The following code causes an invalid read and subsequent crash on current master:
$s = "%43b" % 2
0 while $s.chop![3,34].to_f
Valgrind report:
==550328== Memcheck, a memory error detector
==550328== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==550328== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==550328== Command: mruby 145f728aa44f35ec123f8141b154fae0a5d59503
==550328==
==550328== Invalid read of size 4
==550328== at 0x11576D: str_init_shared (string.c:79)
==550328== by 0x11576D: str_share (string.c:538)
==550328== by 0x11759D: mrb_str_byte_subseq (string.c:593)
==550328== by 0x11835B: str_substr (string.c:638)
==550328== by 0x11835B: mrb_str_aref (string.c:1208)
==550328== by 0x11835B: mrb_str_aref_m (string.c:1271)
==550328== by 0x12393D: mrb_vm_exec (vm.c:1444)
==550328== by 0x128A43: mrb_vm_run (vm.c:947)
==550328== by 0x14E44E: mrb_load_exec (parse.y:6339)
==550328== by 0x10DC3E: main (mruby.c:270)
==550328== Address 0x2a is not stack'd, malloc'd or (recently) free'd
==550328==
==550328==
==550328== Process terminating with default action of signal 11 (SIGSEGV)
==550328== Access not within mapped region at address 0x2A
==550328== at 0x11576D: str_init_shared (string.c:79)
==550328== by 0x11576D: str_share (string.c:538)
==550328== by 0x11759D: mrb_str_byte_subseq (string.c:593)
==550328== by 0x11835B: str_substr (string.c:638)
==550328== by 0x11835B: mrb_str_aref (string.c:1208)
==550328== by 0x11835B: mrb_str_aref_m (string.c:1271)
==550328== by 0x12393D: mrb_vm_exec (vm.c:1444)
==550328== by 0x128A43: mrb_vm_run (vm.c:947)
==550328== by 0x14E44E: mrb_load_exec (parse.y:6339)
==550328== by 0x10DC3E: main (mruby.c:270)
==550328== If you believe this happened as a result of a stack
==550328== overflow in your program's main thread (unlikely but
==550328== possible), you can try to increase the size of the
==550328== main thread stack using the --main-stacksize= flag.
==550328== The main thread stack size used in this run was 8388608.
==550328==
==550328== HEAP SUMMARY:
==550328== in use at exit: 230,644 bytes in 3,006 blocks
==550328== total heap usage: 3,068 allocs, 62 frees, 332,730 bytes allocated
==550328==
==550328== LEAK SUMMARY:
==550328== definitely lost: 0 bytes in 0 blocks
==550328== indirectly lost: 0 bytes in 0 blocks
==550328== possibly lost: 0 bytes in 0 blocks
==550328== still reachable: 230,644 bytes in 3,006 blocks
==550328== suppressed: 0 bytes in 0 blocks
==550328== Rerun with --leak-check=full to see details of leaked memory
==550328==
==550328== For lists of detected and suppressed errors, rerun with: -s
==550328== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
zsh: segmentation fault (core dumped) valgrind mruby 145f728aa44f35ec123f8141b154fae0a5d59503
Probably related to chop! since this similar input
$s ="%80b" % 15while $s.chop!while $s.chop
causes another invalid read (and crash) in a different function:
==565556== Invalid read of size 4
==565556== at 0x116B04: mrb_str_modify_keep_ascii (string.c:820)
==565556== by 0x116B04: mrb_str_modify_keep_ascii (string.c:814)
==565556== by 0x116B04: mrb_str_chop_bang (string.c:1637)
==565556== by 0x12393D: mrb_vm_exec (vm.c:1444)
==565556== by 0x128A43: mrb_vm_run (vm.c:947)
==565556== by 0x14E44E: mrb_load_exec (parse.y:6339)
==565556== by 0x10DC3E: main (mruby.c:270)
==565556== Address 0x50 is not stack'd, malloc'd or (recently) free'd
dkasak commented Nov 7, 2019