[inspector] Fix crash due to misuse of embedder fields.

The contract between V8 and Blink is that embedder fields belong to Blink, at least when the object has two or more of them. Now we had 2-3 embedder fields used by the debug proxies and that was confusing Blink, since it expects the first slot to hold an aligned pointer in that case and we had a HeapObject reference stored there. This is a quickfix, which avoids internal fields completely for the context extension proxy (using interceptors on the prototype instead) and changes the named proxies to store the name table under a private symbol instead of using a second internal field. A proper but way more involved fix is to introduce a proper instance type here and use space in the header instead of misusing embedder fields. Fixed: chromium:1170283 Bug: chromium:1159402 Change-Id: I6c4bbe2fe88fef29a6b9946708588245efbbe72b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2649033 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#72323}
2021-01-26 14:49:29 +01:00 · 2021-01-26 14:49:29 +01:00 · 7e2f11082b
commit 7e2f11082b
parent f30c268173
3 changed files with 136 additions and 156 deletions
--- a/src/debug/debug-wasm-support.cc
+++ b/src/debug/debug-wasm-support.cc
@ -255,12 +255,6 @@ struct IndexedDebugProxy {
 // of functions in them.
 template <typename T, DebugProxyId id, typename Provider = WasmInstanceObject>
 struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {
-  enum {
-    kProviderField,
-    kNameTableField,
-    kFieldCount,
-  };
-
  static v8::Local<v8::FunctionTemplate> CreateTemplate(v8::Isolate* isolate) {
    auto templ = IndexedDebugProxy<T, id, Provider>::CreateTemplate(isolate);
    templ->InstanceTemplate()->SetHandler(v8::NamedPropertyHandlerConfiguration(
@ -275,8 +269,9 @@ struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {

  static Handle<NameDictionary> GetNameTable(Handle<JSObject> holder,
                                             Isolate* isolate) {
-    Handle<Object> table_or_undefined(holder->GetEmbedderField(kNameTableField),
-                                      isolate);
+    Handle<Symbol> symbol = isolate->factory()->wasm_debug_proxy_names_symbol();
+    Handle<Object> table_or_undefined =
+        JSObject::GetProperty(isolate, holder, symbol).ToHandleChecked();
    if (!table_or_undefined->IsUndefined(isolate)) {
      return Handle<NameDictionary>::cast(table_or_undefined);
    }
@ -291,7 +286,7 @@ struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {
      table = NameDictionary::Add(isolate, table, key, value,
                                  PropertyDetails::Empty());
    }
-    holder->SetEmbedderField(kNameTableField, *table);
+    Object::SetProperty(isolate, holder, symbol, table).Check();
    return table;
  }

@ -593,33 +588,17 @@ Handle<JSObject> GetOrCreateInstanceProxy(Isolate* isolate,
 //
 // See http://doc/1VZOJrU2VsqOZe3IUzbwQWQQSZwgGySsm5119Ust1gUA and
 // http://bit.ly/devtools-wasm-entities for more details.
