Duplicate check - ONNX SplitToSequence scalar split=0 SIGFPE
Date: 2026-06-23
Candidate
Title: SplitToSequence scalar split=0 crashes ONNX shape inference via integer modulo by zero
Repo: onnx/onnx
Targets:
Huntr:model-onnxHuntr:github-onnx-onnx
Huntr repo page
Checked https://huntr.com/repos/onnx/onnx with the local Huntr dedup checker in Playwright mode.
Result:
- Total reports observed: 55
- Checker risk:
DUPE - Reason for tool risk: broad class overlap with ONNX denial-of-service reports, especially the existing
Integer divide-by-zero in ONNX Conv/Pool shape inference...report.
Manual assessment:
- No visible report title contains
SplitToSequence. - No visible report title contains
split=0, scalarsplit, or sequence split shape inference. - Closest class match is the existing Conv/Pool shape-inference divide-by-zero report. This is not an exact duplicate because this candidate uses
SplitToSequence, a scalarsplitinitializer, and root cause inonnx/defs/sequence/utils.cc. - Existing user-submitted ONNX reports in
hacnho-huntr/my-reports-submitted.mdare recursion/function-cycle findings and do not overlap this scalar modulo-by-zero path.
Saved raw checker outputs:
duplicate-check.jsonduplicate-check-playwright.json
GitHub issue search
Command:
gh issue list -R onnx/onnx --state all --search 'SplitToSequence zero split SIGFPE "Floating point exception" "modulo by zero"' --limit 20 --json number,title,state,url,createdAt,updatedAt
Result: []
Command:
gh issue list -R onnx/onnx --state all --search 'SplitToSequence zero split' --limit 20 --json number,title,state,url,createdAt,updatedAt
Relevant results:
#6356-Why does SplitToSequence not allow zeros in split input?- open -https://github.com/onnx/onnx/issues/6356#4742-Split-18 performs differently compared to np.array_split, torch.tensor_split for last element in uneven split- open -https://github.com/onnx/onnx/issues/4742
Assessment:
#6356is a spec/question issue about whether zero split values should be allowed. It does not report a crash, SIGFPE, security impact, or the scalar modulo-by-zero path.#4742is about Split behavior parity, notSplitToSequenceSIGFPE.
Command:
gh issue list -R onnx/onnx --state all --search 'SplitToSequence shape inference' --limit 20 --json number,title,state,url,createdAt,updatedAt
Relevant results:
#6656-Shape inference error after SplitToSequence- open -https://github.com/onnx/onnx/issues/6656#2693-Shape inference error in test_sequence_model8- closed -https://github.com/onnx/onnx/issues/2693
Assessment:
#6656is a wrong shape inference result involvingkeepdim=0, not a process crash or divide-by-zero.#2693is an old sequence model shape inference error, not this crash path.
Command:
gh issue list -R onnx/onnx --state all --search 'SIGFPE OR "Floating point exception" OR divide-by-zero OR "divide by zero"' --limit 20 --json number,title,state,url,createdAt,updatedAt
Assessment:
- Results did not include a
SplitToSequencescalar split crash.
Web search
Queries checked:
site:huntr.com/bounties onnx SplitToSequence zero splitsite:huntr.com/bounties onnx SplitToSequence SIGFPEsite:huntr.com/bounties onnx "Floating point exception" "SplitToSequence"site:huntr.com/bounties onnx "modulo by zero" "SplitToSequence"
Assessment:
- No public exact duplicate was found for
SplitToSequencescalarsplit=0SIGFPE.
Verdict
Not an exact duplicate based on public Huntr/GitHub checks.
Duplicate risk is still medium-high because ONNX has a crowded Huntr page and one pending Conv/Pool divide-by-zero shape-inference report. Submit only with precise root-cause distinction:
- Operator:
SplitToSequence - Input: scalar
splitinitializer with value0 - Source:
onnx/defs/sequence/utils.cc - Crash: native
SIGFPEatsplitDimValue % splitSizes[0]