[sandbox] Refactor and sandboxify WasmInternalFunction::call_target

This CL refactors WasmInternalFunction to no longer inherit from Foreign but instead contain a (sandboxed) ExternalPointer field for the call target. Bug: v8:10391 Change-Id: Iaaf25e635a275d7570e09699be3c8dec6108d4b3 Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3782675 Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81957}
2022-07-25 17:49:39 +02:00 · 2022-07-25 17:49:39 +02:00 · 2eb73988a3
commit 2eb73988a3
parent cb5c1b8a1f
15 changed files with 168 additions and 134 deletions
--- a/include/v8-internal.h
+++ b/include/v8-internal.h
@ -379,7 +379,8 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
  V(kCallHandlerInfoJsCallbackTag,        unsandboxed, TAG(16)) \
  V(kAccessorInfoGetterTag,               unsandboxed, TAG(17)) \
  V(kAccessorInfoJsGetterTag,             unsandboxed, TAG(18)) \
-  V(kAccessorInfoSetterTag,               unsandboxed, TAG(19))
+  V(kAccessorInfoSetterTag,               unsandboxed, TAG(19)) \
+  V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(20))

 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \
--- a/src/builtins/wasm.tq
+++ b/src/builtins/wasm.tq
@ -522,7 +522,7 @@ struct TargetAndInstance {

 macro GetTargetAndInstance(funcref: WasmInternalFunction): TargetAndInstance {
  const ref = funcref.ref;
-  let target = funcref.foreign_address_ptr;
+  let target = funcref.call_target_ptr;
  if (Signed(target) == IntPtrConstant(0)) {
    target = GetCodeEntry(funcref.code);
  }
--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@ -3706,8 +3706,8 @@ void GenericJSToWasmWrapperHelper(MacroAssembler* masm, bool stack_switch) {
      FieldOperand(function_data, WasmExportedFunctionData::kInternalOffset));
  __ LoadExternalPointerField(
      function_entry,
-      FieldOperand(function_entry, WasmInternalFunction::kForeignAddressOffset),
-      kForeignForeignAddressTag, scratch);
+      FieldOperand(function_entry, WasmInternalFunction::kCallTargetOffset),
+      kWasmInternalFunctionCallTargetTag, scratch);
  function_data = no_reg;
  scratch = no_reg;

--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@ -30,10 +30,6 @@
 #include "src/objects/property-cell.h"
 #include "src/roots/roots.h"

-#if V8_ENABLE_WEBASSEMBLY
-#include "src/wasm/wasm-objects.h"
-#endif  // V8_ENABLE_WEBASSEMBLY
-
 namespace v8 {
 namespace internal {

--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -33,6 +33,10 @@
 #include "src/roots/roots.h"
 #include "torque-generated/exported-macros-assembler.h"

+#if V8_ENABLE_WEBASSEMBLY
+#include "src/wasm/wasm-objects.h"
+#endif  // V8_ENABLE_WEBASSEMBLY
+
 namespace v8 {
 namespace internal {

@ -1156,6 +1160,15 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
                                         kExternalStringResourceDataTag);
  }

+#if V8_ENABLE_WEBASSEMBLY
+  TNode<RawPtrT> LoadWasmInternalFunctionCallTargetPtr(
+      TNode<WasmInternalFunction> object) {
+    return LoadExternalPointerFromObject(
+        object, WasmInternalFunction::kCallTargetOffset,
+        kWasmInternalFunctionCallTargetTag);
+  }
+#endif  // V8_ENABLE_WEBASSEMBLY
+
  TNode<RawPtrT> LoadJSTypedArrayExternalPointerPtr(
      TNode<JSTypedArray> holder) {
    return LoadSandboxedPointerFromObject(holder,
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@ -2915,7 +2915,8 @@ Node* WasmGraphBuilder::BuildLoadCallTargetFromExportedFunctionData(
      MachineType::TaggedPointer(), function,
      wasm::ObjectAccess::ToTagged(WasmExportedFunctionData::kInternalOffset));
  return BuildLoadExternalPointerFromObject(
-      internal, WasmInternalFunction::kForeignAddressOffset);
+      internal, WasmInternalFunction::kCallTargetOffset,
+      kWasmInternalFunctionCallTargetTag);
 }

 // TODO(9495): Support CAPI function refs.
@ -2939,7 +2940,8 @@ Node* WasmGraphBuilder::BuildCallRef(const wasm::FunctionSig* sig,
      wasm::ObjectAccess::ToTagged(WasmInternalFunction::kRefOffset));

  Node* target = BuildLoadExternalPointerFromObject(
-      function, WasmInternalFunction::kForeignAddressOffset);
+      function, WasmInternalFunction::kCallTargetOffset,
+      kWasmInternalFunctionCallTargetTag);
  Node* is_null_target = gasm_->WordEqual(target, gasm_->IntPtrConstant(0));
  gasm_->GotoIfNot(is_null_target, &end_label, target);
  {
@ -6777,7 +6779,8 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
            MachineType::TaggedPointer(), function_data,
            wasm::ObjectAccess::ToTagged(WasmFunctionData::kInternalOffset));
        args[0] = BuildLoadExternalPointerFromObject(
-            internal, WasmInternalFunction::kForeignAddressOffset);
+            internal, WasmInternalFunction::kCallTargetOffset,
+            kWasmInternalFunctionCallTargetTag);
        Node* instance_node = gasm_->LoadFromObject(
            MachineType::TaggedPointer(), internal,
            wasm::ObjectAccess::ToTagged(WasmInternalFunction::kRefOffset));
--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@ -2070,7 +2070,8 @@ void WasmApiFunctionRef::WasmApiFunctionRefPrint(std::ostream& os) {

 void WasmInternalFunction::WasmInternalFunctionPrint(std::ostream& os) {
  PrintHeader(os, "WasmInternalFunction");
-  os << "\n - call target: " << reinterpret_cast<void*>(foreign_address());
+  Isolate* isolate = GetIsolateForSandbox(*this);
+  os << "\n - call target: " << reinterpret_cast<void*>(call_target(isolate));
  os << "\n - ref: " << Brief(ref());
  os << "\n - external: " << Brief(external());
  os << "\n - code: " << Brief(code());
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -1667,7 +1667,7 @@ Handle<WasmInternalFunction> Factory::NewWasmInternalFunction(
  WasmInternalFunction result = WasmInternalFunction::cast(raw);
  DisallowGarbageCollection no_gc;
  result.AllocateExternalPointerEntries(isolate());
-  result.set_foreign_address(isolate(), opt_call_target);
+  result.set_call_target(isolate(), opt_call_target);
  result.set_ref(*ref);
  // Default values, will be overwritten by the caller.
  result.set_code(*BUILTIN_CODE(isolate(), Abort));
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@ -750,8 +750,8 @@ class WasmInternalFunction::BodyDescriptor final : public BodyDescriptorBase {
  template <typename ObjectVisitor>
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
-    Foreign::BodyDescriptor::IterateBody<ObjectVisitor>(map, obj, object_size,
-                                                        v);
+    v->VisitExternalPointer(obj, obj.RawExternalPointerField(kCallTargetOffset),
+                            kWasmInternalFunctionCallTargetTag);
    IteratePointers(obj, kStartOfStrongFieldsOffset, kEndOfStrongFieldsOffset,
                    v);
  }
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@ -7250,13 +7250,13 @@ class LiftoffCompiler {
 #ifdef V8_ENABLE_SANDBOX
      LOAD_INSTANCE_FIELD(temp.gp(), IsolateRoot, kSystemPointerSize, pinned);
      __ LoadExternalPointer(target.gp(), func_ref.gp(),
-                             WasmInternalFunction::kForeignAddressOffset,
-                             kForeignForeignAddressTag, temp.gp());
+                             WasmInternalFunction::kCallTargetOffset,
+                             kWasmInternalFunctionCallTargetTag, temp.gp());
 #else
-      __ Load(target, func_ref.gp(), no_reg,
-              wasm::ObjectAccess::ToTagged(
-                  WasmInternalFunction::kForeignAddressOffset),
-              kPointerLoadType);
+      __ Load(
+          target, func_ref.gp(), no_reg,
+          wasm::ObjectAccess::ToTagged(WasmInternalFunction::kCallTargetOffset),
+          kPointerLoadType);
 #endif

