[MERGE #6214 @MikeHolman] don't record call site info until call completes

Merge pull request #6214 from MikeHolman:callsiteprofile

We can end up with partially initialized profile data which leads to failfast when JITing

Fixes #6202

Author: MikeHolman

lib/Runtime/Language/InterpreterStackFrame.cpp

@@ -3960,22 +3960,26 @@ namespace Js
     template <class T>
     void InterpreterStackFrame::OP_ProfileCallCommon(const unaligned T * playout, RecyclableObject * function, unsigned flags, ProfileId profileId, InlineCacheIndex inlineCacheIndex, const Js::AuxArray<uint32> *spreadIndices)
     {
+        JavascriptFunction * targetFunction = VarIs<JavascriptFunction>(m_outParams[0]) ? UnsafeVarTo<JavascriptFunction>(m_outParams[0]) : nullptr;
         FunctionBody* functionBody = this->m_functionBody;
-        DynamicProfileInfo * dynamicProfileInfo = functionBody->GetDynamicProfileInfo();
         FunctionInfo* functionInfo = function->GetTypeId() == TypeIds_Function ?
             VarTo<JavascriptFunction>(function)->GetFunctionInfo() : nullptr;
+        DynamicProfileInfo* dynamicProfileInfo = functionBody->GetDynamicProfileInfo();
         bool isConstructorCall = (CallFlags_New & flags) == CallFlags_New;
-        dynamicProfileInfo->RecordCallSiteInfo(functionBody, profileId, functionInfo, functionInfo ? static_cast<JavascriptFunction*>(function) : nullptr, playout->ArgCount, isConstructorCall, inlineCacheIndex);
-        
-        JavascriptFunction * targetFunction = VarIs<JavascriptFunction>(m_outParams[0]) ? UnsafeVarTo<JavascriptFunction>(m_outParams[0]) : nullptr;
-        
+
+
         OP_CallCommon<T>(playout, function, flags, spreadIndices);
 
+
+        // Profile call site
+
+        dynamicProfileInfo->RecordCallSiteInfo(functionBody, profileId, functionInfo, functionInfo ? static_cast<JavascriptFunction*>(function) : nullptr, playout->ArgCount, isConstructorCall, inlineCacheIndex);
+
         if (functionInfo && !functionInfo->HasBody())
         {
             if ((functionInfo->IsBuiltInApplyFunction() || functionInfo->IsBuiltInCallFunction()) && targetFunction)
             {
-                Js::ProfileId * callSiteToCallApplyCallSiteMap = this->m_functionBody->GetCallSiteToCallApplyCallSiteArray();
+                Js::ProfileId* callSiteToCallApplyCallSiteMap = this->m_functionBody->GetCallSiteToCallApplyCallSiteArray();
                 if (callSiteToCallApplyCallSiteMap)
                 {
                     Js::ProfileId callApplyCallSiteId = callSiteToCallApplyCallSiteMap[profileId];

test/inlining/profilingbug.js

@@ -0,0 +1,15 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+try {
+    function f(){}
+    function foo(){
+        f.call();
+        foo.call(0x1)++;
+    }
+    foo();
+} catch(e) {   }
+
+print("Pass")

test/inlining/rlexe.xml

@@ -285,6 +285,11 @@
       <files>bug11265991.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>profilingbug.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>bug12528802.js</files>