Null pointer dereference in each_backtrace

[clayton-shopify]

The following input demonstrates a crash:

GC.start

begin
  [0].all? do[].-
end

rescue => e
  GC.start
  e.dup.backtrace
end

ASAN report:

==90143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x0001078ac6a0 bp 0x7fff5836ba50 sp 0x7fff5836b700 T0)
==90143==The signal is caused by a READ memory access.
==90143==Hint: address points to the zero page.
    #0 0x1078ac69f in each_backtrace backtrace.c:132
    #1 0x1078ab4ea in output_backtrace backtrace.c:182
    #2 0x1078a9324 in exc_output_backtrace backtrace.c:199
    #3 0x1078a9ca4 in mrb_exc_backtrace backtrace.c:303
    #4 0x1078fd45e in exc_get_backtrace (mruby:x86_64+0x10007345e)
    #5 0x1079fbca5 in mrb_vm_exec (mruby:x86_64+0x100171ca5)
    #6 0x1079f0dbf in mrb_vm_run (mruby:x86_64+0x100166dbf)
    #7 0x107a24619 in mrb_top_run (mruby:x86_64+0x10019a619)
    #8 0x107af5a85 in mrb_load_exec (mruby:x86_64+0x10026ba85)
    #9 0x107af63d5 in mrb_load_file_cxt (mruby:x86_64+0x10026c3d5)
    #10 0x10788c0d6 in main mruby.c:227
    #11 0x7fffbdf72234 in start (libdyld.dylib:x86_64+0x5234)

==90143==Register values:
rax = 0x0000000000000009  rbx = 0x00007fff5836b760  rcx = 0x0000000000000009  rdx = 0x0000100000000001
rdi = 0x0000000000000001  rsi = 0x0000100000000000  rbp = 0x00007fff5836ba50  rsp = 0x00007fff5836b700
 r8 = 0x0000000100000010   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0xffffe060a7c9f1e0
r12 = 0x0000100000000000  r13 = 0x000062f0000099d0  r14 = 0x000061400000a460  r15 = 0x00001c280000148c
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV backtrace.c:132 in each_backtrace
==90143==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic & Denis Kasak (https://hackerone.com/dgaletic).