Null pointer dereference in OP_CALL

[clayton-shopify]

The following input demonstrates a crash:

s=proc{|f,g,x|f[x][g[x]]}.curry
k=proc{|x,y|x}.curry
i=proc{|x|x}.curry
fi0=[]
re0=proc{|x|fi0.size;x}.curry
[s[s[i][i]][k[i]]][0][s[s[k[s]][s[k[s]][s[s[k[s]][s[k[s[k[re0]]]][s[k[s]][k]]]][k]]]][k[s[k[s]][k]]]]

This appears to be a GC bug, since adding GC.disable to the top prevents the crash. The issue looks similar to #3491 so they could be related.

ASAN report:

==3466==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7fffc774bf3d bp 0x7fff5a5f9f00 sp 0x7fff5a5f9f00 T0)
    #0 0x7fffc774bf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f3c)
    #1 0x10599ebf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10576db11 in mrb_vm_exec (mruby+0x100171b11)
    #3 0x1057609e9 in mrb_vm_run (mruby+0x1001649e9)
    #4 0x105792cb9 in mrb_top_run (mruby+0x100196cb9)
    #5 0x1058619e5 in mrb_load_exec (mruby+0x1002659e5)
    #6 0x1058627f5 in mrb_load_file_cxt (mruby+0x1002667f5)
    #7 0x1055fe9d6 in main mruby.c:227
    #8 0x7fffc753b254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f3c) in _platform_memmove$VARIANT$Haswell
==3466==ABORTING
Abort trap: 6

Debug shows that m->env->stack is 0x2:

$ lldb bin/mruby
(lldb) target create "bin/mruby"
Current executable set to 'bin/mruby' (x86_64).
(lldb) process launch -- 214845.rb
Process 3444 launched: '/Users/clayton/git/mruby/bin/mruby' (x86_64)
AddressSanitizer debugger support is active. Memory error breakpoint has been installed and you can now use the 'memory history' command.
Process 3444 stopped
* thread #1: tid = 0x5ddc, 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
    frame #0: 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
->  0x7fffc774bf3d <+157>: movq   (%rsi), %rcx
    0x7fffc774bf40 <+160>: movq   (%rsi,%rdx), %r8
    0x7fffc774bf44 <+164>: movq   %rcx, (%rdi)
    0x7fffc774bf47 <+167>: movq   %r8, (%rdi,%rdx)
(lldb) frame select 2
frame #2: 0x0000000100171b12 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f00006ba00, pc=0x00000001002f6380) + 53170 at vm.c:1361
   1358	          stack_extend(mrb, irep->nregs, ci->argc+2);
   1359	        }
   1360	        if(m->env) {
-> 1361	          regs[0] = m->env->stack[0];
   1362	        }
   1363	        pc = irep->iseq;
   1364	        JUMP;
(lldb) print *m->env
(REnv) $0 = {
  tt = MRB_TT_ARRAY
  color = 2
  flags = 0
  c = 0x000062f000009c40
  gcnext = 0x0000000000000000
  stack = 0x0000000000000002
  mid = 2
  cioff = 105759274967392
}

This issue was reported by https://hackerone.com/ston3