Null pointer dereference in OP_HASH

[clayton-shopify]

The following input demonstrates a crash:

def to_str
  @@b + + -> {}
rescue {}
rescue -> {}
rescue ""
end

class A < to_str
end

ASAN report:

==51803==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fffaf668f44 bp 0x7fff5e129e80 sp 0x7fff5e129e80 T0)
    #0 0x7fffaf668f43 in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f43)
    #1 0x1008a1bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10068a968 in mrb_vm_exec vm.c:2385
    #3 0x100661f99 in mrb_vm_run vm.c:820
    #4 0x10065b01e in mrb_run vm.c:2604
    #5 0x100658967 in mrb_funcall_with_block vm.c:451
    #6 0x100655337 in mrb_funcall_argv vm.c:461
    #7 0x1005dac9e in convert_type object.c:320
    #8 0x1005dbdba in mrb_check_convert_type object.c:356
    #9 0x100609b9d in mrb_check_string_type string.c:1754
    #10 0x10050c5ec in join_ary array.c:1051
    #11 0x10050af6d in mrb_ary_join array.c:1075
    #12 0x100566442 in mrb_vformat error.c:362
    #13 0x100567329 in mrb_name_error error.c:399
    #14 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #15 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #16 0x100665a5d in mrb_vm_exec vm.c:969
    #17 0x100661f99 in mrb_vm_run vm.c:820
    #18 0x10065b01e in mrb_run vm.c:2604
    #19 0x100658967 in mrb_funcall_with_block vm.c:451
    #20 0x100655337 in mrb_funcall_argv vm.c:461
    #21 0x1005dac9e in convert_type object.c:320
    #22 0x1005dbdba in mrb_check_convert_type object.c:356
    #23 0x100609b9d in mrb_check_string_type string.c:1754
    #24 0x10050c5ec in join_ary array.c:1051
    #25 0x10050af6d in mrb_ary_join array.c:1075
    #26 0x100566442 in mrb_vformat error.c:362
    #27 0x100567329 in mrb_name_error error.c:399
    #28 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #29 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #30 0x100665a5d in mrb_vm_exec vm.c:969
    #31 0x100661f99 in mrb_vm_run vm.c:820
    #32 0x10065b01e in mrb_run vm.c:2604
    #33 0x100658967 in mrb_funcall_with_block vm.c:451
    #34 0x100655337 in mrb_funcall_argv vm.c:461
    #35 0x1005dac9e in convert_type object.c:320
    #36 0x1005dbdba in mrb_check_convert_type object.c:356
    #37 0x100609b9d in mrb_check_string_type string.c:1754
    #38 0x10050c5ec in join_ary array.c:1051
    #39 0x10050af6d in mrb_ary_join array.c:1075
    #40 0x100566442 in mrb_vformat error.c:362
    #41 0x100567329 in mrb_name_error error.c:399
    #42 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #43 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #44 0x100665a5d in mrb_vm_exec vm.c:969
    #45 0x100661f99 in mrb_vm_run vm.c:820
    #46 0x10065b01e in mrb_run vm.c:2604
    #47 0x100658967 in mrb_funcall_with_block vm.c:451
    #48 0x100655337 in mrb_funcall_argv vm.c:461
    #49 0x1005dac9e in convert_type object.c:320
    #50 0x1005dbdba in mrb_check_convert_type object.c:356
    #51 0x100609b9d in mrb_check_string_type string.c:1754
    #52 0x10050c5ec in join_ary array.c:1051
    #53 0x10050af6d in mrb_ary_join array.c:1075
    #54 0x100566442 in mrb_vformat error.c:362
    #55 0x100567329 in mrb_name_error error.c:399
    #56 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #57 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #58 0x100665a5d in mrb_vm_exec vm.c:969
    #59 0x100661f99 in mrb_vm_run vm.c:820
    #60 0x10065b01e in mrb_run vm.c:2604
