[runtime] Invalidate XxxIteratorLookupChain protectors

... when "return" property is added to respective iterator or might be
added somewhere up the prototype chain.

According to the iterator protocol the "return" callback must be
called when iteration is aborted in the middle.

Bug: chromium:1357318
Change-Id: I36d81b90cfd40e417136ab97ec53ad7054f4df77
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916630Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83427}

src/execution/isolate.cc

@@ -4799,6 +4799,16 @@ void Isolate::UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
   }
 }
 
+void Isolate::UpdateIteratorLookupChainsProtectorOnSetPrototype(
+    Handle<JSObject> object) {
+  // Modification of the iterator object prototypes might alter behaviour of
+  // iterators because the new prototype chain might introduce a "return"
+  // callback which might need to be called according to the iterator protocol.
+  InstanceType instance_type = object->map(this).instance_type();
+  Protectors::InvalidateRespectiveIteratorLookupChainForReturn(this,
+                                                               instance_type);
+}
+
 static base::RandomNumberGenerator* ensure_rng_exists(
     base::RandomNumberGenerator** rng, int seed) {
   if (*rng == nullptr) {

src/execution/isolate.h

@@ -1495,6 +1495,9 @@ class V8_EXPORT_PRIVATE Isolate final : private HiddenFactory {
   }
   void UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
       Handle<JSObject> object);
+  void UpdateIteratorLookupChainsProtectorOnSetPrototype(
+      Handle<JSObject> object);
+
   void UpdateNoElementsProtectorOnNormalizeElements(Handle<JSObject> object) {
     UpdateNoElementsProtectorOnSetElement(object);
   }

src/execution/protectors.cc

@@ -13,8 +13,7 @@
 #include "src/tracing/trace-event.h"
 #include "src/utils/utils.h"
 
-namespace v8 {
-namespace internal {
+namespace v8::internal {
 
 namespace {
 
@@ -59,5 +58,56 @@ DECLARED_PROTECTORS_ON_ISOLATE(V)
 DECLARED_PROTECTORS_ON_ISOLATE(INVALIDATE_PROTECTOR_ON_ISOLATE_DEFINITION)
 #undef INVALIDATE_PROTECTOR_ON_ISOLATE_DEFINITION
 
-}  // namespace internal
-}  // namespace v8
+void Protectors::InvalidateRespectiveIteratorLookupChain(
+    Isolate* isolate, InstanceType instance_type) {
+  if (InstanceTypeChecker::IsJSArrayIterator(instance_type) ||
+      InstanceTypeChecker::IsJSArrayIteratorPrototype(instance_type)) {
+    if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return;
+    Protectors::InvalidateArrayIteratorLookupChain(isolate);
+
+  } else if (InstanceTypeChecker::IsJSMapIterator(instance_type) ||
+             InstanceTypeChecker::IsJSMapIteratorPrototype(instance_type)) {
+    if (!Protectors::IsMapIteratorLookupChainIntact(isolate)) return;
+    Protectors::InvalidateMapIteratorLookupChain(isolate);
+
+  } else if (InstanceTypeChecker::IsJSSetIterator(instance_type) ||
+             InstanceTypeChecker::IsJSSetIteratorPrototype(instance_type)) {
+    if (!Protectors::IsSetIteratorLookupChainIntact(isolate)) return;
+    Protectors::InvalidateSetIteratorLookupChain(isolate);
+
+  } else if (InstanceTypeChecker::IsJSStringIterator(instance_type) ||
+             InstanceTypeChecker::IsJSStringIteratorPrototype(instance_type)) {
+    if (!Protectors::IsStringIteratorLookupChainIntact(isolate)) return;
+    Protectors::InvalidateStringIteratorLookupChain(isolate);
+  }
+}
+
+void Protectors::InvalidateRespectiveIteratorLookupChainForReturn(
+    Isolate* isolate, InstanceType instance_type) {
+  if (InstanceTypeChecker::IsJSIteratorPrototype(instance_type) ||
+      InstanceTypeChecker::IsJSObjectPrototype(instance_type)) {
+    // Addition of the "return" property to the Object prototype alters
+    // behaviour of all iterators because the "return" callback might need to be
+    // called according to the iterator protocol.
+    Protectors::InvalidateAllIteratorLookupChains(isolate);
+  } else {
+    Protectors::InvalidateRespectiveIteratorLookupChain(isolate, instance_type);
+  }
+}
+
+void Protectors::InvalidateAllIteratorLookupChains(Isolate* isolate) {
+  if (Protectors::IsArrayIteratorLookupChainIntact(isolate)) {
+    Protectors::InvalidateArrayIteratorLookupChain(isolate);
+  }
+  if (Protectors::IsMapIteratorLookupChainIntact(isolate)) {
+    Protectors::InvalidateMapIteratorLookupChain(isolate);
+  }
+  if (Protectors::IsSetIteratorLookupChainIntact(isolate)) {
+    Protectors::InvalidateSetIteratorLookupChain(isolate);
+  }
+  if (Protectors::IsStringIteratorLookupChainIntact(isolate)) {
+    Protectors::InvalidateStringIteratorLookupChain(isolate);
+  }
+}
+
+}  // namespace v8::internal

src/execution/protectors.h

@@ -7,8 +7,9 @@
 
 #include "src/handles/handles.h"
 
-namespace v8 {
-namespace internal {
+namespace v8::internal {
+
+enum InstanceType : uint16_t;
 
 class Protectors : public AllStatic {
  public:
@@ -88,9 +89,23 @@ class Protectors : public AllStatic {
   V8_EXPORT_PRIVATE static void Invalidate##name(Isolate* isolate);
   DECLARED_PROTECTORS_ON_ISOLATE(DECLARE_PROTECTOR_ON_ISOLATE)
 #undef DECLARE_PROTECTOR_ON_ISOLATE
+
+  // Invalidates respective iterator lookup chain protector.
+  static void InvalidateRespectiveIteratorLookupChain(
+      Isolate* isolate, InstanceType instance_type);
+
+  // Invalidates iterator lookup chain protectors that might be altered by
+  // introducing a "return" property.
+  // The fast iteration protocol can't be used because the "return" callback
+  // might need to be called according to the iterator protocol.
+  static void InvalidateRespectiveIteratorLookupChainForReturn(
+      Isolate* isolate, InstanceType instance_type);
+
+ private:
+  // Invalidates all iterator lookup chain protectors.
+  static void InvalidateAllIteratorLookupChains(Isolate* isolate);
 };
 
-}  // namespace internal
-}  // namespace v8
+}  // namespace v8::internal
 
 #endif  // V8_EXECUTION_PROTECTORS_H_

src/init/heap-symbols.h

@@ -369,7 +369,6 @@
   V(_, relativeTo_string, "relativeTo")                              \
   V(_, resizable_string, "resizable")                                \
   V(_, ResizableArrayBuffer_string, "ResizableArrayBuffer")          \
-  V(_, return_string, "return")                                      \
   V(_, revoke_string, "revoke")                                      \
   V(_, roundingIncrement_string, "roundingIncrement")                \
   V(_, RuntimeError_string, "RuntimeError")                          \
@@ -504,6 +503,7 @@
   V(_, constructor_string, "constructor")                      \
   V(_, next_string, "next")                                    \
   V(_, resolve_string, "resolve")                              \
+  V(_, return_string, "return")                                \
   V(_, then_string, "then")
 
 // Note that the descriptioon string should be part of the internalized

src/objects/js-objects.cc

@@ -5154,6 +5154,7 @@ Maybe<bool> JSObject::SetPrototype(Isolate* isolate, Handle<JSObject> object,
   isolate->UpdateNoElementsProtectorOnSetPrototype(real_receiver);
   isolate->UpdateTypedArraySpeciesLookupChainProtectorOnSetPrototype(
       real_receiver);
+  isolate->UpdateIteratorLookupChainsProtectorOnSetPrototype(real_receiver);
 
   Handle<Map> new_map =
       Map::TransitionToPrototype(isolate, map, Handle<HeapObject>::cast(value));

src/objects/lookup-inl.h

@@ -237,7 +237,8 @@ void LookupIterator::UpdateProtector(Isolate* isolate, Handle<Object> receiver,
 #if DEBUG
   bool debug_maybe_protector =
       *name == roots.constructor_string() || *name == roots.next_string() ||
-      *name == roots.resolve_string() || *name == roots.then_string() ||
+      *name == roots.resolve_string() || *name == roots.return_string() ||
+      *name == roots.then_string() ||
       *name == roots.is_concat_spreadable_symbol() ||
       *name == roots.iterator_symbol() || *name == roots.species_symbol();
   DCHECK_EQ(maybe_protector, debug_maybe_protector);

src/objects/lookup.cc

@@ -231,27 +231,13 @@ void LookupIterator::InternalUpdateProtector(Isolate* isolate,
       }
     }
   } else if (*name == roots.next_string()) {
-    if (receiver->IsJSArrayIterator() ||
-        receiver->IsJSArrayIteratorPrototype()) {
-      // Setting the next property of %ArrayIteratorPrototype% also needs to
-      // invalidate the array iterator protector.
-      if (!Protectors::IsArrayIteratorLookupChainIntact(isolate)) return;
-      Protectors::InvalidateArrayIteratorLookupChain(isolate);
-    } else if (receiver->IsJSMapIterator() ||
-               receiver->IsJSMapIteratorPrototype()) {
-      if (!Protectors::IsMapIteratorLookupChainIntact(isolate)) return;
-      Protectors::InvalidateMapIteratorLookupChain(isolate);
-    } else if (receiver->IsJSSetIterator() ||
-               receiver->IsJSSetIteratorPrototype()) {
-      if (!Protectors::IsSetIteratorLookupChainIntact(isolate)) return;
-      Protectors::InvalidateSetIteratorLookupChain(isolate);
-    } else if (receiver->IsJSStringIterator() ||
-               receiver->IsJSStringIteratorPrototype()) {
-      // Setting the next property of %StringIteratorPrototype% invalidates the
-      // string iterator protector.
-      if (!Protectors::IsStringIteratorLookupChainIntact(isolate)) return;
-      Protectors::InvalidateStringIteratorLookupChain(isolate);
-    }
+    InstanceType instance_type = receiver->map(isolate).instance_type();
+    Protectors::InvalidateRespectiveIteratorLookupChain(isolate, instance_type);
+
+  } else if (*name == roots.return_string()) {
+    InstanceType instance_type = receiver->map(isolate).instance_type();
+    Protectors::InvalidateRespectiveIteratorLookupChainForReturn(isolate,
+                                                                 instance_type);
   } else if (*name == roots.species_symbol()) {
     // Setting the Symbol.species property of any Array, Promise or TypedArray
     // constructor invalidates the @@species protector

test/mjsunit/protector-cell/array-return-1.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+Object.defineProperty([].values(), "return", { value: {}})
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertFalse(%ArrayIteratorProtector());

test/mjsunit/protector-cell/array-return-2.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const arrayIteratorPrototype = Object.getPrototypeOf([].values());
+Object.defineProperty(arrayIteratorPrototype, "return", { value: {}})
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertFalse(%ArrayIteratorProtector());

test/mjsunit/protector-cell/iterator-prototype-return-1.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const arrayIteratorPrototype = Object.getPrototypeOf([].values());
+const iteratorPrototype = Object.getPrototypeOf(arrayIteratorPrototype);
+Object.defineProperty(iteratorPrototype, "return", { value: {}});
+// All protectors must be invalidated.
+assertFalse(%SetIteratorProtector());
+assertFalse(%MapIteratorProtector());
+assertFalse(%StringIteratorProtector());
+assertFalse(%ArrayIteratorProtector());

test/mjsunit/protector-cell/iterator-prototype-return-2.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const arrayIteratorPrototype = Object.getPrototypeOf([].values());
+const iteratorPrototype = Object.getPrototypeOf(arrayIteratorPrototype);
+Object.setPrototypeOf(iteratorPrototype, {});
+// All protectors must be invalidated.
+assertFalse(%SetIteratorProtector());
+assertFalse(%MapIteratorProtector());
+assertFalse(%StringIteratorProtector());
+assertFalse(%ArrayIteratorProtector());

test/mjsunit/protector-cell/map-return-1.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const mapIterator = new Map().values();
+Object.defineProperty(mapIterator, "return", { value: {} });
+assertTrue(%SetIteratorProtector());
+assertFalse(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/protector-cell/map-return-2.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const mapIteratorPrototype = Object.getPrototypeOf(new Map().values());
+Object.defineProperty(mapIteratorPrototype, "return", { value: {} });
+assertTrue(%SetIteratorProtector());
+assertFalse(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/protector-cell/object-prototype-return.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const arrayIteratorPrototype = Object.getPrototypeOf([].values());
+const iteratorPrototype = Object.getPrototypeOf(arrayIteratorPrototype);
+const objectPrototype = Object.getPrototypeOf(iteratorPrototype);
+Object.defineProperty(objectPrototype, "return", { value: {}});
+// All protectors must be invalidated.
+assertFalse(%SetIteratorProtector());
+assertFalse(%MapIteratorProtector());
+assertFalse(%StringIteratorProtector());
+assertFalse(%ArrayIteratorProtector());

test/mjsunit/protector-cell/set-return-1.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const setIterator = new Set().values();
+Object.defineProperty(setIterator, "return", { value: {} });
+assertFalse(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/protector-cell/set-return-2.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+const setIteratorPrototype = Object.getPrototypeOf(new Set().values());
+Object.defineProperty(setIteratorPrototype, "return", { value: {} });
+assertFalse(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/protector-cell/string-return-1.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+var str = 'ott';
+var iterator = str[Symbol.iterator]();
+iterator.__proto__.return = () => ({value : undefined, done : true});
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertFalse(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/protector-cell/string-return-2.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertTrue(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());
+var str = 'ott';
+var iterator = str[Symbol.iterator]();
+iterator.return = () => ({value : undefined, done : true});
+assertTrue(%SetIteratorProtector());
+assertTrue(%MapIteratorProtector());
+assertFalse(%StringIteratorProtector());
+assertTrue(%ArrayIteratorProtector());

test/mjsunit/regress/regress-crbug-1357318.js

+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+(function array_iterator() {
+  let count = 0;
+  [].values().__proto__.return = function(value) {
+    ++count;
+    return {value: value, done: true};
+  };
+
+  let array = [1, 2, 3, 4, 5, 6, 7, 8];
+
+  // Aborted iteration in a builtin.
+  try {
+    new WeakSet(array);
+  } catch (e) {}
+  assertEquals(count, 1);
+
+  // Aborted iteration via for..of.
+  let i = array.length / 2;
+  for (c of array) {
+    if (--i == 0) break;
+  }
+  assertEquals(count, 2);
+})();
+
+(function set_iterator() {
+  let count = 0;
+  new Set().values().__proto__.return = function(value) {
+    ++count;
+    return {value: value, done: true};
+  };
+
+  let set = new Set();
+  for (let i = 0; i < 26; i++) {
+    set.add("item" + i);
+  }
+
+  // Aborted iteration in a builtin.
+  try {
+    new WeakSet(set);
+  } catch (e) {}
+  assertEquals(count, 1);
+
+  // Aborted iteration via for..of.
+  let i = set.size / 2;
+  for (c of set.values()) {
+    if (--i == 0) break;
+  }
+  assertEquals(count, 2);
+})();
+
+(function map_iterator() {
+  let count = 0;
+  new Map().values().__proto__.return = function(value) {
+    ++count;
+    return {value: value, done: true};
+  };
+
+  let map = new Map();
+  for (let i = 0; i < 26; i++) {
+    map.set(String.fromCharCode(97 + i), i);
+  }
+
+  // Aborted iteration in a builtin.
+  try {
+    new WeakMap(map);
+  } catch (e) {}
+  assertEquals(count, 1);
+
+  // Aborted iteration via for..of.
+  let i = map.size / 2;
+  for (c of map.keys()) {
+    if (--i == 0) break;
+  }
+  assertEquals(count, 2);
+})();
+
+(function string_iterator() {
+  let count = 0;
+  let str = "some long string";
+  let iterator = str[Symbol.iterator]();
+  iterator.__proto__.return = function(value) {
+    ++count;
+    return {value: value, done: true};
+  };
+
+  // Aborted iteration in a builtin.
+  try {
+    new WeakSet(iterator);
+  } catch (e) {}
+  assertEquals(count, 1);
+
+  // Aborted iteration via for..of.
+  let i = str.length / 2;
+  for (c of iterator) {
+    if (--i == 0) break;
+  }
+  assertEquals(count, 2);
+})();

