[parser] Reparsing arrow function head upon failure can overflow the stack

Bug: chromium:923723
Change-Id: Ic397642c2e803b2ada95fa87ece31032eb104782
Reviewed-on: https://chromium-review.googlesource.com/c/1424857
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58949}

src/parsing/parser-base.h

@@ -3949,6 +3949,9 @@ ParserBase<Impl>::ParseArrowFunctionLiteral(
           // Parse again in the outer scope, since the language mode may change.
           BlockState block_state(&scope_, scope()->outer_scope());
           ExpressionT expression = ParseConditionalExpression();
+          // Reparsing the head may have caused a stack overflow.
+          if (has_error()) return impl()->FailureExpression();
+
           DeclarationScope* function_scope = next_arrow_function_info_.scope;
           FunctionState function_state(&function_state_, &scope_,
                                        function_scope);

test/mjsunit/regress/regress-923723.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack-size=50
+
+function __f_3() {
+  try {
+    __f_3();
+  } catch(e) {
+    eval("let fun = ({a} = {a: 30}) => {");
+  }
+}
+assertThrows(__f_3);