[MDEV-29473] UBSAN: Signed integer overflow: X * Y cannot be represented in type 'int' in strings/dtoa.c - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 11.0.0, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3, 10.11.2
Component/s: Data types
Labels:
- UBSAN
- overflow

Description

Similar to MDEV-28374 but no PROCEDURE ANALYSE() is required here.

CREATE TABLE t (c DOUBLE) ENGINE=InnoDB;

INSERT INTO t VALUES ('1e4294967297');

Leads to:

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)
/test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)
#0 0x557791cc50de in my_strtod_int /test/10.11_dbg_san/strings/dtoa.c:1481
#1 0x557791cc50de in my_strtod /test/10.11_dbg_san/strings/dtoa.c:469
#2 0x557791bb71e2 in my_strntod_8bit /test/10.11_dbg_san/strings/ctype-simple.c:799
#3 0x55778effb05a in charset_info_st::strntod(char, unsigned long, char, int) const /test/10.11_dbg_san/include/m_ctype.h:899
#4 0x55778effb05a in Field_real::get_double(char const, unsigned long, charset_info_st const, int*) /test/10.11_dbg_san/sql/field.cc:1838
#5 0x55778effbb02 in Field_double::store(char const, unsigned long, charset_info_st const) /test/10.11_dbg_san/sql/field.cc:4868
#6 0x55778f1c5fdd in Item::save_str_value_in_field(Field, String) /test/10.11_dbg_san/sql/item.cc:407
#7 0x55778f1c641f in Item_string::save_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:6867
#8 0x55778d4826df in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /test/10.11_dbg_san/sql/sql_base.cc:9196
#9 0x55778d482be8 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/10.11_dbg_san/sql/sql_base.cc:9251
#10 0x55778d6a3853 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.11_dbg_san/sql/sql_insert.cc:1089
#11 0x55778d8fe912 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:4563
#12 0x55778d861c88 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
#13 0x55778d8ce85f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
#14 0x55778d8e0a70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
#15 0x55778e351b41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
#16 0x55778e35432c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
#17 0x1474580e9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#18 0x14745735e132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

There are a large number of issues seen across versions. All UniqueID's seen:

UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|Field_real::get_double|Field_double::store

UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Field_real::get_double

UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Field_real::get_double

UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod

Attachments

Issue Links

relates to

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

MDEV-28374 UBSAN: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int' in sql/sql_analyse.cc

Confirmed

MDEV-28345 ASAN: use-after-poison or unknown-crash in my_strtod_int from charset_info_st::strntod or test_if_number

Closed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2022-11-17 04:17

Debug build of more recent 10.11 no longer crashes, but it still shows the

/test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

Roel Van de Paar added a comment - 2022-11-17 04:17 Debug build of more recent 10.11 no longer crashes, but it still shows the /test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

Alexander Barkov added a comment - 2022-11-17 10:06

Repeatable with MyISAM (which is default in MTR) with this MTR test:

CREATE TABLE t1 (c DOUBLE);

--error ER_WARN_DATA_OUT_OF_RANGE

INSERT INTO t1 VALUES ('1e4294967297');

DROP TABLE t1;

main.AAA                                 [ fail ]  Found warnings/errors in server log file!

        Test ended at 2022-11-17 14:00:28

line

/home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in

/home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 10 * 429496729 cannot be represented in type 'int'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16 in

^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err

Alexander Barkov added a comment - 2022-11-17 10:06 Repeatable with MyISAM (which is default in MTR) with this MTR test: CREATE TABLE t1 (c DOUBLE ); --error ER_WARN_DATA_OUT_OF_RANGE INSERT INTO t1 VALUES ( '1e4294967297' ); DROP TABLE t1; main.AAA [ fail ] Found warnings/errors in server log file! Test ended at 2022-11-17 14:00:28 line /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in /home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 10 * 429496729 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16 in ^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err

Alexander Barkov added a comment - 2022-11-17 10:47

After adding this test into type_float.test, UBSAN issues more warnings:

/home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)'

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in

/home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17: runtime error: left shift of negative value -1

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17 in

/home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17: runtime error: left shift of negative value -1

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17 in

^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err

ok

Alexander Barkov added a comment - 2022-11-17 10:47 After adding this test into type_float.test, UBSAN issues more warnings: /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17: runtime error: left shift of negative value -1 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17 in /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17: runtime error: left shift of negative value -1 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17 in ^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err ok

MariaDB Server

UBSAN: Signed integer overflow: X * Y cannot be represented in type 'int' in strings/dtoa.c

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration