Bug 259143

When processing some RegExp's with duplicate named capture groups where we have nested counted parenthesis, we can get a ASSERT / ASAN UAF. ASSERTION FAILED: index < m_length /Users/msaboff/src/WK.1/OpenSource/Source/JavaScriptCore/runtime/ButterflyInlines.h(46) : typename ContiguousData<T>::Data JSC::ContiguousData<const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>>::at(const JSC::JSCell *, size_t) [T = const JSC::WriteBarrier<JSC::Unknown, RawValueTraits<JSC::Unknown>>] 1 0x10987f6b4 WTFCrash 2 0x109f71154 JSC::IntlNumberFormat::initializeNumberFormat(JSC::JSGlobalObject*, JSC::JSValue, JSC::JSValue) 3 0x10acdef5c JSC::ContiguousData<JSC::WriteBarrier<JSC::Unknown, WTF::RawValueTraits<JSC::Unknown>> const>::at(JSC::JSCell const*, unsigned long) 4 0x10b4754ac JSC::JSObject::getIndexQuickly(unsigned int) const 5 0x10b8c0888 JSC::createRegExpMatchesArray(JSC::VM&, JSC::JSGlobalObject*, JSC::JSString*, WTF::String const&, JSC::RegExp*, unsigned int, JSC::MatchResult&) 6 0x10b8b8a8c JSC::RegExpObject::execInline(JSC::JSGlobalObject*, JSC::JSString*) 7 0x10b8b8754 JSC::RegExpObject::exec(JSC::JSGlobalObject*, JSC::JSString*) 8 0x10b8bcc1c JSC::regExpProtoFuncMatchFast(JSC::JSGlobalObject*, JSC::CallFrame*)