[turbofan] Move JSCallFunction specialization to JSCallReducer.

src/ia32/code-stubs-ia32.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #if V8_TARGET_ARCH_IA32
 
 #include "src/base/bits.h"
 #include "src/bootstrapper.h"
 #include "src/code-stubs.h"
 #include "src/codegen.h"
@@ skipping 2194 matching lines @@
   // Goto miss case if we do not have a function.
   __ CmpObjectType(edi, JS_FUNCTION_TYPE, ecx);
   __ j(not_equal, &miss);
 
   // Make sure the function is not the Array() function, which requires special
   // behavior on MISS.
   __ LoadGlobalFunction(Context::ARRAY_FUNCTION_INDEX, ecx);
   __ cmp(edi, ecx);
   __ j(equal, &miss);
 
+  // Make sure the function belongs to the same native context (which implies
+  // the same global object).
+  __ mov(ecx, FieldOperand(edi, JSFunction::kContextOffset));
+  __ mov(ecx, ContextOperand(ecx, Context::GLOBAL_OBJECT_INDEX));
+  __ cmp(ecx, GlobalObjectOperand());
+  __ j(not_equal, &miss);
+
   // Update stats.
   __ add(FieldOperand(ebx, with_types_offset), Immediate(Smi::FromInt(1)));
 
   // Initialize the call counter.
   __ mov(FieldOperand(ebx, edx, times_half_pointer_size,
                       FixedArray::kHeaderSize + kPointerSize),
          Immediate(Smi::FromInt(CallICNexus::kCallCountIncrement)));
 
   // Store the function. Use a stub since we need a frame for allocation.
   // ebx - vector
@@ skipping 3520 matching lines @@
                            Operand(ebp, 7 * kPointerSize), NULL);
 }
 
 
 #undef __
 
 }  // namespace internal
 }  // namespace v8
 
 #endif  // V8_TARGET_ARCH_IA32