Fuzzing Crash: VortexError in file_io

[github-actions]

Fuzzing Crash Report

Analysis

Crash Location: vortex-layout/src/layouts/zoned/zone_map.rs:187:lower_stat_fn

Error Message:

collect should succeed in fuzz test:
  While evaluating pruning predicate ((fixed_size<1>[decimal64(-1614933715192829, precision=16, scale=-34)] > stat($, vortex.max())) or (stat($, vortex.min()) >= fixed_size<1>[decimal64(-7174211998512629, precision=16, scale=-34)])) (derived from (fixed_size<1>[decimal64(-1614933715192829, precision=16, scale=-34)] <= $ < fixed_size<1>[decimal64(-7174211998512629, precision=16, scale=-34)])):
  Other error: Aggregate function vortex.max() does not support input dtype fixed_size_list(decimal(16,-34))[1]?

Stack Trace

stack backtrace:
   0: __rustc::rust_begin_unwind
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:80:14
   2: panic_display<vortex_error::VortexError>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/panicking.rs:259:5
   3: {closure#1}<alloc::vec::Vec<vortex_array::array::erased::ArrayRef, alloc::alloc::Global>, vortex_error::VortexError>
             at ./vortex-error/src/lib.rs:507:9
   4: unwrap_or_else<alloc::vec::Vec<vortex_array::array::erased::ArrayRef, alloc::alloc::Global>, vortex_error::VortexError, vortex_error::{impl#11}::vortex_expect::{closure_env#1}<alloc::vec::Vec<vortex_array::array::erased::ArrayRef, alloc::alloc::Global>, vortex_error::VortexError>>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/core/src/result.rs:1622:23
   5: vortex_expect<alloc::vec::Vec<vortex_array::array::erased::ArrayRef, alloc::alloc::Global>, vortex_error::VortexError>
             at ./vortex-error/src/lib.rs:347:14
   6: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/file_io.rs:92:10
   7: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:363:60
   8: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:62:9
   9: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:581:40
  10: __rust_try
  11: catch_unwind<i32, libfuzzer_sys::test_input_wrap::{closure_env#0}>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panicking.rs:544:19
  12: catch_unwind<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/db3e99bbab28c6ca778b13222becdea54533d908/library/std/src/panic.rs:359:14
  13: test_input_wrap
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/src/lib.rs:60:22
  14: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerLoop.cpp:619:13
  15: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:335:6
  16: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerDriver.cpp:871:9
  17: main
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.12/libfuzzer/FuzzerMain.cpp:20:10
  18: <unknown>
  19: __libc_start_main
  20: _start

Root Cause Analysis

The crash occurs in lower_stat_fn at vortex-layout/src/layouts/zoned/zone_map.rs:187 when the zoned pruning logic attempts to evaluate a min/max aggregate function on a fixed_size_list(decimal(16,-34)) dtype. The aggregate function (vortex.max) does not have a return_dtype mapping for this composite type, causing the ok_or_else branch to produce an error that propagates up and triggers the panic in the fuzz harness's vortex_expect call. The fix should either teach the max/min aggregate functions to support fixed_size_list-wrapped decimal types, or have lower_stat_fn gracefully handle unsupported dtypes by returning a null/unknown expression instead of erroring, so that pruning is simply skipped for columns with unsupported types.

Summary

• Target: file_io
• Crash File: crash-16049023182397c5044c516c27ce1aceae0676ed
• Branch: develop
• Commit: 57e1784
• Crash Artifact: https://github.com/vortex-data/vortex/actions/runs/26728901324/artifacts/7322446536

Reproduce

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0

Reproduction Steps

1. Download the crash artifact: https://github.com/vortex-data/vortex/actions/runs/26728901324/artifacts/7322446536

2. Assuming you download the zipfile to ~/Downloads, and your working directory is the repository root:

# Create the artifacts directory if you haven't already.
mkdir -p ./fuzz/artifacts

# Move the zipfile.
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/

# Unzip the zipfile.
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/

# You can remove the zipfile now if you want to.
rm ./fuzz/artifacts/file_io-crash-artifacts.zip

3. Reproduce the crash:

cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0

If you want a backtrace:

RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0

Single command to get a backtrace

mkdir -p ./fuzz/artifacts
mv ~/Downloads/file_io-crash-artifacts.zip ./fuzz/artifacts/
unzip ./fuzz/artifacts/file_io-crash-artifacts.zip -d ./fuzz/artifacts/
rm ./fuzz/artifacts/file_io-crash-artifacts.zip
RUST_BACKTRACE=1 cargo +nightly fuzz run -D --sanitizer=none file_io ./fuzz/artifacts/file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0

---

Auto-created by fuzzing workflow

[robert3005]

@gatesn I think this is a regression from your latest stat change. We used to just ignore it, now we panic

[github-actions]

🔍 Analysis

Root Cause: The fuzzer generated a column with dtype fixed_size_list(decimal(16,-34))[1]? along with a range predicate using fixed-size-list literals. The predicate is rewritten into a pruning predicate that calls stat($, vortex.max()) and stat($, vortex.min()). When ZoneMap::lower_stat_fn lowers these StatFns it asks the aggregate function for its return_dtype on the input dtype. vortex.max() does not support fixed_size_list inputs, so return_dtype returns None and the code propagates an error. The fuzz target wraps the collect with vortex_expect, turning that error into a panic.

Crash Location: vortex-layout/src/layouts/zoned/zone_map.rs in ZoneMap::lower_stat_fn (line 186).

Relevant Code (from zone_map.rs):

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }
    // ... AllNonNan, NanCount handling ...

    let return_dtype = options
        .aggregate_fn()
        .return_dtype(&input_dtype)
        .ok_or_else(|| {
            vortex_err!(
                "Aggregate function {} does not support input dtype {}",
                options.aggregate_fn(),
                input_dtype
            )
        })?;

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }
    // ...
}

The function already has a graceful "unknown" fallback for several cases (e.g. null_expr(return_dtype) when input is not root, null_expr(return_dtype) when there is no matching Stat). The unsupported-dtype branch should likewise fall back to an unknown rather than bubble an error, because a pruning predicate that cannot evaluate its stats should simply skip pruning that zone.

Next Step: Attempting fix — replace the error with a nullable "unknown" fallback that prevents pruning when the aggregate cannot be evaluated on the input dtype.

[github-actions]

🔧 Fix Implemented

Modified: vortex-layout/src/layouts/zoned/zone_map.rs

Changes: When AggregateFn::return_dtype returns None for the input dtype, return a nullable null expression (using input_dtype.as_nullable()) instead of raising a hard error. This matches the existing graceful fallbacks the function already uses for unavailable stats; the pruning evaluator treats null bounds as "cannot prune".

Complete Code Changes:

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    // This is the bridge from aggregate-backed bound expressions to the legacy
    // zoned stats columns. Exact NullCount and NanCount can prove richer
    // all-* aggregates; non-root or missing stats lower to nullable unknowns.
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(true));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, lit(0u64)));
    }

    if options.aggregate_fn().is::<NanCount>() && !has_nans(&input_dtype) {
        return Ok(lit(0u64));
    }

    // If the aggregate function does not support this input dtype, the
    // statistic cannot be computed for this column, so lower the StatFn to
    // a nullable "unknown" rather than failing the entire predicate. The
    // pruning evaluator treats nulls as "cannot prune", which is the
    // correct conservative behavior here.
    let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
        return Ok(null_expr(input_dtype.as_nullable()));
    };

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }

    if options.aggregate_fn().is::<AllNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
    }

    let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
        return Ok(null_expr(return_dtype));
    };

    self.stat_field_expr(stat)
}

Next Step: Writing regression test.

[github-actions]

✅ Automated Fix Complete

Root Cause: ZoneMap::lower_stat_fn errored when an aggregate function (e.g. vortex.max()) returned None from return_dtype for an unusual input dtype (fixed_size_list(decimal(16,-34))[1]? in this fuzz seed). The fuzz target wraps the resulting VortexResult collect with vortex_expect, turning the error into a panic. Other branches of this same function already lower unavailable stats to a nullable "unknown" so the predicate becomes "cannot prune"; the unsupported-aggregate branch was the only one that bailed.

Files Modified:

• vortex-layout/src/layouts/zoned/zone_map.rs (replace error with nullable-unknown fallback; add regression test).

