Fuzzing Crash: VortexError in array_ops

[github-actions]

Fuzzing Crash Report

Analysis

Crash Location: vortex-array/src/arrays/struct_/compute/rules.rs:65:reduce_parent

Error Message:

min_max operation should succeed in fuzz test:
  Other error: Cannot add non-nullable field '\u{5}\u{5}\u{5}\u{5}' during struct cast

Stack Trace

stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: panic_display<vortex_error::VortexError>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
   3: {closure#1}<core::option::Option<vortex_array::compute::min_max::MinMaxResult>, vortex_error::VortexError>
             at ./vortex-error/src/lib.rs:500:9
   4: unwrap_or_else<core::option::Option<vortex_array::compute::min_max::MinMaxResult>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<core::option::Option<vortex_array::compute::min_max::MinMaxResult>, vortex_error::VortexError>>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
   5: vortex_expect<core::option::Option<vortex_array::compute::min_max::MinMaxResult>, vortex_error::VortexError>
             at ./vortex-error/src/lib.rs:340:14
   6: run_fuzz_action
             at ./fuzz/src/array/mod.rs:649:22
   7: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/array_ops.rs:30:11
   8: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
   9: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
  10: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
  11: __rust_try
  12: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
  13: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
  14: test_input_wrap
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
  15: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
  16: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
  17: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
  18: main
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
  19: <unknown>
  20: __libc_start_main
   ... (1 more frames truncated)

Root Cause Analysis

The crash is a VortexError at vortex-array/src/arrays/struct_/compute/rules.rs:65 in the StructCastPushDownRule, where a struct cast attempts to add a field that does not exist in the source struct but is marked as non-nullable in the target schema. The root cause is that the optimizer's cast push-down path for structs correctly rejects creating a null-filled column for a non-nullable target field, but the upstream min_max fuzz operation does not gracefully handle this error, instead panicking via vortex_expect. The fix should either ensure the fuzzer generates only valid (nullable) fields for schema-evolution casts, or make the min_max fuzz action treat cast errors as non-fatal rather than panicking.

Summary

• Target: array_ops
• Crash File: crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4
• Branch: develop
• Commit: 5509cee
• Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23059817676/artifacts/5915226173

Reproduce

cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4 -- -rss_limit_mb=0

First-time setup: download and extract the crash artifact

1. Download the crash artifact:

   • Direct download: https://github.com/vortex-data/vortex/actions/runs/23059817676/artifacts/5915226173
   • Extract the zip file (unzip)
     • The path should look like /path/to/array_ops/crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4
     • You can create a ./fuzz/artifacts directory that will be git-ignored in the vortex repo
     • Full path would be ./fuzz/artifacts/array_ops/crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4

2. Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip

3. Get a backtrace:

RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4 -- -rss_limit_mb=0

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-c546105eb9c693a301f9a33ea1c2e92cf79122f4 -- -rss_limit_mb=0

---

Auto-created by fuzzing workflow

[connortsui20]

The crash comes from a very strange cast:

StructCastPushDownRule: casting struct with dtype
Struct(StructFields { names: FieldNames([]), dtypes: [] }, Nullable)
to
Primitive(U16, NonNullable)

I dont think this makes any sense at all, will have to look next week on why this is even happening in the first place.

I made the error message a bit more descriptive, but it has nothing to do with the condition it is ensuring:

vortex-array/src/arrays/struct_/compute/rules.rs

for (target_name, target_dtype) in target_fields.names().iter().zip(target_fields.fields())
{
    match array.unmasked_field_by_name(target_name).ok() {
        Some(field) => {
            new_fields.push(field.cast(target_dtype)?);
        }
        None => {
            // Not found - create NULL array (schema evolution)
            vortex_ensure!(
                target_dtype.is_nullable(),
                "StructCastPushDownRule: could not find field '{target_name}' in the \
                    struct with dtype {}, which we want to cast to type {target_dtype}",
                array.dtype(),
            );
            new_fields.push(
                ConstantArray::new(crate::scalar::Scalar::null(target_dtype), array.len())
                    .into_array(),
            );
        }
    }
}

Output:

Other error: StructCastPushDownRule: could not find field '\u{5}\u{5}\u{5}\u{5}' in the struct with dtype {}?, which we want to cast to type u16

This is related to #6090