[turbofan] Store native_context rather than global_proxy for JSFunction.

This will also be useful for JSCallReducer.

In order to avoid extra work, the CL restricts one path of the JSCall
lowering to functions from the own native context.

Bug: v8:7790
Change-Id: I9f3a478969d641da59661ff196fdedae8195d680
Reviewed-on: https://chromium-review.googlesource.com/c/1286335Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56733}

src/compiler/js-heap-broker.cc

@@ -284,7 +284,7 @@ class JSFunctionData : public JSObjectData {
 
   void Serialize(JSHeapBroker* broker);
 
-  JSGlobalProxyData* global_proxy() const { return global_proxy_; }
+  NativeContextData* native_context() const { return native_context_; }
   MapData* initial_map() const { return initial_map_; }
   ObjectData* prototype() const { return prototype_; }
   SharedFunctionInfoData* shared() const { return shared_; }
@@ -300,7 +300,7 @@ class JSFunctionData : public JSObjectData {
 
   bool serialized_ = false;
 
-  JSGlobalProxyData* global_proxy_ = nullptr;
+  NativeContextData* native_context_ = nullptr;
   MapData* initial_map_ = nullptr;
   ObjectData* prototype_ = nullptr;
   SharedFunctionInfoData* shared_ = nullptr;
@@ -749,13 +749,13 @@ void JSFunctionData::Serialize(JSHeapBroker* broker) {
   TraceScope tracer(broker, this, "JSFunctionData::Serialize");
   Handle<JSFunction> function = Handle<JSFunction>::cast(object());
 
-  DCHECK_NULL(global_proxy_);
+  DCHECK_NULL(native_context_);
   DCHECK_NULL(initial_map_);
   DCHECK_NULL(prototype_);
   DCHECK_NULL(shared_);
 
-  global_proxy_ =
-      broker->GetOrCreateData(function->global_proxy())->AsJSGlobalProxy();
+  native_context_ =
+      broker->GetOrCreateData(function->native_context())->AsNativeContext();
   shared_ = broker->GetOrCreateData(function->shared())->AsSharedFunctionInfo();
   initial_map_ = has_initial_map()
                      ? broker->GetOrCreateData(function->initial_map())->AsMap()
@@ -2040,7 +2040,7 @@ BIMODAL_ACCESSOR(JSArray, Object, length)
 BIMODAL_ACCESSOR_C(JSFunction, bool, has_prototype)
 BIMODAL_ACCESSOR_C(JSFunction, bool, has_initial_map)
 BIMODAL_ACCESSOR_C(JSFunction, bool, PrototypeRequiresRuntimeLookup)
-BIMODAL_ACCESSOR(JSFunction, JSGlobalProxy, global_proxy)
+BIMODAL_ACCESSOR(JSFunction, NativeContext, native_context)
 BIMODAL_ACCESSOR(JSFunction, Map, initial_map)
 BIMODAL_ACCESSOR(JSFunction, Object, prototype)
 BIMODAL_ACCESSOR(JSFunction, SharedFunctionInfo, shared)

src/compiler/js-heap-broker.h

@@ -199,7 +199,7 @@ class JSFunctionRef : public JSObjectRef {
   // The following are available only after calling Serialize().
   ObjectRef prototype() const;
   MapRef initial_map() const;
-  JSGlobalProxyRef global_proxy() const;
+  NativeContextRef native_context() const;
   SharedFunctionInfoRef shared() const;
   int InitialMapInstanceSizeWithMinSlack() const;
 };
@@ -247,6 +247,7 @@ class ContextRef : public HeapObjectRef {
   V(JSFunction, promise_function)                  \
   V(JSFunction, string_function)                   \
   V(JSFunction, symbol_function)                   \
+  V(JSGlobalProxy, global_proxy_object)            \
   V(Map, fast_aliased_arguments_map)               \
   V(Map, initial_array_iterator_map)               \
   V(Map, initial_string_iterator_map)              \

src/compiler/js-typed-lowering.cc

@@ -1625,22 +1625,27 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
     // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList ).
     if (IsClassConstructor(shared.kind())) return NoChange();
 
-    // Load the context from the {target}.
-    Node* context = effect = graph()->NewNode(
-        simplified()->LoadField(AccessBuilder::ForJSFunctionContext()), target,
-        effect, control);
-    NodeProperties::ReplaceContextInput(node, context);
-
-    // Check if we need to convert the {receiver}.
+    // Check if we need to convert the {receiver}, but bailout if it would
+    // require data from a foreign native context.
     if (is_sloppy(shared.language_mode()) && !shared.native() &&
         !receiver_type.Is(Type::Receiver())) {
-      Node* global_proxy = jsgraph()->Constant(function.global_proxy());
+      if (!function.native_context().equals(broker()->native_context())) {
+        return NoChange();
+      }
+      Node* global_proxy =
+          jsgraph()->Constant(function.native_context().global_proxy_object());
       receiver = effect =
           graph()->NewNode(simplified()->ConvertReceiver(convert_mode),
                            receiver, global_proxy, effect, control);
       NodeProperties::ReplaceValueInput(node, receiver, 1);
     }
 
+    // Load the context from the {target}.
+    Node* context = effect = graph()->NewNode(
+        simplified()->LoadField(AccessBuilder::ForJSFunctionContext()), target,
+        effect, control);
+    NodeProperties::ReplaceContextInput(node, context);
+
     // Update the effect dependency for the {node}.
     NodeProperties::ReplaceEffectInput(node, effect);