Complete Fix:

// vortex-layout/src/layouts/zoned/zone_map.rs

// (unused import removed)
// use vortex_error::vortex_err;

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(true));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, lit(0u64)));
    }

    if options.aggregate_fn().is::<NanCount>() && !has_nans(&input_dtype) {
        return Ok(lit(0u64));
    }

    // If the aggregate function does not support this input dtype, the
    // statistic cannot be computed for this column, so lower the StatFn to
    // a nullable "unknown" rather than failing the entire predicate. The
    // pruning evaluator treats nulls as "cannot prune", which is the
    // correct conservative behavior here.
    let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
        return Ok(null_expr(input_dtype.as_nullable()));
    };

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }

    if options.aggregate_fn().is::<AllNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
    }

    let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
        return Ok(null_expr(return_dtype));
    };

    self.stat_field_expr(stat)
}

Regression Test:

/// Regression test for fuzzer crash #8189: lowering a `vortex.max()` stat
/// fn for a column whose dtype is not supported by the aggregate function
/// (here, `FixedSizeList(Decimal, 1)`) must lower to an unknown rather than
/// returning an error.
#[test]
fn lower_stat_fn_unsupported_input_dtype_falls_back_to_unknown() {
    let column_dtype = DType::FixedSizeList(
        Arc::new(DType::Decimal(
            DecimalDType::try_new(16, -34).unwrap(),
            Nullability::NonNullable,
        )),
        1,
        Nullability::Nullable,
    );

    let zone_map = ZoneMap::try_new(
        column_dtype,
        StructArray::try_new(FieldNames::empty(), vec![], 2, Validity::NonNullable).unwrap(),
        Arc::new([]),
        4,
        8,
    )
    .unwrap();

    let max_agg = Stat::Max
        .aggregate_fn()
        .expect("max should have an aggregate function");
    // Mirrors the predicate shape from the crash: stat(root(), max) is
    // compared against itself so the result has a Bool dtype. After lowering,
    // both sides become a nullable "unknown", so the not_eq evaluates to NULL
    // and no zone is pruned.
    let max_stat = stat(root(), max_agg);
    let pruning_expr = not_eq(max_stat.clone(), max_stat);

    let mask = zone_map.prune(&pruning_expr, &SESSION).unwrap();
    assert_arrays_eq!(mask.into_array(), BoolArray::from_iter([false, false]));
}

Test Result:

• cargo nextest run -p vortex-layout lower_stat_fn_unsupported_input_dtype_falls_back_to_unknown → 1 passed.
• cargo nextest run -p vortex-layout → 97 passed (0 failed).
• cargo clippy -p vortex-layout --all-targets --all-features → clean.
• cargo +nightly fuzz run --dev --sanitizer=none file_io file_io/crash-16049023182397c5044c516c27ce1aceae0676ed -- -rss_limit_mb=0 → input executed cleanly, no panic.

Checks I could not run locally:

• cargo +nightly fmt --all (nightly rustfmt component not installed in this sandbox and rustup component add is gated).

Note: This is an automated fix - please review carefully before merging.

[github-actions]

🔍 Analysis

Root Cause: When a fuzzed array has a fixed_size_list(decimal(16,-34))[1] column with a comparison filter, Expression::falsify generates a pruning predicate containing stat($, vortex.max()). When the zone map later tries to lower this stat via lower_stat_fn, it calls Max::return_dtype(fixed_size_list_dtype) which returns None (since min/max are only defined for primitive/decimal/utf8/binary/extension dtypes). The ok_or_else then synthesizes a VortexError instead of falling back to an "unknown" placeholder, which propagates up to the fuzz harness and panics.

Crash Location: vortex-layout/src/layouts/zoned/zone_map.rs:187 in ZoneMap::lower_stat_fn

Relevant Code (from crash location):

let return_dtype = options
    .aggregate_fn()
    .return_dtype(&input_dtype)
    .ok_or_else(|| {
        vortex_err!(
            "Aggregate function {} does not support input dtype {}",
            options.aggregate_fn(),
            input_dtype
        )
    })?;

The surrounding lower_stat_fn already has graceful fallbacks for several cases (non-root inputs lower to null_expr(return_dtype), unavailable stat slots lower to null_expr(dtype)). The unsupported-input-dtype case should similarly degrade to "unknown" instead of erroring — pruning is best-effort, and an undecidable predicate just means we keep the zone.

Next Step: Attempting fix — replace the error path with a null_expr fallback that mirrors the other "unknown stat" branches.

