seems a optimization bug when an object escaped

[telnetgmike]

Seems only can effect the js code logic:
Maybe the stack obj memory should be discarded after the deep copy, and redirect the ref to the stack obj data to the new heap obj memory.
otherwise, the optimized code execution result "heap_arr[index] == stack_arr[index]" not true, which changed the code logic.

seems_a_bug_but_not_security_one.js.txt

[kfarnung]

@thomasmo Can you take a look and modify labels as appropriate?