[sandbox] Sandboxify WasmTypeInfo

This CL changes the WasmTypeInfo class to have a direct ExternalPointer to the native type structure instead of using a Foreign. This in turn makes it possible to use a unique pointer tag for that external pointer when the sandbox is enabled. Bug: v8:10391, v8:12949 Change-Id: Ifee4d2103cabfa6a7299d0d09e06d387034e5f8f Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3829085 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#82504}
2022-08-16 12:06:49 +02:00 · 2022-08-16 12:06:49 +02:00 · f1033c43b7
commit f1033c43b7
parent 8d76f6d7cb
11 changed files with 156 additions and 137 deletions
--- a/include/v8-internal.h
+++ b/include/v8-internal.h
@ -389,7 +389,8 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
  V(kAccessorInfoJsGetterTag,               sandboxed, TAG(18)) \
  V(kAccessorInfoSetterTag,                 sandboxed, TAG(19)) \
  V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(20)) \
-  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(21))
+  V(kWasmTypeInfoNativeTypeTag,             sandboxed, TAG(21)) \
  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(22))
 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \
--- a/src/builtins/wasm.tq
+++ b/src/builtins/wasm.tq
@ -738,7 +738,7 @@ const kWasmValueTypeBitFieldOffset:
 macro IsWord16WasmArrayMap(map: Map): bool {
  const arrayTypePtr: RawPtr<int32> = %RawDownCast<RawPtr<int32>>(
-      WasmTypeInfo(map).foreign_address_ptr + kWasmArrayTypeRepOffset +
+      WasmTypeInfo(map).native_type_ptr + kWasmArrayTypeRepOffset +
      kWasmValueTypeBitFieldOffset);
  const arrayTypeRef: &int32 =
      torque_internal::unsafe::NewOffHeapReference(arrayTypePtr);
--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@ -1167,6 +1167,11 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
        object, WasmInternalFunction::kCallTargetOffset,
        kWasmInternalFunctionCallTargetTag);
  }
  TNode<RawPtrT> LoadWasmTypeInfoNativeTypePtr(TNode<WasmTypeInfo> object) {
    return LoadExternalPointerFromObject(
        object, WasmTypeInfo::kNativeTypeOffset, kWasmTypeInfoNativeTypeTag);
  }
 #endif  // V8_ENABLE_WEBASSEMBLY
  TNode<RawPtrT> LoadJSTypedArrayExternalPointerPtr(
--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@ -1861,7 +1861,7 @@ void AsmWasmData::AsmWasmDataPrint(std::ostream& os) {
 void WasmTypeInfo::WasmTypeInfoPrint(std::ostream& os) {
  PrintHeader(os, "WasmTypeInfo");
-  os << "\n - type address: " << reinterpret_cast<void*>(foreign_address());
+  os << "\n - type address: " << reinterpret_cast<void*>(native_type());
  // TODO(manoskouk): Print supertype info.
  os << "\n - supertypes: ";
  for (int i = 0; i < supertypes_length(); i++) {
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -1596,7 +1596,7 @@ Handle<WasmTypeInfo> Factory::NewWasmTypeInfo(
  for (size_t i = 0; i < supertypes.size(); i++) {
    result.set_supertypes(static_cast<int>(i), *supertypes[i]);
  }
-  result.init_foreign_address(isolate(), type_address);
+  result.init_native_type(isolate(), type_address);
  result.set_instance(*instance);
  return handle(result, isolate());
 }
@ -1788,9 +1788,9 @@ Handle<WasmArray> Factory::NewWasmArrayFromElements(
 Handle<WasmArray> Factory::NewWasmArrayFromMemory(uint32_t length,
                                                  Handle<Map> map,
                                                  Address source) {
-  wasm::ValueType element_type = reinterpret_cast<wasm::ArrayType*>(
+  wasm::ValueType element_type =
-                                     map->wasm_type_info().foreign_address())
+      reinterpret_cast<wasm::ArrayType*>(map->wasm_type_info().native_type())
-                                     ->element_type();
+          ->element_type();
  DCHECK(element_type.is_numeric());
  HeapObject raw =
      AllocateRaw(WasmArray::SizeFor(*map, length), AllocationType::kYoung);
--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@ -713,10 +713,11 @@ class WasmTypeInfo::BodyDescriptor final : public BodyDescriptorBase {
  template <typename ObjectVisitor>
  static inline void IterateBody(Map map, HeapObject obj, int object_size,
                                 ObjectVisitor* v) {
    Foreign::BodyDescriptor::IterateBody<ObjectVisitor>(map, obj, object_size,
                                                        v);
    IteratePointer(obj, kInstanceOffset, v);
    IteratePointers(obj, kSupertypesOffset, SizeOf(map, obj), v);
    v->VisitExternalPointer(obj, obj.RawExternalPointerField(kNativeTypeOffset),
                            kWasmTypeInfoNativeTypeTag);
  }
  static inline int SizeOf(Map map, HeapObject object) {
--- a/src/runtime/runtime-wasm.cc
+++ b/src/runtime/runtime-wasm.cc
@ -723,8 +723,8 @@ RUNTIME_FUNCTION(Runtime_WasmArrayNewSegment) {
  uint32_t length = args.positive_smi_value_at(3);
  Handle<Map> rtt(Map::cast(args[4]), isolate);
-  wasm::ArrayType* type = reinterpret_cast<wasm::ArrayType*>(
+  wasm::ArrayType* type =
-      rtt->wasm_type_info().foreign_address());
+      reinterpret_cast<wasm::ArrayType*>(rtt->wasm_type_info().native_type());
  uint32_t element_size = type->element_type().value_kind_size();
  // This check also implies no overflow.
--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@ -330,10 +330,15 @@ PRIMITIVE_ACCESSORS(WasmIndirectFunctionTable, targets, Address*,
 OPTIONAL_ACCESSORS(WasmIndirectFunctionTable, managed_native_allocations,
                   Foreign, kManagedNativeAllocationsOffset)
 // WasmTypeInfo
 EXTERNAL_POINTER_ACCESSORS(WasmTypeInfo, native_type, Address,
                           kNativeTypeOffset, kWasmTypeInfoNativeTypeTag)
 #undef OPTIONAL_ACCESSORS
 #undef READ_PRIMITIVE_FIELD
 #undef WRITE_PRIMITIVE_FIELD
 #undef PRIMITIVE_ACCESSORS
 #undef SANDBOXED_POINTER_ACCESSORS
 wasm::ValueType WasmTableObject::type() {
  return wasm::ValueType::FromRawBitField(raw_type());
@ -504,17 +509,17 @@ void WasmObject::WriteValueAt(Isolate* isolate, Handle<HeapObject> obj,
 wasm::StructType* WasmStruct::type(Map map) {
  WasmTypeInfo type_info = map.wasm_type_info();
-  return reinterpret_cast<wasm::StructType*>(type_info.foreign_address());
+  return reinterpret_cast<wasm::StructType*>(type_info.native_type());
 }
 wasm::StructType* WasmStruct::GcSafeType(Map map) {
  DCHECK_EQ(WASM_STRUCT_TYPE, map.instance_type());
  HeapObject raw = HeapObject::cast(map.constructor_or_back_pointer());
-  // The {Foreign} might be in the middle of being moved, which is why we
+  // The {WasmTypeInfo} might be in the middle of being moved, which is why we
-  // can't read its map for a checked cast. But we can rely on its payload
+  // can't read its map for a checked cast. But we can rely on its native type
-  // being intact in the old location.
+  // pointer being intact in the old location.
-  Foreign foreign = Foreign::unchecked_cast(raw);
+  WasmTypeInfo type_info = WasmTypeInfo::unchecked_cast(raw);
-  return reinterpret_cast<wasm::StructType*>(foreign.foreign_address());
+  return reinterpret_cast<wasm::StructType*>(type_info.native_type());
 }
 int WasmStruct::Size(const wasm::StructType* type) {
@ -580,17 +585,17 @@ void WasmStruct::SetField(Isolate* isolate, Handle<WasmStruct> obj,
 wasm::ArrayType* WasmArray::type(Map map) {
  DCHECK_EQ(WASM_ARRAY_TYPE, map.instance_type());
  WasmTypeInfo type_info = map.wasm_type_info();
-  return reinterpret_cast<wasm::ArrayType*>(type_info.foreign_address());
+  return reinterpret_cast<wasm::ArrayType*>(type_info.native_type());
 }
 wasm::ArrayType* WasmArray::GcSafeType(Map map) {
  DCHECK_EQ(WASM_ARRAY_TYPE, map.instance_type());
  HeapObject raw = HeapObject::cast(map.constructor_or_back_pointer());
-  // The {Foreign} might be in the middle of being moved, which is why we
+  // The {WasmTypeInfo} might be in the middle of being moved, which is why we
-  // can't read its map for a checked cast. But we can rely on its payload
+  // can't read its map for a checked cast. But we can rely on its native type
-  // being intact in the old location.
+  // pointer being intact in the old location.
-  Foreign foreign = Foreign::unchecked_cast(raw);
+  WasmTypeInfo type_info = WasmTypeInfo::unchecked_cast(raw);
-  return reinterpret_cast<wasm::ArrayType*>(foreign.foreign_address());
+  return reinterpret_cast<wasm::ArrayType*>(type_info.native_type());
 }
 wasm::ArrayType* WasmArray::type() const { return type(map()); }
--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@ -901,8 +901,11 @@ class AsmWasmData : public TorqueGeneratedAsmWasmData<AsmWasmData, Struct> {
  TQ_OBJECT_CONSTRUCTORS(AsmWasmData)
 };
-class WasmTypeInfo : public TorqueGeneratedWasmTypeInfo<WasmTypeInfo, Foreign> {
+class WasmTypeInfo
    : public TorqueGeneratedWasmTypeInfo<WasmTypeInfo, HeapObject> {
 public:
  DECL_EXTERNAL_POINTER_ACCESSORS(native_type, Address);
  DECL_PRINTER(WasmTypeInfo)
  class BodyDescriptor;
--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@ -179,7 +179,7 @@ extern class AsmWasmData extends Struct {
  uses_bitset: HeapNumber;
 }
-extern class WasmTypeInfo extends Foreign {
+extern class WasmTypeInfo extends HeapObject {
  // We must make sure that the StructType/ArrayType, which is allocated in
  // the WasmModule's "signature_zone", stays around as long as there are
  // HeapObjects referring to it. Short term, we simply keep a reference to
@ -188,11 +188,15 @@ extern class WasmTypeInfo extends Foreign {
  // lifetime separately by having WasmModule refer to it via std::shared_ptr,
  // and introduce a new link from here to just that zone using a Managed<...>.
  // Details: https://bit.ly/2UxD4hW
  native_type: ExternalPointer;
  instance: WasmInstanceObject;
  const supertypes_length: Smi;
  supertypes[supertypes_length]: Object;
 }
 extern operator '.native_type_ptr' macro LoadWasmTypeInfoNativeTypePtr(
    WasmTypeInfo): RawPtr;
 // WasmObject corresponds to data ref types which are WasmStruct and WasmArray.
@abstract
 extern class WasmObject extends JSReceiver {
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@ -109,66 +109,66 @@ INSTANCE_TYPES = {
  202: "EXPORTED_SUB_CLASS_TYPE",
  203: "EXPORTED_SUB_CLASS2_TYPE",
  204: "FOREIGN_TYPE",
-  205: "WASM_TYPE_INFO_TYPE",
+  205: "AWAIT_CONTEXT_TYPE",
-  206: "AWAIT_CONTEXT_TYPE",
+  206: "BLOCK_CONTEXT_TYPE",
-  207: "BLOCK_CONTEXT_TYPE",
+  207: "CATCH_CONTEXT_TYPE",
-  208: "CATCH_CONTEXT_TYPE",
+  208: "DEBUG_EVALUATE_CONTEXT_TYPE",
-  209: "DEBUG_EVALUATE_CONTEXT_TYPE",
+  209: "EVAL_CONTEXT_TYPE",
-  210: "EVAL_CONTEXT_TYPE",
+  210: "FUNCTION_CONTEXT_TYPE",
-  211: "FUNCTION_CONTEXT_TYPE",
+  211: "MODULE_CONTEXT_TYPE",
-  212: "MODULE_CONTEXT_TYPE",
+  212: "NATIVE_CONTEXT_TYPE",
-  213: "NATIVE_CONTEXT_TYPE",
+  213: "SCRIPT_CONTEXT_TYPE",
-  214: "SCRIPT_CONTEXT_TYPE",
+  214: "WITH_CONTEXT_TYPE",
-  215: "WITH_CONTEXT_TYPE",
+  215: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
-  216: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_TYPE",
+  216: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_AND_JOB_TYPE",
-  217: "UNCOMPILED_DATA_WITH_PREPARSE_DATA_AND_JOB_TYPE",
+  217: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
-  218: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_TYPE",
+  218: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_WITH_JOB_TYPE",
-  219: "UNCOMPILED_DATA_WITHOUT_PREPARSE_DATA_WITH_JOB_TYPE",
+  219: "WASM_FUNCTION_DATA_TYPE",
-  220: "WASM_FUNCTION_DATA_TYPE",
+  220: "WASM_CAPI_FUNCTION_DATA_TYPE",
-  221: "WASM_CAPI_FUNCTION_DATA_TYPE",
+  221: "WASM_EXPORTED_FUNCTION_DATA_TYPE",
-  222: "WASM_EXPORTED_FUNCTION_DATA_TYPE",
+  222: "WASM_JS_FUNCTION_DATA_TYPE",
-  223: "WASM_JS_FUNCTION_DATA_TYPE",
+  223: "SMALL_ORDERED_HASH_MAP_TYPE",
-  224: "SMALL_ORDERED_HASH_MAP_TYPE",
+  224: "SMALL_ORDERED_HASH_SET_TYPE",
-  225: "SMALL_ORDERED_HASH_SET_TYPE",
+  225: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
-  226: "SMALL_ORDERED_NAME_DICTIONARY_TYPE",
+  226: "ABSTRACT_INTERNAL_CLASS_SUBCLASS1_TYPE",
-  227: "ABSTRACT_INTERNAL_CLASS_SUBCLASS1_TYPE",
+  227: "ABSTRACT_INTERNAL_CLASS_SUBCLASS2_TYPE",
-  228: "ABSTRACT_INTERNAL_CLASS_SUBCLASS2_TYPE",
+  228: "DESCRIPTOR_ARRAY_TYPE",
-  229: "DESCRIPTOR_ARRAY_TYPE",
+  229: "STRONG_DESCRIPTOR_ARRAY_TYPE",
-  230: "STRONG_DESCRIPTOR_ARRAY_TYPE",
+  230: "SOURCE_TEXT_MODULE_TYPE",
-  231: "SOURCE_TEXT_MODULE_TYPE",
+  231: "SYNTHETIC_MODULE_TYPE",
-  232: "SYNTHETIC_MODULE_TYPE",
+  232: "WEAK_FIXED_ARRAY_TYPE",
-  233: "WEAK_FIXED_ARRAY_TYPE",
+  233: "TRANSITION_ARRAY_TYPE",
-  234: "TRANSITION_ARRAY_TYPE",
+  234: "ACCESSOR_INFO_TYPE",
-  235: "ACCESSOR_INFO_TYPE",
+  235: "CALL_HANDLER_INFO_TYPE",
-  236: "CALL_HANDLER_INFO_TYPE",
+  236: "CELL_TYPE",
-  237: "CELL_TYPE",
+  237: "CODE_TYPE",
-  238: "CODE_TYPE",
+  238: "CODE_DATA_CONTAINER_TYPE",
-  239: "CODE_DATA_CONTAINER_TYPE",
+  239: "COVERAGE_INFO_TYPE",
-  240: "COVERAGE_INFO_TYPE",
+  240: "EMBEDDER_DATA_ARRAY_TYPE",
-  241: "EMBEDDER_DATA_ARRAY_TYPE",
+  241: "FEEDBACK_METADATA_TYPE",
-  242: "FEEDBACK_METADATA_TYPE",
+  242: "FEEDBACK_VECTOR_TYPE",
-  243: "FEEDBACK_VECTOR_TYPE",
+  243: "FILLER_TYPE",
-  244: "FILLER_TYPE",
+  244: "FREE_SPACE_TYPE",
-  245: "FREE_SPACE_TYPE",
+  245: "INTERNAL_CLASS_TYPE",
-  246: "INTERNAL_CLASS_TYPE",
+  246: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
-  247: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
+  247: "MAP_TYPE",
-  248: "MAP_TYPE",
+  248: "MEGA_DOM_HANDLER_TYPE",
-  249: "MEGA_DOM_HANDLER_TYPE",
+  249: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
-  250: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
+  250: "PREPARSE_DATA_TYPE",
-  251: "PREPARSE_DATA_TYPE",
+  251: "PROPERTY_ARRAY_TYPE",
-  252: "PROPERTY_ARRAY_TYPE",
+  252: "PROPERTY_CELL_TYPE",
-  253: "PROPERTY_CELL_TYPE",
+  253: "SCOPE_INFO_TYPE",
-  254: "SCOPE_INFO_TYPE",
+  254: "SHARED_FUNCTION_INFO_TYPE",
-  255: "SHARED_FUNCTION_INFO_TYPE",
+  255: "SMI_BOX_TYPE",
-  256: "SMI_BOX_TYPE",
+  256: "SMI_PAIR_TYPE",
-  257: "SMI_PAIR_TYPE",
+  257: "SORT_STATE_TYPE",
-  258: "SORT_STATE_TYPE",
+  258: "SWISS_NAME_DICTIONARY_TYPE",
-  259: "SWISS_NAME_DICTIONARY_TYPE",
+  259: "WASM_API_FUNCTION_REF_TYPE",
-  260: "WASM_API_FUNCTION_REF_TYPE",
+  260: "WASM_CONTINUATION_OBJECT_TYPE",
-  261: "WASM_CONTINUATION_OBJECT_TYPE",
+  261: "WASM_INTERNAL_FUNCTION_TYPE",
-  262: "WASM_INTERNAL_FUNCTION_TYPE",
+  262: "WASM_RESUME_DATA_TYPE",
-  263: "WASM_RESUME_DATA_TYPE",
+  263: "WASM_STRING_VIEW_ITER_TYPE",
-  264: "WASM_STRING_VIEW_ITER_TYPE",
+  264: "WASM_TYPE_INFO_TYPE",
  265: "WEAK_ARRAY_LIST_TYPE",
  266: "WEAK_CELL_TYPE",
  267: "WASM_ARRAY_TYPE",
@ -280,16 +280,16 @@ INSTANCE_TYPES = {
 # List of known V8 maps.
 KNOWN_MAPS = {
-    ("read_only_space", 0x02139): (248, "MetaMap"),
+    ("read_only_space", 0x02139): (247, "MetaMap"),
    ("read_only_space", 0x02161): (131, "NullMap"),
-    ("read_only_space", 0x02189): (230, "StrongDescriptorArrayMap"),
+    ("read_only_space", 0x02189): (229, "StrongDescriptorArrayMap"),
    ("read_only_space", 0x021b1): (265, "WeakArrayListMap"),
    ("read_only_space", 0x021f5): (155, "EnumCacheMap"),
    ("read_only_space", 0x02229): (176, "FixedArrayMap"),
    ("read_only_space", 0x02275): (8, "OneByteInternalizedStringMap"),
-    ("read_only_space", 0x022c1): (245, "FreeSpaceMap"),
+    ("read_only_space", 0x022c1): (244, "FreeSpaceMap"),
-    ("read_only_space", 0x022e9): (244, "OnePointerFillerMap"),
+    ("read_only_space", 0x022e9): (243, "OnePointerFillerMap"),
-    ("read_only_space", 0x02311): (244, "TwoPointerFillerMap"),
+    ("read_only_space", 0x02311): (243, "TwoPointerFillerMap"),
    ("read_only_space", 0x02339): (131, "UninitializedMap"),
    ("read_only_space", 0x023b1): (131, "UndefinedMap"),
    ("read_only_space", 0x023f5): (130, "HeapNumberMap"),
@ -300,15 +300,15 @@ KNOWN_MAPS = {
    ("read_only_space", 0x0257d): (177, "HashTableMap"),
    ("read_only_space", 0x025a5): (128, "SymbolMap"),
    ("read_only_space", 0x025cd): (40, "OneByteStringMap"),
