[MDEV-29473] UBSAN: Signed integer overflow: X * Y cannot be represented in type 'int' in strings/dtoa.c Created: 2022-09-06  Updated: 2022-12-13  Resolved: 2022-11-18

Status: Closed
Project: MariaDB Server
Component/s: Data types
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.11.2, 11.0.0, 10.3.38, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: UBSAN, overflow

Issue Links:
Relates
relates to MDEV-25454 Make MariaDB server UBSAN safe Confirmed
relates to MDEV-28374 UBSAN: runtime error: signed integer... Confirmed

Description

Similar to MDEV-28374 but no PROCEDURE ANALYSE() is required here.

CREATE TABLE t (c DOUBLE) ENGINE=InnoDB;
INSERT INTO t VALUES ('1e4294967297');

Leads to:

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

/test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug)

    #0 0x557791cc50de in my_strtod_int /test/10.11_dbg_san/strings/dtoa.c:1481
    #1 0x557791cc50de in my_strtod /test/10.11_dbg_san/strings/dtoa.c:469
    #2 0x557791bb71e2 in my_strntod_8bit /test/10.11_dbg_san/strings/ctype-simple.c:799
    #3 0x55778effb05a in charset_info_st::strntod(char*, unsigned long, char**, int*) const /test/10.11_dbg_san/include/m_ctype.h:899
    #4 0x55778effb05a in Field_real::get_double(char const*, unsigned long, charset_info_st const*, int*) /test/10.11_dbg_san/sql/field.cc:1838
    #5 0x55778effbb02 in Field_double::store(char const*, unsigned long, charset_info_st const*) /test/10.11_dbg_san/sql/field.cc:4868
    #6 0x55778f1c5fdd in Item::save_str_value_in_field(Field*, String*) /test/10.11_dbg_san/sql/item.cc:407
    #7 0x55778f1c641f in Item_string::save_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:6867
    #8 0x55778d4826df in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool) /test/10.11_dbg_san/sql/sql_base.cc:9196
    #9 0x55778d482be8 in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /test/10.11_dbg_san/sql/sql_base.cc:9251
    #10 0x55778d6a3853 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.11_dbg_san/sql/sql_insert.cc:1089
    #11 0x55778d8fe912 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:4563
    #12 0x55778d861c88 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
    #13 0x55778d8ce85f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
    #14 0x55778d8e0a70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
    #15 0x55778e351b41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
    #16 0x55778e35432c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
    #17 0x1474580e9608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #18 0x14745735e132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

There are a large number of issues seen across versions. All UniqueIDs seen:

UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|Field_real::get_double|Field_double::store
UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|charset_info_st::strntod|Field_real::get_double
UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|Field_real::get_double
UBSAN|signed integer overflow: X * Y cannot be represented in type 'int'|strings/dtoa.c|my_strtod_int|my_strtod|my_strntod_8bit|charset_info_st::strntod
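The report above shows the mechanism: the exponent digits of '1e4294967297' are accumulated into a plain int, so after nine digits the value is 429496729 and the next 10 * L step exceeds INT_MAX, which is undefined behaviour in C. The following C program is an added example written for this note; it is not MariaDB's dtoa.c nor the fix that closed this ticket. It contrasts the naive accumulation (detecting the overflow arithmetically instead of executing it) with a saturating scan that consumes the same digits safely and classifies the literal as out of range, which is the outcome the server surfaces as ER_WARN_DATA_OUT_OF_RANGE. The names naive_exponent, saturating_exponent, classify_double_literal and the saturation bound EXP_SATURATE (19999) are assumptions of this example, and all inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed bound: any decimal exponent with magnitude above this already
 * overflows or underflows an IEEE-754 double, so larger values can be
 * saturated to it without changing the outcome of the conversion. */
#define EXP_SATURATE 19999

/* Naive accumulation as found in many strtod-style loops: L = 10*L + digit
 * in a plain int. Returns 0 and stores the exponent in *out when it
 * completes; returns 1 and stores the last partial value when the next
 * 10*L + digit step would exceed INT_MAX. The overflow is detected by
 * comparison here instead of being executed (the real loop has no check). */
int naive_exponent(const char *digits, int *out)
{
    int L = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++) {
        int d = *digits - '0';
        if (L > (INT_MAX - d) / 10) {   /* 10*L + d > INT_MAX */
            *out = L;
            return 1;
        }
        L = 10 * L + d;
    }
    *out = L;
    return 0;
}

/* Wrapper: partial value at which naive accumulation would overflow,
 * or -1 when the whole digit string accumulates safely. */
int naive_overflow_point(const char *digits)
{
    int v;
    return naive_exponent(digits, &v) ? v : -1;
}

/* Hardened exponent scan: consumes the sign and all digits, but stops
 * accumulating once EXP_SATURATE is reached, so no multiplication can
 * overflow (L is at most 10*19998 + 9 before clamping). Advances *p. */
int saturating_exponent(const char **p)
{
    const char *s = *p;
    int sign = 1, L = 0;
    if (*s == '+') s++;
    else if (*s == '-') { sign = -1; s++; }
    for (; *s >= '0' && *s <= '9'; s++) {
        if (L < EXP_SATURATE)
            L = 10 * L + (*s - '0');
    }
    if (L > EXP_SATURATE) L = EXP_SATURATE;
    *p = s;
    return sign * L;
}

int saturating_exponent_str(const char *s) { return saturating_exponent(&s); }

enum { LIT_OK = 0, LIT_OVERFLOW = 1, LIT_UNDERFLOW = 2 };

/* Scans a decimal literal (optional sign, digits, optional fraction, optional
 * e/E exponent) and classifies its magnitude without ever overflowing an int.
 * *first_digit_exp receives the power of ten of the first significant digit.
 * Values whose first digit sits above 1e308 are LIT_OVERFLOW (the case the
 * server reports as out of range); below 1e-324 they are LIT_UNDERFLOW.
 * Borderline cases at exactly 1e308 are left to a full conversion (LIT_OK). */
int classify_double_literal(const char *s, int *first_digit_exp)
{
    int int_digits = 0, lead_zero_frac = 0, significant = 0, exp10 = 0;
    if (*s == '+' || *s == '-') s++;
    while (*s == '0') s++;                               /* leading zeros */
    for (; *s >= '0' && *s <= '9'; s++) { int_digits++; significant = 1; }
    if (*s == '.') {
        s++;
        if (!significant)
            for (; *s == '0'; s++) lead_zero_frac++;     /* 0.00x... */
        for (; *s >= '0' && *s <= '9'; s++) significant = 1;
    }
    if (*s == 'e' || *s == 'E') { s++; exp10 = saturating_exponent(&s); }
    if (!significant) { *first_digit_exp = 0; return LIT_OK; }   /* zero */
    int e = (int_digits > 0) ? int_digits - 1 : -(lead_zero_frac + 1);
    *first_digit_exp = e + exp10;                        /* both terms small */
    if (*first_digit_exp > 308)  return LIT_OVERFLOW;
    if (*first_digit_exp < -324) return LIT_UNDERFLOW;
    return LIT_OK;
}

int classify_str(const char *s) { int e; return classify_double_literal(s, &e); }
int first_digit_exponent(const char *s) { int e; classify_double_literal(s, &e); return e; }

int main(void)
{
    const char *bad = "1e4294967297";                    /* constructed, from the report */
    printf("naive accumulation overflows after partial value %d\n",
           naive_overflow_point(bad + 2));
    printf("saturating scan: exponent %d, class %d\n",
           saturating_exponent_str(bad + 2), classify_str(bad));
    return 0;
}
```

The check in naive_exponent is the textbook pre-multiplication guard (L > (INT_MAX - d) / 10); saturating_exponent avoids needing it at all by refusing to grow past a bound that is already far outside the representable range of a double, which is the usual defensive pattern for exponent parsing.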
Comments
Comment by Roel Van de Paar [ 2022-11-17 ]

Debug build of more recent 10.11 no longer crashes, but it still shows the

/test/10.11_dbg_san/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 429496729 * 10 cannot be represented in type 'int'

Comment by Alexander Barkov [ 2022-11-17 ]

Repeatable with MyISAM (which is default in MTR) with this MTR test:

CREATE TABLE t1 (c DOUBLE);
--error ER_WARN_DATA_OUT_OF_RANGE
INSERT INTO t1 VALUES ('1e4294967297');
DROP TABLE t1;

main.AAA                                 [ fail ]  Found warnings/errors in server log file!
        Test ended at 2022-11-17 14:00:28
line
/home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in 
/home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16: runtime error: signed integer overflow: 10 * 429496729 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/dtoa.c:1481:16 in 
^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err

Comment by Alexander Barkov [ 2022-11-17 ]

After adding this test into type_float.test, UBSAN issues more warnings:

/home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7: runtime error: call to function rpl_semi_sync_master_show_clients(THD*, st_mysql_show_var*, char*) through pointer to incorrect function type 'int (*)(THD *, st_mysql_show_var *, void *, system_status_var *, enum_var_type)'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/sql/sql_show.cc:3812:7 in 
/home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1458:17 in 
/home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/bar/maria-git/server.10.3.asan/strings/decimal.c:1499:17 in 
^ Found warnings in /home/bar/maria-git/server.10.3.asan/BUILD-DEB-CLANG/mysql-test/var/log/mysqld.1.err
ok

Generated at Thu Feb 08 10:08:52 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.