-class ContextProxy {
+class ContextProxyPrototype {
 public:
-  static Handle<JSObject> Create(WasmFrame* frame) {
-    Isolate* isolate = frame->isolate();
+  static Handle<JSObject> Create(Isolate* isolate) {
    auto object_map =
        GetOrCreateDebugProxyMap(isolate, kContextProxy, &CreateTemplate);
-    auto object = isolate->factory()->NewJSObjectFromMap(object_map);
-    Handle<WasmInstanceObject> instance(frame->wasm_instance(), isolate);
-    object->SetEmbedderField(kInstanceField, *instance);
-    Handle<JSObject> locals = LocalsProxy::Create(frame);
-    object->SetEmbedderField(kLocalsField, *locals);
-    Handle<JSObject> stack = StackProxy::Create(frame);
-    object->SetEmbedderField(kStackField, *stack);
-    return object;
+    return isolate->factory()->NewJSObjectFromMap(object_map);
  }

 private:
-  enum {
-    kInstanceField,
-    kLocalsField,
-    kStackField,
-    kFieldCount,
-  };
-
  static v8::Local<v8::FunctionTemplate> CreateTemplate(v8::Isolate* isolate) {
    Local<v8::FunctionTemplate> templ = v8::FunctionTemplate::New(isolate);
-    templ->InstanceTemplate()->SetInternalFieldCount(kFieldCount);
    templ->InstanceTemplate()->SetHandler(v8::NamedPropertyHandlerConfiguration(
        &NamedGetter, {}, {}, {}, {}, {}, {}, {},
        static_cast<v8::PropertyHandlerFlags>(
@ -631,44 +610,16 @@ class ContextProxy {
  }

  static MaybeHandle<Object> GetNamedProperty(Isolate* isolate,
-                                              Handle<JSObject> holder,
+                                              Handle<JSObject> receiver,
                                              Handle<String> name) {
-    if (name->length() == 0) return {};
-    Handle<WasmInstanceObject> instance(
-        WasmInstanceObject::cast(holder->GetEmbedderField(kInstanceField)),
-        isolate);
-    if (name->IsOneByteEqualTo(StaticCharVector("instance"))) {
-      return instance;
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("module"))) {
-      return handle(instance->module_object(), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("locals"))) {
-      return handle(holder->GetEmbedderField(kLocalsField), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("stack"))) {
-      return handle(holder->GetEmbedderField(kStackField), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("memories"))) {
-      return GetOrCreateInstanceProxy<MemoriesProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("tables"))) {
-      return GetOrCreateInstanceProxy<TablesProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("globals"))) {
-      return GetOrCreateInstanceProxy<GlobalsProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("functions"))) {
-      return GetOrCreateInstanceProxy<FunctionsProxy>(isolate, instance);
-    }
-    if (name->Get(0) == '$') {
+    if (name->length() != 0 && name->Get(0) == '$') {
      const char* kDelegateNames[] = {"memories", "locals", "tables",
                                      "functions", "globals"};
      for (auto delegate_name : kDelegateNames) {
        Handle<Object> delegate;
        ASSIGN_RETURN_ON_EXCEPTION(
            isolate, delegate,
-            JSObject::GetProperty(isolate, holder, delegate_name), Object);
+            JSObject::GetProperty(isolate, receiver, delegate_name), Object);
        if (!delegate->IsUndefined(isolate)) {
          Handle<Object> value;
          ASSIGN_RETURN_ON_EXCEPTION(
@ -685,14 +636,42 @@ class ContextProxy {
                          const PropertyCallbackInfo<v8::Value>& info) {
    auto name_string = Handle<String>::cast(Utils::OpenHandle(*name));
    auto isolate = reinterpret_cast<Isolate*>(info.GetIsolate());
-    auto holder = Handle<JSObject>::cast(Utils::OpenHandle(*info.Holder()));
+    auto receiver = Handle<JSObject>::cast(Utils::OpenHandle(*info.This()));
    Handle<Object> value;
-    if (GetNamedProperty(isolate, holder, name_string).ToHandle(&value)) {
+    if (GetNamedProperty(isolate, receiver, name_string).ToHandle(&value)) {
      info.GetReturnValue().Set(Utils::ToLocal(value));
    }
  }
 };

+class ContextProxy {
+ public:
+  static Handle<JSObject> Create(WasmFrame* frame) {
+    Isolate* isolate = frame->isolate();
+    auto object = isolate->factory()->NewJSObjectWithNullProto();
+    Handle<WasmInstanceObject> instance(frame->wasm_instance(), isolate);
+    JSObject::AddProperty(isolate, object, "instance", instance, FROZEN);
+    Handle<WasmModuleObject> module_object(instance->module_object(), isolate);
+    JSObject::AddProperty(isolate, object, "module", module_object, FROZEN);
+    auto locals = LocalsProxy::Create(frame);
+    JSObject::AddProperty(isolate, object, "locals", locals, FROZEN);
+    auto stack = StackProxy::Create(frame);
+    JSObject::AddProperty(isolate, object, "stack", stack, FROZEN);
+    auto memories = GetOrCreateInstanceProxy<MemoriesProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "memories", memories, FROZEN);
+    auto tables = GetOrCreateInstanceProxy<TablesProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "tables", tables, FROZEN);
+    auto globals = GetOrCreateInstanceProxy<GlobalsProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "globals", globals, FROZEN);
+    auto functions =
+        GetOrCreateInstanceProxy<FunctionsProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "functions", functions, FROZEN);
+    Handle<JSObject> prototype = ContextProxyPrototype::Create(isolate);
+    JSObject::SetPrototype(object, prototype, false, kDontThrow).Check();
+    return object;
+  }
+};
+
 class DebugWasmScopeIterator final : public debug::ScopeIterator {
 public:
  explicit DebugWasmScopeIterator(WasmFrame* frame)
--- a/src/init/heap-symbols.h
+++ b/src/init/heap-symbols.h
@ -336,39 +336,40 @@
  V(_, writable_string, "writable")                                  \
  V(_, zero_string, "0")

-#define PRIVATE_SYMBOL_LIST_GENERATOR(V, _)           \
-  V(_, call_site_frame_array_symbol)                  \
-  V(_, call_site_frame_index_symbol)                  \
-  V(_, console_context_id_symbol)                     \
-  V(_, console_context_name_symbol)                   \
-  V(_, class_fields_symbol)                           \
-  V(_, class_positions_symbol)                        \
-  V(_, detailed_stack_trace_symbol)                   \
-  V(_, elements_transition_symbol)                    \
-  V(_, error_end_pos_symbol)                          \
-  V(_, error_script_symbol)                           \
-  V(_, error_start_pos_symbol)                        \
-  V(_, frozen_symbol)                                 \
-  V(_, interpreter_trampoline_symbol)                 \
-  V(_, megamorphic_symbol)                            \
-  V(_, native_context_index_symbol)                   \
-  V(_, nonextensible_symbol)                          \
-  V(_, not_mapped_symbol)                             \
-  V(_, promise_debug_marker_symbol)                   \
-  V(_, promise_debug_message_symbol)                  \
-  V(_, promise_forwarding_handler_symbol)             \
-  V(_, promise_handled_by_symbol)                     \
-  V(_, regexp_result_names_symbol)                    \
-  V(_, regexp_result_regexp_input_symbol)             \
-  V(_, regexp_result_regexp_last_index_symbol)        \
-  V(_, sealed_symbol)                                 \
-  V(_, stack_trace_symbol)                            \
-  V(_, strict_function_transition_symbol)             \
-  V(_, wasm_exception_tag_symbol)                     \
-  V(_, wasm_exception_values_symbol)                  \
-  V(_, wasm_uncatchable_symbol)                       \
-  V(_, wasm_wrapped_object_symbol)                    \
-  V(_, wasm_debug_proxy_cache_symbol)                 \
+#define PRIVATE_SYMBOL_LIST_GENERATOR(V, _)    \
+  V(_, call_site_frame_array_symbol)           \
+  V(_, call_site_frame_index_symbol)           \
+  V(_, console_context_id_symbol)              \
+  V(_, console_context_name_symbol)            \
+  V(_, class_fields_symbol)                    \
+  V(_, class_positions_symbol)                 \
+  V(_, detailed_stack_trace_symbol)            \
+  V(_, elements_transition_symbol)             \
+  V(_, error_end_pos_symbol)                   \
+  V(_, error_script_symbol)                    \
+  V(_, error_start_pos_symbol)                 \
+  V(_, frozen_symbol)                          \
+  V(_, interpreter_trampoline_symbol)          \
+  V(_, megamorphic_symbol)                     \
+  V(_, native_context_index_symbol)            \
+  V(_, nonextensible_symbol)                   \
+  V(_, not_mapped_symbol)                      \
+  V(_, promise_debug_marker_symbol)            \
+  V(_, promise_debug_message_symbol)           \
+  V(_, promise_forwarding_handler_symbol)      \
+  V(_, promise_handled_by_symbol)              \
+  V(_, regexp_result_names_symbol)             \
+  V(_, regexp_result_regexp_input_symbol)      \
+  V(_, regexp_result_regexp_last_index_symbol) \
+  V(_, sealed_symbol)                          \
+  V(_, stack_trace_symbol)                     \
+  V(_, strict_function_transition_symbol)      \
+  V(_, wasm_exception_tag_symbol)              \
+  V(_, wasm_exception_values_symbol)           \
+  V(_, wasm_uncatchable_symbol)                \
+  V(_, wasm_wrapped_object_symbol)             \
+  V(_, wasm_debug_proxy_cache_symbol)          \
+  V(_, wasm_debug_proxy_names_symbol)          \
  V(_, uninitialized_symbol)

 #define PUBLIC_SYMBOL_LIST_GENERATOR(V, _)                \
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@ -319,68 +319,68 @@ KNOWN_MAPS = {
  ("read_only_space", 0x03151): (67, "BasicBlockCountersMarkerMap"),
  ("read_only_space", 0x03195): (87, "ArrayBoilerplateDescriptionMap"),
  ("read_only_space", 0x03269): (99, "InterceptorInfoMap"),
-  ("read_only_space", 0x053c5): (72, "PromiseFulfillReactionJobTaskMap"),
-  ("read_only_space", 0x053ed): (73, "PromiseRejectReactionJobTaskMap"),
-  ("read_only_space", 0x05415): (74, "CallableTaskMap"),
-  ("read_only_space", 0x0543d): (75, "CallbackTaskMap"),
-  ("read_only_space", 0x05465): (76, "PromiseResolveThenableJobTaskMap"),
-  ("read_only_space", 0x0548d): (79, "FunctionTemplateInfoMap"),
-  ("read_only_space", 0x054b5): (80, "ObjectTemplateInfoMap"),
-  ("read_only_space", 0x054dd): (81, "AccessCheckInfoMap"),
-  ("read_only_space", 0x05505): (82, "AccessorInfoMap"),
-  ("read_only_space", 0x0552d): (83, "AccessorPairMap"),
-  ("read_only_space", 0x05555): (84, "AliasedArgumentsEntryMap"),
-  ("read_only_space", 0x0557d): (85, "AllocationMementoMap"),
-  ("read_only_space", 0x055a5): (88, "AsmWasmDataMap"),
-  ("read_only_space", 0x055cd): (89, "AsyncGeneratorRequestMap"),
-  ("read_only_space", 0x055f5): (90, "BreakPointMap"),
-  ("read_only_space", 0x0561d): (91, "BreakPointInfoMap"),
-  ("read_only_space", 0x05645): (92, "CachedTemplateObjectMap"),
-  ("read_only_space", 0x0566d): (94, "ClassPositionsMap"),
-  ("read_only_space", 0x05695): (95, "DebugInfoMap"),
-  ("read_only_space", 0x056bd): (98, "FunctionTemplateRareDataMap"),
-  ("read_only_space", 0x056e5): (100, "InterpreterDataMap"),
-  ("read_only_space", 0x0570d): (101, "ModuleRequestMap"),
-  ("read_only_space", 0x05735): (102, "PromiseCapabilityMap"),
-  ("read_only_space", 0x0575d): (103, "PromiseReactionMap"),
-  ("read_only_space", 0x05785): (104, "PropertyDescriptorObjectMap"),
-  ("read_only_space", 0x057ad): (105, "PrototypeInfoMap"),
-  ("read_only_space", 0x057d5): (106, "ScriptMap"),
-  ("read_only_space", 0x057fd): (107, "SourceTextModuleInfoEntryMap"),
-  ("read_only_space", 0x05825): (108, "StackFrameInfoMap"),
-  ("read_only_space", 0x0584d): (109, "StackTraceFrameMap"),
-  ("read_only_space", 0x05875): (110, "TemplateObjectDescriptionMap"),
-  ("read_only_space", 0x0589d): (111, "Tuple2Map"),
-  ("read_only_space", 0x058c5): (112, "WasmExceptionTagMap"),
-  ("read_only_space", 0x058ed): (113, "WasmExportedFunctionDataMap"),
-  ("read_only_space", 0x05915): (114, "WasmIndirectFunctionTableMap"),
-  ("read_only_space", 0x0593d): (115, "WasmJSFunctionDataMap"),
-  ("read_only_space", 0x05965): (134, "SloppyArgumentsElementsMap"),
-  ("read_only_space", 0x0598d): (151, "DescriptorArrayMap"),
-  ("read_only_space", 0x059b5): (156, "UncompiledDataWithoutPreparseDataMap"),
-  ("read_only_space", 0x059dd): (155, "UncompiledDataWithPreparseDataMap"),
-  ("read_only_space", 0x05a05): (171, "OnHeapBasicBlockProfilerDataMap"),
-  ("read_only_space", 0x05a2d): (180, "WasmCapiFunctionDataMap"),
-  ("read_only_space", 0x05a55): (168, "InternalClassMap"),
-  ("read_only_space", 0x05a7d): (177, "SmiPairMap"),
-  ("read_only_space", 0x05aa5): (176, "SmiBoxMap"),
-  ("read_only_space", 0x05acd): (145, "ExportedSubClassBaseMap"),
-  ("read_only_space", 0x05af5): (146, "ExportedSubClassMap"),
-  ("read_only_space", 0x05b1d): (68, "AbstractInternalClassSubclass1Map"),
-  ("read_only_space", 0x05b45): (69, "AbstractInternalClassSubclass2Map"),
-  ("read_only_space", 0x05b6d): (132, "InternalClassWithSmiElementsMap"),
-  ("read_only_space", 0x05b95): (169, "InternalClassWithStructElementsMap"),
-  ("read_only_space", 0x05bbd): (147, "ExportedSubClass2Map"),
-  ("read_only_space", 0x05be5): (178, "SortStateMap"),
-  ("read_only_space", 0x05c0d): (86, "AllocationSiteWithWeakNextMap"),
-  ("read_only_space", 0x05c35): (86, "AllocationSiteWithoutWeakNextMap"),
-  ("read_only_space", 0x05c5d): (77, "LoadHandler1Map"),
-  ("read_only_space", 0x05c85): (77, "LoadHandler2Map"),
-  ("read_only_space", 0x05cad): (77, "LoadHandler3Map"),
-  ("read_only_space", 0x05cd5): (78, "StoreHandler0Map"),
-  ("read_only_space", 0x05cfd): (78, "StoreHandler1Map"),
-  ("read_only_space", 0x05d25): (78, "StoreHandler2Map"),
-  ("read_only_space", 0x05d4d): (78, "StoreHandler3Map"),
+  ("read_only_space", 0x053d5): (72, "PromiseFulfillReactionJobTaskMap"),
+  ("read_only_space", 0x053fd): (73, "PromiseRejectReactionJobTaskMap"),
+  ("read_only_space", 0x05425): (74, "CallableTaskMap"),
+  ("read_only_space", 0x0544d): (75, "CallbackTaskMap"),
+  ("read_only_space", 0x05475): (76, "PromiseResolveThenableJobTaskMap"),
+  ("read_only_space", 0x0549d): (79, "FunctionTemplateInfoMap"),
+  ("read_only_space", 0x054c5): (80, "ObjectTemplateInfoMap"),
+  ("read_only_space", 0x054ed): (81, "AccessCheckInfoMap"),
