[inspector] Fix crash due to misuse of embedder fields.

The contract between V8 and Blink is that embedder fields belong to Blink, at least when the object has two or more of them. Now we had 2-3 embedder fields used by the debug proxies and that was confusing Blink, since it expects the first slot to hold an aligned pointer in that case and we had a HeapObject reference stored there. This is a quickfix, which avoids internal fields completely for the context extension proxy (using interceptors on the prototype instead) and changes the named proxies to store the name table under a private symbol instead of using a second internal field. A proper but way more involved fix is to introduce a proper instance type here and use space in the header instead of misusing embedder fields. Fixed: chromium:1170283 Bug: chromium:1159402 Change-Id: I6c4bbe2fe88fef29a6b9946708588245efbbe72b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2649033 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#72323}

[inspector] Fix crash due to misuse of embedder fields.
The contract between V8 and Blink is that embedder fields belong to Blink, at least when the object has two or more of them. Now we had 2-3 embedder fields used by the debug proxies and that was confusing Blink, since it expects the first slot to hold an aligned pointer in that case and we had a HeapObject reference stored there. This is a quickfix, which avoids internal fields completely for the context extension proxy (using interceptors on the prototype instead) and changes the named proxies to store the name table under a private symbol instead of using a second internal field. A proper but way more involved fix is to introduce a proper instance type here and use space in the header instead of misusing embedder fields. Fixed: chromium:1170283 Bug: chromium:1159402 Change-Id: I6c4bbe2fe88fef29a6b9946708588245efbbe72b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2649033 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#72323}
7e2f1108 · Benedikt Meurer · Commit Bot · f30c2681 · 7e2f1108 · 7e2f1108
Commit 7e2f1108 authored Jan 26, 2021 by Benedikt Meurer Committed by Commit Bot Jan 26, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 136 additions and 156 deletions

debug-wasm-support.cc src/debug/debug-wasm-support.cc +40 -61

heap-symbols.h src/init/heap-symbols.h +34 -33

v8heapconst.py tools/v8heapconst.py +62 -62

No files found.
--- a/src/debug/debug-wasm-support.cc
+++ b/src/debug/debug-wasm-support.cc
@@ -255,12 +255,6 @@ struct IndexedDebugProxy {
 // of functions in them.
 template <typename T, DebugProxyId id, typename Provider = WasmInstanceObject>
 struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {
-  enum {
-    kProviderField,
-    kNameTableField,
-    kFieldCount,
-  };
-
  static v8::Local<v8::FunctionTemplate> CreateTemplate(v8::Isolate* isolate) {
    auto templ = IndexedDebugProxy<T, id, Provider>::CreateTemplate(isolate);
    templ->InstanceTemplate()->SetHandler(v8::NamedPropertyHandlerConfiguration(
@@ -275,8 +269,9 @@ struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {

  static Handle<NameDictionary> GetNameTable(Handle<JSObject> holder,
                                             Isolate* isolate) {
-    Handle<Object> table_or_undefined(holder->GetEmbedderField(kNameTableField),
-                                      isolate);
+    Handle<Symbol> symbol = isolate->factory()->wasm_debug_proxy_names_symbol();
+    Handle<Object> table_or_undefined =
+        JSObject::GetProperty(isolate, holder, symbol).ToHandleChecked();
    if (!table_or_undefined->IsUndefined(isolate)) {
      return Handle<NameDictionary>::cast(table_or_undefined);
    }
@@ -291,7 +286,7 @@ struct NamedDebugProxy : IndexedDebugProxy<T, id, Provider> {
      table = NameDictionary::Add(isolate, table, key, value,
                                  PropertyDetails::Empty());
    }
-    holder->SetEmbedderField(kNameTableField, *table);
+    Object::SetProperty(isolate, holder, symbol, table).Check();
    return table;
  }

