Fuzzing Crash: Sequential stream dtype mismatch (U8 vs U16) #5829

@github-actions

Fuzzing Crash Report

Analysis

Crash Location: vortex-layout/src/sequence.rs:313 in SequentialStreamAdapter::poll_next

Error Message:

assertion `left == right` failed: Sequential stream of u8 got chunk of u16.
  left: Primitive(U8, NonNullable)
 right: Primitive(U16, NonNullable)

Stack Trace:

#0 __rustc::rust_begin_unwind
#1 core::panicking::panic_fmt
#2 core::panicking::assert_failed_inner
#3 core::panicking::assert_failed::<&vortex_dtype::dtype::DType, &mut vortex_dtype::dtype::DType>
#4 poll_next at ./vortex-layout/src/sequence.rs:313:13
#5 poll_next (futures-core)
#6 poll_next at ./vortex-layout/src/layouts/repartition.rs
#7 poll_next (async-stream)

Root Cause:

The SequentialStreamAdapter enforces that all chunks in a sequential stream must have the same dtype. During file I/O operations with the file_io fuzzer target, the layout writing code is producing a stream where:

  1. The stream was initialized with dtype Primitive(U8, NonNullable)
  2. But received a chunk with dtype Primitive(U16, NonNullable)

This suggests an issue in one of the layout strategies (likely repartition, compressed, buffered, or dict layout based on the stack trace) where dtype consistency is not being maintained when transforming or passing arrays through the stream pipeline.

Note: The assertion error message itself has a bug - the format arguments are reversed.

Debug Output

FuzzFileAction {
    array: PrimitiveArray {
        dtype: Primitive(U8, Nullable),
        buffer: Buffer<u8> { length: 57, as_slice: [33, 34, 33, ...] },
        validity: Array(BoolArray { ... }),
    },
    projection_expr: None,
    filter_expr: None,
    compressor_strategy: Compact,
}

Summary

Reproduction

  1. Download the crash artifact:

  2. Reproduce locally:

cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0

  3. Get full backtrace:

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis
