[wasm] Move js-to-wasm wrappers to the isolate

We move js-to-wasm wrappers to a WeakFixedArray in the isolate, indexed by their canonical type index. This ensures that they are reused across instances, and get GC'd when no longer needed. We also remove eager compilation of wrappers. This CL fixes some issues that were caused by out-of-bounds accesses to wrapper arrays attached to module objects. Bug: chromium:1363859, chromium:1363895 Change-Id: Idec0925e775f51fdfa7cd380379b0d1798295a0c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893860Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#83275}

[wasm] Move js-to-wasm wrappers to the isolate
We move js-to-wasm wrappers to a WeakFixedArray in the isolate, indexed by their canonical type index. This ensures that they are reused across instances, and get GC'd when no longer needed. We also remove eager compilation of wrappers. This CL fixes some issues that were caused by out-of-bounds accesses to wrapper arrays attached to module objects. Bug: chromium:1363859, chromium:1363895 Change-Id: Idec0925e775f51fdfa7cd380379b0d1798295a0c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3893860Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#83275}
45d4d220 · Manos Koukoutos · V8 LUCI CQ · 1135c0fc · 45d4d220 · 45d4d220
Commit 45d4d220 authored Sep 16, 2022 by Manos Koukoutos Committed by V8 LUCI CQ Sep 16, 2022
20 changed files
--- a/src/diagnostics/objects-printer.cc
+++ b/src/diagnostics/objects-printer.cc
@@ -1873,7 +1873,6 @@ void ArrayBoilerplateDescription::ArrayBoilerplateDescriptionPrint(
 void AsmWasmData::AsmWasmDataPrint(std::ostream& os) {
  PrintHeader(os, "AsmWasmData");
  os << "\n - native module: " << Brief(managed_native_module());
-  os << "\n - export_wrappers: " << Brief(export_wrappers());
  os << "\n - uses bitset: " << uses_bitset().value();
  os << "\n";
 }
@@ -2156,7 +2155,6 @@ void WasmModuleObject::WasmModuleObjectPrint(std::ostream& os) {
  PrintHeader(os, "WasmModuleObject");
  os << "\n - module: " << module();
  os << "\n - native module: " << native_module();
-  os << "\n - export wrappers: " << Brief(export_wrappers());
  os << "\n - script: " << Brief(script());
  os << "\n";
 }

--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2234,12 +2234,26 @@ void Heap::CheckCollectionRequested() {

 #if V8_ENABLE_WEBASSEMBLY
 void Heap::EnsureWasmCanonicalRttsSize(int length) {
+  HandleScope scope(isolate());
+
  Handle<WeakArrayList> current_rtts = handle(wasm_canonical_rtts(), isolate_);
  if (length <= current_rtts->length()) return;
-  Handle<WeakArrayList> result = WeakArrayList::EnsureSpace(
+  Handle<WeakArrayList> new_rtts = WeakArrayList::EnsureSpace(
      isolate(), current_rtts, length, AllocationType::kOld);
-  result->set_length(length);
-  set_wasm_canonical_rtts(*result);
+  new_rtts->set_length(length);
+  set_wasm_canonical_rtts(*new_rtts);
+
+  // Wrappers are indexed by canonical rtt length, and an additional boolean
+  // storing whether the corresponding function is imported or not.
+  int required_wrapper_length = 2 * length;
+  Handle<WeakArrayList> current_wrappers =
+      handle(js_to_wasm_wrappers(), isolate_);
+  if (required_wrapper_length <= current_wrappers->length()) return;
+  Handle<WeakArrayList> new_wrappers =
+      WeakArrayList::EnsureSpace(isolate(), current_wrappers,
+                                 required_wrapper_length, AllocationType::kOld);
+  new_wrappers->set_length(required_wrapper_length);
+  set_js_to_wasm_wrappers(*new_wrappers);
 }
 #endif


--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -820,9 +820,9 @@ class Heap {
  }

 #if V8_ENABLE_WEBASSEMBLY
-  // TODO(manoskouk): Inline this if STRONG_MUTABLE_MOVABLE_ROOT_LIST setters
-  // become public.
-  void EnsureWasmCanonicalRttsSize(int length);
+  // TODO(manoskouk): Consider inlining/moving this if
+  // STRONG_MUTABLE_MOVABLE_ROOT_LIST setters become public.
+  V8_EXPORT_PRIVATE void EnsureWasmCanonicalRttsSize(int length);
 #endif

  // ===========================================================================

--- a/src/heap/setup-heap-internal.cc
+++ b/src/heap/setup-heap-internal.cc
@@ -881,6 +881,7 @@ void Heap::CreateInitialObjects() {
 #ifdef V8_ENABLE_WEBASSEMBLY
  set_active_continuation(roots.undefined_value());
  set_active_suspender(roots.undefined_value());
+  set_js_to_wasm_wrappers(roots.empty_weak_array_list());
  set_wasm_canonical_rtts(roots.empty_weak_array_list());
 #endif  // V8_ENABLE_WEBASSEMBLY


--- a/src/roots/roots.h
+++ b/src/roots/roots.h
@@ -336,6 +336,7 @@ class Symbol;
  V(WeakArrayList, shared_wasm_memories, SharedWasmMemories)                \
  IF_WASM(V, HeapObject, active_continuation, ActiveContinuation)           \
  IF_WASM(V, HeapObject, active_suspender, ActiveSuspender)                 \
+  IF_WASM(V, WeakArrayList, js_to_wasm_wrappers, JSToWasmWrappers)          \
  IF_WASM(V, WeakArrayList, wasm_canonical_rtts, WasmCanonicalRtts)

 // Entries in this list are limited to Smis and are not visited during GC.

--- a/src/wasm/module-compiler.cc
+++ b/src/wasm/module-compiler.cc
@@ -616,8 +616,6 @@ class CompilationStateImpl {

  std::shared_ptr<JSToWasmWrapperCompilationUnit>
  GetNextJSToWasmWrapperCompilationUnit();
-  void FinalizeJSToWasmWrappers(Isolate* isolate, const WasmModule* module,
-                                Handle<FixedArray>* export_wrappers_out);

  void OnFinishedUnits(base::Vector<WasmCode*>);
  void OnFinishedJSToWasmWrapperUnits(int num);
@@ -1511,13 +1509,6 @@ void TierUpNowForTesting(Isolate* isolate, WasmInstanceObject instance,

 namespace {

-void RecordStats(CodeT codet, Counters* counters) {
-  if (codet.is_off_heap_trampoline()) return;
-  Code code = FromCodeT(codet);
-  counters->wasm_generated_code_size()->Increment(code.raw_body_size());
-  counters->wasm_reloc_size()->Increment(code.relocation_info().length());
-}
-
 enum CompilationExecutionResult : int8_t { kNoMoreUnits, kYield };

 CompilationExecutionResult ExecuteJSToWasmWrapperCompilationUnits(
@@ -1898,8 +1889,7 @@ class CompilationTimeCallback : public CompilationEventCallback {
 void CompileNativeModule(Isolate* isolate,
                         v8::metrics::Recorder::ContextId context_id,
                         ErrorThrower* thrower, const WasmModule* wasm_module,
-                         std::shared_ptr<NativeModule> native_module,
-                         Handle<FixedArray>* export_wrappers_out) {
+                         std::shared_ptr<NativeModule> native_module) {
  CHECK(!v8_flags.jitless);
  ModuleWireBytes wire_bytes(native_module->wire_bytes());
  const bool lazy_module = IsLazyModule(wasm_module);
@@ -1942,9 +1932,6 @@ void CompileNativeModule(Isolate* isolate,
    return;
  }

-  compilation_state->FinalizeJSToWasmWrappers(isolate, native_module->module(),
-                                              export_wrappers_out);
-
  compilation_state->WaitForCompilationEvent(
      CompilationEvent::kFinishedBaselineCompilation);

@@ -1995,8 +1982,7 @@ class BackgroundCompileJob final : public JobTask {
 std::shared_ptr<NativeModule> CompileToNativeModule(
    Isolate* isolate, const WasmFeatures& enabled, ErrorThrower* thrower,
    std::shared_ptr<const WasmModule> module, const ModuleWireBytes& wire_bytes,
-    Handle<FixedArray>* export_wrappers_out, int compilation_id,
-    v8::metrics::Recorder::ContextId context_id) {
+    int compilation_id, v8::metrics::Recorder::ContextId context_id) {
  const WasmModule* wasm_module = module.get();
  WasmEngine* engine = GetWasmEngine();
  base::OwnedVector<uint8_t> wire_bytes_copy =
@@ -2008,8 +1994,6 @@ std::shared_ptr<NativeModule> CompileToNativeModule(
  std::shared_ptr<NativeModule> native_module = engine->MaybeGetNativeModule(
      wasm_module->origin, wire_bytes_copy.as_vector(), isolate);
  if (native_module) {
-    // TODO(thibaudm): Look into sharing export wrappers.
-    CompileJsToWasmWrappers(isolate, wasm_module, export_wrappers_out);
    return native_module;
  }

