ScriptKidd

Reputation: 851

Why does this command crash cmd?

I came across a mind-blowing weird script that crashes the console:

set "h=/?" & call [if | for | rem] %%h%%

@jeb pointed out CALL doesn't execute the following special characters, but instead convert them into a "token" (version dependent):

However, even though they have unique parsers, it still doesn't explain why they all crash. So I did some testing:

  • Remove call
    C:\>set "h=/?" & for %h%
    %%h%% was unexpected at this time.
  • Change the command to something else. (I tried all other internal commands, none works)
  • Separate two commands:
    C:\>set "h=/?"
    C:\>call for %%h%%
    --FOR help message--
  • Add @
    C:\>set "h=/?" & call for @%%h%%
    CRASH!!!
  • Surround the scriptblock by ()
    C:\>set "h=/?" & call for (%%h%%)
    CRASH!!!

Summary of question:

Upvotes: 5

Views: 1113

Answers (2)

ScriptKidd

Reputation: 851

Summary of Research:

Calling linefeeds \n or FOR, IF & REM's help function crashes cmd, exiting with ERRORLEVEL -1073741819 aka 0xC0000005, which indicates an access violation error.

First, the cmd parser tries to start werfault to terminate the process.

If you prematurely terminate werfault, an error message will appear!

Access violation error:
The instruction at 0x00007FF7F18E937B referenced memory at 0x0000000000000070. The memory could not be read.

It is conjectured that if, for and rem use special parsers, but when the help function is triggered by call, a non-command token is returned, which crashes the cmd parser.

Sources:

  1. Why I can't CALL "IF" and "FOR" neither in batch nor in the cmd?
  2. CALL me, or better avoid call
  3. Limit CMD processing to internal commands, safer and faster?

Upvotes: 1
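A small batch harness, added here as an example and not part of either post, that runs the question's trigger in a child cmd.exe and reports whether the child died with the access-violation exit code this answer names (0xC0000005, which cmd.exe shows as the signed value -1073741819). The exit-code value comes from the answer; the way the trigger is nested inside `cmd /c "..."` and the `%%h%%` escaping needed inside a batch file are my assumptions.

```batch
@echo off
setlocal

rem Added example, not code from the original question or answers.
rem Run the trigger from the question in a child cmd.exe so that a crash
rem there does not take down this console. Inside a batch file %% collapses
rem to a single %, so the child receives: set "h=/?" & call for %h%
cmd /c "set "h=/?" & call for %%h%%"
set "rc=%errorlevel%"

rem -1073741819 is NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION) as a signed int.
if "%rc%"=="-1073741819" (
    echo child cmd.exe crashed with STATUS_ACCESS_VIOLATION ^(0xC0000005^)
) else (
    echo child cmd.exe exited with code %rc%
)

endlocal
```

Checking `%errorlevel%` against the signed form of the NTSTATUS is the practical way to tell a parser crash apart from an ordinary non-zero exit when a script wraps untrusted command strings; if werfault.exe is left running it will also show the crash dialog the answer describes.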

jeb

Reputation: 82400

The CALL is necessary to start a second round of the parser.

But there is a small bug (or more): in that phase it's not possible to execute any of the special commands or to use &, |, &&, ||, redirection or command blocks.

The cause seems to be that the parser internally builds a token graph, replacing the special things with some kind of token values.
But with CALL the executer doesn't know anymore how to handle them.

This code tries to execute a batch file, named 3.bat !!!
(The name can be different, depending on the Windows version)

set "cmd=(a) & (b)"
call %%cmd%%

But in your sample, the help function is triggered on a non executable token.
That seems to be the final death trigger for the executer to be completely out of sanity.

Upvotes: 2
