[MERGE #5528 @Cellule] Post Op Bailout before first instr

Merge pull request #5528 from Cellule:users/micfer/handlerscope

Handle cases where we try to bailout before the first bytecode instr.
OS#17686612
Right now, it is possible to have a post-op bailout on LdScopeHandler which is added in IRBuilder.
I am not sure how to write a test that triggers this path, it seems specific to browser/node scenario

I have checked with @rajatd that a bailout there is fine since we will re-execute the code in the bailout path (more specifically in the first iteration of the interpreter).

Author: Cellule

lib/Backend/IR.cpp

@@ -2717,11 +2717,21 @@ Instr::GetNextByteCodeInstr() const
     {
         nextInstr = getNext(nextInstr);
     }
-    // This can happen due to break block removal
-    while (nextInstr->GetByteCodeOffset() == Js::Constants::NoByteCodeOffset ||
-        nextInstr->GetByteCodeOffset() < currentOffset)
+
+    // Do not check if the instr trying to bailout is in the function prologue
+    // nextInstr->GetByteCodeOffset() < currentOffset would always be true and we would crash
+    if (currentOffset != Js::Constants::NoByteCodeOffset)
     {
-        nextInstr = getNext(nextInstr);
+        // This can happen due to break block removal
+        while (nextInstr->GetByteCodeOffset() == Js::Constants::NoByteCodeOffset ||
+            nextInstr->GetByteCodeOffset() < currentOffset)
+        {
+            nextInstr = getNext(nextInstr);
+        }
+    }
+    else
+    {
+        AssertMsg(nextInstr->GetByteCodeOffset() == 0, "Only instrs before the first one are allowed to not have a bytecode offset");
     }
     return nextInstr;
 }