@@ -2035,14 +2019,12 @@ std::shared_ptr<NativeModule> CompileToNativeModule(
  // Sync compilation is user blocking, so we increase the priority.
  native_module->compilation_state()->SetHighPriority();

-  CompileNativeModule(isolate, context_id, thrower, wasm_module, native_module,
-                      export_wrappers_out);
+  CompileNativeModule(isolate, context_id, thrower, wasm_module, native_module);
  bool cache_hit = !engine->UpdateNativeModuleCache(thrower->error(),
                                                    &native_module, isolate);
  if (thrower->error()) return {};

  if (cache_hit) {
-    CompileJsToWasmWrappers(isolate, wasm_module, export_wrappers_out);
    return native_module;
  }

@@ -2318,19 +2300,6 @@ void AsyncCompileJob::FinishCompile(bool is_after_cache_hit) {
    isolate_->debug()->OnAfterCompile(script);
  }

-  // TODO(bbudge) Allow deserialization without wrapper compilation, so we can
-  // just compile wrappers here.
-  if (!is_after_deserialization) {
-    Handle<FixedArray> export_wrappers;
-    if (is_after_cache_hit) {
-      // TODO(thibaudm): Look into sharing wrappers.
-      CompileJsToWasmWrappers(isolate_, module, &export_wrappers);
-    } else {
-      compilation_state->FinalizeJSToWasmWrappers(isolate_, module,
-                                                  &export_wrappers);
-    }
-    module_object_->set_export_wrappers(*export_wrappers);
-  }
  // We can only update the feature counts once the entire compile is done.
  compilation_state->PublishDetectedFeatures(isolate_);

@@ -3547,29 +3516,6 @@ CompilationStateImpl::GetNextJSToWasmWrapperCompilationUnit() {
  return js_to_wasm_wrapper_units_[outstanding_units - 1];
 }

-void CompilationStateImpl::FinalizeJSToWasmWrappers(
-    Isolate* isolate, const WasmModule* module,
-    Handle<FixedArray>* export_wrappers_out) {
-  *export_wrappers_out = isolate->factory()->NewFixedArray(
-      MaxNumExportWrappers(module), AllocationType::kOld);
-  // TODO(6792): Wrappers below are allocated with {Factory::NewCode}. As an
-  // optimization we create a code memory modification scope that avoids
-  // changing the page permissions back-and-forth between RWX and RX, because
-  // many such wrapper are allocated in sequence below.
-  TRACE_EVENT1(TRACE_DISABLED_BY_DEFAULT("v8.wasm.detailed"),
-               "wasm.FinalizeJSToWasmWrappers", "wrappers",
-               js_to_wasm_wrapper_units_.size());
-  CodePageCollectionMemoryModificationScope modification_scope(isolate->heap());
-  for (auto& unit : js_to_wasm_wrapper_units_) {
-    DCHECK_EQ(isolate, unit->isolate());
-    Handle<CodeT> code = unit->Finalize();
-    int wrapper_index = GetExportWrapperIndex(
-        module, unit->canonical_sig_index(), unit->is_import());
-    (*export_wrappers_out)->set(wrapper_index, *code);
-    RecordStats(*code, isolate->counters());
-  }
-}
-
 CompilationUnitQueues::Queue* CompilationStateImpl::GetQueueForCompileTask(
    int task_id) {
  return compilation_unit_queues_.GetQueueForTask(task_id);
@@ -3944,67 +3890,6 @@ class CompileJSToWasmWrapperJob final : public JobTask {
 };
 }  // namespace

