[MDEV-28386] UBSAN: runtime error: negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself in my_strntoull_8bit on SELECT Created: 2022-04-22  Updated: 2023-07-01

Status: Confirmed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: UBSAN

Issue Links:
Relates
relates to MDEV-31221 UBSAN runtime error: negation of -922... Confirmed
relates to MDEV-28387 UBSAN: runtime error: negation of -92... Open

Description

SET SESSION sql_buffer_result=1;
CREATE TABLE t (c BLOB) ENGINE=InnoDB;
INSERT INTO t VALUES ('-9223372036854775808.5');
SELECT OCT(c) FROM t;

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

/test/10.9_opt_san/strings/ctype-simple.c:761:22: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

    #0 0x55b2f28347e2 in my_strntoull_8bit /test/10.9_opt_san/strings/ctype-simple.c:761
    #1 0x55b2f01e4a31 in charset_info_st::strntoull(char const*, unsigned long, int, char**, int*) const /test/10.9_opt_san/include/m_ctype.h:782
    #2 0x55b2f01e4a31 in Item_func_conv::val_str(String*) /test/10.9_opt_san/sql/item_strfunc.cc:3652
    #3 0x55b2efb805f9 in Item::save_str_in_field(Field*, bool) /test/10.9_opt_san/sql/item.cc:6779
    #4 0x55b2efadad9c in Item::save_in_field(Field*, bool) /test/10.9_opt_san/sql/item.cc:6827
    #5 0x55b2ee834457 in copy_funcs(Item**, THD const*) /test/10.9_opt_san/sql/sql_select.cc:26302
    #6 0x55b2ee834ce4 in end_write /test/10.9_opt_san/sql/sql_select.cc:22580
    #7 0x55b2ee744ca9 in evaluate_join_record /test/10.9_opt_san/sql/sql_select.cc:21325
    #8 0x55b2ee791933 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21095
    #9 0x55b2ee93d123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
    #10 0x55b2ee93d123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
    #11 0x55b2ee9419f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
    #12 0x55b2ee92fb61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
    #13 0x55b2ee933a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
    #14 0x55b2ee54acdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
    #15 0x55b2ee58a88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
    #16 0x55b2ee51a0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
    #17 0x55b2ee570439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
    #18 0x55b2ee57bc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
    #19 0x55b2eee66d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
    #20 0x55b2eee69834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
    #21 0x55b2f0f671f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
    #22 0x14a1eb49d608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #23 0x14a1ea712162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)

/test/10.9_dbg_san/strings/ctype-simple.c:761:22: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug)

    #0 0x55885bc6b2b9 in my_strntoull_8bit /test/10.9_dbg_san/strings/ctype-simple.c:761
    #1 0x5588595b68c4 in charset_info_st::strntoull(char const*, unsigned long, int, char**, int*) const /test/10.9_dbg_san/include/m_ctype.h:782
    #2 0x5588595b68c4 in Item_func_conv::val_str(String*) /test/10.9_dbg_san/sql/item_strfunc.cc:3652
    #3 0x558858dfb0fd in Item::save_str_in_field(Field*, bool) /test/10.9_dbg_san/sql/item.cc:6779
    #4 0x55885835852a in Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const /test/10.9_dbg_san/sql/sql_type.cc:4339
    #5 0x558858d2d78c in Item::save_in_field(Field*, bool) /test/10.9_dbg_san/sql/item.cc:6827
    #6 0x558856b55b90 in Item_result_field::save_in_result_field(bool) /test/10.9_dbg_san/sql/item.h:3435
    #7 0x5588577399e5 in copy_funcs(Item**, THD const*) /test/10.9_dbg_san/sql/sql_select.cc:26302
    #8 0x558857739d36 in end_write /test/10.9_dbg_san/sql/sql_select.cc:22580
    #9 0x5588577a80e7 in AGGR_OP::put_record(bool) /test/10.9_dbg_san/sql/sql_select.cc:29475
    #10 0x5588577ab96b in AGGR_OP::put_record() /test/10.9_dbg_san/sql/sql_select.h:1056
    #11 0x5588577ab96b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:20811
    #12 0x5588575c6e43 in evaluate_join_record /test/10.9_dbg_san/sql/sql_select.cc:21325
    #13 0x558857669ffe in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21095
    #14 0x55885783c362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
    #15 0x55885783c362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
    #16 0x55885783dc94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
    #17 0x55885782d58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
    #18 0x55885782eef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
    #19 0x55885739bfc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
    #20 0x558857401216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
    #21 0x558857363728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
    #22 0x5588573d944e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
    #23 0x5588573effa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
    #24 0x558857ebcc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
    #25 0x558857ebfae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
    #26 0x55885a418c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
    #27 0x154efcd44608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #28 0x154efbfb9162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)



Comments
Comment by Roel Van de Paar [ 2022-04-22 ]

This testcase produces a long list of other stacks across versions and opt/dbg. UniqueID's/stacks:

UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|Item_func_conv::val_str|Item::save_in_field|Item_result_field::save_in_result_field
UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|Item_func_conv::val_str|Item::save_in_field|copy_funcs
UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|Item_func_conv::val_str|Item::save_str_in_field|Item::save_in_field
UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|Item_func_conv::val_str|Item::save_str_in_field|Type_handler_string_result::Item_save_in_field
UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|charset_info_st::strntoull|Item_func_conv::val_str|Item::save_str_in_field

Comment by Roel Van de Paar [ 2023-07-01 ]

Additional testcase:

CREATE TABLE t (c TEXT,KEY(c)) ENGINE=MyISAM;
INSERT INTO t VALUES ('-9223372036854775808');
SELECT CONCAT (OCT(c)) FROM t;

Which leads to the following new UniqueID's/stacks:

UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|Item_func_conv::val_str|Item_func_concat::val_str|Type_handler::Item_send_str
UBSAN|negation of -X cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself|strings/ctype-simple.c|my_strntoull_8bit|charset_info_st::strntoull|Item_func_conv::val_str|Item_func_concat::val_str

Note that the -9223372036854775808 value is very specific. Changing even the last digit from 8 to 0 will make the testcase fail to reproduce the bug.
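The pattern behind the UBSAN report, as an added example written for this page and not MariaDB's own my_strntoull_8bit: a hypothetical, simplified strntoull-style parser that accumulates an unsigned magnitude and then applies a leading minus. negate_via_signed shows the defective shape the sanitizer complains about (a signed cast followed by unary minus, which is undefined for the magnitude 2^63), negate_unsigned shows the fix the message itself suggests (negate in unsigned arithmetic, which is defined for every value), and input_hits_ub confirms why only the literal -9223372036854775808 reproduces the report while -9223372036854775800 does not. All function names and the sample inputs are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a strntoull-style parser: digits are
 * accumulated as an unsigned magnitude, then a leading '-' is applied by
 * negation so that "-1" parses to 18446744073709551615 (two's-complement
 * wraparound, the convention the UBSAN message refers to). Not MariaDB code. */

/* Accumulate the decimal magnitude of s[0..len). Returns false on an empty
 * digit sequence, a non-digit, or when the magnitude exceeds 2^64-1. */
static bool parse_magnitude(const char *s, size_t len, bool *negative,
                            unsigned long long *mag)
{
    size_t i = 0;
    *negative = false;
    if (len > 0 && (s[0] == '-' || s[0] == '+')) {
        *negative = (s[0] == '-');
        i = 1;
    }
    if (i >= len)
        return false;                       /* sign (or nothing) with no digits */
    unsigned long long acc = 0;
    for (; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return false;
        unsigned d = (unsigned)(s[i] - '0');
        if (acc > (ULLONG_MAX - d) / 10)    /* acc*10 + d would exceed 2^64-1 */
            return false;
        acc = acc * 10 + d;
    }
    *mag = acc;
    return true;
}

/* Exactly one magnitude makes the signed detour undefined: 2^63, whose
 * signed counterpart LLONG_MIN has no representable negation. */
bool negation_is_ub(unsigned long long mag)
{
    return mag == (unsigned long long)LLONG_MAX + 1ULL;
}

/* DEFECTIVE pattern: route the magnitude through a signed type to negate it.
 * For mag == 2^63 the cast yields LLONG_MIN and -LLONG_MIN is signed
 * overflow, the exact report UBSAN printed. Kept only for comparison; the
 * callers below never reach it with that value. */
unsigned long long negate_via_signed(unsigned long long mag)
{
    long long s = (long long)mag;           /* implementation-defined for mag >= 2^63 */
    return (unsigned long long)(-s);        /* undefined when s == LLONG_MIN */
}

/* HARDENED pattern: negate in unsigned arithmetic, which C defines modulo
 * 2^64 for every operand, including 2^63. Same result as the form above for
 * every input on which that form is defined. */
unsigned long long negate_unsigned(unsigned long long mag)
{
    return 0ULL - mag;
}

/* Full parse using the hardened negation. */
bool parse_ull(const char *s, unsigned long long *out)
{
    bool negative;
    unsigned long long mag;
    if (!parse_magnitude(s, strlen(s), &negative, &mag))
        return false;
    *out = negative ? negate_unsigned(mag) : mag;
    return true;
}

/* Would parsing s through the defective negation trip the sanitizer?
 * Handy for pinning the one hazardous literal in a regression test. */
bool input_hits_ub(const char *s)
{
    bool negative;
    unsigned long long mag;
    if (!parse_magnitude(s, strlen(s), &negative, &mag))
        return false;                       /* rejected before any negation */
    return negative && negation_is_ub(mag);
}

int main(void)
{
    /* Constructed inputs: the reported literal and its neighbours. */
    const char *inputs[] = { "-9223372036854775808", "-9223372036854775800",
                             "-9223372036854775809", "-1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned long long v;
        bool ok = parse_ull(inputs[i], &v);
        printf("%-22s parsed=%d value=%llu hits_ub_in_signed_form=%d\n",
               inputs[i], ok, ok ? v : 0ULL, input_hits_ub(inputs[i]));
    }
    return 0;
}
```

In a sanitizer build the values worth pinning are the single hazardous magnitude and its two neighbours; the unsigned form negates all three without any branch on the input, which is why the fix needs no special case for LLONG_MIN.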
