[MERGE #5528 @Cellule] Post Op Bailout before first instr

Merge pull request #5528 from Cellule:users/micfer/handlerscope Handle cases where we try to bailout before the first bytecode instr. OS#17686612 Right now, it is possible to have a post-op bailout on LdScopeHandler which is added in IRBuilder. I am not sure how to write a test that triggers this path, it seems specific to browser/node scenario I have checked with @rajatd that a bailout there is fine since we will re-execute the code in the bailout path (more specifically in the first iteration of the interpreter).
chakra-core · Jul 27, 2018 · 9c23d50 · 9c23d50
2 parents eebca86 + 8de0522
commit 9c23d50
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/lib/Backend/IR.cpp b/lib/Backend/IR.cpp
@@ -2717,11 +2717,21 @@ Instr::GetNextByteCodeInstr() const
     {
         nextInstr = getNext(nextInstr);
     }
-    // This can happen due to break block removal
-    while (nextInstr->GetByteCodeOffset() == Js::Constants::NoByteCodeOffset ||
-        nextInstr->GetByteCodeOffset() < currentOffset)
+
+    // Do not check if the instr trying to bailout is in the function prologue
+    // nextInstr->GetByteCodeOffset() < currentOffset would always be true and we would crash
+    if (currentOffset != Js::Constants::NoByteCodeOffset)
     {
-        nextInstr = getNext(nextInstr);
+        // This can happen due to break block removal
+        while (nextInstr->GetByteCodeOffset() == Js::Constants::NoByteCodeOffset ||
+            nextInstr->GetByteCodeOffset() < currentOffset)
+        {
+            nextInstr = getNext(nextInstr);
+        }
+    }
+    else
+    {
+        AssertMsg(nextInstr->GetByteCodeOffset() == 0, "Only instrs before the first one are allowed to not have a bytecode offset");
     }
     return nextInstr;
 }