[parser] Fix func numbering inside for in.

BUG=chromium:789764

Change-Id: I6a466660159721683c4979af32019d740094151b
Reviewed-on: https://chromium-review.googlesource.com/803217
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49795}

src/ast/ast-traversal-visitor.h

@@ -243,6 +243,7 @@ void AstTraversalVisitor<Subclass>::VisitForStatement(ForStatement* stmt) {
 template <class Subclass>
 void AstTraversalVisitor<Subclass>::VisitForInStatement(ForInStatement* stmt) {
   PROCESS_NODE(stmt);
+  RECURSE(Visit(stmt->each()));
   RECURSE(Visit(stmt->enumerable()));
   RECURSE(Visit(stmt->body()));
 }

src/objects.cc

@@ -13444,6 +13444,10 @@ Handle<JSObject> Script::GetWrapper(Handle<Script> script) {
 MaybeHandle<SharedFunctionInfo> Script::FindSharedFunctionInfo(
     Isolate* isolate, const FunctionLiteral* fun) {
   CHECK_NE(fun->function_literal_id(), FunctionLiteral::kIdTypeInvalid);
+  // If this check fails, the problem is most probably the function id
+  // renumbering done by AstFunctionLiteralIdReindexer; in particular, that
+  // AstTraversalVisitor doesn't recurse properly in the construct which
+  // triggers the mismatch.
   CHECK_LT(fun->function_literal_id(), shared_function_infos()->length());
   Object* shared = shared_function_infos()->get(fun->function_literal_id());
   if (shared->IsUndefined(isolate) || WeakCell::cast(shared)->cleared()) {

test/mjsunit/regress/regress-crbug-789764.js

@@ -0,0 +1,15 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Original repro (used to crash):
+_v3 = ({ _v7 = (function outer() {
+        for ([...[]][function inner() {}] in []) {
+        }
+      })} = {}) => {
+};
+_v3();
+
+// Smaller repro (used to crash):
+a = (b = !function outer() { for (function inner() {}.foo in []) {} }) => {};
+a();