Description
Fuzzing Crash Report
Analysis
Crash Location: vortex-array/src/validity.rs:358:cast_nullability
Error Message:
Compact compress should succeed in fuzz test:
Invalid argument error: Cannot cast array with invalid values to non-nullable type.
Stack Trace
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
2: panic_display<vortex_error::VortexError>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
3: {closure#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:500:9
4: unwrap_or_else<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
5: vortex_expect<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:340:14
6: compress_array
at ./fuzz/src/array/mod.rs:546:14
7: run_fuzz_action
at ./fuzz/src/array/mod.rs:582:33
8: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/array_ops.rs:30:11
9: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
10: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
11: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
12: __rust_try
13: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
14: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
15: test_input_wrap
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
16: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
17: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
18: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
19: main
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
... (3 more frames truncated)
Root Cause Analysis
The crash occurs in cast_nullability at vortex-array/src/validity.rs:358, where the compact compression step attempts to cast an array containing null values to a non-nullable type, triggering an "Invalid argument error: Cannot cast array with invalid values to non-nullable type." This happens because the fuzz-generated array has nulls in its validity buffer, but the compression or casting pipeline does not properly handle or preserve nullability, leading to an invalid cast. The fix should ensure that cast_nullability (or the compress_array path in fuzz/src/array/mod.rs:546) either preserves the nullable DType when the array contains nulls, or strips nulls before attempting the non-nullable cast.
Summary
- Target: array_ops
- Crash File: crash-8db414407b2e267967ed0a06add4d41ed801f7b8
- Branch: develop
- Commit: d08c89b
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23110125904/artifacts/5931464609
Reproduce
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-8db414407b2e267967ed0a06add4d41ed801f7b8 -- -rss_limit_mb=0
First-time setup: download and extract the crash artifact
- Download the crash artifact:
  - Direct download: https://github.com/vortex-data/vortex/actions/runs/23110125904/artifacts/5931464609
  - Extract the zip file (unzip)
    - The path should look like /path/to/array_ops/crash-8db414407b2e267967ed0a06add4d41ed801f7b8
    - You can create a ./fuzz/artifacts directory that will be git-ignored in the vortex repo
    - Full path would be ./fuzz/artifacts/array_ops/crash-8db414407b2e267967ed0a06add4d41ed801f7b8
- Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
- Get a backtrace:
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-8db414407b2e267967ed0a06add4d41ed801f7b8 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-8db414407b2e267967ed0a06add4d41ed801f7b8 -- -rss_limit_mb=0
Auto-created by fuzzing workflow