The DECIMAL data type branch in Item_func_int_val::fix_length_and_dec()
incorrectly used DOUBLE-style length calculation, which resulted in
a smaller data type than the actual result of FLOOR()/CEIL() needs.
The problem happened in these line:
uval0= (ulonglong) (val0_negative ? -val0 : val0);
uval1= (ulonglong) (val1_negative ? -val1 : val1);
return check_integer_overflow(val0_negative ? -(longlong) res : res,
!val0_negative);
when unary minus was performed on -9223372036854775808.
This behavior is undefined in C/C++.
using a specially crafted strings one could overflow `shift`
variable and cause a crash by dereferencing d10[-2147483648]
(on a sufficiently old gcc).
This is a correct fix and a test case for
Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
Also fixes:
MDEV-20560 Assertion `precision > 0' failed in decimal_bin_size upon SELECT with MOD short unsigned decimal
Changing the way how Item_func_mod calculates its max_length.
It now uses decimal_precision(), decimal_scale() and unsigned_flag
of its arguments, like all other Item_num_op descendants do.
This allows one to run the test suite even if any of the following
options are changed:
- character-set-server
- collation-server
- join-cache-level
- log-basename
- max-allowed-packet
- optimizer-switch
- query-cache-size and query-cache-type
- skip-name-resolve
- table-definition-cache
- table-open-cache
- Some innodb options
etc
Changes:
- Don't print out the value of system variables as one can't depend on
them to being constants.
- Don't set global variables to 'default' as the default may not
be the same as the test was started with if there was an additional
option file. Instead save original value and reset it at end of test.
- Test that depends on the latin1 character set should include
default_charset.inc or set the character set to latin1
- Test that depends on the original optimizer switch, should include
default_optimizer_switch.inc
- Test that depends on the value of a specific system variable should
set it in the test (like optimizer_use_condition_selectivity)
- Split subselect3.test into subselect3.test and subselect3.inc to
make it easier to set and reset system variables.
- Added .opt files for test that required specfic options that could
be changed by external configuration files.
- Fixed result files in rockdsb & tokudb that had not been updated for
a while.
When printing an expression, like a/(b*c), we need to print parentheses,
even though / and * have the same precedence. Basically, we should
always treat the second argument as having one level higher precedence
than it normally is.
use Item->neg to convert generate negative Item_num's
instead of Item_func_neg(Item_num).
Based on the following commit:
Author: Monty <monty@mariadb.org>
Date: Mon May 30 22:44:00 2016 +0300
Make negative number their own token
The negation (-) operator will call Item->neg() one underlying numeric constants
and remove itself (like the NOT() function does today for other NOT functions.
This simplifies things
- -1 is not anymore an expression but a basic_const_item
- improves optimizer
- DEFAULT -1 doesn't need special handling anymore
- When we add DEFAULT expressions, -1 will be treated exactly like 1
- printing of items doesn't anymore put braces around all negative numbers
Other things fixed:
- Fixed that longlong converted to decimal's has a more appropriate size
- Fixed that "-0.0" read into a decimal is interpreted as 0.0
don't use mysql-5.6 change.
correct fix: zero-out rounded tail after the number was shifted because
of the carry digit (otherwise the carry digit will be zeroed out too).
Truncate result of decimal division before converting to integer.
mysql-test/r/func_math.result:
New test case.
mysql-test/t/func_math.test:
New test case.
sql/item_func.cc:
Item_func_int_div::val_int():
Truncate result of decimal division before converting to integer.
Turns out the DBUG_ASSERT added by fix for Bug#11792200 was overly pessimistic:
'stop0' is used in the main loop of do_div_mod, but we only dereference 'buf0'
for div operations, not for mod.
mysql-test/r/func_math.result:
New test case.
mysql-test/t/func_math.test:
New test case.
strings/decimal.c:
Move DBUG_ASSERT down to where we actually dereference the loop pointer.
Assertion happens due to missing NULL value check in
Item_func_round::fix_length_and_dec() function.
The fix: added NULL value check for second parameter.
mysql-test/r/func_math.result:
test case
mysql-test/t/func_math.test:
test case
sql/item_func.cc:
added NULL value check for second parameter.
Bug#11764671 57533: UNINITIALISED VALUES IN COPY_AND_CONVERT (SQL_STRING.CC) WITH CERTAIN CHA
When ROUND evaluates decimal result it uses Item::decimal
value as fraction value for the result. In some cases
Item::decimal is greater than real result fraction value
and uninitialised memory of result(decimal) buffer can be
used in further calculations. Issue is introduced by
Bug33143 fix. The fix is to remove erroneous assignment.
mysql-test/r/func_math.result:
test case
mysql-test/t/func_math.test:
test case
sql/item_func.cc:
remove erroneous assignment
Assert fails due to overflow which happens in
Item_func_int_val::fix_num_length_and_dec() as
geometry functions have max_length value equal to
max_field_size(4294967295U). The fix is to skip
max_length calculation for some boundary cases.
mysql-test/r/func_math.result:
test case
mysql-test/t/func_math.test:
test case
sql/item_func.cc:
skip max_length calculation
if argument max_length is near max_field_size.
This was a buffer overrun in do_div_mod(), overwriting the internal buffer
of auto variable 'tmp' in Item_func_int_div::val_int.
Result on windows: 'this' is set to zero, and crash.
Ran fine on other platforms (no valgrind warnings),
but this is undefined behaviour on any platform of course.
include/decimal.h:
Add const qualifiers to function prototypes which are used by sql/my_decimal.h
mysql-test/r/func_math.result:
New test case.
mysql-test/t/func_math.test:
New test case.
sql/my_decimal.h:
Remove several C-style casts:
- some of the were up-casts, and thus un-necessary
- some of them should have been const-casts, but it is better to make the
underlying library functions in (decimal.[h|c]) const instead.
strings/decimal.c:
Check for buffer overrun in do_div_mod()
Add const qualifiers to functions which are used by sql/my_decimal.h
mysql-test/r/func_math.result:
New test case.
mysql-test/t/func_math.test:
New test case.
sql/item_func.cc:
Check for null before converting value to my_decimal.
Fix: copy my_decimal by value, to avoid dangling pointers.
mysql-test/r/func_math.result:
New test case.
mysql-test/t/func_math.test:
New test case.
sql/item_cmpfunc.cc:
No need to call fix_buffer_pointer() anymore.
sql/item_func.cc:
Copy my_decimal by value, to avoid dangling pointers.
sql/my_decimal.h:
Implement proper copy constructor and assignment operator for my_decimal.
sql/sql_analyse.cc:
No need to call fix_buffer_pointer() anymore.
strings/decimal.c:
Remove #line directive: it messes up TAGS and it confuses gdb when debugging.
ASSERT happens due to improper calculation of the max_length
in Item_func_div object, if dividend has max_length == 0 then
Item_func_div::max_length is set to 0 under some circumstances.
The fix:
If decimals == NOT_FIXED_DEC then set
Item_func_div::max_length to max possible
DOUBLE length value.
mysql-test/r/func_math.result:
test case
mysql-test/t/func_math.test:
test case
sql/item_func.cc:
The fix:
If decimals == NOT_FIXED_DEC then set
Item_func_div::max_length to max possible
DOUBLE length value.
mysql-test/r/func_math.result:
Add test for Bug #58137
mysql-test/t/func_math.test:
Add test for Bug #58137
sql/field.cc:
Skip calling my_gcvt() if we are trying to insert a double into a char(0) column.
The problem is dividing by const value when
the result is out of supported range.
The fix:
-return LONGLONG_MIN if the result is out of supported range for DIV operator.
-return 0 if divisor is -1 for MOD operator.
mysql-test/r/func_math.result:
test case
mysql-test/t/func_math.test:
test case
sql/item_func.cc:
-return LONGLONG_MIN if the result is out of supported range for DIV operator.
-return 0 if divisor is -1 for MOD operator.
Buffer overrun when trying to format DBL_MAX
mysql-test/r/func_math.result:
Add test case for Bug#57209
mysql-test/t/func_math.test:
Add test case for Bug#57209
sql/item_strfunc.cc:
Allocate a larger buffer for the result.
All numeric operators and functions on integer, floating point
and DECIMAL values now throw an 'out of range' error rather
than returning an incorrect value or NULL, when the result is
out of supported range for the corresponding data type.
Some test cases in the test suite had to be updated
accordingly either because the test case itself relied on a
value returned in case of a numeric overflow, or because a
numeric overflow was the root cause of the corresponding bugs.
The latter tests are no longer relevant, since the expressions
used to trigger the corresponding bugs are not valid anymore.
However, such test cases have been adjusted and kept "for the
record".
mysql-test/r/func_math.result:
Added test cases for bug #8433.
Updated results of the test case for bug #31236.
mysql-test/r/func_misc.result:
Streamlined test cases.
mysql-test/r/func_test.result:
Streamlined test cases.
mysql-test/r/select.result:
Streamlined test cases.
mysql-test/r/sp.result:
Streamlined test cases.
mysql-test/r/strict.result:
Streamlined test cases.
mysql-test/r/type_newdecimal.result:
Streamlined test cases.
mysql-test/suite/sys_vars/r/sql_slave_skip_counter_basic.result:
Streamlined test cases.
mysql-test/suite/sys_vars/t/sql_slave_skip_counter_basic.test:
Streamlined test cases.
mysql-test/t/func_math.test:
Added test cases for bug #8433.
Updated results of the test case for bug #31236.
mysql-test/t/func_misc.test:
Streamlined test cases.
mysql-test/t/func_test.test:
Streamlined test cases.
mysql-test/t/select.test:
Streamlined test cases.
mysql-test/t/sp.test:
Streamlined test cases.
mysql-test/t/strict.test:
Streamlined test cases.
mysql-test/t/type_newdecimal.test:
Streamlined test cases.
sql/item_create.cc:
Changed Item_func_cot() to be defined as a standalone Item
rather than a combination of "1 / TAN(x)".
sql/item_func.cc:
Throw an 'out of range' error rather than returning an
incorrect value or NULL, when the result of a numeric
operator or a function is out of supported range for
the corresponding data type.
sql/item_func.h:
Added validation helpers as inline methods of Item_func.
sql/share/errmsg-utf8.txt:
New ER_DATA_OUT_OF_RANGE error.