    #61 0x100658967 in mrb_funcall_with_block vm.c:451
    #62 0x100655337 in mrb_funcall_argv vm.c:461
    #63 0x1005dac9e in convert_type object.c:320
    #64 0x1005dbdba in mrb_check_convert_type object.c:356
    #65 0x100609b9d in mrb_check_string_type string.c:1754
    #66 0x10050c5ec in join_ary array.c:1051
    #67 0x10050af6d in mrb_ary_join array.c:1075
    #68 0x100566442 in mrb_vformat error.c:362
    #69 0x100567329 in mrb_name_error error.c:399
    #70 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #71 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #72 0x100665a5d in mrb_vm_exec vm.c:969
    #73 0x100661f99 in mrb_vm_run vm.c:820
    #74 0x10065b01e in mrb_run vm.c:2604
    #75 0x100658967 in mrb_funcall_with_block vm.c:451
    #76 0x100655337 in mrb_funcall_argv vm.c:461
    #77 0x1005dac9e in convert_type object.c:320
    #78 0x1005dbdba in mrb_check_convert_type object.c:356
    #79 0x100609b9d in mrb_check_string_type string.c:1754
    #80 0x10050c5ec in join_ary array.c:1051
    #81 0x10050af6d in mrb_ary_join array.c:1075
    #82 0x100566442 in mrb_vformat error.c:362
    #83 0x100567329 in mrb_name_error error.c:399
    #84 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #85 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #86 0x100665a5d in mrb_vm_exec vm.c:969
    #87 0x100661f99 in mrb_vm_run vm.c:820
    #88 0x10065b01e in mrb_run vm.c:2604
    #89 0x100658967 in mrb_funcall_with_block vm.c:451
    #90 0x100655337 in mrb_funcall_argv vm.c:461
    #91 0x1005dac9e in convert_type object.c:320
    #92 0x1005dbdba in mrb_check_convert_type object.c:356
    #93 0x100609b9d in mrb_check_string_type string.c:1754
    #94 0x10050c5ec in join_ary array.c:1051
    #95 0x10050af6d in mrb_ary_join array.c:1075
    #96 0x100566442 in mrb_vformat error.c:362
    #97 0x100567329 in mrb_name_error error.c:399
    #98 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #99 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #100 0x100665a5d in mrb_vm_exec vm.c:969
    #101 0x100661f99 in mrb_vm_run vm.c:820
    #102 0x10065b01e in mrb_run vm.c:2604
    #103 0x100658967 in mrb_funcall_with_block vm.c:451
    #104 0x100655337 in mrb_funcall_argv vm.c:461
    #105 0x1005dac9e in convert_type object.c:320
    #106 0x1005dbdba in mrb_check_convert_type object.c:356
    #107 0x100609b9d in mrb_check_string_type string.c:1754
    #108 0x10050c5ec in join_ary array.c:1051
    #109 0x10050af6d in mrb_ary_join array.c:1075
    #110 0x100566442 in mrb_vformat error.c:362
    #111 0x100567329 in mrb_name_error error.c:399
    #112 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #113 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #114 0x100665a5d in mrb_vm_exec vm.c:969
    #115 0x100661f99 in mrb_vm_run vm.c:820
    #116 0x10065b01e in mrb_run vm.c:2604
    #117 0x100658967 in mrb_funcall_with_block vm.c:451
    #118 0x100655337 in mrb_funcall_argv vm.c:461
    #119 0x1005dac9e in convert_type object.c:320
    #120 0x1005dbdba in mrb_check_convert_type object.c:356
    #121 0x100609b9d in mrb_check_string_type string.c:1754
    #122 0x10050c5ec in join_ary array.c:1051
    #123 0x10050af6d in mrb_ary_join array.c:1075
    #124 0x100566442 in mrb_vformat error.c:362
    #125 0x100567329 in mrb_name_error error.c:399
    #126 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #127 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #128 0x100665a5d in mrb_vm_exec vm.c:969
    #129 0x100661f99 in mrb_vm_run vm.c:820
    #130 0x10065b01e in mrb_run vm.c:2604
    #131 0x100658967 in mrb_funcall_with_block vm.c:451
    #132 0x100655337 in mrb_funcall_argv vm.c:461
    #133 0x1005dac9e in convert_type object.c:320
    #134 0x1005dbdba in mrb_check_convert_type object.c:356
    #135 0x100609b9d in mrb_check_string_type string.c:1754
    #136 0x10050c5ec in join_ary array.c:1051
    #137 0x10050af6d in mrb_ary_join array.c:1075
    #138 0x100566442 in mrb_vformat error.c:362
    #139 0x100567329 in mrb_name_error error.c:399
    #140 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #141 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #142 0x100665a5d in mrb_vm_exec vm.c:969
    #143 0x100661f99 in mrb_vm_run vm.c:820
    #144 0x10065b01e in mrb_run vm.c:2604
    #145 0x100658967 in mrb_funcall_with_block vm.c:451
    #146 0x100655337 in mrb_funcall_argv vm.c:461
    #147 0x1005dac9e in convert_type object.c:320
    #148 0x1005dbdba in mrb_check_convert_type object.c:356
    #149 0x100609b9d in mrb_check_string_type string.c:1754
    #150 0x10050c5ec in join_ary array.c:1051
    #151 0x10050af6d in mrb_ary_join array.c:1075
    #152 0x100566442 in mrb_vformat error.c:362
    #153 0x100567329 in mrb_name_error error.c:399
    #154 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #155 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #156 0x100665a5d in mrb_vm_exec vm.c:969
    #157 0x100661f99 in mrb_vm_run vm.c:820
    #158 0x10065b01e in mrb_run vm.c:2604
    #159 0x100658967 in mrb_funcall_with_block vm.c:451
    #160 0x100655337 in mrb_funcall_argv vm.c:461
    #161 0x1005dac9e in convert_type object.c:320
    #162 0x1005dbdba in mrb_check_convert_type object.c:356
    #163 0x100609b9d in mrb_check_string_type string.c:1754
    #164 0x10050c5ec in join_ary array.c:1051
    #165 0x10050af6d in mrb_ary_join array.c:1075
    #166 0x100566442 in mrb_vformat error.c:362
    #167 0x100567329 in mrb_name_error error.c:399
    #168 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #169 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #170 0x100665a5d in mrb_vm_exec vm.c:969
    #171 0x100661f99 in mrb_vm_run vm.c:820
    #172 0x10065b01e in mrb_run vm.c:2604
    #173 0x100658967 in mrb_funcall_with_block vm.c:451
    #174 0x100655337 in mrb_funcall_argv vm.c:461
    #175 0x1005dac9e in convert_type object.c:320
    #176 0x1005dbdba in mrb_check_convert_type object.c:356
    #177 0x100609b9d in mrb_check_string_type string.c:1754
    #178 0x10050c5ec in join_ary array.c:1051
    #179 0x10050af6d in mrb_ary_join array.c:1075
    #180 0x100566442 in mrb_vformat error.c:362
    #181 0x100567329 in mrb_name_error error.c:399
    #182 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #183 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #184 0x100665a5d in mrb_vm_exec vm.c:969
    #185 0x100661f99 in mrb_vm_run vm.c:820
    #186 0x10065b01e in mrb_run vm.c:2604
    #187 0x100658967 in mrb_funcall_with_block vm.c:451
    #188 0x100655337 in mrb_funcall_argv vm.c:461
    #189 0x1005dac9e in convert_type object.c:320
    #190 0x1005dbdba in mrb_check_convert_type object.c:356
    #191 0x100609b9d in mrb_check_string_type string.c:1754
    #192 0x10050c5ec in join_ary array.c:1051
    #193 0x10050af6d in mrb_ary_join array.c:1075
