[interpreter] Fix label binding for unreached labels.

This fixes the label binding mechanism that forwards a label to another
already bound target label. For source labels that are not being reached
by a jump, we should not try to patch jump sites. We still bind the
source label to reflect the target position though, just in case this
binding method will be used for backwards branches in the future.

R=rmcilroy@chromium.org
TEST=webkit/fast/js/parser-syntax-check

Review URL: https://codereview.chromium.org/1804643002

Cr-Commit-Position: refs/heads/master@{#34759}

src/interpreter/bytecode-array-builder.cc

@@ -720,8 +720,12 @@ BytecodeArrayBuilder& BytecodeArrayBuilder::Bind(const BytecodeLabel& target,
                                                  BytecodeLabel* label) {
   DCHECK(!label->is_bound());
   DCHECK(target.is_bound());
-  PatchJump(bytecodes()->begin() + target.offset(),
-            bytecodes()->begin() + label->offset());
+  if (label->is_forward_target()) {
+    // An earlier jump instruction refers to this label. Update it's location.
+    PatchJump(bytecodes()->begin() + target.offset(),
+              bytecodes()->begin() + label->offset());
+    // Now treat as if the label will only be back referred to.
+  }
   label->bind_to(target.offset());
   LeaveBasicBlock();
   return *this;

test/webkit/webkit.status

@@ -100,9 +100,6 @@
 ['ignition == True', {
   # TODO(4680): Throws a RangeError due to stack overflow. Need investigation.
   'fast/js/excessive-comma-usage': [SKIP],  # Stack is brittle, SKIP not FAIL.
-
-  # TODO(4680): Assertion is C++ collection, looks like ordinary bug.
-  'fast/js/parser-syntax-check': [SKIP],  # Only some C++ libs, SKIP not FAIL.
 }],  # ignition == True
 
 ##############################################################################