Fix crash when calling a public Object method with invokesuper.

If the invokesuper is from a default method, fail the resolution as we
only expect interfaces in super calls from interface methods.

Test: 736-interface-super-Object
Change-Id: I7bd105cf1e441a9e575250db867678908b147477

8 files changed, 86 insertions, 0 deletions

diff --git a/runtime/entrypoints/entrypoint_utils-inl.h b/runtime/entrypoints/entrypoint_utils-inl.h
index 7ddf06f5ab..f0f8f8dce3 100644
--- a/runtime/entrypoints/entrypoint_utils-inl.h
+++ b/runtime/entrypoints/entrypoint_utils-inl.h
@@ -632,6 +632,13 @@ ALWAYS_INLINE ArtMethod* FindSuperMethodToCall(uint32_t method_idx,
   }
 
   if (referenced_class->IsInterface()) {
+    if (!resolved_method->GetDeclaringClass()->IsInterface()) {
+      // invoke-super from interface should not resolve to Object methods.
+      DCHECK(resolved_method->GetDeclaringClass()->IsObjectClass());
+      ThrowIncompatibleClassChangeError(
+          kSuper, resolved_method->GetInvokeType(), resolved_method, referrer);
+      return nullptr;
+    }
     // TODO We can do better than this for a (compiled) fastpath.
     ArtMethod* found_method = referenced_class->FindVirtualMethodForInterfaceSuper(
         resolved_method, linker->GetImagePointerSize());
diff --git a/test/736-interface-super-Object/expected-stderr.txt b/test/736-interface-super-Object/expected-stderr.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/test/736-interface-super-Object/expected-stderr.txt
diff --git a/test/736-interface-super-Object/expected-stdout.txt b/test/736-interface-super-Object/expected-stdout.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/test/736-interface-super-Object/expected-stdout.txt
diff --git a/test/736-interface-super-Object/info.txt b/test/736-interface-super-Object/info.txt
new file mode 100644
index 0000000000..48708f7a99
--- /dev/null
+++ b/test/736-interface-super-Object/info.txt
@@ -0,0 +1 @@
+Regression test calling super.toString from an interface method.
diff --git a/test/736-interface-super-Object/smali/Cls.smali b/test/736-interface-super-Object/smali/Cls.smali
new file mode 100644
index 0000000000..df8a0c2cd1
--- /dev/null
+++ b/test/736-interface-super-Object/smali/Cls.smali
@@ -0,0 +1,23 @@
+# Copyright (C) 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.class  LCls;
+.super  Ljava/lang/Object;
+.implements LItf;
+
+.method public constructor <init>()V
+.registers 2
+       invoke-direct {v1}, Ljava/lang/Object;-><init>()V
+       return-void
+.end method
diff --git a/test/736-interface-super-Object/smali/Itf.smali b/test/736-interface-super-Object/smali/Itf.smali
new file mode 100644
index 0000000000..dc6eefb480
--- /dev/null
+++ b/test/736-interface-super-Object/smali/Itf.smali
@@ -0,0 +1,22 @@
+# Copyright (C) 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.class public abstract interface LItf;
+.super Ljava/lang/Object;
+
+.method public doToString()V
+.registers 1
+       invoke-super {p0}, LItf;->toString()Ljava/lang/String;
+       return-void
+.end method
diff --git a/test/736-interface-super-Object/src/Main.java b/test/736-interface-super-Object/src/Main.java
new file mode 100644
index 0000000000..27806217d3
--- /dev/null
+++ b/test/736-interface-super-Object/src/Main.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.lang.reflect.InvocationTargetException;
+
+public class Main {
+
+  public static void main(String[] args) throws Exception {
+    Class<?> cls = Class.forName("Cls");
+    try {
+      cls.getMethod("doToString").invoke(cls.newInstance(), null);
+      throw new Error("Expected IncompatibleClassChangeError");
+    } catch (InvocationTargetException e) {
+      if (!(e.getCause() instanceof IncompatibleClassChangeError)) {
+        throw new Error("Expected IncompatibleClassChangeError, got " + e.getCause());
+      }
+    }
+  }
+}
diff --git a/test/knownfailures.json b/test/knownfailures.json
index 5f67f259bd..74be03cedc 100644
--- a/test/knownfailures.json
+++ b/test/knownfailures.json
@@ -1143,6 +1143,7 @@
                   "723-string-init-range",
                   "734-duplicate-fields",
                   "735-interface-clone",
+                  "736-interface-super-Object",
                   "808-checker-invoke-super",
                   "809-checker-invoke-super-bss",
                   "810-checker-invoke-super-default",