  171: "CODE_DATA_CONTAINER_TYPE",
-  172: "COVERAGE_INFO_TYPE",
-  173: "EMBEDDER_DATA_ARRAY_TYPE",
-  174: "FEEDBACK_METADATA_TYPE",
-  175: "FEEDBACK_VECTOR_TYPE",
-  176: "FILLER_TYPE",
-  177: "FREE_SPACE_TYPE",
-  178: "INTERNAL_CLASS_TYPE",
-  179: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
-  180: "MAP_TYPE",
-  181: "MEGA_DOM_HANDLER_TYPE",
-  182: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
-  183: "PREPARSE_DATA_TYPE",
-  184: "PROPERTY_ARRAY_TYPE",
-  185: "PROPERTY_CELL_TYPE",
-  186: "SCOPE_INFO_TYPE",
-  187: "SHARED_FUNCTION_INFO_TYPE",
-  188: "SMI_BOX_TYPE",
-  189: "SMI_PAIR_TYPE",
-  190: "SORT_STATE_TYPE",
-  191: "SWISS_NAME_DICTIONARY_TYPE",
+  75: "WASM_TYPE_INFO_TYPE",
+  76: "PROMISE_FULFILL_REACTION_JOB_TASK_TYPE",
+  77: "PROMISE_REJECT_REACTION_JOB_TASK_TYPE",
+  78: "CALLABLE_TASK_TYPE",
+  79: "CALLBACK_TASK_TYPE",
+  80: "PROMISE_RESOLVE_THENABLE_JOB_TASK_TYPE",
+  81: "LOAD_HANDLER_TYPE",
+  82: "STORE_HANDLER_TYPE",
+  83: "FUNCTION_TEMPLATE_INFO_TYPE",
+  84: "OBJECT_TEMPLATE_INFO_TYPE",
+  85: "ACCESS_CHECK_INFO_TYPE",
+  86: "ACCESSOR_INFO_TYPE",
+  87: "ACCESSOR_PAIR_TYPE",
+  88: "ALIASED_ARGUMENTS_ENTRY_TYPE",
+  89: "ALLOCATION_MEMENTO_TYPE",
+  90: "ALLOCATION_SITE_TYPE",
+  91: "ARRAY_BOILERPLATE_DESCRIPTION_TYPE",
+  92: "ASM_WASM_DATA_TYPE",
+  93: "ASYNC_GENERATOR_REQUEST_TYPE",
+  94: "BREAK_POINT_TYPE",
+  95: "BREAK_POINT_INFO_TYPE",
+  96: "CACHED_TEMPLATE_OBJECT_TYPE",
+  97: "CALL_HANDLER_INFO_TYPE",
+  98: "CLASS_POSITIONS_TYPE",
+  99: "DEBUG_INFO_TYPE",
+  100: "ENUM_CACHE_TYPE",
+  101: "FEEDBACK_CELL_TYPE",
+  102: "FUNCTION_TEMPLATE_RARE_DATA_TYPE",
+  103: "INTERCEPTOR_INFO_TYPE",
+  104: "INTERPRETER_DATA_TYPE",
+  105: "MODULE_REQUEST_TYPE",
+  106: "PROMISE_CAPABILITY_TYPE",
+  107: "PROMISE_REACTION_TYPE",
+  108: "PROPERTY_DESCRIPTOR_OBJECT_TYPE",
+  109: "PROTOTYPE_INFO_TYPE",
+  110: "REG_EXP_BOILERPLATE_DESCRIPTION_TYPE",
+  111: "SCRIPT_TYPE",
+  112: "SCRIPT_OR_MODULE_TYPE",
+  113: "SOURCE_TEXT_MODULE_INFO_ENTRY_TYPE",
+  114: "STACK_FRAME_INFO_TYPE",
+  115: "TEMPLATE_OBJECT_DESCRIPTION_TYPE",
+  116: "TUPLE2_TYPE",
+  117: "WASM_CONTINUATION_OBJECT_TYPE",
+  118: "WASM_EXCEPTION_TAG_TYPE",
+  119: "WASM_INDIRECT_FUNCTION_TABLE_TYPE",
+  120: "FIXED_ARRAY_TYPE",
+  121: "HASH_TABLE_TYPE",
+  122: "EPHEMERON_HASH_TABLE_TYPE",
+  123: "GLOBAL_DICTIONARY_TYPE",
+  124: "NAME_DICTIONARY_TYPE",
+  125: "NUMBER_DICTIONARY_TYPE",
+  126: "ORDERED_HASH_MAP_TYPE",
+  127: "ORDERED_HASH_SET_TYPE",
+  128: "ORDERED_NAME_DICTIONARY_TYPE",
+  129: "SIMPLE_NUMBER_DICTIONARY_TYPE",
+  130: "CLOSURE_FEEDBACK_CELL_ARRAY_TYPE",
+  131: "OBJECT_BOILERPLATE_DESCRIPTION_TYPE",
+  132: "SCRIPT_CONTEXT_TABLE_TYPE",
+  133: "BYTE_ARRAY_TYPE",
+  134: "BYTECODE_ARRAY_TYPE",
+  135: "FIXED_DOUBLE_ARRAY_TYPE",
+  136: "INTERNAL_CLASS_WITH_SMI_ELEMENTS_TYPE",
+  137: "SLOPPY_ARGUMENTS_ELEMENTS_TYPE",
+  138: "AWAIT_CONTEXT_TYPE",
+  139: "BLOCK_CONTEXT_TYPE",
+  140: "CATCH_CONTEXT_TYPE",
+  141: "DEBUG_EVALUATE_CONTEXT_TYPE",
+  142: "EVAL_CONTEXT_TYPE",
+  143: "FUNCTION_CONTEXT_TYPE",
+  144: "MODULE_CONTEXT_TYPE",
+  145: "NATIVE_CONTEXT_TYPE",
+  146: "SCRIPT_CONTEXT_TYPE",
+  147: "WITH_CONTEXT_TYPE",
+  148: "TURBOFAN_BITSET_TYPE_TYPE",
+  149: "TURBOFAN_HEAP_CONSTANT_TYPE_TYPE",
+  150: "TURBOFAN_OTHER_NUMBER_CONSTANT_TYPE_TYPE",
+  151: "TURBOFAN_RANGE_TYPE_TYPE",
+  152: "TURBOFAN_UNION_TYPE_TYPE",
+  153: "EXPORTED_SUB_CLASS_BASE_TYPE",
+  154: "EXPORTED_SUB_CLASS_TYPE",
+  155: "EXPORTED_SUB_CLASS2_TYPE",
+  156: "SMALL_ORDERED_HASH_MAP_TYPE",
+  157: "SMALL_ORDERED_HASH_SET_TYPE",
+  158: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
+  159: "DESCRIPTOR_ARRAY_TYPE",
+  160: "STRONG_DESCRIPTOR_ARRAY_TYPE",
+  161: "SOURCE_TEXT_MODULE_TYPE",
+  162: "SYNTHETIC_MODULE_TYPE",
+  163: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
+  164: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
+  165: "WEAK_FIXED_ARRAY_TYPE",
+  166: "TRANSITION_ARRAY_TYPE",
+  167: "CALL_REF_DATA_TYPE",
+  168: "CELL_TYPE",
+  169: "CODE_TYPE",
+  170: "CODE_DATA_CONTAINER_TYPE",
+  171: "COVERAGE_INFO_TYPE",
+  172: "EMBEDDER_DATA_ARRAY_TYPE",
+  173: "FEEDBACK_METADATA_TYPE",
+  174: "FEEDBACK_VECTOR_TYPE",
+  175: "FILLER_TYPE",
+  176: "FREE_SPACE_TYPE",
+  177: "INTERNAL_CLASS_TYPE",
+  178: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
+  179: "MAP_TYPE",
+  180: "MEGA_DOM_HANDLER_TYPE",
+  181: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
+  182: "PREPARSE_DATA_TYPE",
+  183: "PROPERTY_ARRAY_TYPE",
+  184: "PROPERTY_CELL_TYPE",
+  185: "SCOPE_INFO_TYPE",
+  186: "SHARED_FUNCTION_INFO_TYPE",
+  187: "SMI_BOX_TYPE",
+  188: "SMI_PAIR_TYPE",
+  189: "SORT_STATE_TYPE",
+  190: "SWISS_NAME_DICTIONARY_TYPE",
+  191: "WASM_API_FUNCTION_REF_TYPE",
  192: "WEAK_ARRAY_LIST_TYPE",
  193: "WEAK_CELL_TYPE",
  194: "WASM_ARRAY_TYPE",
@ -256,81 +256,81 @@ INSTANCE_TYPES = {

 # List of known V8 maps.
 KNOWN_MAPS = {
-  ("read_only_space", 0x02119): (180, "MetaMap"),
+  ("read_only_space", 0x02119): (179, "MetaMap"),
  ("read_only_space", 0x02141): (67, "NullMap"),
-  ("read_only_space", 0x02169): (161, "StrongDescriptorArrayMap"),
-  ("read_only_space", 0x02191): (166, "WeakFixedArrayMap"),
-  ("read_only_space", 0x021d1): (101, "EnumCacheMap"),
-  ("read_only_space", 0x02205): (121, "FixedArrayMap"),
+  ("read_only_space", 0x02169): (160, "StrongDescriptorArrayMap"),
+  ("read_only_space", 0x02191): (165, "WeakFixedArrayMap"),
+  ("read_only_space", 0x021d1): (100, "EnumCacheMap"),
+  ("read_only_space", 0x02205): (120, "FixedArrayMap"),
  ("read_only_space", 0x02251): (8, "OneByteInternalizedStringMap"),
-  ("read_only_space", 0x0229d): (177, "FreeSpaceMap"),
-  ("read_only_space", 0x022c5): (176, "OnePointerFillerMap"),
-  ("read_only_space", 0x022ed): (176, "TwoPointerFillerMap"),
+  ("read_only_space", 0x0229d): (176, "FreeSpaceMap"),
+  ("read_only_space", 0x022c5): (175, "OnePointerFillerMap"),
+  ("read_only_space", 0x022ed): (175, "TwoPointerFillerMap"),
  ("read_only_space", 0x02315): (67, "UninitializedMap"),
  ("read_only_space", 0x0238d): (67, "UndefinedMap"),
  ("read_only_space", 0x023d1): (66, "HeapNumberMap"),
  ("read_only_space", 0x02405): (67, "TheHoleMap"),
  ("read_only_space", 0x02465): (67, "BooleanMap"),
-  ("read_only_space", 0x02509): (134, "ByteArrayMap"),
-  ("read_only_space", 0x02531): (121, "FixedCOWArrayMap"),
-  ("read_only_space", 0x02559): (122, "HashTableMap"),
+  ("read_only_space", 0x02509): (133, "ByteArrayMap"),
+  ("read_only_space", 0x02531): (120, "FixedCOWArrayMap"),
+  ("read_only_space", 0x02559): (121, "HashTableMap"),
  ("read_only_space", 0x02581): (64, "SymbolMap"),
  ("read_only_space", 0x025a9): (40, "OneByteStringMap"),
-  ("read_only_space", 0x025d1): (186, "ScopeInfoMap"),
-  ("read_only_space", 0x025f9): (187, "SharedFunctionInfoMap"),
-  ("read_only_space", 0x02621): (170, "CodeMap"),
-  ("read_only_space", 0x02649): (169, "CellMap"),
-  ("read_only_space", 0x02671): (185, "GlobalPropertyCellMap"),
+  ("read_only_space", 0x025d1): (185, "ScopeInfoMap"),
+  ("read_only_space", 0x025f9): (186, "SharedFunctionInfoMap"),
+  ("read_only_space", 0x02621): (169, "CodeMap"),
+  ("read_only_space", 0x02649): (168, "CellMap"),
+  ("read_only_space", 0x02671): (184, "GlobalPropertyCellMap"),
  ("read_only_space", 0x02699): (70, "ForeignMap"),
-  ("read_only_space", 0x026c1): (167, "TransitionArrayMap"),
+  ("read_only_space", 0x026c1): (166, "TransitionArrayMap"),
  ("read_only_space", 0x026e9): (45, "ThinOneByteStringMap"),
-  ("read_only_space", 0x02711): (175, "FeedbackVectorMap"),
+  ("read_only_space", 0x02711): (174, "FeedbackVectorMap"),
  ("read_only_space", 0x02749): (67, "ArgumentsMarkerMap"),
  ("read_only_space", 0x027a9): (67, "ExceptionMap"),
  ("read_only_space", 0x02805): (67, "TerminationExceptionMap"),
  ("read_only_space", 0x0286d): (67, "OptimizedOutMap"),
  ("read_only_space", 0x028cd): (67, "StaleRegisterMap"),
-  ("read_only_space", 0x0292d): (133, "ScriptContextTableMap"),
-  ("read_only_space", 0x02955): (131, "ClosureFeedbackCellArrayMap"),
-  ("read_only_space", 0x0297d): (174, "FeedbackMetadataArrayMap"),
-  ("read_only_space", 0x029a5): (121, "ArrayListMap"),
+  ("read_only_space", 0x0292d): (132, "ScriptContextTableMap"),
+  ("read_only_space", 0x02955): (130, "ClosureFeedbackCellArrayMap"),
+  ("read_only_space", 0x0297d): (173, "FeedbackMetadataArrayMap"),
+  ("read_only_space", 0x029a5): (120, "ArrayListMap"),
  ("read_only_space", 0x029cd): (65, "BigIntMap"),
-  ("read_only_space", 0x029f5): (132, "ObjectBoilerplateDescriptionMap"),
-  ("read_only_space", 0x02a1d): (135, "BytecodeArrayMap"),
-  ("read_only_space", 0x02a45): (171, "CodeDataContainerMap"),
-  ("read_only_space", 0x02a6d): (172, "CoverageInfoMap"),
-  ("read_only_space", 0x02a95): (136, "FixedDoubleArrayMap"),
-  ("read_only_space", 0x02abd): (124, "GlobalDictionaryMap"),
-  ("read_only_space", 0x02ae5): (102, "ManyClosuresCellMap"),
-  ("read_only_space", 0x02b0d): (181, "MegaDomHandlerMap"),
-  ("read_only_space", 0x02b35): (121, "ModuleInfoMap"),
-  ("read_only_space", 0x02b5d): (125, "NameDictionaryMap"),
-  ("read_only_space", 0x02b85): (102, "NoClosuresCellMap"),
-  ("read_only_space", 0x02bad): (126, "NumberDictionaryMap"),
-  ("read_only_space", 0x02bd5): (102, "OneClosureCellMap"),
-  ("read_only_space", 0x02bfd): (127, "OrderedHashMapMap"),
-  ("read_only_space", 0x02c25): (128, "OrderedHashSetMap"),
-  ("read_only_space", 0x02c4d): (129, "OrderedNameDictionaryMap"),
-  ("read_only_space", 0x02c75): (183, "PreparseDataMap"),
-  ("read_only_space", 0x02c9d): (184, "PropertyArrayMap"),
-  ("read_only_space", 0x02cc5): (98, "SideEffectCallHandlerInfoMap"),
-  ("read_only_space", 0x02ced): (98, "SideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02d15): (98, "NextCallSideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02d3d): (130, "SimpleNumberDictionaryMap"),
-  ("read_only_space", 0x02d65): (157, "SmallOrderedHashMapMap"),
-  ("read_only_space", 0x02d8d): (158, "SmallOrderedHashSetMap"),
-  ("read_only_space", 0x02db5): (159, "SmallOrderedNameDictionaryMap"),
-  ("read_only_space", 0x02ddd): (162, "SourceTextModuleMap"),
-  ("read_only_space", 0x02e05): (191, "SwissNameDictionaryMap"),
-  ("read_only_space", 0x02e2d): (163, "SyntheticModuleMap"),
+  ("read_only_space", 0x029f5): (131, "ObjectBoilerplateDescriptionMap"),
+  ("read_only_space", 0x02a1d): (134, "BytecodeArrayMap"),
+  ("read_only_space", 0x02a45): (170, "CodeDataContainerMap"),
+  ("read_only_space", 0x02a6d): (171, "CoverageInfoMap"),
+  ("read_only_space", 0x02a95): (135, "FixedDoubleArrayMap"),
+  ("read_only_space", 0x02abd): (123, "GlobalDictionaryMap"),
+  ("read_only_space", 0x02ae5): (101, "ManyClosuresCellMap"),
+  ("read_only_space", 0x02b0d): (180, "MegaDomHandlerMap"),
+  ("read_only_space", 0x02b35): (120, "ModuleInfoMap"),
+  ("read_only_space", 0x02b5d): (124, "NameDictionaryMap"),
+  ("read_only_space", 0x02b85): (101, "NoClosuresCellMap"),
+  ("read_only_space", 0x02bad): (125, "NumberDictionaryMap"),
+  ("read_only_space", 0x02bd5): (101, "OneClosureCellMap"),
+  ("read_only_space", 0x02bfd): (126, "OrderedHashMapMap"),
+  ("read_only_space", 0x02c25): (127, "OrderedHashSetMap"),
+  ("read_only_space", 0x02c4d): (128, "OrderedNameDictionaryMap"),
+  ("read_only_space", 0x02c75): (182, "PreparseDataMap"),
+  ("read_only_space", 0x02c9d): (183, "PropertyArrayMap"),
+  ("read_only_space", 0x02cc5): (97, "SideEffectCallHandlerInfoMap"),
+  ("read_only_space", 0x02ced): (97, "SideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02d15): (97, "NextCallSideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02d3d): (129, "SimpleNumberDictionaryMap"),
+  ("read_only_space", 0x02d65): (156, "SmallOrderedHashMapMap"),
+  ("read_only_space", 0x02d8d): (157, "SmallOrderedHashSetMap"),
+  ("read_only_space", 0x02db5): (158, "SmallOrderedNameDictionaryMap"),
+  ("read_only_space", 0x02ddd): (161, "SourceTextModuleMap"),
+  ("read_only_space", 0x02e05): (190, "SwissNameDictionaryMap"),
+  ("read_only_space", 0x02e2d): (162, "SyntheticModuleMap"),
  ("read_only_space", 0x02e55): (72, "WasmCapiFunctionDataMap"),
  ("read_only_space", 0x02e7d): (73, "WasmExportedFunctionDataMap"),
  ("read_only_space", 0x02ea5): (74, "WasmJSFunctionDataMap"),
-  ("read_only_space", 0x02ecd): (75, "WasmApiFunctionRefMap"),
-  ("read_only_space", 0x02ef5): (76, "WasmTypeInfoMap"),
+  ("read_only_space", 0x02ecd): (191, "WasmApiFunctionRefMap"),
+  ("read_only_space", 0x02ef5): (75, "WasmTypeInfoMap"),
  ("read_only_space", 0x02f1d): (192, "WeakArrayListMap"),
-  ("read_only_space", 0x02f45): (123, "EphemeronHashTableMap"),
-  ("read_only_space", 0x02f6d): (173, "EmbedderDataArrayMap"),
+  ("read_only_space", 0x02f45): (122, "EphemeronHashTableMap"),
+  ("read_only_space", 0x02f6d): (172, "EmbedderDataArrayMap"),
  ("read_only_space", 0x02f95): (193, "WeakCellMap"),
  ("read_only_space", 0x02fbd): (32, "StringMap"),
  ("read_only_space", 0x02fe5): (41, "ConsOneByteStringMap"),
@ -349,75 +349,75 @@ KNOWN_MAPS = {
  ("read_only_space", 0x031ed): (58, "UncachedExternalOneByteStringMap"),
  ("read_only_space", 0x03215): (67, "SelfReferenceMarkerMap"),
  ("read_only_space", 0x0323d): (67, "BasicBlockCountersMarkerMap"),
-  ("read_only_space", 0x03281): (92, "ArrayBoilerplateDescriptionMap"),
-  ("read_only_space", 0x03381): (104, "InterceptorInfoMap"),
-  ("read_only_space", 0x05c15): (77, "PromiseFulfillReactionJobTaskMap"),
-  ("read_only_space", 0x05c3d): (78, "PromiseRejectReactionJobTaskMap"),
-  ("read_only_space", 0x05c65): (79, "CallableTaskMap"),
-  ("read_only_space", 0x05c8d): (80, "CallbackTaskMap"),
-  ("read_only_space", 0x05cb5): (81, "PromiseResolveThenableJobTaskMap"),
-  ("read_only_space", 0x05cdd): (84, "FunctionTemplateInfoMap"),
-  ("read_only_space", 0x05d05): (85, "ObjectTemplateInfoMap"),
-  ("read_only_space", 0x05d2d): (86, "AccessCheckInfoMap"),
-  ("read_only_space", 0x05d55): (87, "AccessorInfoMap"),
-  ("read_only_space", 0x05d7d): (88, "AccessorPairMap"),
-  ("read_only_space", 0x05da5): (89, "AliasedArgumentsEntryMap"),
-  ("read_only_space", 0x05dcd): (90, "AllocationMementoMap"),
-  ("read_only_space", 0x05df5): (93, "AsmWasmDataMap"),
-  ("read_only_space", 0x05e1d): (94, "AsyncGeneratorRequestMap"),
-  ("read_only_space", 0x05e45): (95, "BreakPointMap"),
-  ("read_only_space", 0x05e6d): (96, "BreakPointInfoMap"),
-  ("read_only_space", 0x05e95): (97, "CachedTemplateObjectMap"),
-  ("read_only_space", 0x05ebd): (99, "ClassPositionsMap"),
-  ("read_only_space", 0x05ee5): (100, "DebugInfoMap"),
-  ("read_only_space", 0x05f0d): (103, "FunctionTemplateRareDataMap"),
-  ("read_only_space", 0x05f35): (105, "InterpreterDataMap"),
-  ("read_only_space", 0x05f5d): (106, "ModuleRequestMap"),
-  ("read_only_space", 0x05f85): (107, "PromiseCapabilityMap"),
-  ("read_only_space", 0x05fad): (108, "PromiseReactionMap"),
-  ("read_only_space", 0x05fd5): (109, "PropertyDescriptorObjectMap"),
-  ("read_only_space", 0x05ffd): (110, "PrototypeInfoMap"),
-  ("read_only_space", 0x06025): (111, "RegExpBoilerplateDescriptionMap"),
-  ("read_only_space", 0x0604d): (112, "ScriptMap"),
-  ("read_only_space", 0x06075): (113, "ScriptOrModuleMap"),
-  ("read_only_space", 0x0609d): (114, "SourceTextModuleInfoEntryMap"),
-  ("read_only_space", 0x060c5): (115, "StackFrameInfoMap"),
-  ("read_only_space", 0x060ed): (116, "TemplateObjectDescriptionMap"),
-  ("read_only_space", 0x06115): (117, "Tuple2Map"),
-  ("read_only_space", 0x0613d): (118, "WasmContinuationObjectMap"),
-  ("read_only_space", 0x06165): (119, "WasmExceptionTagMap"),
-  ("read_only_space", 0x0618d): (120, "WasmIndirectFunctionTableMap"),
-  ("read_only_space", 0x061b5): (138, "SloppyArgumentsElementsMap"),
-  ("read_only_space", 0x061dd): (160, "DescriptorArrayMap"),
-  ("read_only_space", 0x06205): (165, "UncompiledDataWithoutPreparseDataMap"),
-  ("read_only_space", 0x0622d): (164, "UncompiledDataWithPreparseDataMap"),
-  ("read_only_space", 0x06255): (182, "OnHeapBasicBlockProfilerDataMap"),
-  ("read_only_space", 0x0627d): (149, "TurbofanBitsetTypeMap"),
-  ("read_only_space", 0x062a5): (153, "TurbofanUnionTypeMap"),
-  ("read_only_space", 0x062cd): (152, "TurbofanRangeTypeMap"),
-  ("read_only_space", 0x062f5): (150, "TurbofanHeapConstantTypeMap"),
-  ("read_only_space", 0x0631d): (151, "TurbofanOtherNumberConstantTypeMap"),
