[esnext] fix OOB read in ASTPrinter::VisistTemplateLiteral

Fixes an error where TemplateLiteral printing in --print-ast
would try to read an element beyond the length of a vector.

BUG=v8:7415, chromium:820596
R=adamk@chromium.org, gsathya@chromium.org

Change-Id: Idf9e0da8c165ee62bc1a348a91c2ed5ed798404a
Reviewed-on: https://chromium-review.googlesource.com/957883Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Cr-Commit-Position: refs/heads/master@{#51857}

src/ast/prettyprinter.cc

@@ -1356,10 +1356,12 @@ void AstPrinter::VisitTemplateLiteral(TemplateLiteral* node) {
   IndentedScope indent(this, "TEMPLATE-LITERAL", node->position());
   const AstRawString* string = node->string_parts()->first();
   if (!string->IsEmpty()) PrintLiteralIndented("SPAN", string, true);
-  for (int i = 0; i < node->string_parts()->length();) {
+  for (int i = 0; i < node->substitutions()->length();) {
     PrintIndentedVisit("EXPR", node->substitutions()->at(i++));
-    string = node->string_parts()->at(i);
-    if (!string->IsEmpty()) PrintLiteralIndented("SPAN", string, true);
+    if (i < node->string_parts()->length()) {
+      string = node->string_parts()->at(i);
+      if (!string->IsEmpty()) PrintLiteralIndented("SPAN", string, true);
+    }
   }
 }
 

test/mjsunit/es6/regress/regress-crbug-820596.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --print-ast
+
+var x;
+`Crashes if OOB read with --print-ast ${x}`;