Description
Fuzzing Crash Report
Analysis
Crash Location: fuzz/fuzz_targets/array_ops.rs:33:assert_search_sorted
Error Message:
```
Other error: Expected to find 62965u16 at Found(171) in root: vortex.runend(u16?, len=244) nbytes=87 B (100.00%) [all_valid]
  metadata: RunEndMetadata { ends_ptype: U8, num_runs: 29, offset: 0 }
  ends: vortex.primitive(u8, len=29) nbytes=29 B (33.33%) [nulls=0, min=15u8, max=244u8, strict]
    metadata: EmptyMetadata
    buffer: values host 29 B (align=1) (100.00%)
  values: vortex.primitive(u16?, len=29) nbytes=58 B (66.67%) [nulls=0, min=6939u16, max=65535u16]
    metadata: EmptyMetadata
    buffer: values host 58 B (align=2) (100.00%)
from left but instead found it at Found(162) in step 2
```
Stack Trace
```
stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: panic_display<vortex_error::VortexError>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
   3: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/array_ops.rs:33:19
   4: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
   5: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
   6: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
   7: __rust_try
   8: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
   9: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
  10: test_input_wrap
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
  11: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
  12: _ZN6fuzzer6Fuzzer6RunOneEPKhmbPNS_9InputInfoEbPb
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:516:7
  13: _ZN6fuzzer6Fuzzer25ReadAndExecuteSeedCorporaERSt6vectorINS_9SizedFileESaIS2_EE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:834:7
  14: _ZN6fuzzer6Fuzzer4LoopERSt6vectorINS_9SizedFileESaIS2_EE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:872:3
  15: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:923:6
  16: main
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
  17: <unknown>
  18: __libc_start_main
  19: _start
```
Root Cause Analysis
The crash is a correctness bug in the SearchSorted implementation for RunEnd-encoded arrays. After applying a Mask filter and FillNull on a chunked u16 array (producing a RunEnd-encoded result with 29 runs over 244 elements), searching for value 62965u16 from the left returns Found(171) but a verification step finds the value at index Found(162), indicating the search result is inconsistent. The root cause is likely that the RunEnd encoding's search_sorted logic incorrectly translates between run-level indices and element-level indices, or fails to account for the offset/run-end boundaries when mapping a found position in the values array back to the corresponding position in the expanded array. The fix should be in the RunEnd encoding's SearchSorted implementation, ensuring correct index translation from the compressed runs to the logical element positions.
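The run-to-element index translation the analysis points at, as an added illustration that is not vortex's code: a hypothetical minimal run-end array with `ends`, `values` and `offset`, a left-biased sorted search that maps the matching run's physical start back to a logical position (clamping for a slice `offset` and for runs beyond the slice), and a brute-force oracle of the kind the fuzz target's second step uses to cross-check it. All type and function names, and the sample array in the comments, are assumptions constructed here.

```rust
/// Outcome of a left-biased sorted search; mirrors the Found/NotFound pair in the report.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum SearchResult { Found(usize), NotFound(usize) }
/// Hypothetical minimal run-end encoding (not vortex's own types): `ends[r]` is the exclusive
/// physical end of run `r`, `values[r]` its value, `offset` the physical position of logical 0.
pub struct RunEnd {
    pub ends: Vec<usize>,
    pub values: Vec<u16>,
    pub offset: usize,
    pub len: usize,
}

impl RunEnd {
    /// Physical start of run `r`: the previous run's end, or 0 for the first run.
    fn run_start(&self, r: usize) -> usize {
        if r == 0 { 0 } else { self.ends[r - 1] }
    }

    /// Binary-search the run values, then translate the run's physical start into a
    /// logical index: subtract `offset` (clamped at 0, since the run may begin before
    /// the slice) and answer NotFound(len) when the run lies entirely past the slice.
    pub fn search_sorted_left(&self, target: u16) -> SearchResult {
        let r = self.values.partition_point(|&v| v < target);
        if r == self.values.len() {
            return SearchResult::NotFound(self.len);
        }
        let start = self.run_start(r);
        if start >= self.offset + self.len {
            return SearchResult::NotFound(self.len);
        }
        let logical = start.saturating_sub(self.offset);
        if self.values[r] == target { SearchResult::Found(logical) } else { SearchResult::NotFound(logical) }
    }

    /// Brute-force oracle, like the fuzz target's verification step: expand every run,
    /// slice out the logical window and scan it element by element.
    pub fn search_sorted_left_oracle(&self, target: u16) -> SearchResult {
        let mut expanded: Vec<u16> = Vec::new();
        for (r, &v) in self.values.iter().enumerate() {
            expanded.extend(std::iter::repeat(v).take(self.ends[r] - self.run_start(r)));
        }
        let logical = &expanded[self.offset..self.offset + self.len];
        match logical.iter().position(|&v| v >= target) {
            Some(i) if logical[i] == target => SearchResult::Found(i),
            Some(i) => SearchResult::NotFound(i),
            None => SearchResult::NotFound(self.len),
        }
    }
}
```

Running both functions over every distinct value in the array, plus values between runs and past both ends, is the cheapest regression check for this class of bug: any disagreement between the fast path and the oracle is exactly the inconsistency the report shows.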
Summary
- Target: array_ops
- Crash File: crash-39852ca4462497e3b10749f2e7ad9699f0831d29
- Branch: ct/fuzzer-report-template
- Commit: 09dfb09
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/22959766498/artifacts/5873413353
Reproduction
- Download the crash artifact:
  - Direct download: https://github.com/vortex-data/vortex/actions/runs/22959766498/artifacts/5873413353
  - Extract the zip file (`unzip`)
  - The path should look like `/path/to/array_ops/crash-39852ca4462497e3b10749f2e7ad9699f0831d29`
  - You can create a `./fuzz/artifacts` directory that will be git-ignored in the `vortex` repo
  - Full path would be `./fuzz/artifacts/array_ops/crash-39852ca4462497e3b10749f2e7ad9699f0831d29`
- Reproduce locally:
  ```
  cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
  ```
- Get a backtrace:
  ```
  RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
  RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
  ```

Workflow Example
Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root, you can follow these steps:
```
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts
# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
```
You can now reproduce with:
```
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-39852ca4462497e3b10749f2e7ad9699f0831d29 -- -rss_limit_mb=0
```
If you want a backtrace:
```
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-39852ca4462497e3b10749f2e7ad9699f0831d29 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-39852ca4462497e3b10749f2e7ad9699f0831d29 -- -rss_limit_mb=0
```
Auto-created by fuzzing workflow