Fuzzing Crash Report
Analysis
Crash Location: vortex-layout/src/sequence.rs:313 (in SequentialStreamAdapter::poll_next)
Error Message:
assertion `left == right` failed: Sequential stream of u8 got chunk of u16.
left: Primitive(U8, NonNullable)
right: Primitive(U16, NonNullable)
Stack Trace:
0: __rustc::rust_begin_unwind
     at /rustc/1107bbac4b303d49c3e67a2ec62710902bf4b341/library/std/src/panicking.rs:689:5
1: core::panicking::panic_fmt
     at /rustc/1107bbac4b303d49c3e67a2ec62710902bf4b341/library/core/src/panicking.rs:80:14
2: core::panicking::assert_failed_inner
3: core::panicking::assert_failed::<&vortex_dtype::dtype::DType, &mut vortex_dtype::dtype::DType>
     at /rustc/1107bbac4b303d49c3e67a2ec62710902bf4b341/library/core/src/panicking.rs:394:5
4: poll_next<core::pin::Pin<alloc::boxed::Box<(dyn futures_core::stream::Stream...)>>>
     at ./vortex-layout/src/sequence.rs:313:13
5: poll_next<alloc::boxed::Box<(dyn vortex_layout::sequence::SequentialStream...)>>
     at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/futures-core-0.3.31/src/stream.rs:130:33
6: poll_next<core::pin::Pin<alloc::boxed::Box<(dyn vortex_layout::sequence::SequentialStream...)>>, vortex_layout::layouts::repartition::{impl#4}::write_stream::{async_block#0}::{closure_env#0}>
     at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/futures-util-0.3.31/src/stream/stream/map.rs:58:47
Root Cause: The SequentialStreamAdapter has a runtime assertion (line 313) that validates all arrays flowing through a sequential stream have the same dtype as initially specified. The fuzzer discovered a case where the stream was initialized expecting Primitive(U8, NonNullable) dtype, but received a chunk with Primitive(U16, NonNullable) dtype instead.
This indicates either:
- The stream dtype is being incorrectly determined during initialization
- Arrays with mismatched dtypes are being incorrectly added to the stream during processing
- Some transformation in the pipeline is changing dtypes without updating the stream's expected dtype
The input is a PrimitiveArray with U8 dtype and Nullable nullability, suggesting the issue may be in how nullable arrays are processed or how repartitioning handles dtype preservation.
Debug Output
FuzzFileAction {
    array: PrimitiveArray {
        dtype: Primitive(
            U8,
            Nullable,
        ),
        buffer: Buffer<u8> {
            length: 57,
            alignment: Alignment(
                1,
            ),
            as_slice: [33, 34, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, ...],
        },
        validity: Array(
            BoolArray {
                dtype: Bool(
                    NonNullable,
                ),
                bits: BitBuffer {
                    buffer: Buffer<u8> {
                        length: 8,
                        alignment: Alignment(
                            1,
                        ),
                        as_slice: [169, 255, 255, 255, 39, 213, 63, 0],
                    },
                    offset: 0,
                    len: 57,
                },
                validity: NonNullable,
                stats_set: ArrayStats {
                    inner: RwLock {
                        data: StatsSet {
                            values: [],
                        },
                    },
                },
            },
        ),
        stats_set: ArrayStats {
            inner: RwLock {
                data: StatsSet {
                    values: [],
                },
            },
        },
    },
    projection_expr: None,
    filter_expr: None,
    compressor_strategy: Compact,
}
Summary
- Target: file_io
- Crash File: crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2
- Branch: $BRANCH
- Commit: $COMMIT
- Crash Artifact: $ARTIFACT_URL
Reproduction
- Download the crash artifact:
  - Direct download: $ARTIFACT_URL
  - Or find $ARTIFACT_NAME at: https://github.com/spiraldb/vortex/actions/runs/$GITHUB_RUN_ID
  - Extract the zip file
- Reproduce locally:
  # The artifact contains file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2
  cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0
- Get full backtrace:
  RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis