Merge r228500 - We should be able to jsDynamicCast from JSType when p…

…ossible https://bugs.webkit.org/show_bug.cgi?id=182804 Reviewed by Filip Pizlo and Mark Lam. This patch beefs up jsDynamicCast in some of the cases where we can use the JSType to quickly determine if a cell is a subclass of the desired type. Since all JSCells have a range of JSTypes they support, if there is a range exclusive to a class and all subclasses we can use that range to quickly determine if the cast should be successful. Additionally, the JSValue versions of jsCast and jsDynamicCast now call the JSCell version after checking the value is a cell. Finally, the casting functions have been moved to a new header, JSCast.h * JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/CallVariant.h: * bytecode/CodeBlock.h: * bytecode/ExecutableToCodeBlockEdge.h: * bytecode/TrackedReferences.h: * bytecode/UnlinkedCodeBlock.h: * bytecode/UnlinkedFunctionExecutable.h: * dfg/DFGAbstractValue.h: * dfg/DFGCommonData.h: * dfg/DFGFrozenValue.h: * dfg/DFGStructureAbstractValue.h: * heap/CellContainerInlines.h: * heap/ConservativeRoots.cpp: * heap/GCLogging.cpp: * heap/HeapInlines.h: * heap/HeapSnapshotBuilder.cpp: * heap/MarkedBlock.cpp: * heap/MarkedBlockInlines.h: * heap/SubspaceInlines.h: * heap/WeakInlines.h: * jit/JITOpcodes.cpp: * jit/JITOpcodes32_64.cpp: * llint/LLIntOffsetsExtractor.cpp: * runtime/ArrayBufferNeuteringWatchpoint.h: * runtime/BigIntPrototype.cpp: * runtime/ClassInfo.h: * runtime/CustomGetterSetter.h: * runtime/FunctionRareData.h: * runtime/GetterSetter.h: * runtime/InferredType.h: * runtime/InferredTypeTable.h: * runtime/InferredValue.h: * runtime/InternalFunction.cpp: (JSC::InternalFunction::finishCreation): * runtime/JSAPIValueWrapper.h: * runtime/JSArray.h: (JSC::JSArray::finishCreation): * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::finishCreation): * runtime/JSCast.h: Added. (JSC::jsCast): (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): (JSC::jsDynamicCast): * runtime/JSCell.cpp: * runtime/JSCell.h: (JSC::jsCast): Deleted. (JSC::jsDynamicCast): Deleted. * runtime/JSCellInlines.h: * runtime/JSFunction.cpp: (JSC::JSFunction::finishCreation): * runtime/JSJob.h: * runtime/JSObject.h: (JSC::JSObject::finishCreation): * runtime/JSPromiseDeferred.h: * runtime/JSPropertyNameEnumerator.h: * runtime/NativeStdFunctionCell.h: * runtime/ScopedArgumentsTable.h: * runtime/SparseArrayValueMap.h: * runtime/Structure.h: * runtime/StructureChain.h: * runtime/StructureRareData.h: * tools/CellProfile.h: * wasm/js/JSWebAssemblyCodeBlock.h:
WebKit · Feb 20, 2018 · 6ab8862 · 6ab8862
1 parent ea24ba3
commit 6ab8862
Show file tree

Hide file tree

Showing 56 changed files with 266 additions and 79 deletions.
diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
@@ -747,6 +747,7 @@ set(JavaScriptCore_FORWARDING_HEADERS
     runtime/JSCJSValueInlines.h
     runtime/JSCPoison.h
     runtime/JSCallee.h
+    runtime/JSCast.h
     runtime/JSCell.h
     runtime/JSCellInlines.h
     runtime/JSDataView.h

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,88 @@
+2018-02-14  Keith Miller  <keith_miller@apple.com>
+
+        We should be able to jsDynamicCast from JSType when possible
+        https://bugs.webkit.org/show_bug.cgi?id=182804
+
+        Reviewed by Filip Pizlo and Mark Lam.
+
+        This patch beefs up jsDynamicCast in some of the cases where we
+        can use the JSType to quickly determine if a cell is a subclass of
+        the desired type. Since all JSCells have a range of JSTypes they support,
+        if there is a range exclusive to a class and all subclasses we can use
+        that range to quickly determine if the cast should be successful.
+
+        Additionally, the JSValue versions of jsCast and jsDynamicCast now
+        call the JSCell version after checking the value is a cell.
+
+        Finally, the casting functions have been moved to a new header,
+        JSCast.h
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CallVariant.h:
+        * bytecode/CodeBlock.h:
+        * bytecode/ExecutableToCodeBlockEdge.h:
+        * bytecode/TrackedReferences.h:
+        * bytecode/UnlinkedCodeBlock.h:
+        * bytecode/UnlinkedFunctionExecutable.h:
+        * dfg/DFGAbstractValue.h:
+        * dfg/DFGCommonData.h:
+        * dfg/DFGFrozenValue.h:
+        * dfg/DFGStructureAbstractValue.h:
+        * heap/CellContainerInlines.h:
+        * heap/ConservativeRoots.cpp:
+        * heap/GCLogging.cpp:
+        * heap/HeapInlines.h:
+        * heap/HeapSnapshotBuilder.cpp:
+        * heap/MarkedBlock.cpp:
+        * heap/MarkedBlockInlines.h:
+        * heap/SubspaceInlines.h:
+        * heap/WeakInlines.h:
+        * jit/JITOpcodes.cpp:
+        * jit/JITOpcodes32_64.cpp:
+        * llint/LLIntOffsetsExtractor.cpp:
+        * runtime/ArrayBufferNeuteringWatchpoint.h:
+        * runtime/BigIntPrototype.cpp:
+        * runtime/ClassInfo.h:
+        * runtime/CustomGetterSetter.h:
+        * runtime/FunctionRareData.h:
+        * runtime/GetterSetter.h:
+        * runtime/InferredType.h:
+        * runtime/InferredTypeTable.h:
+        * runtime/InferredValue.h:
+        * runtime/InternalFunction.cpp:
+        (JSC::InternalFunction::finishCreation):
+        * runtime/JSAPIValueWrapper.h:
+        * runtime/JSArray.h:
+        (JSC::JSArray::finishCreation):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::finishCreation):
+        * runtime/JSCast.h: Added.
+        (JSC::jsCast):
+        (JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
+        (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
+        (JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
+        (JSC::jsDynamicCast):
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        (JSC::jsCast): Deleted.
+        (JSC::jsDynamicCast): Deleted.
+        * runtime/JSCellInlines.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::finishCreation):
+        * runtime/JSJob.h:
+        * runtime/JSObject.h:
+        (JSC::JSObject::finishCreation):
+        * runtime/JSPromiseDeferred.h:
+        * runtime/JSPropertyNameEnumerator.h:
+        * runtime/NativeStdFunctionCell.h:
+        * runtime/ScopedArgumentsTable.h:
+        * runtime/SparseArrayValueMap.h:
+        * runtime/Structure.h:
+        * runtime/StructureChain.h:
+        * runtime/StructureRareData.h:
+        * tools/CellProfile.h:
+        * wasm/js/JSWebAssemblyCodeBlock.h:
+
 2018-02-14  Michael Saboff  <msaboff@apple.com>
 
         Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code

diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -1020,6 +1020,7 @@
 		53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
 		539FB8BA1C99DA7C00940FA1 /* JSArrayInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */; };
 		53B4BD121F68B32500D2BEA3 /* WasmOps.h in Headers */ = {isa = PBXBuildFile; fileRef = 533B15DE1DC7F463004D500A /* WasmOps.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		53B601EC2034B8C5006BE667 /* JSCast.h in Headers */ = {isa = PBXBuildFile; fileRef = 53B601EB2034B8C5006BE667 /* JSCast.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		53C6FEEF1E8ADFA900B18425 /* WasmOpcodeOrigin.h in Headers */ = {isa = PBXBuildFile; fileRef = 53C6FEEE1E8ADFA900B18425 /* WasmOpcodeOrigin.h */; };
 		53CA730A1EA533D80076049D /* WasmBBQPlan.h in Headers */ = {isa = PBXBuildFile; fileRef = 53CA73081EA533D80076049D /* WasmBBQPlan.h */; };
 		53D444DC1DAF08AB00B92784 /* B3WasmAddressValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 53D444DB1DAF08AB00B92784 /* B3WasmAddressValue.h */; };
@@ -3427,6 +3428,7 @@
 		53B0BE331E561AC900A8FC29 /* GetterSetterAccessCase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetterSetterAccessCase.cpp; sourceTree = "<group>"; };
 		53B0BE351E561B0900A8FC29 /* ProxyableAccessCase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ProxyableAccessCase.cpp; sourceTree = "<group>"; };
 		53B0BE371E561B2400A8FC29 /* IntrinsicGetterAccessCase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IntrinsicGetterAccessCase.cpp; sourceTree = "<group>"; };
+		53B601EB2034B8C5006BE667 /* JSCast.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = JSCast.h; sourceTree = "<group>"; };
 		53C6FEEE1E8ADFA900B18425 /* WasmOpcodeOrigin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmOpcodeOrigin.h; sourceTree = "<group>"; };
 		53C6FEF01E8AFE0C00B18425 /* WasmOpcodeOrigin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmOpcodeOrigin.cpp; sourceTree = "<group>"; };
 		53CA73071EA533D80076049D /* WasmBBQPlan.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmBBQPlan.cpp; sourceTree = "<group>"; };
@@ -6608,6 +6610,7 @@
 				86FA9E90142BBB2E001773B7 /* JSBoundFunction.h */,
 				657CF45619BF6662004ACBF2 /* JSCallee.cpp */,
 				657CF45719BF6662004ACBF2 /* JSCallee.h */,
+				53B601EB2034B8C5006BE667 /* JSCast.h */,
 				BC7F8FBA0E19D1EF008632C0 /* JSCell.cpp */,
 				BC1167D80E19BCC9008066DD /* JSCell.h */,
 				0F97496F1687ADE200A4FF6A /* JSCellInlines.h */,
@@ -8898,6 +8901,7 @@
 				BC18C41B0E16F5CD00B34460 /* JSCallbackObject.h in Headers */,
 				BC18C41C0E16F5CD00B34460 /* JSCallbackObjectFunctions.h in Headers */,
 				657CF45919BF6662004ACBF2 /* JSCallee.h in Headers */,
+				53B601EC2034B8C5006BE667 /* JSCast.h in Headers */,
 				535C24691F7A1624006EC40E /* JSCBuiltins.cpp in Headers */,
 				A7D801A91880D6A80026C39B /* JSCBuiltins.h in Headers */,
 				BC1167DA0E19BCC9008066DD /* JSCell.h in Headers */,

diff --git a/Source/JavaScriptCore/bytecode/CallVariant.h b/Source/JavaScriptCore/bytecode/CallVariant.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "FunctionExecutable.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSFunction.h"
 #include "NativeExecutable.h"
 

diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.h b/Source/JavaScriptCore/bytecode/CodeBlock.h
@@ -50,7 +50,7 @@
 #include "JITCode.h"
 #include "JITMathICForwards.h"
 #include "JSCPoison.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSGlobalObject.h"
 #include "JumpTable.h"
 #include "LLIntCallLinkInfo.h"

diff --git a/Source/JavaScriptCore/bytecode/ExecutableToCodeBlockEdge.h b/Source/JavaScriptCore/bytecode/ExecutableToCodeBlockEdge.h
@@ -27,7 +27,7 @@
 
 #include "ConcurrentJSLock.h"
 #include "IsoSubspace.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "VM.h"
 
 namespace JSC {

diff --git a/Source/JavaScriptCore/bytecode/TrackedReferences.h b/Source/JavaScriptCore/bytecode/TrackedReferences.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "JSCJSValue.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include <wtf/HashSet.h>
 #include <wtf/PrintStream.h>
 

diff --git a/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h b/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h
@@ -31,7 +31,7 @@
 #include "ExpressionRangeInfo.h"
 #include "HandlerInfo.h"
 #include "Identifier.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "LockDuringMarking.h"
 #include "ParserModes.h"
 #include "RegExp.h"

diff --git a/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h b/Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h
@@ -31,7 +31,7 @@
 #include "ExpressionRangeInfo.h"
 #include "Identifier.h"
 #include "Intrinsic.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "ParserModes.h"
 #include "RegExp.h"
 #include "SourceCode.h"

