Hacker News new | past | comments | ask | show | jobs | submit login

Heh, cool. There's a bunch of bugs here: the FEN parser accepts totally malformed stuff, which desynchronizes the internal state and leads to some odd behaviour (as far as I can tell, this is what causes it to erroneously output no moves for a reasonable position), and Stockfish will pretty happily analyze nonsensical positions and explode. I looked into the latter issue, which can be triggered even with "mostly-valid" FEN input, such as the "fixed" FEN from "The Endgame":

    position fen 4kb1r/B2pqBpp/3P1n2/Q7/PP2PPP1/1K4RP/8/8 w - - 0 1
    go searchmoves
With a debug build, Stockfish crashes immediately on the following line (Position::do_move, position.cpp:726):

    assert(type_of(captured) != KING);
As noted in the article, the position is invalid as the black king is checked on white's turn. During move evaluation, the king capture is considered as a possible move for white, which crashes in the assertion.

In a release build, without that assumption, Stockfish happily continues examining this line without a black king present on the board, and somewhere deep in the evaluation attempts to locate the black king (evaluate.cpp:540):

    const Square ksq = pos.square<KING>(Us);
This fails, producing a ksq value which is undefined: it uses tzcnt, which returns an "undefined" value if the register is zero (and it is, because there is no king so the bitboard is zero). The likely value is 0x40, which is out of bounds; any later operation that tries to index by this will explode in exciting ways. For example, in the same evaluation function, we have

    b2 = attacks_bb<BISHOP>(ksq, pos.pieces() ^ pos.pieces(Us, QUEEN));
which indexes an array called BishopMagics with ksq; this goes out of bounds and accesses a wild pointer.

I was unable to reproduce the second crash, "Win by Segfault Attack".
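As an added illustration of the checks a front end should run before handing a FEN string to an engine (this is example code written for this page, not part of the comment above and not Stockfish's own code): a small C++ validator that rejects malformed placement strings, positions without exactly one king per side, and positions where the side not to move is already in check, which is the defect in the quoted FEN. It also shows a king-square lookup that returns -1 instead of calling a count-trailing-zeros builtin on an empty bitboard. The square numbering, the error strings and the constructed test FENs other than the one quoted in the comment are my own choices; only the placement and side-to-move fields are parsed, the castling, en passant and move-counter fields are ignored.

```cpp
#include <cctype>
#include <cstdint>
#include <sstream>
#include <string>

// Added example: a defensive FEN validator, not Stockfish code.
// Square index: a1 = 0, b1 = 1, ..., h8 = 63 (file = sq & 7, rank = sq >> 3).
typedef uint64_t Bitboard;
enum Color { WHITE = 0, BLACK = 1 };
enum PieceType { PAWN, KNIGHT, BISHOP, ROOK, QUEEN, KING, NO_PIECE };

struct Board {
    Bitboard byColor[2] = {0, 0};
    Bitboard byType[6] = {0, 0, 0, 0, 0, 0};
    Color sideToMove = WHITE;
};

static bool onBoard(int f, int r) { return f >= 0 && f < 8 && r >= 0 && r < 8; }
static bool has(Bitboard b, int f, int r) { return (b >> (r * 8 + f)) & 1; }

static PieceType typeOf(char c) {
    switch (std::tolower(static_cast<unsigned char>(c))) {
    case 'p': return PAWN;  case 'n': return KNIGHT; case 'b': return BISHOP;
    case 'r': return ROOK;  case 'q': return QUEEN;  case 'k': return KING;
    default:  return NO_PIECE;
    }
}

// Square of colour c's king, or -1 if it is absent. Guarding the empty
// bitboard is the point: ctz of 0 is undefined, as the comment describes.
int kingSquare(const Board& b, Color c) {
    Bitboard k = b.byColor[c] & b.byType[KING];
    return k ? __builtin_ctzll(k) : -1;
}

// Is square (f, r) attacked by any piece of colour `by`? Plain ray walking, no magic bitboards.
static bool attacked(const Board& b, int f, int r, Color by) {
    Bitboard occ = b.byColor[WHITE] | b.byColor[BLACK];
    auto own = [&](PieceType t) { return b.byColor[by] & b.byType[t]; };
    int pr = (by == WHITE) ? r - 1 : r + 1;          // rank a pawn of `by` attacks (f, r) from
    for (int df = -1; df <= 1; df += 2)
        if (onBoard(f + df, pr) && has(own(PAWN), f + df, pr)) return true;
    static const int kn[8][2] = {{1,2},{2,1},{-1,2},{-2,1},{1,-2},{2,-1},{-1,-2},{-2,-1}};
    for (const auto& d : kn)
        if (onBoard(f + d[0], r + d[1]) && has(own(KNIGHT), f + d[0], r + d[1])) return true;
    static const int dirs[8][2] = {{1,0},{-1,0},{0,1},{0,-1},{1,1},{1,-1},{-1,1},{-1,-1}};
    for (int i = 0; i < 8; ++i) {
        Bitboard sliders = own(QUEEN) | (i < 4 ? own(ROOK) : own(BISHOP));
        int nf = f + dirs[i][0], nr = r + dirs[i][1];
        if (onBoard(nf, nr) && has(own(KING), nf, nr)) return true;   // adjacent enemy king
        for (; onBoard(nf, nr); nf += dirs[i][0], nr += dirs[i][1]) {
            if (!has(occ, nf, nr)) continue;
            if (has(sliders, nf, nr)) return true;
            break;                                   // ray blocked by some other piece
        }
    }
    return false;
}

// Returns "" when the FEN is acceptable, otherwise the reason it was rejected.
std::string validateFen(const std::string& fen, Board* out = nullptr) {
    std::istringstream ss(fen);
    std::string placement, side;
    if (!(ss >> placement >> side)) return "missing placement or side-to-move field";
    Board b;
    int rank = 7, file = 0;                          // FEN lists rank 8 first
    for (char c : placement) {
        if (c == '/') {
            if (file != 8) return "rank does not have 8 files";
            if (--rank < 0) return "more than 8 ranks";
            file = 0;
        } else if (c >= '1' && c <= '8') {
            file += c - '0';
            if (file > 8) return "rank does not have 8 files";
        } else if (typeOf(c) != NO_PIECE) {
            if (file > 7) return "rank does not have 8 files";
            Color col = std::isupper(static_cast<unsigned char>(c)) ? WHITE : BLACK;
            if (typeOf(c) == PAWN && (rank == 0 || rank == 7)) return "pawn on first or last rank";
            b.byColor[col] |= 1ULL << (rank * 8 + file);
            b.byType[typeOf(c)] |= 1ULL << (rank * 8 + file);
            ++file;
        } else {
            return "illegal character in placement";
        }
    }
    if (rank != 0 || file != 8) return "expected 8 ranks";
    if (side != "w" && side != "b") return "side to move must be w or b";
    b.sideToMove = (side == "w") ? WHITE : BLACK;
    if (__builtin_popcountll(b.byColor[WHITE] & b.byType[KING]) != 1 ||
        __builtin_popcountll(b.byColor[BLACK] & b.byType[KING]) != 1)
        return "need exactly one king per side";
    // The side to move must not be able to capture the enemy king on its first move.
    Color idle = (b.sideToMove == WHITE) ? BLACK : WHITE;
    int ksq = kingSquare(b, idle);
    if (attacked(b, ksq & 7, ksq >> 3, b.sideToMove)) return "side not to move is in check";
    if (out) *out = b;
    return "";
}
```

Run on the FEN quoted in the comment, `validateFen("4kb1r/B2pqBpp/3P1n2/Q7/PP2PPP1/1K4RP/8/8 w - - 0 1")` returns "side not to move is in check" (the bishop on f7 attacks e8), while the same placement with "b" to move passes, since a side that is in check is free to be the one on move. The king-count check is what would have stopped the no-king evaluation path: an engine that only validates at input time still needs it, because a king capture during search produces exactly the state this rejects.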