-void CompileJsToWasmWrappers(Isolate* isolate, const WasmModule* module,
-                             Handle<FixedArray>* export_wrappers_out) {
-  TRACE_EVENT0("v8.wasm", "wasm.CompileJsToWasmWrappers");
-  *export_wrappers_out = isolate->factory()->NewFixedArray(
-      MaxNumExportWrappers(module), AllocationType::kOld);
-
-  JSToWasmWrapperQueue queue;
-  JSToWasmWrapperUnitMap compilation_units;
-  WasmFeatures enabled_features = WasmFeatures::FromIsolate(isolate);
-
-  // Prepare compilation units in the main thread.
-  for (auto exp : module->export_table) {
-    if (exp.kind != kExternalFunction) continue;
-    auto& function = module->functions[exp.index];
-    uint32_t canonical_type_index =
-        module->isorecursive_canonical_type_ids[function.sig_index];
-    JSToWasmWrapperKey key(function.imported, canonical_type_index);
-    if (queue.insert(key, nullptr)) {
-      auto unit = std::make_unique<JSToWasmWrapperCompilationUnit>(
-          isolate, function.sig, canonical_type_index, module,
-          function.imported, enabled_features,
-          JSToWasmWrapperCompilationUnit::kAllowGeneric);
-      compilation_units.emplace(key, std::move(unit));
-    }
-  }
-
-  {
-    // This is nested inside the event above, so the name can be less
-    // descriptive. It's mainly to log the number of wrappers.
-    TRACE_EVENT1("v8.wasm", "wasm.JsToWasmWrapperCompilation", "num_wrappers",
-                 compilation_units.size());
-    auto job =
-        std::make_unique<CompileJSToWasmWrapperJob>(&queue, &compilation_units);
-    if (v8_flags.wasm_num_compilation_tasks > 0) {
-      auto job_handle = V8::GetCurrentPlatform()->CreateJob(
-          TaskPriority::kUserVisible, std::move(job));
-
-      // Wait for completion, while contributing to the work.
-      job_handle->Join();
-    } else {
-      job->Run(nullptr);
-    }
-  }
-
-  // Finalize compilation jobs in the main thread.
-  // TODO(6792): Wrappers below are allocated with {Factory::NewCode}. As an
-  // optimization we create a code memory modification scope that avoids
-  // changing the page permissions back-and-forth between RWX and RX, because
-  // many such wrapper are allocated in sequence below.
-  CodePageCollectionMemoryModificationScope modification_scope(isolate->heap());
-  for (auto& pair : compilation_units) {
-    JSToWasmWrapperKey key = pair.first;
-    JSToWasmWrapperCompilationUnit* unit = pair.second.get();
-    DCHECK_EQ(isolate, unit->isolate());
-    Handle<CodeT> code = unit->Finalize();
-    int wrapper_index = GetExportWrapperIndex(module, key.second, key.first);
-    (*export_wrappers_out)->set(wrapper_index, *code);
-    RecordStats(*code, isolate->counters());
-  }
-}
-
 WasmCode* CompileImportWrapper(
    NativeModule* native_module, Counters* counters,
    compiler::WasmImportCallKind kind, const FunctionSig* sig,

--- a/src/wasm/module-compiler.h
+++ b/src/wasm/module-compiler.h
@@ -57,16 +57,11 @@ V8_EXPORT_PRIVATE
 std::shared_ptr<NativeModule> CompileToNativeModule(
    Isolate* isolate, const WasmFeatures& enabled, ErrorThrower* thrower,
    std::shared_ptr<const WasmModule> module, const ModuleWireBytes& wire_bytes,
-    Handle<FixedArray>* export_wrappers_out, int compilation_id,
-    v8::metrics::Recorder::ContextId context_id);
+    int compilation_id, v8::metrics::Recorder::ContextId context_id);

 void RecompileNativeModule(NativeModule* native_module,
                           TieringState new_tiering_state);

-V8_EXPORT_PRIVATE
-void CompileJsToWasmWrappers(Isolate* isolate, const WasmModule* module,
-                             Handle<FixedArray>* export_wrappers_out);
-
 // Compiles the wrapper for this (kind, sig) pair and sets the corresponding
 // cache entry. Assumes the key already exists in the cache but has not been
 // compiled yet.

