Changeset 217031 in webkit for trunk/Source/JavaScriptCore/jsc.cpp

Timestamp:

May 17, 2017, 9:59:38 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
​https://bugs.webkit.org/show_bug.cgi?id=172098

Reviewed by Saam Barati.

JSTests:

• stress/check-sub-class.js: Added.

(shouldBe):
(shouldThrow):
(calling):
(array.forEach):
(i.array.forEach):

Source/JavaScriptCore:

In this patch, we generalize CheckDOM to CheckSubClass.
It can accept any ClassInfo and perform ClassInfo check
in DFG / FTL. Now, we add a new function pointer to ClassInfo,
checkSubClassPatchpoint. It can create DOMJIT patchpoint
for that ClassInfo. It it natural that ClassInfo holds the
way to emit DOMJIT::Patchpoint to perform CheckSubClass
rather than having it in each DOMJIT getter / function
signature annotation.

One problem is that it enlarges the size of ClassInfo.
But this is the best place to put this function pointer.
By doing so, we can add a patchpoint for CheckSubClass
in an non-intrusive manner: WebCore can inject patchpoints
without interactive JSC.

We still have a way to reduce the size of ClassInfo if
we move ArrayBuffer related methods out to the other places.

This patch touches many files because we add a new function
pointer to ClassInfo. But they are basically mechanical change.

• API/JSAPIWrapperObject.mm:
• API/JSCallbackConstructor.cpp:
• API/JSCallbackFunction.cpp:
• API/JSCallbackObject.cpp:
• API/ObjCCallbackFunction.mm:
• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:
• bytecode/DOMJITAccessCasePatchpointParams.h:

(JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):

• bytecode/EvalCodeBlock.cpp:
• bytecode/FunctionCodeBlock.cpp:
• bytecode/GetterSetterAccessCase.cpp:

(JSC::GetterSetterAccessCase::emitDOMJITGetter):

• bytecode/ModuleProgramCodeBlock.cpp:
• bytecode/ProgramCodeBlock.cpp:
• bytecode/UnlinkedCodeBlock.cpp:
• bytecode/UnlinkedEvalCodeBlock.cpp:
• bytecode/UnlinkedFunctionCodeBlock.cpp:
• bytecode/UnlinkedFunctionExecutable.cpp:
• bytecode/UnlinkedModuleProgramCodeBlock.cpp:
• bytecode/UnlinkedProgramCodeBlock.cpp:
• debugger/DebuggerScope.cpp:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleDOMJITGetter):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDOMJITPatchpointParams.h:

(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeCallDOM):
(JSC::DFG::FixupPhase::fixupCheckSubClass):
(JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasClassInfo):
(JSC::DFG::Node::classInfo):
(JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
(JSC::DFG::Node::checkDOMPatchpoint): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckSubClass):
(JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::vm):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):
In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
And ClassInfo knows how to perform CheckSubClass efficiently.
If ClassInfo does not have a way to perform CheckSubClass efficiently,
we just perform jsDynamicCast thing in ASM.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• domjit/DOMJITGetterSetter.h:
• domjit/DOMJITPatchpointParams.h:

(JSC::DOMJIT::PatchpointParams::PatchpointParams):
(JSC::DOMJIT::PatchpointParams::vm):

• domjit/DOMJITSignature.h:

(JSC::DOMJIT::Signature::Signature):
(JSC::DOMJIT::Signature::checkDOM): Deleted.

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLDOMJITPatchpointParams.h:

(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.

• inspector/JSInjectedScriptHost.cpp:
• inspector/JSInjectedScriptHostPrototype.cpp:
• inspector/JSJavaScriptCallFrame.cpp:
• inspector/JSJavaScriptCallFramePrototype.cpp:
• jsc.cpp:

(WTF::DOMJITNode::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
(WTF::DOMJITFunctionObject::finishCreation):
(WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
(WTF::DOMJITCheckSubClassObject::createStructure):
(WTF::DOMJITCheckSubClassObject::create):
(WTF::DOMJITCheckSubClassObject::safeFunction):
(WTF::DOMJITCheckSubClassObject::unsafeFunction):
(WTF::DOMJITCheckSubClassObject::finishCreation):
(GlobalObject::finishCreation):
(functionCreateDOMJITCheckSubClassObject):
(WTF::DOMJITNode::checkDOMJITNode): Deleted.
(WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.

• runtime/AbstractModuleRecord.cpp:
• runtime/ArrayBufferNeuteringWatchpoint.cpp:
• runtime/ArrayConstructor.cpp:
• runtime/ArrayIteratorPrototype.cpp:
• runtime/ArrayPrototype.cpp:
• runtime/AsyncFunctionConstructor.cpp:
• runtime/AsyncFunctionPrototype.cpp:
• runtime/AtomicsObject.cpp:
• runtime/BooleanConstructor.cpp:
• runtime/BooleanObject.cpp:
• runtime/BooleanPrototype.cpp:
• runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.

(JSC::ClassInfo::dump):

• runtime/ClassInfo.h:

(JSC::ClassInfo::offsetOfParentClass):

• runtime/ClonedArguments.cpp:
• runtime/ConsoleObject.cpp:
• runtime/CustomGetterSetter.cpp:
• runtime/DateConstructor.cpp:
• runtime/DateInstance.cpp:
• runtime/DatePrototype.cpp:
• runtime/DirectArguments.cpp:
• runtime/Error.cpp:
• runtime/ErrorConstructor.cpp:
• runtime/ErrorInstance.cpp:
• runtime/ErrorPrototype.cpp:
• runtime/EvalExecutable.cpp:
• runtime/Exception.cpp:
• runtime/ExceptionHelpers.cpp:
• runtime/ExecutableBase.cpp:
• runtime/FunctionConstructor.cpp:
• runtime/FunctionExecutable.cpp:
• runtime/FunctionPrototype.cpp:
• runtime/FunctionRareData.cpp:
• runtime/GeneratorFunctionConstructor.cpp:
• runtime/GeneratorFunctionPrototype.cpp:
• runtime/GeneratorPrototype.cpp:
• runtime/GetterSetter.cpp:
• runtime/HashMapImpl.cpp:
• runtime/HashMapImpl.h:
• runtime/InferredType.cpp:

(JSC::InferredType::create):

