Description
Fuzzing Crash Report
Analysis
Crash Location: fuzz/fuzz_targets/array_ops.rs:18 (in error formatting code)
Error Message:
panicked at /rustc/21cf7fb3ff9159b0b562431312969dd548ae8782/library/alloc/src/fmt.rs:650:14:
a formatting trait implementation returned an error when the underlying stream did not: Error
Stack Trace:
#0 __rustc::rust_begin_unwind at /rustc/.../library/std/src/panicking.rs:689:5
#1 core::panicking::panic_fmt at /rustc/.../library/core/src/panicking.rs:80:14
#2 core::result::unwrap_failed at /rustc/.../library/core/src/result.rs:1867:5
#3 <core::result::Result<(), core::fmt::Error>>::expect at /rustc/.../library/core/src/result.rs:1185:23
#4 alloc::fmt::format::format_inner at /rustc/.../library/alloc/src/fmt.rs:650:14
#5 __libfuzzer_sys_run at ./fuzz/fuzz_targets/array_ops.rs:18:13
Root Cause: The crash occurs when attempting to format a VortexError for display via vortex_panic!("{e}") at line 18 of array_ops.rs. The error's Display trait implementation fails during execution, causing a panic in the Rust standard library's formatting code.
This suggests one of the following issues:
- A cyclic error context chain (VortexError::Context wrapping itself)
- A Backtrace Display implementation failure
- Recursive formatting that exhausts resources
- A nested error type that doesn't implement Display correctly
The fuzzer input involves an ExtensionArray with date extension type undergoing a sequence of operations: SearchSorted, Mask, Compress(Compact), and FillNull. One of these operations produces an error that cannot be formatted.
Debug Output
FuzzArrayAction {
    array: ExtensionArray {
        dtype: Extension(
            ExtDType {
                id: ExtID(
                    "vortex.date",
                ),
                storage_dtype: Primitive(
                    I64,
                    Nullable,
                ),
                metadata: Some(
                    ExtMetadata(
                        [
                            2,
                        ],
                    ),
                ),
            },
        ),
        storage: PrimitiveArray {
            dtype: Primitive(
                I64,
                Nullable,
            ),
            buffer: Buffer<u8> {
                length: 24,
                alignment: Alignment(
                    8,
                ),
                as_slice: [255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, ...],
            },
            validity: AllValid,
            stats_set: ArrayStats { ... },
        },
        stats_set: ArrayStats { ... },
    },
    actions: [
        (
            SearchSorted(
                Scalar { dtype: Extension(...), value: ScalarValue(Primitive(I64(-1))) },
                Left,
            ),
            Search(Found(0)),
        ),
        (
            Mask(Values(MaskValues { ... })),
            Array(ExtensionArray { ... }),
        ),
        (
            Compress(Compact),
            Array(ExtensionArray { ... }),
        ),
        (
            FillNull(
                Scalar {
                    dtype: Extension(ExtDType { id: "vortex.date", storage_dtype: Primitive(I64, NonNullable), ... }),
                    value: ScalarValue(Primitive(I64(72055974718144526))),
                },
            ),
            Array(ExtensionArray { ... }),
        ),
    ],
}
Note: The debug output shows successful operations, but an error occurs somewhere that triggers the formatting crash when trying to display it.
Summary
- Target: array_ops
- Crash File: crash-0d2869cb3cc3618b8345f76967f42d9ac6730add
- Branch: alpha/ext
- Commit: fc25bd6
- Crash Artifact: https://github.com/vortex-data/vortex/actions/runs//artifacts/
Reproduction
- Download the crash artifact:
  - Direct download: https://github.com/vortex-data/vortex/actions/runs//artifacts/
  - Or find fuzzer-crashes-array_ops at: https://github.com/vortex-data/vortex/actions/runs/
  - Extract the zip file
- Reproduce locally:
    # The artifact contains array_ops/crash-0d2869cb3cc3618b8345f76967f42d9ac6730add
    cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-0d2869cb3cc3618b8345f76967f42d9ac6730add -- -rss_limit_mb=0
- Get full backtrace:
    RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-0d2869cb3cc3618b8345f76967f42d9ac6730add -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis