I found a bug which may be related to bailout. ```test.js``` for (let v0 = 0; v0 < 100; v0++) { try { const v5 = new Int8Array(v0); function f6(a7, a8) {} let v13 = 0; do { v13++; } while (v13 < 6); let [, v17] = v5; const v18 = v5[v0]; try { f6(Int8Array, Function, ...v5); } catch (e20) {} print(v0) } catch (e29) {print(e29)} } ````````````` JSC commit id: 269f0e8b5e51910decd0f6d55a87bac7f5ec4eb8 Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0 --useFTLJIT=0 JSC should print 0-99, but in baselineJIT after bailout, JSC throw TypeError: undefined is not a function (near '...[, v17]...') I debug JSC, and located in JITCall.cpp `JIT::emit_op_iterator_next`. `JIT::emit_op_iterator_next` will invoke `compileOpCall<OpIteratorNext>(instruction, m_callLinkInfoIndex++)`, and in compileOpCall, JSC will get `callee` from Stack(VirtualRegister -14). I found `callee` is 0xa (undefined) after bailout from DFG.