Null pointer dereference

[clayton-shopify]

The following input demonstrates a crash:

def to_str
  @b + + -> {}
rescue ""
end

class A < to_str
end

This results in recursion, but it seems to crash well before overflowing the stack:

Process 69290 stopped
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
    frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
   1085
   1086	    CASE(OP_RESCUE) {
   1087	      /* A      R(A) := exc; clear(exc) */
-> 1088	      SET_OBJ_VALUE(regs[GETARG_A(i)], mrb->exc);
   1089	      mrb->exc = 0;
   1090	      NEXT;
   1091	    }
(lldb) bt
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
  * frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
    frame #1: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dcc0, stack_keep=2) + 1114 at vm.c:822
    frame #2: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dea0) + 1599 at vm.c:2570
    frame #3: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ea00, mid=144, argc=0, argv=0x00007fff5f49ef80, blk=mrb_value @ 0x00007fff5f49e0b0) + 13496 at vm.c:454
    frame #4: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ed60, mid=144, argc=0, argv=0x00007fff5f49ef80) + 984 at vm.c:464
    frame #5: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ef60, name="to_str", argc=0) + 1743 at vm.c:342
    frame #6: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f460, str2=mrb_value @ 0x00007fff5f49f480) + 1661 at string.c:995
    frame #7: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f760) + 853 at string.c:1019
    frame #8: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0240, mid=10, argc=1, argv=0x00007fff5f4a07c0, blk=mrb_value @ 0x00007fff5f49f8f0) + 12470 at vm.c:447
    frame #9: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a05a0, mid=10, argc=1, argv=0x00007fff5f4a07c0) + 984 at vm.c:464
    frame #10: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a07a0, name="==", argc=1) + 1743 at vm.c:342
    frame #11: 0x00000001000dab77 mruby`mrb_equal(mrb=0x000061400000fe40, obj1=mrb_value @ 0x00007fff5f4a0ca0, obj2=mrb_value @ 0x00007fff5f4a0cc0) + 1351 at object.c:48
    frame #12: 0x00000001000ae055 mruby`mrb_equal_m(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0f20) + 853 at kernel.c:84
    frame #13: 0x000000010016fd85 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000cd08) + 41381 at vm.c:1229
    frame #14: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8920, stack_keep=2) + 1114 at vm.c:822
    frame #15: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8b00) + 1599 at vm.c:2570
    frame #16: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9660, mid=144, argc=0, argv=0x00007fff5f4a9be0, blk=mrb_value @ 0x00007fff5f4a8d10) + 13496 at vm.c:454
    frame #17: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a99c0, mid=144, argc=0, argv=0x00007fff5f4a9be0) + 984 at vm.c:464
    frame #18: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9bc0, name="to_str", argc=0) + 1743 at vm.c:342
    frame #19: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa0c0, str2=mrb_value @ 0x00007fff5f4aa0e0) + 1661 at string.c:995
    frame #20: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa3c0) + 853 at string.c:1019
    frame #21: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4aaea0, mid=10, argc=1, argv=0x00007fff5f4ab420, blk=mrb_value @ 0x00007fff5f4aa550) + 12470 at vm.c:447
    frame #22: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab200, mid=10, argc=1, argv=0x00007fff5f4ab420) + 984 at vm.c:464
    frame #23: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab400, name="==", argc=1) + 1743 at vm.c:342
    ...

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).

[dkasak]

The new recursion limit gets triggered and throws an exception, which prevents it from overflowing the stack. However, it appears the crash happens while rescuing that exception.

[dkasak]

The new recursion limit gets triggered and throws an exception, which prevents it from overflowing the stack. However, it appears the crash happens while rescuing that exception.