[parser] Fix off-by-one in parameter count check

Bug: chromium:902610
Change-Id: I4675e3089a09ee75aa81ba2958f30a17621a537e
Reviewed-on: https://chromium-review.googlesource.com/c/1326029
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57358}

src/message-template.h

@@ -460,7 +460,7 @@ namespace internal {
   T(TooManyArguments,                                                          \
     "Too many arguments in function call (only 65535 allowed)")                \
   T(TooManyParameters,                                                         \
-    "Too many parameters in function definition (only 65535 allowed)")         \
+    "Too many parameters in function definition (only 65534 allowed)")         \
   T(TooManySpreads,                                                            \
     "Literal containing too many nested spreads (up to 65534 allowed)")        \
   T(TooManyVariables, "Too many variables declared (only 4194303 allowed)")    \

src/parsing/parser-base.h

@@ -3544,7 +3544,8 @@ void ParserBase<Impl>::ParseFormalParameterList(FormalParametersT* parameters) {
 
   if (peek() != Token::RPAREN) {
     while (true) {
-      if (parameters->arity > Code::kMaxArguments) {
+      // Add one since we're going to be adding a parameter.
+      if (parameters->arity + 1 > Code::kMaxArguments) {
         ReportMessage(MessageTemplate::kTooManyParameters);
         return;
       }

test/mjsunit/regress/regress-crbug-902610.js

@@ -0,0 +1,11 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(() => {
+  // Make a function with 65535 args. This should throw a SyntaxError because -1
+  // is reserved for the "don't adapt arguments" sentinel.
+  var f_with_65535_args =
+      eval("(function(" + Array(65535).fill("x").join(",") + "){})");
+  f_with_65535_args();
+}, SyntaxError);