--- a/src/wasm/module-instantiate.cc
+++ b/src/wasm/module-instantiate.cc
@@ -718,13 +718,10 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
  //--------------------------------------------------------------------------
  if (enabled_.has_gc()) {
    if (module_->isorecursive_canonical_type_ids.size() > 0) {
-      uint32_t maximum_canonical_type_index =
-          *std::max_element(module_->isorecursive_canonical_type_ids.begin(),
-                            module_->isorecursive_canonical_type_ids.end());
      // Make sure all canonical indices have been set.
-      DCHECK_NE(maximum_canonical_type_index, kNoSuperType);
+      DCHECK_NE(module_->MaxCanonicalTypeIndex(), kNoSuperType);
      isolate_->heap()->EnsureWasmCanonicalRttsSize(
-          maximum_canonical_type_index + 1);
+          module_->MaxCanonicalTypeIndex() + 1);
    }
    Handle<FixedArray> maps = isolate_->factory()->NewFixedArray(
        static_cast<int>(module_->types.size()));

--- a/src/wasm/wasm-engine.cc
+++ b/src/wasm/wasm-engine.cc
@@ -511,14 +511,12 @@ MaybeHandle<AsmWasmData> WasmEngine::SyncCompileTranslatedAsmJs(

  // Transfer ownership of the WasmModule to the {Managed<WasmModule>} generated
  // in {CompileToNativeModule}.
-  Handle<FixedArray> export_wrappers;
  std::shared_ptr<NativeModule> native_module = CompileToNativeModule(
      isolate, WasmFeatures::ForAsmjs(), thrower, std::move(result).value(),
-      bytes, &export_wrappers, compilation_id, context_id);
+      bytes, compilation_id, context_id);
  if (!native_module) return {};

-  return AsmWasmData::New(isolate, std::move(native_module), export_wrappers,
-                          uses_bitset);
+  return AsmWasmData::New(isolate, std::move(native_module), uses_bitset);
 }

 Handle<WasmModuleObject> WasmEngine::FinalizeTranslatedAsmJs(
@@ -526,10 +524,8 @@ Handle<WasmModuleObject> WasmEngine::FinalizeTranslatedAsmJs(
    Handle<Script> script) {
  std::shared_ptr<NativeModule> native_module =
      asm_wasm_data->managed_native_module().get();
-  Handle<FixedArray> export_wrappers =
-      handle(asm_wasm_data->export_wrappers(), isolate);
-  Handle<WasmModuleObject> module_object = WasmModuleObject::New(
-      isolate, std::move(native_module), script, export_wrappers);
+  Handle<WasmModuleObject> module_object =
+      WasmModuleObject::New(isolate, std::move(native_module), script);
  return module_object;
 }

@@ -560,10 +556,9 @@ MaybeHandle<WasmModuleObject> WasmEngine::SyncCompile(

  // Transfer ownership of the WasmModule to the {Managed<WasmModule>} generated
  // in {CompileToNativeModule}.
-  Handle<FixedArray> export_wrappers;
  std::shared_ptr<NativeModule> native_module =
      CompileToNativeModule(isolate, enabled, thrower, std::move(module), bytes,
-                            &export_wrappers, compilation_id, context_id);
+                            compilation_id, context_id);
  if (!native_module) return {};

 #ifdef DEBUG
@@ -587,8 +582,8 @@ MaybeHandle<WasmModuleObject> WasmEngine::SyncCompile(
  // and information needed at instantiation time. This object needs to be
  // serializable. Instantiation may occur off a deserialized version of this
  // object.
-  Handle<WasmModuleObject> module_object = WasmModuleObject::New(
-      isolate, std::move(native_module), script, export_wrappers);
+  Handle<WasmModuleObject> module_object =
+      WasmModuleObject::New(isolate, std::move(native_module), script);

  // Finish the Wasm script now and make it public to the debugger.
  isolate->debug()->OnAfterCompile(script);
@@ -871,10 +866,8 @@ Handle<WasmModuleObject> WasmEngine::ImportNativeModule(
  ModuleWireBytes wire_bytes(native_module->wire_bytes());
  Handle<Script> script =
      GetOrCreateScript(isolate, shared_native_module, source_url);
-  Handle<FixedArray> export_wrappers;
-  CompileJsToWasmWrappers(isolate, native_module->module(), &export_wrappers);
-  Handle<WasmModuleObject> module_object = WasmModuleObject::New(
-      isolate, std::move(shared_native_module), script, export_wrappers);
+  Handle<WasmModuleObject> module_object =
+      WasmModuleObject::New(isolate, std::move(shared_native_module), script);
  {
    base::MutexGuard lock(&mutex_);
    DCHECK_EQ(1, isolates_.count(isolate));

--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -64,20 +64,7 @@ bool LazilyGeneratedNames::Has(uint32_t function_index) {
  return function_names_.Get(function_index) != nullptr;
 }

