From 2ed742a9e791ed530222e1e4533539ab1f4cd4d9 Mon Sep 17 00:00:00 2001
From: Robert Fancsik
Date: Fri, 27 Mar 2020 11:28:23 +0100
Subject: [PATCH] Fix invalid free in ecma_op_function_get_super_constructor (#3644)
This patch fixes #3636.
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
---
 .../ecma/operations/ecma-function-object.c | 5 ++-
 .../es2015/regression-test-issue-3636.js | 39 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 tests/jerry/es2015/regression-test-issue-3636.js
diff --git a/jerry-core/ecma/operations/ecma-function-object.c b/jerry-core/ecma/operations/ecma-function-object.c
index dadd26ba1..7f7ccbd72 100644
--- a/jerry-core/ecma/operations/ecma-function-object.c
+++ b/jerry-core/ecma/operations/ecma-function-object.c
@@ -681,7 +681,10 @@ ecma_op_function_get_super_constructor (ecma_object_t *func_obj_p) /**< function if (super_ctor_p == NULL || !ecma_object_is_constructor (super_ctor_p)) { - ecma_deref_object (super_ctor_p); + if (super_ctor_p != NULL) + { + ecma_deref_object (super_ctor_p); + } return ecma_raise_type_error (ECMA_ERR_MSG ("Super binding must be a constructor.")); }
diff --git a/tests/jerry/es2015/regression-test-issue-3636.js b/tests/jerry/es2015/regression-test-issue-3636.js
new file mode 100644
index 000000000..8a75d05ae
--- /dev/null
+++ b/tests/jerry/es2015/regression-test-issue-3636.js
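Review bot: The new `if (super_ctor_p != NULL)` guard in ecma_op_function_get_super_constructor has no comment saying when the pointer can be NULL or why the deref must be skipped, so the reason for the nested check is only recoverable from the commit message. A one-line comment above it would do, for example `/* super_ctor_p is NULL when there is no super binding object; ecma_deref_object must only be given a live object */`. The outer condition also folds two different failures together (no object at all, and an object that is not a constructor); handling `super_ctor_p == NULL` in its own early return would remove the need to re-test the pointer inside the branch. The assignment of `super_ctor_p` and the rest of the function lie outside the hunk, so whether the non-NULL case always holds a reference that needs releasing should be confirmed there.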
@@ -0,0 +1,39 @@
+// Copyright JS Foundation and other contributors, http://js.foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+function f() {}
+var B = class extends f {
+ constructor() {
+ String(Reflect.setPrototypeOf(B, null));
+ super($)
+ }
+}
+C = class extends B {
+ g() {
+ return function() {}
+ }
+}
+D = class extends C {
+ constructor() {
+ super()
+ }
+ g() {}
+}
+
+try {
+ new D
+ assert (false);
+} catch (e) {
+ assert (e instanceof TypeError);
+}
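Review bot: The regression test has no comment tying it to the bug, so a reader cannot tell which statement matters; it appears to be `Reflect.setPrototypeOf(B, null)` running before `super($)`, which leaves the super call without a constructor to invoke. A line such as `// B's prototype is set to null before super() runs, so the super call must throw a TypeError` above `new D` would record that. `C` and `D` are assigned without a declaration and `$` is never defined; if these are leftovers of a reduced reproducer rather than part of what triggers the path, declaring the classes with `var` would make the intent clearer. Since the defect was a bad free rather than a wrong result, the `TypeError` assertion alone may not distinguish a fixed build from a broken one, so the test is most useful when it also runs under a debug or sanitizer configuration.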