Null pointer dereference in ecall

[clayton-shopify]

The following input demonstrates a crash:

def a
  yield
ensure
  Array.new.uniq {}
end

def b
  yield
ensure
  lambda { a { a a { return proc{} } } }.call
end

GC.start

lambda { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { b { return proc{} } } } } } } } } } } } } } } } } } } } } } } }.call

ASAN report:

==53746==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x000107e76d81 bp 0x7fff57f13110 sp 0x7fff57f12d60 T0)
==53746==The signal is caused by a READ memory access.
==53746==Hint: address points to the zero page.
    #0 0x107e76d80 in ecall vm.c:323
    #1 0x107e5de06 in mrb_vm_exec vm.c:1920
    #2 0x107e459e6 in mrb_vm_run vm.c:866
    #3 0x107e79cdf in mrb_top_run vm.c:2768
    #4 0x107f4bdd5 in mrb_load_exec parse.y:5780
    #5 0x107f4c725 in mrb_load_file_cxt parse.y:5789
    #6 0x107ce4e46 in main mruby.c:227
    #7 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

==53746==Register values:
rax = 0x0000000000000002  rbx = 0x00007fff57f12dc0  rcx = 0x0000000000000002  rdx = 0x0000100000000000
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff57f13110  rsp = 0x00007fff57f12d60
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0x00001c280000148c  r11 = 0x0000100000000000
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeafe3448  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV vm.c:323 in ecall
==53746==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ahihi