[MDEV-28374] UBSAN: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int' in sql/sql_analyse.cc Created: 2022-04-21  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: UBSAN, overflow, procedure_analyse

Issue Links:
Relates
relates to MDEV-25454 Make MariaDB server UBSAN safe Confirmed
relates to MDEV-28345 ASAN: use-after-poison or unknown-cra... Confirmed
relates to MDEV-29473 UBSAN: Signed integer overflow: X * Y... Closed

Description

CREATE TABLE t (id BIGINT) ENGINE=InnoDB;
INSERT INTO t VALUES ('10000000000000');
SELECT * FROM t PROCEDURE ANALYSE();

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

/test/10.9_opt_san/sql/sql_analyse.cc:590:19: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int'
/test/10.9_opt_san/sql/sql_analyse.h:270:37: runtime error: signed integer overflow: 10000000000000 * 10000000000000 cannot be represented in type 'long long int'

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)



Comments
Comment by Alexander Barkov [ 2022-07-06 ]

PROCEDURE ANALYSE is not something of a very high priority. Changing from Critical to Major.

Comment by Roel Van de Paar [ 2022-09-01 ]

Updated versions. Also new stacks observed with this testcase.

New UniqueID's added:

UBSAN|signed integer overflow: X * Y cannot be represented in type 'long long int'|sql/sql_analyse.h|field_longlong::std|analyse::end_of_records|end_send|do_select
UBSAN|signed integer overflow: X * Y cannot be represented in type 'long long int'|sql/sql_analyse.h|field_longlong::std|analyse::end_of_records|end_send|sub_select

SET sql_mode='';
CREATE TABLE t (a INT) ENGINE=InnoDB;
INSERT INTO t VALUES ('10000000000000'),('10000000000000');
SELECT * FROM t PROCEDURE ANALYSE();

Leads to:

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

/test/10.11_dbg_san/sql/sql_analyse.h:270:37: runtime error: signed integer overflow: 4294967294 * 4294967294 cannot be represented in type 'long long int'

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

    #0 0x55d9194a208b in field_longlong::std(String*, unsigned long long) /test/10.11_dbg_san/sql/sql_analyse.h:270
    #1 0x55d919484e50 in analyse::end_of_records() /test/10.11_dbg_san/sql/sql_analyse.cc:720
    #2 0x55d916e9de12 in end_send /test/10.11_dbg_san/sql/sql_select.cc:22963
    #3 0x55d916dcc1ed in sub_select(JOIN*, st_join_table*, bool) /test/10.11_dbg_san/sql/sql_select.cc:21708
    #4 0x55d916faa96c in do_select /test/10.11_dbg_san/sql/sql_select.cc:21310
    #5 0x55d916faa96c in JOIN::exec_inner() /test/10.11_dbg_san/sql/sql_select.cc:4812
    #6 0x55d916fac1c6 in JOIN::exec() /test/10.11_dbg_san/sql/sql_select.cc:4590
    #7 0x55d916f99bec in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.11_dbg_san/sql/sql_select.cc:5070
    #8 0x55d916f9e3bd in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.11_dbg_san/sql/sql_select.cc:581
    #9 0x55d916b22b58 in execute_sqlcom_select /test/10.11_dbg_san/sql/sql_parse.cc:6261
    #10 0x55d916b83352 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:3945
    #11 0x55d916af0c88 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
    #12 0x55d916b5d85f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
    #13 0x55d916b6fa70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
    #14 0x55d9175e0b41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
    #15 0x55d9175e332c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
    #16 0x150e8eb3c608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #17 0x150e8ddb1132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

Comment by Roel Van de Paar [ 2022-09-14 ]

Slightly different outcome with this testcase

SET sql_mode='';
CREATE TABLE t (a INT,KEY a USING BTREE (a));
INSERT INTO t VALUES (0),('1'),('1'),('1'),('1'),('00010101'),('99991231'),('00101000000'),('691231000000'),('700101000000'),('991231235959'),('10000101000000'),('99991231235959'),('20030100000000'),('20030000000000');
SELECT * FROM t PROCEDURE ANALYSE();

Results in (note the addition of the first message):

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

/test/10.11_dbg_san/sql/sql_analyse.cc:596:13: runtime error: signed integer overflow: 4631885260511346175 + 4611686014132420609 cannot be represented in type 'long long int'
/test/10.11_dbg_san/sql/sql_analyse.h:270:37: runtime error: signed integer overflow: 15233386865 * 15233386865 cannot be represented in type 'long long int'

Added

UBSAN|signed integer overflow: X + Y cannot be represented in type 'long long int'|sql/sql_analyse.cc|field_longlong::add|analyse::send_row|end_send|evaluate_join_record

Comment by Roel Van de Paar [ 2023-03-31 ]

Additional testcase

SET sql_mode='';
CREATE TABLE t (c BIGINT,c2 DATE,c3 BLOB,KEY(c)) ENGINE=InnoDB;
INSERT INTO t VALUES (-1.e+308,1,1);
SELECT * FROM t PROCEDURE ANALYSE();

Leads to the following stack/UniqueID on all versions and build types (opt/dbg):

UBSAN|signed integer overflow: -X * -Y cannot be represented in type 'long long int'|sql/sql_analyse.cc|field_longlong::add|analyse::send_row|end_send|evaluate_join_record

Comment by Roel Van de Paar [ 2023-08-04 ]

Please also test any bugfix with this testcase:

CREATE TABLE t (c INT) ENGINE=InnoDB UNION=(t,t2) INSERT_METHOD=LAST;
CREATE TABLE t3 LIKE t;
INSERT INTO t VALUES (1),(2),(-685113344),(0);
INSERT INTO t3 SELECT * FROM t;
INSERT INTO t SELECT * FROM t;
INSERT INTO t SELECT * FROM t;
INSERT INTO t3 SELECT * FROM t;
SELECT * FROM t3 PROCEDURE ANALYSE();
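
A constructed C++ illustration of the two arithmetic sites the UBSAN reports in this ticket name (the sum and sum-of-squares accumulation in field_longlong::add and the sum * sum term in field_longlong::std), written for this page and not MariaDB's own code: the same accumulation done with the GCC/Clang checked-arithmetic builtins so that the ticket's values (10000000000000, 4294967294) are caught instead of producing undefined behaviour. The struct, its member names and the fall-back to double arithmetic are assumptions made for the example.

```cpp
#include <cmath>
#include <initializer_list>
// Constructed example, not MariaDB's code: a PROCEDURE ANALYSE-style
// accumulator for a column's sum and sum of squares, the quantities the
// reports above attribute to field_longlong::add (sum += num,
// sum_sqr += num * num) and field_longlong::std (sum * sum). In plain
// long long arithmetic those expressions are undefined behaviour once a
// result leaves the 64-bit range (10000000000000 squared is 1e26). Here
// each product and addition goes through the GCC/Clang overflow builtins
// and the first overflow switches the accumulator to doubles.
struct CheckedStats {
  long long sum = 0, sum_sqr = 0;
  unsigned long long rows = 0;
  bool overflowed = false;        // set once any step left the range
  double dsum = 0.0, dsum_sqr = 0.0;
  void add(long long num) {
    ++rows;
    long long sq, nsum, nsq;
    if (!overflowed && !__builtin_mul_overflow(num, num, &sq) &&
        !__builtin_add_overflow(sum, num, &nsum) &&
        !__builtin_add_overflow(sum_sqr, sq, &nsq)) {
      sum = nsum; sum_sqr = nsq;
      return;
    }
    if (!overflowed) {            // carry the exact totals into the doubles
      overflowed = true;
      dsum = (double)sum;
      dsum_sqr = (double)sum_sqr;
    }
    dsum += (double)num;
    dsum_sqr += (double)num * (double)num;
  }
  // Population standard deviation; sum * sum is formed in double, so the
  // second overflow site (the std() report) cannot fire either.
  double stddev() const {
    double n = (double)rows;
    double s = overflowed ? dsum : (double)sum;
    double sq = overflowed ? dsum_sqr : (double)sum_sqr;
    double var = (sq - s * s / n) / n;
    return var <= 0.0 ? 0.0 : std::sqrt(var);
  }
};
// Run a constructed column through the accumulator.
CheckedStats analyse(std::initializer_list<long long> vals) {
  CheckedStats s;
  for (long long v : vals) s.add(v);
  return s;
}
```

Compile with -fsanitize=undefined to confirm that, unlike the unchecked `num * num`, none of these operations trips UBSAN on the ticket's values.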
