Fuzzing Crash: Length not preserved in file I/O with projection on nested struct arrays #6009

@github-actions

Description

Fuzzing Crash Report

Analysis

Crash Location: fuzz/fuzz_targets/file_io.rs:100 - assertion in __libfuzzer_sys_run function

Error Message:

assertion `left == right` failed: Length was not preserved expected 20 actual 2.
  left: 20
 right: 2

Stack Trace:

   0: __rustc::rust_begin_unwind
             at /rustc/22c74ba91873dd013479f86eac3e9ea10593bff9/library/std/src/panicking.rs:689:5
   1: core::panicking::panic_fmt
             at /rustc/22c74ba91873dd013479f86eac3e9ea10593bff9/library/core/src/panicking.rs:80:14
   2: core::panicking::assert_failed_inner
   3: core::panicking::assert_failed::<usize, usize>
             at /rustc/22c74ba91873dd013479f86eac3e9ea10593bff9/library/core/src/panicking.rs:394:5
   4: __libfuzzer_sys_run
             at ./fuzz/fuzz_targets/file_io.rs:100:5
   5: rust_fuzzer_test_input
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:363:60
   6: {closure#0}
             at /home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:62:9
   7: do_call<libfuzzer_sys::test_input_wrap::{closure_env#0}, i32>
             at /rustc/22c74ba91873dd013479f86eac3e9ea10593bff9/library/std/src/panicking.rs:581:40

Root Cause:

The fuzzer discovered a length mismatch in the file I/O round-trip when using projection expressions with nested struct arrays containing decimal fields.

The test:

  1. Creates an expected array by applying a projection expression to a StructArray (length 55, with nested struct containing decimal data)
  2. Writes the original array to a file
  3. Reads it back with the same projection expression applied during scan
  4. Asserts that the output length matches the expected length

The expected array has length 20, but after the file I/O round-trip with projection applied, only 2 elements are returned instead of 20.

The input array structure:

  • StructArray with length 55
  • Field name: "ggggg"
  • Nested struct field with name "gg" containing Decimal(precision=1, scale=0) with nullable values
  • ChunkedArray with 2 chunks (37 and 18 elements)
  • Projection expression: Pack operation with 7 instances of the same field "ggggg", creating a nullable struct

This is similar to issue #5517 (which was closed) but with different characteristics:

  • Different array structure (nested structs with decimals vs flat structs with UTF-8)
  • Different length discrepancy (20→2 vs 18→22)
  • Possibly a regression or related bug

Debug Output

See full debug output in fuzzer log (truncated for brevity - includes StructArray with nested ChunkedArray containing DecimalArray chunks)

Reproduction

  1. Download the crash artifact:

  2. Reproduce locally:

cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-d4799c407bfe37c0331024001b6c513fc62206fd -- -rss_limit_mb=0

  3. Get full backtrace:

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-d4799c407bfe37c0331024001b6c513fc62206fd -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis
