bc: suppress try_depth around speculative compile-time fold prim call

try_fold_call and try_fold_arg invoke pure prims speculatively at
compile time to test whether a (head literal-args...) call can fold
to a constant. The contract assumes prim_throw_classified will take
the "set diag and return NULL" branch so the caller can clear_error
and decline. That branch only runs when try_depth == 0; with an
active try-frame in the surrounding eval context, the prim longjmps
into the user's catch instead, escaping the compile entirely.

Reproducer: (defn f [] (if (zero? 0) 43 (quot 1 0))) (f). The
constant-condition fold doesn't fire because (zero? 0) is a cons
(not self-evaluating), so both branches compile. The speculative
fold of (quot 1 0) raises and longjmps; the user sees a runtime
quot: division by zero error from an unreachable else-branch.

Fix: save and zero try_depth around the speculative prim call in
both try_fold_call and try_fold_arg. The prim sees a clean no-try
context, takes the diag-return-NULL path, and the existing
clear_error + decline logic works as documented. try_stack
contents stay untouched; only the depth counter is temporarily
masked. tests/bc_let_fold_test.clj gains
if-else-fold-error-stays-unreachable covering the anchor
reproducer plus mod / rem / when-with-quot / param-driven cond.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: leifericf

CHANGELOG.md

@@ -1,5 +1,43 @@
 # Changelog
 
+## v0.255.6 — Fix: BC Speculative Fold Longjmps Through Active Try-Frame
+
+Surfaced by mino-tests v0.7.0's `gen_program.clj`: a `defn` whose
+body contains an `(if cond then else)` where the else-branch holds
+a compile-time-foldable error (`(quot/mod/rem a 0)`, shift out of
+range, `LLONG_MIN/-1`) raised the error at runtime even when the
+cond was statically truthy and the else was unreachable. Top-level
+forms with the same shape worked. Reproducer:
+
+```
+(defn f [] (if (zero? 0) 43 (quot 1 0)))
+(f) ; => quot: division by zero  -- expected 43
+```
+
+Root cause: `try_fold_call` and `try_fold_arg` in
+`src/eval/bc/compile.c` speculatively invoke a pure prim at compile
+time to test whether the call can fold to a constant. The contract
+assumes `prim_throw_classified` will take the "set diag and return
+NULL" branch on error so the caller can `clear_error` and decline.
+But that branch only runs when `try_depth == 0`; with an active
+try-frame in the surrounding eval context (compile-on-call from
+inside any `(try ...)`), `prim_throw_classified` `longjmp`s into
+the active frame instead. The longjmp escapes the compile, the
+exception lands on the user's catch, and the unreachable else
+surfaces as if it were the actual eval path.
+
+Fix: save and zero `try_depth` around the speculative prim call in
+both `try_fold_call` and `try_fold_arg`. The prim sees a clean
+no-try context, takes the diag-return-NULL path, and the caller's
+existing `clear_error` + decline logic works as documented. The
+try-frame stack contents are untouched; only the depth counter is
+temporarily masked.
+
+Regression: `tests/bc_let_fold_test.clj` gains
+`if-else-fold-error-stays-unreachable` with 6 sub-tests covering
+the anchor reproducer plus mod/rem, `when`-with-unreachable-then,
+and param-driven cond paths.
+
 ## v0.255.5 — Fix: BC Bitwise Fast Path No Longer Promotes to Bigint
 
 Surfaced by mino-tests's `gen.clj` while building a seeded RNG: an

src/eval/bc/compile.c

@@ -2855,7 +2855,18 @@ static int try_fold_arg(compiler_t *c, mino_val_t *v, mino_val_t **out)
             args = mino_cons(c->S, stack[i], args);
             if (args == NULL) return 0;
         }
+        /* The speculative fold contract requires prim_throw_classified
+         * to take the "set diag + return NULL" branch on error, not the
+         * "longjmp to active try-frame" branch. If the compile is
+         * happening underneath a live try (compile-on-call from inside
+         * a user (try ...) block, for instance), longjmp would escape
+         * the compile and surface a stale exception. Suppress try_depth
+         * for the duration of the speculative prim call; the saved
+         * value is restored regardless of outcome. */
+        int saved_td = mino_current_ctx(c->S)->try_depth;
+        mino_current_ctx(c->S)->try_depth = 0;
         folded = pp->prim(c->S, args, c->env);
+        mino_current_ctx(c->S)->try_depth = saved_td;
         if (folded == NULL) { clear_error(c->S); return 0; }
         if (!fold_result_constable(folded)) return 0;
         *out = folded;
@@ -2893,7 +2904,13 @@ static int try_fold_call(compiler_t *c, mino_val_t *form, int dst,
         if (args == NULL) return 1;
     }
 
+    /* Same try_depth suppression as try_fold_arg: the speculative
+     * fold needs prim_throw_classified to take the diag-return-NULL
+     * branch, not longjmp. */
+    int saved_td = mino_current_ctx(c->S)->try_depth;
+    mino_current_ctx(c->S)->try_depth = 0;
     mino_val_t *folded = pp->prim(c->S, args, c->env);
+    mino_current_ctx(c->S)->try_depth = saved_td;
     if (folded == NULL) {
         /* The prim raised at fold time (e.g., division by zero).
          * Clear the diagnostic and decline -- the runtime path will

src/mino.h

@@ -28,7 +28,7 @@
  */
 #define MINO_VERSION_MAJOR 0
 #define MINO_VERSION_MINOR 255
-#define MINO_VERSION_PATCH 5
+#define MINO_VERSION_PATCH 6
 
 /*
  * Human-readable version string of the *linked* runtime, e.g. "0.48.0".

tests/bc_let_fold_test.clj

@@ -95,3 +95,30 @@
         (finally (def + old-plus))))
     ;; After restore, original semantics return.
     (is (= 30 (rd1)))))
+
+(deftest if-else-fold-error-stays-unreachable
+  ;; When an if-form's cond is statically truthy (or a compile-time
+  ;; resolvable shape) and the else-branch contains a call that would
+  ;; fold to a runtime error (division by zero, shift out of range,
+  ;; LLONG_MIN/-1 overflow), the compiler's speculative fold attempt
+  ;; on the else expression must NOT escape into the surrounding
+  ;; eval context. The unreachable else stays unreachable; the fn
+  ;; returns the then-branch value normally.
+  (testing "(zero? 0) cond + (quot 1 0) unreachable else"
+    (defn iea1 [] (if (zero? 0) 43 (quot 1 0)))
+    (is (= 43 (iea1))))
+  (testing "let-bound zero divisor under (zero? d) cond"
+    (defn iea2 [] (let [d 0] (if (zero? d) 43 (mod 43 d))))
+    (is (= 43 (iea2))))
+  (testing "rem under (zero? d) cond"
+    (defn iea3 [] (let [d 0] (if (zero? d) 99 (rem 100 d))))
+    (is (= 99 (iea3))))
+  (testing "when guarding an unreachable quot"
+    (defn iea4 [] (when (zero? 0) (quot 100 5)))
+    (is (= 20 (iea4))))
+  (testing "param-based cond doesn't pre-eval else"
+    (defn iea5 [c] (if c 43 (quot 1 0)))
+    (is (= 43 (iea5 true))))
+  (testing "param-false cond hits the runtime quot error"
+    (defn iea6 [c] (if c 43 (quot 1 0)))
+    (is (thrown? (iea6 false)))))