Reland "[ic] Add a new MegaDOM IC"

This is a reland of c83c9590

Changes since revert: nothing, issue was crbug.com/v8/11666

Original change's description:
> [ic] Add a new MegaDOM IC
>
> This patch implements the MegaDOM IC setup and access. A new MegaDOM
> IC state indicates that we've seen only DOM accessors at this access
> site.
>
> This CL only adds support for DOM getters in LoadIC, other kinds of
> access will be added in follow on CLs.
>
> Still remaining TODO before shipping:
> 1. Have a mechanism to invalidate the protector
> 2. Have a mechanism to find the accessors that aren't overloaded
> 3. Use a new builtin to miss to runtime on access check failure
>
> Change-Id: Ie12efe5e9fa284f023043b996d61e7d74e710ee2
> Bug: v8:11321
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2618239
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Dan Elphick <delphick@chromium.org>
> Reviewed-by: Mythri Alle <mythria@chromium.org>
> Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#73733}

Bug: v8:11321
Change-Id: I2bec54465542b5b40c42adb6eb12b6ce72cce5bd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794439Reviewed-by: Dan Elphick <delphick@chromium.org>
Reviewed-by: Mythri Alle <mythria@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Sathya Gunasekaran  <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74056}

BUILD.gn

@@ -1284,6 +1284,8 @@ action("postmortem-metadata") {
     "src/objects/map.cc",
     "src/objects/map.h",
     "src/objects/map-inl.h",
+    "src/objects/megadom-handler.h",
+    "src/objects/megadom-handler-inl.h",
     "src/objects/name.h",
     "src/objects/name-inl.h",
     "src/objects/objects.h",
@@ -1472,6 +1474,7 @@ torque_files = [
   "src/objects/js-weak-refs.tq",
   "src/objects/literal-objects.tq",
   "src/objects/map.tq",
+  "src/objects/megadom-handler.tq",
   "src/objects/microtask.tq",
   "src/objects/module.tq",
   "src/objects/name.tq",
@@ -2835,6 +2838,8 @@ v8_header_set("v8_internal_headers") {
     "src/objects/map.h",
     "src/objects/maybe-object-inl.h",
     "src/objects/maybe-object.h",
+    "src/objects/megadom-handler-inl.h",
+    "src/objects/megadom-handler.h",
     "src/objects/microtask-inl.h",
     "src/objects/microtask.h",
     "src/objects/module-inl.h",

include/v8.h

@@ -8534,6 +8534,7 @@ class V8_EXPORT Isolate {
     kWasmBulkMemory = 109,  // Unused.
     kWasmMultiValue = 110,
     kWasmExceptionHandling = 111,
+    kInvalidatedMegaDOMProtector = 112,
 
     // If you add new values here, you'll also need to update Chromium's:
     // web_feature.mojom, use_counter_callback.cc, and enums.xml. V8 changes to

src/codegen/code-stub-assembler.cc

@@ -6064,6 +6064,13 @@ TNode<BoolT> CodeStubAssembler::IsNoElementsProtectorCellInvalid() {
   return TaggedEqual(cell_value, invalid);
 }
 
+TNode<BoolT> CodeStubAssembler::IsMegaDOMProtectorCellInvalid() {
+  TNode<Smi> invalid = SmiConstant(Protectors::kProtectorInvalid);
+  TNode<PropertyCell> cell = MegaDOMProtectorConstant();
+  TNode<Object> cell_value = LoadObjectField(cell, PropertyCell::kValueOffset);
+  return TaggedEqual(cell_value, invalid);
+}
+
 TNode<BoolT> CodeStubAssembler::IsArrayIteratorProtectorCellInvalid() {
   TNode<Smi> invalid = SmiConstant(Protectors::kProtectorInvalid);
   TNode<PropertyCell> cell = ArrayIteratorProtectorConstant();
@@ -6313,14 +6320,27 @@ TNode<BoolT> CodeStubAssembler::IsJSObjectInstanceType(
                                  Int32Constant(FIRST_JS_OBJECT_TYPE));
 }
 
+TNode<BoolT> CodeStubAssembler::IsJSApiObjectInstanceType(
+    TNode<Int32T> instance_type) {
+  return InstanceTypeEqual(instance_type, JS_API_OBJECT_TYPE);
+}
+
 TNode<BoolT> CodeStubAssembler::IsJSObjectMap(TNode<Map> map) {
   return IsJSObjectInstanceType(LoadMapInstanceType(map));
 }
 
+TNode<BoolT> CodeStubAssembler::IsJSApiObjectMap(TNode<Map> map) {
+  return IsJSApiObjectInstanceType(LoadMapInstanceType(map));
+}
+
 TNode<BoolT> CodeStubAssembler::IsJSObject(TNode<HeapObject> object) {
   return IsJSObjectMap(LoadMap(object));
 }
 
+TNode<BoolT> CodeStubAssembler::IsJSApiObject(TNode<HeapObject> object) {
+  return IsJSApiObjectMap(LoadMap(object));
+}
+
 TNode<BoolT> CodeStubAssembler::IsJSFinalizationRegistryMap(TNode<Map> map) {
   return InstanceTypeEqual(LoadMapInstanceType(map),
                            JS_FINALIZATION_REGISTRY_TYPE);

src/codegen/code-stub-assembler.h

@@ -67,6 +67,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
     AsyncIteratorValueUnwrapSharedFun)                                         \
   V(MapIteratorProtector, map_iterator_protector, MapIteratorProtector)        \
   V(NoElementsProtector, no_elements_protector, NoElementsProtector)           \
+  V(MegaDOMProtector, mega_dom_protector, MegaDOMProtector)                    \
   V(NumberStringCache, number_string_cache, NumberStringCache)                 \
   V(PromiseAllResolveElementSharedFun, promise_all_resolve_element_shared_fun, \
     PromiseAllResolveElementSharedFun)                                         \
@@ -157,6 +158,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
   V(ManyClosuresCellMap, many_closures_cell_map, ManyClosuresCellMap)        \
   V(match_symbol, match_symbol, MatchSymbol)                                 \
   V(megamorphic_symbol, megamorphic_symbol, MegamorphicSymbol)               \
+  V(mega_dom_symbol, mega_dom_symbol, MegaDOMSymbol)                         \
   V(message_string, message_string, MessageString)                           \
   V(minus_Infinity_string, minus_Infinity_string, MinusInfinityString)       \
   V(MinusZeroValue, minus_zero_value, MinusZero)                             \
@@ -2370,6 +2372,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
   // JSProxy or an object with interceptors.
   TNode<BoolT> InstanceTypeEqual(TNode<Int32T> instance_type, int type);
   TNode<BoolT> IsNoElementsProtectorCellInvalid();
+  TNode<BoolT> IsMegaDOMProtectorCellInvalid();
   TNode<BoolT> IsArrayIteratorProtectorCellInvalid();
   TNode<BoolT> IsBigIntInstanceType(TNode<Int32T> instance_type);
   TNode<BoolT> IsBigInt(TNode<HeapObject> object);
@@ -2419,6 +2422,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
   TNode<BoolT> IsJSObjectInstanceType(TNode<Int32T> instance_type);
   TNode<BoolT> IsJSObjectMap(TNode<Map> map);
   TNode<BoolT> IsJSObject(TNode<HeapObject> object);
+  TNode<BoolT> IsJSApiObjectInstanceType(TNode<Int32T> instance_type);
+  TNode<BoolT> IsJSApiObjectMap(TNode<Map> map);
+  TNode<BoolT> IsJSApiObject(TNode<HeapObject> object);
   TNode<BoolT> IsJSFinalizationRegistryMap(TNode<Map> map);
   TNode<BoolT> IsJSFinalizationRegistry(TNode<HeapObject> object);
   TNode<BoolT> IsJSPromiseMap(TNode<Map> map);

src/common/globals.h

@@ -881,6 +881,8 @@ enum InlineCacheState {
   RECOMPUTE_HANDLER,
   // Multiple receiver types have been seen.
   POLYMORPHIC,
+  // Many DOM receiver types have been seen for the same accessor.
+  MEGADOM,
   // Many receiver types have been seen.
   MEGAMORPHIC,
   // A generic handler is installed and no extra typefeedback is recorded.
@@ -902,6 +904,8 @@ inline const char* InlineCacheState2String(InlineCacheState state) {
       return "POLYMORPHIC";
     case MEGAMORPHIC:
       return "MEGAMORPHIC";
+    case MEGADOM:
+      return "MEGADOM";
     case GENERIC:
       return "GENERIC";
   }

src/d8/d8.cc

@@ -2563,6 +2563,33 @@ Local<String> Shell::Stringify(Isolate* isolate, Local<Value> value) {
   return result.ToLocalChecked().As<String>();
 }
 
+void Shell::NodeTypeCallback(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  v8::Isolate* isolate = args.GetIsolate();
+  args.GetReturnValue().Set(v8::Number::New(isolate, 1));
+}
+
+Local<FunctionTemplate> Shell::CreateNodeTemplates(Isolate* isolate) {
+  Local<FunctionTemplate> node = FunctionTemplate::New(isolate);
+  Local<ObjectTemplate> proto_template = node->PrototypeTemplate();
+  Local<Signature> signature = v8::Signature::New(isolate, node);
+  Local<FunctionTemplate> nodeType = FunctionTemplate::New(
+      isolate, NodeTypeCallback, Local<Value>(), signature);
+  nodeType->SetAcceptAnyReceiver(false);
+  proto_template->SetAccessorProperty(
+      String::NewFromUtf8Literal(isolate, "nodeType"), nodeType);
+
+  Local<FunctionTemplate> element = FunctionTemplate::New(isolate);
+  element->Inherit(node);
+
+  Local<FunctionTemplate> html_element = FunctionTemplate::New(isolate);
+  html_element->Inherit(element);
+
+  Local<FunctionTemplate> div_element = FunctionTemplate::New(isolate);
+  div_element->Inherit(html_element);
+
+  return div_element;
+}
+
 Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
   global_template->Set(Symbol::GetToStringTag(isolate),
@@ -2594,6 +2621,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "performance",
                        Shell::CreatePerformanceTemplate(isolate));
   global_template->Set(isolate, "Worker", Shell::CreateWorkerTemplate(isolate));
+
   // Prevent fuzzers from creating side effects.
   if (!i::FLAG_fuzzing) {
     global_template->Set(isolate, "os", Shell::CreateOSTemplate(isolate));
@@ -2722,6 +2750,10 @@ Local<ObjectTemplate> Shell::CreateD8Template(Isolate* isolate) {
                       FunctionTemplate::New(isolate, LogGetAndStop));
 
     d8_template->Set(isolate, "log", log_template);
+
+    Local<ObjectTemplate> dom_template = ObjectTemplate::New(isolate);
+    dom_template->Set(isolate, "Div", Shell::CreateNodeTemplates(isolate));
+    d8_template->Set(isolate, "dom", dom_template);
   }
   {
     Local<ObjectTemplate> test_template = ObjectTemplate::New(isolate);

src/d8/d8.h

@@ -626,6 +626,9 @@ class Shell : public i::AllStatic {
   static void RunShell(Isolate* isolate);
   static bool SetOptions(int argc, char* argv[]);
 
+  static void NodeTypeCallback(const v8::FunctionCallbackInfo<v8::Value>& args);
+
+  static Local<FunctionTemplate> CreateNodeTemplates(Isolate* isolate);
   static Local<ObjectTemplate> CreateGlobalTemplate(Isolate* isolate);
   static Local<ObjectTemplate> CreateOSTemplate(Isolate* isolate);
   static Local<FunctionTemplate> CreateWorkerTemplate(Isolate* isolate);

src/diagnostics/objects-debug.cc

@@ -61,6 +61,7 @@
 #include "src/objects/js-weak-refs-inl.h"
 #include "src/objects/literal-objects-inl.h"
 #include "src/objects/maybe-object.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/oddball-inl.h"

src/execution/protectors.h

@@ -26,6 +26,8 @@ class Protectors : public AllStatic {
     is_concat_spreadable_protector)                                           \
   V(NoElements, NoElementsProtector, no_elements_protector)                   \
                                                                               \
+  V(MegaDOM, MegaDOMProtector, mega_dom_protector)                            \
+                                                                              \
   /* The MapIterator protector protects the original iteration behaviors   */ \
   /* of Map.prototype.keys(), Map.prototype.values(), and                  */ \
   /* Set.prototype.entries(). It does not protect the original iteration   */ \

src/flags/flag-definitions.h

@@ -1468,6 +1468,8 @@ DEFINE_BOOL(native_code_counters, DEBUG_BOOL,
 
 DEFINE_BOOL(super_ic, true, "use an IC for super property loads")
 
+DEFINE_BOOL(enable_mega_dom_ic, false, "use MegaDOM IC state for API objects")
+
 // objects.cc
 DEFINE_BOOL(thin_strings, true, "Enable ThinString support")
 DEFINE_BOOL(trace_prototype_users, false,

src/heap/factory.cc

@@ -53,6 +53,7 @@
 #include "src/objects/js-regexp-inl.h"
 #include "src/objects/js-weak-refs-inl.h"
 #include "src/objects/literal-objects-inl.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/promise-inl.h"
@@ -3137,6 +3138,16 @@ Handle<Map> Factory::ObjectLiteralMapFromCache(Handle<NativeContext> context,
   return map;
 }
 
+Handle<MegaDomHandler> Factory::NewMegaDomHandler(MaybeObjectHandle accessor,
+                                                  MaybeObjectHandle context) {
+  Handle<Map> map = read_only_roots().mega_dom_handler_map_handle();
+  MegaDomHandler handler = MegaDomHandler::cast(New(map, AllocationType::kOld));
+  DisallowGarbageCollection no_gc;
+  handler.set_accessor(*accessor);
+  handler.set_context(*context);
+  return handle(handler, isolate());
+}
+
 Handle<LoadHandler> Factory::NewLoadHandler(int data_count,
                                             AllocationType allocation) {
   Handle<Map> map;

src/heap/factory.h

@@ -732,7 +732,8 @@ class V8_EXPORT_PRIVATE Factory : public FactoryBase<Factory> {
   Handle<LoadHandler> NewLoadHandler(
       int data_count, AllocationType allocation = AllocationType::kOld);
   Handle<StoreHandler> NewStoreHandler(int data_count);
-
+  Handle<MegaDomHandler> NewMegaDomHandler(MaybeObjectHandle accessor,
+                                           MaybeObjectHandle context);
   Handle<RegExpMatchInfo> NewRegExpMatchInfo();
 
   // Creates a new FixedArray that holds the data associated with the

src/heap/setup-heap-internal.cc

@@ -381,6 +381,7 @@ bool Heap::CreateInitialMaps() {
     ALLOCATE_PRIMITIVE_MAP(SYMBOL_TYPE, Symbol::kSize, symbol,
                            Context::SYMBOL_FUNCTION_INDEX)
     ALLOCATE_MAP(FOREIGN_TYPE, Foreign::kSize, foreign)
+    ALLOCATE_MAP(MEGA_DOM_HANDLER_TYPE, MegaDomHandler::kSize, mega_dom_handler)
 
     ALLOCATE_PRIMITIVE_MAP(ODDBALL_TYPE, Oddball::kSize, boolean,
                            Context::BOOLEAN_FUNCTION_INDEX);
@@ -864,6 +865,7 @@ void Heap::CreateInitialObjects() {
   set_is_concat_spreadable_protector(*factory->NewProtector());
   set_map_iterator_protector(*factory->NewProtector());
   set_no_elements_protector(*factory->NewProtector());
+  set_mega_dom_protector(*factory->NewProtector());
   set_promise_hook_protector(*factory->NewProtector());
   set_promise_resolve_protector(*factory->NewProtector());
   set_promise_species_protector(*factory->NewProtector());

src/ic/accessor-assembler.cc

@@ -17,6 +17,7 @@
 #include "src/objects/cell.h"
 #include "src/objects/foreign.h"
 #include "src/objects/heap-number.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/module.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/property-details.h"
@@ -135,6 +136,55 @@ void AccessorAssembler::HandlePolymorphicCase(
   }
 }
 
+void AccessorAssembler::TryMegaDOMCase(TNode<Object> lookup_start_object,
+                                       TNode<Map> lookup_start_object_map,
+                                       TVariable<MaybeObject>* var_handler,
+                                       TNode<Object> vector,
+                                       TNode<TaggedIndex> slot, Label* miss,
+                                       ExitPoint* exit_point) {
+  // Check if the receiver is a JS_API_OBJECT
+  GotoIfNot(IsJSApiObjectMap(lookup_start_object_map), miss);
+
+  // Check if receiver requires access check
+  GotoIf(IsSetWord32<Map::Bits1::IsAccessCheckNeededBit>(
+             LoadMapBitField(lookup_start_object_map)),
+         miss);
+
+  CSA_ASSERT(this, TaggedEqual(LoadFeedbackVectorSlot(CAST(vector), slot),
+                               MegaDOMSymbolConstant()));
+
+  // In some cases, we load the
+  TNode<MegaDomHandler> handler;
+  if (var_handler->IsBound()) {
+    handler = CAST(var_handler->value());
+  } else {
+    TNode<MaybeObject> maybe_handler =
+        LoadFeedbackVectorSlot(CAST(vector), slot, kTaggedSize);
+    CSA_ASSERT(this, IsStrong(maybe_handler));
+    handler = CAST(maybe_handler);
+  }
+
+  // Check if dom protector cell is still valid
+  GotoIf(IsMegaDOMProtectorCellInvalid(), miss);
+
+  // Load the getter
+  TNode<MaybeObject> maybe_getter = LoadMegaDomHandlerAccessor(handler);
+  CSA_ASSERT(this, IsWeakOrCleared(maybe_getter));
+  TNode<FunctionTemplateInfo> getter =
+      CAST(GetHeapObjectAssumeWeak(maybe_getter, miss));
+
+  // Load the accessor context
+  TNode<MaybeObject> maybe_context = LoadMegaDomHandlerContext(handler);
+  CSA_ASSERT(this, IsWeakOrCleared(maybe_context));
+  TNode<Context> context = CAST(GetHeapObjectAssumeWeak(maybe_context, miss));
+
+  // TODO(gsathya): This builtin throws an exception on interface check fail but
+  // we should miss to the runtime.
+  exit_point->Return(
+      CallBuiltin(Builtins::kCallFunctionTemplate_CheckCompatibleReceiver,
+                  context, getter, IntPtrConstant(0), lookup_start_object));
+}
+
 void AccessorAssembler::HandleLoadICHandlerCase(
     const LazyLoadICParameters* p, TNode<Object> handler, Label* miss,
     ExitPoint* exit_point, ICMode ic_mode, OnNonExistent on_nonexistent,
@@ -2864,11 +2914,23 @@ void AccessorAssembler::LoadIC_Noninlined(const LoadICParameters* p,
   DCHECK_EQ(MachineRepresentation::kTagged, var_handler->rep());
 
   {
-    // Check megamorphic case.
-    GotoIfNot(TaggedEqual(feedback, MegamorphicSymbolConstant()), miss);
+    Label try_megamorphic(this), try_megadom(this);
+    GotoIf(TaggedEqual(feedback, MegamorphicSymbolConstant()),
+           &try_megamorphic);
+    GotoIf(TaggedEqual(feedback, MegaDOMSymbolConstant()), &try_megadom);
+    Goto(miss);
+
+    BIND(&try_megamorphic);
+    {
+      TryProbeStubCache(isolate()->load_stub_cache(), p->lookup_start_object(),
+                        CAST(p->name()), if_handler, var_handler, miss);
+    }
 
-    TryProbeStubCache(isolate()->load_stub_cache(), p->lookup_start_object(),
-                      CAST(p->name()), if_handler, var_handler, miss);
+    BIND(&try_megadom);
+    {
+      TryMegaDOMCase(p->lookup_start_object(), lookup_start_object_map,
+                     var_handler, p->vector(), p->slot(), miss, exit_point);
+    }
   }
 }
 

src/ic/accessor-assembler.h

@@ -311,6 +311,12 @@ class V8_EXPORT_PRIVATE AccessorAssembler : public CodeStubAssembler {
                              TVariable<MaybeObject>* var_handler,
                              Label* if_miss);
 
+  void TryMegaDOMCase(TNode<Object> lookup_start_object,
+                      TNode<Map> lookup_start_object_map,
+                      TVariable<MaybeObject>* var_handler, TNode<Object> vector,
+                      TNode<TaggedIndex> slot, Label* miss,
+                      ExitPoint* exit_point);
+
   // LoadIC implementation.
   void HandleLoadICHandlerCase(
       const LazyLoadICParameters* p, TNode<Object> handler, Label* miss,

src/ic/call-optimization.cc

@@ -11,6 +11,7 @@ namespace internal {
 CallOptimization::CallOptimization(Isolate* isolate, Handle<Object> function) {
   constant_function_ = Handle<JSFunction>::null();
   is_simple_api_call_ = false;
+  accept_any_receiver_ = false;
   expected_receiver_type_ = Handle<FunctionTemplateInfo>::null();
   api_call_info_ = Handle<CallHandlerInfo>::null();
   if (function->IsJSFunction()) {
@@ -98,6 +99,7 @@ void CallOptimization::Initialize(
         handle(FunctionTemplateInfo::cast(signature), isolate);
   }
   is_simple_api_call_ = true;
+  accept_any_receiver_ = function_template_info->accept_any_receiver();
 }
 
 void CallOptimization::Initialize(Isolate* isolate,
@@ -125,6 +127,7 @@ void CallOptimization::AnalyzePossibleApiFunction(Isolate* isolate,
   }
 
   is_simple_api_call_ = true;
+  accept_any_receiver_ = info->accept_any_receiver();
 }
 }  // namespace internal
 }  // namespace v8

src/ic/call-optimization.h

@@ -20,6 +20,10 @@ class CallOptimization {
                                       Map holder_map) const;
 
   bool is_constant_call() const { return !constant_function_.is_null(); }
+  bool accept_any_receiver() const { return accept_any_receiver_; }
+  bool requires_signature_check() const {
+    return !expected_receiver_type_.is_null();
+  }
 
   Handle<JSFunction> constant_function() const {
     DCHECK(is_constant_call());
@@ -56,9 +60,13 @@ class CallOptimization {
                                   Handle<JSFunction> function);
 
   Handle<JSFunction> constant_function_;
-  bool is_simple_api_call_;
   Handle<FunctionTemplateInfo> expected_receiver_type_;
   Handle<CallHandlerInfo> api_call_info_;
+
+  // TODO(gsathya): Change these to be a bitfield and do a single fast check
+  // rather than two checks.
+  bool is_simple_api_call_;
+  bool accept_any_receiver_;
 };
 }  // namespace internal
 }  // namespace v8

src/ic/ic.cc

@@ -33,6 +33,7 @@
 #include "src/objects/heap-number-inl.h"
 #include "src/objects/js-array-buffer-inl.h"
 #include "src/objects/js-array-inl.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/prototype.h"
 #include "src/objects/struct-inl.h"
@@ -59,6 +60,8 @@ char IC::TransitionMarkFromState(IC::State state) {
       return 'P';
     case MEGAMORPHIC:
       return 'N';
+    case MEGADOM:
+      return 'D';
     case GENERIC:
       return 'G';
   }
@@ -566,6 +569,55 @@ static bool AddOneReceiverMapIfMissing(
   return true;
 }
 
+bool IC::UpdateMegaDOMIC(const MaybeObjectHandle& handler, Handle<Name> name) {
+  if (!FLAG_enable_mega_dom_ic) return false;
+
+  // TODO(gsathya): Enable fuzzing once this feature is more stable.
+  if (FLAG_fuzzing) return false;
+
+  // TODO(gsathya): Support KeyedLoadIC, StoreIC and KeyedStoreIC.
+  if (!IsLoadIC()) return false;
+
+  // Check if DOM protector cell is valid.
+  if (!Protectors::IsMegaDOMIntact(isolate())) return false;
+
+  // Check if current lookup object is an API object
+  Handle<Map> map = lookup_start_object_map();
+  if (!InstanceTypeChecker::IsJSApiObject(map->instance_type())) return false;
+
+  Handle<Object> accessor_obj;
+  // TODO(gsathya): Check if there are overloads possible for this accessor and
+  // transition only if it isn't possible.
+  if (!accessor().ToHandle(&accessor_obj)) return false;
+
+  // TODO(gsathya): This is also created in IC::ComputeHandler, find a way to
+  // reuse it here.
+  CallOptimization call_optimization(isolate(), accessor_obj);
+
+  // Check if accessor is an API function
+  if (!call_optimization.is_simple_api_call()) return false;
+
+  // Check if accessor requires access checks
+  if (call_optimization.accept_any_receiver()) return false;
+
+  // Check if accessor requires signature checks
+  if (!call_optimization.requires_signature_check()) return false;
+
+  // Check if the receiver is the holder
+  CallOptimization::HolderLookup holder_lookup;
+  call_optimization.LookupHolderOfExpectedType(map, &holder_lookup);
+  if (holder_lookup != CallOptimization::kHolderIsReceiver) return false;
+
+  Handle<Context> accessor_context(call_optimization.GetAccessorContext(*map),
+                                   isolate());
+
+  Handle<MegaDomHandler> new_handler = isolate()->factory()->NewMegaDomHandler(
+      MaybeObjectHandle::Weak(accessor_obj),
+      MaybeObjectHandle::Weak(accessor_context));
+  nexus()->ConfigureMegaDOM(MaybeObjectHandle(new_handler));
+  return true;
+}
+
 bool IC::UpdatePolymorphicIC(Handle<Name> name,
                              const MaybeObjectHandle& handler) {
   DCHECK(IsHandler(*handler));
@@ -703,9 +755,12 @@ void IC::SetCache(Handle<Name> name, const MaybeObjectHandle& handler) {
       V8_FALLTHROUGH;
     case POLYMORPHIC:
       if (UpdatePolymorphicIC(name, handler)) break;
+      if (UpdateMegaDOMIC(handler, name)) break;
       if (!is_keyed() || state() == RECOMPUTE_HANDLER) {
         CopyICToMegamorphicCache(name);
       }
+      V8_FALLTHROUGH;
+    case MEGADOM:
       ConfigureVectorState(MEGAMORPHIC, name);
       V8_FALLTHROUGH;
     case MEGAMORPHIC:
@@ -875,6 +930,7 @@ Handle<Object> LoadIC::ComputeHandler(LookupIterator* lookup) {
           TRACE_HANDLER_STATS(isolate(), LoadIC_SlowStub);
           return LoadHandler::LoadSlow(isolate());
         }
+        set_accessor(getter);
 
         if ((getter->IsFunctionTemplateInfo() &&
              FunctionTemplateInfo::cast(*getter).BreakAtEntry()) ||

src/ic/ic.h

@@ -67,6 +67,8 @@ class IC {
 
  protected:
   void set_slow_stub_reason(const char* reason) { slow_stub_reason_ = reason; }
+  void set_accessor(Handle<Object> accessor) { accessor_ = accessor; }
+  MaybeHandle<Object> accessor() const { return accessor_; }
 
   Isolate* isolate() const { return isolate_; }
 
@@ -96,6 +98,7 @@ class IC {
   MaybeHandle<Object> ReferenceError(Handle<Name> name);
 
   void UpdateMonomorphicIC(const MaybeObjectHandle& handler, Handle<Name> name);
+  bool UpdateMegaDOMIC(const MaybeObjectHandle& handler, Handle<Name> name);
   bool UpdatePolymorphicIC(Handle<Name> name, const MaybeObjectHandle& handler);
   void UpdateMegamorphicCache(Handle<Map> map, Handle<Name> name,
                               const MaybeObjectHandle& handler);
@@ -154,7 +157,7 @@ class IC {
   State state_;
   FeedbackSlotKind kind_;
   Handle<Map> lookup_start_object_map_;
-
+  MaybeHandle<Object> accessor_;
   MapHandles target_maps_;
   bool target_maps_set_;
 

src/init/heap-symbols.h

@@ -350,6 +350,7 @@
   V(_, error_start_pos_symbol)                 \
   V(_, frozen_symbol)                          \
   V(_, interpreter_trampoline_symbol)          \
+  V(_, mega_dom_symbol)                        \
   V(_, megamorphic_symbol)                     \
   V(_, native_context_index_symbol)            \
   V(_, nonextensible_symbol)                   \

src/objects/all-objects-inl.h

@@ -52,6 +52,7 @@
 #include "src/objects/lookup-inl.h"
 #include "src/objects/map-inl.h"
 #include "src/objects/maybe-object-inl.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/name-inl.h"

src/objects/feedback-vector-inl.h

@@ -335,6 +335,10 @@ Handle<Symbol> FeedbackVector::MegamorphicSentinel(Isolate* isolate) {
   return isolate->factory()->megamorphic_symbol();
 }
 
+Handle<Symbol> FeedbackVector::MegaDOMSentinel(Isolate* isolate) {
+  return isolate->factory()->mega_dom_symbol();
+}
+
 Symbol FeedbackVector::RawUninitializedSentinel(Isolate* isolate) {
   return ReadOnlyRoots(isolate).uninitialized_symbol();
 }
@@ -377,6 +381,11 @@ MaybeObject FeedbackNexus::MegamorphicSentinel() const {
       *FeedbackVector::MegamorphicSentinel(GetIsolate()));
 }
 
+MaybeObject FeedbackNexus::MegaDOMSentinel() const {
+  return MaybeObject::FromObject(
+      *FeedbackVector::MegaDOMSentinel(GetIsolate()));
+}
+
 MaybeObject FeedbackNexus::FromHandle(MaybeObjectHandle slot) const {
   return slot.is_null() ? HeapObjectReference::ClearedValue(config()->isolate())
                         : *slot;

src/objects/feedback-vector.cc

@@ -54,6 +54,7 @@ static bool IsPropertyNameFeedback(MaybeObject feedback) {
   Symbol symbol = Symbol::cast(heap_object);
   ReadOnlyRoots roots = symbol.GetReadOnlyRoots();
   return symbol != roots.uninitialized_symbol() &&
+         symbol != roots.mega_dom_symbol() &&
          symbol != roots.megamorphic_symbol();
 }
 
@@ -674,6 +675,13 @@ bool FeedbackNexus::ConfigureMegamorphic() {
   return false;
 }
 
+void FeedbackNexus::ConfigureMegaDOM(const MaybeObjectHandle& handler) {
+  DisallowGarbageCollection no_gc;
+  MaybeObject sentinel = MegaDOMSentinel();
+
+  SetFeedback(sentinel, SKIP_WRITE_BARRIER, *handler, UPDATE_WRITE_BARRIER);
+}
+
 bool FeedbackNexus::ConfigureMegamorphic(IcCheckType property_type) {
   DisallowGarbageCollection no_gc;
   MaybeObject sentinel = MegamorphicSentinel();
@@ -735,6 +743,10 @@ InlineCacheState FeedbackNexus::ic_state() const {
       if (feedback == MegamorphicSentinel()) {
         return MEGAMORPHIC;
       }
+      if (feedback == MegaDOMSentinel()) {
+        DCHECK(IsLoadICKind(kind()));
+        return MEGADOM;
+      }
       if (feedback->IsWeakOrCleared()) {
         // Don't check if the map is cleared.
         return MONOMORPHIC;

src/objects/feedback-vector.h

@@ -322,6 +322,9 @@ class FeedbackVector
   // The object that indicates a megamorphic state.
   static inline Handle<Symbol> MegamorphicSentinel(Isolate* isolate);
 
+  // The object that indicates a MegaDOM state.
+  static inline Handle<Symbol> MegaDOMSentinel(Isolate* isolate);
+
   // A raw version of the uninitialized sentinel that's safe to read during
   // garbage collection (e.g., for patching the cache).
   static inline Symbol RawUninitializedSentinel(Isolate* isolate);
@@ -773,6 +776,8 @@ class V8_EXPORT_PRIVATE FeedbackNexus final {
   void ConfigurePolymorphic(
       Handle<Name> name, std::vector<MapAndHandler> const& maps_and_handlers);
 
+  void ConfigureMegaDOM(const MaybeObjectHandle& handler);
+
   BinaryOperationHint GetBinaryOperationFeedback() const;
   CompareOperationHint GetCompareOperationFeedback() const;
   ForInHint GetForInFeedback() const;
@@ -847,6 +852,7 @@ class V8_EXPORT_PRIVATE FeedbackNexus final {
 
   inline MaybeObject UninitializedSentinel() const;
   inline MaybeObject MegamorphicSentinel() const;
+  inline MaybeObject MegaDOMSentinel() const;
 
   // Create an array. The caller must install it in a feedback vector slot.
   Handle<WeakFixedArray> CreateArrayOfSize(int length);

src/objects/instance-type.h

@@ -258,6 +258,7 @@ TYPED_ARRAYS(TYPED_ARRAY_IS_TYPE_FUNCTION_DECL)
   V(_, FunctionTemplateInfoMap, function_template_info_map,                    \
     FunctionTemplateInfo)                                                      \
   V(_, HeapNumberMap, heap_number_map, HeapNumber)                             \
+  V(_, MegaDomHandlerMap, mega_dom_handler_map, MegaDomHandler)                \
   V(_, MetaMap, meta_map, Map)                                                 \
   V(_, PreparseDataMap, preparse_data_map, PreparseData)                       \
   V(_, PrototypeInfoMap, prototype_info_map, PrototypeInfo)                    \

src/objects/megadom-handler-inl.h

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef V8_OBJECTS_MEGADOM_HANDLER_INL_H_
+#define V8_OBJECTS_MEGADOM_HANDLER_INL_H_
+
+#include "src/objects/megadom-handler.h"
+#include "src/objects/objects-inl.h"  // Needed for write barriers
+
+// Has to be the last include (doesn't have include guards):
+#include "src/objects/object-macros.h"
+
+namespace v8 {
+namespace internal {
+
+#include "torque-generated/src/objects/megadom-handler-tq-inl.inc"
+
+TQ_OBJECT_CONSTRUCTORS_IMPL(MegaDomHandler)
+
+}  // namespace internal
+}  // namespace v8
+
+#include "src/objects/object-macros-undef.h"
+
+#endif  // V8_OBJECTS_MEGADOM_HANDLER_INL_H_

src/objects/megadom-handler.h

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef V8_OBJECTS_MEGADOM_HANDLER_H_
+#define V8_OBJECTS_MEGADOM_HANDLER_H_
+
+#include "src/objects/heap-object.h"
+
+// Has to be the last include (doesn't have include guards):
+#include "src/objects/object-macros.h"
+
+namespace v8 {
+namespace internal {
+
+#include "torque-generated/src/objects/megadom-handler-tq.inc"
+
+class MegaDomHandler
+    : public TorqueGeneratedMegaDomHandler<MegaDomHandler, HeapObject> {
+ public:
+  void BriefPrintDetails(std::ostream& os);
+  class BodyDescriptor;
+
+  TQ_OBJECT_CONSTRUCTORS(MegaDomHandler)
+};
+
+}  // namespace internal
+}  // namespace v8
+
+#include "src/objects/object-macros-undef.h"
+
+#endif  // V8_OBJECTS_MEGADOM_HANDLER_H_

src/objects/megadom-handler.tq

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+@generateCppClass
+@generatePrint
+@generateBodyDescriptor
+extern class MegaDomHandler extends HeapObject {
+  accessor: MaybeObject;
+  context: MaybeObject;
+}

src/objects/object-list-macros.h

@@ -166,6 +166,7 @@ class ZoneForwardList;
   V(LoadHandler)                               \
   V(Map)                                       \
   V(MapCache)                                  \
+  V(MegaDomHandler)                            \
   V(Module)                                    \
   V(Microtask)                                 \
   V(Name)                                      \

src/objects/objects-body-descriptors-inl.h

@@ -15,6 +15,7 @@
 #include "src/objects/hash-table.h"
 #include "src/objects/js-collection.h"
 #include "src/objects/js-weak-refs.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/objects-body-descriptors.h"
 #include "src/objects/oddball.h"
 #include "src/objects/ordered-hash-table-inl.h"

src/objects/objects.cc

@@ -101,6 +101,7 @@
 #include "src/objects/literal-objects-inl.h"
 #include "src/objects/map-inl.h"
 #include "src/objects/map.h"
+#include "src/objects/megadom-handler-inl.h"
 #include "src/objects/microtask-inl.h"
 #include "src/objects/module-inl.h"
 #include "src/objects/promise-inl.h"
@@ -2199,6 +2200,10 @@ void Tuple2::BriefPrintDetails(std::ostream& os) {
   os << " " << Brief(value1()) << ", " << Brief(value2());
 }
 
+void MegaDomHandler::BriefPrintDetails(std::ostream& os) {
+  os << " " << Brief(accessor()) << ", " << Brief(context());
+}
+
 void ClassPositions::BriefPrintDetails(std::ostream& os) {
   os << " " << start() << ", " << end();
 }

src/objects/torque-defined-classes.h

@@ -7,6 +7,7 @@
 #include "src/objects/descriptor-array.h"
 #include "src/objects/fixed-array.h"
 #include "src/objects/heap-object.h"
+#include "src/objects/megadom-handler.h"
 #include "src/objects/objects.h"
 
 // Has to be the last include (doesn't have include guards):

src/roots/roots.h

@@ -88,6 +88,7 @@ class Symbol;
   V(Map, fixed_double_array_map, FixedDoubleArrayMap)                          \
   V(Map, global_dictionary_map, GlobalDictionaryMap)                           \
   V(Map, many_closures_cell_map, ManyClosuresCellMap)                          \
+  V(Map, mega_dom_handler_map, MegaDomHandlerMap)                              \
   V(Map, module_info_map, ModuleInfoMap)                                       \
   V(Map, name_dictionary_map, NameDictionaryMap)                               \
   V(Map, no_closures_cell_map, NoClosuresCellMap)                              \
@@ -210,6 +211,7 @@ class Symbol;
   /* Protectors */                                                             \
   V(PropertyCell, array_constructor_protector, ArrayConstructorProtector)      \
   V(PropertyCell, no_elements_protector, NoElementsProtector)                  \
+  V(PropertyCell, mega_dom_protector, MegaDOMProtector)                        \
   V(PropertyCell, is_concat_spreadable_protector, IsConcatSpreadableProtector) \
   V(PropertyCell, array_species_protector, ArraySpeciesProtector)              \
   V(PropertyCell, typed_array_species_protector, TypedArraySpeciesProtector)   \

test/mjsunit/ic-megadom-2.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --enable-mega-dom-ic --allow-natives-syntax
+
+function load(obj) {
+  return obj.nodeType;
+}
+
+%PrepareFunctionForOptimization(load);
+
+var a = new d8.dom.Div();
+var b = new d8.dom.Div();
+b.b = 1;
+
+var c = new d8.dom.Div();
+c.c = 1;
+
+var d = new d8.dom.Div();
+d.d = 1;
+
+var e = new d8.dom.Div();
+e.e = 1;
+
+var f = new d8.dom.Div();
+f.f = 1;
+
+const objs = [
+  a, b, c, d, e, f
+];
+
+
+function test() {
+  let result = 0;
+  for (let i = 0; i < objs.length; i++) {
+    result += load(objs[i]);
+  }
+
+  return result;
+}
+%PrepareFunctionForOptimization(test);
+let result = test();
+assertEquals(6, result);
+assertEquals(load({}), undefined);
+assertEquals(load({ nodeType: 'foo' }), 'foo');
+
+%OptimizeFunctionOnNextCall(test);
+result = test();
+assertEquals(6, result);
+assertEquals(load({}), undefined)
+assertEquals(load({nodeType: 'foo'}), 'foo')

test/mjsunit/ic-megadom.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --enable-mega-dom-ic --allow-natives-syntax
+
+function load(obj) {
+  return obj.nodeType;
+}
+%PrepareFunctionForOptimization(load);
+
+var a = new d8.dom.Div();
+var b = new d8.dom.Div();
+b.b = 1;
+
+var c = new d8.dom.Div();
+c.c = 1;
+
+var d = new d8.dom.Div();
+d.d = 1;
+
+var e = new d8.dom.Div();
+e.e = 1;
+
+var f = new d8.dom.Div();
+f.f = 1;
+
+const objs = [
+  a, b, c, d, e, f
+];
+
+
+
+function test() {
+  let result = 0;
+  for (let i = 0; i < objs.length; i++) {
+    result += load(objs[i]);
+  }
+
+  return result;
+}
+%PrepareFunctionForOptimization(test);
+let result = test();
+assertEquals(6, result);
+
+%OptimizeFunctionOnNextCall(test);
+result = test();
+assertEquals(6, result);

tools/v8heapconst.py

@@ -132,26 +132,27 @@ INSTANCE_TYPES = {
   168: "INTERNAL_CLASS_TYPE",
   169: "INTERNAL_CLASS_WITH_STRUCT_ELEMENTS_TYPE",
   170: "MAP_TYPE",
-  171: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
-  172: "PREPARSE_DATA_TYPE",
-  173: "PROPERTY_ARRAY_TYPE",
-  174: "PROPERTY_CELL_TYPE",
-  175: "SCOPE_INFO_TYPE",
-  176: "SHARED_FUNCTION_INFO_TYPE",
-  177: "SMI_BOX_TYPE",
-  178: "SMI_PAIR_TYPE",
-  179: "SORT_STATE_TYPE",
-  180: "SWISS_NAME_DICTIONARY_TYPE",
-  181: "WASM_ARRAY_TYPE",
-  182: "WASM_CAPI_FUNCTION_DATA_TYPE",
-  183: "WASM_STRUCT_TYPE",
-  184: "WEAK_ARRAY_LIST_TYPE",
-  185: "WEAK_CELL_TYPE",
-  186: "JS_PROXY_TYPE",
+  171: "MEGA_DOM_HANDLER_TYPE",
+  172: "ON_HEAP_BASIC_BLOCK_PROFILER_DATA_TYPE",
+  173: "PREPARSE_DATA_TYPE",
+  174: "PROPERTY_ARRAY_TYPE",
+  175: "PROPERTY_CELL_TYPE",
+  176: "SCOPE_INFO_TYPE",
+  177: "SHARED_FUNCTION_INFO_TYPE",
+  178: "SMI_BOX_TYPE",
+  179: "SMI_PAIR_TYPE",
+  180: "SORT_STATE_TYPE",
+  181: "SWISS_NAME_DICTIONARY_TYPE",
+  182: "WASM_ARRAY_TYPE",
+  183: "WASM_CAPI_FUNCTION_DATA_TYPE",
+  184: "WASM_STRUCT_TYPE",
+  185: "WEAK_ARRAY_LIST_TYPE",
+  186: "WEAK_CELL_TYPE",
+  187: "JS_PROXY_TYPE",
   1057: "JS_OBJECT_TYPE",
-  187: "JS_GLOBAL_OBJECT_TYPE",
-  188: "JS_GLOBAL_PROXY_TYPE",
-  189: "JS_MODULE_NAMESPACE_TYPE",
+  188: "JS_GLOBAL_OBJECT_TYPE",
+  189: "JS_GLOBAL_PROXY_TYPE",
+  190: "JS_MODULE_NAMESPACE_TYPE",
   1040: "JS_SPECIAL_API_OBJECT_TYPE",
   1041: "JS_PRIMITIVE_WRAPPER_TYPE",
   1042: "JS_ARRAY_ITERATOR_PROTOTYPE_TYPE",
@@ -253,11 +254,11 @@ KNOWN_MAPS = {
   ("read_only_space", 0x02559): (118, "HashTableMap"),
   ("read_only_space", 0x02581): (64, "SymbolMap"),
   ("read_only_space", 0x025a9): (40, "OneByteStringMap"),
-  ("read_only_space", 0x025d1): (175, "ScopeInfoMap"),
-  ("read_only_space", 0x025f9): (176, "SharedFunctionInfoMap"),
+  ("read_only_space", 0x025d1): (176, "ScopeInfoMap"),
+  ("read_only_space", 0x025f9): (177, "SharedFunctionInfoMap"),
   ("read_only_space", 0x02621): (160, "CodeMap"),
   ("read_only_space", 0x02649): (159, "CellMap"),
-  ("read_only_space", 0x02671): (174, "GlobalPropertyCellMap"),
+  ("read_only_space", 0x02671): (175, "GlobalPropertyCellMap"),
   ("read_only_space", 0x02699): (70, "ForeignMap"),
   ("read_only_space", 0x026c1): (158, "TransitionArrayMap"),
   ("read_only_space", 0x026e9): (45, "ThinOneByteStringMap"),
@@ -279,113 +280,114 @@ KNOWN_MAPS = {
   ("read_only_space", 0x02a95): (132, "FixedDoubleArrayMap"),
   ("read_only_space", 0x02abd): (120, "GlobalDictionaryMap"),
   ("read_only_space", 0x02ae5): (98, "ManyClosuresCellMap"),
-  ("read_only_space", 0x02b0d): (117, "ModuleInfoMap"),
-  ("read_only_space", 0x02b35): (121, "NameDictionaryMap"),
-  ("read_only_space", 0x02b5d): (98, "NoClosuresCellMap"),
-  ("read_only_space", 0x02b85): (122, "NumberDictionaryMap"),
-  ("read_only_space", 0x02bad): (98, "OneClosureCellMap"),
-  ("read_only_space", 0x02bd5): (123, "OrderedHashMapMap"),
-  ("read_only_space", 0x02bfd): (124, "OrderedHashSetMap"),
-  ("read_only_space", 0x02c25): (125, "OrderedNameDictionaryMap"),
-  ("read_only_space", 0x02c4d): (172, "PreparseDataMap"),
-  ("read_only_space", 0x02c75): (173, "PropertyArrayMap"),
-  ("read_only_space", 0x02c9d): (94, "SideEffectCallHandlerInfoMap"),
-  ("read_only_space", 0x02cc5): (94, "SideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02ced): (94, "NextCallSideEffectFreeCallHandlerInfoMap"),
-  ("read_only_space", 0x02d15): (126, "SimpleNumberDictionaryMap"),
-  ("read_only_space", 0x02d3d): (148, "SmallOrderedHashMapMap"),
-  ("read_only_space", 0x02d65): (149, "SmallOrderedHashSetMap"),
-  ("read_only_space", 0x02d8d): (150, "SmallOrderedNameDictionaryMap"),
-  ("read_only_space", 0x02db5): (153, "SourceTextModuleMap"),
-  ("read_only_space", 0x02ddd): (180, "SwissNameDictionaryMap"),
-  ("read_only_space", 0x02e05): (154, "SyntheticModuleMap"),
-  ("read_only_space", 0x02e2d): (71, "WasmTypeInfoMap"),
-  ("read_only_space", 0x02e55): (184, "WeakArrayListMap"),
-  ("read_only_space", 0x02e7d): (119, "EphemeronHashTableMap"),
-  ("read_only_space", 0x02ea5): (163, "EmbedderDataArrayMap"),
-  ("read_only_space", 0x02ecd): (185, "WeakCellMap"),
-  ("read_only_space", 0x02ef5): (32, "StringMap"),
-  ("read_only_space", 0x02f1d): (41, "ConsOneByteStringMap"),
-  ("read_only_space", 0x02f45): (33, "ConsStringMap"),
-  ("read_only_space", 0x02f6d): (37, "ThinStringMap"),
-  ("read_only_space", 0x02f95): (35, "SlicedStringMap"),
-  ("read_only_space", 0x02fbd): (43, "SlicedOneByteStringMap"),
-  ("read_only_space", 0x02fe5): (34, "ExternalStringMap"),
-  ("read_only_space", 0x0300d): (42, "ExternalOneByteStringMap"),
-  ("read_only_space", 0x03035): (50, "UncachedExternalStringMap"),
-  ("read_only_space", 0x0305d): (0, "InternalizedStringMap"),
-  ("read_only_space", 0x03085): (2, "ExternalInternalizedStringMap"),
-  ("read_only_space", 0x030ad): (10, "ExternalOneByteInternalizedStringMap"),
-  ("read_only_space", 0x030d5): (18, "UncachedExternalInternalizedStringMap"),
-  ("read_only_space", 0x030fd): (26, "UncachedExternalOneByteInternalizedStringMap"),
-  ("read_only_space", 0x03125): (58, "UncachedExternalOneByteStringMap"),
-  ("read_only_space", 0x0314d): (67, "SelfReferenceMarkerMap"),
-  ("read_only_space", 0x03175): (67, "BasicBlockCountersMarkerMap"),
-  ("read_only_space", 0x031b9): (87, "ArrayBoilerplateDescriptionMap"),
-  ("read_only_space", 0x032b9): (100, "InterceptorInfoMap"),
-  ("read_only_space", 0x05415): (72, "PromiseFulfillReactionJobTaskMap"),
-  ("read_only_space", 0x0543d): (73, "PromiseRejectReactionJobTaskMap"),
-  ("read_only_space", 0x05465): (74, "CallableTaskMap"),
-  ("read_only_space", 0x0548d): (75, "CallbackTaskMap"),
-  ("read_only_space", 0x054b5): (76, "PromiseResolveThenableJobTaskMap"),
-  ("read_only_space", 0x054dd): (79, "FunctionTemplateInfoMap"),
-  ("read_only_space", 0x05505): (80, "ObjectTemplateInfoMap"),
-  ("read_only_space", 0x0552d): (81, "AccessCheckInfoMap"),
-  ("read_only_space", 0x05555): (82, "AccessorInfoMap"),
-  ("read_only_space", 0x0557d): (83, "AccessorPairMap"),
-  ("read_only_space", 0x055a5): (84, "AliasedArgumentsEntryMap"),
-  ("read_only_space", 0x055cd): (85, "AllocationMementoMap"),
-  ("read_only_space", 0x055f5): (88, "AsmWasmDataMap"),
-  ("read_only_space", 0x0561d): (89, "AsyncGeneratorRequestMap"),
-  ("read_only_space", 0x05645): (90, "BaselineDataMap"),
-  ("read_only_space", 0x0566d): (91, "BreakPointMap"),
-  ("read_only_space", 0x05695): (92, "BreakPointInfoMap"),
-  ("read_only_space", 0x056bd): (93, "CachedTemplateObjectMap"),
-  ("read_only_space", 0x056e5): (95, "ClassPositionsMap"),
-  ("read_only_space", 0x0570d): (96, "DebugInfoMap"),
-  ("read_only_space", 0x05735): (99, "FunctionTemplateRareDataMap"),
-  ("read_only_space", 0x0575d): (101, "InterpreterDataMap"),
-  ("read_only_space", 0x05785): (102, "ModuleRequestMap"),
-  ("read_only_space", 0x057ad): (103, "PromiseCapabilityMap"),
-  ("read_only_space", 0x057d5): (104, "PromiseReactionMap"),
-  ("read_only_space", 0x057fd): (105, "PropertyDescriptorObjectMap"),
-  ("read_only_space", 0x05825): (106, "PrototypeInfoMap"),
-  ("read_only_space", 0x0584d): (107, "RegExpBoilerplateDescriptionMap"),
-  ("read_only_space", 0x05875): (108, "ScriptMap"),
-  ("read_only_space", 0x0589d): (109, "SourceTextModuleInfoEntryMap"),
-  ("read_only_space", 0x058c5): (110, "StackFrameInfoMap"),
-  ("read_only_space", 0x058ed): (111, "TemplateObjectDescriptionMap"),
-  ("read_only_space", 0x05915): (112, "Tuple2Map"),
-  ("read_only_space", 0x0593d): (113, "WasmExceptionTagMap"),
-  ("read_only_space", 0x05965): (114, "WasmExportedFunctionDataMap"),
-  ("read_only_space", 0x0598d): (115, "WasmIndirectFunctionTableMap"),
-  ("read_only_space", 0x059b5): (116, "WasmJSFunctionDataMap"),
-  ("read_only_space", 0x059dd): (134, "SloppyArgumentsElementsMap"),
-  ("read_only_space", 0x05a05): (151, "DescriptorArrayMap"),
-  ("read_only_space", 0x05a2d): (156, "UncompiledDataWithoutPreparseDataMap"),
-  ("read_only_space", 0x05a55): (155, "UncompiledDataWithPreparseDataMap"),
-  ("read_only_space", 0x05a7d): (171, "OnHeapBasicBlockProfilerDataMap"),
-  ("read_only_space", 0x05aa5): (168, "InternalClassMap"),
-  ("read_only_space", 0x05acd): (178, "SmiPairMap"),
-  ("read_only_space", 0x05af5): (177, "SmiBoxMap"),
-  ("read_only_space", 0x05b1d): (145, "ExportedSubClassBaseMap"),
-  ("read_only_space", 0x05b45): (146, "ExportedSubClassMap"),
-  ("read_only_space", 0x05b6d): (68, "AbstractInternalClassSubclass1Map"),
-  ("read_only_space", 0x05b95): (69, "AbstractInternalClassSubclass2Map"),
-  ("read_only_space", 0x05bbd): (133, "InternalClassWithSmiElementsMap"),
-  ("read_only_space", 0x05be5): (169, "InternalClassWithStructElementsMap"),
-  ("read_only_space", 0x05c0d): (147, "ExportedSubClass2Map"),
-  ("read_only_space", 0x05c35): (179, "SortStateMap"),
-  ("read_only_space", 0x05c5d): (182, "WasmCapiFunctionDataMap"),
-  ("read_only_space", 0x05c85): (86, "AllocationSiteWithWeakNextMap"),
-  ("read_only_space", 0x05cad): (86, "AllocationSiteWithoutWeakNextMap"),
-  ("read_only_space", 0x05cd5): (77, "LoadHandler1Map"),
-  ("read_only_space", 0x05cfd): (77, "LoadHandler2Map"),
-  ("read_only_space", 0x05d25): (77, "LoadHandler3Map"),
-  ("read_only_space", 0x05d4d): (78, "StoreHandler0Map"),
-  ("read_only_space", 0x05d75): (78, "StoreHandler1Map"),
-  ("read_only_space", 0x05d9d): (78, "StoreHandler2Map"),
-  ("read_only_space", 0x05dc5): (78, "StoreHandler3Map"),
+  ("read_only_space", 0x02b0d): (171, "MegaDomHandlerMap"),
+  ("read_only_space", 0x02b35): (117, "ModuleInfoMap"),
+  ("read_only_space", 0x02b5d): (121, "NameDictionaryMap"),
+  ("read_only_space", 0x02b85): (98, "NoClosuresCellMap"),
+  ("read_only_space", 0x02bad): (122, "NumberDictionaryMap"),
+  ("read_only_space", 0x02bd5): (98, "OneClosureCellMap"),
+  ("read_only_space", 0x02bfd): (123, "OrderedHashMapMap"),
+  ("read_only_space", 0x02c25): (124, "OrderedHashSetMap"),
+  ("read_only_space", 0x02c4d): (125, "OrderedNameDictionaryMap"),
+  ("read_only_space", 0x02c75): (173, "PreparseDataMap"),
+  ("read_only_space", 0x02c9d): (174, "PropertyArrayMap"),
+  ("read_only_space", 0x02cc5): (94, "SideEffectCallHandlerInfoMap"),
+  ("read_only_space", 0x02ced): (94, "SideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02d15): (94, "NextCallSideEffectFreeCallHandlerInfoMap"),
+  ("read_only_space", 0x02d3d): (126, "SimpleNumberDictionaryMap"),
+  ("read_only_space", 0x02d65): (148, "SmallOrderedHashMapMap"),
+  ("read_only_space", 0x02d8d): (149, "SmallOrderedHashSetMap"),
+  ("read_only_space", 0x02db5): (150, "SmallOrderedNameDictionaryMap"),
+  ("read_only_space", 0x02ddd): (153, "SourceTextModuleMap"),
+  ("read_only_space", 0x02e05): (181, "SwissNameDictionaryMap"),
+  ("read_only_space", 0x02e2d): (154, "SyntheticModuleMap"),
+  ("read_only_space", 0x02e55): (71, "WasmTypeInfoMap"),
+  ("read_only_space", 0x02e7d): (185, "WeakArrayListMap"),
+  ("read_only_space", 0x02ea5): (119, "EphemeronHashTableMap"),
+  ("read_only_space", 0x02ecd): (163, "EmbedderDataArrayMap"),
+  ("read_only_space", 0x02ef5): (186, "WeakCellMap"),
+  ("read_only_space", 0x02f1d): (32, "StringMap"),
+  ("read_only_space", 0x02f45): (41, "ConsOneByteStringMap"),
+  ("read_only_space", 0x02f6d): (33, "ConsStringMap"),
+  ("read_only_space", 0x02f95): (37, "ThinStringMap"),
+  ("read_only_space", 0x02fbd): (35, "SlicedStringMap"),
+  ("read_only_space", 0x02fe5): (43, "SlicedOneByteStringMap"),
+  ("read_only_space", 0x0300d): (34, "ExternalStringMap"),
+  ("read_only_space", 0x03035): (42, "ExternalOneByteStringMap"),
+  ("read_only_space", 0x0305d): (50, "UncachedExternalStringMap"),
+  ("read_only_space", 0x03085): (0, "InternalizedStringMap"),
+  ("read_only_space", 0x030ad): (2, "ExternalInternalizedStringMap"),
+  ("read_only_space", 0x030d5): (10, "ExternalOneByteInternalizedStringMap"),
+  ("read_only_space", 0x030fd): (18, "UncachedExternalInternalizedStringMap"),
+  ("read_only_space", 0x03125): (26, "UncachedExternalOneByteInternalizedStringMap"),
+  ("read_only_space", 0x0314d): (58, "UncachedExternalOneByteStringMap"),
+  ("read_only_space", 0x03175): (67, "SelfReferenceMarkerMap"),
+  ("read_only_space", 0x0319d): (67, "BasicBlockCountersMarkerMap"),
+  ("read_only_space", 0x031e1): (87, "ArrayBoilerplateDescriptionMap"),
+  ("read_only_space", 0x032e1): (100, "InterceptorInfoMap"),
+  ("read_only_space", 0x0544d): (72, "PromiseFulfillReactionJobTaskMap"),
+  ("read_only_space", 0x05475): (73, "PromiseRejectReactionJobTaskMap"),
+  ("read_only_space", 0x0549d): (74, "CallableTaskMap"),
+  ("read_only_space", 0x054c5): (75, "CallbackTaskMap"),
+  ("read_only_space", 0x054ed): (76, "PromiseResolveThenableJobTaskMap"),
+  ("read_only_space", 0x05515): (79, "FunctionTemplateInfoMap"),
+  ("read_only_space", 0x0553d): (80, "ObjectTemplateInfoMap"),
+  ("read_only_space", 0x05565): (81, "AccessCheckInfoMap"),
+  ("read_only_space", 0x0558d): (82, "AccessorInfoMap"),
+  ("read_only_space", 0x055b5): (83, "AccessorPairMap"),
+  ("read_only_space", 0x055dd): (84, "AliasedArgumentsEntryMap"),
+  ("read_only_space", 0x05605): (85, "AllocationMementoMap"),
+  ("read_only_space", 0x0562d): (88, "AsmWasmDataMap"),
+  ("read_only_space", 0x05655): (89, "AsyncGeneratorRequestMap"),
+  ("read_only_space", 0x0567d): (90, "BaselineDataMap"),
+  ("read_only_space", 0x056a5): (91, "BreakPointMap"),
+  ("read_only_space", 0x056cd): (92, "BreakPointInfoMap"),
+  ("read_only_space", 0x056f5): (93, "CachedTemplateObjectMap"),
+  ("read_only_space", 0x0571d): (95, "ClassPositionsMap"),
+  ("read_only_space", 0x05745): (96, "DebugInfoMap"),
+  ("read_only_space", 0x0576d): (99, "FunctionTemplateRareDataMap"),
+  ("read_only_space", 0x05795): (101, "InterpreterDataMap"),
+  ("read_only_space", 0x057bd): (102, "ModuleRequestMap"),
+  ("read_only_space", 0x057e5): (103, "PromiseCapabilityMap"),
+  ("read_only_space", 0x0580d): (104, "PromiseReactionMap"),
+  ("read_only_space", 0x05835): (105, "PropertyDescriptorObjectMap"),
+  ("read_only_space", 0x0585d): (106, "PrototypeInfoMap"),
+  ("read_only_space", 0x05885): (107, "RegExpBoilerplateDescriptionMap"),
+  ("read_only_space", 0x058ad): (108, "ScriptMap"),
+  ("read_only_space", 0x058d5): (109, "SourceTextModuleInfoEntryMap"),
+  ("read_only_space", 0x058fd): (110, "StackFrameInfoMap"),
+  ("read_only_space", 0x05925): (111, "TemplateObjectDescriptionMap"),
+  ("read_only_space", 0x0594d): (112, "Tuple2Map"),
+  ("read_only_space", 0x05975): (113, "WasmExceptionTagMap"),
+  ("read_only_space", 0x0599d): (114, "WasmExportedFunctionDataMap"),
+  ("read_only_space", 0x059c5): (115, "WasmIndirectFunctionTableMap"),
+  ("read_only_space", 0x059ed): (116, "WasmJSFunctionDataMap"),
+  ("read_only_space", 0x05a15): (134, "SloppyArgumentsElementsMap"),
+  ("read_only_space", 0x05a3d): (151, "DescriptorArrayMap"),
+  ("read_only_space", 0x05a65): (156, "UncompiledDataWithoutPreparseDataMap"),
+  ("read_only_space", 0x05a8d): (155, "UncompiledDataWithPreparseDataMap"),
+  ("read_only_space", 0x05ab5): (172, "OnHeapBasicBlockProfilerDataMap"),
+  ("read_only_space", 0x05add): (168, "InternalClassMap"),
+  ("read_only_space", 0x05b05): (179, "SmiPairMap"),
+  ("read_only_space", 0x05b2d): (178, "SmiBoxMap"),
+  ("read_only_space", 0x05b55): (145, "ExportedSubClassBaseMap"),
+  ("read_only_space", 0x05b7d): (146, "ExportedSubClassMap"),
+  ("read_only_space", 0x05ba5): (68, "AbstractInternalClassSubclass1Map"),
+  ("read_only_space", 0x05bcd): (69, "AbstractInternalClassSubclass2Map"),
+  ("read_only_space", 0x05bf5): (133, "InternalClassWithSmiElementsMap"),
+  ("read_only_space", 0x05c1d): (169, "InternalClassWithStructElementsMap"),
+  ("read_only_space", 0x05c45): (147, "ExportedSubClass2Map"),
+  ("read_only_space", 0x05c6d): (180, "SortStateMap"),
+  ("read_only_space", 0x05c95): (183, "WasmCapiFunctionDataMap"),
+  ("read_only_space", 0x05cbd): (86, "AllocationSiteWithWeakNextMap"),
+  ("read_only_space", 0x05ce5): (86, "AllocationSiteWithoutWeakNextMap"),
+  ("read_only_space", 0x05d0d): (77, "LoadHandler1Map"),
+  ("read_only_space", 0x05d35): (77, "LoadHandler2Map"),
+  ("read_only_space", 0x05d5d): (77, "LoadHandler3Map"),
+  ("read_only_space", 0x05d85): (78, "StoreHandler0Map"),
+  ("read_only_space", 0x05dad): (78, "StoreHandler1Map"),
+  ("read_only_space", 0x05dd5): (78, "StoreHandler2Map"),
+  ("read_only_space", 0x05dfd): (78, "StoreHandler3Map"),
   ("map_space", 0x02119): (1057, "ExternalMap"),
   ("map_space", 0x02141): (1098, "JSMessageObjectMap"),
 }
@@ -411,32 +413,32 @@ KNOWN_OBJECTS = {
   ("read_only_space", 0x0282d): "TerminationException",
   ("read_only_space", 0x02895): "OptimizedOut",
   ("read_only_space", 0x028f5): "StaleRegister",
-  ("read_only_space", 0x0319d): "EmptyPropertyArray",
-  ("read_only_space", 0x031a5): "EmptyByteArray",
-  ("read_only_space", 0x031ad): "EmptyObjectBoilerplateDescription",
-  ("read_only_space", 0x031e1): "EmptyArrayBoilerplateDescription",
-  ("read_only_space", 0x031ed): "EmptyClosureFeedbackCellArray",
-  ("read_only_space", 0x031f5): "EmptySlowElementDictionary",
-  ("read_only_space", 0x03219): "EmptyOrderedHashMap",
-  ("read_only_space", 0x0322d): "EmptyOrderedHashSet",
-  ("read_only_space", 0x03241): "EmptyFeedbackMetadata",
-  ("read_only_space", 0x0324d): "EmptyPropertyDictionary",
-  ("read_only_space", 0x03275): "EmptyOrderedPropertyDictionary",
-  ("read_only_space", 0x0328d): "EmptySwissPropertyDictionary",
-  ("read_only_space", 0x032e1): "NoOpInterceptorInfo",
-  ("read_only_space", 0x03309): "EmptyWeakArrayList",
-  ("read_only_space", 0x03315): "InfinityValue",
-  ("read_only_space", 0x03321): "MinusZeroValue",
-  ("read_only_space", 0x0332d): "MinusInfinityValue",
-  ("read_only_space", 0x03339): "SelfReferenceMarker",
-  ("read_only_space", 0x03379): "BasicBlockCountersMarker",
-  ("read_only_space", 0x033bd): "OffHeapTrampolineRelocationInfo",
-  ("read_only_space", 0x033c9): "TrampolineTrivialCodeDataContainer",
-  ("read_only_space", 0x033d5): "TrampolinePromiseRejectionCodeDataContainer",
-  ("read_only_space", 0x033e1): "GlobalThisBindingScopeInfo",
-  ("read_only_space", 0x03415): "EmptyFunctionScopeInfo",
-  ("read_only_space", 0x03439): "NativeScopeInfo",
-  ("read_only_space", 0x03451): "HashSeed",
+  ("read_only_space", 0x031c5): "EmptyPropertyArray",
+  ("read_only_space", 0x031cd): "EmptyByteArray",
+  ("read_only_space", 0x031d5): "EmptyObjectBoilerplateDescription",
+  ("read_only_space", 0x03209): "EmptyArrayBoilerplateDescription",
+  ("read_only_space", 0x03215): "EmptyClosureFeedbackCellArray",
+  ("read_only_space", 0x0321d): "EmptySlowElementDictionary",
+  ("read_only_space", 0x03241): "EmptyOrderedHashMap",
+  ("read_only_space", 0x03255): "EmptyOrderedHashSet",
+  ("read_only_space", 0x03269): "EmptyFeedbackMetadata",
+  ("read_only_space", 0x03275): "EmptyPropertyDictionary",
+  ("read_only_space", 0x0329d): "EmptyOrderedPropertyDictionary",
+  ("read_only_space", 0x032b5): "EmptySwissPropertyDictionary",
+  ("read_only_space", 0x03309): "NoOpInterceptorInfo",
+  ("read_only_space", 0x03331): "EmptyWeakArrayList",
+  ("read_only_space", 0x0333d): "InfinityValue",
+  ("read_only_space", 0x03349): "MinusZeroValue",
+  ("read_only_space", 0x03355): "MinusInfinityValue",
+  ("read_only_space", 0x03361): "SelfReferenceMarker",
+  ("read_only_space", 0x033a1): "BasicBlockCountersMarker",
+  ("read_only_space", 0x033e5): "OffHeapTrampolineRelocationInfo",
+  ("read_only_space", 0x033f1): "TrampolineTrivialCodeDataContainer",
+  ("read_only_space", 0x033fd): "TrampolinePromiseRejectionCodeDataContainer",
+  ("read_only_space", 0x03409): "GlobalThisBindingScopeInfo",
+  ("read_only_space", 0x0343d): "EmptyFunctionScopeInfo",
+  ("read_only_space", 0x03461): "NativeScopeInfo",
+  ("read_only_space", 0x03479): "HashSeed",
   ("old_space", 0x02119): "ArgumentsIteratorAccessor",
   ("old_space", 0x0215d): "ArrayLengthAccessor",
   ("old_space", 0x021a1): "BoundFunctionLengthAccessor",
@@ -453,45 +455,46 @@ KNOWN_OBJECTS = {
   ("old_space", 0x0244d): "ManyClosuresCell",
   ("old_space", 0x02459): "ArrayConstructorProtector",
   ("old_space", 0x0246d): "NoElementsProtector",
-  ("old_space", 0x02481): "IsConcatSpreadableProtector",
-  ("old_space", 0x02495): "ArraySpeciesProtector",
-  ("old_space", 0x024a9): "TypedArraySpeciesProtector",
-  ("old_space", 0x024bd): "PromiseSpeciesProtector",
-  ("old_space", 0x024d1): "RegExpSpeciesProtector",
-  ("old_space", 0x024e5): "StringLengthProtector",
-  ("old_space", 0x024f9): "ArrayIteratorProtector",
-  ("old_space", 0x0250d): "ArrayBufferDetachingProtector",
-  ("old_space", 0x02521): "PromiseHookProtector",
-  ("old_space", 0x02535): "PromiseResolveProtector",
-  ("old_space", 0x02549): "MapIteratorProtector",
-  ("old_space", 0x0255d): "PromiseThenProtector",
-  ("old_space", 0x02571): "SetIteratorProtector",
-  ("old_space", 0x02585): "StringIteratorProtector",
-  ("old_space", 0x02599): "SingleCharacterStringCache",
-  ("old_space", 0x029a1): "StringSplitCache",
-  ("old_space", 0x02da9): "RegExpMultipleCache",
-  ("old_space", 0x031b1): "BuiltinsConstantsTable",
-  ("old_space", 0x035b1): "AsyncFunctionAwaitRejectSharedFun",
-  ("old_space", 0x035d5): "AsyncFunctionAwaitResolveSharedFun",
-  ("old_space", 0x035f9): "AsyncGeneratorAwaitRejectSharedFun",
-  ("old_space", 0x0361d): "AsyncGeneratorAwaitResolveSharedFun",
-  ("old_space", 0x03641): "AsyncGeneratorYieldResolveSharedFun",
-  ("old_space", 0x03665): "AsyncGeneratorReturnResolveSharedFun",
-  ("old_space", 0x03689): "AsyncGeneratorReturnClosedRejectSharedFun",
-  ("old_space", 0x036ad): "AsyncGeneratorReturnClosedResolveSharedFun",
-  ("old_space", 0x036d1): "AsyncIteratorValueUnwrapSharedFun",
-  ("old_space", 0x036f5): "PromiseAllResolveElementSharedFun",
-  ("old_space", 0x03719): "PromiseAllSettledResolveElementSharedFun",
-  ("old_space", 0x0373d): "PromiseAllSettledRejectElementSharedFun",
-  ("old_space", 0x03761): "PromiseAnyRejectElementSharedFun",
-  ("old_space", 0x03785): "PromiseCapabilityDefaultRejectSharedFun",
-  ("old_space", 0x037a9): "PromiseCapabilityDefaultResolveSharedFun",
-  ("old_space", 0x037cd): "PromiseCatchFinallySharedFun",
-  ("old_space", 0x037f1): "PromiseGetCapabilitiesExecutorSharedFun",
-  ("old_space", 0x03815): "PromiseThenFinallySharedFun",
-  ("old_space", 0x03839): "PromiseThrowerFinallySharedFun",
-  ("old_space", 0x0385d): "PromiseValueThunkFinallySharedFun",
-  ("old_space", 0x03881): "ProxyRevokeSharedFun",
+  ("old_space", 0x02481): "MegaDOMProtector",
+  ("old_space", 0x02495): "IsConcatSpreadableProtector",
+  ("old_space", 0x024a9): "ArraySpeciesProtector",
+  ("old_space", 0x024bd): "TypedArraySpeciesProtector",
+  ("old_space", 0x024d1): "PromiseSpeciesProtector",
+  ("old_space", 0x024e5): "RegExpSpeciesProtector",
+  ("old_space", 0x024f9): "StringLengthProtector",
+  ("old_space", 0x0250d): "ArrayIteratorProtector",
+  ("old_space", 0x02521): "ArrayBufferDetachingProtector",
+  ("old_space", 0x02535): "PromiseHookProtector",
+  ("old_space", 0x02549): "PromiseResolveProtector",
+  ("old_space", 0x0255d): "MapIteratorProtector",
+  ("old_space", 0x02571): "PromiseThenProtector",
+  ("old_space", 0x02585): "SetIteratorProtector",
+  ("old_space", 0x02599): "StringIteratorProtector",
+  ("old_space", 0x025ad): "SingleCharacterStringCache",
+  ("old_space", 0x029b5): "StringSplitCache",
+  ("old_space", 0x02dbd): "RegExpMultipleCache",
+  ("old_space", 0x031c5): "BuiltinsConstantsTable",
+  ("old_space", 0x035c5): "AsyncFunctionAwaitRejectSharedFun",
+  ("old_space", 0x035e9): "AsyncFunctionAwaitResolveSharedFun",
+  ("old_space", 0x0360d): "AsyncGeneratorAwaitRejectSharedFun",
+  ("old_space", 0x03631): "AsyncGeneratorAwaitResolveSharedFun",
+  ("old_space", 0x03655): "AsyncGeneratorYieldResolveSharedFun",
+  ("old_space", 0x03679): "AsyncGeneratorReturnResolveSharedFun",
+  ("old_space", 0x0369d): "AsyncGeneratorReturnClosedRejectSharedFun",
+  ("old_space", 0x036c1): "AsyncGeneratorReturnClosedResolveSharedFun",
+  ("old_space", 0x036e5): "AsyncIteratorValueUnwrapSharedFun",
+  ("old_space", 0x03709): "PromiseAllResolveElementSharedFun",
+  ("old_space", 0x0372d): "PromiseAllSettledResolveElementSharedFun",
+  ("old_space", 0x03751): "PromiseAllSettledRejectElementSharedFun",
+  ("old_space", 0x03775): "PromiseAnyRejectElementSharedFun",
+  ("old_space", 0x03799): "PromiseCapabilityDefaultRejectSharedFun",
+  ("old_space", 0x037bd): "PromiseCapabilityDefaultResolveSharedFun",
+  ("old_space", 0x037e1): "PromiseCatchFinallySharedFun",
+  ("old_space", 0x03805): "PromiseGetCapabilitiesExecutorSharedFun",
+  ("old_space", 0x03829): "PromiseThenFinallySharedFun",
+  ("old_space", 0x0384d): "PromiseThrowerFinallySharedFun",
+  ("old_space", 0x03871): "PromiseValueThunkFinallySharedFun",
+  ("old_space", 0x03895): "ProxyRevokeSharedFun",
 }
 
 # Lower 32 bits of first page addresses for various heap spaces.