diff --git a/lib/Runtime/Library/JavascriptRegExpConstructor.cpp b/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
index b4957e6b0b6..ef79fd4292c 100644
--- a/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
+++ b/lib/Runtime/Library/JavascriptRegExpConstructor.cpp
@@ -355,8 +355,12 @@ namespace Js
 case PropertyIds::input:
 case PropertyIds::$_:
 //TODO: review: although the 'input' property is marked as readonly, it has a set on V5.8. There is no spec on this.
- EnsureValues(); // The last match info relies on the last input. Use it before it is changed.
- this->lastInput = JavascriptConversion::ToString(value, this->GetScriptContext());
+ {
+ auto tempInput = JavascriptConversion::ToString(value, this->GetScriptContext());
+ // Above toString call can cause user code to be called, which may call .match to invalidate our state, ensure that we have proper values in case that happens.
+ EnsureValues(); // The last match info relies on the last input. Use it before it is changed.
+ this->lastInput = tempInput;
+ }
 *result = true;
 return true;
 case PropertyIds::lastMatch:
diff --git a/lib/Runtime/Library/SubString.cpp b/lib/Runtime/Library/SubString.cpp
index 62ac8d40084..f318d19a6e6 100644
--- a/lib/Runtime/Library/SubString.cpp
+++ b/lib/Runtime/Library/SubString.cpp
@@ -33,7 +33,7 @@ namespace Js
 Recycler* recycler = scriptContext->GetRecycler();
- Assert(string->GetLength() >= start + length);
+ AssertOrFailFast(string->GetLength() >= start + length);
 const char16 * subString = string->GetString() + start;
 void const * originalFullStringReference = string->GetOriginalStringReference();
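Review bot: The added comment in the `input`/`$_` case says what the ToString call can do but not the ordering rule a later editor has to preserve, and the trailing comment kept on `EnsureValues()` ("Use it before it is changed") still reads as if the call may sit anywhere before the store. I would state the invariant directly: `// ToString may run script (e.g. a user-defined toString) that performs another match; do every script-reentrant conversion first, then EnsureValues(), then store, with nothing that can run script in between.` Spelling the local with its explicit type (presumably `JavascriptString*`) instead of `auto` would also document what is held across the `EnsureValues()` call. The enclosing setter starts and ends outside the hunk, so whether other cases in the same switch convert `value` after caching state cannot be judged from here.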
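Review bot: The promoted check `string->GetLength() >= start + length` can still pass for out-of-range arguments if `start + length` wraps, which would leave the `string->GetString() + start` on the next line pointing outside the buffer in release builds. The parameter types are outside the hunk; if they are unsigned 32-bit character counts, as the comparison with `GetLength()` suggests, a wrap-free form is `AssertOrFailFast(start <= string->GetLength() && length <= string->GetLength() - start);`. The function's signature and any earlier range checks are also outside the hunk, so confirm whether something upstream already bounds `start` and `length` in non-debug builds.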