From 3efd90806211c6767585a95586bb7176e8ddb89d Mon Sep 17 00:00:00 2001
From: coollixin <lixin581@huawei.com>
Date: Tue, 30 Jan 2024 15:21:34 +0800
Subject: [PATCH 01/10] hashset next modify
 issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I8ZXBB

Signed-off-by: coollixin <lixin581@huawei.com>
---
 ecmascript/js_api/js_api_hashset_iterator.cpp        | 2 +-
 ecmascript/js_api/js_api_lightweightset_iterator.cpp | 5 +----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/ecmascript/js_api/js_api_hashset_iterator.cpp b/ecmascript/js_api/js_api_hashset_iterator.cpp
index 3e5d261ef3..46f73d44a6 100644
--- a/ecmascript/js_api/js_api_hashset_iterator.cpp
+++ b/ecmascript/js_api/js_api_hashset_iterator.cpp
@@ -65,7 +65,7 @@ JSTaggedValue JSAPIHashSetIterator::Next(EcmaRuntimeCallInfo *argv)
             }
             ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
             JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-            array->Set(thread, 0, JSTaggedValue(--index));
+            array->Set(thread, 0, valueHandle);
             array->Set(thread, 1, valueHandle);
             JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
             return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
diff --git a/ecmascript/js_api/js_api_lightweightset_iterator.cpp b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
index 133390f45b..0e589a3396 100644
--- a/ecmascript/js_api/js_api_lightweightset_iterator.cpp
+++ b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
@@ -65,12 +65,9 @@ JSTaggedValue JSAPILightWeightSetIterator::Next(EcmaRuntimeCallInfo *argv)
     if (itemKind == IterationKind::VALUE) {
         return JSIterator::CreateIterResultObject(thread, value, false).GetTaggedValue();
     }
-    TaggedArray *hashArray =
-        TaggedArray::Cast(JSHandle<JSAPILightWeightSet>(lightWeightSet)->GetHashes().GetTaggedObject());
-    JSHandle<JSTaggedValue> keyHandle(thread, hashArray->Get(index));
     ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
     JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-    array->Set(thread, 0, keyHandle);
+    array->Set(thread, 0, value);
     array->Set(thread, 1, value);
     JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
     return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
-- 
Gitee


From f3be3bb8d0ea6f7112aa391dd720b96df42098c4 Mon Sep 17 00:00:00 2001
From: lanhaibo4 <lanhaibo5@h-partners.com>
Date: Tue, 30 Jan 2024 20:39:04 +0800
Subject: [PATCH 02/10] Signed-off-by: lanhaibo4 <lanhaibo5@h-partners.com>
 issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I900V7

---
 .../jsnapidestory_fuzzer.cpp                  |   2 +
 .../fuzztest/jsnapidestory_fuzzer/project.xml |   2 +-
 .../jsnapiexecute_fuzzer.cpp                  |  10 +-
 .../jsvalueref_fuzzer/jsvalueref_fuzzer.cpp   |  14 +-
 .../jsvaluerefintegervalue_fuzzer.cpp         |   6 +-
 .../jsvaluerefobject_fuzzer.cpp               |   4 +-
 .../proxyrefisrevoked_fuzzer.cpp              |  18 +-
 .../stringrefnewfromutf16_fuzzer.cpp          |   2 +-
 .../stringrefwriteutf16_fuzzer.cpp            |  17 +-
 test/resource/js_runtime/ohos_test.xml        | 225 ++++++++++++++++++
 10 files changed, 263 insertions(+), 37 deletions(-)

diff --git a/test/fuzztest/jsnapidestory_fuzzer/jsnapidestory_fuzzer.cpp b/test/fuzztest/jsnapidestory_fuzzer/jsnapidestory_fuzzer.cpp
index e12f64e1c6..9d74eba9c9 100644
--- a/test/fuzztest/jsnapidestory_fuzzer/jsnapidestory_fuzzer.cpp
+++ b/test/fuzztest/jsnapidestory_fuzzer/jsnapidestory_fuzzer.cpp
@@ -44,6 +44,8 @@ void JSNApiDestroyPGOProfilerFuzzTest([[maybe_unused]]const uint8_t *data, size_
     if (size <= 0) {
         return;
     }
+    JSRuntimeOptions runtimeOptions;
+    JSNApi::InitializePGOProfiler(runtimeOptions);
     JSNApi::DestroyPGOProfiler();
     JSNApi::DestroyJSVM(vm);
 }
diff --git a/test/fuzztest/jsnapidestory_fuzzer/project.xml b/test/fuzztest/jsnapidestory_fuzzer/project.xml
index 4fdbc407f2..b34b12ca9c 100644
--- a/test/fuzztest/jsnapidestory_fuzzer/project.xml
+++ b/test/fuzztest/jsnapidestory_fuzzer/project.xml
@@ -20,6 +20,6 @@
     <!-- maximum total time in seconds to run the fuzzer -->
     <max_total_time>300</max_total_time>
     <!-- memory usage limit in Mb -->
-    <rss_limit_mb>4096</rss_limit_mb>
+    <rss_limit_mb>5120</rss_limit_mb>
   </fuzztest>
 </fuzz_config>
diff --git a/test/fuzztest/jsnapiexecute_fuzzer/jsnapiexecute_fuzzer.cpp b/test/fuzztest/jsnapiexecute_fuzzer/jsnapiexecute_fuzzer.cpp
index 50405bde8c..0489fb4097 100644
--- a/test/fuzztest/jsnapiexecute_fuzzer/jsnapiexecute_fuzzer.cpp
+++ b/test/fuzztest/jsnapiexecute_fuzzer/jsnapiexecute_fuzzer.cpp
@@ -32,12 +32,16 @@ void JSNApiExecuteFuzztest(const uint8_t *data, size_t size)
         LOG_ECMA(ERROR) << "illegal input!";
         return;
     }
-    char *value = new char[size]();
-    memset_s(value, size, 0, size);
-    if (memcpy_s(value, size, data, size) != EOK) {
+    char *value = new char[size + 1]();
+    if (memset_s(value, size + 1, 0, size + 1) != EOK) {
+        LOG_ECMA(ERROR) << "memset_s failed!";
+        UNREACHABLE();
+    }
+    if (memcpy_s(value, size + 1, data, size) != EOK) {
         LOG_ECMA(ERROR) << "memcpy_s failed!";
         UNREACHABLE();
     }
+    value[size] = '\0';
     const std::string fileName = value;
     bool needUpdate = size % DIVISOR ? true : false; // 2:Cannot divide by 2 as true, otherwise it is false
     JSNApi::Execute(vm, fileName, fileName, needUpdate);
diff --git a/test/fuzztest/jsvalueref_fuzzer/jsvalueref_fuzzer.cpp b/test/fuzztest/jsvalueref_fuzzer/jsvalueref_fuzzer.cpp
index dfb4f153e2..e06d093dcf 100644
--- a/test/fuzztest/jsvalueref_fuzzer/jsvalueref_fuzzer.cpp
+++ b/test/fuzztest/jsvalueref_fuzzer/jsvalueref_fuzzer.cpp
@@ -30,11 +30,7 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        uint8_t* ptr = nullptr;
-        ptr = const_cast<uint8_t*>(data);
-        char16_t utf16[] = u"This is a char16 array";
-        int size1 = sizeof(utf16);
-        Local<StringRef> obj = StringRef::NewFromUtf16(vm, utf16, size1);
+        Local<JSValueRef> obj = StringRef::NewFromUtf8(vm, "TestKey");
         obj->IsNull();
         JSNApi::DestroyJSVM(vm);
     }
@@ -48,12 +44,8 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        uint8_t* ptr = nullptr;
-        ptr = const_cast<uint8_t*>(data);
-        char16_t utf16[] = u"This is a char16 array";
-        int size1 = sizeof(utf16);
-        Local<StringRef> obj = StringRef::NewFromUtf16(vm, utf16, size1);
-        obj->IsBoolean();
+        Local<JSValueRef> tag = BooleanRef::New(vm, false);
+        tag->IsBoolean();
         JSNApi::DestroyJSVM(vm);
     }
 }
diff --git a/test/fuzztest/jsvaluerefintegervalue_fuzzer/jsvaluerefintegervalue_fuzzer.cpp b/test/fuzztest/jsvaluerefintegervalue_fuzzer/jsvaluerefintegervalue_fuzzer.cpp
index 68b4805957..d0d5a46806 100644
--- a/test/fuzztest/jsvaluerefintegervalue_fuzzer/jsvaluerefintegervalue_fuzzer.cpp
+++ b/test/fuzztest/jsvaluerefintegervalue_fuzzer/jsvaluerefintegervalue_fuzzer.cpp
@@ -26,11 +26,15 @@ using namespace panda::ecmascript;
 #endif
 
 namespace OHOS {
-void JSValueRefIntegerValueFuzzTest([[maybe_unused]] const uint8_t *data, [[maybe_unused]] size_t size)
+void JSValueRefIntegerValueFuzzTest(const uint8_t *data, size_t size)
 {
     RuntimeOption option;
     option.SetLogLevel(RuntimeOption::LOG_LEVEL::ERROR);
     EcmaVM *vm = JSNApi::CreateJSVM(option);
+    if (data == nullptr || size <= 0) {
+        LOG_ECMA(ERROR) << "illegal input!";
+        return;
+    }
     Local<JSValueRef> globalObject = NumberRef::New(vm, 0xffffffffffff);
     int64_t i64 = globalObject->IntegerValue(vm);
     UNUSED(i64);
diff --git a/test/fuzztest/jsvaluerefobject_fuzzer/jsvaluerefobject_fuzzer.cpp b/test/fuzztest/jsvaluerefobject_fuzzer/jsvaluerefobject_fuzzer.cpp
index 195b9505b5..ab7f878597 100644
--- a/test/fuzztest/jsvaluerefobject_fuzzer/jsvaluerefobject_fuzzer.cpp
+++ b/test/fuzztest/jsvaluerefobject_fuzzer/jsvaluerefobject_fuzzer.cpp
@@ -92,7 +92,7 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        int length = 8;
+        int length = size / sizeof(char16_t);
         Local<StringRef> obj =  StringRef::NewFromUtf16(vm, (char16_t*)data, length);
         obj->IsJSPrimitiveBoolean();
         JSNApi::DestroyJSVM(vm);
@@ -107,7 +107,7 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        int length = 8;
+        int length = size / sizeof(char16_t);
         Local<StringRef> obj = StringRef::NewFromUtf16(vm, (char16_t*)data, length);
         obj->IsGeneratorFunction();
         JSNApi::DestroyJSVM(vm);
diff --git a/test/fuzztest/proxyrefisrevoked_fuzzer/proxyrefisrevoked_fuzzer.cpp b/test/fuzztest/proxyrefisrevoked_fuzzer/proxyrefisrevoked_fuzzer.cpp
index 9ff3fe57eb..38b2dabc18 100644
--- a/test/fuzztest/proxyrefisrevoked_fuzzer/proxyrefisrevoked_fuzzer.cpp
+++ b/test/fuzztest/proxyrefisrevoked_fuzzer/proxyrefisrevoked_fuzzer.cpp
@@ -31,22 +31,8 @@ void ProxyRefIsRevokedFuzzTest(const uint8_t *data, size_t size)
         LOG_ECMA(ERROR) << "illegal input!";
         return;
     }
-    auto thread_ = vm->GetAssociatedJSThread();
-    uint8_t *ptr = nullptr;
-    ptr = const_cast<uint8_t *>(data);
-    JSHandle<GlobalEnv> env = vm->GetGlobalEnv();
-    ObjectFactory *factory = thread_->GetEcmaVM()->GetFactory();
-    JSHandle<JSTaggedValue> hclass(thread_, env->GetObjectFunction().GetObject<JSFunction>());
-    JSHandle<JSTaggedValue> targetHandle(factory->NewJSObjectByConstructor(JSHandle<JSFunction>::Cast(hclass), hclass));
-    JSHandle<JSTaggedValue> key(factory->NewFromASCII("x"));
-    JSHandle<JSTaggedValue> value(thread_, JSTaggedValue(size));
-    JSObject::SetProperty(thread_, targetHandle, key, value);
-    JSHandle<JSTaggedValue> handlerHandle(
-        factory->NewJSObjectByConstructor(JSHandle<JSFunction>::Cast(hclass), hclass));
-    JSHandle<JSProxy> proxyHandle = JSProxy::ProxyCreate(thread_, targetHandle, handlerHandle);
-    JSHandle<JSTaggedValue> proxyTagValue = JSHandle<JSTaggedValue>::Cast(proxyHandle);
-    Local<ProxyRef> object = JSNApiHelper::ToLocal<ProxyRef>(proxyTagValue);
-    object->IsRevoked();
+    Local<ProxyRef> tag = ProxyRef::New(vm);
+    tag->IsRevoked();
     JSNApi::DestroyJSVM(vm);
 }
 }
diff --git a/test/fuzztest/stringrefnewfromutf16_fuzzer/stringrefnewfromutf16_fuzzer.cpp b/test/fuzztest/stringrefnewfromutf16_fuzzer/stringrefnewfromutf16_fuzzer.cpp
index 8ae5f8628e..efe780f77b 100644
--- a/test/fuzztest/stringrefnewfromutf16_fuzzer/stringrefnewfromutf16_fuzzer.cpp
+++ b/test/fuzztest/stringrefnewfromutf16_fuzzer/stringrefnewfromutf16_fuzzer.cpp
@@ -32,7 +32,7 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        StringRef::NewFromUtf16(vm, (char16_t*)data);
+        StringRef::NewFromUtf16(vm, (char16_t*)data, size / sizeof(char16_t));
         JSNApi::DestroyJSVM(vm);
         return;
     }
diff --git a/test/fuzztest/stringrefwriteutf16_fuzzer/stringrefwriteutf16_fuzzer.cpp b/test/fuzztest/stringrefwriteutf16_fuzzer/stringrefwriteutf16_fuzzer.cpp
index e9be6bca22..32db977543 100644
--- a/test/fuzztest/stringrefwriteutf16_fuzzer/stringrefwriteutf16_fuzzer.cpp
+++ b/test/fuzztest/stringrefwriteutf16_fuzzer/stringrefwriteutf16_fuzzer.cpp
@@ -32,8 +32,21 @@ namespace OHOS {
             LOG_ECMA(ERROR) << "illegal input!";
             return;
         }
-        Local<StringRef> res = StringRef::NewFromUtf16(vm, (char16_t*)data);
-        res->WriteUtf16((char16_t*)data, (int)size);
+        int length = size / sizeof(char16_t);
+        char16_t* buffer = new char16_t[length];
+        if (memset_s(buffer, length, 0, length) != EOK) {
+            LOG_ECMA(ERROR) << "memset_s fail!";
+            UNREACHABLE();
+        }
+        Local<StringRef> res = StringRef::NewFromUtf16(vm, (char16_t*)data, length);
+        if (length == 1) {
+            buffer[0] = '\0';
+        } else if (length != 0) {
+            int count = res->WriteUtf16(buffer, length - 1);
+            buffer[count] = '\0';
+        }
+        delete[] buffer;
+        buffer = nullptr;
         JSNApi::DestroyJSVM(vm);
     }
 }
diff --git a/test/resource/js_runtime/ohos_test.xml b/test/resource/js_runtime/ohos_test.xml
index 948abacfbe..f7635c636a 100755
--- a/test/resource/js_runtime/ohos_test.xml
+++ b/test/resource/js_runtime/ohos_test.xml
@@ -1679,6 +1679,231 @@
             <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
         </preparer>
     </target>
+    <target name="DataViewRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="DeleteWorkerFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="FunctionRefInheritFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="GeneratorFunctionRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiAddWorkerFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiContextFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiDestoryFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiExceptionFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiExecuteFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSNApiTriggerGCFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefBooleaValueFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIntegerValueFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsArrayFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsAsyncFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsContainerFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsCorrectFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsGeneratorFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsJSFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsJsPrimitiveFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefIsModuleNamespaceFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefObjectFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefToBigIntFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="JSValueRefWithinInt32FuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="LoadPatchFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="LoadPatchLongFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="ObjectRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="PromiseCapabilityRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="PromiseRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="PromiseRejectInfoFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="PropertyAttributeFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="ProxyRefIsRevokedFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="PublicApiLocalRegExpRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="SetRefGetSizeFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="SetRefGetTotalElementsFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="SetRefGetValueFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefCastFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefLengthFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefNewFromUtf16FuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefUtf8LengthFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefWriteLatin1FuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="StringRefWriteUtf16FuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="ToNativePointerFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="WeakMapRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
+    <target name="WeakSetRefFuzzTest">
+        <preparer>
+            <option name="push" value="test/test/libark_jsruntime_test.so -> /data/test" src="out"/>
+        </preparer>
+    </target>
     <target name="ThreadTerminationTest">
         <preparer>
             <option name="push" value="obj/arkcompiler/ets_runtime/test/executiontest/termination_1.abc -> /data/test" src="out"/>
-- 
Gitee


From a194169e8ce55009ea67845f00626cff5b0cc7ad Mon Sep 17 00:00:00 2001
From: zhangyukun8 <zhangyukun8@huawei.com>
Date: Wed, 31 Jan 2024 10:53:19 +0800
Subject: [PATCH 03/10] Fix allocate this bug

Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I903M0?from=project-issue
Signed-off-by: zhangyukun8 <zhangyukun8@huawei.com>
Change-Id: I1d8570470fd8dba6a8be1c287d5cb15e5d3ced4a
---
 ecmascript/compiler/common_stubs.cpp        |  4 ++--
 ecmascript/compiler/ts_inline_lowering.cpp  |  2 ++
 ecmascript/compiler/type_info_accessors.cpp |  5 ++++-
 ecmascript/compiler/typed_hcr_lowering.cpp  | 20 ++------------------
 4 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/ecmascript/compiler/common_stubs.cpp b/ecmascript/compiler/common_stubs.cpp
index aaf979ef05..eadf473f2e 100644
--- a/ecmascript/compiler/common_stubs.cpp
+++ b/ecmascript/compiler/common_stubs.cpp
@@ -771,9 +771,9 @@ void CreateArrayWithBufferStubBuilder::GenerateCircuit()
 void NewJSObjectStubBuilder::GenerateCircuit()
 {
     GateRef glue = PtrArgument(0);
-    GateRef hclass = TaggedArgument(1);
+    GateRef ctor = TaggedArgument(1);
     NewObjectStubBuilder newBuilder(this);
-    Return(newBuilder.NewJSObject(glue, hclass));
+    Return(newBuilder.FastNewThisObject(glue, ctor));
 }
 
 void JsBoundCallInternalStubBuilder::GenerateCircuit()
diff --git a/ecmascript/compiler/ts_inline_lowering.cpp b/ecmascript/compiler/ts_inline_lowering.cpp
index 98d52d00d4..b232faa0fa 100644
--- a/ecmascript/compiler/ts_inline_lowering.cpp
+++ b/ecmascript/compiler/ts_inline_lowering.cpp
@@ -351,6 +351,7 @@ GateRef TSInlineLowering::BuildAccessor(InlineTypeInfoAccessor &info)
     ProfileTyper holderType = std::make_pair(pgoType.GetHoldRootType(), pgoType.GetHoldType());
     PGOTypeManager *ptManager = thread_->GetCurrentEcmaContext()->GetPTManager();
     int holderHCIndex = static_cast<int>(ptManager->GetHClassIndexByProfileType(holderType));
+    ASSERT(ptManager->QueryHClass(holderType.first, holderType.second).IsJSHClass());
     auto holderHC = builder_.GetHClassGateFromIndex(gate, holderHCIndex);
 
     auto currentLabel = env.GetCurrentLabel();
@@ -542,6 +543,7 @@ void TSInlineLowering::InlineAccessorCheck(const InlineTypeInfoAccessor &info)
     ProfileTyper receiverType = std::make_pair(pgoType.GetReceiverRootType(), pgoType.GetReceiverType());
     PGOTypeManager *ptManager = thread_->GetCurrentEcmaContext()->GetPTManager();
     int receiverHCIndex = static_cast<int>(ptManager->GetHClassIndexByProfileType(receiverType));
+    ASSERT(ptManager->QueryHClass(receiverType.first, receiverType.second).IsJSHClass());
 
     bool noNeedCheckHeapObject = acc_.IsHeapObjectFromElementsKind(receiver);
     builder_.ObjectTypeCheck(acc_.GetGateType(gate), noNeedCheckHeapObject, receiver, builder_.Int32(receiverHCIndex));
diff --git a/ecmascript/compiler/type_info_accessors.cpp b/ecmascript/compiler/type_info_accessors.cpp
index 028d0fd65a..91f9df3063 100644
--- a/ecmascript/compiler/type_info_accessors.cpp
+++ b/ecmascript/compiler/type_info_accessors.cpp
@@ -163,7 +163,10 @@ bool NewObjRangeTypeInfoAccessor::FindHClass()
     }
     auto type = std::make_pair(sampleType->GetProfileType(), sampleType->GetProfileType());
     hclassIndex_ = static_cast<int>(ptManager_->GetHClassIndexByProfileType(type));
-    return hclassIndex_ != -1; // -1 : not found
+    if (hclassIndex_ == -1) {
+        return false;
+    }
+    return ptManager_->QueryHClass(type.first, type.second).IsJSHClass();
 }
 
 bool TypeOfTypeInfoAccessor::IsIllegalType() const
diff --git a/ecmascript/compiler/typed_hcr_lowering.cpp b/ecmascript/compiler/typed_hcr_lowering.cpp
index 1898ed97a9..6a91561139 100644
--- a/ecmascript/compiler/typed_hcr_lowering.cpp
+++ b/ecmascript/compiler/typed_hcr_lowering.cpp
@@ -1552,17 +1552,7 @@ void TypedHCRLowering::LowerTypedNewAllocateThis(GateRef gate, GateRef glue)
     builder_.Branch(isBase, &allocate, &exit);
     builder_.Bind(&allocate);
     {
-        // add typecheck to detect protoOrHclass is equal with ihclass,
-        // if pass typecheck: 1.no need to check whether hclass is valid 2.no need to check return result
-        GateRef protoOrHclass = builder_.LoadConstOffset(VariableType::JS_ANY(), ctor,
-            JSFunction::PROTO_OR_DYNCLASS_OFFSET);
-        GateRef ihclassIndex = acc_.GetValueIn(gate, 1);
-        auto hclassIndex = acc_.GetConstantValue(ihclassIndex);
-        GateRef ihclass =  builder_.GetHClassGateFromIndex(frameState, hclassIndex);
-        GateRef checkProto = builder_.Equal(protoOrHclass, ihclass);
-        builder_.DeoptCheck(checkProto, frameState, DeoptType::NOTNEWOBJ2);
-
-        thisObj = builder_.CallStub(glue, gate, CommonStubCSigns::NewJSObject, { glue, protoOrHclass });
+        thisObj = builder_.CallStub(glue, gate, CommonStubCSigns::NewJSObject, { glue, ctor });
         builder_.Jump(&exit);
     }
     builder_.Bind(&exit);
@@ -1583,13 +1573,7 @@ void TypedHCRLowering::LowerTypedSuperAllocateThis(GateRef gate, GateRef glue)
     builder_.Branch(isBase, &allocate, &exit);
     builder_.Bind(&allocate);
     {
-        GateRef protoOrHclass = builder_.LoadConstOffset(VariableType::JS_ANY(), newTarget,
-            JSFunction::PROTO_OR_DYNCLASS_OFFSET);
-        GateRef check = builder_.IsJSHClass(protoOrHclass);
-        GateRef frameState = GetFrameState(gate);
-        builder_.DeoptCheck(check, frameState, DeoptType::NOTNEWOBJ3);
-
-        thisObj = builder_.CallStub(glue, gate, CommonStubCSigns::NewJSObject, { glue, protoOrHclass });
+        thisObj = builder_.CallStub(glue, gate, CommonStubCSigns::NewJSObject, { glue, newTarget });
         builder_.Jump(&exit);
     }
     builder_.Bind(&exit);
-- 
Gitee


From e39195e03db05a8afd21f3a831f9728601c37e28 Mon Sep 17 00:00:00 2001
From: dingwen <dingwen6@huawei.com>
Date: Thu, 1 Feb 2024 10:03:49 +0800
Subject: [PATCH 04/10] Fix deserialzie miss mark bug Description:Fix
 deserialzie miss mark bug
 Issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I90CHS?from=project-issue

Signed-off-by: dingwen <dingwen6@huawei.com>
Change-Id: Ibaa17f478f3069833dd197aa4383399bc3fe9cea
---
 ecmascript/serializer/base_deserializer.cpp | 10 +++++-----
 ecmascript/serializer/base_deserializer.h   |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ecmascript/serializer/base_deserializer.cpp b/ecmascript/serializer/base_deserializer.cpp
index 3fa6a17aa8..c03628d25b 100644
--- a/ecmascript/serializer/base_deserializer.cpp
+++ b/ecmascript/serializer/base_deserializer.cpp
@@ -137,7 +137,7 @@ void BaseDeserializer::DeserializeConstPool(NewConstPoolInfo *info)
     int32_t index = static_cast<int32_t>(indexAccessor.GetHeaderIndex());
     thread_->GetCurrentEcmaContext()->AddConstpool(jsPandaFile, constpool.GetTaggedValue(), index);
     slot.Update(constpool.GetTaggedType());
-    UpdateBarrier(constpool.GetTaggedType(), slot);
+    UpdateBarrier(constpool.GetTaggedType(), slot, false);
 }
 
 void BaseDeserializer::DeserializeNativeBindingObject(NativeBindingInfo *info)
@@ -157,7 +157,7 @@ void BaseDeserializer::DeserializeNativeBindingObject(NativeBindingInfo *info)
     JSTaggedType res = JSNApiHelper::ToJSHandle(attachVal).GetTaggedType();
     slot.Update(res);
     if (!root) {
-        UpdateBarrier(res, slot);
+        UpdateBarrier(res, slot, false);
     }
 }
 
@@ -173,7 +173,7 @@ void BaseDeserializer::DeserializeJSError(JSErrorInfo *info)
     JSHandle<JSObject> errorTag = factory->NewJSError(errorType, JSHandle<EcmaString>(thread_, errorMsg));
     slot.Update(errorTag.GetTaggedType());
     if (!root) {
-        UpdateBarrier(errorTag.GetTaggedType(), slot);
+        UpdateBarrier(errorTag.GetTaggedType(), slot, false);
     }
 }
 
@@ -395,7 +395,7 @@ size_t BaseDeserializer::ReadSingleEncodeData(uint8_t encodeFlag, uintptr_t addr
     return handledFieldSize;
 }
 
-void BaseDeserializer::UpdateBarrier(uintptr_t addr, ObjectSlot slot)
+void BaseDeserializer::UpdateBarrier(uintptr_t addr, ObjectSlot slot, bool onDeserialize)
 {
     Region *valueRegion = Region::ObjectAddressToRange(addr);
     if (valueRegion == nullptr) {
@@ -411,7 +411,7 @@ void BaseDeserializer::UpdateBarrier(uintptr_t addr, ObjectSlot slot)
 
     if (thread_->IsConcurrentMarkingOrFinished()) {
         Barriers::Update(thread_, slot.SlotAddress(), rootRegion, reinterpret_cast<TaggedObject *>(addr), valueRegion,
-                         true);
+                         onDeserialize);
     }
 }
 
diff --git a/ecmascript/serializer/base_deserializer.h b/ecmascript/serializer/base_deserializer.h
index 1ba3970d8a..05cc380f58 100644
--- a/ecmascript/serializer/base_deserializer.h
+++ b/ecmascript/serializer/base_deserializer.h
@@ -91,7 +91,7 @@ private:
     void AllocateToOldSpace(size_t oldSpaceSize);
     void AllocateToNonMovableSpace(size_t nonMovableSpaceSize);
     void AllocateToMachineCodeSpace(size_t machineCodeSpaceSize);
-    void UpdateBarrier(uintptr_t addr, ObjectSlot slot);
+    void UpdateBarrier(uintptr_t addr, ObjectSlot slot, bool onDeserialize = true);
 
     bool GetAndResetWeak()
     {
-- 
Gitee


From 8ad12d8bccd262277583bbbd28e22c04f9f8b9da Mon Sep 17 00:00:00 2001
From: lanhaibo4 <lanhaibo5@h-partners.com>
Date: Thu, 1 Feb 2024 11:06:48 +0800
Subject: [PATCH 05/10] Signed-off-by: lanhaibo4 <lanhaibo5@h-partners.com>
 issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I90BV8

---
 test/jsperftest/README.md           |  7 +++++++
 test/jsperftest/run_js_perf_test.sh |  4 ++--
 test/jsperftest/run_js_test.py      | 28 ++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/test/jsperftest/README.md b/test/jsperftest/README.md
index 337c70df3b..5a750c28fb 100644
--- a/test/jsperftest/README.md
+++ b/test/jsperftest/README.md
@@ -28,6 +28,13 @@
        表格最后，会追加汇总信息：用例数总数、执行成功数、失败数，劣化数目等内容。具体内容，请参见附录“daily报告”。
     3. 有执行失败时，当前用例的“执行状态”单元格内容会标记。
     4. “是否劣化”列，取值：true，false。当用例前一天性能数据不存在、js用例执行异常、执行失败，都归于没有劣化。
+    5. 在daily报告生成目录，daily报告每日生成时会同时生成通知邮件汇总内容的文件--jsperftest_notifying_info_in_email.json。内容如下：
+    	{
+        	"kind": "V 8 js-perf-test",
+        	"Total": 7,
+        	"Ark劣化v 8": 1,
+        	"Ark劣化v 8 jitless": 4
+        }
     ```
 
 ## daily报告
diff --git a/test/jsperftest/run_js_perf_test.sh b/test/jsperftest/run_js_perf_test.sh
index ed10419e50..f415b89a1a 100644
--- a/test/jsperftest/run_js_perf_test.sh
+++ b/test/jsperftest/run_js_perf_test.sh
@@ -60,9 +60,9 @@ function check_and_config_v8_binary_path()
 {
     ret=$(check_command_exist "/usr/bin/v8/d8")
     if [ "$ret" == "$ret_error" ];then
-        wget -P "$TMP_PATH" https://storage.googleapis.com/chromium-v8/official/canary/v8-linux64-dbg-11.9.169.zip\
+        wget -P "$TMP_PATH" https://storage.googleapis.com/chromium-v8/official/canary/v8-linux64-rel-12.0.267.zip\
             --no-check-certificate
-        unzip "$TMP_PATH"/v8-linux64-dbg-11.9.169.zip -d "$TMP_PATH"/v8
+        unzip "$TMP_PATH"/v8-linux64-rel-12.0.267.zip -d "$TMP_PATH"/v8
         cp -r "$TMP_PATH"/v8 /usr/bin
         echo "export PATH=/usr/bin/v8/:$PATH" >> /root/.bashrc
         # shellcheck disable=SC1091
diff --git a/test/jsperftest/run_js_test.py b/test/jsperftest/run_js_test.py
index 23b3e1a128..f0be5d96ca 100644
--- a/test/jsperftest/run_js_test.py
+++ b/test/jsperftest/run_js_test.py
@@ -17,9 +17,11 @@ Description: Use ark to execute workload test suite
 
 import argparse
 import datetime
+import json
 import logging
 import os
 import shutil
+import stat
 from collections import namedtuple
 from openpyxl import Workbook, load_workbook
 from openpyxl.styles import PatternFill
@@ -296,6 +298,28 @@ def get_js_case_super_link_data(jspath):
             JS_FILE_SUPER_LINK_DICT[key] = js_case_name
 
 
+def export_sumary_info_for_notifying_email(json_path, total_cases_num, ark_divide_v_8_num, ark_divide_v_8_jitless_num):
+    data = {}
+    data['kind'] = 'V 8 js-perf-test'
+    data['Total'] = total_cases_num
+    data['Ark劣化v 8'] = ark_divide_v_8_num
+    data['Ark劣化v 8 jitless'] = ark_divide_v_8_jitless_num
+    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
+    modes = stat.S_IWUSR | stat.S_IRUSR
+    if os.path.exists(json_path):
+        os.remove(json_path)
+    with os.fdopen(os.open(json_path, flags, modes), 'w', encoding='utf-8') as f:
+        json.dump(data, f, indent=4, ensure_ascii=False)
+        logger.info("export summary info to json file successfully.")
+
+
+def get_umary_info_json_file_path(daily_report_file_path):
+    dir_path = os.path.dirname(daily_report_file_path)
+    json_file_name = 'jsperftest_notifying_info_in_email.json'
+    json_file_path = os.path.join(dir_path, json_file_name)
+    return json_file_path
+
+
 def append_summary_info(report_file, total_cost_time):
     """
         summary info:
@@ -369,6 +393,10 @@ def append_summary_info(report_file, total_cost_time):
 
     ws.column_dimensions.group('E', hidden=True)
     wb.save(report_file)
+
+    json_file_path = get_umary_info_json_file_path(report_file)
+    export_sumary_info_for_notifying_email(json_file_path, totle_num, ark_divide_v_8_degraded_count,
+                                           ark_divide_v_8_jitless_degraded_count)
     return RET_OK
 
 
-- 
Gitee


From 719b01368d76b4319bdc4fa5a4cf378f7ad19616 Mon Sep 17 00:00:00 2001
From: bi-hu <bihu@huawei.com>
Date: Thu, 1 Feb 2024 17:07:16 +0800
Subject: [PATCH 06/10] Remove redundant code fallback

Signed-off-by: bi-hu <bihu@huawei.com>
https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I90IDC
---
 ecmascript/object_factory.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ecmascript/object_factory.cpp b/ecmascript/object_factory.cpp
index 0fd940ade2..92089ca2b4 100644
--- a/ecmascript/object_factory.cpp
+++ b/ecmascript/object_factory.cpp
@@ -2231,11 +2231,14 @@ JSHandle<AccessorData> ObjectFactory::NewInternalAccessor(void *setter, void *ge
     TaggedObject *header = heap_->AllocateNonMovableOrHugeObject(
         JSHClass::Cast(thread_->GlobalConstants()->GetInternalAccessorClass().GetTaggedObject()));
     JSHandle<AccessorData> obj(thread_, AccessorData::Cast(header));
+    obj->SetGetter(thread_, JSTaggedValue::Undefined());
+    obj->SetSetter(thread_, JSTaggedValue::Undefined());
     if (setter != nullptr) {
         JSHandle<JSNativePointer> setFunc = NewJSNativePointer(setter, nullptr, nullptr, true);
         obj->SetSetter(thread_, setFunc.GetTaggedValue());
     } else {
-        obj->SetSetter(thread_, JSTaggedValue::Undefined());
+        JSTaggedValue setFunc = JSTaggedValue::Undefined();
+        obj->SetSetter(thread_, setFunc);
         ASSERT(!obj->HasSetter());
     }
     JSHandle<JSNativePointer> getFunc = NewJSNativePointer(getter, nullptr, nullptr, true);
-- 
Gitee


From 7e6b8095cff9bb4294e9dfab1a7f88ebb3ab3bd6 Mon Sep 17 00:00:00 2001
From: hwx1163501 <hanjing35@huawei.com>
Date: Thu, 1 Feb 2024 11:29:40 +0800
Subject: [PATCH 07/10] modify code alarms

Signed-off-by: hwx1163501 <hanjing35@huawei.com>
issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I90E4E
---
 ecmascript/compiler/bytecodes.cpp             |  3 +-
 ecmascript/date_parse.cpp                     |  4 +--
 ecmascript/js_hclass.cpp                      |  6 ++--
 ecmascript/js_typed_array.cpp                 |  2 +-
 ecmascript/object_fast_operator-inl.h         |  6 ++--
 ecmascript/object_operator.cpp                | 13 ++++----
 .../tests/pgo_test_case/string_equal.js       |  6 ++--
 ecmascript/stackmap/llvm_stackmap_parser.cpp  |  2 +-
 test/aottest/string_equal/string_equal.ts     | 30 +++++++++----------
 9 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/ecmascript/compiler/bytecodes.cpp b/ecmascript/compiler/bytecodes.cpp
index ee18b1e48d..fdec70cb7c 100644
--- a/ecmascript/compiler/bytecodes.cpp
+++ b/ecmascript/compiler/bytecodes.cpp
@@ -1599,8 +1599,7 @@ void BytecodeInfo::InitBytecodeInfo(BytecodeCircuitBuilder *builder,
             info.inputs.emplace_back(VirtualRegister(builder->GetEnvVregIdx()));
             break;
         }
-        case EcmaOpcode::STPRIVATEPROPERTY_IMM8_IMM16_IMM16_V8:
-        {
+        case EcmaOpcode::STPRIVATEPROPERTY_IMM8_IMM16_IMM16_V8: {
             uint32_t slotId = READ_INST_8_0();
             uint32_t levelIndex = READ_INST_16_1();
             uint32_t slotIndex = READ_INST_16_3();
diff --git a/ecmascript/date_parse.cpp b/ecmascript/date_parse.cpp
index 357609dbb5..c6c8e79d2a 100644
--- a/ecmascript/date_parse.cpp
+++ b/ecmascript/date_parse.cpp
@@ -428,9 +428,9 @@ bool DateParse::DayValue::SetDayValue(int *time)
     }
     if (!IsIso()) {
         if (IsBetween(year, 1, 49)) { // if year is between 1-49
-            year += 2000; // it means 2001-2049
+            year += 2000; // 2000 : it means 2001-2049
         } else if (IsBetween(year, 50, 99)) { // if year is between 50-99
-            year += 1900; // it may means 1950-1999
+            year += 1900; // 1900 : it may means 1950-1999
         }
     }
     if (!MonthIsValid(mon) || !DayIsValid(day)) {
diff --git a/ecmascript/js_hclass.cpp b/ecmascript/js_hclass.cpp
index 333bc8e186..18b7364ecf 100644
--- a/ecmascript/js_hclass.cpp
+++ b/ecmascript/js_hclass.cpp
@@ -605,7 +605,8 @@ std::tuple<bool, bool, JSTaggedValue> JSHClass::ConvertOrTransitionWithRep(const
     if (oldRep == Representation::DOUBLE) {
         if (value->IsInt()) {
             double doubleValue = value->GetInt();
-            return std::tuple<bool, bool, JSTaggedValue>(false, false, JSTaggedValue(bit_cast<JSTaggedType>(doubleValue)));
+            return std::tuple<bool, bool, JSTaggedValue>(false, false,
+                JSTaggedValue(bit_cast<JSTaggedType>(doubleValue)));
         } else if (value->IsObject()) {
             // Is Object
             attr.SetRepresentation(Representation::TAGGED);
@@ -614,7 +615,8 @@ std::tuple<bool, bool, JSTaggedValue> JSHClass::ConvertOrTransitionWithRep(const
             return std::tuple<bool, bool, JSTaggedValue>(true, true, value.GetTaggedValue());
         } else {
             // Is TaggedDouble
-            return std::tuple<bool, bool, JSTaggedValue>(false, false, JSTaggedValue(bit_cast<JSTaggedType>(value->GetDouble())));
+            return std::tuple<bool, bool, JSTaggedValue>(false, false,
+                JSTaggedValue(bit_cast<JSTaggedType>(value->GetDouble())));
         }
     } else if (oldRep == Representation::INT) {
         if (value->IsInt()) {
diff --git a/ecmascript/js_typed_array.cpp b/ecmascript/js_typed_array.cpp
index 6f7ab7d15c..904166120d 100644
--- a/ecmascript/js_typed_array.cpp
+++ b/ecmascript/js_typed_array.cpp
@@ -736,7 +736,7 @@ JSTaggedValue JSTypedArray::GetOffHeapBuffer(JSThread *thread, JSHandle<JSTypedA
     JSHandle<JSTaggedValue> typeName(thread, typedArray->GetTypedArrayName());
     DataViewType arrayType = JSTypedArray::GetTypeFromName(thread, typeName);
     JSHandle<JSHClass> notOnHeapHclass = TypedArrayHelper::GetNotOnHeapHclassFromType(
-            thread, typedArray, arrayType);
+        thread, typedArray, arrayType);
     TaggedObject::Cast(*typedArray)->SynchronizedSetClass(thread, *notOnHeapHclass); // onHeap->notOnHeap
 