      FREEZE_STATE(frozen);
--- a/src/wasm/c-api.cc
+++ b/src/wasm/c-api.cc
@ -1670,7 +1670,7 @@ auto Func::call(const Val args[], Val results[]) const -> own<Trap> {
      instance->module()->functions[function_index].sig;
  PrepareFunctionData(isolate, function_data, sig, instance->module());
  i::Handle<i::CodeT> wrapper_code(function_data->c_wrapper_code(), isolate);
-  i::Address call_target = function_data->internal().foreign_address();
+  i::Address call_target = function_data->internal().call_target(isolate);

  i::wasm::CWasmArgumentsPacker packer(function_data->packed_args_size());
  PushArgs(sig, args, &packer, store);
--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@ -286,6 +286,16 @@ WasmExportedFunction::WasmExportedFunction(Address ptr) : JSFunction(ptr) {
 }
 CAST_ACCESSOR(WasmExportedFunction)

+// WasmInternalFunction
+EXTERNAL_POINTER_ACCESSORS(WasmInternalFunction, call_target, Address,
+                           kCallTargetOffset,
+                           kWasmInternalFunctionCallTargetTag)
+
+void WasmInternalFunction::AllocateExternalPointerEntries(Isolate* isolate) {
+  InitExternalPointerField<kWasmInternalFunctionCallTargetTag>(
+      kCallTargetOffset, isolate);
+}
+
 // WasmFunctionData
 ACCESSORS(WasmFunctionData, internal, WasmInternalFunction, kInternalOffset)

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@ -747,19 +747,26 @@ class WasmApiFunctionRef

 class WasmInternalFunction
    : public TorqueGeneratedWasmInternalFunction<WasmInternalFunction,
-                                                 Foreign> {
+                                                 HeapObject> {
 public:
  // Returns a handle to the corresponding WasmInternalFunction if {external} is
  // a WasmExternalFunction, or an empty handle otherwise.
  static MaybeHandle<WasmInternalFunction> FromExternal(Handle<Object> external,
                                                        Isolate* isolate);

+  DECL_EXTERNAL_POINTER_ACCESSORS(call_target, Address);
+
  // Dispatched behavior.
  DECL_PRINTER(WasmInternalFunction)

  class BodyDescriptor;

  TQ_OBJECT_CONSTRUCTORS(WasmInternalFunction)
+
+ private:
+  friend class Factory;
+
+  inline void AllocateExternalPointerEntries(Isolate* isolate);
 };

 // Information for a WasmJSFunction which is referenced as the function data of
--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@ -29,9 +29,9 @@ extern class WasmApiFunctionRef extends HeapObject {

 // This is the representation that is used internally by wasm to represent
 // function references.
-// The {foreign_address} field inherited from {Foreign} points to the call
-// target.
-extern class WasmInternalFunction extends Foreign {
+extern class WasmInternalFunction extends HeapObject {
+  // The call target. Tagged with the kWasmInternalFunctionCallTargetTag
+  call_target: ExternalPointer;
  // This is the "reference" value that must be passed along in the "instance"
  // register when calling the given function. It is either the target instance
  // (for wasm functions), or a WasmApiFunctionRef object (for functions defined
@ -46,6 +46,9 @@ extern class WasmInternalFunction extends Foreign {
  @ifnot(V8_EXTERNAL_CODE_SPACE) code: Code;
 }

