Summary
The arithmetic_fuzz target found a panic in expand_brace_expr_in_arithmetic when processing the input [${#[ (bytes [91, 36, 123, 35, 91]).
Failing CI runs
All three failures are in Fuzz Test (arithmetic_fuzz) — parser and lexer fuzz targets pass.
Root cause
In crates/bashkit/src/interpreter/mod.rs, expand_brace_expr_in_arithmetic:
if let Some(bracket) = rest.find('[') {
let idx = &rest[bracket + 1..rest.len().saturating_sub(1)];When rest = "[" (from input ${#[}), bracket = 0, rest.len() = 1, so saturating_sub(1) = 0, producing the slice rest[1..0] which panics with:
byte range starts at 1 but ends at 0
Reproduce
cargo fuzz run arithmetic_fuzz -- -runs=0 # then with the crash artifact
# Or directly:
echo '$((0 + ${#[}))' | cargo run -p bashkit-cliFix
Guard bracket + 1 > end before slicing — return "0" for malformed expressions.
Fixed in commit ffdad8d on branch claude/run-maintenance-fIcsd with regression test arithmetic_malformed_brace_length_no_panic.
Summary
The
arithmetic_fuzztarget found a panic inexpand_brace_expr_in_arithmeticwhen processing the input[${#[(bytes[91, 36, 123, 35, 91]).Failing CI runs
All three failures are in
Fuzz Test (arithmetic_fuzz)— parser and lexer fuzz targets pass.Root cause
In
crates/bashkit/src/interpreter/mod.rs,expand_brace_expr_in_arithmetic:When
rest = "["(from input${#[}),bracket = 0,rest.len() = 1, sosaturating_sub(1) = 0, producing the slicerest[1..0]which panics with:Reproduce
Fix
Guard
bracket + 1 > endbefore slicing — return"0"for malformed expressions.Fixed in commit ffdad8d on branch
claude/run-maintenance-fIcsdwith regression testarithmetic_malformed_brace_length_no_panic.