diff --git a/ecmascript/containers/containers_arraylist.cpp b/ecmascript/containers/containers_arraylist.cpp
index 796de1c05a..0bf2cdf7ba 100644
--- a/ecmascript/containers/containers_arraylist.cpp
+++ b/ecmascript/containers/containers_arraylist.cpp
@@ -87,7 +87,8 @@ JSTaggedValue ContainersArrayList::Insert(EcmaRuntimeCallInfo *argv)
     JSHandle<JSTaggedValue> value = GetCallArg(argv, 0);
     JSHandle<JSTaggedValue> index = GetCallArg(argv, 1);
     if (index->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         index = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(index->GetDouble()));
     }
     if (!index->IsInt()) {
diff --git a/ecmascript/js_api/js_api_arraylist.cpp b/ecmascript/js_api/js_api_arraylist.cpp
index 5a6ba4bf7c..318815e13d 100644
--- a/ecmascript/js_api/js_api_arraylist.cpp
+++ b/ecmascript/js_api/js_api_arraylist.cpp
@@ -456,7 +456,8 @@ OperationResult JSAPIArrayList::GetProperty(JSThread *thread, const JSHandle<JSA
     int length = obj->GetLength().GetInt();
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/js_api/js_api_deque.cpp b/ecmascript/js_api/js_api_deque.cpp
index fe93d5c363..e46c07e6ec 100644
--- a/ecmascript/js_api/js_api_deque.cpp
+++ b/ecmascript/js_api/js_api_deque.cpp
@@ -287,7 +287,8 @@ OperationResult JSAPIDeque::GetProperty(JSThread *thread, const JSHandle<JSAPIDe
     }
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/js_api/js_api_linked_list.cpp b/ecmascript/js_api/js_api_linked_list.cpp
index f574426ab9..d545aa7af9 100644
--- a/ecmascript/js_api/js_api_linked_list.cpp
+++ b/ecmascript/js_api/js_api_linked_list.cpp
@@ -272,7 +272,8 @@ OperationResult JSAPILinkedList::GetProperty(JSThread *thread, const JSHandle<JS
     int nodeLength = doubleList->Length();
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/js_api/js_api_list.cpp b/ecmascript/js_api/js_api_list.cpp
index 1aa5e48004..405d9a7149 100644
--- a/ecmascript/js_api/js_api_list.cpp
+++ b/ecmascript/js_api/js_api_list.cpp
@@ -285,7 +285,8 @@ OperationResult JSAPIList::GetProperty(JSThread *thread, const JSHandle<JSAPILis
     int nodeLength = singleList->Length();
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        /* Double variables like the form of Math.floor(1) are processed as TaggedInt,
+        while integers greater than INT32_MAX are still TaggedDouble */
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/js_api/js_api_plain_array.cpp b/ecmascript/js_api/js_api_plain_array.cpp
index 9fe51d0b94..ec828cdcc3 100644
--- a/ecmascript/js_api/js_api_plain_array.cpp
+++ b/ecmascript/js_api/js_api_plain_array.cpp
@@ -228,7 +228,8 @@ OperationResult JSAPIPlainArray::GetProperty(JSThread *thread, const JSHandle<JS
     }
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
@@ -260,7 +261,16 @@ bool JSAPIPlainArray::SetProperty(JSThread *thread, const JSHandle<JSAPIPlainArr
 {
     TaggedArray *keyArray = TaggedArray::Cast(obj->GetKeys().GetTaggedObject());
     uint32_t size = obj->GetLength();
-    int32_t index = obj->BinarySearch(keyArray, 0, size, key.GetTaggedValue().GetInt());
+    JSHandle<JSTaggedValue> indexKey = key;
+    if (indexKey->IsDouble()) {
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
+        indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
+    }
+    if (!indexKey->IsInt()) {
+        return false;
+    }
+    int32_t index = obj->BinarySearch(keyArray, 0, size, indexKey->GetInt());
     if (index < 0 || index >= static_cast<int32_t>(size)) {
         return false;
     }
diff --git a/ecmascript/js_api/js_api_queue.cpp b/ecmascript/js_api/js_api_queue.cpp
index 3c258e12ef..babea3c0f0 100644
--- a/ecmascript/js_api/js_api_queue.cpp
+++ b/ecmascript/js_api/js_api_queue.cpp
@@ -228,7 +228,8 @@ OperationResult JSAPIQueue::GetProperty(JSThread *thread, const JSHandle<JSAPIQu
     int32_t length = static_cast<int32_t>(obj->GetSize());
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/js_api/js_api_stack.cpp b/ecmascript/js_api/js_api_stack.cpp
index 4451a24800..6d08973c06 100644
--- a/ecmascript/js_api/js_api_stack.cpp
+++ b/ecmascript/js_api/js_api_stack.cpp
@@ -105,6 +105,10 @@ JSTaggedValue JSAPIStack::Get(const uint32_t index)
 
 JSTaggedValue JSAPIStack::Set(JSThread *thread, const uint32_t index, JSTaggedValue value)
 {
+    uint32_t length = GetSize() + 1;
+    if (index >= length) {
+        return JSTaggedValue::Undefined();
+    }
     TaggedArray *elements = TaggedArray::Cast(GetElements().GetTaggedObject());
     elements->Set(thread, index, value);
     return JSTaggedValue::Undefined();
@@ -176,7 +180,8 @@ OperationResult JSAPIStack::GetProperty(JSThread *thread, const JSHandle<JSAPISt
     }
     JSHandle<JSTaggedValue> indexKey = key;
     if (indexKey->IsDouble()) {
-        /* 将Math.floor(1)等形式的double变量处理为Int，而大于INT32_MAX的整数仍然是double形式 */
+        // Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
+        // For integer which is greater than INT32_MAX, it will remain TaggedDouble
         indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
     }
     if (!indexKey->IsInt()) {
diff --git a/ecmascript/tests/js_api_plain_array_test.cpp b/ecmascript/tests/js_api_plain_array_test.cpp
index 551eb2244e..e085ef43a9 100644
--- a/ecmascript/tests/js_api_plain_array_test.cpp
+++ b/ecmascript/tests/js_api_plain_array_test.cpp
@@ -315,5 +315,7 @@ HWTEST_F_L0(JSAPIPlainArrayTest, SetProperty)
     EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key, value));
     JSHandle<JSTaggedValue> key1(thread, JSTaggedValue(elementsNums));
     EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key1, value));
+    JSHandle<JSTaggedValue> key2(thread, JSTaggedValue(int64_t(-9007199254740992))); // Out-of-Bounds test
+    EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key1, value));
 }
 }  // namespace panda::test
diff --git a/ecmascript/tests/js_api_stack_test.cpp b/ecmascript/tests/js_api_stack_test.cpp
index e588f7cea5..efc5e24d66 100644
--- a/ecmascript/tests/js_api_stack_test.cpp
+++ b/ecmascript/tests/js_api_stack_test.cpp
@@ -227,6 +227,12 @@ HWTEST_F_L0(JSAPIStackTest, SetProperty)
 {
     JSHandle<JSAPIStack> toor(thread, CreateStack());
     uint32_t elementsNums = 8;
+    {
+        JSHandle<JSTaggedValue> key(thread, JSTaggedValue(-1));
+        JSHandle<JSTaggedValue> value(thread, JSTaggedValue(-1));
+        EXPECT_EQ(JSTaggedValue::Undefined(), // when length = -1, return Undefine() instead of assert error
+            toor->Set(thread, key->GetInt(), value.GetTaggedValue()));
+    }
     for (uint32_t i = 0; i < elementsNums; i++) {
         JSHandle<JSTaggedValue> value(thread, JSTaggedValue(i));
         JSAPIStack::Push(thread, toor, value);