
Fuzzing Crash: unknown in array_ops #7090

@github-actions

Description


Fuzzing Crash Report

Analysis

Crash Location: /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fastlanes-0.5.0/src/rle.rs:58:rle_decompress

Error Message:

```text
unsafe precondition(s) violated: slice::get_unchecked requires that the index is within the slice
```

Stack Trace

```text
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_nounwind_fmt::runtime
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:122:22
   2: core::panicking::panic_nounwind_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/intrinsics/mod.rs:2435:9
   3: precondition_check
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/ub_checks.rs:73:21
   4: get_unchecked<half::binary16::f16>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/ub_checks.rs:78:17
   5: get_unchecked<half::binary16::f16, usize>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/slice/mod.rs:646:26
   6: decode<half::binary16::f16, u8>
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/fastlanes-0.5.0/src/rle.rs:58:42
   7: rle_decode_typed<u16, u8, u8>
             at ./encodings/fastlanes/src/rle/array/rle_decompress.rs:89:9
   8: rle_decompress
             at ./encodings/fastlanes/src/rle/array/rle_decompress.rs:33:30
   9: execute
             at ./encodings/fastlanes/src/rle/vtable/mod.rs:236:13
  10: execute<vortex_fastlanes::rle::vtable::RLE>
             at ./vortex-array/src/vtable/dyn_.rs:150:20
  11: execute_until<vortex_array::canonical::AnyCanonical>
             at ./vortex-array/src/executor.rs:145:36
  12: execute
             at ./vortex-array/src/canonical.rs:530:28
  13: execute
             at ./vortex-array/src/canonical.rs:801:30
  14: execute<vortex_array::arrays::primitive::array::PrimitiveArray>
             at ./vortex-array/src/executor.rs:54:9
  15: execute
             at ./encodings/zigzag/src/array.rs:154:51
  16: execute<vortex_zigzag::array::ZigZag>
             at ./vortex-array/src/vtable/dyn_.rs:150:20
  17: execute_until<vortex_array::canonical::AnyCanonical>
             at ./vortex-array/src/executor.rs:145:36
  18: execute
             at ./vortex-array/src/canonical.rs:530:28
  19: execute<vortex_array::canonical::Canonical>
   ... (35 more frames truncated)
```

Root Cause Analysis

The crash is an out-of-bounds access inside the fastlanes RLE decode function (fastlanes-0.5.0/src/rle.rs:58), where get_unchecked is called with an index beyond the slice length. This occurs during rle_decompress in encodings/fastlanes/src/rle/array/rle_decompress.rs, where chunk_values is sliced as values[value_idx_offset..] but the fastlanes decode kernel accesses indices beyond the available values. The root cause is that the values array provided to the RLE decoder does not contain enough elements to satisfy all the index lookups within a chunk, likely due to a malformed or fuzzed RLEArray where the values_idx_offsets or values count is inconsistent with the indices. The fix should validate that chunk_values has sufficient length for the maximum index value in chunk_indices before calling V::decode, returning an error instead of allowing the unchecked access to go out of bounds.
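The validation the root-cause analysis asks for, as an added example that is not Vortex's or fastlanes's code. It assumes the layout the analysis describes, where each chunk decodes as `out[i] = chunk_values[chunk_indices[i]]` and `chunk_values` is `values[value_idx_offset..]`; the names `rle_decode_checked`, `decode_chunk` and `RleError`, and the sample input, are hypothetical. The maximum index in a chunk is checked once against the remaining values before the kernel runs, so a malformed array produces an error instead of an out-of-bounds read.

```rust
// Added example, not code from Vortex or fastlanes: a checked RLE chunk decoder.
// Layout assumed from the root-cause analysis: each chunk decodes as
// out[i] = chunk_values[chunk_indices[i]], where chunk_values = values[value_idx_offset..].

#[derive(Debug, PartialEq)]
pub enum RleError {
    /// A chunk's value-index offset lies past the end of the values array.
    OffsetOutOfBounds { chunk: usize, offset: usize, values_len: usize },
    /// An index inside a chunk refers past the end of that chunk's values slice.
    IndexOutOfBounds { chunk: usize, max_index: usize, values_len: usize },
    /// One offset per chunk is required; the caller supplied a different count.
    ChunkCountMismatch { chunks: usize, offsets: usize },
}

/// Hypothetical decode kernel: the place where an unchecked kernel would index
/// blindly. Here it is only reached after `rle_decode_checked` has proven that
/// every index is in bounds, so plain indexing can never panic.
fn decode_chunk<T: Copy>(chunk_values: &[T], chunk_indices: &[u8], out: &mut Vec<T>) {
    for &idx in chunk_indices {
        out.push(chunk_values[idx as usize]);
    }
}

/// Decode every chunk, validating the values slice against the largest index in
/// the chunk before the kernel runs, and returning an error for malformed input
/// instead of an out-of-bounds access.
pub fn rle_decode_checked<T: Copy>(
    values: &[T],
    value_idx_offsets: &[usize],
    chunks: &[&[u8]],
) -> Result<Vec<T>, RleError> {
    if chunks.len() != value_idx_offsets.len() {
        return Err(RleError::ChunkCountMismatch {
            chunks: chunks.len(),
            offsets: value_idx_offsets.len(),
        });
    }
    let mut out = Vec::new();
    for (chunk, (indices, &offset)) in chunks.iter().zip(value_idx_offsets).enumerate() {
        // First hazard: the offset itself may point past the values array.
        if offset > values.len() {
            return Err(RleError::OffsetOutOfBounds { chunk, offset, values_len: values.len() });
        }
        let chunk_values = &values[offset..];
        // Second hazard (the fuzzer's finding): an index inside the chunk may exceed
        // the values remaining after the offset. Checking the maximum once covers
        // every lookup in the chunk.
        if let Some(&max) = indices.iter().max() {
            let max_index = max as usize;
            if max_index >= chunk_values.len() {
                return Err(RleError::IndexOutOfBounds {
                    chunk,
                    max_index,
                    values_len: chunk_values.len(),
                });
            }
        }
        decode_chunk(chunk_values, indices, &mut out);
    }
    Ok(out)
}

fn main() {
    // Constructed sample input, not the fuzzer's crash artifact.
    let values = [10u16, 20, 30, 40];
    let good_offsets = [0usize, 2];
    let chunks: [&[u8]; 2] = [&[0, 0, 1], &[1, 0]];
    println!("{:?}", rle_decode_checked(&values, &good_offsets, &chunks));

    // Inconsistent offsets leave chunk 1 with a single value but an index of 1.
    let bad_offsets = [0usize, 3];
    println!("{:?}", rle_decode_checked(&values, &bad_offsets, &chunks));
}
```

The check is O(n) over the indices, the same order as the decode itself, so it costs one extra pass per chunk; a kernel that relies on `get_unchecked` for speed keeps that speed once the caller has established the precondition up front.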


Reproduce

```shell
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef9d5fc3363c1dce75a1ce1314ce2bc451767422 -- -rss_limit_mb=0
```
Reproduction Steps

  1. Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23351896343/artifacts/6029805640

  2. Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

```shell
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts

# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/

# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/

# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
```

  3. Reproduce the crash:

```shell
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef9d5fc3363c1dce75a1ce1314ce2bc451767422 -- -rss_limit_mb=0
```

If you want a backtrace:

```shell
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef9d5fc3363c1dce75a1ce1314ce2bc451767422 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef9d5fc3363c1dce75a1ce1314ce2bc451767422 -- -rss_limit_mb=0
```

Single command to get a backtrace

```shell
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef9d5fc3363c1dce75a1ce1314ce2bc451767422 -- -rss_limit_mb=0
```

Auto-created by fuzzing workflow

Labels: bug (A bug issue), fuzzer (Issues detected by the fuzzer)