-
Kouhei Sutou authored
The following program reproduces this problem: #include <mruby.h> static mrb_value recursive(mrb_state *mrb, mrb_value self) { mrb_int n; mrb_get_args(mrb, "i", &n); if (n == 0) { mrb_raise(mrb, E_RUNTIME_ERROR, "XXX"); } else { mrb_funcall(mrb, self, "recursive", 1, mrb_fixnum_value(n - 1)); } return self; } int main(void) { mrb_state *mrb; mrb = mrb_open(); mrb_define_method(mrb, mrb->kernel_module, "recursive", recursive, MRB_ARGS_REQ(1)); mrb_funcall(mrb, mrb_top_self(mrb), "recursive", 1, mrb_fixnum_value(30)); mrb_close(mrb); } Recursive method call isn't required. It's just for expanding call info stack. If mrb_realloc() is called in cipush(), cibase address is changed. So, we shouldn't compare ci before mrb_realloc() and cibase after mrb_realloc(). It accesses unknown address and causes crash.3fefe52f
