Fuzzing Crash Report
Analysis
Crash Location: vortex-array/src/scalar_fn/fns/cast/mod.rs:120:execute
Error Message:
Compact compress should succeed in fuzz test:
Other error: No CastKernel to cast canonical array vortex.fixed_size_list from fixed_size_list(decimal(30,-22)?)[2]? to decimal(29,-11)?
Stack Trace
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
2: panic_display<vortex_error::VortexError>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
3: {closure#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:500:9
4: unwrap_or_else<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
5: vortex_expect<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:340:14
6: compress_array
at ./fuzz/src/array/mod.rs:546:14
7: run_fuzz_action
at ./fuzz/src/array/mod.rs:582:33
8: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/array_ops.rs:30:11
9: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
10: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
11: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
12: __rust_try
13: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
14: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
15: test_input_wrap
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
16: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
17: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
18: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
19: main
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
... (3 more frames truncated)
Root Cause Analysis
The crash is a panic in the fuzz test at vortex-array/src/scalar_fn/fns/cast/mod.rs:120, triggered when attempting to cast a fixed_size_list containing decimals (decimal(30,-22)) to a different decimal type (decimal(29,-11)). The root cause is a missing CastKernel implementation: there is no registered kernel to handle casting from a canonical fixed_size_list array with decimal element type to a plain decimal type, which is an unsupported type coercion that the fuzzer discovered. The fix should either register a CastKernel that can unwrap/flatten a single-element fixed_size_list of decimals into the target decimal type, or the compress/cast path should gracefully handle this case by returning an error instead of panicking via vortex_expect.
Summary
Reproduce
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-78c14eb7185a89efc413c4f98c457c401f404aea -- -rss_limit_mb=0
First-time setup: download and extract the crash artifact
Download the crash artifact:
Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
- Get a backtrace:
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-78c14eb7185a89efc413c4f98c457c401f404aea -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-78c14eb7185a89efc413c4f98c457c401f404aea -- -rss_limit_mb=0
Auto-created by fuzzing workflow