-// static
-int MaxNumExportWrappers(const WasmModule* module) {
-  if (module->isorecursive_canonical_type_ids.empty()) return 0;
-  // TODO(manoskouk): This will create oversized wrappers for modules with few
-  // types but large canonical type indices. Move wrappers to isolate to avoid
-  // this.
-  uint32_t max_canonical_index =
-      *std::max_element(module->isorecursive_canonical_type_ids.begin(),
-                        module->isorecursive_canonical_type_ids.end());
-  return (max_canonical_index + 1) * 2;
-}
-
-int GetExportWrapperIndex(const WasmModule* module,
-                          uint32_t canonical_sig_index, bool is_import) {
+int GetExportWrapperIndex(uint32_t canonical_sig_index, bool is_import) {
  return 2 * canonical_sig_index + (is_import ? 1 : 0);
 }


--- a/src/wasm/wasm-module.h
+++ b/src/wasm/wasm-module.h
@@ -561,6 +561,13 @@ struct V8_EXPORT_PRIVATE WasmModule {
    return supertype(index) != kNoSuperType;
  }

+  // Linear search. Returns -1 if types are empty.
+  int MaxCanonicalTypeIndex() const {
+    if (isorecursive_canonical_type_ids.empty()) return -1;
+    return *std::max_element(isorecursive_canonical_type_ids.begin(),
+                             isorecursive_canonical_type_ids.end());
+  }
+
  std::vector<TypeDefinition> types;  // by type index
  // Maps each type index to its global (cross-module) canonical index as per
  // isorecursive type canonicalization.
@@ -612,14 +619,9 @@ inline bool is_asmjs_module(const WasmModule* module) {

 size_t EstimateStoredSize(const WasmModule* module);

-// Returns the number of possible export wrappers for a given module.
-V8_EXPORT_PRIVATE int MaxNumExportWrappers(const WasmModule* module);
-
-// Returns the wrapper index for a function in {module} with isorecursive
-// canonical signature index {canonical_sig_index}, and origin defined by
-// {is_import}.
-int GetExportWrapperIndex(const WasmModule* module,
-                          uint32_t canonical_sig_index, bool is_import);
+// Returns the wrapper index for a function with isorecursive canonical
+// signature index {canonical_sig_index}, and origin defined by {is_import}.
+int GetExportWrapperIndex(uint32_t canonical_sig_index, bool is_import);

 // Return the byte offset of the function identified by the given index.
 // The offset will be relative to the start of the module bytes.

--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@@ -56,14 +56,6 @@ enum DispatchTableElements : int {
 Handle<WasmModuleObject> WasmModuleObject::New(
    Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
    Handle<Script> script) {
-  Handle<FixedArray> export_wrappers = isolate->factory()->NewFixedArray(0);
-  return New(isolate, std::move(native_module), script, export_wrappers);
-}
-
-// static
-Handle<WasmModuleObject> WasmModuleObject::New(
-    Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
-    Handle<Script> script, Handle<FixedArray> export_wrappers) {
  Handle<Managed<wasm::NativeModule>> managed_native_module;
  if (script->type() == Script::TYPE_WASM) {
    managed_native_module = handle(
@@ -79,7 +71,6 @@ Handle<WasmModuleObject> WasmModuleObject::New(
  }
  Handle<WasmModuleObject> module_object = Handle<WasmModuleObject>::cast(
      isolate->factory()->NewJSObject(isolate->wasm_module_constructor()));
-  module_object->set_export_wrappers(*export_wrappers);
  module_object->set_managed_native_module(*managed_native_module);
  module_object->set_script(*script);
  return module_object;
@@ -1362,15 +1353,16 @@ WasmInstanceObject::GetOrCreateWasmInternalFunction(
  const WasmFunction& function = module->functions[function_index];
  uint32_t canonical_sig_index =
      module->isorecursive_canonical_type_ids[function.sig_index];
+  isolate->heap()->EnsureWasmCanonicalRttsSize(canonical_sig_index + 1);
  int wrapper_index =
-      GetExportWrapperIndex(module, canonical_sig_index, function.imported);
+      wasm::GetExportWrapperIndex(canonical_sig_index, function.imported);

-  Handle<Object> entry =
-      FixedArray::get(module_object->export_wrappers(), wrapper_index, isolate);
+  MaybeObject entry = isolate->heap()->js_to_wasm_wrappers().Get(wrapper_index);