-    ("read_only_space", 0x025f5): (254, "ScopeInfoMap"),
+    ("read_only_space", 0x025f5): (253, "ScopeInfoMap"),
-    ("read_only_space", 0x0261d): (255, "SharedFunctionInfoMap"),
+    ("read_only_space", 0x0261d): (254, "SharedFunctionInfoMap"),
-    ("read_only_space", 0x02645): (238, "CodeMap"),
+    ("read_only_space", 0x02645): (237, "CodeMap"),
-    ("read_only_space", 0x0266d): (237, "CellMap"),
+    ("read_only_space", 0x0266d): (236, "CellMap"),
-    ("read_only_space", 0x02695): (253, "GlobalPropertyCellMap"),
+    ("read_only_space", 0x02695): (252, "GlobalPropertyCellMap"),
    ("read_only_space", 0x026bd): (204, "ForeignMap"),
-    ("read_only_space", 0x026e5): (234, "TransitionArrayMap"),
+    ("read_only_space", 0x026e5): (233, "TransitionArrayMap"),
    ("read_only_space", 0x0270d): (45, "ThinOneByteStringMap"),
-    ("read_only_space", 0x02735): (243, "FeedbackVectorMap"),
+    ("read_only_space", 0x02735): (242, "FeedbackVectorMap"),
    ("read_only_space", 0x0276d): (131, "ArgumentsMarkerMap"),
    ("read_only_space", 0x027cd): (131, "ExceptionMap"),
    ("read_only_space", 0x02829): (131, "TerminationExceptionMap"),
@ -316,17 +316,17 @@ KNOWN_MAPS = {
    ("read_only_space", 0x028f1): (131, "StaleRegisterMap"),
    ("read_only_space", 0x02951): (190, "ScriptContextTableMap"),
    ("read_only_space", 0x02979): (188, "ClosureFeedbackCellArrayMap"),
-    ("read_only_space", 0x029a1): (242, "FeedbackMetadataArrayMap"),
+    ("read_only_space", 0x029a1): (241, "FeedbackMetadataArrayMap"),
    ("read_only_space", 0x029c9): (176, "ArrayListMap"),
    ("read_only_space", 0x029f1): (129, "BigIntMap"),
    ("read_only_space", 0x02a19): (189, "ObjectBoilerplateDescriptionMap"),
    ("read_only_space", 0x02a41): (192, "BytecodeArrayMap"),
-    ("read_only_space", 0x02a69): (239, "CodeDataContainerMap"),
+    ("read_only_space", 0x02a69): (238, "CodeDataContainerMap"),
-    ("read_only_space", 0x02a91): (240, "CoverageInfoMap"),
+    ("read_only_space", 0x02a91): (239, "CoverageInfoMap"),
    ("read_only_space", 0x02ab9): (193, "FixedDoubleArrayMap"),
    ("read_only_space", 0x02ae1): (179, "GlobalDictionaryMap"),
    ("read_only_space", 0x02b09): (157, "ManyClosuresCellMap"),
-    ("read_only_space", 0x02b31): (249, "MegaDomHandlerMap"),
+    ("read_only_space", 0x02b31): (248, "MegaDomHandlerMap"),
    ("read_only_space", 0x02b59): (176, "ModuleInfoMap"),
    ("read_only_space", 0x02b81): (180, "NameDictionaryMap"),
    ("read_only_space", 0x02ba9): (157, "NoClosuresCellMap"),
@ -337,30 +337,30 @@ KNOWN_MAPS = {
    ("read_only_space", 0x02c71): (181, "NameToIndexHashTableMap"),
    ("read_only_space", 0x02c99): (186, "RegisteredSymbolTableMap"),
    ("read_only_space", 0x02cc1): (185, "OrderedNameDictionaryMap"),
-    ("read_only_space", 0x02ce9): (251, "PreparseDataMap"),
+    ("read_only_space", 0x02ce9): (250, "PreparseDataMap"),
-    ("read_only_space", 0x02d11): (252, "PropertyArrayMap"),
+    ("read_only_space", 0x02d11): (251, "PropertyArrayMap"),
-    ("read_only_space", 0x02d39): (235, "AccessorInfoMap"),
+    ("read_only_space", 0x02d39): (234, "AccessorInfoMap"),
-    ("read_only_space", 0x02d61): (236, "SideEffectCallHandlerInfoMap"),
+    ("read_only_space", 0x02d61): (235, "SideEffectCallHandlerInfoMap"),
-    ("read_only_space", 0x02d89): (236, "SideEffectFreeCallHandlerInfoMap"),
+    ("read_only_space", 0x02d89): (235, "SideEffectFreeCallHandlerInfoMap"),
-    ("read_only_space", 0x02db1): (236, "NextCallSideEffectFreeCallHandlerInfoMap"),
+    ("read_only_space", 0x02db1): (235, "NextCallSideEffectFreeCallHandlerInfoMap"),
    ("read_only_space", 0x02dd9): (187, "SimpleNumberDictionaryMap"),
-    ("read_only_space", 0x02e01): (224, "SmallOrderedHashMapMap"),
+    ("read_only_space", 0x02e01): (223, "SmallOrderedHashMapMap"),
-    ("read_only_space", 0x02e29): (225, "SmallOrderedHashSetMap"),
+    ("read_only_space", 0x02e29): (224, "SmallOrderedHashSetMap"),
-    ("read_only_space", 0x02e51): (226, "SmallOrderedNameDictionaryMap"),
+    ("read_only_space", 0x02e51): (225, "SmallOrderedNameDictionaryMap"),
-    ("read_only_space", 0x02e79): (231, "SourceTextModuleMap"),
+    ("read_only_space", 0x02e79): (230, "SourceTextModuleMap"),
-    ("read_only_space", 0x02ea1): (259, "SwissNameDictionaryMap"),
+    ("read_only_space", 0x02ea1): (258, "SwissNameDictionaryMap"),
-    ("read_only_space", 0x02ec9): (232, "SyntheticModuleMap"),
+    ("read_only_space", 0x02ec9): (231, "SyntheticModuleMap"),
-    ("read_only_space", 0x02ef1): (260, "WasmApiFunctionRefMap"),
+    ("read_only_space", 0x02ef1): (259, "WasmApiFunctionRefMap"),
-    ("read_only_space", 0x02f19): (221, "WasmCapiFunctionDataMap"),
+    ("read_only_space", 0x02f19): (220, "WasmCapiFunctionDataMap"),
-    ("read_only_space", 0x02f41): (222, "WasmExportedFunctionDataMap"),
+    ("read_only_space", 0x02f41): (221, "WasmExportedFunctionDataMap"),
-    ("read_only_space", 0x02f69): (262, "WasmInternalFunctionMap"),
+    ("read_only_space", 0x02f69): (261, "WasmInternalFunctionMap"),
-    ("read_only_space", 0x02f91): (223, "WasmJSFunctionDataMap"),
+    ("read_only_space", 0x02f91): (222, "WasmJSFunctionDataMap"),
-    ("read_only_space", 0x02fb9): (263, "WasmResumeDataMap"),
+    ("read_only_space", 0x02fb9): (262, "WasmResumeDataMap"),
-    ("read_only_space", 0x02fe1): (205, "WasmTypeInfoMap"),
+    ("read_only_space", 0x02fe1): (264, "WasmTypeInfoMap"),
-    ("read_only_space", 0x03009): (261, "WasmContinuationObjectMap"),
+    ("read_only_space", 0x03009): (260, "WasmContinuationObjectMap"),
-    ("read_only_space", 0x03031): (233, "WeakFixedArrayMap"),
+    ("read_only_space", 0x03031): (232, "WeakFixedArrayMap"),
    ("read_only_space", 0x03059): (178, "EphemeronHashTableMap"),
-    ("read_only_space", 0x03081): (241, "EmbedderDataArrayMap"),
+    ("read_only_space", 0x03081): (240, "EmbedderDataArrayMap"),
    ("read_only_space", 0x030a9): (266, "WeakCellMap"),
    ("read_only_space", 0x030d1): (32, "StringMap"),
    ("read_only_space", 0x030f9): (41, "ConsOneByteStringMap"),
@ -423,29 +423,29 @@ KNOWN_MAPS = {
    ("read_only_space", 0x078d1): (174, "WasmExceptionTagMap"),
    ("read_only_space", 0x078f9): (175, "WasmIndirectFunctionTableMap"),
    ("read_only_space", 0x07921): (195, "SloppyArgumentsElementsMap"),
-    ("read_only_space", 0x07949): (229, "DescriptorArrayMap"),
+    ("read_only_space", 0x07949): (228, "DescriptorArrayMap"),
-    ("read_only_space", 0x07971): (218, "UncompiledDataWithoutPreparseDataMap"),
+    ("read_only_space", 0x07971): (217, "UncompiledDataWithoutPreparseDataMap"),
-    ("read_only_space", 0x07999): (216, "UncompiledDataWithPreparseDataMap"),
+    ("read_only_space", 0x07999): (215, "UncompiledDataWithPreparseDataMap"),
-    ("read_only_space", 0x079c1): (219, "UncompiledDataWithoutPreparseDataWithJobMap"),
+    ("read_only_space", 0x079c1): (218, "UncompiledDataWithoutPreparseDataWithJobMap"),
-    ("read_only_space", 0x079e9): (217, "UncompiledDataWithPreparseDataAndJobMap"),
+    ("read_only_space", 0x079e9): (216, "UncompiledDataWithPreparseDataAndJobMap"),
-    ("read_only_space", 0x07a11): (250, "OnHeapBasicBlockProfilerDataMap"),
+    ("read_only_space", 0x07a11): (249, "OnHeapBasicBlockProfilerDataMap"),
    ("read_only_space", 0x07a39): (196, "TurbofanBitsetTypeMap"),
    ("read_only_space", 0x07a61): (200, "TurbofanUnionTypeMap"),
    ("read_only_space", 0x07a89): (199, "TurbofanRangeTypeMap"),
    ("read_only_space", 0x07ab1): (197, "TurbofanHeapConstantTypeMap"),
    ("read_only_space", 0x07ad9): (198, "TurbofanOtherNumberConstantTypeMap"),
-    ("read_only_space", 0x07b01): (246, "InternalClassMap"),
+    ("read_only_space", 0x07b01): (245, "InternalClassMap"),
-    ("read_only_space", 0x07b29): (257, "SmiPairMap"),
+    ("read_only_space", 0x07b29): (256, "SmiPairMap"),
-    ("read_only_space", 0x07b51): (256, "SmiBoxMap"),
+    ("read_only_space", 0x07b51): (255, "SmiBoxMap"),
    ("read_only_space", 0x07b79): (201, "ExportedSubClassBaseMap"),
    ("read_only_space", 0x07ba1): (202, "ExportedSubClassMap"),
-    ("read_only_space", 0x07bc9): (227, "AbstractInternalClassSubclass1Map"),
+    ("read_only_space", 0x07bc9): (226, "AbstractInternalClassSubclass1Map"),
-    ("read_only_space", 0x07bf1): (228, "AbstractInternalClassSubclass2Map"),
+    ("read_only_space", 0x07bf1): (227, "AbstractInternalClassSubclass2Map"),
    ("read_only_space", 0x07c19): (194, "InternalClassWithSmiElementsMap"),
-    ("read_only_space", 0x07c41): (247, "InternalClassWithStructElementsMap"),
+    ("read_only_space", 0x07c41): (246, "InternalClassWithStructElementsMap"),
    ("read_only_space", 0x07c69): (203, "ExportedSubClass2Map"),
-    ("read_only_space", 0x07c91): (258, "SortStateMap"),
+    ("read_only_space", 0x07c91): (257, "SortStateMap"),
-    ("read_only_space", 0x07cb9): (264, "WasmStringViewIterMap"),
+    ("read_only_space", 0x07cb9): (263, "WasmStringViewIterMap"),
    ("read_only_space", 0x07ce1): (145, "AllocationSiteWithWeakNextMap"),
    ("read_only_space", 0x07d09): (145, "AllocationSiteWithoutWeakNextMap"),
    ("read_only_space", 0x07dd5): (137, "LoadHandler1Map"),