[MDEV-22742] UBSAN: Many overflow issues in strings/decimal.c - runtime error: signed integer overflow: x * y cannot be represented in type 'long long int' (on optimized builds) Created: 2020-05-28  Updated: 2022-03-21  Resolved: 2022-03-21

Status: Closed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Alexey Botchkov
Resolution: Fixed Votes: 0
Labels: UBSAN, affects-tests, overflow

Issue Links:
Relates
relates to MDEV-25454 Make MariaDB server UBSAN safe Confirmed

 Description   

Each of these testcases leads to UBSAN issues in strings/decimal.c, each with individual stack traces:

SELECT RIGHT('a', -10000000000000000000);


SELECT LPAD (0,-18446744073709551615,0);
 
SELECT RPAD (0,-18446744073709551615,0);


SELECT LOCATE (0,0,-18446744073709551615);


SELECT INSERT (0,18446744073709551616,1,0);


SELECT HEX(COLUMN_CREATE (1,99999999999999999999999999999 AS INT));


SELECT COLUMN_GET (COLUMN_CREATE (1,99999999999999999999999999999 AS DECIMAL),1 AS INT);


SELECT 0 + (10101010101010101010101010101010101010101010101010101010101010101<<4);

These issues and others like it significantly affect UBSAN testing. Please fix asap.

Setup (though ASAN can likely be left off):

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
 
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
 
Set before execution:
 
    export UBSAN_OPTIONS=print_stacktrace=1



 Comments   
Comment by Roel Van de Paar [ 2020-11-20 ] 

SELECT RIGHT('a', -10000000000000000000);

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -10000000000 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x555d00829606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x555cfe6db9d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x555cfe6dbbda in my_decimal::to_longlong(bool) const /test/10.7_opt_san/sql/my_decimal.cc:375
 
    #3 0x555cfe10dd8c in max_length_for_string /test/10.7_opt_san/sql/item_strfunc.cc:66
 
    #4 0x555cfe173d74 in Item_str_func::left_right_max_length() /test/10.7_opt_san/sql/item_strfunc.cc:1644
 
    #5 0x555cfe174ab6 in Item_func_right::fix_length_and_dec() /test/10.7_opt_san/sql/item_strfunc.cc:1692
 
    #6 0x555cfde4fe53 in Item_func::fix_fields(THD*, Item**) /test/10.7_opt_san/sql/item_func.cc:359
 
    #7 0x555cfe10c94e in Item_str_func::fix_fields(THD*, Item**) /test/10.7_opt_san/sql/item_strfunc.cc:122
 
    #8 0x555cfc188604 in Item::fix_fields_if_needed(THD*, Item**) /test/10.7_opt_san/sql/item.h:1144
 
    #9 0x555cfc188604 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.7_opt_san/sql/item.h:1148
 
    #10 0x555cfc188604 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.7_opt_san/sql/sql_base.cc:7715
 
    #11 0x555cfc8ea9f8 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.7_opt_san/sql/sql_select.cc:1397
 
    #12 0x555cfc8f9436 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4967
 
    #13 0x555cfc8fb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #14 0x555cfc537f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #15 0x555cfc577a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #16 0x555cfc507fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #17 0x555cfc55d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #18 0x555cfc568e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #19 0x555cfce147bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #20 0x555cfce172b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #21 0x555cfeddfce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #22 0x148ee63fe608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #23 0x148ee5674292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x561b4fb87c8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x561b4dbb85ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x561b4dbb8984 in my_decimal::to_longlong(bool) const /test/10.7_dbg_san/sql/my_decimal.cc:375
 
    #3 0x561b4cd8cc4d in Item_decimal::val_int() /test/10.7_dbg_san/sql/item.h:4495
 
    #4 0x561b4d4c3f8c in max_length_for_string /test/10.7_dbg_san/sql/item_strfunc.cc:66
 
    #5 0x561b4d5303d6 in Item_str_func::left_right_max_length() /test/10.7_dbg_san/sql/item_strfunc.cc:1644
 
    #6 0x561b4d5311c9 in Item_func_right::fix_length_and_dec() /test/10.7_dbg_san/sql/item_strfunc.cc:1692
 
    #7 0x561b4d192e63 in Item_func::fix_fields(THD*, Item**) /test/10.7_dbg_san/sql/item_func.cc:359
 