     return arrayBuffer.GetTaggedValue();
diff --git a/ecmascript/object_fast_operator-inl.h b/ecmascript/object_fast_operator-inl.h
index d2818f3309..7bf9b00be4 100644
--- a/ecmascript/object_fast_operator-inl.h
+++ b/ecmascript/object_fast_operator-inl.h
@@ -616,9 +616,11 @@ PropertyAttributes ObjectFastOperator::AddPropertyByName(JSThread *thread, JSHan
         JSHClass::AddProperty(thread, objHandle, keyHandle, attr);
         auto actualValue = JSHClass::ConvertOrTransitionWithRep(thread, objHandle, keyHandle, valueHandle, attr);
         if (std::get<0>(actualValue)) {
-            objHandle->SetPropertyInlinedProps<true>(thread, nextInlinedPropsIndex, std::get<2>(actualValue));
+            objHandle->SetPropertyInlinedProps<true>(thread, nextInlinedPropsIndex,
+                std::get<2>(actualValue)); // 2 : Gets the third value
         } else {
-            objHandle->SetPropertyInlinedProps<false>(thread, nextInlinedPropsIndex, std::get<2>(actualValue));
+            objHandle->SetPropertyInlinedProps<false>(thread, nextInlinedPropsIndex,
+                std::get<2>(actualValue)); // 2 : Gets the third value
         }
         return attr;
     }
diff --git a/ecmascript/object_operator.cpp b/ecmascript/object_operator.cpp
index e327c31f95..6686ffda05 100644
--- a/ecmascript/object_operator.cpp
+++ b/ecmascript/object_operator.cpp
@@ -718,16 +718,17 @@ bool ObjectOperator::UpdateDataValue(const JSHandle<JSObject> &receiver, const J
         attributes_.SetRepresentation(attr.GetRepresentation());
 
         if (attr.IsInlinedProps()) {
-            receiver->SetPropertyInlinedPropsWithRep(thread_, GetIndex(), std::get<2>(actualValue));
+            receiver->SetPropertyInlinedPropsWithRep(thread_, GetIndex(),
+                std::get<2>(actualValue)); // 2 : Gets the third value
         } else {
             if (receiver.GetTaggedValue().IsJSCOWArray()) {
                 JSArray::CheckAndCopyArray(thread_, JSHandle<JSArray>(receiver));
                 properties.Update(JSHandle<JSArray>(receiver)->GetProperties());
             }
             if (std::get<0>(actualValue)) {
-                properties->Set<true>(thread_, GetIndex(), std::get<2>(actualValue));
+                properties->Set<true>(thread_, GetIndex(), std::get<2>(actualValue)); // 2 : Gets the third value
             } else {
-                properties->Set<false>(thread_, GetIndex(), std::get<2>(actualValue));
+                properties->Set<false>(thread_, GetIndex(), std::get<2>(actualValue)); // 2 : Gets the third value
             }
         }
     } else {
@@ -1009,9 +1010,11 @@ void ObjectOperator::AddPropertyInternal(const JSHandle<JSTaggedValue> &value)
         attributes_.SetRepresentation(attr.GetRepresentation());
         auto *hclass = receiver_->GetTaggedObject()->GetClass();
         if (std::get<0>(actualValue)) {
-            JSObject::Cast(receiver_.GetTaggedValue())->SetProperty<true>(thread_, hclass, attr, std::get<2>(actualValue));
+            JSObject::Cast(receiver_.GetTaggedValue())->SetProperty<true>(thread_,
+                hclass, attr, std::get<2>(actualValue)); // 2 : Gets the third value
         } else {
-            JSObject::Cast(receiver_.GetTaggedValue())->SetProperty<false>(thread_, hclass, attr, std::get<2>(actualValue));
+            JSObject::Cast(receiver_.GetTaggedValue())->SetProperty<false>(thread_,
+                hclass, attr, std::get<2>(actualValue)); // 2 : Gets the third value
         }
         uint32_t index = attr.IsInlinedProps() ? attr.GetOffset() :
                 attr.GetOffset() - obj->GetJSHClass()->GetInlinedProperties();
diff --git a/ecmascript/pgo_profiler/tests/pgo_test_case/string_equal.js b/ecmascript/pgo_profiler/tests/pgo_test_case/string_equal.js
index 94056e7397..4f7c998ba1 100644
--- a/ecmascript/pgo_profiler/tests/pgo_test_case/string_equal.js
+++ b/ecmascript/pgo_profiler/tests/pgo_test_case/string_equal.js
@@ -14,14 +14,14 @@
  * limitations under the License.
  */
 
-let a = "abcString";
+let a = 'abcString';
 
 function foo1(a) {
-    typeof a == "string";
+  typeof a == 'string';
 }
 
 function foo2(a) {
-    a[0] == "a";
+  a[0] == "a";
 }
 
 foo1(a);
diff --git a/ecmascript/stackmap/llvm_stackmap_parser.cpp b/ecmascript/stackmap/llvm_stackmap_parser.cpp
index 5ac91108a2..2aeb2410a7 100644
--- a/ecmascript/stackmap/llvm_stackmap_parser.cpp
+++ b/ecmascript/stackmap/llvm_stackmap_parser.cpp
@@ -43,7 +43,7 @@ std::string LocationTy::TypeToString(Kind loc) const
 
 void LLVMStackMapParser::FilterCallSiteInfo(LLVMStackMapType::CallSiteInfo &info)
 {
-    ASSERT(GC_PAIR_SIZE == 2);
+    ASSERT(GC_PAIR_SIZE == 2); // 2 : The expected value of GC_PAIR_SIZE is 2
     ASSERT(info.size() % GC_PAIR_SIZE == 0);
     for (auto it = info.begin(); it != info.end();) {
         auto base = it;
diff --git a/test/aottest/string_equal/string_equal.ts b/test/aottest/string_equal/string_equal.ts
index ee0c055c1b..3b5db937a6 100644
--- a/test/aottest/string_equal/string_equal.ts
+++ b/test/aottest/string_equal/string_equal.ts
@@ -14,32 +14,32 @@
  */
 declare function print(arg:any, arg1?:any):string;
 
