Fuzzing Crash Report
Analysis
Crash Location: vortex-array/src/scalar/validate.rs:19:validate
Error Message:
Compact compress should succeed in fuzz test:
Other error: non-nullable dtype u64 cannot hold a null value
Stack Trace
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
2: panic_display<vortex_error::VortexError>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
3: {closure#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:500:9
4: unwrap_or_else<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
5: vortex_expect<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:340:14
6: compress_array
at ./fuzz/src/array/mod.rs:546:14
7: run_fuzz_action
at ./fuzz/src/array/mod.rs:582:33
8: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/array_ops.rs:30:11
9: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
10: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
11: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
12: __rust_try
13: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
14: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
15: test_input_wrap
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
16: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
17: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
18: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
19: main
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
... (3 more frames truncated)
Root Cause Analysis
The crash is a VortexError during scalar validation at vortex-array/src/scalar/validate.rs:19, where a null value is being assigned to a non-nullable u64 dtype. The error propagates through a cast -> reduce_parent -> evaluate -> try_optimize -> optimize call chain, indicating that an optimization or reduction pass produces a null scalar result for a column with a non-nullable dtype. The root cause is likely that the cast or reduce operation does not properly handle nullability propagation — when reducing or casting arrays that may contain null values (e.g., from sparse or nullable-wrapped encodings), the result dtype remains non-nullable even though the operation can produce nulls. The fix should ensure that cast and reduce operations correctly propagate nullability into the output dtype, or that the reducer handles the case where input arrays contain nulls under a non-nullable dtype by either widening the output dtype to nullable or filtering nulls before reduction.
Summary
- Target: array_ops
- Crash File: crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed
- Branch: develop
- Commit: c870564
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23036394292/artifacts/5904898011
Reproduction
- Download the crash artifact:
  - Direct download: https://github.com/vortex-data/vortex/actions/runs/23036394292/artifacts/5904898011
  - Extract the zip file (unzip)
    - The path should look like /path/to/array_ops/crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed
    - You can create a ./fuzz/artifacts directory that will be git-ignored in the vortex repo
    - Full path would be ./fuzz/artifacts/array_ops/crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed
- Reproduce locally:
  cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
- Get a backtrace:
  RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
  RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops /path/to/crash_file -- -rss_limit_mb=0
Workflow Example
Assuming you download the zipfile to ~/Downloads, and your working directory is the repository
root, you can follow these steps:
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts
# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
You can now reproduce with:
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed -- -rss_limit_mb=0
If you want a backtrace:
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-2b2c75bde8de538226c6e9c02e8350fdc058b9ed -- -rss_limit_mb=0
Auto-created by fuzzing workflow