[ic] Add a new MegaDOM IC

This patch implements the MegaDOM IC setup and access. A new MegaDOM IC state indicates that we've seen only DOM accessors at this access site. This CL only adds support for DOM getters in LoadIC, other kinds of access will be added in follow on CLs. Still remaining TODO before shipping: 1. Have a mechanism to invalidate the protector 2. Have a mechanism to find the accessors that aren't overloaded 3. Use a new builtin to miss to runtime on access check failure Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2 Bug: v8:11321 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239Reviewed-by: Omer Katz <omerkatz@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#73733}

[ic] Add a new MegaDOM IC
This patch implements the MegaDOM IC setup and access. A new MegaDOM IC state indicates that we've seen only DOM accessors at this access site. This CL only adds support for DOM getters in LoadIC, other kinds of access will be added in follow on CLs. Still remaining TODO before shipping: 1. Have a mechanism to invalidate the protector 2. Have a mechanism to find the accessors that aren't overloaded 3. Use a new builtin to miss to runtime on access check failure Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2 Bug: v8:11321 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239Reviewed-by: Omer Katz <omerkatz@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Dan Elphick <delphick@chromium.org> Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#73733}
c83c9590 · Sathya Gunasekaran · Commit Bot · ecc59c4e · c83c9590 · c83c9590
Commit c83c9590 authored Mar 30, 2021 by Sathya Gunasekaran Committed by Commit Bot Mar 31, 2021
36 changed files
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1237,6 +1237,8 @@ action("postmortem-metadata") {
    "src/objects/map.cc",
    "src/objects/map.h",
    "src/objects/map-inl.h",
+    "src/objects/megadom-handler.h",
+    "src/objects/megadom-handler-inl.h",
    "src/objects/name.h",
    "src/objects/name-inl.h",
    "src/objects/objects.h",
@@ -1425,6 +1427,7 @@ torque_files = [
  "src/objects/js-weak-refs.tq",
  "src/objects/literal-objects.tq",
  "src/objects/map.tq",
+  "src/objects/megadom-handler.tq",
  "src/objects/microtask.tq",
  "src/objects/module.tq",
  "src/objects/name.tq",
@@ -2791,6 +2794,8 @@ v8_header_set("v8_internal_headers") {
    "src/objects/map.h",
    "src/objects/maybe-object-inl.h",
    "src/objects/maybe-object.h",
+    "src/objects/megadom-handler-inl.h",
+    "src/objects/megadom-handler.h",
    "src/objects/microtask-inl.h",
    "src/objects/microtask.h",
    "src/objects/module-inl.h",

--- a/include/v8.h
+++ b/include/v8.h
@@ -8545,6 +8545,7 @@ class V8_EXPORT Isolate {
    kWasmBulkMemory = 109,  // Unused.
    kWasmMultiValue = 110,
    kWasmExceptionHandling = 111,
+    kInvalidatedMegaDOMProtector = 112,
    // If you add new values here, you'll also need to update Chromium's:
    // web_feature.mojom, use_counter_callback.cc, and enums.xml. V8 changes to

--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@@ -6036,6 +6036,13 @@ TNode<BoolT> CodeStubAssembler::IsNoElementsProtectorCellInvalid() {
  return TaggedEqual(cell_value, invalid);
 }
+TNode<BoolT> CodeStubAssembler::IsMegaDOMProtectorCellInvalid() {
+  TNode<Smi> invalid = SmiConstant(Protectors::kProtectorInvalid);
+  TNode<PropertyCell> cell = MegaDOMProtectorConstant();
+  TNode<Object> cell_value = LoadObjectField(cell, PropertyCell::kValueOffset);
+  return TaggedEqual(cell_value, invalid);
+}
 TNode<BoolT> CodeStubAssembler::IsArrayIteratorProtectorCellInvalid() {
  TNode<Smi> invalid = SmiConstant(Protectors::kProtectorInvalid);
  TNode<PropertyCell> cell = ArrayIteratorProtectorConstant();
@@ -6285,14 +6292,27 @@ TNode<BoolT> CodeStubAssembler::IsJSObjectInstanceType(
                                 Int32Constant(FIRST_JS_OBJECT_TYPE));
 }
+TNode<BoolT> CodeStubAssembler::IsJSApiObjectInstanceType(
+    TNode<Int32T> instance_type) {
+  return InstanceTypeEqual(instance_type, JS_API_OBJECT_TYPE);
+}
 TNode<BoolT> CodeStubAssembler::IsJSObjectMap(TNode<Map> map) {
  return IsJSObjectInstanceType(LoadMapInstanceType(map));
 }
+TNode<BoolT> CodeStubAssembler::IsJSApiObjectMap(TNode<Map> map) {
+  return IsJSApiObjectInstanceType(LoadMapInstanceType(map));
+}
 TNode<BoolT> CodeStubAssembler::IsJSObject(TNode<HeapObject> object) {
  return IsJSObjectMap(LoadMap(object));
 }
+TNode<BoolT> CodeStubAssembler::IsJSApiObject(TNode<HeapObject> object) {
+  return IsJSApiObjectMap(LoadMap(object));
+}
 TNode<BoolT> CodeStubAssembler::IsJSFinalizationRegistryMap(TNode<Map> map) {
  return InstanceTypeEqual(LoadMapInstanceType(map),
                           JS_FINALIZATION_REGISTRY_TYPE);

--- a/src/codegen/code-stub-assembler.h
+++ b/src/codegen/code-stub-assembler.h
@@ -67,6 +67,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
    AsyncIteratorValueUnwrapSharedFun)                                         \
  V(MapIteratorProtector, map_iterator_protector, MapIteratorProtector)        \
  V(NoElementsProtector, no_elements_protector, NoElementsProtector)           \
+  V(MegaDOMProtector, mega_dom_protector, MegaDOMProtector)                    \
  V(NumberStringCache, number_string_cache, NumberStringCache)                 \
  V(PromiseAllResolveElementSharedFun, promise_all_resolve_element_shared_fun, \
    PromiseAllResolveElementSharedFun)                                         \
@@ -157,6 +158,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
  V(ManyClosuresCellMap, many_closures_cell_map, ManyClosuresCellMap)        \
  V(match_symbol, match_symbol, MatchSymbol)                                 \
  V(megamorphic_symbol, megamorphic_symbol, MegamorphicSymbol)               \
+  V(mega_dom_symbol, mega_dom_symbol, MegaDOMSymbol)                         \
  V(message_string, message_string, MessageString)                           \
  V(minus_Infinity_string, minus_Infinity_string, MinusInfinityString)       \
  V(MinusZeroValue, minus_zero_value, MinusZero)                             \
@@ -2342,6 +2344,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  // JSProxy or an object with interceptors.
  TNode<BoolT> InstanceTypeEqual(TNode<Int32T> instance_type, int type);
  TNode<BoolT> IsNoElementsProtectorCellInvalid();
+  TNode<BoolT> IsMegaDOMProtectorCellInvalid();
  TNode<BoolT> IsArrayIteratorProtectorCellInvalid();
  TNode<BoolT> IsBigIntInstanceType(TNode<Int32T> instance_type);
  TNode<BoolT> IsBigInt(TNode<HeapObject> object);
@@ -2391,6 +2394,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
  TNode<BoolT> IsJSObjectInstanceType(TNode<Int32T> instance_type);
  TNode<BoolT> IsJSObjectMap(TNode<Map> map);
  TNode<BoolT> IsJSObject(TNode<HeapObject> object);
+  TNode<BoolT> IsJSApiObjectInstanceType(TNode<Int32T> instance_type);
+  TNode<BoolT> IsJSApiObjectMap(TNode<Map> map);
+  TNode<BoolT> IsJSApiObject(TNode<HeapObject> object);
  TNode<BoolT> IsJSFinalizationRegistryMap(TNode<Map> map);
  TNode<BoolT> IsJSFinalizationRegistry(TNode<HeapObject> object);
  TNode<BoolT> IsJSPromiseMap(TNode<Map> map);

--- a/src/common/globals.h
+++ b/src/common/globals.h
@@ -880,6 +880,8 @@ enum InlineCacheState {
  RECOMPUTE_HANDLER,
  // Multiple receiver types have been seen.
  POLYMORPHIC,
+  // Many DOM receiver types have been seen for the same accessor.
+  MEGADOM,
  // Many receiver types have been seen.
  MEGAMORPHIC,
  // A generic handler is installed and no extra typefeedback is recorded.
@@ -901,6 +903,8 @@ inline const char* InlineCacheState2String(InlineCacheState state) {
      return "POLYMORPHIC";
    case MEGAMORPHIC:
      return "MEGAMORPHIC";
+    case MEGADOM:
+      return "MEGADOM";
    case GENERIC:
      return "GENERIC";
  }

--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -2553,6 +2553,33 @@ Local<String> Shell::Stringify(Isolate* isolate, Local<Value> value) {
  return result.ToLocalChecked().As<String>();
 }
+void Shell::NodeTypeCallback(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  args.GetReturnValue().Set(v8::Number::New(isolate, 1));
+}
+Local<FunctionTemplate> Shell::CreateNodeTemplates(Isolate* isolate) {
+  Local<FunctionTemplate> node = FunctionTemplate::New(isolate);
+  Local<ObjectTemplate> proto_template = node->PrototypeTemplate();
+  Local<Signature> signature = v8::Signature::New(isolate, node);
+  Local<FunctionTemplate> nodeType = FunctionTemplate::New(
+      isolate, NodeTypeCallback, Local<Value>(), signature);
+  nodeType->SetAcceptAnyReceiver(false);
+  proto_template->SetAccessorProperty(
+      String::NewFromUtf8Literal(isolate, "nodeType"), nodeType);
+  Local<FunctionTemplate> element = FunctionTemplate::New(isolate);
+  element->Inherit(node);
+  Local<FunctionTemplate> html_element = FunctionTemplate::New(isolate);
+  html_element->Inherit(element);
+  Local<FunctionTemplate> div_element = FunctionTemplate::New(isolate);
+  div_element->Inherit(html_element);
+  return div_element;
+}
 Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
  Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
  global_template->Set(Symbol::GetToStringTag(isolate),
@@ -2584,6 +2611,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
  global_template->Set(isolate, "performance",
                       Shell::CreatePerformanceTemplate(isolate));
  global_template->Set(isolate, "Worker", Shell::CreateWorkerTemplate(isolate));
  // Prevent fuzzers from creating side effects.
  if (!i::FLAG_fuzzing) {
    global_template->Set(isolate, "os", Shell::CreateOSTemplate(isolate));
@@ -2711,6 +2739,10 @@ Local<ObjectTemplate> Shell::CreateD8Template(Isolate* isolate) {
                      FunctionTemplate::New(isolate, LogGetAndStop));
    d8_template->Set(isolate, "log", log_template);
+    Local<ObjectTemplate> dom_template = ObjectTemplate::New(isolate);
+    dom_template->Set(isolate, "Div", Shell::CreateNodeTemplates(isolate));
+    d8_template->Set(isolate, "dom", dom_template);
  }
  {
    Local<ObjectTemplate> test_template = ObjectTemplate::New(isolate);

--- a/src/d8/d8.h
+++ b/src/d8/d8.h
@@ -624,6 +624,9 @@ class Shell : public i::AllStatic {
  static void RunShell(Isolate* isolate);
  static bool SetOptions(int argc, char* argv[]);
+  static void NodeTypeCallback(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static Local<FunctionTemplate> CreateNodeTemplates(Isolate* isolate);
  static Local<ObjectTemplate> CreateGlobalTemplate(Isolate* isolate);
  static Local<ObjectTemplate> CreateOSTemplate(Isolate* isolate);
  static Local<FunctionTemplate> CreateWorkerTemplate(Isolate* isolate);

--- a/src/diagnostics/objects-debug.cc
+++ b/src/diagnostics/objects-debug.cc
@@ -61,6 +61,7 @@
 #include "src/objects/js-weak-refs-inl.h"
 #include "src/objects/literal-objects-inl.h"
 #include "src/objects/maybe-object.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/oddball-inl.h"

--- a/src/execution/protectors.h
+++ b/src/execution/protectors.h
@@ -26,6 +26,8 @@ class Protectors : public AllStatic {
    is_concat_spreadable_protector)                                           \
  V(NoElements, NoElementsProtector, no_elements_protector)                   \
                                                                              \
+  V(MegaDOM, MegaDOMProtector, mega_dom_protector)                            \
+                                                                              \
  /* The MapIterator protector protects the original iteration behaviors   */ \
  /* of Map.prototype.keys(), Map.prototype.values(), and                  */ \
  /* Set.prototype.entries(). It does not protect the original iteration   */ \

--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@@ -1454,6 +1454,8 @@ DEFINE_BOOL(native_code_counters, DEBUG_BOOL,
 DEFINE_BOOL(super_ic, true, "use an IC for super property loads")
+DEFINE_BOOL(enable_mega_dom_ic, false, "use MegaDOM IC state for API objects")
 // objects.cc
 DEFINE_BOOL(thin_strings, true, "Enable ThinString support")
 DEFINE_BOOL(trace_prototype_users, false,

--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@@ -53,6 +53,7 @@
 #include "src/objects/js-regexp-inl.h"
 #include "src/objects/js-weak-refs-inl.h"
 #include "src/objects/literal-objects-inl.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/promise-inl.h"
@@ -3098,6 +3099,16 @@ Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<NativeContext> context,
  return map;
 }
+Handle<MegaDomHandler> Factory::NewMegaDomHandler(MaybeObjectHandle accessor,
+                                                  MaybeObjectHandle context) {
+  Handle<Map> map = read_only_roots().mega_dom_handler_map_handle();
+  MegaDomHandler handler = MegaDomHandler::cast(New(map, AllocationType::kOld));
+  DisallowGarbageCollection no_gc;
+  handler.set_accessor(*accessor);
+  handler.set_context(*context);
+  return handle(handler, isolate());
+}
 Handle<LoadHandler> Factory::NewLoadHandler(int data_count,
                                            AllocationType allocation) {
  Handle<Map> map;

--- a/src/heap/factory.h
+++ b/src/heap/factory.h
@@ -732,7 +732,8 @@ class V8_EXPORT_PRIVATE Factory : public FactoryBase<Factory> {
  Handle<LoadHandler> NewLoadHandler(
      int data_count, AllocationType allocation = AllocationType::kOld);
  Handle<StoreHandler> NewStoreHandler(int data_count);
+  Handle<MegaDomHandler> NewMegaDomHandler(MaybeObjectHandle accessor,
+                                           MaybeObjectHandle context);
  Handle<RegExpMatchInfo> NewRegExpMatchInfo();
  // Creates a new FixedArray that holds the data associated with the

--- a/src/heap/setup-heap-internal.cc
+++ b/src/heap/setup-heap-internal.cc
@@ -381,6 +381,7 @@ bool Heap::CreateInitialMaps() {
    ALLOCATE_PRIMITIVE_MAP(SYMBOL_TYPE, Symbol::kSize, symbol,
                           Context::SYMBOL_FUNCTION_INDEX)
    ALLOCATE_MAP(FOREIGN_TYPE, Foreign::kSize, foreign)
+    ALLOCATE_MAP(MEGA_DOM_HANDLER_TYPE, MegaDomHandler::kSize, mega_dom_handler)
    ALLOCATE_PRIMITIVE_MAP(ODDBALL_TYPE, Oddball::kSize, boolean,
                           Context::BOOLEAN_FUNCTION_INDEX);
@@ -864,6 +865,7 @@ void Heap::CreateInitialObjects() {
  set_is_concat_spreadable_protector(*factory->NewProtector());
  set_map_iterator_protector(*factory->NewProtector());
  set_no_elements_protector(*factory->NewProtector());
+  set_mega_dom_protector(*factory->NewProtector());
  set_promise_hook_protector(*factory->NewProtector());
  set_promise_resolve_protector(*factory->NewProtector());
  set_promise_species_protector(*factory->NewProtector());

--- a/src/ic/accessor-assembler.cc
+++ b/src/ic/accessor-assembler.cc
@@ -16,6 +16,7 @@
 #include "src/objects/cell.h"
 #include "src/objects/foreign.h"
 #include "src/objects/heap-number.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/module.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/property-details.h"
@@ -134,6 +135,55 @@ void AccessorAssembler::HandlePolymorphicCase(
  }
 }
+void AccessorAssembler::TryMegaDOMCase(TNode<Object> lookup_start_object,
+                                       TNode<Map> lookup_start_object_map,
+                                       TVariable<MaybeObject>* var_handler,
+                                       TNode<Object> vector,
+                                       TNode<TaggedIndex> slot, Label* miss,
+                                       ExitPoint* exit_point) {
+  // Check if the receiver is a JS_API_OBJECT
+  GotoIfNot(IsJSApiObjectMap(lookup_start_object_map), miss);
+  // Check if receiver requires access check
+  GotoIf(IsSetWord32<Map::Bits1::IsAccessCheckNeededBit>(
+             LoadMapBitField(lookup_start_object_map)),
+         miss);
+  CSA_ASSERT(this, TaggedEqual(LoadFeedbackVectorSlot(CAST(vector), slot),
+                               MegaDOMSymbolConstant()));
+  // In some cases, we load the
+  TNode<MegaDomHandler> handler;
+  if (var_handler->IsBound()) {
+    handler = CAST(var_handler->value());
+  } else {
+    TNode<MaybeObject> maybe_handler =
+        LoadFeedbackVectorSlot(CAST(vector), slot, kTaggedSize);
+    CSA_ASSERT(this, IsStrong(maybe_handler));
+    handler = CAST(maybe_handler);
+  }
+  // Check if dom protector cell is still valid
+  GotoIf(IsMegaDOMProtectorCellInvalid(), miss);
+  // Load the getter
+  TNode<MaybeObject> maybe_getter = LoadMegaDomHandlerAccessor(handler);
+  CSA_ASSERT(this, IsWeakOrCleared(maybe_getter));
+  TNode<FunctionTemplateInfo> getter =
+      CAST(GetHeapObjectAssumeWeak(maybe_getter, miss));
+  // Load the accessor context
+  TNode<MaybeObject> maybe_context = LoadMegaDomHandlerContext(handler);
+  CSA_ASSERT(this, IsWeakOrCleared(maybe_context));
+  TNode<Context> context = CAST(GetHeapObjectAssumeWeak(maybe_context, miss));
+  // TODO(gsathya): This builtin throws an exception on interface check fail but
+  // we should miss to the runtime.
+  exit_point->Return(
+      CallBuiltin(Builtins::kCallFunctionTemplate_CheckCompatibleReceiver,
+                  context, getter, IntPtrConstant(0), lookup_start_object));
+}
 void AccessorAssembler::HandleLoadICHandlerCase(
    const LazyLoadICParameters* p, TNode<Object> handler, Label* miss,
    ExitPoint* exit_point, ICMode ic_mode, OnNonExistent on_nonexistent,
@@ -2864,11 +2914,23 @@ void AccessorAssembler::LoadIC_Noninlined(const LoadICParameters* p,
  DCHECK_EQ(MachineRepresentation::kTagged, var_handler->rep());
  {
-    // Check megamorphic case.
+    Label try_megamorphic(this), try_megadom(this);
-    GotoIfNot(TaggedEqual(feedback, MegamorphicSymbolConstant()), miss);
+    GotoIf(TaggedEqual(feedback, MegamorphicSymbolConstant()),
+           &try_megamorphic);
+    GotoIf(TaggedEqual(feedback, MegaDOMSymbolConstant()), &try_megadom);
+    Goto(miss);
+    BIND(&try_megamorphic);
+    {
+      TryProbeStubCache(isolate()->load_stub_cache(), p->lookup_start_object(),
+                        CAST(p->name()), if_handler, var_handler, miss);
+    }
-    TryProbeStubCache(isolate()->load_stub_cache(), p->lookup_start_object(),
+    BIND(&try_megadom);
-                      CAST(p->name()), if_handler, var_handler, miss);
+    {
+      TryMegaDOMCase(p->lookup_start_object(), lookup_start_object_map,
+                     var_handler, p->vector(), p->slot(), miss, exit_point);
+    }
  }
 }

--- a/src/ic/accessor-assembler.h
+++ b/src/ic/accessor-assembler.h
@@ -311,6 +311,12 @@ class V8_EXPORT_PRIVATE AccessorAssembler : public CodeStubAssembler {
                             TVariable<MaybeObject>* var_handler,
                             Label* if_miss);
+  void TryMegaDOMCase(TNode<Object> lookup_start_object,
+                      TNode<Map> lookup_start_object_map,
+                      TVariable<MaybeObject>* var_handler, TNode<Object> vector,
+                      TNode<TaggedIndex> slot, Label* miss,
+                      ExitPoint* exit_point);
  // LoadIC implementation.
  void HandleLoadICHandlerCase(
      const LazyLoadICParameters* p, TNode<Object> handler, Label* miss,

--- a/src/ic/call-optimization.cc
+++ b/src/ic/call-optimization.cc
@@ -11,6 +11,7 @@ namespace internal {
 CallOptimization::CallOptimization(Isolate* isolate, Handle<Object> function) {
  constant_function_ = Handle<JSFunction>::null();
  is_simple_api_call_ = false;
+  accept_any_receiver_ = false;
  expected_receiver_type_ = Handle<FunctionTemplateInfo>::null();
  api_call_info_ = Handle<CallHandlerInfo>::null();
  if (function->IsJSFunction()) {
@@ -98,6 +99,7 @@ void CallOptimization::Initialize(
        handle(FunctionTemplateInfo::cast(signature), isolate);
  }
  is_simple_api_call_ = true;
+  accept_any_receiver_ = function_template_info->accept_any_receiver();
 }
 void CallOptimization::Initialize(Isolate* isolate,
@@ -125,6 +127,7 @@ void CallOptimization::AnalyzePossibleApiFunction(Isolate* isolate,
  }
  is_simple_api_call_ = true;
+  accept_any_receiver_ = info->accept_any_receiver();
 }
 }  // namespace internal
 }  // namespace v8
--- a/src/ic/call-optimization.h
+++ b/src/ic/call-optimization.h
@@ -20,6 +20,10 @@ class CallOptimization {
                                      Map holder_map) const;
  bool is_constant_call() const { return !constant_function_.is_null(); }
+  bool accept_any_receiver() const { return accept_any_receiver_; }
+  bool requires_signature_check() const {
+    return !expected_receiver_type_.is_null();
+  }
  Handle<JSFunction> constant_function() const {
    DCHECK(is_constant_call());
@@ -56,9 +60,13 @@ class CallOptimization {
                                  Handle<JSFunction> function);
  Handle<JSFunction> constant_function_;
-  bool is_simple_api_call_;
  Handle<FunctionTemplateInfo> expected_receiver_type_;
  Handle<CallHandlerInfo> api_call_info_;
+  // TODO(gsathya): Change these to be a bitfield and do a single fast check
+  // rather than two checks.
+  bool is_simple_api_call_;
+  bool accept_any_receiver_;
 };
 }  // namespace internal
 }  // namespace v8

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -33,6 +33,7 @@
 #include "src/objects/heap-number-inl.h"
 #include "src/objects/js-array-buffer-inl.h"
 #include "src/objects/js-array-inl.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/prototype.h"
 #include "src/objects/struct-inl.h"
@@ -59,6 +60,8 @@ char IC::TransitionMarkFromState(IC::State state) {
      return 'P';
    case MEGAMORPHIC:
      return 'N';
+    case MEGADOM:
+      return 'D';
    case GENERIC:
      return 'G';
  }
@@ -566,6 +569,55 @@ static bool AddOneReceiverMapIfMissing(
  return true;
 }
+bool IC::UpdateMegaDOMIC(const MaybeObjectHandle& handler, Handle<Name> name) {
+  if (!FLAG_enable_mega_dom_ic) return false;
+  // TODO(gsathya): Enable fuzzing once this feature is more stable.
+  if (FLAG_fuzzing) return false;
+  // TODO(gsathya): Support KeyedLoadIC, StoreIC and KeyedStoreIC.
+  if (!IsLoadIC()) return false;
+  // Check if DOM protector cell is valid.
+  if (!Protectors::IsMegaDOMIntact(isolate())) return false;
+  // Check if current lookup object is an API object
+  Handle<Map> map = lookup_start_object_map();
+  if (!InstanceTypeChecker::IsJSApiObject(map->instance_type())) return false;
+  Handle<Object> accessor_obj;
+  // TODO(gsathya): Check if there are overloads possible for this accessor and
+  // transition only if it isn't possible.
+  if (!accessor().ToHandle(&accessor_obj)) return false;
+  // TODO(gsathya): This is also created in IC::ComputeHandler, find a way to
+  // reuse it here.
+  CallOptimization call_optimization(isolate(), accessor_obj);
+  // Check if accessor is an API function
+  if (!call_optimization.is_simple_api_call()) return false;
+  // Check if accessor requires access checks
+  if (call_optimization.accept_any_receiver()) return false;
+  // Check if accessor requires signature checks
+  if (!call_optimization.requires_signature_check()) return false;
+  // Check if the receiver is the holder
+  CallOptimization::HolderLookup holder_lookup;
+  call_optimization.LookupHolderOfExpectedType(map, &holder_lookup);
+  if (holder_lookup != CallOptimization::kHolderIsReceiver) return false;
+  Handle<Context> accessor_context(call_optimization.GetAccessorContext(*map),
+                                   isolate());
+  Handle<MegaDomHandler> new_handler = isolate()->factory()->NewMegaDomHandler(
+      MaybeObjectHandle::Weak(accessor_obj),
+      MaybeObjectHandle::Weak(accessor_context));
+  nexus()->ConfigureMegaDOM(MaybeObjectHandle(new_handler));
+  return true;
+}
 bool IC::UpdatePolymorphicIC(Handle<Name> name,
                             const MaybeObjectHandle& handler) {
  DCHECK(IsHandler(*handler));
@@ -703,9 +755,12 @@ void IC::SetCache(Handle<Name> name, const MaybeObjectHandle& handler) {
      V8_FALLTHROUGH;
    case POLYMORPHIC:
      if (UpdatePolymorphicIC(name, handler)) break;
+      if (UpdateMegaDOMIC(handler, name)) break;
      if (!is_keyed() || state() == RECOMPUTE_HANDLER) {
        CopyICToMegamorphicCache(name);
      }
+      V8_FALLTHROUGH;
+    case MEGADOM:
      ConfigureVectorState(MEGAMORPHIC, name);
      V8_FALLTHROUGH;
    case MEGAMORPHIC:
@@ -875,6 +930,7 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
          TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
          return LoadHandler::LoadSlow(isolate());
        }
+        set_accessor(getter);
        if ((getter->IsFunctionTemplateInfo() &&
             FunctionTemplateInfo::cast(*getter).BreakAtEntry()) ||

--- a/src/ic/ic.h
+++ b/src/ic/ic.h
@@ -67,6 +67,8 @@ class IC {
 protected:
  void set_slow_stub_reason(const char* reason) { slow_stub_reason_ = reason; }
+  void set_accessor(Handle<Object> accessor) { accessor_ = accessor; }
+  MaybeHandle<Object> accessor() const { return accessor_; }
  Isolate* isolate() const { return isolate_; }
@@ -96,6 +98,7 @@ class IC {
  MaybeHandle<Object> ReferenceError(Handle<Name> name);
  void UpdateMonomorphicIC(const MaybeObjectHandle& handler, Handle<Name> name);
+  bool UpdateMegaDOMIC(const MaybeObjectHandle& handler, Handle<Name> name);
  bool UpdatePolymorphicIC(Handle<Name> name, const MaybeObjectHandle& handler);
  void UpdateMegamorphicCache(Handle<Map> map, Handle<Name> name,
                              const MaybeObjectHandle& handler);
@@ -154,7 +157,7 @@ class IC {
  State state_;
  FeedbackSlotKind kind_;
  Handle<Map> lookup_start_object_map_;
+  MaybeHandle<Object> accessor_;
  MapHandles target_maps_;
  bool target_maps_set_;

--- a/src/init/heap-symbols.h
+++ b/src/init/heap-symbols.h
@@ -349,6 +349,7 @@
  V(_, error_start_pos_symbol)                 \
  V(_, frozen_symbol)                          \
  V(_, interpreter_trampoline_symbol)          \
+  V(_, mega_dom_symbol)                        \
  V(_, megamorphic_symbol)                     \
  V(_, native_context_index_symbol)            \
  V(_, nonextensible_symbol)                   \

--- a/src/objects/all-objects-inl.h
+++ b/src/objects/all-objects-inl.h
@@ -52,6 +52,7 @@
 #include "src/objects/lookup-inl.h"
 #include "src/objects/map-inl.h"
 #include "src/objects/maybe-object-inl.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/name-inl.h"

--- a/src/objects/feedback-vector-inl.h
+++ b/src/objects/feedback-vector-inl.h
@@ -334,6 +334,10 @@ Handle<Symbol> FeedbackVector::MegamorphicSentinel(Isolate* isolate) {
  return isolate->factory()->megamorphic_symbol();
 }
+Handle<Symbol> FeedbackVector::MegaDOMSentinel(Isolate* isolate) {
+  return isolate->factory()->mega_dom_symbol();
+}
 Symbol FeedbackVector::RawUninitializedSentinel(Isolate* isolate) {
  return ReadOnlyRoots(isolate).uninitialized_symbol();
 }
@@ -376,6 +380,11 @@ MaybeObject FeedbackNexus::MegamorphicSentinel() const {
      *FeedbackVector::MegamorphicSentinel(GetIsolate()));
 }
+MaybeObject FeedbackNexus::MegaDOMSentinel() const {
+  return MaybeObject::FromObject(
+      *FeedbackVector::MegaDOMSentinel(GetIsolate()));
+}
 MaybeObject FeedbackNexus::FromHandle(MaybeObjectHandle slot) const {
  return slot.is_null() ? HeapObjectReference::ClearedValue(config()->isolate())
                        : *slot;

--- a/src/objects/feedback-vector.cc
+++ b/src/objects/feedback-vector.cc
@@ -54,6 +54,7 @@ static bool IsPropertyNameFeedback(MaybeObject feedback) {
  Symbol symbol = Symbol::cast(heap_object);
  ReadOnlyRoots roots = symbol.GetReadOnlyRoots();
  return symbol != roots.uninitialized_symbol() &&
+         symbol != roots.mega_dom_symbol() &&
         symbol != roots.megamorphic_symbol();
 }
@@ -676,6 +677,13 @@ bool FeedbackNexus::ConfigureMegamorphic() {
  return false;
 }
+void FeedbackNexus::ConfigureMegaDOM(const MaybeObjectHandle& handler) {
+  DisallowGarbageCollection no_gc;
+  MaybeObject sentinel = MegaDOMSentinel();
+  SetFeedback(sentinel, SKIP_WRITE_BARRIER, *handler, UPDATE_WRITE_BARRIER);
+}
 bool FeedbackNexus::ConfigureMegamorphic(IcCheckType property_type) {
  DisallowGarbageCollection no_gc;
  MaybeObject sentinel = MegamorphicSentinel();
@@ -737,6 +745,10 @@ InlineCacheState FeedbackNexus::ic_state() const {
      if (feedback == MegamorphicSentinel()) {
        return MEGAMORPHIC;
      }
+      if (feedback == MegaDOMSentinel()) {
+        DCHECK(IsLoadICKind(kind()));
+        return MEGADOM;
+      }
      if (feedback->IsWeakOrCleared()) {
        // Don't check if the map is cleared.
        return MONOMORPHIC;

--- a/src/objects/feedback-vector.h
+++ b/src/objects/feedback-vector.h
@@ -322,6 +322,9 @@ class FeedbackVector
  // The object that indicates a megamorphic state.
  static inline Handle<Symbol> MegamorphicSentinel(Isolate* isolate);
+  // The object that indicates a MegaDOM state.
+  static inline Handle<Symbol> MegaDOMSentinel(Isolate* isolate);
  // A raw version of the uninitialized sentinel that's safe to read during
  // garbage collection (e.g., for patching the cache).
  static inline Symbol RawUninitializedSentinel(Isolate* isolate);
@@ -773,6 +776,8 @@ class V8_EXPORT_PRIVATE FeedbackNexus final {
  void ConfigurePolymorphic(
      Handle<Name> name, std::vector<MapAndHandler> const& maps_and_handlers);
+  void ConfigureMegaDOM(const MaybeObjectHandle& handler);
  BinaryOperationHint GetBinaryOperationFeedback() const;
  CompareOperationHint GetCompareOperationFeedback() const;
  ForInHint GetForInFeedback() const;
@@ -847,6 +852,7 @@ class V8_EXPORT_PRIVATE FeedbackNexus final {
  inline MaybeObject UninitializedSentinel() const;
  inline MaybeObject MegamorphicSentinel() const;
+  inline MaybeObject MegaDOMSentinel() const;
  // Create an array. The caller must install it in a feedback vector slot.
  Handle<WeakFixedArray> CreateArrayOfSize(int length);

--- a/src/objects/instance-type.h
+++ b/src/objects/instance-type.h
@@ -258,6 +258,7 @@ TYPED_ARRAYS(TYPED_ARRAY_IS_TYPE_FUNCTION_DECL)
  V(_, FunctionTemplateInfoMap, function_template_info_map,                    \
    FunctionTemplateInfo)                                                      \
  V(_, HeapNumberMap, heap_number_map, HeapNumber)                             \
+  V(_, MegaDomHandlerMap, mega_dom_handler_map, MegaDomHandler)                \
  V(_, MetaMap, meta_map, Map)                                                 \
  V(_, PreparseDataMap, preparse_data_map, PreparseData)                       \
  V(_, PrototypeInfoMap, prototype_info_map, PrototypeInfo)                    \

--- a/src/objects/megadom-handler-inl.h
+++ b/src/objects/megadom-handler-inl.h
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef V8_OBJECTS_MEGADOM_HANDLER_INL_H_
+#define V8_OBJECTS_MEGADOM_HANDLER_INL_H_
+#include "src/objects/megadom-handler.h"
+#include "src/objects/objects-inl.h"  // Needed for write barriers
+// Has to be the last include (doesn't have include guards):
+#include "src/objects/object-macros.h"
+namespace v8 {
+namespace internal {
+#include "torque-generated/src/objects/megadom-handler-tq-inl.inc"
+TQ_OBJECT_CONSTRUCTORS_IMPL(MegaDomHandler)
+}  // namespace internal
+}  // namespace v8
+#include "src/objects/object-macros-undef.h"
+#endif  // V8_OBJECTS_MEGADOM_HANDLER_INL_H_
--- a/src/objects/megadom-handler.h
+++ b/src/objects/megadom-handler.h
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef V8_OBJECTS_MEGADOM_HANDLER_H_
+#define V8_OBJECTS_MEGADOM_HANDLER_H_
+#include "src/objects/heap-object.h"
+// Has to be the last include (doesn't have include guards):
+#include "src/objects/object-macros.h"
+namespace v8 {
+namespace internal {
+#include "torque-generated/src/objects/megadom-handler-tq.inc"
+class MegaDomHandler
+    : public TorqueGeneratedMegaDomHandler<MegaDomHandler, HeapObject> {
+ public:
+  void BriefPrintDetails(std::ostream& os);
+  class BodyDescriptor;
+  TQ_OBJECT_CONSTRUCTORS(MegaDomHandler)
+};
+}  // namespace internal
+}  // namespace v8
+#include "src/objects/object-macros-undef.h"
+#endif  // V8_OBJECTS_MEGADOM_HANDLER_H_
--- a/src/objects/megadom-handler.tq
+++ b/src/objects/megadom-handler.tq
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+@generateCppClass
+@generatePrint
+@generateBodyDescriptor
+extern class MegaDomHandler extends HeapObject {
+  accessor: MaybeObject;
+  context: MaybeObject;
+}
--- a/src/objects/object-list-macros.h
+++ b/src/objects/object-list-macros.h
@@ -166,6 +166,7 @@ class ZoneForwardList;
  V(LoadHandler)                               \
  V(Map)                                       \
  V(MapCache)                                  \
+  V(MegaDomHandler)                            \
  V(Module)                                    \
  V(Microtask)                                 \
  V(Name)                                      \

--- a/src/objects/objects-body-descriptors-inl.h
+++ b/src/objects/objects-body-descriptors-inl.h
@@ -15,6 +15,7 @@
 #include "src/objects/hash-table.h"
 #include "src/objects/js-collection.h"
 #include "src/objects/js-weak-refs.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/objects-body-descriptors.h"
 #include "src/objects/oddball.h"
 #include "src/objects/ordered-hash-table-inl.h"

--- a/src/objects/objects.cc
+++ b/src/objects/objects.cc
@@ -102,6 +102,7 @@
 #include "src/objects/literal-objects-inl.h"
 #include "src/objects/map-inl.h"
 #include "src/objects/map.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/promise-inl.h"
@@ -2200,6 +2201,10 @@ void Tuple2::BriefPrintDetails(std::ostream& os) {
  os << " " << Brief(value1()) << ", " << Brief(value2());
 }
+void MegaDomHandler::BriefPrintDetails(std::ostream& os) {
+  os << " " << Brief(accessor()) << ", " << Brief(context());
+}
 void ClassPositions::BriefPrintDetails(std::ostream& os) {
  os << " " << start() << ", " << end();
 }

--- a/src/objects/torque-defined-classes.h
+++ b/src/objects/torque-defined-classes.h
@@ -7,6 +7,7 @@
 #include "src/objects/descriptor-array.h"
 #include "src/objects/fixed-array.h"
 #include "src/objects/heap-object.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/objects.h"
 // Has to be the last include (doesn't have include guards):

--- a/src/roots/roots.h
+++ b/src/roots/roots.h
@@ -88,6 +88,7 @@ class Symbol;
  V(Map, fixed_double_array_map, FixedDoubleArrayMap)                          \
  V(Map, global_dictionary_map, GlobalDictionaryMap)                           \
  V(Map, many_closures_cell_map, ManyClosuresCellMap)                          \
+  V(Map, mega_dom_handler_map, MegaDomHandlerMap)                              \
  V(Map, module_info_map, ModuleInfoMap)                                       \
  V(Map, name_dictionary_map, NameDictionaryMap)                               \
  V(Map, no_closures_cell_map, NoClosuresCellMap)                              \
@@ -210,6 +211,7 @@ class Symbol;
  /* Protectors */                                                             \
  V(PropertyCell, array_constructor_protector, ArrayConstructorProtector)      \
  V(PropertyCell, no_elements_protector, NoElementsProtector)                  \
+  V(PropertyCell, mega_dom_protector, MegaDOMProtector)                        \
  V(PropertyCell, is_concat_spreadable_protector, IsConcatSpreadableProtector) \
  V(PropertyCell, array_species_protector, ArraySpeciesProtector)              \
  V(PropertyCell, typed_array_species_protector, TypedArraySpeciesProtector)   \

--- a/test/mjsunit/ic-megadom-2.js
+++ b/test/mjsunit/ic-megadom-2.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --enable-mega-dom-ic --allow-natives-syntax
+function load(obj) {
+  return obj.nodeType;
+}
+%PrepareFunctionForOptimization(load);
+var a = new d8.dom.Div();
+var b = new d8.dom.Div();
+b.b = 1;
+var c = new d8.dom.Div();
+c.c = 1;
+var d = new d8.dom.Div();
+d.d = 1;
+var e = new d8.dom.Div();
+e.e = 1;
+var f = new d8.dom.Div();
+f.f = 1;
+const objs = [
+  a, b, c, d, e, f
+];
+function test() {
+  let result = 0;
+  for (let i = 0; i < objs.length; i++) {
+    result += load(objs[i]);
+  }
+  return result;
+}
+%PrepareFunctionForOptimization(test);
+let result = test();
+assertEquals(6, result);
+assertEquals(load({}), undefined);
+assertEquals(load({ nodeType: 'foo' }), 'foo');
+%OptimizeFunctionOnNextCall(test);
+result = test();
+assertEquals(6, result);
+assertEquals(load({}), undefined)
+assertEquals(load({nodeType: 'foo'}), 'foo')
--- a/test/mjsunit/ic-megadom.js
+++ b/test/mjsunit/ic-megadom.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --enable-mega-dom-ic --allow-natives-syntax
+function load(obj) {
+  return obj.nodeType;
+}
+%PrepareFunctionForOptimization(load);
+var a = new d8.dom.Div();
+var b = new d8.dom.Div();
+b.b = 1;
+var c = new d8.dom.Div();
+c.c = 1;
+var d = new d8.dom.Div();
+d.d = 1;
+var e = new d8.dom.Div();
+e.e = 1;
+var f = new d8.dom.Div();
+f.f = 1;
+const objs = [
+  a, b, c, d, e, f
+];
+function test() {
+  let result = 0;
+  for (let i = 0; i < objs.length; i++) {
+    result += load(objs[i]);
+  }
+  return result;
+}
+%PrepareFunctionForOptimization(test);
+let result = test();
+assertEquals(6, result);
+%OptimizeFunctionOnNextCall(test);
+result = test();
+assertEquals(6, result);
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -132,26 +132,27 @@ INSTANCE_TYPES = {
  168: "INTERNAL_CLASS_TYPE",
  169: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
  170: "MAP_TYPE",
-  171: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
+  171: "MEGA_DOM_HANDLER_TYPE",
-  172: "PREPARSE_DATA_TYPE",
+  172: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
-  173: "PROPERTY_ARRAY_TYPE",
+  173: "PREPARSE_DATA_TYPE",
-  174: "PROPERTY_CELL_TYPE",
+  174: "PROPERTY_ARRAY_TYPE",
-  175: "SCOPE_INFO_TYPE",
+  175: "PROPERTY_CELL_TYPE",
-  176: "SHARED_FUNCTION_INFO_TYPE",
+  176: "SCOPE_INFO_TYPE",
-  177: "SMI_BOX_TYPE",
+  177: "SHARED_FUNCTION_INFO_TYPE",
-  178: "SMI_PAIR_TYPE",
+  178: "SMI_BOX_TYPE",
-  179: "SORT_STATE_TYPE",
+  179: "SMI_PAIR_TYPE",
-  180: "SWISS_NAME_DICTIONARY_TYPE",
+  180: "SORT_STATE_TYPE",
-  181: "WASM_ARRAY_TYPE",
+  181: "SWISS_NAME_DICTIONARY_TYPE",
-  182: "WASM_CAPI_FUNCTION_DATA_TYPE",
+  182: "WASM_ARRAY_TYPE",
-  183: "WASM_STRUCT_TYPE",
+  183: "WASM_CAPI_FUNCTION_DATA_TYPE",
-  184: "WEAK_ARRAY_LIST_TYPE",
+  184: "WASM_STRUCT_TYPE",
-  185: "WEAK_CELL_TYPE",
+  185: "WEAK_ARRAY_LIST_TYPE",
-  186: "JS_PROXY_TYPE",
+  186: "WEAK_CELL_TYPE",
+  187: "JS_PROXY_TYPE",
  1057: "JS_OBJECT_TYPE",
-  187: "JS_GLOBAL_OBJECT_TYPE",
+  188: "JS_GLOBAL_OBJECT_TYPE",
-  188: "JS_GLOBAL_PROXY_TYPE",
+  189: "JS_GLOBAL_PROXY_TYPE",
-  189: "JS_MODULE_NAMESPACE_TYPE",
+  190: "JS_MODULE_NAMESPACE_TYPE",
  1040: "JS_SPECIAL_API_OBJECT_TYPE",
  1041: "JS_PRIMITIVE_WRAPPER_TYPE",
  1042: "JS_ARRAY_ITERATOR_PROTOTYPE_TYPE",
@@ -253,11 +254,11 @@ KNOWN_MAPS = {
  ("read_only_space", 0x02559): (118, "HashTableMap"),
  ("read_only_space", 0x02581): (64, "SymbolMap"),
  ("read_only_space", 0x025a9): (40, "OneByteStringMap"),
-  ("read_only_space", 0x025d1): (175, "ScopeInfoMap"),
+  ("read_only_space", 0x025d1): (176, "ScopeInfoMap"),
-  ("read_only_space", 0x025f9): (176, "SharedFunctionInfoMap"),
+  ("read_only_space", 0x025f9): (177, "SharedFunctionInfoMap"),
  ("read_only_space", 0x02621): (160, "CodeMap"),
  ("read_only_space", 0x02649): (159, "CellMap"),
-  ("read_only_space", 0x02671): (174, "GlobalPropertyCellMap"),
+  ("read_only_space", 0x02671): (175, "GlobalPropertyCellMap"),
  ("read_only_space", 0x02699): (70, "ForeignMap"),
  ("read_only_space", 0x026c1): (158, "TransitionArrayMap"),
  ("read_only_space", 0x026e9): (45, "ThinOneByteStringMap"),
@@ -279,113 +280,114 @@ KNOWN_MAPS = {
  ("read_only_space", 0x02a95): (132, "FixedDoubleArrayMap"),
  ("read_only_space", 0x02abd): (120, "GlobalDictionaryMap"),
  ("read_only_space", 0x02ae5): (98, "ManyClosuresCellMap"),
-  ("read_only_space", 0x02b0d): (117, "ModuleInfoMap"),
+  ("read_only_space", 0x02b0d): (171, "MegaDomHandlerMap"),
-  ("read_only_space", 0x02b35): (121, "NameDictionaryMap"),
+  ("read_only_space", 0x02b35): (117, "ModuleInfoMap"),
-  ("read_only_space", 0x02b5d): (98, "NoClosuresCellMap"),
+  ("read_only_space", 0x02b5d): (121, "NameDictionaryMap"),
-  ("read_only_space", 0x02b85): (122, "NumberDictionaryMap"),
+  ("read_only_space", 0x02b85): (98, "NoClosuresCellMap"),
-  ("read_only_space", 0x02bad): (98, "OneClosureCellMap"),
+  ("read_only_space", 0x02bad): (122, "NumberDictionaryMap"),
-  ("read_only_space", 0x02bd5): (123, "OrderedHashMapMap"),
+  ("read_only_space", 0x02bd5): (98, "OneClosureCellMap"),
-  ("read_only_space", 0x02bfd): (124, "OrderedHashSetMap"),
+  ("read_only_space", 0x02bfd): (123, "OrderedHashMapMap"),
-  ("read_only_space", 0x02c25): (125, "OrderedNameDictionaryMap"),
+  ("read_only_space", 0x02c25): (124, "OrderedHashSetMap"),
-  ("read_only_space", 0x02c4d): (172, "PreparseDataMap"),
+  ("read_only_space", 0x02c4d): (125, "OrderedNameDictionaryMap"),
-  ("read_only_space", 0x02c75): (173, "PropertyArrayMap"),
+  ("read_only_space", 0x02c75): (173, "PreparseDataMap"),
-  ("read_only_space", 0x02c9d): (94, "SideEffectCallHandlerInfoMap"),
+  ("read_only_space", 0x02c9d): (174, "PropertyArrayMap"),
-  ("read_only_space", 0x02cc5): (94, "SideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02cc5): (94, "SideEffectCallHandlerInfoMap"),
-  ("read_only_space", 0x02ced): (94, "NextCallSideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02ced): (94, "SideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02d15): (126, "SimpleNumberDictionaryMap"),
+  ("read_only_space", 0x02d15): (94, "NextCallSideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02d3d): (148, "SmallOrderedHashMapMap"),
+  ("read_only_space", 0x02d3d): (126, "SimpleNumberDictionaryMap"),
-  ("read_only_space", 0x02d65): (149, "SmallOrderedHashSetMap"),
+  ("read_only_space", 0x02d65): (148, "SmallOrderedHashMapMap"),
-  ("read_only_space", 0x02d8d): (150, "SmallOrderedNameDictionaryMap"),
+  ("read_only_space", 0x02d8d): (149, "SmallOrderedHashSetMap"),
-  ("read_only_space", 0x02db5): (153, "SourceTextModuleMap"),
+  ("read_only_space", 0x02db5): (150, "SmallOrderedNameDictionaryMap"),
-  ("read_only_space", 0x02ddd): (180, "SwissNameDictionaryMap"),
+  ("read_only_space", 0x02ddd): (153, "SourceTextModuleMap"),
-  ("read_only_space", 0x02e05): (154, "SyntheticModuleMap"),
+  ("read_only_space", 0x02e05): (181, "SwissNameDictionaryMap"),
-  ("read_only_space", 0x02e2d): (71, "WasmTypeInfoMap"),
+  ("read_only_space", 0x02e2d): (154, "SyntheticModuleMap"),
-  ("read_only_space", 0x02e55): (184, "WeakArrayListMap"),
+  ("read_only_space", 0x02e55): (71, "WasmTypeInfoMap"),
-  ("read_only_space", 0x02e7d): (119, "EphemeronHashTableMap"),
+  ("read_only_space", 0x02e7d): (185, "WeakArrayListMap"),
-  ("read_only_space", 0x02ea5): (163, "EmbedderDataArrayMap"),
+  ("read_only_space", 0x02ea5): (119, "EphemeronHashTableMap"),
-  ("read_only_space", 0x02ecd): (185, "WeakCellMap"),
+  ("read_only_space", 0x02ecd): (163, "EmbedderDataArrayMap"),
-  ("read_only_space", 0x02ef5): (32, "StringMap"),
+  ("read_only_space", 0x02ef5): (186, "WeakCellMap"),
-  ("read_only_space", 0x02f1d): (41, "ConsOneByteStringMap"),
+  ("read_only_space", 0x02f1d): (32, "StringMap"),
-  ("read_only_space", 0x02f45): (33, "ConsStringMap"),
+  ("read_only_space", 0x02f45): (41, "ConsOneByteStringMap"),
-  ("read_only_space", 0x02f6d): (37, "ThinStringMap"),
+  ("read_only_space", 0x02f6d): (33, "ConsStringMap"),
-  ("read_only_space", 0x02f95): (35, "SlicedStringMap"),
+  ("read_only_space", 0x02f95): (37, "ThinStringMap"),
-  ("read_only_space", 0x02fbd): (43, "SlicedOneByteStringMap"),
+  ("read_only_space", 0x02fbd): (35, "SlicedStringMap"),
-  ("read_only_space", 0x02fe5): (34, "ExternalStringMap"),
+  ("read_only_space", 0x02fe5): (43, "SlicedOneByteStringMap"),
-  ("read_only_space", 0x0300d): (42, "ExternalOneByteStringMap"),
+  ("read_only_space", 0x0300d): (34, "ExternalStringMap"),
-  ("read_only_space", 0x03035): (50, "UncachedExternalStringMap"),
+  ("read_only_space", 0x03035): (42, "ExternalOneByteStringMap"),
-  ("read_only_space", 0x0305d): (0, "InternalizedStringMap"),
+  ("read_only_space", 0x0305d): (50, "UncachedExternalStringMap"),
-  ("read_only_space", 0x03085): (2, "ExternalInternalizedStringMap"),
+  ("read_only_space", 0x03085): (0, "InternalizedStringMap"),
-  ("read_only_space", 0x030ad): (10, "ExternalOneByteInternalizedStringMap"),
+  ("read_only_space", 0x030ad): (2, "ExternalInternalizedStringMap"),
-  ("read_only_space", 0x030d5): (18, "UncachedExternalInternalizedStringMap"),
+  ("read_only_space", 0x030d5): (10, "ExternalOneByteInternalizedStringMap"),
-  ("read_only_space", 0x030fd): (26, "UncachedExternalOneByteInternalizedStringMap"),
+  ("read_only_space", 0x030fd): (18, "UncachedExternalInternalizedStringMap"),
-  ("read_only_space", 0x03125): (58, "UncachedExternalOneByteStringMap"),
+  ("read_only_space", 0x03125): (26, "UncachedExternalOneByteInternalizedStringMap"),
-  ("read_only_space", 0x0314d): (67, "SelfReferenceMarkerMap"),
+  ("read_only_space", 0x0314d): (58, "UncachedExternalOneByteStringMap"),
-  ("read_only_space", 0x03175): (67, "BasicBlockCountersMarkerMap"),
+  ("read_only_space", 0x03175): (67, "SelfReferenceMarkerMap"),
-  ("read_only_space", 0x031b9): (87, "ArrayBoilerplateDescriptionMap"),
+  ("read_only_space", 0x0319d): (67, "BasicBlockCountersMarkerMap"),
-  ("read_only_space", 0x032b9): (100, "InterceptorInfoMap"),
+  ("read_only_space", 0x031e1): (87, "ArrayBoilerplateDescriptionMap"),
-  ("read_only_space", 0x05401): (72, "PromiseFulfillReactionJobTaskMap"),
+  ("read_only_space", 0x032e1): (100, "InterceptorInfoMap"),
-  ("read_only_space", 0x05429): (73, "PromiseRejectReactionJobTaskMap"),
+  ("read_only_space", 0x05439): (72, "PromiseFulfillReactionJobTaskMap"),
-  ("read_only_space", 0x05451): (74, "CallableTaskMap"),
+  ("read_only_space", 0x05461): (73, "PromiseRejectReactionJobTaskMap"),
-  ("read_only_space", 0x05479): (75, "CallbackTaskMap"),
+  ("read_only_space", 0x05489): (74, "CallableTaskMap"),
-  ("read_only_space", 0x054a1): (76, "PromiseResolveThenableJobTaskMap"),
+  ("read_only_space", 0x054b1): (75, "CallbackTaskMap"),
-  ("read_only_space", 0x054c9): (79, "FunctionTemplateInfoMap"),
+  ("read_only_space", 0x054d9): (76, "PromiseResolveThenableJobTaskMap"),
-  ("read_only_space", 0x054f1): (80, "ObjectTemplateInfoMap"),
+  ("read_only_space", 0x05501): (79, "FunctionTemplateInfoMap"),
-  ("read_only_space", 0x05519): (81, "AccessCheckInfoMap"),
+  ("read_only_space", 0x05529): (80, "ObjectTemplateInfoMap"),
-  ("read_only_space", 0x05541): (82, "AccessorInfoMap"),
+  ("read_only_space", 0x05551): (81, "AccessCheckInfoMap"),
-  ("read_only_space", 0x05569): (83, "AccessorPairMap"),
+  ("read_only_space", 0x05579): (82, "AccessorInfoMap"),
-  ("read_only_space", 0x05591): (84, "AliasedArgumentsEntryMap"),
+  ("read_only_space", 0x055a1): (83, "AccessorPairMap"),
-  ("read_only_space", 0x055b9): (85, "AllocationMementoMap"),
+  ("read_only_space", 0x055c9): (84, "AliasedArgumentsEntryMap"),
-  ("read_only_space", 0x055e1): (88, "AsmWasmDataMap"),
+  ("read_only_space", 0x055f1): (85, "AllocationMementoMap"),
-  ("read_only_space", 0x05609): (89, "AsyncGeneratorRequestMap"),
+  ("read_only_space", 0x05619): (88, "AsmWasmDataMap"),
-  ("read_only_space", 0x05631): (90, "BaselineDataMap"),
+  ("read_only_space", 0x05641): (89, "AsyncGeneratorRequestMap"),
-  ("read_only_space", 0x05659): (91, "BreakPointMap"),
+  ("read_only_space", 0x05669): (90, "BaselineDataMap"),
-  ("read_only_space", 0x05681): (92, "BreakPointInfoMap"),
+  ("read_only_space", 0x05691): (91, "BreakPointMap"),
-  ("read_only_space", 0x056a9): (93, "CachedTemplateObjectMap"),
+  ("read_only_space", 0x056b9): (92, "BreakPointInfoMap"),
-  ("read_only_space", 0x056d1): (95, "ClassPositionsMap"),
+  ("read_only_space", 0x056e1): (93, "CachedTemplateObjectMap"),
-  ("read_only_space", 0x056f9): (96, "DebugInfoMap"),
+  ("read_only_space", 0x05709): (95, "ClassPositionsMap"),
-  ("read_only_space", 0x05721): (99, "FunctionTemplateRareDataMap"),
+  ("read_only_space", 0x05731): (96, "DebugInfoMap"),
-  ("read_only_space", 0x05749): (101, "InterpreterDataMap"),
+  ("read_only_space", 0x05759): (99, "FunctionTemplateRareDataMap"),
-  ("read_only_space", 0x05771): (102, "ModuleRequestMap"),
+  ("read_only_space", 0x05781): (101, "InterpreterDataMap"),
-  ("read_only_space", 0x05799): (103, "PromiseCapabilityMap"),
+  ("read_only_space", 0x057a9): (102, "ModuleRequestMap"),
-  ("read_only_space", 0x057c1): (104, "PromiseReactionMap"),
+  ("read_only_space", 0x057d1): (103, "PromiseCapabilityMap"),
-  ("read_only_space", 0x057e9): (105, "PropertyDescriptorObjectMap"),
+  ("read_only_space", 0x057f9): (104, "PromiseReactionMap"),
-  ("read_only_space", 0x05811): (106, "PrototypeInfoMap"),
+  ("read_only_space", 0x05821): (105, "PropertyDescriptorObjectMap"),
-  ("read_only_space", 0x05839): (107, "RegExpBoilerplateDescriptionMap"),
+  ("read_only_space", 0x05849): (106, "PrototypeInfoMap"),
-  ("read_only_space", 0x05861): (108, "ScriptMap"),
+  ("read_only_space", 0x05871): (107, "RegExpBoilerplateDescriptionMap"),
-  ("read_only_space", 0x05889): (109, "SourceTextModuleInfoEntryMap"),
+  ("read_only_space", 0x05899): (108, "ScriptMap"),
-  ("read_only_space", 0x058b1): (110, "StackFrameInfoMap"),
+  ("read_only_space", 0x058c1): (109, "SourceTextModuleInfoEntryMap"),
-  ("read_only_space", 0x058d9): (111, "TemplateObjectDescriptionMap"),
+  ("read_only_space", 0x058e9): (110, "StackFrameInfoMap"),
-  ("read_only_space", 0x05901): (112, "Tuple2Map"),
+  ("read_only_space", 0x05911): (111, "TemplateObjectDescriptionMap"),
-  ("read_only_space", 0x05929): (113, "WasmExceptionTagMap"),
+  ("read_only_space", 0x05939): (112, "Tuple2Map"),
-  ("read_only_space", 0x05951): (114, "WasmExportedFunctionDataMap"),
+  ("read_only_space", 0x05961): (113, "WasmExceptionTagMap"),
-  ("read_only_space", 0x05979): (115, "WasmIndirectFunctionTableMap"),
+  ("read_only_space", 0x05989): (114, "WasmExportedFunctionDataMap"),
-  ("read_only_space", 0x059a1): (116, "WasmJSFunctionDataMap"),
+  ("read_only_space", 0x059b1): (115, "WasmIndirectFunctionTableMap"),
-  ("read_only_space", 0x059c9): (134, "SloppyArgumentsElementsMap"),
+  ("read_only_space", 0x059d9): (116, "WasmJSFunctionDataMap"),
-  ("read_only_space", 0x059f1): (151, "DescriptorArrayMap"),
+  ("read_only_space", 0x05a01): (134, "SloppyArgumentsElementsMap"),
-  ("read_only_space", 0x05a19): (156, "UncompiledDataWithoutPreparseDataMap"),
+  ("read_only_space", 0x05a29): (151, "DescriptorArrayMap"),
-  ("read_only_space", 0x05a41): (155, "UncompiledDataWithPreparseDataMap"),
+  ("read_only_space", 0x05a51): (156, "UncompiledDataWithoutPreparseDataMap"),
-  ("read_only_space", 0x05a69): (171, "OnHeapBasicBlockProfilerDataMap"),
+  ("read_only_space", 0x05a79): (155, "UncompiledDataWithPreparseDataMap"),
-  ("read_only_space", 0x05a91): (168, "InternalClassMap"),
+  ("read_only_space", 0x05aa1): (172, "OnHeapBasicBlockProfilerDataMap"),
-  ("read_only_space", 0x05ab9): (178, "SmiPairMap"),
+  ("read_only_space", 0x05ac9): (168, "InternalClassMap"),
-  ("read_only_space", 0x05ae1): (177, "SmiBoxMap"),
+  ("read_only_space", 0x05af1): (179, "SmiPairMap"),
-  ("read_only_space", 0x05b09): (145, "ExportedSubClassBaseMap"),
+  ("read_only_space", 0x05b19): (178, "SmiBoxMap"),
-  ("read_only_space", 0x05b31): (146, "ExportedSubClassMap"),
+  ("read_only_space", 0x05b41): (145, "ExportedSubClassBaseMap"),
-  ("read_only_space", 0x05b59): (68, "AbstractInternalClassSubclass1Map"),
+  ("read_only_space", 0x05b69): (146, "ExportedSubClassMap"),
-  ("read_only_space", 0x05b81): (69, "AbstractInternalClassSubclass2Map"),
+  ("read_only_space", 0x05b91): (68, "AbstractInternalClassSubclass1Map"),
-  ("read_only_space", 0x05ba9): (133, "InternalClassWithSmiElementsMap"),
+  ("read_only_space", 0x05bb9): (69, "AbstractInternalClassSubclass2Map"),
-  ("read_only_space", 0x05bd1): (169, "InternalClassWithStructElementsMap"),
+  ("read_only_space", 0x05be1): (133, "InternalClassWithSmiElementsMap"),
-  ("read_only_space", 0x05bf9): (147, "ExportedSubClass2Map"),
+  ("read_only_space", 0x05c09): (169, "InternalClassWithStructElementsMap"),
-  ("read_only_space", 0x05c21): (179, "SortStateMap"),
+  ("read_only_space", 0x05c31): (147, "ExportedSubClass2Map"),
-  ("read_only_space", 0x05c49): (182, "WasmCapiFunctionDataMap"),
+  ("read_only_space", 0x05c59): (180, "SortStateMap"),
-  ("read_only_space", 0x05c71): (86, "AllocationSiteWithWeakNextMap"),
+  ("read_only_space", 0x05c81): (183, "WasmCapiFunctionDataMap"),
-  ("read_only_space", 0x05c99): (86, "AllocationSiteWithoutWeakNextMap"),
+  ("read_only_space", 0x05ca9): (86, "AllocationSiteWithWeakNextMap"),
-  ("read_only_space", 0x05cc1): (77, "LoadHandler1Map"),
+  ("read_only_space", 0x05cd1): (86, "AllocationSiteWithoutWeakNextMap"),
-  ("read_only_space", 0x05ce9): (77, "LoadHandler2Map"),
+  ("read_only_space", 0x05cf9): (77, "LoadHandler1Map"),
-  ("read_only_space", 0x05d11): (77, "LoadHandler3Map"),
+  ("read_only_space", 0x05d21): (77, "LoadHandler2Map"),
-  ("read_only_space", 0x05d39): (78, "StoreHandler0Map"),
+  ("read_only_space", 0x05d49): (77, "LoadHandler3Map"),
-  ("read_only_space", 0x05d61): (78, "StoreHandler1Map"),
+  ("read_only_space", 0x05d71): (78, "StoreHandler0Map"),
-  ("read_only_space", 0x05d89): (78, "StoreHandler2Map"),
+  ("read_only_space", 0x05d99): (78, "StoreHandler1Map"),
-  ("read_only_space", 0x05db1): (78, "StoreHandler3Map"),
+  ("read_only_space", 0x05dc1): (78, "StoreHandler2Map"),
+  ("read_only_space", 0x05de9): (78, "StoreHandler3Map"),
  ("map_space", 0x02119): (1057, "ExternalMap"),
  ("map_space", 0x02141): (1098, "JSMessageObjectMap"),
 }
@@ -411,32 +413,32 @@ KNOWN_OBJECTS = {
  ("read_only_space", 0x0282d): "TerminationException",
  ("read_only_space", 0x02895): "OptimizedOut",
  ("read_only_space", 0x028f5): "StaleRegister",
-  ("read_only_space", 0x0319d): "EmptyPropertyArray",
+  ("read_only_space", 0x031c5): "EmptyPropertyArray",
-  ("read_only_space", 0x031a5): "EmptyByteArray",
+  ("read_only_space", 0x031cd): "EmptyByteArray",
-  ("read_only_space", 0x031ad): "EmptyObjectBoilerplateDescription",
+  ("read_only_space", 0x031d5): "EmptyObjectBoilerplateDescription",
-  ("read_only_space", 0x031e1): "EmptyArrayBoilerplateDescription",
+  ("read_only_space", 0x03209): "EmptyArrayBoilerplateDescription",
-  ("read_only_space", 0x031ed): "EmptyClosureFeedbackCellArray",
+  ("read_only_space", 0x03215): "EmptyClosureFeedbackCellArray",
-  ("read_only_space", 0x031f5): "EmptySlowElementDictionary",
+  ("read_only_space", 0x0321d): "EmptySlowElementDictionary",
-  ("read_only_space", 0x03219): "EmptyOrderedHashMap",
+  ("read_only_space", 0x03241): "EmptyOrderedHashMap",
-  ("read_only_space", 0x0322d): "EmptyOrderedHashSet",
+  ("read_only_space", 0x03255): "EmptyOrderedHashSet",
-  ("read_only_space", 0x03241): "EmptyFeedbackMetadata",
+  ("read_only_space", 0x03269): "EmptyFeedbackMetadata",
-  ("read_only_space", 0x0324d): "EmptyPropertyDictionary",
+  ("read_only_space", 0x03275): "EmptyPropertyDictionary",
-  ("read_only_space", 0x03275): "EmptyOrderedPropertyDictionary",
+  ("read_only_space", 0x0329d): "EmptyOrderedPropertyDictionary",
-  ("read_only_space", 0x0328d): "EmptySwissPropertyDictionary",
+  ("read_only_space", 0x032b5): "EmptySwissPropertyDictionary",
-  ("read_only_space", 0x032e1): "NoOpInterceptorInfo",
+  ("read_only_space", 0x03309): "NoOpInterceptorInfo",
-  ("read_only_space", 0x03309): "EmptyWeakArrayList",
+  ("read_only_space", 0x03331): "EmptyWeakArrayList",
-  ("read_only_space", 0x03315): "InfinityValue",
+  ("read_only_space", 0x0333d): "InfinityValue",
-  ("read_only_space", 0x03321): "MinusZeroValue",
+  ("read_only_space", 0x03349): "MinusZeroValue",
-  ("read_only_space", 0x0332d): "MinusInfinityValue",
+  ("read_only_space", 0x03355): "MinusInfinityValue",
-  ("read_only_space", 0x03339): "SelfReferenceMarker",
+  ("read_only_space", 0x03361): "SelfReferenceMarker",
-  ("read_only_space", 0x03379): "BasicBlockCountersMarker",
+  ("read_only_space", 0x033a1): "BasicBlockCountersMarker",
-  ("read_only_space", 0x033bd): "OffHeapTrampolineRelocationInfo",
+  ("read_only_space", 0x033e5): "OffHeapTrampolineRelocationInfo",
-  ("read_only_space", 0x033c9): "TrampolineTrivialCodeDataContainer",
+  ("read_only_space", 0x033f1): "TrampolineTrivialCodeDataContainer",
-  ("read_only_space", 0x033d5): "TrampolinePromiseRejectionCodeDataContainer",
+  ("read_only_space", 0x033fd): "TrampolinePromiseRejectionCodeDataContainer",
-  ("read_only_space", 0x033e1): "GlobalThisBindingScopeInfo",
+  ("read_only_space", 0x03409): "GlobalThisBindingScopeInfo",
-  ("read_only_space", 0x03415): "EmptyFunctionScopeInfo",
+  ("read_only_space", 0x0343d): "EmptyFunctionScopeInfo",
-  ("read_only_space", 0x03439): "NativeScopeInfo",
+  ("read_only_space", 0x03461): "NativeScopeInfo",
-  ("read_only_space", 0x03451): "HashSeed",
+  ("read_only_space", 0x03479): "HashSeed",
  ("old_space", 0x02119): "ArgumentsIteratorAccessor",
  ("old_space", 0x0215d): "ArrayLengthAccessor",
  ("old_space", 0x021a1): "BoundFunctionLengthAccessor",
@@ -453,45 +455,46 @@ KNOWN_OBJECTS = {
  ("old_space", 0x0244d): "ManyClosuresCell",
  ("old_space", 0x02459): "ArrayConstructorProtector",
  ("old_space", 0x0246d): "NoElementsProtector",
-  ("old_space", 0x02481): "IsConcatSpreadableProtector",
+  ("old_space", 0x02481): "MegaDOMProtector",
-  ("old_space", 0x02495): "ArraySpeciesProtector",
+  ("old_space", 0x02495): "IsConcatSpreadableProtector",
-  ("old_space", 0x024a9): "TypedArraySpeciesProtector",
+  ("old_space", 0x024a9): "ArraySpeciesProtector",
-  ("old_space", 0x024bd): "PromiseSpeciesProtector",
+  ("old_space", 0x024bd): "TypedArraySpeciesProtector",
-  ("old_space", 0x024d1): "RegExpSpeciesProtector",
+  ("old_space", 0x024d1): "PromiseSpeciesProtector",
-  ("old_space", 0x024e5): "StringLengthProtector",
+  ("old_space", 0x024e5): "RegExpSpeciesProtector",
-  ("old_space", 0x024f9): "ArrayIteratorProtector",
+  ("old_space", 0x024f9): "StringLengthProtector",
-  ("old_space", 0x0250d): "ArrayBufferDetachingProtector",
+  ("old_space", 0x0250d): "ArrayIteratorProtector",
-  ("old_space", 0x02521): "PromiseHookProtector",
+  ("old_space", 0x02521): "ArrayBufferDetachingProtector",
-  ("old_space", 0x02535): "PromiseResolveProtector",
+  ("old_space", 0x02535): "PromiseHookProtector",
-  ("old_space", 0x02549): "MapIteratorProtector",
+  ("old_space", 0x02549): "PromiseResolveProtector",
-  ("old_space", 0x0255d): "PromiseThenProtector",
+  ("old_space", 0x0255d): "MapIteratorProtector",
-  ("old_space", 0x02571): "SetIteratorProtector",
+  ("old_space", 0x02571): "PromiseThenProtector",
-  ("old_space", 0x02585): "StringIteratorProtector",
+  ("old_space", 0x02585): "SetIteratorProtector",
-  ("old_space", 0x02599): "SingleCharacterStringCache",
+  ("old_space", 0x02599): "StringIteratorProtector",
-  ("old_space", 0x029a1): "StringSplitCache",
+  ("old_space", 0x025ad): "SingleCharacterStringCache",
-  ("old_space", 0x02da9): "RegExpMultipleCache",
+  ("old_space", 0x029b5): "StringSplitCache",
-  ("old_space", 0x031b1): "BuiltinsConstantsTable",
+  ("old_space", 0x02dbd): "RegExpMultipleCache",
-  ("old_space", 0x035b1): "AsyncFunctionAwaitRejectSharedFun",
+  ("old_space", 0x031c5): "BuiltinsConstantsTable",
-  ("old_space", 0x035d5): "AsyncFunctionAwaitResolveSharedFun",
+  ("old_space", 0x035c5): "AsyncFunctionAwaitRejectSharedFun",
-  ("old_space", 0x035f9): "AsyncGeneratorAwaitRejectSharedFun",
+  ("old_space", 0x035e9): "AsyncFunctionAwaitResolveSharedFun",
-  ("old_space", 0x0361d): "AsyncGeneratorAwaitResolveSharedFun",
+  ("old_space", 0x0360d): "AsyncGeneratorAwaitRejectSharedFun",
-  ("old_space", 0x03641): "AsyncGeneratorYieldResolveSharedFun",
+  ("old_space", 0x03631): "AsyncGeneratorAwaitResolveSharedFun",
-  ("old_space", 0x03665): "AsyncGeneratorReturnResolveSharedFun",
+  ("old_space", 0x03655): "AsyncGeneratorYieldResolveSharedFun",
-  ("old_space", 0x03689): "AsyncGeneratorReturnClosedRejectSharedFun",
+  ("old_space", 0x03679): "AsyncGeneratorReturnResolveSharedFun",
-  ("old_space", 0x036ad): "AsyncGeneratorReturnClosedResolveSharedFun",
+  ("old_space", 0x0369d): "AsyncGeneratorReturnClosedRejectSharedFun",
-  ("old_space", 0x036d1): "AsyncIteratorValueUnwrapSharedFun",
+  ("old_space", 0x036c1): "AsyncGeneratorReturnClosedResolveSharedFun",
-  ("old_space", 0x036f5): "PromiseAllResolveElementSharedFun",
+  ("old_space", 0x036e5): "AsyncIteratorValueUnwrapSharedFun",
-  ("old_space", 0x03719): "PromiseAllSettledResolveElementSharedFun",
+  ("old_space", 0x03709): "PromiseAllResolveElementSharedFun",
-  ("old_space", 0x0373d): "PromiseAllSettledRejectElementSharedFun",
+  ("old_space", 0x0372d): "PromiseAllSettledResolveElementSharedFun",
-  ("old_space", 0x03761): "PromiseAnyRejectElementSharedFun",
+  ("old_space", 0x03751): "PromiseAllSettledRejectElementSharedFun",
-  ("old_space", 0x03785): "PromiseCapabilityDefaultRejectSharedFun",
+  ("old_space", 0x03775): "PromiseAnyRejectElementSharedFun",
-  ("old_space", 0x037a9): "PromiseCapabilityDefaultResolveSharedFun",
+  ("old_space", 0x03799): "PromiseCapabilityDefaultRejectSharedFun",
-  ("old_space", 0x037cd): "PromiseCatchFinallySharedFun",
+  ("old_space", 0x037bd): "PromiseCapabilityDefaultResolveSharedFun",
-  ("old_space", 0x037f1): "PromiseGetCapabilitiesExecutorSharedFun",
+  ("old_space", 0x037e1): "PromiseCatchFinallySharedFun",
-  ("old_space", 0x03815): "PromiseThenFinallySharedFun",
+  ("old_space", 0x03805): "PromiseGetCapabilitiesExecutorSharedFun",
-  ("old_space", 0x03839): "PromiseThrowerFinallySharedFun",
+  ("old_space", 0x03829): "PromiseThenFinallySharedFun",
-  ("old_space", 0x0385d): "PromiseValueThunkFinallySharedFun",
+  ("old_space", 0x0384d): "PromiseThrowerFinallySharedFun",
-  ("old_space", 0x03881): "ProxyRevokeSharedFun",
+  ("old_space", 0x03871): "PromiseValueThunkFinallySharedFun",
+  ("old_space", 0x03895): "ProxyRevokeSharedFun",
 }
 # Lower 32 bits of first page addresses for various heap spaces.