• runtime/InferredTypeTable.cpp:
• runtime/InferredValue.cpp:
• runtime/InspectorInstrumentationObject.cpp:
• runtime/InternalFunction.cpp:
• runtime/IntlCollator.cpp:
• runtime/IntlCollatorConstructor.cpp:
• runtime/IntlCollatorPrototype.cpp:
• runtime/IntlDateTimeFormat.cpp:
• runtime/IntlDateTimeFormatConstructor.cpp:
• runtime/IntlDateTimeFormatPrototype.cpp:
• runtime/IntlNumberFormat.cpp:
• runtime/IntlNumberFormatConstructor.cpp:
• runtime/IntlNumberFormatPrototype.cpp:
• runtime/IntlObject.cpp:
• runtime/IteratorPrototype.cpp:
• runtime/JSAPIValueWrapper.cpp:
• runtime/JSArray.cpp:
• runtime/JSArrayBuffer.cpp:
• runtime/JSArrayBufferConstructor.cpp:
• runtime/JSArrayBufferPrototype.cpp:
• runtime/JSArrayBufferView.cpp:
• runtime/JSAsyncFunction.cpp:
• runtime/JSBoundFunction.cpp:
• runtime/JSCallee.cpp:
• runtime/JSCustomGetterSetterFunction.cpp:
• runtime/JSDataView.cpp:
• runtime/JSDataViewPrototype.cpp:
• runtime/JSEnvironmentRecord.cpp:
• runtime/JSFixedArray.cpp:
• runtime/JSFunction.cpp:
• runtime/JSGeneratorFunction.cpp:
• runtime/JSGlobalLexicalEnvironment.cpp:
• runtime/JSGlobalObject.cpp:
• runtime/JSInternalPromise.cpp:
• runtime/JSInternalPromiseConstructor.cpp:
• runtime/JSInternalPromiseDeferred.cpp:
• runtime/JSInternalPromisePrototype.cpp:
• runtime/JSLexicalEnvironment.cpp:
• runtime/JSMap.cpp:
• runtime/JSMapIterator.cpp:
• runtime/JSModuleEnvironment.cpp:
• runtime/JSModuleLoader.cpp:
• runtime/JSModuleNamespaceObject.cpp:
• runtime/JSModuleRecord.cpp:
• runtime/JSNativeStdFunction.cpp:
• runtime/JSONObject.cpp:
• runtime/JSObject.cpp:
• runtime/JSPromise.cpp:
• runtime/JSPromiseConstructor.cpp:
• runtime/JSPromiseDeferred.cpp:
• runtime/JSPromisePrototype.cpp:
• runtime/JSPropertyNameEnumerator.cpp:
• runtime/JSPropertyNameIterator.cpp:
• runtime/JSProxy.cpp:
• runtime/JSScriptFetcher.cpp:
• runtime/JSSet.cpp:
• runtime/JSSetIterator.cpp:
• runtime/JSSourceCode.cpp:
• runtime/JSString.cpp:
• runtime/JSStringIterator.cpp:
• runtime/JSSymbolTableObject.cpp:
• runtime/JSTemplateRegistryKey.cpp:
• runtime/JSTypedArrayConstructors.cpp:
• runtime/JSTypedArrayPrototypes.cpp:
• runtime/JSTypedArrayViewConstructor.cpp:
• runtime/JSTypedArrays.cpp:
• runtime/JSWeakMap.cpp:
• runtime/JSWeakSet.cpp:
• runtime/JSWithScope.cpp:
• runtime/MapConstructor.cpp:
• runtime/MapIteratorPrototype.cpp:
• runtime/MapPrototype.cpp:
• runtime/MathObject.cpp:
• runtime/ModuleLoaderPrototype.cpp:
• runtime/ModuleProgramExecutable.cpp:
• runtime/NativeErrorConstructor.cpp:
• runtime/NativeExecutable.cpp:
• runtime/NativeStdFunctionCell.cpp:
• runtime/NullGetterFunction.cpp:
• runtime/NullSetterFunction.cpp:
• runtime/NumberConstructor.cpp:
• runtime/NumberObject.cpp:
• runtime/NumberPrototype.cpp:
• runtime/ObjectConstructor.cpp:
• runtime/ObjectPrototype.cpp:
• runtime/ProgramExecutable.cpp:
• runtime/PropertyTable.cpp:
• runtime/ProxyConstructor.cpp:
• runtime/ProxyObject.cpp:
• runtime/ProxyRevoke.cpp:
• runtime/ReflectObject.cpp:
• runtime/RegExp.cpp:
• runtime/RegExpConstructor.cpp:
• runtime/RegExpObject.cpp:
• runtime/RegExpPrototype.cpp:
• runtime/ScopedArguments.cpp:
• runtime/ScopedArgumentsTable.cpp:
• runtime/ScriptExecutable.cpp:
• runtime/SetConstructor.cpp:
• runtime/SetIteratorPrototype.cpp:
• runtime/SetPrototype.cpp:
• runtime/SparseArrayValueMap.cpp:
• runtime/StrictEvalActivation.cpp:
• runtime/StringConstructor.cpp:
• runtime/StringIteratorPrototype.cpp:
• runtime/StringObject.cpp:
• runtime/StringPrototype.cpp:
• runtime/Structure.cpp:
• runtime/StructureChain.cpp:
• runtime/StructureRareData.cpp:
• runtime/Symbol.cpp:
• runtime/SymbolConstructor.cpp:
• runtime/SymbolObject.cpp:
• runtime/SymbolPrototype.cpp:
• runtime/SymbolTable.cpp:
• runtime/WeakMapConstructor.cpp:
• runtime/WeakMapData.cpp:
• runtime/WeakMapPrototype.cpp:
• runtime/WeakSetConstructor.cpp:
• runtime/WeakSetPrototype.cpp:
• testRegExp.cpp:
• tools/JSDollarVM.cpp:
• tools/JSDollarVMPrototype.cpp:
• wasm/JSWebAssembly.cpp:
• wasm/js/JSWebAssemblyCodeBlock.cpp:
• wasm/js/JSWebAssemblyCompileError.cpp:
• wasm/js/JSWebAssemblyInstance.cpp:
• wasm/js/JSWebAssemblyLinkError.cpp:
• wasm/js/JSWebAssemblyMemory.cpp:
• wasm/js/JSWebAssemblyModule.cpp:
• wasm/js/JSWebAssemblyRuntimeError.cpp:
• wasm/js/JSWebAssemblyTable.cpp:
• wasm/js/WebAssemblyCompileErrorConstructor.cpp:
• wasm/js/WebAssemblyCompileErrorPrototype.cpp:
• wasm/js/WebAssemblyFunction.cpp:
• wasm/js/WebAssemblyInstanceConstructor.cpp:
• wasm/js/WebAssemblyInstancePrototype.cpp:
• wasm/js/WebAssemblyLinkErrorConstructor.cpp:
• wasm/js/WebAssemblyLinkErrorPrototype.cpp:
• wasm/js/WebAssemblyMemoryConstructor.cpp:
• wasm/js/WebAssemblyMemoryPrototype.cpp:
• wasm/js/WebAssemblyModuleConstructor.cpp:
• wasm/js/WebAssemblyModulePrototype.cpp:
• wasm/js/WebAssemblyModuleRecord.cpp:
• wasm/js/WebAssemblyPrototype.cpp:
• wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
• wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
• wasm/js/WebAssemblyTableConstructor.cpp:
• wasm/js/WebAssemblyTablePrototype.cpp:
• wasm/js/WebAssemblyToJSCallee.cpp:
• wasm/js/WebAssemblyWrapperFunction.cpp:

Source/WebCore:

Add DOMJIT interface IDL attribute. Which allows us to define checkSubClassPatchpoint function
for that ClassInfo. And we move CheckSubClass patchpoint implementation to ClassInfo's member.

• CMakeLists.txt:
• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSDOMGlobalObject.cpp:
• bindings/js/JSDOMWindowBase.cpp:
• bindings/js/JSDOMWindowProperties.cpp:
• bindings/js/JSDOMWindowShell.cpp:
• bindings/js/JSReadableStreamPrivateConstructors.cpp:
• bindings/js/JSWorkerGlobalScopeBase.cpp:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):
(GenerateImplementationIterableFunctions):
(GenerateConstructorHelperMethods):

• bindings/scripts/IDLAttributes.json:
• bindings/scripts/test/JS/JSInterfaceName.cpp:
• bindings/scripts/test/JS/JSMapLike.cpp:
• bindings/scripts/test/JS/JSReadOnlyMapLike.cpp:
• bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
• bindings/scripts/test/JS/JSTestCEReactions.cpp:
• bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp:
• bindings/scripts/test/JS/JSTestCallbackInterface.cpp:
• bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp:
• bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp:
• bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
• bindings/scripts/test/JS/JSTestDOMJIT.cpp:
• bindings/scripts/test/JS/JSTestDOMJIT.h:
• bindings/scripts/test/JS/JSTestEventConstructor.cpp:
• bindings/scripts/test/JS/JSTestEventTarget.cpp:
• bindings/scripts/test/JS/JSTestException.cpp:
• bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp:
• bindings/scripts/test/JS/JSTestGlobalObject.cpp:
• bindings/scripts/test/JS/JSTestInterface.cpp:
• bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp:
• bindings/scripts/test/JS/JSTestIterable.cpp:
• bindings/scripts/test/JS/JSTestJSBuiltinConstructor.cpp:
• bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
• bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
• bindings/scripts/test/JS/JSTestNode.cpp:
• bindings/scripts/test/JS/JSTestObj.cpp:
• bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
• bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
• bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp:
• bindings/scripts/test/JS/JSTestPromiseRejectionEvent.cpp:
• bindings/scripts/test/JS/JSTestSerialization.cpp:
• bindings/scripts/test/JS/JSTestSerializationInherit.cpp:
• bindings/scripts/test/JS/JSTestSerializationInheritFinal.cpp:
• bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
• bindings/scripts/test/JS/JSTestTypedefs.cpp:
• bridge/c/CRuntimeObject.cpp:
• bridge/c/c_instance.cpp:
• bridge/objc/ObjCRuntimeObject.mm:
• bridge/objc/objc_instance.mm:
• bridge/objc/objc_runtime.mm:
• bridge/runtime_array.cpp:
• bridge/runtime_method.cpp:
• bridge/runtime_object.cpp:
• dom/Document.idl:
• dom/DocumentFragment.idl:
• dom/Element.idl:
• dom/Event.idl:
• dom/Node.idl:
• domjit/JSDocumentDOMJIT.cpp:

(WebCore::JSDocument::checkSubClassPatchpoint):
(WebCore::DocumentDocumentElementDOMJIT::checkDOM): Deleted.
(WebCore::DocumentBodyDOMJIT::checkDOM): Deleted.

• domjit/JSDocumentFragmentDOMJIT.cpp: Copied from Source/JavaScriptCore/runtime/JSMap.cpp.

(WebCore::JSDocumentFragment::checkSubClassPatchpoint):

• domjit/JSElementDOMJIT.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.

(WebCore::JSElement::checkSubClassPatchpoint):

• domjit/JSEventDOMJIT.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.

(WebCore::JSEvent::checkSubClassPatchpoint):

• domjit/JSNodeDOMJIT.cpp:

(WebCore::JSNode::checkSubClassPatchpoint):
(WebCore::NodeFirstChildDOMJIT::checkDOM): Deleted.
(WebCore::NodeLastChildDOMJIT::checkDOM): Deleted.
(WebCore::NodeNextSiblingDOMJIT::checkDOM): Deleted.
(WebCore::NodePreviousSiblingDOMJIT::checkDOM): Deleted.
(WebCore::NodeParentNodeDOMJIT::checkDOM): Deleted.
(WebCore::NodeNodeTypeDOMJIT::checkDOM): Deleted.
(WebCore::NodeOwnerDocumentDOMJIT::checkDOM): Deleted.

Source/WebKit/mac:

• Plugins/Hosted/ProxyInstance.mm:
• Plugins/Hosted/ProxyRuntimeObject.mm:

Source/WebKit2:

• WebProcess/Plugins/Netscape/JSNPMethod.cpp:
• WebProcess/Plugins/Netscape/JSNPObject.cpp:

File:

• trunk/Source/JavaScriptCore/jsc.cpp (modified) (12 diffs)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -590 +590 @@
 
 #if ENABLE(JIT)
-    static Ref<DOMJIT::Patchpoint> checkDOMJITNode()
+    static RefPtr<DOMJIT::Patchpoint> checkSubClassPatchpoint()
     {
         Ref<DOMJIT::Patchpoint> patchpoint = DOMJIT::Patchpoint::create();
@@ -601 +601 @@
             return failureCases;
         });
-        return patchpoint;
+        return WTFMove(patchpoint);
     }
 #endif
@@ -654 +654 @@
 
 #if ENABLE(JIT)
-        Ref<DOMJIT::Patchpoint> checkDOM() override
-        {
-            return DOMJITNode::checkDOMJITNode();
-        }
-
         static EncodedJSValue JIT_OPERATION slowCall(ExecState* exec, void* pointer)
         {
@@ -739 +734 @@
 
 #if ENABLE(JIT)
-        Ref<DOMJIT::Patchpoint> checkDOM() override
-        {
-            return DOMJITNode::checkDOMJITNode();
-        }
-
         static EncodedJSValue JIT_OPERATION slowCall(ExecState* exec, void* pointer)
         {
@@ -857 +847 @@
     }
 
-#if ENABLE(JIT)
     static EncodedJSValue JIT_OPERATION unsafeFunction(ExecState* exec, DOMJITNode* node)
     {
@@ -864 +853 @@
     }
 