[github-actions]

🔧 Fix Implemented

Modified: vortex-layout/src/layouts/zoned/zone_map.rs

Changes: Replaced the vortex_err! bail in lower_stat_fn with a null_expr fallback. When an aggregate function does not support the input dtype (e.g. vortex.max() on fixed_size_list(decimal(...))[1]), the stat is undecidable — we now lower it to a nullable unknown with input_dtype.as_nullable() so the predicate evaluator treats the zone as un-prunable instead of erroring. This matches the existing graceful-fallback pattern for non-root inputs and missing stat slots already in the same function.

Also removed the now-unused vortex_err import.

Complete Code Changes:

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    // This is the bridge from aggregate-backed bound expressions to the legacy
    // zoned stats columns. Exact NullCount and NanCount can prove richer
    // all-* aggregates; non-root or missing stats lower to nullable unknowns.
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(true));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, lit(0u64)));
    }

    if options.aggregate_fn().is::<NanCount>() && !has_nans(&input_dtype) {
        return Ok(lit(0u64));
    }

    // If the aggregate function does not support this input dtype (e.g. `max`
    // on a `fixed_size_list`), the stat is undecidable. Lower it to a nullable
    // unknown so callers treat the zone as un-prunable rather than erroring.
    let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
        return Ok(null_expr(input_dtype.as_nullable()));
    };

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }

    if options.aggregate_fn().is::<AllNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
    }

    let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
        return Ok(null_expr(return_dtype));
    };

    self.stat_field_expr(stat)
}

Next Step: Writing regression test...

[github-actions]

✅ Automated Fix Complete

Root Cause: ZoneMap::lower_stat_fn errored when an aggregate function did not support the input dtype (e.g. vortex.max() on fixed_size_list(decimal(...))[1]). Because the fuzz harness uses vortex_expect on the scan result, that error escalated into a process-level panic instead of being treated as "cannot decide — keep the zone."

Files Modified:

• vortex-layout/src/layouts/zoned/zone_map.rs (fix + regression test, removed unused vortex_err import)

Complete Fix:

// If the aggregate function does not support this input dtype (e.g. `max`
// on a `fixed_size_list`), the stat is undecidable. Lower it to a nullable
// unknown so callers treat the zone as un-prunable rather than erroring.
let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
    return Ok(null_expr(input_dtype.as_nullable()));
};

Regression Test:

// Regression for #8189: a pruning predicate over a `fixed_size_list` column
// generates `stat(col, vortex.max())` / `stat(col, vortex.min())`, but
// `min`/`max` reject `fixed_size_list` inputs. `lower_stat_fn` previously
// bailed with an error here; it must now degrade to an "unknown" placeholder
// so the zone cannot be pruned.
#[test]
fn unsupported_min_max_input_dtype_does_not_error() {
    let element_dtype = Arc::new(DType::Decimal(
        DecimalDType::new(16, -34),
        Nullability::Nullable,
    ));
    let column_dtype =
        DType::FixedSizeList(Arc::clone(&element_dtype), 1, Nullability::Nullable);

    let zone_map = ZoneMap::try_new(
        column_dtype.clone(),
        StructArray::try_new(FieldNames::empty(), vec![], 2, Validity::NonNullable).unwrap(),
        Arc::new([]),
        4,
        8,
    )
    .unwrap();

    let lit_value = lit(Scalar::fixed_size_list(
        element_dtype,
        vec![Scalar::null(DType::Decimal(
            DecimalDType::new(16, -34),
            Nullability::Nullable,
        ))],
        Nullability::Nullable,
    ));
    let expr = lt(root(), lit_value);
    let pruning_expr = falsify(&expr, column_dtype);

    let mask = zone_map.prune(&pruning_expr, &SESSION).unwrap();
    assert_arrays_eq!(mask.into_array(), BoolArray::from_iter([false, false]));
}

Test Result: All 99 vortex-layout tests pass (including the new regression test):

Summary [0.311s] 99 tests run: 99 passed, 0 skipped

Checks Run:

• cargo nextest run -p vortex-layout — 99/99 passed
• cargo clippy -p vortex-layout --all-targets --all-features — clean

Checks NOT Run (toolchain unavailable in this environment):

• cargo +nightly fmt --all — nightly rustfmt component not installed; stable cargo fmt -p vortex-layout reported only unstable-feature warnings (no formatting drift)
• Direct fuzz reproduction with cargo +nightly fuzz run — nightly rust-src component missing

Note: This is an automated fix — please review carefully before merging.

