[builtins] Put all JS linkage builtins in CODE_SPACE

Since WASM can generate direct calls to any function that it knows the
arity of and these can be any JS linkage builtin, we need to ensure that
CPP builtins also go into CODE_SPACE.

This moves 276 builtins (~25KiB) from RO_SPACE back to CODE_SPACE.

Bug: chromium:1022695, v8:7464
Change-Id: I4cda8b68ddf6a5ddad09c6e7d4e6a08c8e6c2ccb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1916600
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65004}

src/builtins/builtins.cc

@@ -443,7 +443,12 @@ bool Builtins::CodeObjectIsExecutable(int builtin_index) {
   // that they are builtins at generation time. E.g.
   //   f = Array.of;
   //   f(1, 2, 3);
-  if (Builtins::KindOf(builtin_index) == Builtins::TFJ) return true;
+  // TODO(delphick): This is probably too loose but for now Wasm can call any JS
+  // linkage builtin via its Code object. Once Wasm is fixed this can either be
+  // tighted or removed completely.
+  if (Builtins::KindOf(builtin_index) != BCH && HasJSLinkage(builtin_index)) {
+    return true;
+  }
 
   // There are some other non-TF builtins that also have JS linkage like
   // InterpreterEntryTrampoline which are explicitly allow-listed below.

test/mjsunit/regress/regress-crbug-1022695.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(() => {
+  (function (foo, foreign) {
+      'use asm';
+      var f = foreign.toString;
+      function get() {
+          f();
+      }
+      return get;
+  })(this, new Error())();
+});