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractValue.h b/Source/JavaScriptCore/dfg/DFGAbstractValue.h
@@ -34,7 +34,7 @@
 #include "DFGStructureAbstractValue.h"
 #include "DFGStructureClobberState.h"
 #include "InferredType.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "ResultType.h"
 #include "SpeculatedType.h"
 #include "DumpContext.h"

diff --git a/Source/JavaScriptCore/dfg/DFGCommonData.h b/Source/JavaScriptCore/dfg/DFGCommonData.h
@@ -33,7 +33,7 @@
 #include "DFGJumpReplacement.h"
 #include "DFGOSREntry.h"
 #include "InlineCallFrameSet.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "ProfilerCompilation.h"
 #include <wtf/Bag.h>
 #include <wtf/Noncopyable.h>

diff --git a/Source/JavaScriptCore/dfg/DFGFrozenValue.h b/Source/JavaScriptCore/dfg/DFGFrozenValue.h
@@ -28,8 +28,8 @@
 #if ENABLE(DFG_JIT)
 
 #include "DFGValueStrength.h"
-#include "JSCell.h"
 #include "JSCJSValue.h"
+#include "JSCast.h"
 #include "Structure.h"
 
 namespace JSC { namespace DFG {

diff --git a/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h b/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h
@@ -30,7 +30,7 @@
 #include "DFGRegisteredStructureSet.h"
 #include "DFGTransition.h"
 #include "DumpContext.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "SpeculatedType.h"
 #include "StructureSet.h"
 

diff --git a/Source/JavaScriptCore/heap/CellContainerInlines.h b/Source/JavaScriptCore/heap/CellContainerInlines.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "CellContainer.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "LargeAllocation.h"
 #include "MarkedBlock.h"
 #include "VM.h"

diff --git a/Source/JavaScriptCore/heap/ConservativeRoots.cpp b/Source/JavaScriptCore/heap/ConservativeRoots.cpp
@@ -31,7 +31,7 @@
 #include "HeapInlines.h"
 #include "HeapUtil.h"
 #include "JITStubRoutineSet.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSObject.h"
 #include "JSCInlines.h"
 #include "MarkedBlockInlines.h"

diff --git a/Source/JavaScriptCore/heap/GCLogging.cpp b/Source/JavaScriptCore/heap/GCLogging.cpp
@@ -29,7 +29,7 @@
 #include "ClassInfo.h"
 #include "Heap.h"
 #include "HeapIterationScope.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSCellInlines.h"
 #include <wtf/PrintStream.h>
 

diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
@@ -30,7 +30,7 @@
 #include "HeapCellInlines.h"
 #include "IndexingHeader.h"
 #include "JSCallee.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "Structure.h"
 #include <type_traits>
 #include <wtf/Assertions.h>

diff --git a/Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp b/Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp
@@ -31,7 +31,7 @@
 #include "HeapProfiler.h"
 #include "HeapSnapshot.h"
 #include "JSCInlines.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "PreventCollectionScope.h"
 #include "VM.h"
 #include <wtf/text/StringBuilder.h>

diff --git a/Source/JavaScriptCore/heap/MarkedBlock.cpp b/Source/JavaScriptCore/heap/MarkedBlock.cpp
@@ -29,7 +29,7 @@
 #include "AlignedMemoryAllocator.h"
 #include "BlockDirectoryInlines.h"
 #include "FreeListInlines.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSDestructibleObject.h"
 #include "JSCInlines.h"
 #include "MarkedBlockInlines.h"

diff --git a/Source/JavaScriptCore/heap/MarkedBlockInlines.h b/Source/JavaScriptCore/heap/MarkedBlockInlines.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "BlockDirectory.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "MarkedBlock.h"
 #include "MarkedSpace.h"
 #include "Operations.h"

diff --git a/Source/JavaScriptCore/heap/SubspaceInlines.h b/Source/JavaScriptCore/heap/SubspaceInlines.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "BlockDirectoryInlines.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "MarkedBlock.h"
 #include "MarkedSpace.h"
 #include "Subspace.h"

diff --git a/Source/JavaScriptCore/heap/WeakInlines.h b/Source/JavaScriptCore/heap/WeakInlines.h
@@ -25,7 +25,7 @@
 
 #pragma once
 
-#include "JSCell.h"
+#include "JSCast.h"
 #include "WeakSetInlines.h"
 #include <wtf/Assertions.h>
 

diff --git a/Source/JavaScriptCore/jit/JITOpcodes.cpp b/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -35,7 +35,7 @@
 #include "InterpreterInlines.h"
 #include "JITInlines.h"
 #include "JSArray.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSFunction.h"
 #include "JSPropertyNameEnumerator.h"
 #include "LinkBuffer.h"

diff --git a/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp b/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
@@ -35,7 +35,7 @@
 #include "Exception.h"
 #include "JITInlines.h"
 #include "JSArray.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSFunction.h"
 #include "JSPropertyNameEnumerator.h"
 #include "LinkBuffer.h"

diff --git a/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp b/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp
@@ -38,7 +38,7 @@
 #include "Interpreter.h"
 #include "JSArray.h"
 #include "JSArrayBufferView.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSFunction.h"
 #include "JSGlobalObject.h"
 #include "JSLexicalEnvironment.h"

diff --git a/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h b/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.h
@@ -25,7 +25,7 @@
 
 #pragma once
 
-#include "JSCell.h"
+#include "JSCast.h"
 #include "Watchpoint.h"
 
 namespace JSC {

diff --git a/Source/JavaScriptCore/runtime/BigIntPrototype.cpp b/Source/JavaScriptCore/runtime/BigIntPrototype.cpp
@@ -31,7 +31,7 @@
 #include "JSBigInt.h"
 #include "JSCBuiltins.h"
 #include "JSCInlines.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "JSFunction.h"
 #include "JSGlobalObject.h"
 #include "JSString.h"

diff --git a/Source/JavaScriptCore/runtime/ClassInfo.h b/Source/JavaScriptCore/runtime/ClassInfo.h
@@ -24,7 +24,7 @@
 
 #include "CallFrame.h"
 #include "ConstructData.h"
-#include "JSCell.h"
+#include "JSCast.h"
 
 namespace WTF {
 class PrintStream;

diff --git a/Source/JavaScriptCore/runtime/CustomGetterSetter.h b/Source/JavaScriptCore/runtime/CustomGetterSetter.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "JSCPoison.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "PropertySlot.h"
 #include "PutPropertySlot.h"
 #include "Structure.h"

diff --git a/Source/JavaScriptCore/runtime/FunctionRareData.h b/Source/JavaScriptCore/runtime/FunctionRareData.h
@@ -26,7 +26,7 @@
 #pragma once
 
 #include "InternalFunctionAllocationProfile.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "ObjectAllocationProfile.h"
 #include "Watchpoint.h"
 

diff --git a/Source/JavaScriptCore/runtime/GetterSetter.h b/Source/JavaScriptCore/runtime/GetterSetter.h
@@ -22,7 +22,7 @@
 
 #pragma once
 
-#include "JSCell.h"
+#include "JSCast.h"
 
 #include "CallFrame.h"
 #include "JSGlobalObject.h"

diff --git a/Source/JavaScriptCore/runtime/InferredType.h b/Source/JavaScriptCore/runtime/InferredType.h
@@ -28,7 +28,7 @@
 #include "ConcurrentJSLock.h"
 #include "InferredStructure.h"
 #include "IsoCellSet.h"
-#include "JSCell.h"
+#include "JSCast.h"
 #include "PropertyName.h"
 #include "PutByIdFlags.h"
 #include "Watchpoint.h"

diff --git a/Source/JavaScriptCore/runtime/InferredTypeTable.h b/Source/JavaScriptCore/runtime/InferredTypeTable.h
@@ -27,7 +27,7 @@
 
 #include "Identifier.h"
 #include "InferredType.h"
-#include "JSCell.h"
+#include "JSCast.h"
 
 namespace JSC {