+  ("read_only_space", 0x05515): (82, "AccessorInfoMap"),
+  ("read_only_space", 0x0553d): (83, "AccessorPairMap"),
+  ("read_only_space", 0x05565): (84, "AliasedArgumentsEntryMap"),
+  ("read_only_space", 0x0558d): (85, "AllocationMementoMap"),
+  ("read_only_space", 0x055b5): (88, "AsmWasmDataMap"),
+  ("read_only_space", 0x055dd): (89, "AsyncGeneratorRequestMap"),
+  ("read_only_space", 0x05605): (90, "BreakPointMap"),
+  ("read_only_space", 0x0562d): (91, "BreakPointInfoMap"),
+  ("read_only_space", 0x05655): (92, "CachedTemplateObjectMap"),
+  ("read_only_space", 0x0567d): (94, "ClassPositionsMap"),
+  ("read_only_space", 0x056a5): (95, "DebugInfoMap"),
+  ("read_only_space", 0x056cd): (98, "FunctionTemplateRareDataMap"),
+  ("read_only_space", 0x056f5): (100, "InterpreterDataMap"),
+  ("read_only_space", 0x0571d): (101, "ModuleRequestMap"),
+  ("read_only_space", 0x05745): (102, "PromiseCapabilityMap"),
+  ("read_only_space", 0x0576d): (103, "PromiseReactionMap"),
+  ("read_only_space", 0x05795): (104, "PropertyDescriptorObjectMap"),
+  ("read_only_space", 0x057bd): (105, "PrototypeInfoMap"),
+  ("read_only_space", 0x057e5): (106, "ScriptMap"),
+  ("read_only_space", 0x0580d): (107, "SourceTextModuleInfoEntryMap"),
+  ("read_only_space", 0x05835): (108, "StackFrameInfoMap"),
+  ("read_only_space", 0x0585d): (109, "StackTraceFrameMap"),
+  ("read_only_space", 0x05885): (110, "TemplateObjectDescriptionMap"),
+  ("read_only_space", 0x058ad): (111, "Tuple2Map"),
+  ("read_only_space", 0x058d5): (112, "WasmExceptionTagMap"),
+  ("read_only_space", 0x058fd): (113, "WasmExportedFunctionDataMap"),
+  ("read_only_space", 0x05925): (114, "WasmIndirectFunctionTableMap"),
+  ("read_only_space", 0x0594d): (115, "WasmJSFunctionDataMap"),
+  ("read_only_space", 0x05975): (134, "SloppyArgumentsElementsMap"),
+  ("read_only_space", 0x0599d): (151, "DescriptorArrayMap"),
+  ("read_only_space", 0x059c5): (156, "UncompiledDataWithoutPreparseDataMap"),
+  ("read_only_space", 0x059ed): (155, "UncompiledDataWithPreparseDataMap"),
+  ("read_only_space", 0x05a15): (171, "OnHeapBasicBlockProfilerDataMap"),
+  ("read_only_space", 0x05a3d): (180, "WasmCapiFunctionDataMap"),
+  ("read_only_space", 0x05a65): (168, "InternalClassMap"),
+  ("read_only_space", 0x05a8d): (177, "SmiPairMap"),
+  ("read_only_space", 0x05ab5): (176, "SmiBoxMap"),
+  ("read_only_space", 0x05add): (145, "ExportedSubClassBaseMap"),
+  ("read_only_space", 0x05b05): (146, "ExportedSubClassMap"),
+  ("read_only_space", 0x05b2d): (68, "AbstractInternalClassSubclass1Map"),
+  ("read_only_space", 0x05b55): (69, "AbstractInternalClassSubclass2Map"),
+  ("read_only_space", 0x05b7d): (132, "InternalClassWithSmiElementsMap"),
+  ("read_only_space", 0x05ba5): (169, "InternalClassWithStructElementsMap"),
+  ("read_only_space", 0x05bcd): (147, "ExportedSubClass2Map"),
+  ("read_only_space", 0x05bf5): (178, "SortStateMap"),
+  ("read_only_space", 0x05c1d): (86, "AllocationSiteWithWeakNextMap"),
+  ("read_only_space", 0x05c45): (86, "AllocationSiteWithoutWeakNextMap"),
+  ("read_only_space", 0x05c6d): (77, "LoadHandler1Map"),
+  ("read_only_space", 0x05c95): (77, "LoadHandler2Map"),
+  ("read_only_space", 0x05cbd): (77, "LoadHandler3Map"),
+  ("read_only_space", 0x05ce5): (78, "StoreHandler0Map"),
+  ("read_only_space", 0x05d0d): (78, "StoreHandler1Map"),
+  ("read_only_space", 0x05d35): (78, "StoreHandler2Map"),
+  ("read_only_space", 0x05d5d): (78, "StoreHandler3Map"),
  ("map_space", 0x02119): (1057, "ExternalMap"),
  ("map_space", 0x02141): (1098, "JSMessageObjectMap"),
  ("map_space", 0x02169): (181, "WasmRttEqrefMap"),