Check for ByteCodeRegSlot before using in Inline (chakra-core#6741)

Author: ppenzin

lib/Backend/Inline.cpp

@@ -2203,7 +2203,7 @@ Inline::InlineBuiltInFunction(
             if (OpCodeAttr::BailOutRec(inlineCallOpCode))
             {
                 StackSym * sym = argInstr->GetSrc1()->GetStackSym();
-                if (!sym->m_isSingleDef || !sym->m_instrDef->GetSrc1() || !sym->m_instrDef->GetSrc1()->IsConstOpnd())
+                if (sym->HasByteCodeRegSlot() && (!sym->m_isSingleDef || !sym->m_instrDef->GetSrc1() || !sym->m_instrDef->GetSrc1()->IsConstOpnd()))
                 {
                     if (!sym->IsFromByteCodeConstantTable() && sym->GetByteCodeRegSlot() != callInstrDst->GetStackSym()->GetByteCodeRegSlot())
                     {

test/Function/bug6738.js

@@ -0,0 +1,15 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft Corporation and contributors. All rights reserved.
+// Copyright (c) 2021 ChakraCore Project Contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+function jit() {
+    let x = Math.round.call({}, 3133.7);
+}
+
+for (var i = 0; i < 0x1000; i++) {
+    jit();
+}
+
+print("pass");

test/Function/rlexe.xml

@@ -483,6 +483,11 @@
       <files>bug542360.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug6738.js</files>
+    </default>
+  </test>
   <test>
     <default>
       <files>crosssite_bind_main.js</files>