Description
Fuzzing Crash Report
Analysis
Crash Location: vortex-array/src/builders/varbinview.rs:381 in the extend_from_compaction function
Error Message:
AddressSanitizer: out of memory: allocator is trying to allocate 0x1e762f000 bytes
Stack Trace:
#0 realloc
#1-#13 Vec::extend_from_slice (various internal allocator calls)
#14 extend_from_compaction at vortex-array/src/builders/varbinview.rs:381:35
#15 extend_from_array_unchecked at vortex-array/src/builders/varbinview.rs:285:18
#16 extend_from_array at vortex-array/src/builders/mod.rs:174:23
#17 naive_rebuild at vortex-array/src/arrays/listview/rebuild.rs:157:34
#18 rebuild_zero_copy_to_list at vortex-array/src/arrays/listview/rebuild.rs:94:36
#19 rebuild at vortex-array/src/arrays/listview/rebuild.rs:60:61
#20 filter (ListViewVTable) at vortex-array/src/arrays/listview/compute/filter.rs:72:14
Root Cause: The fuzzer created a deeply nested structure (ChunkedArray containing StructArrays with nested Structs and List fields). During a filter operation, the code attempts to rebuild a ListViewArray which triggers VarBinViewBuilder to extend its internal buffers. The allocator attempts to allocate approximately 125GB of memory (0x1e762f000 bytes), which exhausts available memory.
This appears to be an unbounded memory allocation issue where the buffer size calculation doesn't properly validate or limit the allocation size before attempting to allocate. The deeply nested and chunked structure likely causes the compaction logic to calculate an extremely large buffer requirement.
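The analysis above points at a missing bound on the buffer size computed during compaction. As an added illustration, not code from the vortex project, here is a Rust sketch of how a builder can compute the number of bytes it is about to append with checked arithmetic, refuse a request above a configured cap, and reserve through `Vec::try_reserve` so that an allocation failure surfaces as an error instead of an allocator abort. `MAX_BUFFER_BYTES`, `SizeError`, `checked_total` and `extend_bounded` are hypothetical names, and the 1 GiB cap is an assumed value; the 0x1e762f000-byte request is the size from the crash report.

```rust
use std::collections::TryReserveError;

/// Hypothetical cap on a single builder buffer (1 GiB); a real builder would
/// make this configurable rather than hard-coding it.
pub const MAX_BUFFER_BYTES: u64 = 1 << 30;

#[derive(Debug, PartialEq, Eq)]
pub enum SizeError {
    /// The sum of the piece lengths overflowed u64 (caught by checked arithmetic).
    Overflow,
    /// The computed size is finite but larger than the configured cap.
    ExceedsLimit { requested: u64, limit: u64 },
    /// The allocator refused the reservation; try_reserve reports this instead of aborting.
    AllocationFailed,
}

/// Compute the bytes a compaction step would need to append, refusing to
/// proceed when the total overflows or exceeds MAX_BUFFER_BYTES.
pub fn checked_total(lengths: &[u64]) -> Result<u64, SizeError> {
    let total = lengths
        .iter()
        .try_fold(0u64, |acc, &len| acc.checked_add(len))
        .ok_or(SizeError::Overflow)?;
    if total > MAX_BUFFER_BYTES {
        return Err(SizeError::ExceedsLimit { requested: total, limit: MAX_BUFFER_BYTES });
    }
    Ok(total)
}

/// Append `pieces` to `buf` only after the size check passes and the
/// reservation succeeds; returns the number of bytes appended.
pub fn extend_bounded(buf: &mut Vec<u8>, pieces: &[&[u8]]) -> Result<usize, SizeError> {
    let lengths: Vec<u64> = pieces.iter().map(|p| p.len() as u64).collect();
    let total = checked_total(&lengths)?;
    // On a 32-bit target a total above usize::MAX is also an overflow.
    let additional = usize::try_from(total).map_err(|_| SizeError::Overflow)?;
    // Fallible reservation: a refused allocation becomes an error, not an abort.
    buf.try_reserve(additional)
        .map_err(|_: TryReserveError| SizeError::AllocationFailed)?;
    for p in pieces {
        buf.extend_from_slice(p);
    }
    Ok(additional)
}

fn main() {
    // Constructed sample input: two small pieces that fit comfortably under the cap.
    let mut buf = Vec::new();
    let pieces: [&[u8]; 2] = [b"hello", b"world"];
    println!("{:?}", extend_bounded(&mut buf, &pieces));
    // The request size from the crash report is rejected before any allocation happens.
    println!("{:?}", checked_total(&[0x1e762f000]));
}
```

The point of checking the total before calling into the allocator is that `Vec::extend_from_slice` on its own will happily ask for whatever the caller computed; the cap turns a runaway size into a recoverable error that a fuzz target or a filter kernel can report, and `try_reserve` covers the case where the size is under the cap but the host still cannot satisfy it.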
Debug Output
FuzzArrayAction {
array: ChunkedArray {
dtype: Struct(...),
len: 115,
chunks: [nested StructArrays with List<Utf8> fields]
},
action: Filter(BoolArray)
}
Full debug output available in the crash artifact.
Summary
- Target: array_ops
- Crash File: crash-e8521064a2cd94e38ba670efe84a139ca8396be2
- Branch: develop
- Commit: 052025a
- Crash Artifact: Check GitHub Actions workflow run for artifact
Reproduction
- Download the crash artifact from the GitHub Actions run
- Reproduce locally:
cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-e8521064a2cd94e38ba670efe84a139ca8396be2 -- -rss_limit_mb=0
- Get full backtrace:
RUST_BACKTRACE=full cargo +nightly fuzz run -D --sanitizer=none array_ops array_ops/crash-e8521064a2cd94e38ba670efe84a139ca8396be2 -- -rss_limit_mb=0
Auto-created by fuzzing workflow with Claude analysis