    #194 0x100566442 in mrb_vformat error.c:362
    #195 0x100567329 in mrb_name_error error.c:399
    #196 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #197 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #198 0x100665a5d in mrb_vm_exec vm.c:969
    #199 0x100661f99 in mrb_vm_run vm.c:820
    #200 0x10065b01e in mrb_run vm.c:2604
    #201 0x100658967 in mrb_funcall_with_block vm.c:451
    #202 0x100655337 in mrb_funcall_argv vm.c:461
    #203 0x1005dac9e in convert_type object.c:320
    #204 0x1005dbdba in mrb_check_convert_type object.c:356
    #205 0x100609b9d in mrb_check_string_type string.c:1754
    #206 0x10050c5ec in join_ary array.c:1051
    #207 0x10050af6d in mrb_ary_join array.c:1075
    #208 0x100566442 in mrb_vformat error.c:362
    #209 0x100567329 in mrb_name_error error.c:399
    #210 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #211 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #212 0x100665a5d in mrb_vm_exec vm.c:969
    #213 0x100661f99 in mrb_vm_run vm.c:820
    #214 0x10065b01e in mrb_run vm.c:2604
    #215 0x100658967 in mrb_funcall_with_block vm.c:451
    #216 0x100655337 in mrb_funcall_argv vm.c:461
    #217 0x1005dac9e in convert_type object.c:320
    #218 0x1005dbdba in mrb_check_convert_type object.c:356
    #219 0x100609b9d in mrb_check_string_type string.c:1754
    #220 0x10050c5ec in join_ary array.c:1051
    #221 0x10050af6d in mrb_ary_join array.c:1075
    #222 0x100566442 in mrb_vformat error.c:362
    #223 0x100567329 in mrb_name_error error.c:399
    #224 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #225 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #226 0x100665a5d in mrb_vm_exec vm.c:969
    #227 0x100661f99 in mrb_vm_run vm.c:820
    #228 0x10065b01e in mrb_run vm.c:2604
    #229 0x100658967 in mrb_funcall_with_block vm.c:451
    #230 0x100655337 in mrb_funcall_argv vm.c:461
    #231 0x1005dac9e in convert_type object.c:320
    #232 0x1005dbdba in mrb_check_convert_type object.c:356
    #233 0x100609b9d in mrb_check_string_type string.c:1754
    #234 0x10050c5ec in join_ary array.c:1051
    #235 0x10050af6d in mrb_ary_join array.c:1075
    #236 0x100566442 in mrb_vformat error.c:362
    #237 0x100567329 in mrb_name_error error.c:399
    #238 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #239 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #240 0x100665a5d in mrb_vm_exec vm.c:969
    #241 0x100661f99 in mrb_vm_run vm.c:820
    #242 0x10065b01e in mrb_run vm.c:2604
    #243 0x100658967 in mrb_funcall_with_block vm.c:451
    #244 0x100655337 in mrb_funcall_argv vm.c:461
    #245 0x1005dac9e in convert_type object.c:320
    #246 0x1005dbdba in mrb_check_convert_type object.c:356
    #247 0x100609b9d in mrb_check_string_type string.c:1754
    #248 0x10050c5ec in join_ary array.c:1051
    #249 0x10050af6d in mrb_ary_join array.c:1075
    #250 0x100566442 in mrb_vformat error.c:362
    #251 0x100567329 in mrb_name_error error.c:399
    #252 0x10064ac03 in mrb_mod_cv_get variable.c:792
    #253 0x10064c0f2 in mrb_vm_cv_get variable.c:863
    #254 0x100665a5d in mrb_vm_exec vm.c:969
    #255 0x100661f99 in mrb_vm_run vm.c:820

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f43) in _platform_memmove$VARIANT$Haswell
==51803==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

[matz]

crash is fixed by #3521

[matz]

crash is fixed by #3521