Description
Fuzzing Crash Report
Analysis
Crash Location: vortex-array/src/arrays/decimal/compute/cast.rs:41:cast
Error Message:
Compact compress should succeed in fuzz test:
Other error: Casting decimal with scale -59 to scale -2 not yet implemented
Stack Trace
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
2: panic_display<vortex_error::VortexError>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
3: {closure#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:500:9
4: unwrap_or_else<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
5: vortex_expect<alloc::sync::Arc<dyn vortex_array::array::DynArray, alloc::alloc::Global>, vortex_error::VortexError>
at ./vortex-error/src/lib.rs:340:14
6: compress_array
at ./fuzz/src/array/mod.rs:546:14
7: run_fuzz_action
at ./fuzz/src/array/mod.rs:582:33
8: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/array_ops.rs:30:11
9: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
10: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
11: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
12: __rust_try
13: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
14: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
15: test_input_wrap
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
16: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
17: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
18: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
19: main
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
... (3 more frames truncated)
Root Cause Analysis
The crash is a panic in vortex-array/src/arrays/decimal/compute/cast.rs:41 triggered during fuzz testing when attempting to cast a decimal value with scale -59 to scale -2. The decimal cast implementation does not handle the case where the source scale is a large negative number differing from the target scale, hitting an unimplemented code path that returns a VortexError, which then causes a panic via vortex_expect during compress_array. The fix should extend the decimal cast logic at cast.rs:41 to support casting between arbitrary negative scales (likely by computing the scale difference and applying the appropriate multiplication or division), or alternatively validate and reject unsupported scale combinations earlier in the pipeline before reaching the cast operation.
Summary
- Target: array_ops
- Crash File: crash-45ea95123b0508afea276b48119bac1bfcbbcbf4
- Branch: develop
- Commit: 91e4e3f
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23163830098/artifacts/5952699831
Reproduce
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-45ea95123b0508afea276b48119bac1bfcbbcbf4 -- -rss_limit_mb=0
Reproduction Steps
- Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23163830098/artifacts/5952699831
- Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts
# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
- Reproduce the crash:
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-45ea95123b0508afea276b48119bac1bfcbbcbf4 -- -rss_limit_mb=0
If you want a backtrace:
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-45ea95123b0508afea276b48119bac1bfcbbcbf4 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-45ea95123b0508afea276b48119bac1bfcbbcbf4 -- -rss_limit_mb=0
Single command to get a backtrace
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-45ea95123b0508afea276b48119bac1bfcbbcbf4 -- -rss_limit_mb=0
Auto-created by fuzzing workflow
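The Root Cause Analysis suggests computing the scale difference and multiplying or dividing by the matching power of ten. The sketch below is an added example, not Vortex code and not part of the original report; it assumes `i128` unscaled values and `i8` scales, and the names `rescale`, `rescale_all` and `RescaleError` are hypothetical. It returns an error instead of panicking, which matters for the reported case: scale -59 to -2 needs a factor of 10^57, which no non-zero `i128` value survives.

```rust
// Added example: not Vortex code. All names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum RescaleError {
    /// The rescaled value does not fit in i128.
    Overflow,
    /// Lowering the scale would drop non-zero digits.
    Inexact,
}

/// A decimal's value is `unscaled * 10^(-scale)`. Keep the value, change the scale.
pub fn rescale(unscaled: i128, from: i8, to: i8) -> Result<i128, RescaleError> {
    // Widen before subtracting: i8 - i8 can itself overflow i8.
    let diff = i32::from(to) - i32::from(from);
    if diff == 0 || unscaled == 0 {
        return Ok(unscaled); // zero is representable at every scale
    }
    // 10^|diff| stops fitting in i128 at 10^39; checked_pow yields None there.
    let factor = 10i128.checked_pow(diff.unsigned_abs());
    if diff > 0 {
        // Raising the scale multiplies the unscaled value.
        factor
            .and_then(|f| unscaled.checked_mul(f))
            .ok_or(RescaleError::Overflow)
    } else {
        // Lowering the scale divides; accept only exact division.
        match factor {
            Some(f) if unscaled % f == 0 => Ok(unscaled / f),
            // Non-zero remainder, or a divisor larger than any i128.
            _ => Err(RescaleError::Inexact),
        }
    }
}

/// Rescale a whole column, stopping at the first value that cannot be cast.
pub fn rescale_all(values: &[i128], from: i8, to: i8) -> Result<Vec<i128>, RescaleError> {
    values.iter().map(|&v| rescale(v, from, to)).collect()
}

fn main() {
    // Constructed inputs; the first two use the scales from the crash report.
    println!("{:?}", rescale(7, -59, -2)); // needs 7 * 10^57
    println!("{:?}", rescale(0, -59, -2));
    println!("{:?}", rescale(12, -4, -2)); // 12 * 10^4 == 1200 * 10^2
    println!("{:?}", rescale(1250, -2, -4)); // 125000 is not a multiple of 10^4
}
```

A caller such as a compressor can treat either error as "this cast is not applicable" and fall back, rather than unwrapping the result.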