From 7485da7ace55cf4318f0a3a02a54fed04bed2a7a Mon Sep 17 00:00:00 2001 From: adamk Date: Tue, 22 Sep 2015 10:43:26 -0700 Subject: [PATCH] Don't crash when preparsing destructured arguments This adds the materialized literal count accumulated while parsing the parameters (in the parser proper) to that accumulated by the preparser. This should have been caught in cctest/test-parsing, but it's not covered because the parsing tests call directly into the preparser rather than using Parser::ParseFunctionLiteral (which fully-parses the parameters and then calls into the preparser to skip over the function body). Note that this further-inflates the materialized literal count for functions with destructured arguments, since some of the counted literals are actually binding patterns. But that's not specific to binding patterns in formal parameters: it happens in function bodies, too. BUG=v8:4400,v8:4407 LOG=n Review URL: https://codereview.chromium.org/1350913005 Cr-Commit-Position: refs/heads/master@{#30868} --- src/parser.cc | 5 ++--- test/mjsunit/harmony/regress/regress-4400.js | 8 ++++++++ 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100644 test/mjsunit/harmony/regress/regress-4400.js diff --git a/src/parser.cc b/src/parser.cc index e6fb69edf..3edde7dd1 100644 --- a/src/parser.cc +++ b/src/parser.cc @@ -4205,9 +4205,8 @@ FunctionLiteral* Parser::ParseFunctionLiteral( &expected_property_count, /*CHECK_OK*/ ok, maybe_bookmark); - if (formals.materialized_literals_count > 0) { - materialized_literal_count += formals.materialized_literals_count; - } + materialized_literal_count += formals.materialized_literals_count + + function_state.materialized_literal_count(); if (bookmark.HasBeenReset()) { // Trigger eager (re-)parsing, just below this block. diff --git a/test/mjsunit/harmony/regress/regress-4400.js b/test/mjsunit/harmony/regress/regress-4400.js new file mode 100644 index 000000000..7c42e4f55 --- /dev/null 
+++ b/test/mjsunit/harmony/regress/regress-4400.js @@ -0,0 +1,8 @@ +// Copyright 2015 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --harmony-default-parameters --min-preparse-length=0 + +function borked(a = [], b = {}, c) {} +borked(); -- 2.34.1
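Review bot: in the `src/parser.cc` hunk, the new unconditional `materialized_literal_count += formals.materialized_literals_count + function_state.materialized_literal_count();` sits just before the `if (bookmark.HasBeenReset())` block whose comment says it triggers eager (re-)parsing; it would help to state, in a comment on that line, that `function_state.materialized_literal_count()` is the count the preparser accumulated while skipping the body and that the eager re-parse path below does not add it a second time, since the commit message itself notes the total is already inflated by binding patterns being counted as literals. Dropping the `> 0` guard is fine (adding zero is a no-op), so no behaviour changes for parameter lists without literals.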
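Review bot: the new `test/mjsunit/harmony/regress/regress-4400.js` only covers array and object literal defaults (`function borked(a = [], b = {}, c) {}`), while the subject line says "destructured arguments" and `BUG=` lists both v8:4400 and v8:4407; consider adding a second case that actually uses a binding pattern in the parameter list so both bugs are exercised, and a one-line comment explaining that `--min-preparse-length=0` is what forces the function body through the preparser path this fix targets. The commit message also says the cctest parsing tests bypass `Parser::ParseFunctionLiteral`; a cctest driven through that entry point would catch regressions of this class without relying on a crash-only mjsunit test.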