-  ("read_only_space", 0x06345): (178, "InternalClassMap"),
-  ("read_only_space", 0x0636d): (189, "SmiPairMap"),
-  ("read_only_space", 0x06395): (188, "SmiBoxMap"),
-  ("read_only_space", 0x063bd): (154, "ExportedSubClassBaseMap"),
-  ("read_only_space", 0x063e5): (155, "ExportedSubClassMap"),
+  ("read_only_space", 0x03281): (91, "ArrayBoilerplateDescriptionMap"),
+  ("read_only_space", 0x03381): (103, "InterceptorInfoMap"),
+  ("read_only_space", 0x05c15): (76, "PromiseFulfillReactionJobTaskMap"),
+  ("read_only_space", 0x05c3d): (77, "PromiseRejectReactionJobTaskMap"),
+  ("read_only_space", 0x05c65): (78, "CallableTaskMap"),
+  ("read_only_space", 0x05c8d): (79, "CallbackTaskMap"),
+  ("read_only_space", 0x05cb5): (80, "PromiseResolveThenableJobTaskMap"),
+  ("read_only_space", 0x05cdd): (83, "FunctionTemplateInfoMap"),
+  ("read_only_space", 0x05d05): (84, "ObjectTemplateInfoMap"),
+  ("read_only_space", 0x05d2d): (85, "AccessCheckInfoMap"),
+  ("read_only_space", 0x05d55): (86, "AccessorInfoMap"),
+  ("read_only_space", 0x05d7d): (87, "AccessorPairMap"),
+  ("read_only_space", 0x05da5): (88, "AliasedArgumentsEntryMap"),
+  ("read_only_space", 0x05dcd): (89, "AllocationMementoMap"),
+  ("read_only_space", 0x05df5): (92, "AsmWasmDataMap"),
+  ("read_only_space", 0x05e1d): (93, "AsyncGeneratorRequestMap"),
+  ("read_only_space", 0x05e45): (94, "BreakPointMap"),
+  ("read_only_space", 0x05e6d): (95, "BreakPointInfoMap"),
+  ("read_only_space", 0x05e95): (96, "CachedTemplateObjectMap"),
+  ("read_only_space", 0x05ebd): (98, "ClassPositionsMap"),
+  ("read_only_space", 0x05ee5): (99, "DebugInfoMap"),
+  ("read_only_space", 0x05f0d): (102, "FunctionTemplateRareDataMap"),
+  ("read_only_space", 0x05f35): (104, "InterpreterDataMap"),
+  ("read_only_space", 0x05f5d): (105, "ModuleRequestMap"),
+  ("read_only_space", 0x05f85): (106, "PromiseCapabilityMap"),
+  ("read_only_space", 0x05fad): (107, "PromiseReactionMap"),
+  ("read_only_space", 0x05fd5): (108, "PropertyDescriptorObjectMap"),
+  ("read_only_space", 0x05ffd): (109, "PrototypeInfoMap"),
+  ("read_only_space", 0x06025): (110, "RegExpBoilerplateDescriptionMap"),
+  ("read_only_space", 0x0604d): (111, "ScriptMap"),
+  ("read_only_space", 0x06075): (112, "ScriptOrModuleMap"),
+  ("read_only_space", 0x0609d): (113, "SourceTextModuleInfoEntryMap"),
+  ("read_only_space", 0x060c5): (114, "StackFrameInfoMap"),
+  ("read_only_space", 0x060ed): (115, "TemplateObjectDescriptionMap"),
+  ("read_only_space", 0x06115): (116, "Tuple2Map"),
+  ("read_only_space", 0x0613d): (117, "WasmContinuationObjectMap"),
+  ("read_only_space", 0x06165): (118, "WasmExceptionTagMap"),
+  ("read_only_space", 0x0618d): (119, "WasmIndirectFunctionTableMap"),
+  ("read_only_space", 0x061b5): (137, "SloppyArgumentsElementsMap"),
+  ("read_only_space", 0x061dd): (159, "DescriptorArrayMap"),
+  ("read_only_space", 0x06205): (164, "UncompiledDataWithoutPreparseDataMap"),
+  ("read_only_space", 0x0622d): (163, "UncompiledDataWithPreparseDataMap"),
+  ("read_only_space", 0x06255): (181, "OnHeapBasicBlockProfilerDataMap"),
+  ("read_only_space", 0x0627d): (148, "TurbofanBitsetTypeMap"),
+  ("read_only_space", 0x062a5): (152, "TurbofanUnionTypeMap"),
+  ("read_only_space", 0x062cd): (151, "TurbofanRangeTypeMap"),
+  ("read_only_space", 0x062f5): (149, "TurbofanHeapConstantTypeMap"),
+  ("read_only_space", 0x0631d): (150, "TurbofanOtherNumberConstantTypeMap"),
+  ("read_only_space", 0x06345): (177, "InternalClassMap"),
+  ("read_only_space", 0x0636d): (188, "SmiPairMap"),
+  ("read_only_space", 0x06395): (187, "SmiBoxMap"),
+  ("read_only_space", 0x063bd): (153, "ExportedSubClassBaseMap"),
+  ("read_only_space", 0x063e5): (154, "ExportedSubClassMap"),
  ("read_only_space", 0x0640d): (68, "AbstractInternalClassSubclass1Map"),
  ("read_only_space", 0x06435): (69, "AbstractInternalClassSubclass2Map"),
-  ("read_only_space", 0x0645d): (137, "InternalClassWithSmiElementsMap"),
-  ("read_only_space", 0x06485): (179, "InternalClassWithStructElementsMap"),
-  ("read_only_space", 0x064ad): (156, "ExportedSubClass2Map"),
-  ("read_only_space", 0x064d5): (190, "SortStateMap"),
-  ("read_only_space", 0x064fd): (168, "CallRefDataMap"),
-  ("read_only_space", 0x06525): (91, "AllocationSiteWithWeakNextMap"),
-  ("read_only_space", 0x0654d): (91, "AllocationSiteWithoutWeakNextMap"),
-  ("read_only_space", 0x06575): (82, "LoadHandler1Map"),
-  ("read_only_space", 0x0659d): (82, "LoadHandler2Map"),
-  ("read_only_space", 0x065c5): (82, "LoadHandler3Map"),
-  ("read_only_space", 0x065ed): (83, "StoreHandler0Map"),
-  ("read_only_space", 0x06615): (83, "StoreHandler1Map"),
-  ("read_only_space", 0x0663d): (83, "StoreHandler2Map"),
-  ("read_only_space", 0x06665): (83, "StoreHandler3Map"),
+  ("read_only_space", 0x0645d): (136, "InternalClassWithSmiElementsMap"),
+  ("read_only_space", 0x06485): (178, "InternalClassWithStructElementsMap"),
+  ("read_only_space", 0x064ad): (155, "ExportedSubClass2Map"),
+  ("read_only_space", 0x064d5): (189, "SortStateMap"),
+  ("read_only_space", 0x064fd): (167, "CallRefDataMap"),
+  ("read_only_space", 0x06525): (90, "AllocationSiteWithWeakNextMap"),
+  ("read_only_space", 0x0654d): (90, "AllocationSiteWithoutWeakNextMap"),
+  ("read_only_space", 0x06575): (81, "LoadHandler1Map"),
+  ("read_only_space", 0x0659d): (81, "LoadHandler2Map"),
+  ("read_only_space", 0x065c5): (81, "LoadHandler3Map"),
+  ("read_only_space", 0x065ed): (82, "StoreHandler0Map"),
+  ("read_only_space", 0x06615): (82, "StoreHandler1Map"),
+  ("read_only_space", 0x0663d): (82, "StoreHandler2Map"),
+  ("read_only_space", 0x06665): (82, "StoreHandler3Map"),
  ("map_space", 0x02119): (1057, "ExternalMap"),
  ("map_space", 0x02141): (2114, "JSMessageObjectMap"),
 }