[MDEV-35715] UBSAN: runtime error: 1e+19 is outside the range of representable values of type 'long long' in Field_bit::store on INSERT - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11, 11.4, 11.7(EOL), 11.8
Fix Version/s: 10.5, 10.6, 10.11, 11.4
Component/s: Data types
Labels:

Description

CREATE TABLE t (c BIT);

INSERT INTO t VALUES (1e+19);  # Issue does not reproduce with <19

Leads to:

CS 10.5.28 a226f12675c6312ca7632b90261397e313e6a7ae (Optimized, UBASAN, Clang)
/test/10.5_opt_san/sql/field.cc:9926:38: runtime error: 1e+19 is outside the range of representable values of type 'long long'
SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/10.5_opt_san/sql/field.cc:9926:38
#0 0x55cc6bc42b72 in Field_bit::store(double) /test/10.5_opt_san/sql/field.cc:9926:38
#1 0x55cc6bc42b72 in Field_bit_as_char::store(double) /test/10.5_opt_san/sql/field.h:5107:53
#2 0x55cc6aae4de8 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/10.5_opt_san/sql/sql_base.cc:8836:18
#3 0x55cc6aae63b0 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/10.5_opt_san/sql/sql_base.cc:8891:11
#4 0x55cc6ac01bcd in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_opt_san/sql/sql_insert.cc:1072:13
#5 0x55cc6adbf51b in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4664:10
#6 0x55cc6ad80e98 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8251:18
#7 0x55cc6ad739d0 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
#8 0x55cc6ad838d9 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
#9 0x55cc6b48b5c2 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
#10 0x55cc6b48aa24 in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
#11 0x55cc6a7eb10c in asan_thread_start(void*) asan_interceptors.cpp.o
#12 0x14b32469ca93 in start_thread nptl/pthread_create.c:447:8
#13 0x14b324729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/10.5_opt_san/sql/field.cc:9926:38

Setup:

Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18:

     # Note: llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools

     sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so

Compiled with: '-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++' and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to supress UBSAN startup issues using 'suppressions=UBSAN.filter'. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter

Bug confirmed present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Attachments

Issue Links

relates to

MDEV-36013 UBSAN: runtime error: X is outside the range of representable values of type 'long long' on INSERT to SET()

Confirmed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar added a comment - 2024-12-28 02:41

An additional testcase to test any fixes with

CREATE TABLE t (c DOUBLE UNSIGNED ZEROFILL DEFAULT NULL, c2 bit(1) DEFAULT NULL);

INSERT INTO t VALUES (+3E+38,+3.4E+38);

Roel Van de Paar added a comment - 2024-12-28 02:41 An additional testcase to test any fixes with CREATE TABLE t (c DOUBLE UNSIGNED ZEROFILL DEFAULT NULL, c2 bit(1) DEFAULT NULL); INSERT INTO t VALUES (+3E+38,+3.4E+38);

Roel Van de Paar added a comment - 2024-12-30 05:00

Two additional stack variations with this testcase (CLI, can provide an MTR testcase as well if needed):

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE TABLE t (c BIT) ENGINE=Spider;

INSERT INTO t VALUES (1e100);

Leads to:

UBSAN|X is outside the range of representable values of type 'long long'|sql/field.cc|Field_bit::store|Item_float::save_in_field|fill_record|fill_record_n_invoke_before_triggers

UBSAN|X is outside the range of representable values of type 'long long'|sql/field.cc|Field_bit::store|fill_record|fill_record_n_invoke_before_triggers|mysql_insert

Roel Van de Paar added a comment - 2024-12-30 05:00 Two additional stack variations with this testcase (CLI, can provide an MTR testcase as well if needed): INSTALL PLUGIN Spider SONAME 'ha_spider.so' ; CREATE TABLE t (c BIT ) ENGINE=Spider; INSERT INTO t VALUES (1e100); Leads to: UBSAN|X is outside the range of representable values of type 'long long'|sql/field.cc|Field_bit::store|Item_float::save_in_field|fill_record|fill_record_n_invoke_before_triggers UBSAN|X is outside the range of representable values of type 'long long'|sql/field.cc|Field_bit::store|fill_record|fill_record_n_invoke_before_triggers|mysql_insert Bug confirmed present in: MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Roel Van de Paar added a comment - 2025-02-03 05:10

Additional stack variation with this testcase:

CREATE TABLE t (c INT ZEROFILL,c2 CHAR CHARACTER SET 'utf8' COLLATE 'utf8_bin',c3 ENUM ('') CHARACTER SET 'latin1' COLLATE 'latin1_bin',KEY(c)) ENGINE=InnoDB;

INSERT INTO t VALUES (-1.e-2,+1,-1.e+30);

Leads to:

CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang)
/test/11.8_dbg_san/sql/field.cc:9501:39: runtime error: -1e+30 is outside the range of representable values of type 'long long'
#0 0x56165ae24523 in Field_enum::store(double) /test/11.8_dbg_san/sql/field.cc:9501:39
#1 0x561659da50e3 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18
#2 0x561659da62e3 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11
#3 0x561659ed1127 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13
#4 0x56165a0585d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10
#5 0x56165a022588 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#6 0x56165a01664b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
#7 0x56165a024fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
#8 0x56165a6e876c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#9 0x56165a6e8027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#10 0x561659a27b5c in asan_thread_start(void*) asan_interceptors.cpp.o
#11 0x1500b0c9ca93 in start_thread nptl/pthread_create.c:447:8
#12 0x1500b0d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:9501:39

CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang)
/test/11.8_dbg_san/sql/field.cc:9501:39: runtime error: -1e+30 is outside the range of representable values of type 'long long'
#0 0x55f07ee55523 in Field_enum::store(double) /test/11.8_dbg_san/sql/field.cc:9501:39
#1 0x55f07ddd60e3 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18
#2 0x55f07ddd72e3 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11
#3 0x55f07df02127 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13
#4 0x55f07e0895d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10
#5 0x55f07e053588 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#6 0x55f07e04764b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
#7 0x55f07e055fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
#8 0x55f07e71976c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#9 0x55f07e719027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#10 0x55f07da58b5c in asan_thread_start(void*) asan_interceptors.cpp.o
#11 0x14faa569ca93 in start_thread nptl/pthread_create.c:447:8
#12 0x14faa5729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:9501:39

Roel Van de Paar added a comment - 2025-02-03 05:10 Additional stack variation with this testcase: CREATE TABLE t (c INT ZEROFILL,c2 CHAR CHARACTER SET 'utf8' COLLATE 'utf8_bin' ,c3 ENUM ( '' ) CHARACTER SET 'latin1' COLLATE 'latin1_bin' , KEY (c)) ENGINE=InnoDB; INSERT INTO t VALUES (-1.e-2,+1,-1.e+30); Leads to: CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang) /test/11.8_dbg_san/sql/field.cc:9501:39: runtime error: -1e+30 is outside the range of representable values of type 'long long' #0 0x56165ae24523 in Field_enum::store(double) /test/11.8_dbg_san/sql/field.cc:9501:39 #1 0x561659da50e3 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18 #2 0x561659da62e3 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11 #3 0x561659ed1127 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13 #4 0x56165a0585d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10 #5 0x56165a022588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #6 0x56165a01664b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7 #7 0x56165a024fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17 #8 0x56165a6e876c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #9 0x56165a6e8027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #10 0x561659a27b5c in asan_thread_start(void*) asan_interceptors.cpp.o #11 0x1500b0c9ca93 in start_thread nptl/pthread_create.c:447:8 #12 0x1500b0d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:9501:39 CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Debug, UBASAN, Clang) /test/11.8_dbg_san/sql/field.cc:9501:39: runtime error: -1e+30 is outside the range of representable values of type 'long long' #0 0x55f07ee55523 in Field_enum::store(double) /test/11.8_dbg_san/sql/field.cc:9501:39 #1 0x55f07ddd60e3 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18 #2 0x55f07ddd72e3 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11 #3 0x55f07df02127 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13 #4 0x55f07e0895d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10 #5 0x55f07e053588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #6 0x55f07e04764b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7 #7 0x55f07e055fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17 #8 0x55f07e71976c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #9 0x55f07e719027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #10 0x55f07da58b5c in asan_thread_start(void*) asan_interceptors.cpp.o #11 0x14faa569ca93 in start_thread nptl/pthread_create.c:447:8 #12 0x14faa5729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:9501:39

Roel Van de Paar added a comment - 2025-02-03 05:13

SET sql_mode='';

CREATE DEFINER=current_user FUNCTION f (i1 SET('','')) RETURNS INT CONTAINS SQL DETERMINISTIC NO SQL NO SQL RETURN CONCAT ('FUNCTION output:',i1);

SELECT f (-1.e+30);

Leads to:

CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang)
/test/11.8_dbg_san/sql/field.h:4972:40: runtime error: -1e+30 is outside the range of representable values of type 'long long'
#0 0x55ba3e1d1023 in Field_set::store(double) /test/11.8_dbg_san/sql/field.h:4972:40
#1 0x55ba3e0fbee7 in Field::sp_prepare_and_store_item(THD, Item*) /test/11.8_dbg_san/sql/field.cc:1507:14
#2 0x55ba3cfd4583 in THD::sp_eval_expr(Field, Item*) /test/11.8_dbg_san/sql/sp_head.cc:444:3
#3 0x55ba3d0208cf in sp_rcontext::set_variable(THD, unsigned int, Item*) /test/11.8_dbg_san/sql/sp_rcontext.cc:599:3
#4 0x55ba3cff1d91 in sp_head::bind_input_param(THD, Item, unsigned int, sp_rcontext*, bool) /test/11.8_dbg_san/sql/sp_head.cc:2426:15
#5 0x55ba3cfeebac in sp_head::execute_function(THD, Item, unsigned int, Field, sp_rcontext*, Query_arena) /test/11.8_dbg_san/sql/sp_head.cc:1963:17
#6 0x55ba3e2cbc2c in Item_sp::execute_impl(THD, Item*, unsigned int) /test/11.8_dbg_san/sql/item.cc:3014:26
#7 0x55ba3e2cac41 in Item_sp::execute(THD, bool, Item**, unsigned int) /test/11.8_dbg_san/sql/item.cc:2928:7
#8 0x55ba3e55a583 in Item_func_sp::execute() /test/11.8_dbg_san/sql/item_func.cc:6682:19
#9 0x55ba3e55a583 in Item_func_sp::val_int() /test/11.8_dbg_san/sql/item_func.h:4039:9
#10 0x55ba3ddbc024 in Type_handler::Item_send_long(Item, Protocol, st_value*) const /test/11.8_dbg_san/sql/sql_type.cc:7697:22
#11 0x55ba3cf1c878 in Protocol::send_result_set_row(List<Item>*) /test/11.8_dbg_san/sql/protocol.cc:1353:15
#12 0x55ba3d1918c3 in select_send::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_class.cc:3282:17
#13 0x55ba3d595331 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:4911:22
#14 0x55ba3d591a12 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4823:8
#15 0x55ba3d50b634 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8_dbg_san/sql/sql_select.cc:5356:21
#16 0x55ba3d509f12 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10
#17 0x55ba3d3df167 in execute_sqlcom_select(THD, TABLE_LIST) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12
#18 0x55ba3d3cad39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12
#19 0x55ba3d39a588 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#20 0x55ba3d38e64b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
#21 0x55ba3d39cfad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
#22 0x55ba3da6076c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#23 0x55ba3da60027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#24 0x55ba3cd9fb5c in asan_thread_start(void*) asan_interceptors.cpp.o
#25 0x14f29b69ca93 in start_thread nptl/pthread_create.c:447:8
#26 0x14f29b729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.h:4972:40

Roel Van de Paar added a comment - 2025-02-03 05:13 SET sql_mode= '' ; CREATE DEFINER= current_user FUNCTION f (i1 SET ( '' , '' )) RETURNS INT CONTAINS SQL DETERMINISTIC NO SQL NO SQL RETURN CONCAT ( 'FUNCTION output:' ,i1); SELECT f (-1.e+30); Leads to: CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang) /test/11.8_dbg_san/sql/field.h:4972:40: runtime error: -1e+30 is outside the range of representable values of type 'long long' #0 0x55ba3e1d1023 in Field_set::store(double) /test/11.8_dbg_san/sql/field.h:4972:40 #1 0x55ba3e0fbee7 in Field::sp_prepare_and_store_item(THD*, Item**) /test/11.8_dbg_san/sql/field.cc:1507:14 #2 0x55ba3cfd4583 in THD::sp_eval_expr(Field*, Item**) /test/11.8_dbg_san/sql/sp_head.cc:444:3 #3 0x55ba3d0208cf in sp_rcontext::set_variable(THD*, unsigned int, Item**) /test/11.8_dbg_san/sql/sp_rcontext.cc:599:3 #4 0x55ba3cff1d91 in sp_head::bind_input_param(THD*, Item*, unsigned int, sp_rcontext*, bool) /test/11.8_dbg_san/sql/sp_head.cc:2426:15 #5 0x55ba3cfeebac in sp_head::execute_function(THD*, Item**, unsigned int, Field*, sp_rcontext**, Query_arena*) /test/11.8_dbg_san/sql/sp_head.cc:1963:17 #6 0x55ba3e2cbc2c in Item_sp::execute_impl(THD*, Item**, unsigned int) /test/11.8_dbg_san/sql/item.cc:3014:26 #7 0x55ba3e2cac41 in Item_sp::execute(THD*, bool*, Item**, unsigned int) /test/11.8_dbg_san/sql/item.cc:2928:7 #8 0x55ba3e55a583 in Item_func_sp::execute() /test/11.8_dbg_san/sql/item_func.cc:6682:19 #9 0x55ba3e55a583 in Item_func_sp::val_int() /test/11.8_dbg_san/sql/item_func.h:4039:9 #10 0x55ba3ddbc024 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/11.8_dbg_san/sql/sql_type.cc:7697:22 #11 0x55ba3cf1c878 in Protocol::send_result_set_row(List<Item>*) /test/11.8_dbg_san/sql/protocol.cc:1353:15 #12 0x55ba3d1918c3 in select_send::send_data(List<Item>&) /test/11.8_dbg_san/sql/sql_class.cc:3282:17 #13 0x55ba3d595331 in JOIN::exec_inner() /test/11.8_dbg_san/sql/sql_select.cc:4911:22 #14 0x55ba3d591a12 in JOIN::exec() /test/11.8_dbg_san/sql/sql_select.cc:4823:8 #15 0x55ba3d50b634 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.8_dbg_san/sql/sql_select.cc:5356:21 #16 0x55ba3d509f12 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.8_dbg_san/sql/sql_select.cc:633:10 #17 0x55ba3d3df167 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.8_dbg_san/sql/sql_parse.cc:6191:12 #18 0x55ba3d3cad39 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:3980:12 #19 0x55ba3d39a588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #20 0x55ba3d38e64b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7 #21 0x55ba3d39cfad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17 #22 0x55ba3da6076c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #23 0x55ba3da60027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #24 0x55ba3cd9fb5c in asan_thread_start(void*) asan_interceptors.cpp.o #25 0x14f29b69ca93 in start_thread nptl/pthread_create.c:447:8 #26 0x14f29b729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.h:4972:40

Roel Van de Paar added a comment - 2025-02-14 00:42

CREATE TABLE t (c ENUM (''''));

INSERT INTO t VALUES ((1-EXP(230)));

Leads to:

CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang) Build 17/01/2025
/test/10.5_dbg_san/sql/field.cc:9289:39: runtime error: -7.72202e+99 is outside the range of representable values of type 'long long'
#0 0x55dc7753ee83 in Field_enum::store(double) /test/10.5_dbg_san/sql/field.cc:9289:39
#1 0x55dc776a6cc6 in Item::save_in_field(Field*, bool) /test/10.5_dbg_san/sql/item.cc:6980:30
#2 0x55dc766a1ef5 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/10.5_dbg_san/sql/sql_base.cc:8840:18
#3 0x55dc766a3073 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/10.5_dbg_san/sql/sql_base.cc:8895:11
#4 0x55dc767a5a01 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_dbg_san/sql/sql_insert.cc:1072:13
#5 0x55dc7691f5b8 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4664:10
#6 0x55dc768ea1c7 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8251:18
#7 0x55dc768de119 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
#8 0x55dc768ec31e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
#9 0x55dc76ef4a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
#10 0x55dc76ef42cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
#11 0x55dc763ff03c in asan_thread_start(void*) asan_interceptors.cpp.o
#12 0x14ee29e9ca93 in start_thread nptl/pthread_create.c:447:8
#13 0x14ee29f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/10.5_dbg_san/sql/field.cc:9289:39

Bug confirmed present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Roel Van de Paar added a comment - 2025-02-14 00:42 CREATE TABLE t (c ENUM ( '' '' )); INSERT INTO t VALUES ((1-EXP(230))); Leads to: CS 10.5.28 df602ff7fa5ed9424a1d7ebaba67b665e2f6d1f6 (Debug, UBASAN, Clang) Build 17/01/2025 /test/10.5_dbg_san/sql/field.cc:9289:39: runtime error: -7.72202e+99 is outside the range of representable values of type 'long long' #0 0x55dc7753ee83 in Field_enum::store(double) /test/10.5_dbg_san/sql/field.cc:9289:39 #1 0x55dc776a6cc6 in Item::save_in_field(Field*, bool) /test/10.5_dbg_san/sql/item.cc:6980:30 #2 0x55dc766a1ef5 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/10.5_dbg_san/sql/sql_base.cc:8840:18 #3 0x55dc766a3073 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/10.5_dbg_san/sql/sql_base.cc:8895:11 #4 0x55dc767a5a01 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_dbg_san/sql/sql_insert.cc:1072:13 #5 0x55dc7691f5b8 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4664:10 #6 0x55dc768ea1c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8251:18 #7 0x55dc768de119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7 #8 0x55dc768ec31e in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17 #9 0x55dc76ef4a07 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11 #10 0x55dc76ef42cb in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5 #11 0x55dc763ff03c in asan_thread_start(void*) asan_interceptors.cpp.o #12 0x14ee29e9ca93 in start_thread nptl/pthread_create.c:447:8 #13 0x14ee29f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/10.5_dbg_san/sql/field.cc:9289:39 Bug confirmed present in: MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.7.2 (dbg), 11.7.2 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Roel Van de Paar added a comment - 2025-02-14 03:49

This interesting looking additional testcase

CREATE TABLE t(c BIT KEY,c2 INT ZEROFILL,c3 NUMERIC(0,0));

INSERT INTO t VALUES((ADDDATE('1-1-1 1:1:1',0)DIV COT(-1)) * (ATAN2('uT=qiRrMC,mnssYeK(~xIxdzOIFIlSOprZ.vM+R+tF6pcB$SZ}+Po6b%=V*1olvbKG0WPr%Gk]E_Z}LQ8(XHH/Z:J[L[Ck:Ca~,l{z2dKSS}1AkF=ytn=%UM%;Hk*[bdn@@8TXmQN~Rf7T*BtFJ[(=g{wTNMfDUMMY_[C]pHhna=D6uE=;c]m9=JOued=2bhQgPBaiSA4ej}Dfn)smPBi?4iCtjp}oRmOgGCD2/]pX^1Uf4ifHYJdt9]x1Lz:OY:6Uj7QscZE)=rl[9Gb-Q1:p0ko)M+##6SGe:3qcqDtxUG]}dr1F$YtLbDlaNC=UbA=C=6Zt,vos:=I1+0aVG3ZM[w:bK3=cE*~zN6wq9kRZgR5aj*4n=(_EG)Jk,~FuKUwd/,Gsvy}V4Mb;=JIZ/CT.#cx-yDUMMYtQ/+c)sGoWs]bcki=i{O_=F=[hm=~C.s=^R^#%=jca3gK1YBRtW[=C.S$9=DiT6N;rZ@DP_2DUMMYp]{RSr,I=tBPQ:+eP[TXulDUMMYc4=5VTpL=tUZB%qZjFQ4jV2*A7RYH/l7@l7nhpqf$=Wan}e4YO=DE/_xGJzN@BhA$D,=-DX=Ux[va7@DUMMYc%.+_S)NG5Lx[FFS9QtHDl=q^WrFMwMIss~(A=bQf%],d@@T$,NUFNlDUMMY+Xl^M*Vuogpz=IUn@Vh:~.TDUMMYr[bvs@a}1xq0+yBPWU+L0r^o=8i:;{Ex3h;=T*QB~NI]AF:#?#=E,V=/QswgI/uhR2TnU1s}f=A=L2cBeO~1k=:1Ia%^Gy5XDHcFzu4+=qs/=^~Ppxt@+Q/=~V^$gM7=x((*@dw2j0OUz2;tmGl].+_$=YL{kRBgvvP#,A]UMnQ5b%6ajFTQ4xj0wRIh@MC}a1AFM@,k~d=@V9R$lx%^uyf=#.c2#1VVI3?PGzY+PtxMW%AeZTR') - LOCALTIMESTAMP),0,(MOD(0,-1) % TAN(-1)) MOD (-1 / TIME('1-1-1 1:1:1')));

When executed with pquery and using Clang, also produces the following additional related stack:

CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang) Build 17/01/2025
/test/11.8_dbg_san/sql/field.cc:10128:38: runtime error: 3.18564e+23 is outside the range of representable values of type 'long long'
#0 0x55b3b8e3741d in Field_bit::store(double) /test/11.8_dbg_san/sql/field.cc:10128:38
#1 0x55b3b8e3741d in Field_bit_as_char::store(double) /test/11.8_dbg_san/sql/field.h:5210:53
#2 0x55b3b8f78c16 in Item::save_in_field(Field*, bool) /test/11.8_dbg_san/sql/item.cc:7103:30
#3 0x55b3b7d830e3 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18
#4 0x55b3b7d842e3 in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11
#5 0x55b3b7eaf127 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13
#6 0x55b3b80365d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10
#7 0x55b3b8000588 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18
#8 0x55b3b7ff464b in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7
#9 0x55b3b8002fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17
#10 0x55b3b86c676c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11
#11 0x55b3b86c6027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5
#12 0x55b3b7a05b5c in asan_thread_start(void*) asan_interceptors.cpp.o
#13 0x14c14bc9ca93 in start_thread nptl/pthread_create.c:447:8
#14 0x14c14bd29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:10128:38