  Handle<CodeT> wrapper;
-  if (entry->IsCodeT()) {
-    wrapper = Handle<CodeT>::cast(entry);
+  // {entry} can be cleared, {undefined}, or a ready {CodeT}.
+  if (entry.IsStrongOrWeak() && entry.GetHeapObject().IsCodeT()) {
+    wrapper = handle(CodeT::cast(entry.GetHeapObject()), isolate);
  } else {
    // The wrapper may not exist yet if no function in the exports section has
    // this signature. We compile it and store the wrapper in the module for
@@ -1378,7 +1370,8 @@ WasmInstanceObject::GetOrCreateWasmInternalFunction(
    wrapper = wasm::JSToWasmWrapperCompilationUnit::CompileJSToWasmWrapper(
        isolate, function.sig, canonical_sig_index, instance->module(),
        function.imported);
-    module_object->export_wrappers().set(wrapper_index, *wrapper);
+    isolate->heap()->js_to_wasm_wrappers().Set(
+        wrapper_index, HeapObjectReference::Weak(*wrapper));
  }
  auto external = Handle<WasmExternalFunction>::cast(WasmExportedFunction::New(
      isolate, instance, function_index,
@@ -2205,7 +2198,7 @@ Handle<WasmExceptionTag> WasmExceptionTag::New(Isolate* isolate, int index) {

 Handle<AsmWasmData> AsmWasmData::New(
    Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
-    Handle<FixedArray> export_wrappers, Handle<HeapNumber> uses_bitset) {
+    Handle<HeapNumber> uses_bitset) {
  const WasmModule* module = native_module->module();
  const bool kUsesLiftoff = false;
  size_t memory_estimate =
@@ -2218,7 +2211,6 @@ Handle<AsmWasmData> AsmWasmData::New(
  Handle<AsmWasmData> result = Handle<AsmWasmData>::cast(
      isolate->factory()->NewStruct(ASM_WASM_DATA_TYPE, AllocationType::kOld));
  result->set_managed_native_module(*managed_native_module);
-  result->set_export_wrappers(*export_wrappers);
  result->set_uses_bitset(*uses_bitset);
  return result;
 }

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -133,9 +133,6 @@ class WasmModuleObject
  V8_EXPORT_PRIVATE static Handle<WasmModuleObject> New(
      Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
      Handle<Script> script);
-  V8_EXPORT_PRIVATE static Handle<WasmModuleObject> New(
-      Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
-      Handle<Script> script, Handle<FixedArray> export_wrappers);

  // Check whether this module was generated from asm.js source.
  inline bool is_asm_js();
@@ -899,7 +896,7 @@ class AsmWasmData : public TorqueGeneratedAsmWasmData<AsmWasmData, Struct> {
 public:
  static Handle<AsmWasmData> New(
      Isolate* isolate, std::shared_ptr<wasm::NativeModule> native_module,
-      Handle<FixedArray> export_wrappers, Handle<HeapNumber> uses_bitset);
+      Handle<HeapNumber> uses_bitset);

  DECL_PRINTER(AsmWasmData)


--- a/src/wasm/wasm-objects.tq
+++ b/src/wasm/wasm-objects.tq
@@ -127,7 +127,6 @@ extern class WasmExceptionPackage extends JSObject;

 extern class WasmModuleObject extends JSObject {
  managed_native_module: ManagedWasmNativeModule;
-  export_wrappers: FixedArray;
  script: Script;
 }

@@ -177,7 +176,6 @@ type WasmExportedFunction extends JSFunction;

 extern class AsmWasmData extends Struct {
  managed_native_module: ManagedWasmNativeModule;
-  export_wrappers: FixedArray;
  uses_bitset: HeapNumber;
 }


--- a/src/wasm/wasm-serialization.cc
+++ b/src/wasm/wasm-serialization.cc
@@ -900,14 +900,10 @@ MaybeHandle<WasmModuleObject> DeserializeNativeModule(
    wasm_engine->UpdateNativeModuleCache(error, &shared_native_module, isolate);
  }

-  Handle<FixedArray> export_wrappers;
-  CompileJsToWasmWrappers(isolate, shared_native_module->module(),
-                          &export_wrappers);
-
  Handle<Script> script =
      wasm_engine->GetOrCreateScript(isolate, shared_native_module, source_url);
-  Handle<WasmModuleObject> module_object = WasmModuleObject::New(
-      isolate, shared_native_module, script, export_wrappers);
+  Handle<WasmModuleObject> module_object =
+      WasmModuleObject::New(isolate, shared_native_module, script);

  // Finish the Wasm script now and make it public to the debugger.
  isolate->debug()->OnAfterCompile(script);

--- a/test/cctest/wasm/test-streaming-compilation.cc
+++ b/test/cctest/wasm/test-streaming-compilation.cc
@@ -1253,9 +1253,8 @@ STREAM_TEST(TestIncrementalCaching) {
  Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
  Handle<Script> script = GetWasmEngine()->GetOrCreateScript(
      i_isolate, tester.shared_native_module(), kNoSourceUrl);
-  Handle<FixedArray> export_wrappers = i_isolate->factory()->NewFixedArray(3);
-  Handle<WasmModuleObject> module_object = WasmModuleObject::New(
-      i_isolate, tester.shared_native_module(), script, export_wrappers);
+  Handle<WasmModuleObject> module_object =
+      WasmModuleObject::New(i_isolate, tester.shared_native_module(), script);
  ErrorThrower thrower(i_isolate, "Instantiation");
  // We instantiated before, so the second instantiation must also succeed:
  Handle<WasmInstanceObject> instance =

--- a/test/cctest/wasm/wasm-run-utils.cc
+++ b/test/cctest/wasm/wasm-run-utils.cc
@@ -185,10 +185,8 @@ uint32_t TestingModuleBuilder::AddFunction(const FunctionSig* sig,
 }

 void TestingModuleBuilder::InitializeWrapperCache() {
-  size_t max_num_sigs = MaxNumExportWrappers(test_module_.get());
-  Handle<FixedArray> export_wrappers =
-      isolate_->factory()->NewFixedArray(static_cast<int>(max_num_sigs));
-  instance_object_->module_object().set_export_wrappers(*export_wrappers);
+  isolate_->heap()->EnsureWasmCanonicalRttsSize(
+      test_module_->MaxCanonicalTypeIndex() + 1);
 }

 Handle<JSFunction> TestingModuleBuilder::WrapCode(uint32_t index) {

--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -81,10 +81,9 @@ Handle<WasmModuleObject> CompileReferenceModule(Zone* zone, Isolate* isolate,
  constexpr base::Vector<const char> kNoSourceUrl;
  Handle<Script> script =
      GetWasmEngine()->GetOrCreateScript(isolate, native_module, kNoSourceUrl);
-  Handle<FixedArray> export_wrappers = isolate->factory()->NewFixedArray(
-      static_cast<int>(module->functions.size()));
-  return WasmModuleObject::New(isolate, std::move(native_module), script,
-                               export_wrappers);
+  isolate->heap()->EnsureWasmCanonicalRttsSize(module->MaxCanonicalTypeIndex() +
+                                               1);
+  return WasmModuleObject::New(isolate, std::move(native_module), script);
 }

 void InterpretAndExecuteModule(i::Isolate* isolate,

--- a/test/unittests/objects/roots-unittest.cc
+++ b/test/unittests/objects/roots-unittest.cc
@@ -59,6 +59,7 @@ bool IsInitiallyMutable(Factory* factory, Address object_address) {
  V(retaining_path_targets)               \
  V(serialized_global_proxy_sizes)        \
  V(serialized_objects)                   \
+  IF_WASM(V, js_to_wasm_wrappers)         \
  IF_WASM(V, wasm_canonical_rtts)         \
  V(weak_refs_keep_during_job)


--- a/test/unittests/wasm/memory-protection-unittest.cc
+++ b/test/unittests/wasm/memory-protection-unittest.cc
@@ -128,13 +128,12 @@ class MemoryProtectionTest : public TestWithNativeContext {
                         DecodingMethod::kSync, GetWasmEngine()->allocator());
    CHECK(result.ok());

-    Handle<FixedArray> export_wrappers;
    ErrorThrower thrower(isolate(), "");
    constexpr int kNoCompilationId = 0;
    std::shared_ptr<NativeModule> native_module = CompileToNativeModule(
        isolate(), WasmFeatures::All(), &thrower, std::move(result).value(),
-        ModuleWireBytes{base::ArrayVector(module_bytes)}, &export_wrappers,
-        kNoCompilationId, v8::metrics::Recorder::ContextId::Empty());
+        ModuleWireBytes{base::ArrayVector(module_bytes)}, kNoCompilationId,
+        v8::metrics::Recorder::ContextId::Empty());
    CHECK(!thrower.error());
    CHECK_NOT_NULL(native_module);