From 032c3e69e4b37bb370d2ded82672ad61897be4d6 Mon Sep 17 00:00:00 2001
From: hecunmao <hecunmao@huawei.com>
Date: Thu, 28 Aug 2025 20:41:02 +0800
Subject: [PATCH] =?UTF-8?q?cmcGC=20=E5=AF=B9=E4=BA=8EArray.prototype.fill?=
 =?UTF-8?q?=20=E5=A4=84=E7=90=86=E5=AD=98=E5=9C=A8=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/ICVBB7

Signed-off-by: hecunmao <hecunmao@huawei.com>
Change-Id: Ie97aa25f5a63e2ccd27e372157840bec00e1a2ba
---
 .../builtins_array_stub_builder_next_optimization.cpp     | 2 +-
 ecmascript/compiler/call_signature.cpp                    | 4 +++-
 ecmascript/stubs/runtime_stubs.cpp                        | 8 +++++++-
 ecmascript/stubs/runtime_stubs.h                          | 3 ++-
 test/moduletest/arrayRelease/arrayRelease.js              | 6 ++++++
 5 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/ecmascript/compiler/builtins/builtins_array_stub_builder_next_optimization.cpp b/ecmascript/compiler/builtins/builtins_array_stub_builder_next_optimization.cpp
index ecd6dea47f..686dc9cdf7 100644
--- a/ecmascript/compiler/builtins/builtins_array_stub_builder_next_optimization.cpp
+++ b/ecmascript/compiler/builtins/builtins_array_stub_builder_next_optimization.cpp
@@ -2728,7 +2728,7 @@ void BuiltinsArrayStubBuilder::FastFill(GateRef glue, GateRef element, GateRef s
     env->SubCfgEntry(&entry);
     Label exit(env);
     GateRef dstAddr = GetDataPtrInTaggedArray(element, start);
-    CallNGCRuntime(glue, RTSTUB_ID(FillObject), {TaggedCastToIntPtr(dstAddr), value, count});
+    CallNGCRuntime(glue, RTSTUB_ID(FillObject), {glue, element, value, start, count});
     if (needBarrier) {
         CallCommonStub(glue, CommonStubCSigns::BatchBarrier,
             {glue, TaggedCastToIntPtr(element), TaggedCastToIntPtr(dstAddr), count});
diff --git a/ecmascript/compiler/call_signature.cpp b/ecmascript/compiler/call_signature.cpp
index faff89b72d..8292fe2539 100644
--- a/ecmascript/compiler/call_signature.cpp
+++ b/ecmascript/compiler/call_signature.cpp
@@ -1990,7 +1990,7 @@ DEF_CALL_SIGNATURE(SortTypedArray)
 
 DEF_CALL_SIGNATURE(FillObject)
 {
-    constexpr size_t paramCount = 3;
+    constexpr size_t paramCount = 5;
     // 3 : 3 input parameters
     CallSignature ObjectFill("FillObject", 0, paramCount,
         ArgumentsOrder::DEFAULT_ORDER, VariableType::VOID());
@@ -1999,6 +1999,8 @@ DEF_CALL_SIGNATURE(FillObject)
     std::array<VariableType, paramCount> params = {
         VariableType::NATIVE_POINTER(),
         VariableType::JS_ANY(),
+        VariableType::JS_ANY(),
+        VariableType::INT32(),
         VariableType::INT32()
     };
     callSign->SetParameters(params.data());
diff --git a/ecmascript/stubs/runtime_stubs.cpp b/ecmascript/stubs/runtime_stubs.cpp
index 4cc4a00550..4005039384 100644
--- a/ecmascript/stubs/runtime_stubs.cpp
+++ b/ecmascript/stubs/runtime_stubs.cpp
@@ -4224,10 +4224,16 @@ void RuntimeStubs::FinishObjSizeTracking(uintptr_t argGlue, JSHClass *cls)
     }
 }
 
-void RuntimeStubs::FillObject(JSTaggedType *dst, JSTaggedType value, uint32_t count)
+void RuntimeStubs::FillObject(uintptr_t argGlue, JSTaggedType elements,
+                                JSTaggedType value, uint32_t start, uint32_t count)
 {
     DISALLOW_GARBAGE_COLLECTION;
+    auto thread = JSThread::GlueToJSThread(argGlue);
+    JSTaggedType *dst = (JSTaggedType*)elements + (TaggedArray::DATA_OFFSET / sizeof(JSTaggedType)) + start;
     std::fill_n(dst, count, value);
+    if (g_isEnableCMCGC) {
+        Barriers::CMCWriteBarrier(thread, (TaggedObject*)(elements), 2, value);
+    }
 }
 
 bool RuntimeStubs::IsTargetBundleName(uintptr_t argGlue)
diff --git a/ecmascript/stubs/runtime_stubs.h b/ecmascript/stubs/runtime_stubs.h
index 9305cb5491..5c30fb1cb7 100644
--- a/ecmascript/stubs/runtime_stubs.h
+++ b/ecmascript/stubs/runtime_stubs.h
@@ -173,7 +173,8 @@ public:
                             JSTaggedType *dst, JSTaggedType *src, uint32_t count);
     static void CopyObjectPrimitive(uintptr_t argGlue, JSTaggedType *dstObj,
                                     JSTaggedType *dst, JSTaggedType *src, uint32_t count);
-    static void FillObject(JSTaggedType *dst, JSTaggedType value, uint32_t count);
+    static void FillObject(uintptr_t argGlue, JSTaggedType elements,
+                            JSTaggedType value, uint32_t start, uint32_t count);
     static void ReverseArray(uintptr_t argGlue, JSTaggedType *dst, uint32_t length);
 
     static JSTaggedValue FindPatchModule(uintptr_t argGlue, JSTaggedValue resolvedModule);
diff --git a/test/moduletest/arrayRelease/arrayRelease.js b/test/moduletest/arrayRelease/arrayRelease.js
index 76a0749fe5..e2a49f97c4 100644
--- a/test/moduletest/arrayRelease/arrayRelease.js
+++ b/test/moduletest/arrayRelease/arrayRelease.js
@@ -54,4 +54,10 @@
     }
 }
 
+let arr = new Array(24036);
+for(let i=0; i < 300; i++) {
+    let set = new Set(arr);
+    arr.fill(set, 0, 24036);
+}
+
 test_end();
\ No newline at end of file
-- 
Gitee