[regexp] Fix numbered reference before named capture

src/regexp/regexp-parser.cc

Index: src/regexp/regexp-parser.cc
diff --git a/src/regexp/regexp-parser.cc b/src/regexp/regexp-parser.cc
index 33a16ef01fb2637c402d84a677c9feb3662f8fe3..cf0c05994c35ad411ffed6427bf17d560ed1de19 100644
--- a/src/regexp/regexp-parser.cc
+++ b/src/regexp/regexp-parser.cc
@@ -670,7 +670,25 @@ void RegExpParser::ScanForCaptures() {
         break;
       }
       case '(':
-        if (current() != '?') capture_count++;
+        if (current() == '?') {
+          // At this point we could be in
+          // * a non-capturing group '(:',
+          // * a lookbehind assertion '(?<=' '(?<!'
+          // * or a named capture '(?<'.
+          //
+          // Of these, only named captures are capturing groups.
+          if (!FLAG_harmony_regexp_named_captures) break;
+
+          Advance();
+          if (current() != '<') break;
+
+          // TODO(jgruber): To be more future-proof we could test for
+          // IdentifierStart here once it becomes clear whether group names
+          // allow unicode escapes.
+          Advance();
+          if (current() == '=' || current() == '!') break;
+        }
+        capture_count++;
         break;
     }
   }