Closed Bug 1816084 Opened 1 year ago Closed 11 months ago

Assertion failure: prop (SelfHosted intrinsic not found), at js/src/vm/SelfHosting.cpp:2715

Categories: Core :: JavaScript Engine, defect, P1

Tracking

RESOLVED FIXED
118 Branch
Tracking Status
firefox118 --- fixed

People

(Reporter: lukas.bernhard, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Steps to reproduce:

The attached sample triggers a MOZ_RELEASE_ASSERT on commit b25ff1fab82c2d3a91531ad3735e50422407b163 when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.
Older commits such as c7854bdaa6bfa104bb6e94a5b84ecd3d32551425 from Dec 29 2021 are affected as well.
The missing property triggering the assert is named numberFormatCache.
Setting s-s because I found no precedent/similar bug for this assert.

// Fuzzer-generated sample. setInterruptCallback and interruptIf are
// SpiderMonkey JS shell testing functions: the first registers a function
// to run when the engine services an interrupt, the second requests an
// interrupt when its argument is truthy.
function f0() {
    function f3(a4, a5) {
        this.setInterruptCallback(f3);
        const v8 = this.interruptIf(a5);
        (1).toLocaleString();   // re-entered from the interrupt callback
        return v8;
    }
    new Promise(f3);
}
new Promise(f0);

#0  0x0000555557b8c801 in GetComputedIntrinsic (cx=0x7ffff742f100, name=..., vp=...)
    at js/src/vm/SelfHosting.cpp:2715
#1  0x0000555557b8c373 in JSRuntime::getSelfHostedValue (this=0x7ffff7423000, cx=0x7ffff742f100, name=..., vp=...)
    at js/src/vm/SelfHosting.cpp:2737
#2  0x0000555557853a74 in js::GlobalObject::getIntrinsicValueSlow (cx=0x7ffff742f100, global=..., name=..., value=...)
    at js/src/vm/GlobalObject.cpp:893
#3  0x0000555557401ad5 in js::GlobalObject::getIntrinsicValue (cx=0x7ffff742f100, global=..., name=..., value=...)
    at js/src/vm/GlobalObject.h:912
#4  0x0000555557580190 in js::GetIntrinsicOperation (cx=0x7ffff742f100, script=..., pc=0x7ffff4d7cf5a "\273\004", 
    vp=...) at js/src/vm/Interpreter-inl.h:229
#5  0x00005555575532fb in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:3511
#6  0x0000555557543960 in js::RunScript (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:431
#7  0x000055555755fcbc in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:579
#8  0x0000555557560d91 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#9  0x0000555557560fd5 in js::Call (cx=0x7ffff742f100, fval=..., thisv=..., args=..., rval=..., 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:646
#10 0x000055555775d9f4 in JS_CallFunctionValue (cx=0x7ffff742f100, obj=..., fval=..., args=..., rval=...)
    at js/src/vm/CallAndConstruct.cpp:53
#11 0x00005555573581a2 in ShellInterruptCallback (cx=0x7ffff742f100)
    at js/src/shell/js.cpp:902
#12 0x0000555557b5d1f5 in HandleInterrupt (cx=0x7ffff742f100, invokeCallback=true)
    at js/src/vm/Runtime.cpp:408
#13 0x0000555557b5cf63 in JSContext::handleInterrupt (this=0x7ffff742f100)
    at js/src/vm/Runtime.cpp:476
#14 0x00005555573ea651 in js::CheckForInterrupt (cx=0x7ffff742f100)
    at js/src/vm/JSContext-inl.h:256
#15 0x000055555754616d in Interpret (cx=0x7ffff742f100, state=...)
    at js/src/vm/Interpreter.cpp:2305
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Here's a simplified test case:

function f() {
    interruptIf(true);
    (1).toLocaleString();
}
setInterruptCallback(f);
f();

Number_toLocaleString wants to access the numberFormatCache computed intrinsic, so in GetComputedIntrinsic we execute the top-level self-hosted script where we define this. While executing this script, we trigger the interrupt callback (f) and we call Number_toLocaleString recursively. This time, however, in GetComputedIntrinsic we have an intrinsics holder so we now assert the holder has a property with this name. It doesn't because we're still executing the script defining it, so we hit the release assertion.

Maybe we should disable the interrupt callback before we execute the top-level self-hosted script.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
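The re-entrancy described in the comment above, modelled as an added C++ example that is not SpiderMonkey's code: a toy lazily-initialised intrinsics holder, an interrupt check that can fire while the defining script is still running, and the fix of suppressing the interrupt callback for the duration of that script. All types and names here are constructed for the illustration; `std::nullopt` stands in for the release assertion.

```cpp
#include <functional>
#include <map>
#include <optional>
#include <string>

// Toy model of the engine state involved in the bug (constructed; not real types).
struct Runtime {
  std::map<std::string, int> intrinsics;        // the "intrinsics holder"
  bool holderCreated = false;
  std::function<void(Runtime&)> interruptCallback;
  bool interruptPending = false;
  bool suppressInterrupts = false;              // set while the fix is active
};

// Analogue of CheckForInterrupt: runs the callback unless it is suppressed.
void checkForInterrupt(Runtime& rt) {
  if (rt.interruptPending && !rt.suppressInterrupts && rt.interruptCallback) {
    rt.interruptPending = false;
    rt.interruptCallback(rt);
  }
}

// Analogue of the top-level self-hosted script that defines the cache.
// An interrupt check happens before the definition has landed.
void runSelfHostedScript(Runtime& rt, bool fixed) {
  rt.holderCreated = true;
  bool saved = rt.suppressInterrupts;
  if (fixed) rt.suppressInterrupts = true;      // the fix: no callback while running
  checkForInterrupt(rt);
  rt.intrinsics["numberFormatCache"] = 42;      // constructed value
  rt.suppressInterrupts = saved;
}

// Analogue of GetComputedIntrinsic; nullopt = where MOZ_RELEASE_ASSERT(prop) fires.
std::optional<int> getComputedIntrinsic(Runtime& rt, const std::string& name, bool fixed) {
  if (!rt.holderCreated) runSelfHostedScript(rt, fixed);
  auto it = rt.intrinsics.find(name);
  if (it == rt.intrinsics.end()) return std::nullopt;
  return it->second;
}

// Drives the simplified test case: the callback re-enters the intrinsic lookup.
// Returns true only if both lookups succeed and the interrupt was still serviced.
bool reproduce(bool fixed) {
  Runtime rt;
  int callbackRuns = 0;
  bool innerOk = true;
  rt.interruptCallback = [&](Runtime& r) {
    ++callbackRuns;
    innerOk = getComputedIntrinsic(r, "numberFormatCache", fixed).has_value();
  };
  rt.interruptPending = true;
  bool outerOk = getComputedIntrinsic(rt, "numberFormatCache", fixed).has_value();
  checkForInterrupt(rt);   // a deferred interrupt is serviced at the next check point
  return innerOk && outerOk && callbackRuns == 1;
}
```

With the fix the callback still runs exactly once, only after the defining script has finished, so the re-entrant lookup finds the property.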

Not security-sensitive: the interrupt callback is not controlled by content and this hits a release assertion anyway.

Group: javascript-core-security
Severity: -- → S4
Priority: -- → P1
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd52a20c3ead
Disable interrupt callback before executing top-level self-hosted script. r=mgaudet
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch