Null pointer dereference in OP_RESCUE #3521

Closed
clayton-shopify opened this Issue Mar 16, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented Mar 16, 2017

The following input demonstrates a crash:

# Unbounded recursion: every level re-enters the VM from C
# (mrb_yield_with_class -> mrb_run -> mrb_vm_exec), which is the
# nesting visible in the ASAN trace below.
def f(k)
  H ||= Module.new { f(0) }
end

f(0)

Debug:

(lldb) frame select 2
frame #2: 0x000000010016d8cc mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002c50, pc=0x000060600000a474) + 29788 at vm.c:1121
   1118	        exc = mrb_obj_value(mrb->exc);
   1119	      }
   1120	      if (a != 0 && c == 0) {
-> 1121	        regs[GETARG_A(i)] = exc;
   1122	      }
   1123	      mrb->exc = 0;
   1124	      NEXT;
(lldb) print mrb->c->stack
(mrb_value *) $0 = 0x0000000000000000

ASAN report:

==72547==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fffaf668f44 bp 0x7fff55519ea0 sp 0x7fff55519ea0 T0)
    #0 0x7fffaf668f43 in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f43)
    #1 0x10a5c7bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10a3958cb in mrb_vm_exec (mruby+0x10016d8cb)
    #3 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #4 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #5 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #6 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #7 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #8 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #9 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #10 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #11 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #12 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #13 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #14 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #15 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #16 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #17 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #18 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #19 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #20 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #21 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #22 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #23 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #24 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #25 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #26 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #27 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #28 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #29 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #30 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #31 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #32 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #33 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #34 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #35 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #36 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #37 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #38 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #39 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #40 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #41 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #42 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #43 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #44 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #45 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #46 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #47 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #48 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #49 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #50 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #51 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #52 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #53 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #54 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #55 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #56 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #57 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #58 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #59 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #60 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #61 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #62 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #63 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #64 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #65 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #66 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #67 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #68 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #69 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #70 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #71 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #72 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #73 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #74 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #75 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #76 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #77 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #78 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #79 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #80 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #81 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #82 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #83 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #84 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #85 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #86 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #87 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #88 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #89 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #90 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #91 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #92 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #93 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #94 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #95 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #96 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #97 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #98 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #99 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #100 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #101 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #102 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #103 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #104 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #105 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #106 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #107 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #108 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #109 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #110 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #111 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #112 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #113 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #114 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #115 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #116 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #117 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #118 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #119 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #120 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #121 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #122 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #123 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #124 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #125 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #126 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #127 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #128 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #129 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #130 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #131 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #132 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #133 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #134 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #135 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #136 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #137 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #138 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #139 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #140 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #141 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #142 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #143 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #144 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #145 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #146 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #147 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #148 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #149 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #150 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #151 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #152 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #153 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #154 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #155 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #156 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #157 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #158 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #159 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #160 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #161 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #162 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #163 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #164 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #165 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #166 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #167 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #168 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #169 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #170 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #171 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #172 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #173 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #174 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #175 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #176 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #177 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #178 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #179 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #180 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #181 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #182 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #183 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #184 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #185 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #186 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #187 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #188 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #189 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #190 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #191 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #192 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #193 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #194 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #195 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #196 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #197 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #198 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #199 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #200 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #201 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #202 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #203 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #204 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #205 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #206 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #207 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #208 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #209 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #210 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #211 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #212 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #213 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #214 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #215 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #216 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #217 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #218 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #219 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #220 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #221 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #222 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #223 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #224 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #225 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #226 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #227 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #228 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #229 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #230 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #231 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #232 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #233 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #234 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #235 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #236 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #237 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #238 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #239 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #240 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #241 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #242 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #243 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #244 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #245 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #246 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #247 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #248 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)
    #249 0x10a38737e in mrb_run (mruby+0x10015f37e)
    #250 0x10a38d043 in mrb_yield_with_class (mruby+0x100165043)
    #251 0x10a275499 in mrb_mod_initialize (mruby+0x10004d499)
    #252 0x10a3848c5 in mrb_funcall_with_block (mruby+0x10015c8c5)
    #253 0x10a267ea9 in mrb_instance_new (mruby+0x10003fea9)
    #254 0x10a398ed3 in mrb_vm_exec (mruby+0x100170ed3)
    #255 0x10a38e2f9 in mrb_vm_run (mruby+0x1001662f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f43) in _platform_memmove$VARIANT$Haswell
==72547==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic)
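An added triage harness (example code, not part of the original issue or of mruby) for re-checking a build against this reproducer: it runs the snippet through an interpreter binary with a wall-clock limit and classifies how the process ended, so a native fault (a fatal signal, or an AddressSanitizer report on a build where ASAN exits with code 1 instead of aborting) is told apart from a Ruby-level error. It assumes an `mruby` binary on PATH (or a path given on the command line); the `mruby` name and the `:crash`/`:error`/`:ok`/`:timeout` verdicts are this example's own conventions.

```ruby
require "open3"
require "tempfile"

# The reproducer from the issue above (indentation normalised). It recurses
# without bound, re-entering the VM from C on every level via the Module.new block.
REPRO = <<~'RUBY'
  def f(k)
    H ||= Module.new { f(0) }
  end

  f(0)
RUBY

# Signals that indicate a native fault rather than a Ruby-level failure. ASAN
# builds abort (SIGABRT, "Abort trap: 6" in the report) after printing diagnostics.
CRASH_SIGNALS = %w[SEGV BUS ILL ABRT].map { |name| Signal.list[name] }.compact

# Map a finished process to :crash, :error or :ok.
def classify(status, stderr)
  return :crash if status.signaled? && CRASH_SIGNALS.include?(status.termsig)
  # With abort_on_error=0 (the ASAN default on Linux) the process exits 1
  # instead of aborting, so also look for the report itself.
  return :crash if stderr.include?("AddressSanitizer")
  status.success? ? :ok : :error
end

# Run argv under a wall-clock limit. Returns [verdict, stderr], where verdict is
# one of :crash, :error, :ok or :timeout. Raises Errno::ENOENT if argv[0] is missing.
def run_and_classify(argv, timeout: 10)
  Open3.popen3(*argv) do |stdin, stdout, stderr, wait_thr|
    stdin.close
    # Drain both pipes concurrently so a verbose child (e.g. a 255-frame ASAN
    # trace) cannot fill a pipe buffer and deadlock against our wait.
    out_reader = Thread.new { stdout.read }
    err_reader = Thread.new { stderr.read }
    unless wait_thr.join(timeout)
      begin
        Process.kill("KILL", wait_thr.pid)
      rescue Errno::ESRCH
        # Child exited between the timeout and the kill; nothing to do.
      end
      wait_thr.join
      out_reader.value
      return [:timeout, err_reader.value]
    end
    out_reader.value
    [classify(wait_thr.value, err_reader.value), err_reader.value]
  end
end

# Write the reproducer to a temporary file and run it under the given binary.
# `mruby_bin` is assumed to be an mruby interpreter on PATH. An affected build is
# expected to yield :crash; a fixed one is expected to surface the overflow as a
# Ruby-level exception, i.e. :error.
def triage_mruby(mruby_bin = "mruby", timeout: 30)
  Tempfile.create(["op_rescue_repro", ".rb"]) do |file|
    file.write(REPRO)
    file.flush
    run_and_classify([mruby_bin, file.path], timeout: timeout)
  end
end

# Usage: ruby triage.rb /path/to/mruby
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  verdict, err = triage_mruby(ARGV[0])
  puts "verdict: #{verdict}"
  puts err.lines.first(5).join unless err.empty?
end
```

Pointing the script at an ASAN build keeps the report in `stderr`, so the first lines of the sanitizer summary can be compared against the one in this issue; killing on timeout matters because a recursion that neither faults nor raises would otherwise hang the harness.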

matz closed this in 75c374c on Mar 18, 2017

matz added a commit that referenced this issue Mar 18, 2017

matz added a commit that referenced this issue Oct 28, 2017

Should check if `callinfo` stack is popped before updating the stack.
This is a resurrection of 75c374c, which was accidentally removed by
93f5f22; Fix #3507 #3512 #3518 #3521