From 1f71c7dc81628bfd141bb91ee10bd8ca44ccaf07 Mon Sep 17 00:00:00 2001
From: Koichi Sasada <ko1@atdot.net>
Date: Thu, 3 Dec 2020 06:49:52 +0900
Subject: [PATCH] add GC guard

new_prev_env is stored in the env_body memory block but this is not
a GC root, so new_prev_env could be freed.
---
 vm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/vm.c b/vm.c
index 1e1c06e0e2..bc3ec98c1a 100644
--- a/vm.c
+++ b/vm.c
@@ -1003,6 +1003,7 @@ env_copy(const VALUE *src_ep, VALUE read_only_variables)
 
     VALUE *env_body = ZALLOC_N(VALUE, src_env->env_size); // fill with Qfalse
     VALUE *ep = &env_body[src_env->env_size - 2];
+    volatile VALUE prev_env = Qnil;
 
     if (read_only_variables) {
         for (int i=0; i<RARRAY_LENINT(read_only_variables); i++) {
@@ -1030,13 +1031,16 @@ env_copy(const VALUE *src_ep, VALUE read_only_variables)
     if (!VM_ENV_LOCAL_P(src_ep)) {
         const VALUE *prev_ep = VM_ENV_PREV_EP(src_env->ep);
         const rb_env_t *new_prev_env = env_copy(prev_ep, read_only_variables);
+        prev_env = (VALUE)new_prev_env;
         ep[VM_ENV_DATA_INDEX_SPECVAL] = VM_GUARDED_PREV_EP(new_prev_env->ep);
     }
     else {
         ep[VM_ENV_DATA_INDEX_SPECVAL] = VM_BLOCK_HANDLER_NONE;
     }
 
-    return vm_env_new(ep, env_body, src_env->env_size, src_env->iseq);
+    const rb_env_t *copied_env = vm_env_new(ep, env_body, src_env->env_size, src_env->iseq);
+    RB_GC_GUARD(prev_env);
+    return copied_env;
 }
 
 static void