!4643 [Bug]: 汇编解释器Constructor相关代码未对newTarget进行判断，导致直接取HClass崩溃

Merge pull request !4643 from 李晨帅/newTargetNotHeapIR

ecmascript/compiler/builtins/builtins_stubs.cpp

@@ -995,10 +995,13 @@ DECLARE_BUILTINS(BooleanConstructor)
     auto env = GetEnvironment();
     DEFVARIABLE(res, VariableType::JS_ANY(), Undefined());
 
+    Label newTargetIsHeapObject(env);
     Label newTargetIsJSFunction(env);
     Label slowPath(env);
     Label exit(env);
 
+    Branch(TaggedIsHeapObject(newTarget), &newTargetIsHeapObject, &slowPath);
+    Bind(&newTargetIsHeapObject);
     Branch(IsJSFunction(newTarget), &newTargetIsJSFunction, &slowPath);
     Bind(&newTargetIsJSFunction);
     {
@@ -1038,10 +1041,13 @@ DECLARE_BUILTINS(DateConstructor)
     auto env = GetEnvironment();
     DEFVARIABLE(res, VariableType::JS_ANY(), Undefined());
 
+    Label newTargetIsHeapObject(env);
     Label newTargetIsJSFunction(env);
     Label slowPath(env);
     Label exit(env);
 
+    Branch(TaggedIsHeapObject(newTarget), &newTargetIsHeapObject, &slowPath);
+    Bind(&newTargetIsHeapObject);
     Branch(IsJSFunction(newTarget), &newTargetIsJSFunction, &slowPath);
     Bind(&newTargetIsJSFunction);
     {
@@ -1120,10 +1126,13 @@ DECLARE_BUILTINS(ArrayConstructor)
     auto env = GetEnvironment();
     DEFVARIABLE(res, VariableType::JS_ANY(), Undefined());
 
+    Label newTargetIsHeapObject(env);
     Label newTargetIsJSFunction(env);
     Label slowPath(env);
     Label exit(env);
 
+    Branch(TaggedIsHeapObject(newTarget), &newTargetIsHeapObject, &slowPath);
+    Bind(&newTargetIsHeapObject);
     Branch(IsJSFunction(newTarget), &newTargetIsJSFunction, &slowPath);
     Bind(&newTargetIsJSFunction);
     {

test/moduletest/builtins/builtinsir.js

@@ -45,4 +45,16 @@ lastName: "Gates"
 }
 var a = new Uint32Array([1,2]);
 print(person.fullName.apply(person1, a));
+// xxxConstructor
+var a = {
+    test() {
+        this.foo();
+    }
+}
+a.foo = Array;
+a.test();
+a.foo = Boolean;
+a.test();
+a.foo = Date;
+a.test();
 print("builtins ir end");