[vortex-claude]

🔍 Analysis

Root Cause: When evaluating a pruning predicate involving stat($, vortex.max()) on a column whose dtype is not supported by the vortex.max aggregate function (e.g. fixed_size_list(decimal(16,-34))[1]?), ZoneMap::lower_stat_fn calls return_dtype() which returns None, and then the code bails with a VortexError. This error propagates up through the scan and the fuzz target's vortex_expect("collect should succeed in fuzz test") panics.

Crash Location: vortex-layout/src/layouts/zoned/zone_map.rs:186 (inside ZoneMap::lower_stat_fn)

Relevant Code (from crash location):

let return_dtype = options
    .aggregate_fn()
    .return_dtype(&input_dtype)
    .ok_or_else(|| {
        vortex_err!(
            "Aggregate function {} does not support input dtype {}",
            options.aggregate_fn(),
            input_dtype
        )
    })?;

if !input_is_root {
    return Ok(null_expr(return_dtype));
}

if options.aggregate_fn().is::<AllNull>() {
    return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
}

if options.aggregate_fn().is::<AllNonNull>() {
    return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
}

let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
    return Ok(null_expr(return_dtype));
};

The crash log:

While evaluating pruning predicate ((fixed_size<1>[decimal64(...)] > stat($, vortex.max())) or (stat($, vortex.min()) >= fixed_size<1>[decimal64(...)])) (derived from (... <= $ < ...)):
Other error: Aggregate function vortex.max() does not support input dtype fixed_size_list(decimal(16,-34))[1]?

The existing code already follows a graceful-degradation pattern (e.g., stat.from_aggregate_fn() == None → null_expr, and stat_field_expr returning null when the stat is missing). The error path here is the same situation in spirit: when the stats path cannot be lowered, return an "unknown" so pruning becomes a no-op. The data scan still evaluates the predicate against the full data, so correctness is preserved.

Next Step: Attempting fix — replace the ok_or_else(...)? with a let-else that returns null_expr(input_dtype), matching the existing unknown-stat lowering pattern.

[vortex-claude]

🔧 Fix Implemented

Modified: vortex-layout/src/layouts/zoned/zone_map.rs

Changes: When the aggregate function (e.g., vortex.max) does not support the column's input dtype, lower the StatFn to a nullable "unknown" literal of the input dtype instead of returning an error. This matches the existing graceful-degradation pattern used a few lines below (e.g., Stat::from_aggregate_fn() == None → null_expr(return_dtype)). Pruning becomes a no-op for those zones; the predicate is still evaluated against the actual data column, so correctness is preserved.

Complete Code Changes (lower_stat_fn):

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    // This is the bridge from aggregate-backed bound expressions to the legacy
    // zoned stats columns. Exact NullCount and NanCount can prove richer
    // all-* aggregates; non-root or missing stats lower to nullable unknowns.
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(true));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, lit(0u64)));
    }

    if options.aggregate_fn().is::<NanCount>() && !has_nans(&input_dtype) {
        return Ok(lit(0u64));
    }

    // If the aggregate function does not support the input dtype, lower to a
    // nullable "unknown" so pruning becomes a no-op rather than failing the
    // scan. The data-side evaluation of the predicate still runs.
    let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
        return Ok(null_expr(input_dtype));
    };

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }

    if options.aggregate_fn().is::<AllNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
    }

    let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
        return Ok(null_expr(return_dtype));
    };

    self.stat_field_expr(stat)
}

Also removed the now-unused use vortex_error::vortex_err; import.

Verification: Ran the fuzz target on the original crash file with the fix applied — it executed cleanly instead of panicking:

target/x86_64-unknown-linux-gnu/debug/file_io ... -runs=1 file_io/crash-16049023182397c5044c516c27ce1aceae0676ed
INFO: Loaded 1 modules ...
target/x86_64-unknown-linux-gnu/debug/file_io: Running 1 inputs 1 time(s) each.
Running: file_io/crash-16049023182397c5044c516c27ce1aceae0676ed
Executed file_io/crash-16049023182397c5044c516c27ce1aceae0676ed in 98 ms

Next Step: Writing regression test...

[vortex-claude]

✅ Automated Fix Complete

Root Cause: ZoneMap::lower_stat_fn (vortex-layout/src/layouts/zoned/zone_map.rs) called aggregate_fn.return_dtype(input_dtype) and bubbled up a hard error when the aggregate (vortex.max / vortex.min) did not support the column dtype. A fuzzer-generated pruning predicate over a FixedSizeList(Decimal(16, -34), 1)? column triggered this path, and the file_io fuzz target's vortex_expect("collect should succeed in fuzz test") propagated it as a panic. The surrounding code already handles other unavailable-stat cases by lowering to a nullable "unknown" — this branch was the missing case.

Files Modified:

• vortex-layout/src/layouts/zoned/zone_map.rs

Complete Fix (relevant lines of lower_stat_fn):

// If the aggregate function does not support the input dtype, lower to a
// nullable "unknown" so pruning becomes a no-op rather than failing the
// scan. The data-side evaluation of the predicate still runs.
let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
    return Ok(null_expr(input_dtype));
};

The unused use vortex_error::vortex_err; import was also removed.

Regression Test (added to the existing tests module in zone_map.rs):

    #[test]
    fn lower_stat_fn_handles_aggregate_unsupported_dtype() -> vortex_error::VortexResult<()> {
        // Regression test for issue #8189: pruning predicates that reference
        // stat($, vortex.max())/vortex.min() on column dtypes those aggregates do not
        // support (e.g., FixedSizeList) must lower to an "unknown" rather than panic.
        let column_dtype = DType::FixedSizeList(
            Arc::new(DType::Decimal(
                DecimalDType::new(16, -34),
                Nullability::NonNullable,
            )),
            1,
            Nullability::Nullable,
        );
        let zone_map = ZoneMap::try_new(
            column_dtype.clone(),
            StructArray::try_new(FieldNames::empty(), vec![], 2, Validity::NonNullable)?,
            Arc::new([]),
            4,
            8,
        )?;

        let max_fn = Stat::Max
            .aggregate_fn()
            .expect("max should have an aggregate function");
        let null_literal = lit(Scalar::null(column_dtype));
        let pruning_expr = gt(null_literal, stat(root(), max_fn));

        let mask = zone_map.prune(&pruning_expr, &SESSION)?;
        assert_eq!(mask.len(), 2);
        Ok(())
    }

Test Result: All 11 zone_map tests pass with the fix. The new regression test fails with the exact same error from the crash log when the fix is reverted, confirming it actually exercises the bug.

With the fix:

running 11 tests
test layouts::zoned::zone_map::tests::lower_stat_fn_handles_aggregate_unsupported_dtype ... ok
... (all 11 pass)
test result: ok. 11 passed; 0 failed; 0 ignored; 0 measured; 86 filtered out

Without the fix:

---- layouts::zoned::zone_map::tests::lower_stat_fn_handles_aggregate_unsupported_dtype stdout ----
Error: Other error: Aggregate function vortex.max() does not support input dtype fixed_size_list(decimal(16,-34))[1]?
test result: FAILED. 0 passed; 1 failed

The original fuzz crash file also now executes cleanly:

Running: file_io/crash-16049023182397c5044c516c27ce1aceae0676ed
Executed file_io/crash-16049023182397c5044c516c27ce1aceae0676ed in 98 ms

Checks Run:

• cargo build -p vortex-layout — succeeds
• cargo test -p vortex-layout layouts::zoned::zone_map::tests — 11/11 pass
• cargo clippy -p vortex-layout --all-targets — succeeds with no new warnings
• cargo +nightly fuzz run --dev --sanitizer=none file_io <crash-file> — no longer crashes

Checks Not Run:

• cargo +nightly fmt — nightly rustfmt component not installed in this environment; stable cargo fmt -- --check reports no diff. CI should re-verify.

Note: This is an automated fix — please review carefully before merging.

[vortex-claude]

🔍 Analysis

Root Cause: When the fuzzer builds a filter like lower <= $ < upper over a column whose dtype is fixed_size_list(decimal(16,-34))[1]?, the pruning-predicate rewriter calls min(...) / max(...) to build a stats falsifier. stat_expr unconditionally generates StatFn(vortex.min, $) / StatFn(vortex.max, $) without checking that the aggregate function actually supports the column dtype. The MinMax aggregate's return_dtype returns None for FixedSizeList, so when the zone-map layout later tries to lower these StatFn nodes against the stats table, ZoneMap::lower_stat_fn errors with Aggregate function vortex.max() does not support input dtype ..., which propagates out of scan().into_array_iter()...try_collect() and panics the fuzz target.

Crash Location: vortex-layout/src/layouts/zoned/zone_map.rs:187 in ZoneMap::lower_stat_fn

Relevant Code (from vortex-layout/src/layouts/zoned/zone_map.rs):

let return_dtype = options
    .aggregate_fn()
    .return_dtype(&input_dtype)
    .ok_or_else(|| {
        vortex_err!(
            "Aggregate function {} does not support input dtype {}",
            options.aggregate_fn(),
            input_dtype
        )
    })?;

if !input_is_root {
    return Ok(null_expr(return_dtype));
}

The rewrite that introduces the unsupported StatFn (from vortex-array/src/stats/rewrite/builtins.rs):

fn stat_expr(expr: &Expression, stat: Stat) -> Option<Expression> {
    if let Some(literal) = literal_stat(expr, stat) {
        return Some(literal);
    }
    if expr.is::<Literal>() {
        return None;
    }
    if let Some(dtype) = expr.as_opt::<Cast>() {
        return cast_stat(expr.child(0), dtype, stat);
    }
    // BUG: emits StatFn even when aggregate_fn doesn't support the column dtype.
    stat.aggregate_fn()
        .map(|aggregate_fn| stat_fn(expr.clone(), aggregate_fn))
}

Next Step: Attempting fix — make ZoneMap::lower_stat_fn treat an unsupported aggregate input dtype the same as a missing stat (i.e. lower to a nullable "unknown" so the predicate cannot prove a prune), since the stat genuinely is not computable on that dtype.

[vortex-claude]

🔧 Fix Implemented

Modified: vortex-layout/src/layouts/zoned/zone_map.rs

Changes: When the aggregate function backing a StatFn does not support the column dtype, treat the stat as unknown and lower to a nullable null literal (same as the existing fallback for non-root inputs and missing stats) instead of returning vortex_err!. The pruning predicate then evaluates to "can't prove anything," which keeps every zone — the safe and correct behavior for a stat that genuinely is not computable on this dtype.

Complete Code Changes (ZoneMap::lower_stat_fn):

fn lower_stat_fn(&self, expr: Expression) -> VortexResult<Expression> {
    // This is the bridge from aggregate-backed bound expressions to the legacy
    // zoned stats columns. Exact NullCount and NanCount can prove richer
    // all-* aggregates; non-root or missing stats lower to nullable unknowns.
    let options = expr.as_::<StatFn>();
    let input = expr.child(0);
    let input_dtype = input.return_dtype(&self.column_dtype)?;
    let input_is_root = is_root(input);

    if options.aggregate_fn().is::<AllNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(false));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNan>() {
        if !has_nans(&input_dtype) {
            return Ok(lit(true));
        }
        if !input_is_root {
            return Ok(null_expr(DType::Bool(Nullability::NonNullable)));
        }
        return Ok(eq(self.stat_field_expr(Stat::NaNCount)?, lit(0u64)));
    }

    if options.aggregate_fn().is::<NanCount>() && !has_nans(&input_dtype) {
        return Ok(lit(0u64));
    }

    // When the aggregate function does not support the column dtype the stat is
    // not computable on this layout, so treat it the same as a missing stat and
    // lower to a nullable "unknown" rather than failing the whole scan. Min/Max
    // share their input dtype, so falling back to `input_dtype.as_nullable()`
    // keeps the rewrite well-typed for the most common case.
    let Some(return_dtype) = options.aggregate_fn().return_dtype(&input_dtype) else {
        return Ok(null_expr(input_dtype.as_nullable()));
    };

    if !input_is_root {
        return Ok(null_expr(return_dtype));
    }

    if options.aggregate_fn().is::<AllNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, row_count_expr()));
    }

    if options.aggregate_fn().is::<AllNonNull>() {
        return Ok(eq(self.stat_field_expr(Stat::NullCount)?, lit(0u64)));
    }

    let Some(stat) = Stat::from_aggregate_fn(options.aggregate_fn()) else {
        return Ok(null_expr(return_dtype));
    };

    self.stat_field_expr(stat)
}

The use vortex_error::vortex_err; import is no longer needed and was removed.

Verification: Reran the fuzzer with the original crash input:

target/x86_64-unknown-linux-gnu/debug/file_io ... file_io/crash-16049023182397c5044c516c27ce1aceae0676ed
Executed file_io/crash-16049023182397c5044c516c27ce1aceae0676ed in 98 ms

No panic — the scan now completes.

Next Step: Writing regression test...