Fix invalid free in ecma_op_function_get_super_constructor (#3644)

This patch fixes #3636.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu

jerry-core/ecma/operations/ecma-function-object.c

@@ -681,7 +681,10 @@ ecma_op_function_get_super_constructor (ecma_object_t *func_obj_p) /**< function
 
   if (super_ctor_p == NULL || !ecma_object_is_constructor (super_ctor_p))
   {
-    ecma_deref_object (super_ctor_p);
+    if (super_ctor_p != NULL)
+    {
+      ecma_deref_object (super_ctor_p);
+    }
     return ecma_raise_type_error (ECMA_ERR_MSG ("Super binding must be a constructor."));
   }
 

tests/jerry/es2015/regression-test-issue-3636.js

@@ -0,0 +1,39 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function f() {}
+var B = class extends f {
+    constructor() {
+        String(Reflect.setPrototypeOf(B, null));
+        super($)
+    }
+}
+C = class extends B {
+    g() {
+        return function() {}
+    }
+}
+D = class extends C {
+    constructor() {
+        super()
+    }
+    g() {}
+}
+
+try {
+  new D
+  assert (false);
+} catch (e) {
+  assert (e instanceof TypeError);
+}