
Fuzzing Crash: Sum operation on chunked decimal array returns null instead of expected value #5902

@github-actions

Description

Fuzzing Crash Report

Analysis

Crash Location: fuzz/src/array/mod.rs:721 in assert_scalar_eq function (called from run_fuzz_action at line 600)

Error Message:

Scalar mismatch: expected decimal256(21158192219502898184827793276925111097118417895871292770301872181674435414613, precision=76, scale=75), got null in step 1

Stack Trace:

#0 assert_scalar_eq at ./fuzz/src/array/mod.rs:721:13
#1 run_fuzz_action at ./fuzz/src/array/mod.rs:600:17
#2 __libfuzzer_sys_run at ./fuzz/fuzz_targets/array_ops.rs:14:11

Root Cause: The sum operation is being performed on a ChunkedArray containing decimal values with precision=76 and scale=75. The fuzzer expects the sum to return the decimal value 21158192219502898184827793276925111097118417895871292770301872181674435414613, but the actual result is null.

This indicates a bug in the sum aggregation logic for chunked decimal arrays where:

  • The array contains two chunks of DecimalArray, both with valid decimal values (validity: AllValid)
  • The first chunk has 4 elements, the second chunk has 3 elements (total 7 elements)
  • Despite having valid values, the sum operation returns null instead of computing the actual sum

Debug Output
FuzzArrayAction {
    array: ChunkedArray {
        dtype: Decimal(
            DecimalDType {
                precision: 76,
                scale: 75,
            },
            Nullable,
        ),
        len: 7,
        chunk_offsets: PrimitiveArray {
            dtype: Primitive(
                U64,
                NonNullable,
            ),
            buffer: Buffer<u8> {
                length: 24,
                alignment: Alignment(
                    8,
                ),
                as_slice: [0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, ...],
            },
            validity: NonNullable,
            stats_set: ArrayStats {
                inner: RwLock {
                    data: StatsSet {
                        values: [],
                    },
                },
            },
        },
        chunks: [
            DecimalArray {
                dtype: Decimal(
                    DecimalDType {
                        precision: 76,
                        scale: 75,
                    },
                    Nullable,
                ),
                values: Buffer<u8> {
                    length: 128,
                    alignment: Alignment(
                        16,
                    ),
                    as_slice: [1, 0, 0, 0, 0, 0, 0, 0, 0, 208, 64, 171, 43, 14, 159, 191, ...],
                },
                values_type: I256,
                validity: AllValid,
                stats_set: ArrayStats {
                    inner: RwLock {
                        data: StatsSet {
                            values: [],
                        },
                    },
                },
            },
            DecimalArray {
                dtype: Decimal(
                    DecimalDType {
                        precision: 76,
                        scale: 75,
                    },
                    Nullable,
                ),
                values: Buffer<u8> {
                    length: 96,
                    alignment: Alignment(
                        16,
                    ),
                    as_slice: [5, 0, 0, 0, 0, 0, 0, 0, 0, 80, 152, 30, 160, 222, 241, 221, ...],
                },
                values_type: I256,
                validity: AllValid,
                stats_set: ArrayStats {
                    inner: RwLock {
                        data: StatsSet {
                            values: [],
                        },
                    },
                },
            },
        ],
        stats_set: ArrayStats {
            inner: RwLock {
                data: StatsSet {
                    values: [],
                },
            },
        },
    },
    actions: [
        (
            Sum,
            Scalar(
                Scalar {
                    dtype: Decimal(
                        DecimalDType {
                            precision: 76,
                            scale: 75,
                        },
                        Nullable,
                    ),
                    value: ScalarValue(
                        Decimal(
                            I256(
                                i256(
                                    21158192219502898184827793276925111097118417895871292770301872181674435414613,
                                ),
                            ),
                        ),
                    ),
                },
            ),
        ),
        (
            Sum,
            Scalar(
                Scalar {
                    dtype: Decimal(
                        DecimalDType {
                            precision: 76,
                            scale: 75,
                        },
                        Nullable,
                    ),
                    value: ScalarValue(
                        Decimal(
                            I256(
                                i256(
                                    21158192219502898184827793276925111097118417895871292770301872181674435414613,
                                ),
                            ),
                        ),
                    ),
                },
            ),
        ),
    ],
}

Reproduction

  1. Download the crash artifact:

  2. Reproduce locally:

     # The artifact contains array_ops/crash-0c4be7951d94bef1a37810859f98f640d9e2858e
     cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-0c4be7951d94bef1a37810859f98f640d9e2858e -- -rss_limit_mb=0

  3. Get full backtrace:

     RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-0c4be7951d94bef1a37810859f98f640d9e2858e -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis

Labels: bug (A bug issue), fuzzer (Issues detected by the fuzzer)