Issue #11409 has been updated by D.E. Akers.


Upon further investigation, I've discovered why replacing `Qnil` with `Qfalse` prevents the crash.

```c
static rb_cref_t *
check_cref(VALUE obj, int can_be_svar)
{
    if (obj == Qfalse) return NULL;
```

The prelude of `check_cref()` only checks whether `obj` is `Qfalse`; since `rb_block_clear_env_self()` uses `Qnil`, `check_cref()` continues by calling `imemo_type()` on `Qnil`, which eventually leads to `Qnil` being dereferenced and the interpreter crashing.

The fix is remarkably simple:

```diff
- if (obj == Qfalse) return NULL;
+ if (!RTEST(obj)) return NULL;
```
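Review bot: the new condition widens the early return from Qfalse alone to both Qfalse and Qnil, which is what the comment above needs since rb_block_clear_env_self() stores Qnil in env->env[0], but it also means any other caller that passes Qnil into check_cref() now gets NULL instead of a cref lookup; worth confirming no caller distinguishes the two before this goes in. The snippet also carries no file name, function context or @@ hunk header, so it cannot be applied with patch(1) as posted; a full unified diff against the file that defines check_cref() would let a committer review and apply it in context.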

----------------------------------------
Bug #11409: {instance,module}_eval(&:foo) segfaults since r51243.
https://bugs.ruby-lang.org/issues/11409#change-53653

* Author: D.E. Akers
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.3.0dev (2015-08-02 trunk 51469) [x86_64-linux]
* Backport: 
----------------------------------------
The segfault only occurs when the argument is a `#to_proc`'d Symbol, and the receiver needn't actually respond to the named method.

This bug was introduced in [a rather large patch](http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51243), and should almost certainly be fixed in one of the files modified therein. That said, I've discovered that removing the call to `rb_block_clear_env_self()` in `sym_to_proc()` prevents the segfault, as does setting `env->env[0]` to `Qfalse` rather than `Qnil` in `rb_block_clear_env_self()`. Neither of those is a proper fix, of course, but I hope this information may be of use to somebody more intimately familiar with Ruby's internals.
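The cases the report describes (a `#to_proc`'d Symbol versus a literal block, and a receiver that does or does not respond to `:foo`), turned into a regression harness. This is an added example, not code from the bug report or from the Ruby project: each expression is run in a child interpreter so a segfault there cannot take the harness down with it, and the outcome is classified as a crash, the `NoMethodError` expected on a fixed build, or a normal return. The case names and the exit-status convention (0 for `NoMethodError`, 3 for a normal return) are assumptions made here.

```ruby
require "open3"
require "rbconfig"

# Added regression harness for the report above (not from the bug report or
# the Ruby project). Each expression runs in a fresh child interpreter so a
# segfault there cannot take the harness down with it. Case names and the
# exit-status convention below are assumptions made for this example.
CASES = {
  "instance_eval, to_proc'd Symbol"        => "Object.new.instance_eval(&:foo)",
  "module_eval, to_proc'd Symbol"          => "Module.new.module_eval(&:foo)",
  "instance_eval, literal block (control)" => "Object.new.instance_eval { |o| o.foo }",
  "instance_eval, receiver responds"       => "Object.new.tap { |o| def o.foo; :ok; end }.instance_eval(&:foo)",
}.freeze

# Run one expression in a child ruby and classify the outcome:
#   :crashed          child died from a signal (SIGSEGV, or the SIGABRT that
#                     Ruby's crash handler raises after printing its bug report)
#   :no_method_error  expected once the bug is fixed and :foo is undefined
#   :returned         expression completed normally (receiver defines :foo)
#   :other            anything else, e.g. a different exception in the child
def classify(expr)
  script = <<~RUBY
    begin
      #{expr}
      exit 3
    rescue NoMethodError
      exit 0
    end
  RUBY
  _out, _err, status = Open3.capture3(RbConfig.ruby, "--disable-gems", "-e", script)
  return :crashed if status.signaled?
  case status.exitstatus
  when 0 then :no_method_error
  when 3 then :returned
  else :other
  end
end

# Classify every case; returns { name => outcome }.
def run_all(cases = CASES)
  cases.map { |name, expr| [name, classify(expr)] }.to_h
end

# Names of the cases whose child interpreter crashed (empty on a fixed build).
def crashing_cases(cases = CASES)
  run_all(cases).select { |_, outcome| outcome == :crashed }.keys
end

if $PROGRAM_NAME == __FILE__
  run_all.each { |name, outcome| puts "#{outcome.to_s.ljust(16)} #{name}" }
  exit(crashing_cases.empty? ? 0 : 1)
end
```

Run it against the trunk build named in the report and the two Symbol cases should come back `:crashed` while the literal-block control raises `NoMethodError` normally; on a build with the `RTEST` change, all three undefined-`:foo` cases classify as `:no_method_error` and the script exits 0.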



-- 
https://bugs.ruby-lang.org/