Fuzzing Crash: VortexError in array_ops #7227
Description
Fuzzing Crash Report
Analysis
Crash Location: vortex-compressor/src/builtins/dict/float.rs:24:dictionary_encode
Error Message:
Assertion failed error: this must be present since `DictScheme` declared that we need distinct values
Stack Trace
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
2: panic_display<vortex_error::VortexError>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
3: {closure#0}<&vortex_compressor::stats::float::DistinctInfo<f32>>
at ./vortex-error/src/lib.rs:500:9
4: unwrap_or_else<&vortex_compressor::stats::float::DistinctInfo<f32>, vortex_error::{impl#12}::vortex_expect::{closure_env#0}<&vortex_compressor::stats::float::DistinctInfo<f32>>>
at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/option.rs:1067:21
5: vortex_expect<&vortex_compressor::stats::float::DistinctInfo<f32>>
at ./vortex-error/src/lib.rs:349:14
6: dictionary_encode
at ./vortex-compressor/src/builtins/dict/float.rs:24:42
7: compress
at ./vortex-compressor/src/builtins/dict/mod.rs:202:20
8: estimate_compression_ratio_with_sampling<vortex_compressor::builtins::dict::FloatDictScheme>
at ./vortex-compressor/src/scheme.rs:280:10
9: expected_compression_ratio
at ./vortex-compressor/src/builtins/dict/mod.rs:188:20
10: choose_scheme
at ./vortex-compressor/src/compressor.rs:336:32
11: choose_and_compress
at ./vortex-compressor/src/compressor.rs:305:36
12: compress_canonical
at ./vortex-compressor/src/compressor.rs:177:22
13: compress
at ./vortex-compressor/src/compressor.rs:160:14
14: compress_array
at ./fuzz/src/array/mod.rs:547:14
15: run_fuzz_action
at ./fuzz/src/array/mod.rs:595:33
16: __libfuzzer_sys_run
at ./fuzz/fuzz_targets/array_ops.rs:30:11
17: rust_fuzzer_test_input
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
18: {closure#0}
at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
19: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
... (19 more frames truncated)
Root Cause Analysis
The crash is a VortexError assertion failure in vortex-compressor/src/builtins/dict/float.rs:24, where dictionary_encode expects pre-computed distinct values to be present on the float stats but finds None. This happens because estimate_compression_ratio_with_sampling creates a sampled sub-array with fresh ArrayAndStats (line 276 of scheme.rs), and when it calls compress on that sample, the sample's stats have not had distinct values computed yet despite the original array having them. The fix should ensure that distinct values are recomputed for the sampled array before dictionary_encode is called, or that dictionary_encode gracefully handles the case where distinct values are missing by returning an error instead of panicking.
Summary
- Target: array_ops
- Crash File: crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780
- Branch: develop
- Commit: df84cee
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/23812682680/artifacts/6206809857
Reproduce
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780 -- -rss_limit_mb=0
Reproduction Steps
- Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/23812682680/artifacts/6206809857
- Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:
# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts
# Move the zipfile.
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
# Unzip the zipfile.
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
- Reproduce the crash:
cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780 -- -rss_limit_mb=0
If you want a backtrace:
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780 -- -rss_limit_mb=0
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780 -- -rss_limit_mb=0
Single command to get a backtrace
mkdir -p ./fuzz/artifacts
mv ~/Downloads/array_ops-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/array_ops-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/array_ops-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none array_ops ./fuzz/artifacts/array_ops/crash-fa34ba7b3b4eb4a74bd64261a83f928b4a5fa780 -- -rss_limit_mb=0
Auto-created by fuzzing workflow