Don't crash when preparsing destructured arguments

This adds the materialized literal count accumulated while parsing the
parameters (in the parser proper) to that accumulated by the preparser.

This should have been caught in cctest/test-parsing, but it's not covered
because the parsing tests call directly into the preparser rather than
using Parser::ParseFunctionLiteral (which fully-parses the parameters
and then calls into the preparser to skip over the function body).

Note that this further-inflates the materialized literal count for
functions with destructured arguments, since some of the counted
literals are actually binding patterns. But that's not specific to
binding patterns in formal parameters: it happens in function bodies, too.

BUG=v8:4400,v8:4407
LOG=n

Review URL: https://codereview.chromium.org/1350913005

Cr-Commit-Position: refs/heads/master@{#30868}

src/parser.cc

@@ -4205,9 +4205,8 @@ FunctionLiteral* Parser::ParseFunctionLiteral(
                            &expected_property_count, /*CHECK_OK*/ ok,
                            maybe_bookmark);
 
-      if (formals.materialized_literals_count > 0) {
-        materialized_literal_count += formals.materialized_literals_count;
-      }
+      materialized_literal_count += formals.materialized_literals_count +
+                                    function_state.materialized_literal_count();
 
       if (bookmark.HasBeenReset()) {
         // Trigger eager (re-)parsing, just below this block.

test/mjsunit/harmony/regress/regress-4400.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-default-parameters --min-preparse-length=0
+
+function borked(a = [], b = {}, c) {}
+borked();