Fuzzing Crash: unknown in file_io

[github-actions]

Fuzzing Crash Report

Analysis

Crash Location: vortex-array/src/scalar_fn/fns/binary/compare.rs:161:arrow_compare_arrays

Error Message:

lhs data_type: Struct("x0UUxUU.\u{6}-\0\u{10}\0\u{8}\u{1}\u{1}\0\u{c}\0vxUU.0xt\0-": non-null Binary, "": non-null BinaryView), rhs data_type: Struct("x0UUxUU.\u{6}-\0\u{10}\0\u{8}\u{1}\u{1}\0\u{c}\0vxUU.0xt\0-": non-null BinaryView, "": non-null BinaryView)

Stack Trace

stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: arrow_compare_arrays
             at ./vortex-array/src/scalar_fn/fns/binary/compare.rs:161:9
   3: execute_compare
             at ./vortex-array/src/scalar_fn/fns/binary/compare.rs:140:5
   4: execute
   5: execute<vortex_array::scalar_fn::fns::binary::Binary>
             at ./vortex-array/src/scalar_fn/typed.rs:149:22
   6: execute
             at ./vortex-array/src/scalar_fn/erased.rs:149:16
   7: execute
             at ./vortex-array/src/arrays/scalar_fn/vtable/mod.rs:152:14
   8: execute_unchecked<vortex_array::arrays::scalar_fn::vtable::ScalarFn>
             at ./vortex-array/src/array/mod.rs:474:9
   9: execute_encoding_unchecked
             at ./vortex-array/src/array/erased.rs:624:33
  10: execute_until<vortex_array::canonical::AnyCanonical>
             at ./vortex-array/src/executor.rs:231:40
  11: execute
             at ./vortex-array/src/canonical.rs:545:28
  12: execute<vortex_array::canonical::Canonical>
             at ./vortex-array/src/executor.rs:82:9
  13: append_to_builder<vortex_array::arrays::scalar_fn::vtable::ScalarFn>
             at ./vortex-array/src/array/vtable/mod.rs:152:14
  14: append_to_builder<vortex_array::arrays::scalar_fn::vtable::ScalarFn>
             at ./vortex-array/src/array/mod.rs:264:9
  15: append_to_builder
             at ./vortex-array/src/array/erased.rs:385:21
  16: append_to_builder
             at ./vortex-array/src/arrays/chunked/vtable/mod.rs:229:19
  17: append_to_builder<vortex_array::arrays::chunked::vtable::Chunked>
             at ./vortex-array/src/array/mod.rs:264:9
  18: append_to_builder
             at ./vortex-array/src/array/erased.rs:385:21
  19: execute_until<vortex_array::canonical::AnyCanonical>
             at ./vortex-array/src/executor.rs:266:27
   ... (119 more frames truncated)

Root Cause Analysis

The crash is a panic in arrow_compare_arrays (compare.rs:161) where an assertion requires that the left and right Arrow arrays have equal data types after conversion, but they diverge: both are Struct types with the same field names, yet the first field's type differs (Binary vs BinaryView). This happens because the Vortex-to-Arrow conversion (execute_arrow) for nested/struct types does not canonicalize binary field types consistently — when two Vortex arrays with the same logical DType are independently converted to Arrow, one field may be emitted as Binary while the other as BinaryView, depending on the underlying encoding. The fix should ensure that the Arrow export path for struct arrays canonicalizes child field types consistently, or that arrow_compare_arrays coerces mismatched but compatible Arrow types (e.g., Binary vs BinaryView) before comparing, rather than asserting strict equality.

Summary

• Target: file_io
• Crash File: crash-3ce00e1cbfa6855d3f20b3f6db94683438197879
• Branch: develop
• Commit: d71d3d3
• Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/25947674888/artifacts/7030285049

Reproduce

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-3ce00e1cbfa6855d3f20b3f6db94683438197879 -- -rss_limit_mb=0

Reproduction Steps

1. Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/25947674888/artifacts/7030285049

2. Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts

# Move the zipfile.
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/

# Unzip the zipfile.
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/

# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/file_io-crash-artifacts.zip

3. Reproduce the crash:

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-3ce00e1cbfa6855d3f20b3f6db94683438197879 -- -rss_limit_mb=0

If you want a backtrace:

RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-3ce00e1cbfa6855d3f20b3f6db94683438197879 -- -rss_limit_mb=0

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-3ce00e1cbfa6855d3f20b3f6db94683438197879 -- -rss_limit_mb=0

Single command to get a backtrace

mkdir -p ./fuzz/artifacts
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/file_io-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-3ce00e1cbfa6855d3f20b3f6db94683438197879 -- -rss_limit_mb=0

---

Auto-created by fuzzing workflow

[github-actions]

Seen 22 times

[joseph-isaacs]

@claude try and fix this

[vortex-claude]

Claude finished @joseph-isaacs's task in 4m 0s —— View job • claude/issue-7957-20260519-1039 • Create PR ➔

---

Fixing Fuzzing Crash: Binary vs BinaryView mismatch in arrow_compare_arrays

Todo

• Gather context: read crash site and related code
• Understand root cause in detail
• Implement fix
• Run tests (cargo commands require approval — CI will verify)
• Commit and push

Root cause

In arrow_compare_arrays (compare.rs:156–168), when both sides are nested types (e.g. structs), they were converted to Arrow independently with target = None. This lets each array pick its own "nearest" Arrow physical type:

• A VarBinArray (offset-based) child emits Binary
• A VarBinViewArray (view-based) child emits BinaryView

Both represent the same logical DType::Binary, but the assert! at line 161 required exact Arrow type equality — causing a panic from the fuzzer.

Fix

File changed: vortex-array/src/scalar_fn/fns/binary/compare.rs

Mirror the non-nested fast path: convert lhs first (with target = None), then pass its resulting Arrow DataType as a target Field when converting rhs. This ensures both sides produce matching Arrow types regardless of underlying encoding.

// Before (panics when encodings differ):
let rhs = session.arrow().execute_arrow(right.clone(), None, ctx)?;
let lhs = session.arrow().execute_arrow(left.clone(), None, ctx)?;
assert!(lhs.data_type().equals_datatype(rhs.data_type()), ...);

// After (rhs matches lhs type):
let lhs = session.arrow().execute_arrow(left.clone(), None, ctx)?;
let target_field = Field::new("", lhs.data_type().clone(), right.dtype().is_nullable());
let rhs = session.arrow().execute_arrow(right.clone(), Some(&target_field), ctx)?;

Also added a regression test struct_compare_mixed_binary_encodings that directly reproduces the fuzz crash pattern (struct with VarBinArray on LHS, VarBinViewArray on RHS).

|