Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-33534

UBSAN: Negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself in my_double_round from sql/item_func.cc|

Details

    Description

      I found UBSAN bugs with a long query which, when simplified, lead to many different UBSAN stacks. In reverse order from short to long query (using UniqeID's to keep this report to a reasonable length):

      SELECT TRUNCATE(EXP(-1.e-2),-1.e+30);

      Leads to:

      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real
      		 
      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Type_handler::Item_send_double|Protocol::send_result_set_row|select_send::send_data


      SELECT (TRUNCATE(EXP(-1.e-2),-1.e+30) % RADIANS(-1));

      Leads to (opt/dbg):

      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Type_handler::Item_send_double|Protocol::send_result_set_row
      		 
      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real


      SELECT (TRUNCATE(EXP(-1.e-2),-1.e+30) % RADIANS(-1)) * (LAST_DAY('1-03-30 1:29:12') MOD 1 + COS(-1));

      Leads to (opt/dbg):

      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Type_handler::Item_send_double
      		 
      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real


      SELECT(ASIN(-1)+ LN(-1)) % (ATAN(-1) MOD FLOOR(1)) * (TRUNCATE(EXP(-1.e-2),-1.e+30) % RADIANS(-1)) * (LAST_DAY('1-03-30 1:29:12') MOD 1 + COS(-1));

      Leads to (opt/dbg):

      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Item_func_mul::real_op
      		 
      UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real

      The optimized outcomes are different for each testcase. The debug build outcomes are the same for the last three only, but different from the first testcase. However, for the first testcase the optimized build outcome is the same outcome as the three last testcases debug build outcomes.

      All versions and build types affected.

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export UBSAN_OPTIONS=print_stacktrace=1

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          Roel Roel Van de Paar added a comment - - edited

          Summary of all UniqueID/stacks seen (including additional ones from comments below):

          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Type_handler::Item_send_double|Protocol::send_result_set_row|select_send::send_data
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Type_handler::Item_send_double|Protocol::send_result_set_row
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Type_handler::Item_send_double
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Item_func_mul::real_op
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_hybrid_field_type::val_decimal_from_real_op|VDec::VDec
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_plus::real_op|Type_handler::Item_send_double

          And example full UBSAN error log stack:

          11.4.2 9b6e267bfd8fbed66807b8ca81a84d1faa84ff34 (Debug, UBASAN)

          		 
          /test/11.4_dbg_san/sql/item_func.cc:2618:37: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
          		 
              #0 0x561b0b486d97 in my_double_round(double, long long, bool, bool) /test/11.4_dbg_san/sql/item_func.cc:2618
          		 
              #1 0x561b0b487730 in Item_func_round::real_op() /test/11.4_dbg_san/sql/item_func.cc:2662
          		 
              #2 0x561b0a5b7394 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.4_dbg_san/sql/item_func.h:928
          		 
              #3 0x561b0a5b7394 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.4_dbg_san/sql/sql_type.cc:5500
          		 
              #4 0x561b09531adb in Item_func_hybrid_field_type::val_real() /test/11.4_dbg_san/sql/item_func.h:974
          		 
              #5 0x561b0a66ed44 in Type_handler::Item_send_double(Item*, Protocol*, st_value*) const /test/11.4_dbg_san/sql/sql_type.cc:7558
          		 
              #6 0x561b0a6d73ec in Type_handler_double::Item_send(Item*, Protocol*, st_value*) const /test/11.4_dbg_san/sql/sql_type.h:6160
          		 
              #7 0x561b08d25c94 in Item::send(Protocol*, st_value*) /test/11.4_dbg_san/sql/item.h:1254
          		 
              #8 0x561b08eecdf4 in Protocol::send_result_set_row(List<Item>*) /test/11.4_dbg_san/sql/protocol.cc:1333
          		 
              #9 0x561b09216c08 in select_send::send_data(List<Item>&) /test/11.4_dbg_san/sql/sql_class.cc:3187
          		 
              #10 0x561b09a22e3c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_dbg_san/sql/sql_class.h:5995
          		 
              #11 0x561b09a22e3c in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:4862
          		 
              #12 0x561b09a2944e in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4774
          		 
              #13 0x561b09a17871 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5304
          		 
              #14 0x561b09a1bd82 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:630
          		 
              #15 0x561b095802f4 in execute_sqlcom_select /test/11.4_dbg_san/sql/sql_parse.cc:6094
          		 
              #16 0x561b095e5140 in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:3943
          		 
              #17 0x561b0960c40e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7815
          		 
              #18 0x561b0961c252 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1893
          		 
              #19 0x561b0962a799 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1406
          		 
              #20 0x561b0a03c88b in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1437
          		 
              #21 0x561b0a03dda6 in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1339
          		 
              #22 0x148429694ac2 in start_thread nptl/pthread_create.c:442
          		 
              #23 0x14842972684f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

          Roel Roel Van de Paar added a comment - - edited Summary of all UniqueID/stacks seen (including additional ones from comments below): UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Type_handler::Item_send_double|Protocol::send_result_set_row|select_send::send_data UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Type_handler::Item_send_double|Protocol::send_result_set_row UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Type_handler::Item_send_double UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_mul::real_op|Item_func_mul::real_op UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_hybrid_field_type::val_decimal_from_real_op|VDec::VDec UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_plus::real_op|Type_handler::Item_send_double And example full UBSAN error log stack: 11.4.2 9b6e267bfd8fbed66807b8ca81a84d1faa84ff34 (Debug, UBASAN) /test/11.4_dbg_san/sql/item_func.cc:2618:37: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself #0 0x561b0b486d97 in my_double_round(double, long long, bool, bool) /test/11.4_dbg_san/sql/item_func.cc:2618 #1 0x561b0b487730 in Item_func_round::real_op() /test/11.4_dbg_san/sql/item_func.cc:2662 #2 0x561b0a5b7394 in Item_func_hybrid_field_type::val_real_from_real_op() /test/11.4_dbg_san/sql/item_func.h:928 #3 0x561b0a5b7394 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /test/11.4_dbg_san/sql/sql_type.cc:5500 #4 0x561b09531adb in Item_func_hybrid_field_type::val_real() /test/11.4_dbg_san/sql/item_func.h:974 #5 0x561b0a66ed44 in Type_handler::Item_send_double(Item*, Protocol*, st_value*) const /test/11.4_dbg_san/sql/sql_type.cc:7558 #6 0x561b0a6d73ec in Type_handler_double::Item_send(Item*, Protocol*, st_value*) const /test/11.4_dbg_san/sql/sql_type.h:6160 #7 0x561b08d25c94 in Item::send(Protocol*, st_value*) /test/11.4_dbg_san/sql/item.h:1254 #8 0x561b08eecdf4 in Protocol::send_result_set_row(List<Item>*) /test/11.4_dbg_san/sql/protocol.cc:1333 #9 0x561b09216c08 in select_send::send_data(List<Item>&) /test/11.4_dbg_san/sql/sql_class.cc:3187 #10 0x561b09a22e3c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_dbg_san/sql/sql_class.h:5995 #11 0x561b09a22e3c in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:4862 #12 0x561b09a2944e in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4774 #13 0x561b09a17871 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5304 #14 0x561b09a1bd82 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:630 #15 0x561b095802f4 in execute_sqlcom_select /test/11.4_dbg_san/sql/sql_parse.cc:6094 #16 0x561b095e5140 in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:3943 #17 0x561b0960c40e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7815 #18 0x561b0961c252 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1893 #19 0x561b0962a799 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1406 #20 0x561b0a03c88b in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1437 #21 0x561b0a03dda6 in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1339 #22 0x148429694ac2 in start_thread nptl/pthread_create.c:442 #23 0x14842972684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
          Roel Roel Van de Paar added a comment - - edited

          Additional stack observed with:

          SELECT (1%TRUNCATE('a','a'-1*'99999999999999999999'))DIV(FLOOR(1))+(TRUNCATE(COT(1),-3));

          Leading to (first one is new/additional):

          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_hybrid_field_type::val_decimal_from_real_op|VDec::VDec
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real

          Reducing it to for example:

          SELECT (1%TRUNCATE('a','a'-1*'99999999999999999999'));

          Leads to a previously seen stack:

          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Type_handler::Item_send_double|Protocol::send_result_set_row

          And again varying it to:

          SELECT (1%TRUNCATE('a','a'-1*'99999999999999999999'))+(TRUNCATE(COT(1),-3));

          Leads to (first stack/UniqueID is again another new/additional one):

          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_plus::real_op|Type_handler::Item_send_double
          		 
          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real

          Roel Roel Van de Paar added a comment - - edited Additional stack observed with: SELECT (1% TRUNCATE ( 'a' , 'a' -1* '99999999999999999999' ))DIV(FLOOR(1))+( TRUNCATE (COT(1),-3)); Leading to (first one is new/additional): UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_hybrid_field_type::val_decimal_from_real_op|VDec::VDec UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real Reducing it to for example: SELECT (1% TRUNCATE ( 'a' , 'a' -1* '99999999999999999999' )); Leads to a previously seen stack: UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Type_handler::Item_send_double|Protocol::send_result_set_row And again varying it to: SELECT (1% TRUNCATE ( 'a' , 'a' -1* '99999999999999999999' ))+( TRUNCATE (COT(1),-3)); Leads to (first stack/UniqueID is again another new/additional one): UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mod::real_op|Item_func_plus::real_op|Type_handler::Item_send_double UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_round::real_op|Item_func_hybrid_field_type::val_real_from_real_op|Type_handler_real_result::Item_func_hybrid_field_type_val_real
          Roel Roel Van de Paar added a comment -

          Please also test any fixes with

          SELECT(ASIN(-1)+ LN(-1)) % (ATAN(-1) MOD FLOOR(1)) * (TRUNCATE(EXP(-1.e-2) + WEEKDAY('1-1-07 1:46:26'),-1.e+30) % RADIANS(-1)) * (LAST_DAY('1-03-30 1:29:12') MOD 1 + COS(-1));

          Roel Roel Van de Paar added a comment - Please also test any fixes with SELECT (ASIN(-1)+ LN(-1)) % (ATAN(-1) MOD FLOOR(1)) * ( TRUNCATE (EXP(-1.e-2) + WEEKDAY( '1-1-07 1:46:26' ),-1.e+30) % RADIANS(-1)) * (LAST_DAY( '1-03-30 1:29:12' ) MOD 1 + COS(-1));
          Roel Roel Van de Paar added a comment -

          Additional stack with:

          SELECT (ROUND (1)* POW(0,0))/(EXP(-1)* TRUNCATE ('',-664*763* utc_TIMESTAMP(1)));


          UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mul::real_op|Item_func_div::real_op|Type_handler::Item_send_double

          Roel Roel Van de Paar added a comment - Additional stack with: SELECT (ROUND (1)* POW(0,0))/(EXP(-1)* TRUNCATE ( '' ,-664*763* utc_TIMESTAMP(1))); UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|sql/item_func.cc|my_double_round|Item_func_mul::real_op|Item_func_div::real_op|Type_handler::Item_send_double
          Roel Roel Van de Paar added a comment -

          Thank you bar for the fix, much appreciated.

          Roel Roel Van de Paar added a comment - Thank you bar for the fix, much appreciated.

          People

            bar Alexander Barkov
            Roel Roel Van de Paar
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.