+extern operator '.call_target_ptr' macro LoadWasmInternalFunctionCallTargetPtr(
+    WasmInternalFunction): RawPtr;
+
 extern class WasmFunctionData extends HeapObject {
  // The wasm-internal representation of this function object.
  internal: WasmInternalFunction;
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@ -109,64 +109,64 @@ INSTANCE_TYPES = {
  202: "ABSTRACT_INTERNAL_CLASS_SUBCLASS1_TYPE",
  203: "ABSTRACT_INTERNAL_CLASS_SUBCLASS2_TYPE",
  204: "FOREIGN_TYPE",
-  205: "WASM_INTERNAL_FUNCTION_TYPE",
-  206: "WASM_TYPE_INFO_TYPE",
-  207: "AWAIT_CONTEXT_TYPE",
-  208: "BLOCK_CONTEXT_TYPE",
-  209: "CATCH_CONTEXT_TYPE",
-  210: "DEBUG_EVALUATE_CONTEXT_TYPE",
-  211: "EVAL_CONTEXT_TYPE",
-  212: "FUNCTION_CONTEXT_TYPE",
-  213: "MODULE_CONTEXT_TYPE",
-  214: "NATIVE_CONTEXT_TYPE",
-  215: "SCRIPT_CONTEXT_TYPE",
-  216: "WITH_CONTEXT_TYPE",
-  217: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
-  218: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_AND_JOB_TYPE",
-  219: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
-  220: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_WITH_JOB_TYPE",
-  221: "WASM_FUNCTION_DATA_TYPE",
-  222: "WASM_CAPI_FUNCTION_DATA_TYPE",
-  223: "WASM_EXPORTED_FUNCTION_DATA_TYPE",
-  224: "WASM_JS_FUNCTION_DATA_TYPE",
-  225: "EXPORTED_SUB_CLASS_BASE_TYPE",
-  226: "EXPORTED_SUB_CLASS_TYPE",
-  227: "EXPORTED_SUB_CLASS2_TYPE",
-  228: "SMALL_ORDERED_HASH_MAP_TYPE",
-  229: "SMALL_ORDERED_HASH_SET_TYPE",
-  230: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
-  231: "DESCRIPTOR_ARRAY_TYPE",
-  232: "STRONG_DESCRIPTOR_ARRAY_TYPE",
-  233: "SOURCE_TEXT_MODULE_TYPE",
-  234: "SYNTHETIC_MODULE_TYPE",
-  235: "WEAK_FIXED_ARRAY_TYPE",
-  236: "TRANSITION_ARRAY_TYPE",
-  237: "ACCESSOR_INFO_TYPE",
-  238: "CALL_HANDLER_INFO_TYPE",
-  239: "CELL_TYPE",
-  240: "CODE_TYPE",
-  241: "CODE_DATA_CONTAINER_TYPE",
-  242: "COVERAGE_INFO_TYPE",
-  243: "EMBEDDER_DATA_ARRAY_TYPE",
-  244: "FEEDBACK_METADATA_TYPE",
-  245: "FEEDBACK_VECTOR_TYPE",
-  246: "FILLER_TYPE",
-  247: "FREE_SPACE_TYPE",
-  248: "INTERNAL_CLASS_TYPE",
-  249: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
-  250: "MAP_TYPE",
-  251: "MEGA_DOM_HANDLER_TYPE",
-  252: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
-  253: "PREPARSE_DATA_TYPE",
-  254: "PROPERTY_ARRAY_TYPE",
-  255: "PROPERTY_CELL_TYPE",
-  256: "SCOPE_INFO_TYPE",
-  257: "SHARED_FUNCTION_INFO_TYPE",
-  258: "SMI_BOX_TYPE",
-  259: "SMI_PAIR_TYPE",
-  260: "SORT_STATE_TYPE",
-  261: "SWISS_NAME_DICTIONARY_TYPE",
-  262: "WASM_API_FUNCTION_REF_TYPE",
+  205: "WASM_TYPE_INFO_TYPE",
+  206: "AWAIT_CONTEXT_TYPE",
+  207: "BLOCK_CONTEXT_TYPE",
+  208: "CATCH_CONTEXT_TYPE",
+  209: "DEBUG_EVALUATE_CONTEXT_TYPE",
+  210: "EVAL_CONTEXT_TYPE",
+  211: "FUNCTION_CONTEXT_TYPE",
+  212: "MODULE_CONTEXT_TYPE",
+  213: "NATIVE_CONTEXT_TYPE",
+  214: "SCRIPT_CONTEXT_TYPE",
+  215: "WITH_CONTEXT_TYPE",
+  216: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
+  217: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_AND_JOB_TYPE",
+  218: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
+  219: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_WITH_JOB_TYPE",
+  220: "WASM_FUNCTION_DATA_TYPE",
+  221: "WASM_CAPI_FUNCTION_DATA_TYPE",
+  222: "WASM_EXPORTED_FUNCTION_DATA_TYPE",
+  223: "WASM_JS_FUNCTION_DATA_TYPE",
+  224: "EXPORTED_SUB_CLASS_BASE_TYPE",
+  225: "EXPORTED_SUB_CLASS_TYPE",
+  226: "EXPORTED_SUB_CLASS2_TYPE",
+  227: "SMALL_ORDERED_HASH_MAP_TYPE",
+  228: "SMALL_ORDERED_HASH_SET_TYPE",
+  229: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
+  230: "DESCRIPTOR_ARRAY_TYPE",
+  231: "STRONG_DESCRIPTOR_ARRAY_TYPE",
+  232: "SOURCE_TEXT_MODULE_TYPE",
+  233: "SYNTHETIC_MODULE_TYPE",
+  234: "WEAK_FIXED_ARRAY_TYPE",
+  235: "TRANSITION_ARRAY_TYPE",
+  236: "ACCESSOR_INFO_TYPE",
+  237: "CALL_HANDLER_INFO_TYPE",
+  238: "CELL_TYPE",
+  239: "CODE_TYPE",
+  240: "CODE_DATA_CONTAINER_TYPE",
+  241: "COVERAGE_INFO_TYPE",
+  242: "EMBEDDER_DATA_ARRAY_TYPE",
+  243: "FEEDBACK_METADATA_TYPE",
+  244: "FEEDBACK_VECTOR_TYPE",
+  245: "FILLER_TYPE",
+  246: "FREE_SPACE_TYPE",
+  247: "INTERNAL_CLASS_TYPE",
+  248: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
+  249: "MAP_TYPE",
+  250: "MEGA_DOM_HANDLER_TYPE",
+  251: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
+  252: "PREPARSE_DATA_TYPE",
+  253: "PROPERTY_ARRAY_TYPE",
+  254: "PROPERTY_CELL_TYPE",
+  255: "SCOPE_INFO_TYPE",
+  256: "SHARED_FUNCTION_INFO_TYPE",
+  257: "SMI_BOX_TYPE",
+  258: "SMI_PAIR_TYPE",
+  259: "SORT_STATE_TYPE",
+  260: "SWISS_NAME_DICTIONARY_TYPE",
+  261: "WASM_API_FUNCTION_REF_TYPE",
+  262: "WASM_INTERNAL_FUNCTION_TYPE",
  263: "WASM_RESUME_DATA_TYPE",
  264: "WASM_STRING_VIEW_ITER_TYPE",
  265: "WEAK_ARRAY_LIST_TYPE",
@ -279,16 +279,16 @@ INSTANCE_TYPES = {

