The reproducer resulted in the "block" OP being both on the parser stack and attached to the CV. If an error occurred while parsing the rest of the list operator, clean up would release the OP as attached to the CV, and the same OP on the parse stack, resulting in a double free.
It's unclear to me whether bison is intended to support modifying the parse stack entry like this, but it appears to work here.
Fixes #21724