-let str:string = "1234567890上下左右中";
+let str:string = '1234567890上下左右中';
 
 // two const
-print("123" == "123");
-print(str == "1234567890上下左右中");
-print("1" == "1")
-print(str[0] == "12")
+print('123' == '123');
+print(str == '1234567890上下左右中');
+print('1' == '1')
+print(str[0] == '12')
 
 // one const
 let ans = 0;
 for (let i = 0; i<15; ++i) {
-    let m:string = str[i];
-    if (m == "1" || m == "上" || m == "国") {
-        ans += 1;
-    }
+  let m:string = str[i];
+  if (m == '1' || m == '上' || m == '国') {
+    ans += 1;
+  }
 }
 print(ans);
 
 // no const
 function foo(flag) {
-    let str = "12";
-    if (flag) {
-        return str[0];
-    } else {
-        return str[1];
-    }
+  let str = '12';
+  if (flag) {
+    return str[0];
+  } else {
+    return str[1];
+  }
 }
 let left:string = foo(true);
 let right1:string = foo(true);
-- 
Gitee


From 7e095b10eeacbd172f0662d2648969a43357f914 Mon Sep 17 00:00:00 2001
From: chenhantao <chenhantao3@huawei.com>
Date: Wed, 31 Jan 2024 21:26:00 +0800
Subject: [PATCH 08/10] fix regress

Signed-off-by: chenhantao <chenhantao3@huawei.com>
Change-Id: I57cd674fbd5394d9d009e0ea5a3131118c088826
---
 ecmascript/base/typed_array_helper.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecmascript/base/typed_array_helper.cpp b/ecmascript/base/typed_array_helper.cpp
index ef7279a802..eee3b8d784 100644
--- a/ecmascript/base/typed_array_helper.cpp
+++ b/ecmascript/base/typed_array_helper.cpp
@@ -507,8 +507,13 @@ JSHandle<JSObject> TypedArrayHelper::TypedArraySpeciesCreate(JSThread *thread, c
         JSObject::GetProperty(thread, JSHandle<JSTaggedValue>(obj), key, JSHandle<JSTaggedValue>(obj)).GetValue();
     JSHandle<JSObject> result;
     JSHandle<JSTaggedValue> proto(thread, obj->GetJSHClass()->GetPrototype());
-    if (proto->IsJSTypedArray() && PropertyDetector::IsTypedArraySpeciesProtectDetectorValid(env) &&
-        buffHandle->IsInt() && objConstructor->IsECMAObject()) {
+    bool ctrVali = objConstructor->IsUndefined();
+    bool isJSTypedArr = proto->IsJSTypedArray();
+    bool isCtrUnchanged = PropertyDetector::IsTypedArraySpeciesProtectDetectorValid(env) &&
+        !objConstructor->IsClassConstructor();
+    bool isCtrBylen = buffHandle->IsInt();
+    bool isCtrObj = objConstructor->IsECMAObject();
+    if (ctrVali || (isJSTypedArr && isCtrUnchanged && isCtrBylen && isCtrObj)) {
         JSType type = obj->GetJSHClass()->GetObjectType();
         DataViewType arrayType = GetType(type);
         uint32_t length = buffHandle->GetInt();
-- 
Gitee


From 994049c1ab461812452e9f3876de67e6a28b4311 Mon Sep 17 00:00:00 2001
From: coollixin <lixin581@huawei.com>
Date: Wed, 31 Jan 2024 10:06:28 +0800
Subject: [PATCH 09/10] Add Compare function
 issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I902NW

Signed-off-by: coollixin <lixin581@huawei.com>
---
 ecmascript/js_api/js_api_hashset_iterator.cpp     |  2 +-
 .../js_api/js_api_lightweightset_iterator.cpp     |  5 ++++-
 ecmascript/tagged_tree.h                          | 15 +++++++++++++--
 test/moduletest/container/container_treemap.js    | 13 +++++++++++++
 test/moduletest/container/container_treeset.js    | 13 +++++++++++++
 5 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/ecmascript/js_api/js_api_hashset_iterator.cpp b/ecmascript/js_api/js_api_hashset_iterator.cpp
index 46f73d44a6..3e5d261ef3 100644
--- a/ecmascript/js_api/js_api_hashset_iterator.cpp
+++ b/ecmascript/js_api/js_api_hashset_iterator.cpp
@@ -65,7 +65,7 @@ JSTaggedValue JSAPIHashSetIterator::Next(EcmaRuntimeCallInfo *argv)
             }
             ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
             JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-            array->Set(thread, 0, valueHandle);
+            array->Set(thread, 0, JSTaggedValue(--index));
             array->Set(thread, 1, valueHandle);
             JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
             return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
diff --git a/ecmascript/js_api/js_api_lightweightset_iterator.cpp b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
index 0e589a3396..133390f45b 100644
--- a/ecmascript/js_api/js_api_lightweightset_iterator.cpp
+++ b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
@@ -65,9 +65,12 @@ JSTaggedValue JSAPILightWeightSetIterator::Next(EcmaRuntimeCallInfo *argv)
     if (itemKind == IterationKind::VALUE) {
         return JSIterator::CreateIterResultObject(thread, value, false).GetTaggedValue();
     }
+    TaggedArray *hashArray =
+        TaggedArray::Cast(JSHandle<JSAPILightWeightSet>(lightWeightSet)->GetHashes().GetTaggedObject());
+    JSHandle<JSTaggedValue> keyHandle(thread, hashArray->Get(index));
     ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
     JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-    array->Set(thread, 0, value);
+    array->Set(thread, 0, keyHandle);
     array->Set(thread, 1, value);
     JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
     return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
diff --git a/ecmascript/tagged_tree.h b/ecmascript/tagged_tree.h
index 4b4bb51236..8b7632f0f5 100644
--- a/ecmascript/tagged_tree.h
+++ b/ecmascript/tagged_tree.h
@@ -150,7 +150,17 @@ public:
         JSTaggedValue callResult = JSFunction::Call(info);
         RETURN_VALUE_IF_ABRUPT_COMPLETION(thread, ComparisonResult::UNDEFINED);
         int compareResult = 0;
-        if (callResult.IsInt()) {
+        if (callResult.IsBoolean()) {
+            if (callResult.IsTrue()) {
+                compareResult = -1;
+            } else {
+                info = EcmaInterpreter::NewRuntimeCallInfo(thread, compareFn, thisArgHandle, undefined, argsLength);
+                info->SetCallArg(valueY.GetTaggedValue(), valueX.GetTaggedValue());
+                callResult = JSFunction::Call(info);
+                RETURN_VALUE_IF_ABRUPT_COMPLETION(thread, ComparisonResult::UNDEFINED);
+                compareResult = callResult.IsTrue() ? 1 : 0;
+            }
+        } else if (callResult.IsInt()) {
             compareResult = callResult.GetInt();
         } else {
             JSHandle<JSTaggedValue> resultHandle(thread, callResult);
@@ -158,7 +168,8 @@ public:
             RETURN_VALUE_IF_ABRUPT_COMPLETION(thread, ComparisonResult::UNDEFINED);
             double value = v.GetNumber();
             if (std::isnan(value)) {
-                THROW_TYPE_ERROR_AND_RETURN(thread, "CompareFn has illegal return value", ComparisonResult::UNDEFINED);
+                THROW_TYPE_ERROR_AND_RETURN(thread, "CompareFn has illegal return value",
+                                            ComparisonResult::UNDEFINED);
             }
             compareResult = static_cast<int>(value);
         }
diff --git a/test/moduletest/container/container_treemap.js b/test/moduletest/container/container_treemap.js
index e195ede054..4c83561ea8 100644
--- a/test/moduletest/container/container_treemap.js
+++ b/test/moduletest/container/container_treemap.js
@@ -165,6 +165,19 @@ if (globalThis["ArkPrivate"] != undefined) {
     dProxy.clear();
     res.set("test clear:", dProxy.length == 0);
 
+    let commap = new fastmap((firstValue, secondValue) => {return firstValue > secondValue});
+    commap.set("c","1");
+    commap.set("a","8");
+    commap.set("b","2");
+    commap.set("d","4");
+    if (commap.length == 4) {
+        commap.remove("a");
+        commap.remove("b");
+        commap.remove("c");
+        commap.remove("d");
+    }
+    res.set("test commpare", commap.length == 0);
+
     flag = false;
     try {
         proxy["aa"] = 3;
diff --git a/test/moduletest/container/container_treeset.js b/test/moduletest/container/container_treeset.js
index d38e7441d9..ccb457292f 100644
--- a/test/moduletest/container/container_treeset.js
+++ b/test/moduletest/container/container_treeset.js
@@ -93,6 +93,19 @@ if (globalThis["ArkPrivate"] != undefined) {
     }
     map.set("test set throw error", flag);
 
+    let comset =  new fastset((firstValue, secondValue) => {return firstValue < secondValue});
+    comset.add("c");
+    comset.add("a");
+    comset.add("b");
+    comset.add("d");
+    if (comset.length == 4) {
+        comset.remove("a");
+        comset.remove("b");
+        comset.remove("c");
+        comset.remove("d");
+    }
+    map.set("test commpare", comset.length == 0);
+
     let set1 = new fastset();
     let proxy = new Proxy(set1, {});
     proxy.add("aa");
-- 
Gitee


From b81e62c491a9b24e6d63aa0dbc56d19a9e2e7d5f Mon Sep 17 00:00:00 2001
From: coollixin <lixin581@huawei.com>
Date: Tue, 30 Jan 2024 15:21:34 +0800
Subject: [PATCH 10/10] hashset next modify
 issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I8ZXBB

Signed-off-by: coollixin <lixin581@huawei.com>
---
 .../tests/containers_hashset_test.cpp           |  1 -
 ecmascript/js_api/js_api_hashset_iterator.cpp   |  2 +-
 .../js_api/js_api_lightweightset_iterator.cpp   |  5 +----
 test/moduletest/container/container_hashset.js  | 16 ++++++++++++++++
 .../container/container_lightweightset.js       | 17 +++++++++++++++++
 5 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/ecmascript/containers/tests/containers_hashset_test.cpp b/ecmascript/containers/tests/containers_hashset_test.cpp
index c8bc55a2a2..7a2b7f27cd 100644
--- a/ecmascript/containers/tests/containers_hashset_test.cpp
+++ b/ecmascript/containers/tests/containers_hashset_test.cpp
@@ -403,7 +403,6 @@ HWTEST_F_L0(ContainersHashSetTest, KeysAndValuesAndEntries)
             result2.Update(JSAPIHashSetIterator::Next(callInfo6));
             TestHelper::TearDownFrame(thread, prev4);
             entries.Update(JSIterator::IteratorValue(thread, result2).GetTaggedValue());
-            EXPECT_EQ(JSTaggedValue(i), JSObject::GetProperty(thread, entries, first).GetValue().GetTaggedValue());
             JSHandle<JSTaggedValue> iterValue = JSObject::GetProperty(thread, entries, second).GetValue();
             JSTaggedValue valueFlag = tSet->Has(thread, iterValue.GetTaggedValue());
             EXPECT_EQ(JSTaggedValue::True(), valueFlag);
diff --git a/ecmascript/js_api/js_api_hashset_iterator.cpp b/ecmascript/js_api/js_api_hashset_iterator.cpp
index 3e5d261ef3..46f73d44a6 100644
--- a/ecmascript/js_api/js_api_hashset_iterator.cpp
+++ b/ecmascript/js_api/js_api_hashset_iterator.cpp
@@ -65,7 +65,7 @@ JSTaggedValue JSAPIHashSetIterator::Next(EcmaRuntimeCallInfo *argv)
             }
             ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
             JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-            array->Set(thread, 0, JSTaggedValue(--index));
+            array->Set(thread, 0, valueHandle);
             array->Set(thread, 1, valueHandle);
             JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
             return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
diff --git a/ecmascript/js_api/js_api_lightweightset_iterator.cpp b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
index 133390f45b..0e589a3396 100644
--- a/ecmascript/js_api/js_api_lightweightset_iterator.cpp
+++ b/ecmascript/js_api/js_api_lightweightset_iterator.cpp
@@ -65,12 +65,9 @@ JSTaggedValue JSAPILightWeightSetIterator::Next(EcmaRuntimeCallInfo *argv)
     if (itemKind == IterationKind::VALUE) {
         return JSIterator::CreateIterResultObject(thread, value, false).GetTaggedValue();
     }
-    TaggedArray *hashArray =
-        TaggedArray::Cast(JSHandle<JSAPILightWeightSet>(lightWeightSet)->GetHashes().GetTaggedObject());
-    JSHandle<JSTaggedValue> keyHandle(thread, hashArray->Get(index));
     ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
     JSHandle<TaggedArray> array = factory->NewTaggedArray(2); // 2 means the length of array
-    array->Set(thread, 0, keyHandle);
+    array->Set(thread, 0, value);
     array->Set(thread, 1, value);
     JSHandle<JSTaggedValue> keyAndValue(JSArray::CreateArrayFromList(thread, array));
     return JSIterator::CreateIterResultObject(thread, keyAndValue, false).GetTaggedValue();
diff --git a/test/moduletest/container/container_hashset.js b/test/moduletest/container/container_hashset.js
index 152aba9dba..50b8e6ff51 100644
--- a/test/moduletest/container/container_hashset.js
+++ b/test/moduletest/container/container_hashset.js
@@ -130,6 +130,22 @@ if (globalThis["ArkPrivate"] != undefined) {
     proxy.clear();
     map.set("test clear:", proxy.length == 0 && !proxy.has("cc") && proxy.isEmpty());
 
+    flag = false;
+    let seten = new fastset();
+    seten.add(1);
+    seten.add(2);
+    seten.add(3);
+    seten.add(4);
+    seten.add(5);
+    let iter = seten.entries();
+    let temp = iter.next();
+    while(!temp.done) {
+        if ((temp.value[0]) == (temp.value[1])) {
+            flag = true;
+        }
+        temp = iter.next();
+    }
+    map.set("test entries return type", flag);
     flag = false;
     try {
         proxy["aa"] = 3;
diff --git a/test/moduletest/container/container_lightweightset.js b/test/moduletest/container/container_lightweightset.js
index bb82472bd3..2541fc0d2e 100644
--- a/test/moduletest/container/container_lightweightset.js
+++ b/test/moduletest/container/container_lightweightset.js
@@ -111,6 +111,23 @@ if (globalThis["ArkPrivate"] != undefined) {
     let b = myTest.toArray();
     res.set("test COW - check b.length :", b.length == (LOOP_COUNT + 1));
 
+    flag = false;
+    let seten = new fastset();
+    seten.add(1);
+    seten.add(2);
+    seten.add(3);
+    seten.add(4);
+    seten.add(5);
+    let iter = seten.entries();
+    let temp = iter.next();
+    while(!temp.done) {
+        if ((temp.value[0]) == (temp.value[1])) {
+            flag = true;
+        }
+        temp = iter.next();
+    }
+    res.set("test entries return type", flag);
+
     flag = false;
     try {
         proxy["aa"] = 3;
-- 
Gitee