    #8 0x561b4d4c3516 in Item_str_func::fix_fields(THD*, Item**) /test/10.7_dbg_san/sql/item_strfunc.cc:122
 
    #9 0x561b4af41c05 in Item::fix_fields_if_needed(THD*, Item**) /test/10.7_dbg_san/sql/item.h:1144
 
    #10 0x561b4af41c05 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.7_dbg_san/sql/item.h:1148
 
    #11 0x561b4af41c05 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.7_dbg_san/sql/sql_base.cc:7715
 
    #12 0x561b4b72b19e in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.7_dbg_san/sql/sql_select.cc:1397
 
    #13 0x561b4b800cc9 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4967
 
    #14 0x561b4b802a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #15 0x561b4b39c590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #16 0x561b4b4004ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #17 0x561b4b364c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #18 0x561b4b3d967a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #19 0x561b4b3f00c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #20 0x561b4be7b2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #21 0x561b4be7e143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #22 0x561b4e29e4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #23 0x14a5ba83e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #24 0x14a5b9ab4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-09-17 ] 

SELECT 0 + (10101010101010101010101010101010101010101010101010101010101010101<<4);

Leads to:

10.4.22 a10b63bf58795335b96281bfc22169c9b8613037 (Optimized)

 
/test/10.4_opt_san/strings/decimal.c:1161:8: runtime error: signed integer overflow: -10101010101 * 1000000000 cannot be represented in type 'long long int'

10.4.22 a10b63bf58795335b96281bfc22169c9b8613037 (Optimized)

 
    #0 0x563c5f8adf86 in decimal2longlong /test/10.4_opt_san/strings/decimal.c:1161                                    
    #1 0x563c5d4f57f4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.4_opt_san/sql/my_decimal.cc:356                                                                                     
    #2 0x563c5d4f59fa in my_decimal::to_longlong(bool) const /test/10.4_opt_san/sql/my_decimal.cc:374                      #3 0x563c5cd79d22 in Item_func_shift_left::val_int() /test/10.4_opt_san/sql/item_func.cc:2163                      
    #4 0x563c5cdbf9b0 in Item_func_plus::int_op() /test/10.4_opt_san/sql/item_func.cc:1106                             
    #5 0x563c5c0e5c50 in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/10.4_opt_san/sql/sql_type.cc:7111                                                                                                          
    #6 0x563c5af38b39 in Protocol::send_result_set_row(List<Item>*) /test/10.4_opt_san/sql/protocol.cc:1037            
    #7 0x563c5b2a6031 in select_send::send_data(List<Item>&) /test/10.4_opt_san/sql/sql_class.cc:3056                  
    #8 0x563c5b8831d3 in JOIN::exec_inner() /test/10.4_opt_san/sql/sql_select.cc:4402                                  
    #9 0x563c5b886689 in JOIN::exec() /test/10.4_opt_san/sql/sql_select.cc:4316                                            #10 0x563c5b87625b in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.4_opt_san/sql/sql_select.cc:4754                                                                                                 
    #11 0x563c5b87ba0d in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.4_opt_san/sql/sql_select.cc:436                                                                                                                   
    #12 0x563c5b50c1e8 in execute_sqlcom_select /test/10.4_opt_san/sql/sql_parse.cc:6449                               
    #13 0x563c5b55f482 in mysql_execute_command(THD*) /test/10.4_opt_san/sql/sql_parse.cc:3963                             #14 0x563c5b58c2a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.4_opt_san/sql/sql_parse.cc:7995                                                                                                          
    #15 0x563c5b59b3f0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.4_opt_san/sql/sql_parse.cc:1857                                                                                               
    #16 0x563c5b5a9b47 in do_command(THD*) /test/10.4_opt_san/sql/sql_parse.cc:1373                                    
    #17 0x563c5bd51e2e in do_handle_one_connection(CONNECT*) /test/10.4_opt_san/sql/sql_connect.cc:1420                
    #18 0x563c5bd52d2f in handle_one_connection /test/10.4_opt_san/sql/sql_connect.cc:1316                             
    #19 0x15168ec2c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477                        
    #20 0x15168dea2292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.4.22 a10b63bf58795335b96281bfc22169c9b8613037 (Debug)

 
/test/10.4_dbg_san/strings/decimal.c:1161:8: runtime error: signed integer overflow: -10101010101 * 1000000000 cannot be represented in type 'long long int'

10.4.22 a10b63bf58795335b96281bfc22169c9b8613037 (Debug)

 
    #0 0x55c18089f8e1 in decimal2longlong /test/10.4_dbg_san/strings/decimal.c:1161                                    
    #1 0x55c17e549fce in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.4_dbg_san/sql/my_decimal.cc:356                                                                                     
    #2 0x55c17e54a364 in my_decimal::to_longlong(bool) const /test/10.4_dbg_san/sql/my_decimal.cc:374                  
    #3 0x55c17d804436 in Item_decimal::val_int() /test/10.4_dbg_san/sql/item.h:4298                                    
    #4 0x55c17dc1a97b in Item_func_shift_left::val_int() /test/10.4_dbg_san/sql/item_func.cc:2163                      
    #5 0x55c17dc7193f in Item_func_plus::int_op() /test/10.4_dbg_san/sql/item_func.cc:1106                             
    #6 0x55c17cc79ced in Item_func_hybrid_field_type::val_int_from_int_op() /test/10.4_dbg_san/sql/item_func.h:738     
    #7 0x55c17cc79ced in Type_handler_int_result::Item_func_hybrid_field_type_val_int(Item_func_hybrid_field_type*) const /test/10.4_dbg_san/sql/sql_type.cc:4926                                                                             
    #8 0x55c17be9fee2 in Item_func_hybrid_field_type::val_int() /test/10.4_dbg_san/sql/item_func.h:794                 
    #9 0x55c17cd30762 in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/10.4_dbg_san/sql/sql_type.cc:7111                                                                                                          
    #10 0x55c17cd7def8 in Type_handler_longlong::Item_send(Item*, Protocol*, st_value*) const /test/10.4_dbg_san/sql/sql_type.h:5212                                                                                                          
    #11 0x55c17b7d77a7 in Item::send(Protocol*, st_value*) /test/10.4_dbg_san/sql/item.h:1042                          
    #12 0x55c17b7c1d63 in Protocol::send_result_set_row(List<Item>*) /test/10.4_dbg_san/sql/protocol.cc:1037           
    #13 0x55c17bc1d384 in select_send::send_data(List<Item>&) /test/10.4_dbg_san/sql/sql_class.cc:3056                 
    #14 0x55c17c340223 in JOIN::exec_inner() /test/10.4_dbg_san/sql/sql_select.cc:4402                                     #15 0x55c17c346b57 in JOIN::exec() /test/10.4_dbg_san/sql/sql_select.cc:4316                                       
    #16 0x55c17c338013 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.4_dbg_san/sql/sql_select.cc:4754                                                                                                     #17 0x55c17c339acc in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.4_dbg_san/sql/sql_select.cc:436                                                                                                                       #18 0x55c17bf01534 in execute_sqlcom_select /test/10.4_dbg_san/sql/sql_parse.cc:6449                                   #19 0x55c17bf5eedb in mysql_execute_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:3963                             #20 0x55c17bfa9aad in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:7995                                                                                                              #21 0x55c17bfbe370 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:1857                                                                                                   #22 0x55c17bfd5d58 in do_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:1373                                    
    #23 0x55c17c9061f3 in do_handle_one_connection(CONNECT*) /test/10.4_dbg_san/sql/sql_connect.cc:1420                
    #24 0x55c17c9069ec in handle_one_connection /test/10.4_dbg_san/sql/sql_connect.cc:1316                             
    #25 0x14a9d574a608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477                        
    #26 0x14a9d49c0292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-10-09 ] 

SELECT LPAD (0,-18446744073709551615,0);
 
SELECT RPAD (0,-18446744073709551615,0);  # Alternative

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -18446744073 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x55c4b55b6606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x55c4b34689d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x55c4b3468bda in my_decimal::to_longlong(bool) const /test/10.7_opt_san/sql/my_decimal.cc:375
 
    #3 0x55c4b2e9ad8c in max_length_for_string /test/10.7_opt_san/sql/item_strfunc.cc:66
 
    #4 0x55c4b2ebc826 in Item_func_pad::fix_length_and_dec() /test/10.7_opt_san/sql/item_strfunc.cc:3238
 
    #5 0x55c4b2bdce53 in Item_func::fix_fields(THD*, Item**) /test/10.7_opt_san/sql/item_func.cc:359
 
    #6 0x55c4b2e9994e in Item_str_func::fix_fields(THD*, Item**) /test/10.7_opt_san/sql/item_strfunc.cc:122
 
    #7 0x55c4b0f15604 in Item::fix_fields_if_needed(THD*, Item**) /test/10.7_opt_san/sql/item.h:1144
 
    #8 0x55c4b0f15604 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.7_opt_san/sql/item.h:1148
 
    #9 0x55c4b0f15604 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.7_opt_san/sql/sql_base.cc:7715
 
    #10 0x55c4b16779f8 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.7_opt_san/sql/sql_select.cc:1397
 
    #11 0x55c4b1686436 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4967
 
    #12 0x55c4b16885b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #13 0x55c4b12c4f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #14 0x55c4b1304a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #15 0x55c4b1294fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #16 0x55c4b12ea655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #17 0x55c4b12f5e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #18 0x55c4b1ba17bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #19 0x55c4b1ba42b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #20 0x55c4b3b6cce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #21 0x145ba0dd2608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #22 0x145ba0048292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x562d943ccc8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x562d923fd5ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x562d923fd984 in my_decimal::to_longlong(bool) const /test/10.7_dbg_san/sql/my_decimal.cc:375
 
    #3 0x562d915d1c4d in Item_decimal::val_int() /test/10.7_dbg_san/sql/item.h:4495
 
    #4 0x562d91d08f8c in max_length_for_string /test/10.7_dbg_san/sql/item_strfunc.cc:66
 
    #5 0x562d91d3f605 in Item_func_pad::fix_length_and_dec() /test/10.7_dbg_san/sql/item_strfunc.cc:3238
 
    #6 0x562d919d7e63 in Item_func::fix_fields(THD*, Item**) /test/10.7_dbg_san/sql/item_func.cc:359
 
    #7 0x562d91d08516 in Item_str_func::fix_fields(THD*, Item**) /test/10.7_dbg_san/sql/item_strfunc.cc:122
 
    #8 0x562d8f786c05 in Item::fix_fields_if_needed(THD*, Item**) /test/10.7_dbg_san/sql/item.h:1144
 
    #9 0x562d8f786c05 in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /test/10.7_dbg_san/sql/item.h:1148
 
    #10 0x562d8f786c05 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /test/10.7_dbg_san/sql/sql_base.cc:7715
 
    #11 0x562d8ff7019e in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/10.7_dbg_san/sql/sql_select.cc:1397
 
    #12 0x562d90045cc9 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4967
 
    #13 0x562d90047a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #14 0x562d8fbe1590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #15 0x562d8fc454ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #16 0x562d8fba9c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #17 0x562d8fc1e67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #18 0x562d8fc350c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #19 0x562d906c02aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #20 0x562d906c3143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #21 0x562d92ae34ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #22 0x1463534ef608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #23 0x146352765292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-10-12 ] 

SELECT LOCATE (0,0,-18446744073709551615);

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -18446744073 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x561ec2a95606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x561ec09479d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x561ec0947bda in my_decimal::to_longlong(bool) const /test/10.7_opt_san/sql/my_decimal.cc:375
 
    #3 0x561ec0097c9b in Item_func_locate::val_int() /test/10.7_opt_san/sql/item_func.cc:3140
 
    #4 0x561ebf4cb280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
 
    #5 0x561ebe141791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
 
    #6 0x561ebe4a9839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
 
    #7 0x561ebeb6fb77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
 
    #8 0x561ebeb73b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
 
    #9 0x561ebeb63705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
 
    #10 0x561ebeb675b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #11 0x561ebe7a3f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #12 0x561ebe7e3a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #13 0x561ebe773fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #14 0x561ebe7c9655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #15 0x561ebe7d4e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #16 0x561ebf0807bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #17 0x561ebf0832b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #18 0x561ec104bce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #19 0x1483b19d2608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #20 0x1483b0c48292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x55c9c6d37c8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x55c9c4d685ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x55c9c4d68984 in my_decimal::to_longlong(bool) const /test/10.7_dbg_san/sql/my_decimal.cc:375
 
    #3 0x55c9c3f3cc4d in Item_decimal::val_int() /test/10.7_dbg_san/sql/item.h:4495
 
    #4 0x55c9c4321d96 in Item_func_locate::val_int() /test/10.7_dbg_san/sql/item_func.cc:3140
 
    #5 0x55c9c35384a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
 
    #6 0x55c9c35a7e78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
 
    #7 0x55c9c1be835f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
 
    #8 0x55c9c1d8d9a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
 
    #9 0x55c9c21d74c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
 
    #10 0x55c9c29b8f9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
 
    #11 0x55c9c29b8f9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
 
    #12 0x55c9c29c07a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
 
    #13 0x55c9c29b10fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
 
    #14 0x55c9c29b2a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #15 0x55c9c254c590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #16 0x55c9c25b04ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #17 0x55c9c2514c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #18 0x55c9c258967a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #19 0x55c9c25a00c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #20 0x55c9c302b2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #21 0x55c9c302e143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #22 0x55c9c544e4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #23 0x1499b324a608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #24 0x1499b24c0292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-10-12 ]

sanja Hi! A fix for this bug would be really appreciated. There are many different UBSAN stacks showing, all integer overflows in strings/decimal.c, clogging up testing.

Update: Due to the frequency of these bugs in strings/decimal.c I made the filter much more generic to be workable, which means that there are many more of these issues missed. A fix would be very appreciated when possible.

Comment by Roel Van de Paar [ 2021-10-13 ] 

SELECT INSERT (0,18446744073709551616,1,0);

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -18446744073 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x5558796a7606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x5558775599d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x555877559bda in my_decimal::to_longlong(bool) const /test/10.7_opt_san/sql/my_decimal.cc:375
 
    #3 0x555876fa3f2d in Item_func_insert::val_str(String*) /test/10.7_opt_san/sql/item_strfunc.cc:1501
 
    #4 0x5558760dc2fd in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7455
 
    #5 0x555874d53791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
 
    #6 0x5558750bb839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
 
    #7 0x555875781b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
 
    #8 0x555875785b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
 
    #9 0x555875775705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
 
    #10 0x5558757795b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #11 0x5558753b5f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #12 0x5558753f5a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #13 0x555875385fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #14 0x5558753db655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #15 0x5558753e6e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #16 0x555875c927bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #17 0x555875c952b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #18 0x555877c5dce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #19 0x1485915d5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #20 0x14859084b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x55dd61fb9c8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x55dd5ffea5ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x55dd5ffea984 in my_decimal::to_longlong(bool) const /test/10.7_dbg_san/sql/my_decimal.cc:375
 
    #3 0x55dd5f1bec4d in Item_decimal::val_int() /test/10.7_dbg_san/sql/item.h:4495
 
    #4 0x55dd5f901287 in Item_func_insert::val_str(String*) /test/10.7_dbg_san/sql/item_strfunc.cc:1501
 
    #5 0x55dd5e7b9242 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7455
 
    #6 0x55dd5e20c1aa in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5440
 
    #7 0x55dd5ce6a35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
 
    #8 0x55dd5d00f9a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
 
    #9 0x55dd5d4594c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
 
    #10 0x55dd5dc3af9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
 
    #11 0x55dd5dc3af9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
 
    #12 0x55dd5dc427a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
 
    #13 0x55dd5dc330fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
 
    #14 0x55dd5dc34a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #15 0x55dd5d7ce590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #16 0x55dd5d8324ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #17 0x55dd5d796c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #18 0x55dd5d80b67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #19 0x55dd5d8220c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #20 0x55dd5e2ad2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #21 0x55dd5e2b0143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #22 0x55dd606d04ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #23 0x147555136608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #24 0x1475543ac292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB:

Comment by Roel Van de Paar [ 2021-10-14 ] 

SELECT HEX(COLUMN_CREATE (1,99999999999999999999999999999 AS INT));

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -99999999999 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x5598b67e8606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x5598b469a9d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x5598b469abda in my_decimal::to_longlong(bool) const /test/10.7_opt_san/sql/my_decimal.cc:375
 
    #3 0x5598b413bef7 in Item_func_dyncol_create::prepare_arguments(THD*, bool) /test/10.7_opt_san/sql/item_strfunc.cc:4536
 
    #4 0x5598b4140a70 in Item_func_dyncol_create::val_str(String*) /test/10.7_opt_san/sql/item_strfunc.cc:4609
 
    #5 0x5598b413838a in Item_func_hex::val_str_ascii_from_val_str(String*) /test/10.7_opt_san/sql/item_strfunc.cc:3767
 
    #6 0x5598b4129b76 in Item_func::val_str_from_val_str_ascii(String*, String*) /test/10.7_opt_san/sql/item_strfunc.cc:98
 
    #7 0x5598b321d2fd in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7455
 
    #8 0x5598b1e94791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
 
    #9 0x5598b21fc839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
 
    #10 0x5598b28c2b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
 
    #11 0x5598b28c6b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
 
    #12 0x5598b28b6705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
 
    #13 0x5598b28ba5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #14 0x5598b24f6f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #15 0x5598b2536a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #16 0x5598b24c6fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #17 0x5598b251c655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #18 0x5598b2527e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #19 0x5598b2dd37bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #20 0x5598b2dd62b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #21 0x5598b4d9ece1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #22 0x14aa1fed7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #23 0x14aa1f14d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x564da6cb4c8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x564da4ce55ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x564da4ce5984 in my_decimal::to_longlong(bool) const /test/10.7_dbg_san/sql/my_decimal.cc:375
 
    #3 0x564da3eb9c4d in Item_decimal::val_int() /test/10.7_dbg_san/sql/item.h:4495
 
    #4 0x564da4669e28 in Item_func_dyncol_create::prepare_arguments(THD*, bool) /test/10.7_dbg_san/sql/item_strfunc.cc:4536
 
    #5 0x564da466dbcc in Item_func_dyncol_create::val_str(String*) /test/10.7_dbg_san/sql/item_strfunc.cc:4609
 
    #6 0x564da46633b1 in Item_func_hex::val_str_ascii_from_val_str(String*) /test/10.7_dbg_san/sql/item_strfunc.cc:3767
 
    #7 0x564da33edc03 in Type_handler_string_result::Item_func_hex_val_str_ascii(Item_func_hex*, String*) const /test/10.7_dbg_san/sql/sql_type.cc:5320
 
    #8 0x564da423ae69 in Item_func_hex::val_str_ascii(String*) (/test/UBASAN_MD300921-mariadb-10.7.1-linux-x86_64-dbg/bin/mariadbd+0xa6cce69)
 
    #9 0x564da465439d in Item_func::val_str_from_val_str_ascii(String*, String*) /test/10.7_dbg_san/sql/item_strfunc.cc:98
 
    #10 0x564da389908b in Item_str_ascii_func::val_str(String*) /test/10.7_dbg_san/sql/item_strfunc.h:94
 
    #11 0x564da34b4242 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7455
 
    #12 0x564da2f071aa in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5440
 
    #13 0x564da1b6535f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
 
    #14 0x564da1d0a9a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
 
    #15 0x564da21544c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
 
    #16 0x564da2935f9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
 
    #17 0x564da2935f9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
 
    #18 0x564da293d7a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
 
    #19 0x564da292e0fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
 
    #20 0x564da292fa82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #21 0x564da24c9590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #22 0x564da252d4ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #23 0x564da2491c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #24 0x564da250667a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #25 0x564da251d0c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #26 0x564da2fa82aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #27 0x564da2fab143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #28 0x564da53cb4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #29 0x146c23b86608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #30 0x146c22dfc292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-10-14 ]

List of all stacks (generalized) seen across all testcases and all versions

UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_decimal::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_func_shift_left::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|max_length_for_string ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item::to_longlong_hybrid ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_func_insert::val_str ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_func_dyncol_create::prepare_arguments ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_func_locate::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_func_shift_left::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item::to_longlong_hybrid ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_str_func::left_right_max_length ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_func_pad::fix_length_and_dec ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_func_locate::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_func_insert::val_str ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_decimal::val_int|Item_func_dyncol_create::prepare_arguments ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_dyncol_get::val_int|Item_dyncol_get::val_int_signed_typecast ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Item_func_int_div::val_int|Type_handler::Item_send_longlong ## MDEV-22742
 
UBSAN|signed integer overflow: -X - Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Item_decimal::val_int ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|my_decimal::to_longlong|Dec_ptr::to_longlong ## MDEV-22742
 
UBSAN|signed integer overflow: -X * Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Field::convert_decimal2longlong|Field_int::store_decimal ## MDEV-22742
 
UBSAN|signed integer overflow: -X - Y cannot be represented in type 'long long int'|strings/decimal.c|decimal2longlong|my_decimal2int|Field::convert_decimal2longlong|Field_int::store_decimal ## MDEV-22742

Comment by Marko Mäkelä [ 2021-10-14 ]

This might explain numerous test failures on various POWER ISA platforms, like this:

10.6 b4911f5a34f8dcfb642c6f14535bc9d5d97ade44

 
main.func_math                           w7 [ fail ]
 
        Test ended at 2021-10-14 06:49:49
 
 
 
CURRENT_TEST: main.func_math
 
mysqltest: At line 425: query 'SELECT 9223372036854775807 + 9223372036854775807' succeeded - should have failed with error ER_DATA_OUT_OF_RANGE (1690)...

Comment by Roel Van de Paar [ 2021-10-14 ] 

SELECT COLUMN_GET (COLUMN_CREATE (1,99999999999999999999999999999 AS DECIMAL),1 AS INT);

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
/test/10.7_opt_san/strings/decimal.c:1169:8: runtime error: signed integer overflow: -99999999999 * 1000000000 cannot be represented in type 'long long int'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

 
    #0 0x55772709c606 in decimal2longlong /test/10.7_opt_san/strings/decimal.c:1169
 
    #1 0x557724f4e9d4 in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_opt_san/sql/my_decimal.cc:357
 
    #2 0x5577249fd22b in Item_dyncol_get::val_int() /test/10.7_opt_san/sql/item_strfunc.cc:5013
 
    #3 0x557724a08189 in Item_dyncol_get::val_int_signed_typecast() /test/10.7_opt_san/sql/item_strfunc.h:2127
 
    #4 0x55772475ebff in Item_func_signed::val_int() /test/10.7_opt_san/sql/item_func.h:1318
 
    #5 0x557723ad2760 in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7497
 
    #6 0x557722748791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
 
    #7 0x557722ab0839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
 
    #8 0x557723176b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
 
    #9 0x55772317ab99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
 
    #10 0x55772316a705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
 
    #11 0x55772316e5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
 
    #12 0x557722daaf4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
 
    #13 0x557722deaa53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
 
    #14 0x557722d7afe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
 
    #15 0x557722dd0655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
 
    #16 0x557722ddbe52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
 
    #17 0x5577236877bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
 
    #18 0x55772368a2b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
 
    #19 0x557725652ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
 
    #20 0x14d582d8e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #21 0x14d582004292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

 
    #0 0x55950f0a6c8d in decimal2longlong /test/10.7_dbg_san/strings/decimal.c:1169
 
    #1 0x55950d0d75ef in my_decimal2int(unsigned int, st_decimal_t const*, bool, long long*, decimal_round_mode) /test/10.7_dbg_san/sql/my_decimal.cc:357
 
    #2 0x55950ca6850d in Item_dyncol_get::val_int() /test/10.7_dbg_san/sql/item_strfunc.cc:5013
 
    #3 0x55950ca75e0f in Item_dyncol_get::val_int_signed_typecast() /test/10.7_dbg_san/sql/item_strfunc.h:2127
 
    #4 0x55950c77a96b in Item_func_signed::val_int() /test/10.7_dbg_san/sql/item_func.h:1318
 
    #5 0x55950b8a792e in Type_handler::Item_send_longlong(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7497
 
    #6 0x55950b917060 in Type_handler_longlong::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5745
 
    #7 0x559509f5735f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
 
    #8 0x55950a0fc9a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
 
    #9 0x55950a5464c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
 
    #10 0x55950ad27f9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
 
    #11 0x55950ad27f9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
 
    #12 0x55950ad2f7a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
 
    #13 0x55950ad200fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
 
    #14 0x55950ad21a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
 
    #15 0x55950a8bb590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
 
    #16 0x55950a91f4ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
 
    #17 0x55950a883c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
 
    #18 0x55950a8f867a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
 
    #19 0x55950a90f0c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
 
    #20 0x55950b39a2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
 
    #21 0x55950b39d143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
 
    #22 0x55950d7bd4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
 
    #23 0x14fc649ff608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #24 0x14fc63c75292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-11-04 ]

bar If we could get a fix for these, it would be very appreciated, and much improve testing work.

Comment by Alexey Botchkov [ 2021-11-22 ]

Proposed fix.
https://github.com/MariaDB/server/commit/ce507903d0c141d5ffb12ecab988d433723338a8

Generated at Thu Feb 08 09:17:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.