[MERGE #5288 @boingoing] OS#17530048 - AssertMsg(i < this->Length(), "index out of bound") -- Chakra!BVFixed::AssertRange

Merge pull request #5288 from boingoing:correct_functioncount_bytecode

Function count saved in the serialized bytecode is computed based on the total number of functions we visit and add to the bytecode. It is possible, though, for us to have a higher function id after defer parsing due to the reparse scenario we have for lambda argument lists. We avoid lambda parameter reparse when using the parser state cache except in the presence of default arguments. So serializing and running bytecode containing a lambda function with a default argument containing another function will increment the next function id to be greater than the size of the startup functions array in SourceDynamicProfileManager which will hit this assert.

Example:
```js
    (a = () => 1) => 2;
    (function(){})(); // <-- function id of this function is equal to the size of startupFunctions array
```

Fix by serializing the function count from the source info instead of counting the functions we add to the bytecode one-by-one.

Fixes:
    https://microsoft.visualstudio.com/_workitems/edit/17530048
    https://microsoft.visualstudio.com/_workitems/edit/17529917

Author: boingoing

lib/Jsrt/Jsrt.cpp

@@ -3756,6 +3756,7 @@ JsErrorCode JsSerializeScriptCore(const byte *script, size_t cb,
 
         SourceContextInfo * sourceContextInfo = scriptContext->GetSourceContextInfo(JS_SOURCE_CONTEXT_NONE, nullptr);
         Assert(sourceContextInfo != nullptr);
+        sourceContextInfo->nextLocalFunctionId = 0;
 
         const int chsize = (loadScriptFlag & LoadScriptFlag_Utf8Source) ? sizeof(utf8char_t) : sizeof(WCHAR);
         SRCINFO si = {
@@ -5536,6 +5537,7 @@ CHAKRA_API JsSerializeParserStateCore(
 
         SourceContextInfo * sourceContextInfo = scriptContext->GetSourceContextInfo(JS_SOURCE_CONTEXT_NONE, nullptr);
         Assert(sourceContextInfo != nullptr);
+        sourceContextInfo->nextLocalFunctionId = 0;
 
         const int chsize = (loadScriptFlag & LoadScriptFlag_Utf8Source) ?
             sizeof(utf8char_t) : sizeof(WCHAR);

lib/Runtime/ByteCode/ByteCodeSerializer.cpp

@@ -2378,9 +2378,6 @@ class ByteCodeBufferBuilder
 #endif
         }
 
-        // Increment the function count
-        ++functionCount.value;
-
         // Reverse to put prepended items in correct order
         builder.list = builder.list->ReverseCurrentList();
         PrependStruct<SerializedFieldList>(builder, _u("Serialized Field List"), &definedFields);
@@ -2391,6 +2388,7 @@ class ByteCodeBufferBuilder
     HRESULT AddTopFunctionBody(FunctionBody * function, SRCINFO const * srcInfo, ByteCodeCache* cache)
     {
         topFunctionId = function->GetLocalFunctionId();
+        functionCount.value = srcInfo->sourceContextInfo->nextLocalFunctionId;
         return AddFunction(functionsTable, function, srcInfo, cache);
     }
 
@@ -2576,9 +2574,6 @@ class ByteCodeBufferBuilder
             {
                 AddDeferredStubs(builder, currentStub->deferredStubs, currentStub->nestedCount, cache, recursive);
             }
-
-            // Each deferred stub will turn into a function after we defer-parse the parent of the stub.
-            ++functionCount.value;
         }
 
         return S_OK;