Fuzz BugFix

Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IACTIU

Signed-off-by: yaoyuan <yuanyao14@huawei.com>
Change-Id: Id413a0e3fbc047184960a05a52505c409c9ad681

ecmascript/js_function.cpp

@@ -609,7 +609,8 @@ JSTaggedValue JSFunction::ConstructInternal(EcmaRuntimeCallInfo *info)
 {
     ASSERT(info != nullptr);
     JSThread *thread = info->GetThread();
-    JSHandle<JSFunction> func(info->GetFunction());
+    // func need to create a new handle, because optimized EcmaRuntimeCallInfo may overwrite this position.
+    JSHandle<JSFunction> func(thread, info->GetFunction().GetTaggedValue());
     JSHandle<JSTaggedValue> newTarget(info->GetNewTarget());
     ASSERT(newTarget->IsECMAObject());
     if (!func->IsConstructor()) {

test/aottest/constructor/constructor.js

@@ -37,3 +37,30 @@
   print(result)
 
 })();
+
+let v0 = [1, 2, 3];
+
+function f3() {
+  return v0;
+}
+
+class C7 {
+  constructor(a9, a10, a11) {
+    a11 / a11;
+    return v0;
+  }
+  static toString(a21, a22) {
+    this["toString"] = a22;
+    const v23 = "2Al" / f3;
+    v0 &= a22;
+    const v24 = new f3();
+    Reflect.construct(C7, [], C7);
+    return "toString";
+  }
+}
+
+try {
+  const v39 = new C7("toString", "toString", C7);
+} catch(e) {
+  print(e);
+}

test/aottest/constructor/expect_output.txt

@@ -14,3 +14,4 @@
 [object Object]
 [object Object]
 [object Object]
+TypeError: Cannot convert a illegal value to a Primitive

test/aottest/constructor/pgo_expect_output.txt

@@ -14,3 +14,4 @@
 [object Object]
 [object Object]
 [object Object]
+TypeError: Cannot convert a illegal value to a Primitive