Fuzzing Crash Report
Analysis
Crash Location: fuzz/fuzz_targets/file_io.rs:95:__libfuzzer_sys_run

Error Message:

```text
assertion `left == right` failed: Length was not preserved expected 235 actual 259.
  left: 235
 right: 259
```
Stack Trace

```text
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: core::panicking::assert_failed_inner
   3: core::panicking::assert_failed::<usize, usize>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:394:5
   4: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/file_io.rs:95:5
   5: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
   6: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
   7: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
   8: __rust_try
   9: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
  10: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
  11: test_input_wrap
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
  12: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
  13: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
  14: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
  15: main
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
  16: <unknown>
  17: __libc_start_main
  18: _start
```
Root Cause Analysis
The crash is an assertion failure in the file_io fuzz target (fuzz/fuzz_targets/file_io.rs:95): the array length after a write-read roundtrip (259) does not match the length expected after filtering and projection (235). This indicates a bug in the Vortex file write or read path in which the row count is not preserved across serialization/deserialization, likely triggered by a specific combination of compression strategy, filter expression, and array data that makes the file reader return more rows than were written. Investigation should start in the file scan/read pipeline (particularly the filter-pushdown and layout-reading logic in vortex-file) to find where the row count diverges from the written data, especially when filters or projections are applied during scanning.
Summary

- Target: file_io
- Crash File: crash-05a400183e6adfe49fd59e11260f41218a0d4cee
- Branch: develop
- Commit: 18359a8
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23367544656/artifacts/6035836052
Reproduce

```shell
cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-05a400183e6adfe49fd59e11260f41218a0d4cee -- -rss_limit_mb=0
```

Reproduction Steps

- Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23367544656/artifacts/6035836052
- Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

  ```shell
  # Create the artifacts directory if you haven't already.
  mkdir -p ./fuzz/artifacts
  # Move the zipfile.
  mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/
  # Unzip the zipfile.
  unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/
  # You can remove the zipfile now if you want to.
  rm ./fuzz/artifacts/file_io-crash-artifacts.zip
  ```

- Reproduce the crash:

  ```shell
  cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-05a400183e6adfe49fd59e11260f41218a0d4cee -- -rss_limit_mb=0
  ```

  If you want a backtrace:

  ```shell
  RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-05a400183e6adfe49fd59e11260f41218a0d4cee -- -rss_limit_mb=0
  RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-05a400183e6adfe49fd59e11260f41218a0d4cee -- -rss_limit_mb=0
  ```

Single command to get a backtrace

```shell
mkdir -p ./fuzz/artifacts
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/file_io-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-05a400183e6adfe49fd59e11260f41218a0d4cee -- -rss_limit_mb=0
```

Auto-created by fuzzing workflow