 # List of known V8 maps.
 KNOWN_MAPS = {
-    ("read_only_space", 0x02139): (250, "MetaMap"),
+    ("read_only_space", 0x02139): (249, "MetaMap"),
    ("read_only_space", 0x02161): (131, "NullMap"),
-    ("read_only_space", 0x02189): (232, "StrongDescriptorArrayMap"),
+    ("read_only_space", 0x02189): (231, "StrongDescriptorArrayMap"),
    ("read_only_space", 0x021b1): (265, "WeakArrayListMap"),
    ("read_only_space", 0x021f5): (155, "EnumCacheMap"),
    ("read_only_space", 0x02229): (177, "FixedArrayMap"),
    ("read_only_space", 0x02275): (8, "OneByteInternalizedStringMap"),
-    ("read_only_space", 0x022c1): (247, "FreeSpaceMap"),
-    ("read_only_space", 0x022e9): (246, "OnePointerFillerMap"),
-    ("read_only_space", 0x02311): (246, "TwoPointerFillerMap"),
+    ("read_only_space", 0x022c1): (246, "FreeSpaceMap"),
+    ("read_only_space", 0x022e9): (245, "OnePointerFillerMap"),
+    ("read_only_space", 0x02311): (245, "TwoPointerFillerMap"),
    ("read_only_space", 0x02339): (131, "UninitializedMap"),
    ("read_only_space", 0x023b1): (131, "UndefinedMap"),
    ("read_only_space", 0x023f5): (130, "HeapNumberMap"),
@ -299,15 +299,15 @@ KNOWN_MAPS = {
    ("read_only_space", 0x0257d): (178, "HashTableMap"),
    ("read_only_space", 0x025a5): (128, "SymbolMap"),
    ("read_only_space", 0x025cd): (40, "OneByteStringMap"),
-    ("read_only_space", 0x025f5): (256, "ScopeInfoMap"),
-    ("read_only_space", 0x0261d): (257, "SharedFunctionInfoMap"),
-    ("read_only_space", 0x02645): (240, "CodeMap"),
-    ("read_only_space", 0x0266d): (239, "CellMap"),
-    ("read_only_space", 0x02695): (255, "GlobalPropertyCellMap"),
+    ("read_only_space", 0x025f5): (255, "ScopeInfoMap"),
+    ("read_only_space", 0x0261d): (256, "SharedFunctionInfoMap"),
+    ("read_only_space", 0x02645): (239, "CodeMap"),
+    ("read_only_space", 0x0266d): (238, "CellMap"),
+    ("read_only_space", 0x02695): (254, "GlobalPropertyCellMap"),
    ("read_only_space", 0x026bd): (204, "ForeignMap"),
-    ("read_only_space", 0x026e5): (236, "TransitionArrayMap"),
+    ("read_only_space", 0x026e5): (235, "TransitionArrayMap"),
    ("read_only_space", 0x0270d): (45, "ThinOneByteStringMap"),
-    ("read_only_space", 0x02735): (245, "FeedbackVectorMap"),
+    ("read_only_space", 0x02735): (244, "FeedbackVectorMap"),
    ("read_only_space", 0x0276d): (131, "ArgumentsMarkerMap"),
    ("read_only_space", 0x027cd): (131, "ExceptionMap"),
    ("read_only_space", 0x02829): (131, "TerminationExceptionMap"),
@ -315,17 +315,17 @@ KNOWN_MAPS = {
    ("read_only_space", 0x028f1): (131, "StaleRegisterMap"),
    ("read_only_space", 0x02951): (191, "ScriptContextTableMap"),
    ("read_only_space", 0x02979): (189, "ClosureFeedbackCellArrayMap"),
-    ("read_only_space", 0x029a1): (244, "FeedbackMetadataArrayMap"),
+    ("read_only_space", 0x029a1): (243, "FeedbackMetadataArrayMap"),
    ("read_only_space", 0x029c9): (177, "ArrayListMap"),
    ("read_only_space", 0x029f1): (129, "BigIntMap"),
    ("read_only_space", 0x02a19): (190, "ObjectBoilerplateDescriptionMap"),
    ("read_only_space", 0x02a41): (193, "BytecodeArrayMap"),
-    ("read_only_space", 0x02a69): (241, "CodeDataContainerMap"),
-    ("read_only_space", 0x02a91): (242, "CoverageInfoMap"),
+    ("read_only_space", 0x02a69): (240, "CodeDataContainerMap"),
+    ("read_only_space", 0x02a91): (241, "CoverageInfoMap"),