Roel Van de Paar added a comment - 2025-02-14 03:49 This interesting looking additional testcase CREATE TABLE t(c BIT KEY ,c2 INT ZEROFILL,c3 NUMERIC (0,0)); INSERT INTO t VALUES ((ADDDATE( '1-1-1 1:1:1' ,0)DIV COT(-1)) * (ATAN2( 'uT=qiRrMC,mnssYeK(~xIxdzOIFIlSOprZ.vM+R+tF6pcB$SZ}+Po6b%=V*1olvbKG0WPr%Gk]E_Z}LQ8(XHH/Z:J[L[Ck:Ca~,l{z2dKSS}1AkF=ytn=%UM%;Hk*[bdn@@8TXmQN~Rf7T*BtFJ[(=g{wTNMfDUMMY_[C]pHhna=D6uE=;c]m9=JOued=2bhQgPBaiSA4ej}Dfn)smPBi?4iCtjp}oRmOgGCD2/]pX^1Uf4ifHYJdt9]x1Lz:OY:6Uj7QscZE)=rl[9Gb-Q1:p0ko)M+##6SGe:3qcqDtxUG]}dr1F$YtLbDlaNC=UbA=C=6Zt,vos:=I1+0aVG3ZM[w:bK3=cE*~zN6wq9kRZgR5aj*4n=(_EG)Jk,~FuKUwd/,Gsvy}V4Mb;=JIZ/CT.#cx-yDUMMYtQ/+c)sGoWs]bcki=i{O_=F=[hm=~C.s=^R^#%=jca3gK1YBRtW[=C.S$9=DiT6N;rZ@DP_2DUMMYp]{RSr,I=tBPQ:+eP[TXulDUMMYc4=5VTpL=tUZB%qZjFQ4jV2*A7RYH/l7@l7nhpqf$=Wan}e4YO=DE/_xGJzN@BhA$D,=-DX=Ux[va7@DUMMYc%.+_S)NG5Lx[FFS9QtHDl=q^WrFMwMIss~(A=bQf%],d@@T$,NUFNlDUMMY+Xl^M*Vuogpz=IUn@Vh:~.TDUMMYr[bvs@a}1xq0+yBPWU+L0r^o=8i:;{Ex3h;=T*QB~NI]AF:#?#=E,V=/QswgI/uhR2TnU1s}f=A=L2cBeO~1k=:1Ia%^Gy5XDHcFzu4+=qs/=^~Ppxt@+Q/=~V^$gM7=x((*@dw2j0OUz2;tmGl].+_$=YL{kRBgvvP#,A]UMnQ5b%6ajFTQ4xj0wRIh@MC}a1AFM@,k~d=@V9R$lx%^uyf=#.c2#1VVI3?PGzY+PtxMW%AeZTR' ) - LOCALTIMESTAMP),0,(MOD(0,-1) % TAN(-1)) MOD (-1 / TIME ( '1-1-1 1:1:1' ))); When executed with pquery and using Clang, also produces the following additional related stack: CS 11.8.0 cacaaebf01939d387645fb850ceeec5392496171 (Optimized, UBASAN, Clang) Build 17/01/2025 /test/11.8_dbg_san/sql/field.cc:10128:38: runtime error: 3.18564e+23 is outside the range of representable values of type 'long long' #0 0x55b3b8e3741d in Field_bit::store(double) /test/11.8_dbg_san/sql/field.cc:10128:38 #1 0x55b3b8e3741d in Field_bit_as_char::store(double) /test/11.8_dbg_san/sql/field.h:5210:53 #2 0x55b3b8f78c16 in Item::save_in_field(Field*, bool) /test/11.8_dbg_san/sql/item.cc:7103:30 #3 0x55b3b7d830e3 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /test/11.8_dbg_san/sql/sql_base.cc:9311:18 #4 0x55b3b7d842e3 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/11.8_dbg_san/sql/sql_base.cc:9366:11 #5 0x55b3b7eaf127 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.8_dbg_san/sql/sql_insert.cc:1118:13 #6 0x55b3b80365d3 in mysql_execute_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:4485:10 #7 0x55b3b8000588 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.8_dbg_san/sql/sql_parse.cc:7915:18 #8 0x55b3b7ff464b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1903:7 #9 0x55b3b8002fad in do_command(THD*, bool) /test/11.8_dbg_san/sql/sql_parse.cc:1416:17 #10 0x55b3b86c676c in do_handle_one_connection(CONNECT*, bool) /test/11.8_dbg_san/sql/sql_connect.cc:1415:11 #11 0x55b3b86c6027 in handle_one_connection /test/11.8_dbg_san/sql/sql_connect.cc:1327:5 #12 0x55b3b7a05b5c in asan_thread_start(void*) asan_interceptors.cpp.o #13 0x14c14bc9ca93 in start_thread nptl/pthread_create.c:447:8 #14 0x14c14bd29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 SUMMARY: UndefinedBehaviorSanitizer: float-cast-overflow /test/11.8_dbg_san/sql/field.cc:10128:38

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-12-24 05:39

Updated:: 2025-02-14 11:39

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration