Fuzzing Crash: Missing cast kernel from bool to list(bool) during mask operation

[github-actions]

Fuzzing Crash Report

Analysis

Crash Location: vortex-array/src/compute/cast.rs:80 in the invoke function

Error Message:

mask operation should succeed in fuzz test:
  No compute kernel to cast array vortex.bool with dtype bool? to list(bool?)

Stack Trace:

   3: invoke
             at ./vortex-array/src/compute/cast.rs:80:13
   4: invoke
             at ./vortex-array/src/compute/mod.rs:149:34
   5: cast
             at ./vortex-array/src/compute/cast.rs:39:10
   6: cast
             at ./vortex-array/src/arrays/struct_/compute/cast.rs:53:38
   7: invoke<vortex_array::arrays::struct_::vtable::StructVTable>
             at ./vortex-array/src/compute/cast.rs:155:12
   8: invoke
             at ./vortex-array/src/compute/cast.rs:63:42
   9: invoke
             at ./vortex-array/src/compute/mod.rs:149:34
  10: cast
             at ./vortex-array/src/compute/cast.rs:39:10
  11: invoke
             at ./vortex-array/src/compute/mask.rs:116:23
  12: invoke
             at ./vortex-array/src/compute/mod.rs:149:34
  13: mask
             at ./vortex-array/src/compute/mask.rs:70:10
  14: run_fuzz_action
             at ./fuzz/src/array/mod.rs:613:33

Root Cause: The fuzzer discovered a missing cast implementation. During a mask operation on a StructArray, the code needs to cast a BoolArray field from bool? (nullable bool) to list(bool?) (list of nullable bools). However, no cast kernel exists for this conversion.

Looking at the code path:

1. Mask operation is called on a StructArray (fuzz/src/array/mod.rs:613)
2. Mask operation tries to cast the array to nullable (vortex-array/src/compute/mask.rs:116)
3. StructArray cast attempts to cast each field to the target type (vortex-array/src/arrays/struct_/compute/cast.rs:53)
4. One field needs to be cast from bool? to list(bool?), but this cast is not supported
5. The array is canonical (BoolArray), so it fails with "No compute kernel to cast" error (vortex-array/src/compute/cast.rs:80-85)

Array Structure:

• StructArray with 2 fields (both named "")
• Field 0: BoolArray with dtype bool?
• Field 1: ChunkedArray containing ListViewArrays with dtype list(bool?)
• All arrays have length 0

This reveals a type system issue where the fuzzer generated a struct with fields that require incompatible type conversions during mask operations.

Debug Output

FuzzArrayAction {
    array: StructArray {
        len: 0,
        dtype: Struct(
            StructFields {
                names: FieldNames(
                    [
                        FieldName(
                            "",
                        ),
                        FieldName(
                            "",
                        ),
                    ],
                ),
                dtypes: [
                    FieldDType {
                        inner: Owned(
                            Bool(
                                Nullable,
                            ),
                        ),
                    },
                    FieldDType {
                        inner: Owned(
                            List(
                                Bool(
                                    Nullable,
                                ),
                                NonNullable,
                            ),
                        ),
                    },
                ],
            },
            NonNullable,
        ),
        fields: [
            BoolArray {
                dtype: Bool(
                    Nullable,
                ),
                bits: BitBuffer {
                    buffer: Buffer<u8> {
                        length: 0,
                        alignment: Alignment(
                            1,
                        ),
                        as_slice: [],
                    },
                    offset: 0,
                    len: 0,
                },
                validity: AllValid,
                stats_set: ArrayStats {
                    inner: RwLock {
                        data: StatsSet {
                            values: [],
                        },
                    },
                },
            },
            ChunkedArray {
                dtype: List(
                    Bool(
                        Nullable,
                    ),
                    NonNullable,
                ),
                len: 0,
                chunk_offsets: PrimitiveArray {
                    dtype: Primitive(
                        U64,
                        NonNullable,
                    ),
                    buffer: Buffer<u8> {
                        length: 24,
                        alignment: Alignment(
                            8,
                        ),
                        as_slice: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ...],
                    },
                    validity: NonNullable,
                    stats_set: ArrayStats {
                        inner: RwLock {
                            data: StatsSet {
                                values: [],
                            },
                        },
                    },
                },
                chunks: [
                    ListViewArray {
                        dtype: List(
                            Bool(
                                Nullable,
                            ),
                            NonNullable,
                        ),
                        elements: BoolArray {
                            dtype: Bool(
                                Nullable,
                            ),
                            bits: BitBuffer {
                                buffer: Buffer<u8> {
                                    length: 0,
                                    alignment: Alignment(
                                        1,
                                    ),
                                    as_slice: [],
                                },
                                offset: 0,
                                len: 0,
                            },
                            validity: AllValid,
                            stats_set: ArrayStats {
                                inner: RwLock {
                                    data: StatsSet {
                                        values: [],
                                    },
                                },
                            },
                        },
                        offsets: PrimitiveArray { ... },
                        sizes: PrimitiveArray { ... },
                        is_zero_copy_to_list: true,
                        validity: NonNullable,
                        stats_set: ArrayStats { ... },
                    },
                    ListViewArray { ... },
                ],
                stats_set: ArrayStats { ... },
            },
        ],
    },
    actions: [
        Mask(...),
    ],
}

Summary

• Target: array_ops
• Crash File: crash-c16aa01a615890a85d1b0fe54cebbd2103fa7833
• Branch: develop
• Commit: 6a9f07a
• Crash Artifact: https://github.com/vortex-data/vortex/actions/runs//artifacts/

Reproduction

1. Download the crash artifact:

   • Direct download: https://github.com/vortex-data/vortex/actions/runs//artifacts/
   • Or find fuzzer-crashes-array_ops at: https://github.com/vortex-data/vortex/actions/runs/
   • Extract the zip file

2. Reproduce locally:

# The artifact contains array_ops/crash-c16aa01a615890a85d1b0fe54cebbd2103fa7833
cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-c16aa01a615890a85d1b0fe54cebbd2103fa7833 -- -rss_limit_mb=0

3. Get full backtrace:

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-c16aa01a615890a85d1b0fe54cebbd2103fa7833 -- -rss_limit_mb=0

---

Auto-created by fuzzing workflow with Claude analysis

[connortsui20]

Here is a regression test. This is related to how our struct cast works:

    /// Regression test for <https://github.com/vortex-data/vortex/issues/5865>.
    ///
    /// When casting a struct with duplicate field names using the name-based lookup path
    /// (triggered by schema evolution), [`StructFields::find()`] returns the same index for
    /// all fields with the same name, causing incorrect field casting.
    #[test]
    fn cast_struct_with_duplicate_names_schema_evolution() {
        // Source struct: Two fields both named "a" with different types.
        // Field 0: bool?
        // Field 1: list(bool?)
        let names = FieldNames::from(["a", "a"]);

        let bool_field = BoolArray::from_iter([Some(true), None, Some(false)]).into_array();

        let list_elements = BoolArray::from_iter([Some(true), Some(false)]).into_array();
        let list_offsets = buffer![0i32, 1, 1, 2].into_array(); // 3 lists: [true], [], [false]
        let list_field = ListArray::try_new(list_elements, list_offsets, Validity::NonNullable)
            .unwrap()
            .into_array();

        let struct_array = StructArray::try_new(
            names,
            vec![bool_field.clone(), list_field.clone()],
            3,
            Validity::NonNullable,
        )
        .unwrap();

        // Target dtype: Same fields PLUS a new nullable field "c".
        // This triggers name-based lookup because field count differs (2 vs 3).
        let target_dtype = DType::struct_(
            [
                ("a", bool_field.dtype().clone()),
                ("a", list_field.dtype().clone()),
                ("c", DType::Primitive(PType::I32, Nullability::Nullable)),
            ],
            Nullability::NonNullable,
        );

        // BUG: The name-based lookup path calls find("a") twice, getting index 0 both times.
        // This tries to cast bool_field to list(bool?) which fails.
        let result = crate::compute::cast(struct_array.as_ref(), &target_dtype);
        assert!(
            result.is_ok(),
            "cast with duplicate field names failed: {:?}",
            result.err()
        );
    }