Description
Fuzzing Crash Report
Analysis
Crash Location: fuzz/fuzz_targets/array_ops.rs:33:assert_array_eq

Error Message:

```
Other error: Mismatch at step 0 at index 402
Expected scalar:
4294967295u32
Actual scalar:
4248380709u32
Expected tree:
root: vortex.chunked(u32?, len=688) nbytes=2.85 kB (100.00%)
  metadata: EmptyMetadata
  chunk_offsets: vortex.primitive(u64, len=4) nbytes=32 B (100.00%)
    metadata: EmptyMetadata
    buffer: values host 32 B (align=8) (100.00%)
  chunks[0]: vortex.primitive(u32?, len=89) nbytes=356 B (100.00%) [all_valid]
    metadata: EmptyMetadata
    buffer: values host 356 B (align=4) (100.00%)
  chunks[1]: vortex.primitive(u32?, len=513) nbytes=2.12 kB (100.00%)
    metadata: EmptyMetadata
    buffer: values host 2.05 kB (align=4) (96.93%)
    validity: vortex.bool(bool, len=513) nbytes=65 B (3.07%) [nulls=0, min=false, max=true]
      metadata: BoolMetadata { offset: 0 }
      buffer: bits host 65 B (align=1) (100.00%)
  chunks[2]: vortex.primitive(u32?, len=86) nbytes=344 B (100.00%) [all_valid]
    metadata: EmptyMetadata
    buffer: values host 344 B (align=4) (100.00%)
```
Stack Trace

```
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: panic_display<vortex_error::VortexError>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
   3: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/array_ops.rs:33:19
   4: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
   5: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
   6: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
   7: __rust_try
   8: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
   9: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
  10: test_input_wrap
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
  11: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
  12: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
  13: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
  14: main
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
  15: <unknown>
  16: __libc_start_main
  17: _start
```
Root Cause Analysis
The crash is a data corruption bug in the array_ops fuzzer (array_ops.rs:33): a chunked u32 array returns incorrect values after some operation. At index 402, the expected value is 4294967295 (u32::MAX) but the actual value is 4248380709. The corrupted array is a ChunkedArray with three primitive u32 chunks, where the second chunk (len=513) has an explicit validity bitmap while the other two are marked all_valid. This suggests the bug occurs during an operation that processes chunks with mixed validity representations, causing values to be read from incorrect offsets or buffers. The fix should investigate how array operations (likely slice, filter, or take) handle chunked arrays where some chunks have explicit validity bitmaps and others use the all_valid shortcut, as the boundary between chunk 0 (len=89) and chunk 1 (len=513) is near index 402, where the mismatch occurs.
Summary
- Target: array_ops
- Crash File: crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86
- Branch: develop
- Commit: 18359a8
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23367544656/artifacts/6035704155
Reproduce

```
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86 -- -rss_limit_mb=0
```

Reproduction Steps

- Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23367544656/artifacts/6035704155
- Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

```
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts
# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
```

- Reproduce the crash:

```
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86 -- -rss_limit_mb=0
```

If you want a backtrace:

```
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86 -- -rss_limit_mb=0
```

Single command to get a backtrace

```
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-ef5fa8a391d92210b1ccdf2e063e8229bbc7cd86 -- -rss_limit_mb=0
```

Auto-created by fuzzing workflow