@@ -593,33 +588,17 @@ Handle<JSObject> GetOrCreateInstanceProxy(Isolate* isolate,
 //
 // See http://doc/1VZOJrU2VsqOZe3IUzbwQWQQSZwgGySsm5119Ust1gUA and
 // http://bit.ly/devtools-wasm-entities for more details.
-class ContextProxy {
+class ContextProxyPrototype {
 public:
-  static Handle<JSObject> Create(WasmFrame* frame) {
-    Isolate* isolate = frame->isolate();
+  static Handle<JSObject> Create(Isolate* isolate) {
    auto object_map =
        GetOrCreateDebugProxyMap(isolate, kContextProxy, &CreateTemplate);
-    auto object = isolate->factory()->NewJSObjectFromMap(object_map);
-    Handle<WasmInstanceObject> instance(frame->wasm_instance(), isolate);
-    object->SetEmbedderField(kInstanceField, *instance);
-    Handle<JSObject> locals = LocalsProxy::Create(frame);
-    object->SetEmbedderField(kLocalsField, *locals);
-    Handle<JSObject> stack = StackProxy::Create(frame);
-    object->SetEmbedderField(kStackField, *stack);
-    return object;
+    return isolate->factory()->NewJSObjectFromMap(object_map);
  }

 private:
-  enum {
-    kInstanceField,
-    kLocalsField,
-    kStackField,
-    kFieldCount,
-  };
-
  static v8::Local<v8::FunctionTemplate> CreateTemplate(v8::Isolate* isolate) {
    Local<v8::FunctionTemplate> templ = v8::FunctionTemplate::New(isolate);
-    templ->InstanceTemplate()->SetInternalFieldCount(kFieldCount);
    templ->InstanceTemplate()->SetHandler(v8::NamedPropertyHandlerConfiguration(
        &NamedGetter, {}, {}, {}, {}, {}, {}, {},
        static_cast<v8::PropertyHandlerFlags>(
@@ -631,44 +610,16 @@ class ContextProxy {
  }

  static MaybeHandle<Object> GetNamedProperty(Isolate* isolate,
-                                              Handle<JSObject> holder,
+                                              Handle<JSObject> receiver,
                                              Handle<String> name) {
-    if (name->length() == 0) return {};
-    Handle<WasmInstanceObject> instance(
-        WasmInstanceObject::cast(holder->GetEmbedderField(kInstanceField)),
-        isolate);
-    if (name->IsOneByteEqualTo(StaticCharVector("instance"))) {
-      return instance;
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("module"))) {
-      return handle(instance->module_object(), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("locals"))) {
-      return handle(holder->GetEmbedderField(kLocalsField), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("stack"))) {
-      return handle(holder->GetEmbedderField(kStackField), isolate);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("memories"))) {
-      return GetOrCreateInstanceProxy<MemoriesProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("tables"))) {
-      return GetOrCreateInstanceProxy<TablesProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("globals"))) {
-      return GetOrCreateInstanceProxy<GlobalsProxy>(isolate, instance);
-    }
-    if (name->IsOneByteEqualTo(StaticCharVector("functions"))) {
-      return GetOrCreateInstanceProxy<FunctionsProxy>(isolate, instance);
-    }
-    if (name->Get(0) == '$') {
+    if (name->length() != 0 && name->Get(0) == '$') {
      const char* kDelegateNames[] = {"memories", "locals", "tables",
                                      "functions", "globals"};
      for (auto delegate_name : kDelegateNames) {
        Handle<Object> delegate;
        ASSIGN_RETURN_ON_EXCEPTION(
            isolate, delegate,
-            JSObject::GetProperty(isolate, holder, delegate_name), Object);
+            JSObject::GetProperty(isolate, receiver, delegate_name), Object);
        if (!delegate->IsUndefined(isolate)) {
          Handle<Object> value;
          ASSIGN_RETURN_ON_EXCEPTION(
@@ -685,14 +636,42 @@ class ContextProxy {
                          const PropertyCallbackInfo<v8::Value>& info) {
    auto name_string = Handle<String>::cast(Utils::OpenHandle(*name));
    auto isolate = reinterpret_cast<Isolate*>(info.GetIsolate());
-    auto holder = Handle<JSObject>::cast(Utils::OpenHandle(*info.Holder()));
+    auto receiver = Handle<JSObject>::cast(Utils::OpenHandle(*info.This()));
    Handle<Object> value;
-    if (GetNamedProperty(isolate, holder, name_string).ToHandle(&value)) {
+    if (GetNamedProperty(isolate, receiver, name_string).ToHandle(&value)) {
      info.GetReturnValue().Set(Utils::ToLocal(value));
    }
  }
 };

+class ContextProxy {
+ public:
+  static Handle<JSObject> Create(WasmFrame* frame) {
+    Isolate* isolate = frame->isolate();
+    auto object = isolate->factory()->NewJSObjectWithNullProto();
+    Handle<WasmInstanceObject> instance(frame->wasm_instance(), isolate);
+    JSObject::AddProperty(isolate, object, "instance", instance, FROZEN);
+    Handle<WasmModuleObject> module_object(instance->module_object(), isolate);
+    JSObject::AddProperty(isolate, object, "module", module_object, FROZEN);
+    auto locals = LocalsProxy::Create(frame);
+    JSObject::AddProperty(isolate, object, "locals", locals, FROZEN);
+    auto stack = StackProxy::Create(frame);
+    JSObject::AddProperty(isolate, object, "stack", stack, FROZEN);
+    auto memories = GetOrCreateInstanceProxy<MemoriesProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "memories", memories, FROZEN);
+    auto tables = GetOrCreateInstanceProxy<TablesProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "tables", tables, FROZEN);
+    auto globals = GetOrCreateInstanceProxy<GlobalsProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "globals", globals, FROZEN);
+    auto functions =
+        GetOrCreateInstanceProxy<FunctionsProxy>(isolate, instance);
+    JSObject::AddProperty(isolate, object, "functions", functions, FROZEN);
+    Handle<JSObject> prototype = ContextProxyPrototype::Create(isolate);
+    JSObject::SetPrototype(object, prototype, false, kDontThrow).Check();
+    return object;
+  }
+};
+
 class DebugWasmScopeIterator final : public debug::ScopeIterator {
 public:
  explicit DebugWasmScopeIterator(WasmFrame* frame)

--- a/src/init/heap-symbols.h
+++ b/src/init/heap-symbols.h
@@ -336,39 +336,40 @@
  V(_, writable_string, "writable")                                  \
  V(_, zero_string, "0")

-#define PRIVATE_SYMBOL_LIST_GENERATOR(V, _)           \
-  V(_, call_site_frame_array_symbol)                  \
-  V(_, call_site_frame_index_symbol)                  \
-  V(_, console_context_id_symbol)                     \
-  V(_, console_context_name_symbol)                   \
-  V(_, class_fields_symbol)                           \
-  V(_, class_positions_symbol)                        \
-  V(_, detailed_stack_trace_symbol)                   \
-  V(_, elements_transition_symbol)                    \
-  V(_, error_end_pos_symbol)                          \
-  V(_, error_script_symbol)                           \
-  V(_, error_start_pos_symbol)                        \
-  V(_, frozen_symbol)                                 \
-  V(_, interpreter_trampoline_symbol)                 \
-  V(_, megamorphic_symbol)                            \
-  V(_, native_context_index_symbol)                   \
-  V(_, nonextensible_symbol)                          \
-  V(_, not_mapped_symbol)                             \
-  V(_, promise_debug_marker_symbol)                   \
-  V(_, promise_debug_message_symbol)                  \
-  V(_, promise_forwarding_handler_symbol)             \
-  V(_, promise_handled_by_symbol)                     \
-  V(_, regexp_result_names_symbol)                    \
-  V(_, regexp_result_regexp_input_symbol)             \
-  V(_, regexp_result_regexp_last_index_symbol)        \
-  V(_, sealed_symbol)                                 \
-  V(_, stack_trace_symbol)                            \
-  V(_, strict_function_transition_symbol)             \
-  V(_, wasm_exception_tag_symbol)                     \
-  V(_, wasm_exception_values_symbol)                  \
-  V(_, wasm_uncatchable_symbol)                       \
-  V(_, wasm_wrapped_object_symbol)                    \
-  V(_, wasm_debug_proxy_cache_symbol)                 \
+#define PRIVATE_SYMBOL_LIST_GENERATOR(V, _)    \
+  V(_, call_site_frame_array_symbol)           \
+  V(_, call_site_frame_index_symbol)           \
+  V(_, console_context_id_symbol)              \
+  V(_, console_context_name_symbol)            \
+  V(_, class_fields_symbol)                    \
+  V(_, class_positions_symbol)                 \
+  V(_, detailed_stack_trace_symbol)            \
+  V(_, elements_transition_symbol)             \
+  V(_, error_end_pos_symbol)                   \
+  V(_, error_script_symbol)                    \
+  V(_, error_start_pos_symbol)                 \
+  V(_, frozen_symbol)                          \
+  V(_, interpreter_trampoline_symbol)          \
+  V(_, megamorphic_symbol)                     \
+  V(_, native_context_index_symbol)            \
+  V(_, nonextensible_symbol)                   \
+  V(_, not_mapped_symbol)                      \
+  V(_, promise_debug_marker_symbol)            \
+  V(_, promise_debug_message_symbol)           \
+  V(_, promise_forwarding_handler_symbol)      \
+  V(_, promise_handled_by_symbol)              \
+  V(_, regexp_result_names_symbol)             \
+  V(_, regexp_result_regexp_input_symbol)      \
+  V(_, regexp_result_regexp_last_index_symbol) \
+  V(_, sealed_symbol)                          \
+  V(_, stack_trace_symbol)                     \
+  V(_, strict_function_transition_symbol)      \
+  V(_, wasm_exception_tag_symbol)              \
+  V(_, wasm_exception_values_symbol)           \
+  V(_, wasm_uncatchable_symbol)                \
+  V(_, wasm_wrapped_object_symbol)             \
+  V(_, wasm_debug_proxy_cache_symbol)          \
+  V(_, wasm_debug_proxy_names_symbol)          \
  V(_, uninitialized_symbol)

 #define PUBLIC_SYMBOL_LIST_GENERATOR(V, _)                \

--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -319,68 +319,68 @@ KNOWN_MAPS = {
  ("read_only_space", 0x03151): (67, "BasicBlockCountersMarkerMap"),
  ("read_only_space", 0x03195): (87, "ArrayBoilerplateDescriptionMap"),
  ("read_only_space", 0x03269): (99, "InterceptorInfoMap"),
-  ("read_only_space", 0x053c5): (72, "PromiseFulfillReactionJobTaskMap"),
-  ("read_only_space", 0x053ed): (73, "PromiseRejectReactionJobTaskMap"),
-  ("read_only_space", 0x05415): (74, "CallableTaskMap"),
-  ("read_only_space", 0x0543d): (75, "CallbackTaskMap"),
-  ("read_only_space", 0x05465): (76, "PromiseResolveThenableJobTaskMap"),
-  ("read_only_space", 0x0548d): (79, "FunctionTemplateInfoMap"),
-  ("read_only_space", 0x054b5): (80, "ObjectTemplateInfoMap"),
-  ("read_only_space", 0x054dd): (81, "AccessCheckInfoMap"),
-  ("read_only_space", 0x05505): (82, "AccessorInfoMap"),
-  ("read_only_space", 0x0552d): (83, "AccessorPairMap"),
-  ("read_only_space", 0x05555): (84, "AliasedArgumentsEntryMap"),
-  ("read_only_space", 0x0557d): (85, "AllocationMementoMap"),
-  ("read_only_space", 0x055a5): (88, "AsmWasmDataMap"),
-  ("read_only_space", 0x055cd): (89, "AsyncGeneratorRequestMap"),
-  ("read_only_space", 0x055f5): (90, "BreakPointMap"),
-  ("read_only_space", 0x0561d): (91, "BreakPointInfoMap"),
-  ("read_only_space", 0x05645): (92, "CachedTemplateObjectMap"),
-  ("read_only_space", 0x0566d): (94, "ClassPositionsMap"),
-  ("read_only_space", 0x05695): (95, "DebugInfoMap"),
-  ("read_only_space", 0x056bd): (98, "FunctionTemplateRareDataMap"),
-  ("read_only_space", 0x056e5): (100, "InterpreterDataMap"),
-  ("read_only_space", 0x0570d): (101, "ModuleRequestMap"),
-  ("read_only_space", 0x05735): (102, "PromiseCapabilityMap"),
-  ("read_only_space", 0x0575d): (103, "PromiseReactionMap"),
-  ("read_only_space", 0x05785): (104, "PropertyDescriptorObjectMap"),
-  ("read_only_space", 0x057ad): (105, "PrototypeInfoMap"),
-  ("read_only_space", 0x057d5): (106, "ScriptMap"),
-  ("read_only_space", 0x057fd): (107, "SourceTextModuleInfoEntryMap"),
-  ("read_only_space", 0x05825): (108, "StackFrameInfoMap"),
-  ("read_only_space", 0x0584d): (109, "StackTraceFrameMap"),
-  ("read_only_space", 0x05875): (110, "TemplateObjectDescriptionMap"),
-  ("read_only_space", 0x0589d): (111, "Tuple2Map"),
-  ("read_only_space", 0x058c5): (112, "WasmExceptionTagMap"),
-  ("read_only_space", 0x058ed): (113, "WasmExportedFunctionDataMap"),
-  ("read_only_space", 0x05915): (114, "WasmIndirectFunctionTableMap"),
-  ("read_only_space", 0x0593d): (115, "WasmJSFunctionDataMap"),
-  ("read_only_space", 0x05965): (134, "SloppyArgumentsElementsMap"),
-  ("read_only_space", 0x0598d): (151, "DescriptorArrayMap"),
-  ("read_only_space", 0x059b5): (156, "UncompiledDataWithoutPreparseDataMap"),
-  ("read_only_space", 0x059dd): (155, "UncompiledDataWithPreparseDataMap"),
-  ("read_only_space", 0x05a05): (171, "OnHeapBasicBlockProfilerDataMap"),
-  ("read_only_space", 0x05a2d): (180, "WasmCapiFunctionDataMap"),
-  ("read_only_space", 0x05a55): (168, "InternalClassMap"),
-  ("read_only_space", 0x05a7d): (177, "SmiPairMap"),
-  ("read_only_space", 0x05aa5): (176, "SmiBoxMap"),
-  ("read_only_space", 0x05acd): (145, "ExportedSubClassBaseMap"),
-  ("read_only_space", 0x05af5): (146, "ExportedSubClassMap"),
-  ("read_only_space", 0x05b1d): (68, "AbstractInternalClassSubclass1Map"),
-  ("read_only_space", 0x05b45): (69, "AbstractInternalClassSubclass2Map"),
-  ("read_only_space", 0x05b6d): (132, "InternalClassWithSmiElementsMap"),
-  ("read_only_space", 0x05b95): (169, "InternalClassWithStructElementsMap"),
-  ("read_only_space", 0x05bbd): (147, "ExportedSubClass2Map"),
-  ("read_only_space", 0x05be5): (178, "SortStateMap"),
-  ("read_only_space", 0x05c0d): (86, "AllocationSiteWithWeakNextMap"),
-  ("read_only_space", 0x05c35): (86, "AllocationSiteWithoutWeakNextMap"),
-  ("read_only_space", 0x05c5d): (77, "LoadHandler1Map"),
-  ("read_only_space", 0x05c85): (77, "LoadHandler2Map"),
-  ("read_only_space", 0x05cad): (77, "LoadHandler3Map"),
-  ("read_only_space", 0x05cd5): (78, "StoreHandler0Map"),
-  ("read_only_space", 0x05cfd): (78, "StoreHandler1Map"),
-  ("read_only_space", 0x05d25): (78, "StoreHandler2Map"),
-  ("read_only_space", 0x05d4d): (78, "StoreHandler3Map"),
+  ("read_only_space", 0x053d5): (72, "PromiseFulfillReactionJobTaskMap"),
+  ("read_only_space", 0x053fd): (73, "PromiseRejectReactionJobTaskMap"),
+  ("read_only_space", 0x05425): (74, "CallableTaskMap"),
+  ("read_only_space", 0x0544d): (75, "CallbackTaskMap"),
+  ("read_only_space", 0x05475): (76, "PromiseResolveThenableJobTaskMap"),
+  ("read_only_space", 0x0549d): (79, "FunctionTemplateInfoMap"),
+  ("read_only_space", 0x054c5): (80, "ObjectTemplateInfoMap"),
+  ("read_only_space", 0x054ed): (81, "AccessCheckInfoMap"),
+  ("read_only_space", 0x05515): (82, "AccessorInfoMap"),
+  ("read_only_space", 0x0553d): (83, "AccessorPairMap"),
+  ("read_only_space", 0x05565): (84, "AliasedArgumentsEntryMap"),
+  ("read_only_space", 0x0558d): (85, "AllocationMementoMap"),
+  ("read_only_space", 0x055b5): (88, "AsmWasmDataMap"),
+  ("read_only_space", 0x055dd): (89, "AsyncGeneratorRequestMap"),
+  ("read_only_space", 0x05605): (90, "BreakPointMap"),
+  ("read_only_space", 0x0562d): (91, "BreakPointInfoMap"),
+  ("read_only_space", 0x05655): (92, "CachedTemplateObjectMap"),
+  ("read_only_space", 0x0567d): (94, "ClassPositionsMap"),
+  ("read_only_space", 0x056a5): (95, "DebugInfoMap"),
+  ("read_only_space", 0x056cd): (98, "FunctionTemplateRareDataMap"),
+  ("read_only_space", 0x056f5): (100, "InterpreterDataMap"),
+  ("read_only_space", 0x0571d): (101, "ModuleRequestMap"),
+  ("read_only_space", 0x05745): (102, "PromiseCapabilityMap"),
+  ("read_only_space", 0x0576d): (103, "PromiseReactionMap"),
+  ("read_only_space", 0x05795): (104, "PropertyDescriptorObjectMap"),
+  ("read_only_space", 0x057bd): (105, "PrototypeInfoMap"),
+  ("read_only_space", 0x057e5): (106, "ScriptMap"),
+  ("read_only_space", 0x0580d): (107, "SourceTextModuleInfoEntryMap"),
+  ("read_only_space", 0x05835): (108, "StackFrameInfoMap"),
+  ("read_only_space", 0x0585d): (109, "StackTraceFrameMap"),
+  ("read_only_space", 0x05885): (110, "TemplateObjectDescriptionMap"),
+  ("read_only_space", 0x058ad): (111, "Tuple2Map"),
+  ("read_only_space", 0x058d5): (112, "WasmExceptionTagMap"),
+  ("read_only_space", 0x058fd): (113, "WasmExportedFunctionDataMap"),
+  ("read_only_space", 0x05925): (114, "WasmIndirectFunctionTableMap"),
+  ("read_only_space", 0x0594d): (115, "WasmJSFunctionDataMap"),
+  ("read_only_space", 0x05975): (134, "SloppyArgumentsElementsMap"),
+  ("read_only_space", 0x0599d): (151, "DescriptorArrayMap"),
+  ("read_only_space", 0x059c5): (156, "UncompiledDataWithoutPreparseDataMap"),
+  ("read_only_space", 0x059ed): (155, "UncompiledDataWithPreparseDataMap"),
+  ("read_only_space", 0x05a15): (171, "OnHeapBasicBlockProfilerDataMap"),
+  ("read_only_space", 0x05a3d): (180, "WasmCapiFunctionDataMap"),
+  ("read_only_space", 0x05a65): (168, "InternalClassMap"),
+  ("read_only_space", 0x05a8d): (177, "SmiPairMap"),
+  ("read_only_space", 0x05ab5): (176, "SmiBoxMap"),
+  ("read_only_space", 0x05add): (145, "ExportedSubClassBaseMap"),
+  ("read_only_space", 0x05b05): (146, "ExportedSubClassMap"),
+  ("read_only_space", 0x05b2d): (68, "AbstractInternalClassSubclass1Map"),
+  ("read_only_space", 0x05b55): (69, "AbstractInternalClassSubclass2Map"),
+  ("read_only_space", 0x05b7d): (132, "InternalClassWithSmiElementsMap"),
+  ("read_only_space", 0x05ba5): (169, "InternalClassWithStructElementsMap"),
+  ("read_only_space", 0x05bcd): (147, "ExportedSubClass2Map"),
+  ("read_only_space", 0x05bf5): (178, "SortStateMap"),
+  ("read_only_space", 0x05c1d): (86, "AllocationSiteWithWeakNextMap"),
+  ("read_only_space", 0x05c45): (86, "AllocationSiteWithoutWeakNextMap"),
+  ("read_only_space", 0x05c6d): (77, "LoadHandler1Map"),
+  ("read_only_space", 0x05c95): (77, "LoadHandler2Map"),
+  ("read_only_space", 0x05cbd): (77, "LoadHandler3Map"),
+  ("read_only_space", 0x05ce5): (78, "StoreHandler0Map"),
+  ("read_only_space", 0x05d0d): (78, "StoreHandler1Map"),
+  ("read_only_space", 0x05d35): (78, "StoreHandler2Map"),
+  ("read_only_space", 0x05d5d): (78, "StoreHandler3Map"),
  ("map_space", 0x02119): (1057, "ExternalMap"),
  ("map_space", 0x02141): (1098, "JSMessageObjectMap"),
  ("map_space", 0x02169): (181, "WasmRttEqrefMap"),