-    static Ref<DOMJIT::Patchpoint> checkDOMJITNode()
+#if ENABLE(JIT)
+    static RefPtr<DOMJIT::Patchpoint> checkSubClassPatchpoint()
     {
         static const double value = 42.0;
@@ -879 +869 @@
             return failureCases;
         });
-        return patchpoint;
+        return WTFMove(patchpoint);
     }
 #endif
@@ -887 +877 @@
 };
 
+static const DOMJIT::Signature DOMJITFunctionObjectSignature((uintptr_t)DOMJITFunctionObject::unsafeFunction, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange::top()), SpecInt32Only);
+
+void DOMJITFunctionObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, &DOMJITFunctionObjectSignature, ReadOnly);
+}
+
+class DOMJITCheckSubClassObject : public DOMJITNode {
+public:
+    DOMJITCheckSubClassObject(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef DOMJITNode Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITCheckSubClassObject* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    {
+        DOMJITCheckSubClassObject* object = new (NotNull, allocateCell<DOMJITCheckSubClassObject>(vm.heap, sizeof(DOMJITCheckSubClassObject))) DOMJITCheckSubClassObject(vm, structure);
+        object->finishCreation(vm, globalObject);
+        return object;
+    }
+
+    static EncodedJSValue JSC_HOST_CALL safeFunction(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        auto* thisObject = jsDynamicCast<DOMJITCheckSubClassObject*>(vm, exec->thisValue());
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(thisObject->value()));
+    }
+
+    static EncodedJSValue JIT_OPERATION unsafeFunction(ExecState* exec, DOMJITNode* node)
+    {
+        NativeCallFrameTracer tracer(&exec->vm(), exec);
+        return JSValue::encode(jsNumber(node->value()));
+    }
+
+private:
+    void finishCreation(VM&, JSGlobalObject*);
+};
+
+static const DOMJIT::Signature DOMJITCheckSubClassObjectSignature((uintptr_t)DOMJITCheckSubClassObject::unsafeFunction, DOMJITCheckSubClassObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange::top()), SpecInt32Only);
+
+void DOMJITCheckSubClassObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, &DOMJITCheckSubClassObjectSignature, ReadOnly);
+}
+
+const ClassInfo Element::s_info = { "Element", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Element) };
+const ClassInfo Masquerader::s_info = { "Masquerader", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Masquerader) };
+const ClassInfo Root::s_info = { "Root", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Root) };
+const ClassInfo ImpureGetter::s_info = { "ImpureGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ImpureGetter) };
+const ClassInfo CustomGetter::s_info = { "CustomGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(CustomGetter) };
 #if ENABLE(JIT)
-static const DOMJIT::Signature DOMJITFunctionObjectSignature((uintptr_t)DOMJITFunctionObject::unsafeFunction, DOMJITFunctionObject::checkDOMJITNode, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange::top()), SpecInt32Only);
-#endif
-
-void DOMJITFunctionObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
-{
-    Base::finishCreation(vm);
+const ClassInfo DOMJITNode::s_info = { "DOMJITNode", &Base::s_info, nullptr, &DOMJITNode::checkSubClassPatchpoint, CREATE_METHOD_TABLE(DOMJITNode) };
+#else
+const ClassInfo DOMJITNode::s_info = { "DOMJITNode", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITNode) };
+#endif
+const ClassInfo DOMJITGetter::s_info = { "DOMJITGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITGetter) };
+const ClassInfo DOMJITGetterComplex::s_info = { "DOMJITGetterComplex", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITGetterComplex) };
 #if ENABLE(JIT)
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, &DOMJITFunctionObjectSignature, ReadOnly);
+const ClassInfo DOMJITFunctionObject::s_info = { "DOMJITFunctionObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITFunctionObject) };
 #else
-    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, nullptr, ReadOnly);
-#endif
-}
-
-
-const ClassInfo Element::s_info = { "Element", &Base::s_info, nullptr, CREATE_METHOD_TABLE(Element) };
-const ClassInfo Masquerader::s_info = { "Masquerader", &Base::s_info, nullptr, CREATE_METHOD_TABLE(Masquerader) };
-const ClassInfo Root::s_info = { "Root", &Base::s_info, nullptr, CREATE_METHOD_TABLE(Root) };
-const ClassInfo ImpureGetter::s_info = { "ImpureGetter", &Base::s_info, nullptr, CREATE_METHOD_TABLE(ImpureGetter) };
-const ClassInfo CustomGetter::s_info = { "CustomGetter", &Base::s_info, nullptr, CREATE_METHOD_TABLE(CustomGetter) };
-const ClassInfo DOMJITNode::s_info = { "DOMJITNode", &Base::s_info, nullptr, CREATE_METHOD_TABLE(DOMJITNode) };
-const ClassInfo DOMJITGetter::s_info = { "DOMJITGetter", &Base::s_info, nullptr, CREATE_METHOD_TABLE(DOMJITGetter) };
-const ClassInfo DOMJITGetterComplex::s_info = { "DOMJITGetterComplex", &Base::s_info, nullptr, CREATE_METHOD_TABLE(DOMJITGetterComplex) };
-const ClassInfo DOMJITFunctionObject::s_info = { "DOMJITFunctionObject", &Base::s_info, nullptr, CREATE_METHOD_TABLE(DOMJITFunctionObject) };
-const ClassInfo RuntimeArray::s_info = { "RuntimeArray", &Base::s_info, nullptr, CREATE_METHOD_TABLE(RuntimeArray) };
-const ClassInfo SimpleObject::s_info = { "SimpleObject", &Base::s_info, nullptr, CREATE_METHOD_TABLE(SimpleObject) };
+const ClassInfo DOMJITFunctionObject::s_info = { "DOMJITFunctionObject", &Base::s_info, nullptr, &DOMJITFunctionObject::checkSubClassPatchpoint, CREATE_METHOD_TABLE(DOMJITFunctionObject) };
+#endif
+const ClassInfo DOMJITCheckSubClassObject::s_info = { "DOMJITCheckSubClassObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITCheckSubClassObject) };
+const ClassInfo RuntimeArray::s_info = { "RuntimeArray", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(RuntimeArray) };
+const ClassInfo SimpleObject::s_info = { "SimpleObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(SimpleObject) };
 static unsigned asyncTestPasses { 0 };
 static unsigned asyncTestExpectedPasses { 0 };
@@ -1004 +1049 @@
 static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITGetterComplexObject(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITFunctionObject(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITCheckSubClassObject(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionCreateBuiltin(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionCreateGlobalObject(ExecState*);
@@ -1319 +1365 @@
         addFunction(vm, "createDOMJITGetterComplexObject", functionCreateDOMJITGetterComplexObject, 0);
         addFunction(vm, "createDOMJITFunctionObject", functionCreateDOMJITFunctionObject, 0);
+        addFunction(vm, "createDOMJITCheckSubClassObject", functionCreateDOMJITCheckSubClassObject, 0);
         addFunction(vm, "createBuiltin", functionCreateBuiltin, 2);
         addFunction(vm, "createGlobalObject", functionCreateGlobalObject, 0);
@@ -1427 +1474 @@
 };
 
-const ClassInfo GlobalObject::s_info = { "global", &JSGlobalObject::s_info, nullptr, CREATE_METHOD_TABLE(GlobalObject) };
+const ClassInfo GlobalObject::s_info = { "global", &JSGlobalObject::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(GlobalObject) };
 const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = {
     &supportsRichSourceInfo,
@@ -2002 +2049 @@
 }
 
+EncodedJSValue JSC_HOST_CALL functionCreateDOMJITCheckSubClassObject(ExecState* exec)
+{
+    JSLockHolder lock(exec);
+    Structure* structure = DOMJITCheckSubClassObject::createStructure(exec->vm(), exec->lexicalGlobalObject(), jsNull());
+    DOMJITCheckSubClassObject* result = DOMJITCheckSubClassObject::create(exec->vm(), exec->lexicalGlobalObject(), structure);
+    return JSValue::encode(result);
+}
+
 EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(ExecState* exec)
 {