tools/v8heapconst.py

@@ -393,69 +393,69 @@ KNOWN_MAPS = {
     ("read_only_space", 0x03491): (131, "BasicBlockCountersMarkerMap"),
     ("read_only_space", 0x034d5): (146, "ArrayBoilerplateDescriptionMap"),
     ("read_only_space", 0x035d5): (158, "InterceptorInfoMap"),
-    ("read_only_space", 0x07455): (132, "PromiseFulfillReactionJobTaskMap"),
-    ("read_only_space", 0x0747d): (133, "PromiseRejectReactionJobTaskMap"),
-    ("read_only_space", 0x074a5): (134, "CallableTaskMap"),
-    ("read_only_space", 0x074cd): (135, "CallbackTaskMap"),
-    ("read_only_space", 0x074f5): (136, "PromiseResolveThenableJobTaskMap"),
-    ("read_only_space", 0x0751d): (139, "FunctionTemplateInfoMap"),
-    ("read_only_space", 0x07545): (140, "ObjectTemplateInfoMap"),
-    ("read_only_space", 0x0756d): (141, "AccessCheckInfoMap"),
-    ("read_only_space", 0x07595): (142, "AccessorPairMap"),
-    ("read_only_space", 0x075bd): (143, "AliasedArgumentsEntryMap"),
-    ("read_only_space", 0x075e5): (144, "AllocationMementoMap"),
-    ("read_only_space", 0x0760d): (147, "AsmWasmDataMap"),
-    ("read_only_space", 0x07635): (148, "AsyncGeneratorRequestMap"),
-    ("read_only_space", 0x0765d): (149, "BreakPointMap"),
-    ("read_only_space", 0x07685): (150, "BreakPointInfoMap"),
-    ("read_only_space", 0x076ad): (151, "CallSiteInfoMap"),
-    ("read_only_space", 0x076d5): (152, "ClassPositionsMap"),
-    ("read_only_space", 0x076fd): (153, "DebugInfoMap"),
-    ("read_only_space", 0x07725): (155, "ErrorStackDataMap"),
-    ("read_only_space", 0x0774d): (157, "FunctionTemplateRareDataMap"),
-    ("read_only_space", 0x07775): (159, "InterpreterDataMap"),
-    ("read_only_space", 0x0779d): (160, "ModuleRequestMap"),
-    ("read_only_space", 0x077c5): (161, "PromiseCapabilityMap"),
-    ("read_only_space", 0x077ed): (162, "PromiseOnStackMap"),
-    ("read_only_space", 0x07815): (163, "PromiseReactionMap"),
-    ("read_only_space", 0x0783d): (164, "PropertyDescriptorObjectMap"),
-    ("read_only_space", 0x07865): (165, "PrototypeInfoMap"),
-    ("read_only_space", 0x0788d): (166, "RegExpBoilerplateDescriptionMap"),
-    ("read_only_space", 0x078b5): (167, "ScriptMap"),
-    ("read_only_space", 0x078dd): (168, "ScriptOrModuleMap"),
-    ("read_only_space", 0x07905): (169, "SourceTextModuleInfoEntryMap"),
-    ("read_only_space", 0x0792d): (170, "StackFrameInfoMap"),
-    ("read_only_space", 0x07955): (171, "TemplateObjectDescriptionMap"),
-    ("read_only_space", 0x0797d): (172, "Tuple2Map"),
-    ("read_only_space", 0x079a5): (173, "WasmExceptionTagMap"),
-    ("read_only_space", 0x079cd): (174, "WasmIndirectFunctionTableMap"),
-    ("read_only_space", 0x079f5): (194, "SloppyArgumentsElementsMap"),
-    ("read_only_space", 0x07a1d): (227, "DescriptorArrayMap"),
-    ("read_only_space", 0x07a45): (202, "UncompiledDataWithoutPreparseDataMap"),
-    ("read_only_space", 0x07a6d): (200, "UncompiledDataWithPreparseDataMap"),
-    ("read_only_space", 0x07a95): (203, "UncompiledDataWithoutPreparseDataWithJobMap"),
-    ("read_only_space", 0x07abd): (201, "UncompiledDataWithPreparseDataAndJobMap"),
-    ("read_only_space", 0x07ae5): (249, "OnHeapBasicBlockProfilerDataMap"),
-    ("read_only_space", 0x07b0d): (234, "CachedTemplateObjectMap"),
-    ("read_only_space", 0x07b35): (195, "TurbofanBitsetTypeMap"),
-    ("read_only_space", 0x07b5d): (199, "TurbofanUnionTypeMap"),
-    ("read_only_space", 0x07b85): (198, "TurbofanRangeTypeMap"),
-    ("read_only_space", 0x07bad): (196, "TurbofanHeapConstantTypeMap"),
-    ("read_only_space", 0x07bd5): (197, "TurbofanOtherNumberConstantTypeMap"),
-    ("read_only_space", 0x07bfd): (245, "InternalClassMap"),
-    ("read_only_space", 0x07c25): (256, "SmiPairMap"),
-    ("read_only_space", 0x07c4d): (255, "SmiBoxMap"),
-    ("read_only_space", 0x07c75): (219, "ExportedSubClassBaseMap"),
-    ("read_only_space", 0x07c9d): (220, "ExportedSubClassMap"),
-    ("read_only_space", 0x07cc5): (225, "AbstractInternalClassSubclass1Map"),
-    ("read_only_space", 0x07ced): (226, "AbstractInternalClassSubclass2Map"),
-    ("read_only_space", 0x07d15): (193, "InternalClassWithSmiElementsMap"),
-    ("read_only_space", 0x07d3d): (246, "InternalClassWithStructElementsMap"),
-    ("read_only_space", 0x07d65): (221, "ExportedSubClass2Map"),
-    ("read_only_space", 0x07d8d): (257, "SortStateMap"),
-    ("read_only_space", 0x07db5): (263, "WasmStringViewIterMap"),
-    ("read_only_space", 0x07ddd): (145, "AllocationSiteWithWeakNextMap"),
-    ("read_only_space", 0x07e05): (145, "AllocationSiteWithoutWeakNextMap"),
+    ("read_only_space", 0x07441): (132, "PromiseFulfillReactionJobTaskMap"),
+    ("read_only_space", 0x07469): (133, "PromiseRejectReactionJobTaskMap"),
+    ("read_only_space", 0x07491): (134, "CallableTaskMap"),
+    ("read_only_space", 0x074b9): (135, "CallbackTaskMap"),
+    ("read_only_space", 0x074e1): (136, "PromiseResolveThenableJobTaskMap"),
+    ("read_only_space", 0x07509): (139, "FunctionTemplateInfoMap"),
+    ("read_only_space", 0x07531): (140, "ObjectTemplateInfoMap"),
+    ("read_only_space", 0x07559): (141, "AccessCheckInfoMap"),
+    ("read_only_space", 0x07581): (142, "AccessorPairMap"),
+    ("read_only_space", 0x075a9): (143, "AliasedArgumentsEntryMap"),
+    ("read_only_space", 0x075d1): (144, "AllocationMementoMap"),
+    ("read_only_space", 0x075f9): (147, "AsmWasmDataMap"),
+    ("read_only_space", 0x07621): (148, "AsyncGeneratorRequestMap"),
+    ("read_only_space", 0x07649): (149, "BreakPointMap"),
+    ("read_only_space", 0x07671): (150, "BreakPointInfoMap"),
+    ("read_only_space", 0x07699): (151, "CallSiteInfoMap"),
+    ("read_only_space", 0x076c1): (152, "ClassPositionsMap"),
+    ("read_only_space", 0x076e9): (153, "DebugInfoMap"),
+    ("read_only_space", 0x07711): (155, "ErrorStackDataMap"),
+    ("read_only_space", 0x07739): (157, "FunctionTemplateRareDataMap"),
+    ("read_only_space", 0x07761): (159, "InterpreterDataMap"),
+    ("read_only_space", 0x07789): (160, "ModuleRequestMap"),