    ("read_only_space", 0x02ab9): (194, "FixedDoubleArrayMap"),
    ("read_only_space", 0x02ae1): (180, "GlobalDictionaryMap"),
    ("read_only_space", 0x02b09): (157, "ManyClosuresCellMap"),
-    ("read_only_space", 0x02b31): (251, "MegaDomHandlerMap"),
+    ("read_only_space", 0x02b31): (250, "MegaDomHandlerMap"),
    ("read_only_space", 0x02b59): (177, "ModuleInfoMap"),
    ("read_only_space", 0x02b81): (181, "NameDictionaryMap"),
    ("read_only_space", 0x02ba9): (157, "NoClosuresCellMap"),
@ -336,29 +336,29 @@ KNOWN_MAPS = {
    ("read_only_space", 0x02c71): (182, "NameToIndexHashTableMap"),
    ("read_only_space", 0x02c99): (187, "RegisteredSymbolTableMap"),
    ("read_only_space", 0x02cc1): (186, "OrderedNameDictionaryMap"),
-    ("read_only_space", 0x02ce9): (253, "PreparseDataMap"),
-    ("read_only_space", 0x02d11): (254, "PropertyArrayMap"),
-    ("read_only_space", 0x02d39): (237, "AccessorInfoMap"),
-    ("read_only_space", 0x02d61): (238, "SideEffectCallHandlerInfoMap"),
-    ("read_only_space", 0x02d89): (238, "SideEffectFreeCallHandlerInfoMap"),
-    ("read_only_space", 0x02db1): (238, "NextCallSideEffectFreeCallHandlerInfoMap"),
+    ("read_only_space", 0x02ce9): (252, "PreparseDataMap"),
+    ("read_only_space", 0x02d11): (253, "PropertyArrayMap"),
+    ("read_only_space", 0x02d39): (236, "AccessorInfoMap"),
+    ("read_only_space", 0x02d61): (237, "SideEffectCallHandlerInfoMap"),
+    ("read_only_space", 0x02d89): (237, "SideEffectFreeCallHandlerInfoMap"),
+    ("read_only_space", 0x02db1): (237, "NextCallSideEffectFreeCallHandlerInfoMap"),
    ("read_only_space", 0x02dd9): (188, "SimpleNumberDictionaryMap"),
-    ("read_only_space", 0x02e01): (228, "SmallOrderedHashMapMap"),
-    ("read_only_space", 0x02e29): (229, "SmallOrderedHashSetMap"),
-    ("read_only_space", 0x02e51): (230, "SmallOrderedNameDictionaryMap"),
-    ("read_only_space", 0x02e79): (233, "SourceTextModuleMap"),
-    ("read_only_space", 0x02ea1): (261, "SwissNameDictionaryMap"),
-    ("read_only_space", 0x02ec9): (234, "SyntheticModuleMap"),
-    ("read_only_space", 0x02ef1): (262, "WasmApiFunctionRefMap"),
-    ("read_only_space", 0x02f19): (222, "WasmCapiFunctionDataMap"),
-    ("read_only_space", 0x02f41): (223, "WasmExportedFunctionDataMap"),
-    ("read_only_space", 0x02f69): (205, "WasmInternalFunctionMap"),
-    ("read_only_space", 0x02f91): (224, "WasmJSFunctionDataMap"),
+    ("read_only_space", 0x02e01): (227, "SmallOrderedHashMapMap"),
+    ("read_only_space", 0x02e29): (228, "SmallOrderedHashSetMap"),
+    ("read_only_space", 0x02e51): (229, "SmallOrderedNameDictionaryMap"),
+    ("read_only_space", 0x02e79): (232, "SourceTextModuleMap"),
+    ("read_only_space", 0x02ea1): (260, "SwissNameDictionaryMap"),
+    ("read_only_space", 0x02ec9): (233, "SyntheticModuleMap"),
+    ("read_only_space", 0x02ef1): (261, "WasmApiFunctionRefMap"),
+    ("read_only_space", 0x02f19): (221, "WasmCapiFunctionDataMap"),
+    ("read_only_space", 0x02f41): (222, "WasmExportedFunctionDataMap"),
+    ("read_only_space", 0x02f69): (262, "WasmInternalFunctionMap"),
+    ("read_only_space", 0x02f91): (223, "WasmJSFunctionDataMap"),
    ("read_only_space", 0x02fb9): (263, "WasmResumeDataMap"),
-    ("read_only_space", 0x02fe1): (206, "WasmTypeInfoMap"),
-    ("read_only_space", 0x03009): (235, "WeakFixedArrayMap"),
+    ("read_only_space", 0x02fe1): (205, "WasmTypeInfoMap"),
+    ("read_only_space", 0x03009): (234, "WeakFixedArrayMap"),
    ("read_only_space", 0x03031): (179, "EphemeronHashTableMap"),
-    ("read_only_space", 0x03059): (243, "EmbedderDataArrayMap"),
+    ("read_only_space", 0x03059): (242, "EmbedderDataArrayMap"),
    ("read_only_space", 0x03081): (266, "WeakCellMap"),
    ("read_only_space", 0x030a9): (32, "StringMap"),
    ("read_only_space", 0x030d1): (41, "ConsOneByteStringMap"),
@ -422,28 +422,28 @@ KNOWN_MAPS = {
    ("read_only_space", 0x064f9): (175, "WasmExceptionTagMap"),
    ("read_only_space", 0x06521): (176, "WasmIndirectFunctionTableMap"),
    ("read_only_space", 0x06549): (196, "SloppyArgumentsElementsMap"),
-    ("read_only_space", 0x06571): (231, "DescriptorArrayMap"),
-    ("read_only_space", 0x06599): (219, "UncompiledDataWithoutPreparseDataMap"),
-    ("read_only_space", 0x065c1): (217, "UncompiledDataWithPreparseDataMap"),
-    ("read_only_space", 0x065e9): (220, "UncompiledDataWithoutPreparseDataWithJobMap"),
-    ("read_only_space", 0x06611): (218, "UncompiledDataWithPreparseDataAndJobMap"),
-    ("read_only_space", 0x06639): (252, "OnHeapBasicBlockProfilerDataMap"),
+    ("read_only_space", 0x06571): (230, "DescriptorArrayMap"),
+    ("read_only_space", 0x06599): (218, "UncompiledDataWithoutPreparseDataMap"),
+    ("read_only_space", 0x065c1): (216, "UncompiledDataWithPreparseDataMap"),
+    ("read_only_space", 0x065e9): (219, "UncompiledDataWithoutPreparseDataWithJobMap"),
+    ("read_only_space", 0x06611): (217, "UncompiledDataWithPreparseDataAndJobMap"),
+    ("read_only_space", 0x06639): (251, "OnHeapBasicBlockProfilerDataMap"),
    ("read_only_space", 0x06661): (197, "TurbofanBitsetTypeMap"),
    ("read_only_space", 0x06689): (201, "TurbofanUnionTypeMap"),
    ("read_only_space", 0x066b1): (200, "TurbofanRangeTypeMap"),
    ("read_only_space", 0x066d9): (198, "TurbofanHeapConstantTypeMap"),
    ("read_only_space", 0x06701): (199, "TurbofanOtherNumberConstantTypeMap"),
-    ("read_only_space", 0x06729): (248, "InternalClassMap"),
-    ("read_only_space", 0x06751): (259, "SmiPairMap"),
-    ("read_only_space", 0x06779): (258, "SmiBoxMap"),
-    ("read_only_space", 0x067a1): (225, "ExportedSubClassBaseMap"),
-    ("read_only_space", 0x067c9): (226, "ExportedSubClassMap"),
+    ("read_only_space", 0x06729): (247, "InternalClassMap"),
+    ("read_only_space", 0x06751): (258, "SmiPairMap"),
+    ("read_only_space", 0x06779): (257, "SmiBoxMap"),
+    ("read_only_space", 0x067a1): (224, "ExportedSubClassBaseMap"),
+    ("read_only_space", 0x067c9): (225, "ExportedSubClassMap"),
    ("read_only_space", 0x067f1): (202, "AbstractInternalClassSubclass1Map"),
    ("read_only_space", 0x06819): (203, "AbstractInternalClassSubclass2Map"),
    ("read_only_space", 0x06841): (195, "InternalClassWithSmiElementsMap"),
-    ("read_only_space", 0x06869): (249, "InternalClassWithStructElementsMap"),
-    ("read_only_space", 0x06891): (227, "ExportedSubClass2Map"),
-    ("read_only_space", 0x068b9): (260, "SortStateMap"),
+    ("read_only_space", 0x06869): (248, "InternalClassWithStructElementsMap"),
+    ("read_only_space", 0x06891): (226, "ExportedSubClass2Map"),
+    ("read_only_space", 0x068b9): (259, "SortStateMap"),
    ("read_only_space", 0x068e1): (264, "WasmStringViewIterMap"),
    ("read_only_space", 0x06909): (145, "AllocationSiteWithWeakNextMap"),
    ("read_only_space", 0x06931): (145, "AllocationSiteWithoutWeakNextMap"),