Bug #85290 signed integer overflow: 361810122 * 10 cannot be represented in type 'int'
Submitted: 3 Mar 2017 9:57    Modified: 13 Mar 2017 1:22
Reporter: Erlend Dahl
Status: Closed
Category: MySQL Server: Data Types    Severity: S3 (Non-critical)
Version: 8.0.1    OS: Any
Assigned to:    CPU Architecture: Any

[3 Mar 2017 9:57] Erlend Dahl
Description:
After the RapidJSON upgrade, we have an ubsan failure in gis.geojson_functions

../../mysqlcom-pro-8.0.1-dmr/strings/dtoa.cc:1503:16: runtime error: signed integer overflow: 361810122 * 10 cannot be represented in type 'int'
    #0 0x5a57ef0 in my_strtod_int ../../mysqlcom-pro-8.0.1-dmr/strings/dtoa.cc:1503
    #1 0x5a541bb in my_strtod ../../mysqlcom-pro-8.0.1-dmr/strings/dtoa.cc:486
    #2 0x34de144 in RawNumber ../../mysqlcom-pro-8.0.1-dmr/sql/json_dom.cc:591
    #3 0x34fabcd in ParseNumber<64u, rapidjson::MemoryStream, (anonymous namespace)::Rapid_json_handler> ../../mysqlcom-pro-8.0.1-dmr/extra/rapidjson/include/rapidjson/reader.h:1352
    #4 0x34f66f5 in ParseValue<64u, rapidjson::MemoryStream, (anonymous namespace)::Rapid_json_handler> ../../mysqlcom-pro-8.0.1-dmr/extra/rapidjson/include/rapidjson/reader.h:1401
    #5 0x34f4d56 in Parse<64u, rapidjson::MemoryStream, (anonymous namespace)::Rapid_json_handler> ../../mysqlcom-pro-8.0.1-dmr/extra/rapidjson/include/rapidjson/reader.h:501
    #6 0x34def62 in Json_dom::parse(char const*, unsigned long, char const**, unsigned long*, bool) ../../mysqlcom-pro-8.0.1-dmr/sql/json_dom.cc:685
    #7 0x3277ffa in parse_json ../../mysqlcom-pro-8.0.1-dmr/sql/item_json_func.cc:142
    #8 0x3279104 in json_is_valid ../../mysqlcom-pro-8.0.1-dmr/sql/item_json_func.cc:308
    #9 0x3280092 in get_json_wrapper(Item**, unsigned int, String*, char const*, Json_wrapper*, bool) ../../mysqlcom-pro-8.0.1-dmr/sql/item_json_func.cc:1025
    #10 0x3b276ee in Item_func_geomfromgeojson::val_str(String*) ../../mysqlcom-pro-8.0.1-dmr/sql/item_geofunc.cc:787
    #11 0x2f0d81a in Item::send(Protocol*, String*) ../../mysqlcom-pro-8.0.1-dmr/sql/item.cc:7471
    #12 0x1d2ff01 in THD::send_result_set_row(List<Item>*) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_class.cc:2787
    #13 0x36c9704 in Query_result_send::send_data(List<Item>&) ../../mysqlcom-pro-8.0.1-dmr/sql/query_result.cc:96
    #14 0x1d8849a in JOIN::exec() ../../mysqlcom-pro-8.0.1-dmr/sql/sql_executor.cc:210
    #15 0x1fefa38 in Sql_cmd_dml::execute_inner(THD*) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_select.cc:736
    #16 0x1fed05c in Sql_cmd_dml::execute(THD*) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_select.cc:619
    #17 0x1ebe710 in mysql_execute_command(THD*, bool) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_parse.cc:4414
    #18 0x1ec8952 in mysql_parse(THD*, Parser_state*) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_parse.cc:5202
    #19 0x1e9a7eb in dispatch_command(THD*, COM_DATA const*, enum_server_command) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_parse.cc:1535
    #20 0x1e9497e in do_command(THD*) ../../mysqlcom-pro-8.0.1-dmr/sql/sql_parse.cc:1122
    #21 0x29210a6 in handle_connection ../../mysqlcom-pro-8.0.1-dmr/sql/conn_handler/connection_handler_per_thread.cc:322
    #22 0x53c839e in pfs_spawn_thread ../../../mysqlcom-pro-8.0.1-dmr/storage/perfschema/pfs.cc:2407
    #23 0x7f40126cc6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #24 0x7f40103ffb5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

How to repeat:
On an UBSAN run, ./mtr --sanitize gis.geojson_functions

Knut Anders points out that the problem probably isn't related to JSON, since

SELECT '1E-36181012216111515851075235238' + 1;

produces a similar warning.
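Added illustration, not code from MySQL's dtoa.cc and not the fix that went into 8.0.2 (this page does not show it): a minimal decimal-exponent accumulator in the unchecked form that UBSan flagged, beside a saturating form. EXP_CLAMP, the function names and the two short sample literals are assumptions of this example; the long exponent is the one from the repro above, whose first nine digits 361810122 are exactly where e * 10 leaves the range of a 32-bit int.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed saturation bound for the decimal exponent.  A double is already
 * 0 or inf long before |exponent| gets anywhere near this, so clamping here
 * changes no result and keeps the accumulator far from INT_MAX.  This is the
 * example's own constant, not a value taken from MySQL's dtoa.cc. */
#define EXP_CLAMP 19999

/* Unchecked form (for comparison only): the pattern UBSan flagged.  Each digit
 * does e = e * 10 + d with no bound, so an exponent of ten or more digits makes
 * e * 10 exceed INT_MAX, which is undefined behaviour in C. */
static int parse_exponent_unchecked(const char *s, size_t len)
{
    size_t i = 0;
    int neg = 0, e = 0;
    if (i < len && (s[i] == '+' || s[i] == '-'))
        neg = (s[i++] == '-');
    for (; i < len && isdigit((unsigned char)s[i]); i++)
        e = e * 10 + (s[i] - '0');   /* overflows once e > INT_MAX / 10 */
    return neg ? -e : e;
}

/* Hardened form: same grammar, but the accumulator saturates at EXP_CLAMP.
 * Once e has passed the bound the remaining digits are consumed without being
 * folded in, so the reported length still covers the whole exponent field.
 * Returns false when no digit follows the optional sign. */
static bool parse_exponent_checked(const char *s, size_t len,
                                   int *out, size_t *consumed)
{
    size_t i = 0, first_digit;
    int neg = 0, e = 0;
    if (i < len && (s[i] == '+' || s[i] == '-'))
        neg = (s[i++] == '-');
    first_digit = i;
    for (; i < len && isdigit((unsigned char)s[i]); i++) {
        if (e <= EXP_CLAMP)          /* e * 10 + 9 <= 199999: cannot overflow */
            e = e * 10 + (s[i] - '0');
    }
    if (i == first_digit)
        return false;
    if (e > EXP_CLAMP)
        e = EXP_CLAMP;
    *out = neg ? -e : e;
    if (consumed)
        *consumed = i;
    return true;
}

/* Exponent of a numeric literal such as "1E-3618...", via the checked parser.
 * A literal with no E/e part yields 0.  Returns false if the text after E/e
 * is not a complete, well-formed exponent. */
static bool literal_exponent(const char *lit, int *out)
{
    const char *p = strpbrk(lit, "Ee");
    size_t used, rest;
    if (p == NULL) {
        *out = 0;
        return true;
    }
    rest = strlen(p + 1);
    if (!parse_exponent_checked(p + 1, rest, out, &used))
        return false;
    return used == rest;             /* reject trailing junk after the digits */
}

/* Small wrappers that return plain ints: INT_MIN / -1 signal a malformed input. */
static int exponent_or_error(const char *lit)
{
    int e;
    return literal_exponent(lit, &e) ? e : INT_MIN;
}

static int exponent_consumed(const char *s)
{
    int e;
    size_t used;
    return parse_exponent_checked(s, strlen(s), &e, &used) ? (int)used : -1;
}

int main(void)
{
    /* Constructed inputs: the literal from the repro above plus two ordinary ones. */
    const char *inputs[] = { "1E-36181012216111515851075235238", "1.5e+10", "42" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        int e = exponent_or_error(inputs[k]);
        if (e == INT_MIN)
            printf("%-36s malformed exponent\n", inputs[k]);
        else
            printf("%-36s exponent %d\n", inputs[k], e);
    }
    /* The unchecked parser is only safe while the exponent stays short. */
    printf("unchecked on \"+10\": %d\n", parse_exponent_unchecked("+10", 3));
    return 0;
}
```

Saturating is enough here because the exponent only ever feeds a double: anything beyond a few hundred already rounds to 0 or inf, so a clamp of 19999 is observably identical to the true value while guaranteeing the multiply stays in range for any digit count. The checked parser still walks every digit so that callers see where the literal ends, which is what a strtod-style routine must report.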
[13 Mar 2017 1:22] Paul DuBois
Posted by developer:
 
Noted in 8.0.2 changelogs.

For some double-precision calculations, overflow could occur when
calculating the exponent part.