+    ("read_only_space", 0x077b1): (161, "PromiseCapabilityMap"),
+    ("read_only_space", 0x077d9): (162, "PromiseOnStackMap"),
+    ("read_only_space", 0x07801): (163, "PromiseReactionMap"),
+    ("read_only_space", 0x07829): (164, "PropertyDescriptorObjectMap"),
+    ("read_only_space", 0x07851): (165, "PrototypeInfoMap"),
+    ("read_only_space", 0x07879): (166, "RegExpBoilerplateDescriptionMap"),
+    ("read_only_space", 0x078a1): (167, "ScriptMap"),
+    ("read_only_space", 0x078c9): (168, "ScriptOrModuleMap"),
+    ("read_only_space", 0x078f1): (169, "SourceTextModuleInfoEntryMap"),
+    ("read_only_space", 0x07919): (170, "StackFrameInfoMap"),
+    ("read_only_space", 0x07941): (171, "TemplateObjectDescriptionMap"),
+    ("read_only_space", 0x07969): (172, "Tuple2Map"),
+    ("read_only_space", 0x07991): (173, "WasmExceptionTagMap"),
+    ("read_only_space", 0x079b9): (174, "WasmIndirectFunctionTableMap"),
+    ("read_only_space", 0x079e1): (194, "SloppyArgumentsElementsMap"),
+    ("read_only_space", 0x07a09): (227, "DescriptorArrayMap"),
+    ("read_only_space", 0x07a31): (202, "UncompiledDataWithoutPreparseDataMap"),
+    ("read_only_space", 0x07a59): (200, "UncompiledDataWithPreparseDataMap"),
+    ("read_only_space", 0x07a81): (203, "UncompiledDataWithoutPreparseDataWithJobMap"),
+    ("read_only_space", 0x07aa9): (201, "UncompiledDataWithPreparseDataAndJobMap"),
+    ("read_only_space", 0x07ad1): (249, "OnHeapBasicBlockProfilerDataMap"),
+    ("read_only_space", 0x07af9): (234, "CachedTemplateObjectMap"),
+    ("read_only_space", 0x07b21): (195, "TurbofanBitsetTypeMap"),
+    ("read_only_space", 0x07b49): (199, "TurbofanUnionTypeMap"),
+    ("read_only_space", 0x07b71): (198, "TurbofanRangeTypeMap"),
+    ("read_only_space", 0x07b99): (196, "TurbofanHeapConstantTypeMap"),
+    ("read_only_space", 0x07bc1): (197, "TurbofanOtherNumberConstantTypeMap"),
+    ("read_only_space", 0x07be9): (245, "InternalClassMap"),
+    ("read_only_space", 0x07c11): (256, "SmiPairMap"),
+    ("read_only_space", 0x07c39): (255, "SmiBoxMap"),
+    ("read_only_space", 0x07c61): (219, "ExportedSubClassBaseMap"),
+    ("read_only_space", 0x07c89): (220, "ExportedSubClassMap"),
+    ("read_only_space", 0x07cb1): (225, "AbstractInternalClassSubclass1Map"),
+    ("read_only_space", 0x07cd9): (226, "AbstractInternalClassSubclass2Map"),
+    ("read_only_space", 0x07d01): (193, "InternalClassWithSmiElementsMap"),
+    ("read_only_space", 0x07d29): (246, "InternalClassWithStructElementsMap"),
+    ("read_only_space", 0x07d51): (221, "ExportedSubClass2Map"),
+    ("read_only_space", 0x07d79): (257, "SortStateMap"),
+    ("read_only_space", 0x07da1): (263, "WasmStringViewIterMap"),
+    ("read_only_space", 0x07dc9): (145, "AllocationSiteWithWeakNextMap"),
+    ("read_only_space", 0x07df1): (145, "AllocationSiteWithoutWeakNextMap"),
     ("read_only_space", 0x07ed1): (137, "LoadHandler1Map"),
     ("read_only_space", 0x07ef9): (137, "LoadHandler2Map"),
     ("read_only_space", 0x07f21): (137, "LoadHandler3Map"),