Fuzzing Crash: Sequential stream dtype mismatch (expected vs actual swapped in error) #5845

@github-actions

Fuzzing Crash Report

Analysis

Crash Location: vortex-layout/src/sequence.rs:313 in SequentialStreamAdapter::poll_next

Error Message:

assertion `left == right` failed: Sequential stream of u8 got chunk of u16.
  left: Primitive(U8, NonNullable)
 right: Primitive(U16, NonNullable)

Stack Trace:

   0: __rustc::rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::assert_failed_inner
   3: core::panicking::assert_failed::<&vortex_dtype::dtype::DType, &mut vortex_dtype::dtype::DType>
   4: poll_next<core::pin::Pin<alloc::boxed::Box<...>>>
             at ./vortex-layout/src/sequence.rs:313:13
   5: poll_next<alloc::boxed::Box<...>>
   6: poll_next<core::pin::Pin<...>, repartition::{closure_env#0}>
             at ./vortex-layout/src/layouts/repartition.rs:89:70
   7: poll_next<async_stream::AsyncStream<...>>
             at ./vortex-layout/src/sequence.rs:311:48

Root Cause:

The SequentialStreamAdapter enforces that all arrays in a sequential stream have the same dtype. The fuzzer discovered a case where:

  1. The stream was initialized with dtype Primitive(U16, NonNullable)
  2. But an array chunk with dtype Primitive(U8, NonNullable) was received

This indicates an inconsistency in how sequential streams are constructed, likely in the repartition layout logic based on the stack trace.

Additional Issue: The error message has swapped arguments - it says "Sequential stream of u8 got chunk of u16" but the assertion shows the stream expected U16 and got U8. The format string at lines 316-318 has the arguments backwards.

Relevant Code (vortex-layout/src/sequence.rs:313-319):

assert_eq!(
    array.dtype(),      // The actual chunk's dtype (U8)
    this.dtype,         // The expected stream dtype (U16)
    "Sequential stream of {} got chunk of {}.",
    array.dtype(),      // First {} - should be this.dtype
    this.dtype          // Second {} - should be array.dtype()
);

Summary

Reproduction

  1. Download the crash artifact:

  2. Reproduce locally:

# The artifact contains file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2
cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0

  3. Get full backtrace:

RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none file_io file_io/crash-f34f3a6108ae41cb796a5e9d27f0f636135656f2 -- -rss_limit_mb=0

Auto-created by fuzzing workflow with Claude analysis
