Bug 205589
| Summary: | Handle statements in CatchClause incorrectly when stack overflow | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | fpizlo, keith_miller, mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
sunlili
What steps will reproduce the problem?
Executing the following code:
```
var i = 0; // counts catch-clause entries
var j = 0; // counts completed calls to func()
function func(obj0) {
  {
    obj0.c = obj0.a;
    j++;
  }
}
function f() {
  try {
    f(); // recurse until the stack overflows
  } catch (e) {
    i++;
    func(Array(123456789)); // can not delete
  }
}
f();
// print() is the output function of the JS shells (jsc, d8, sm, ch)
print(i);
print(j);
```
What is the expected output?
`func(Array(123456789));` and `i++` execute the same number of times.
What do you see instead?
When I delete `func(Array(123456789));`, the output of `i` is 1. So the statements in the catch clause only execute once.
But when I keep `func(Array(123456789));`, the output of `i` is more than 1, and differs from the value of `j`.
Please use labels and text to provide additional information.
This bug exists in all mainstream JS engines: sm, d8, jsc, ch. I only analyzed the cause in ch, but I think you can refer to it.
In ch, f() is jitted; when the stack is full during recursion, the jitted code of f() will bail out. In the bailout procedure, `i++` is executed correctly, but `func(Array(123456789));` will throw an exception because the stack is full again. This exception will be caught by the upper jitted f() caller and will trigger a bailout again. The previous process repeats: `i++` is executed and `func(Array(123456789));` throws an exception again until there is enough stack space for its execution.
This results in the statements in the catch clause executing a different number of times: `i++` is executed several times, but `func(Array(123456789));` is only executed once.
ISec Lab
2019.12.25
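A probe harness, added here as an example and not part of the report or of any engine's code, that makes the behaviour described above measurable: it counts catch-clause entries separately from completed catch bodies and records each time a call made inside the catch overflows the stack again and leaves the clause early. The callback `work` and the `stats` field names are assumptions of this example.

```javascript
// Added example, not code from the bug report: separate "catch clause
// entered" from "catch body completed" when recursion overflows the stack.
// `work` is a hypothetical callback standing in for the report's
// `func(Array(123456789))`.
function probeCatchOnOverflow(work) {
  const stats = { entered: 0, completed: 0, escapedFromCatch: 0, outerError: null };

  function recurse() {
    try {
      recurse();
    } catch (e) {
      stats.entered++;            // the report's `i++`
      // The catch body runs at the depth where the overflow occurred, so the
      // call below may overflow again and exit this catch early; the inner
      // try/catch makes that exit visible instead of silent.
      try {
        work();
        stats.completed++;        // the report's `j++`
      } catch (inner) {
        stats.escapedFromCatch++;
        throw inner;              // propagates to the caller's catch clause
      }
    }
  }

  try {
    recurse();
  } catch (e) {
    // Only reached if even the outermost frame could not run `work`.
    stats.outerError = e;
  }
  return stats;
}

// Constructed call mirroring the report's catch body; entered > completed
// shows the catch clause being re-entered by overflows raised inside it.
const stats = probeCatchOnOverflow(() => Array(123456789).length);
console.log(stats);
```

Every catch entry ends in exactly one of `completed` or `escapedFromCatch`, so `entered === completed + escapedFromCatch` holds whatever the engine does; the gap between `entered` and `completed` is the discrepancy the report observes between `i` and `j`.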
Radar WebKit Bug Importer
<rdar://problem/58194588>