Bug #91959 UBSAN: signed integer overflow in lock_update_trx_age
Submitted: 10 Aug 2018 9:10 Modified: 14 May 2019 17:33
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: InnoDB storage engine Severity:S3 (Non-critical)
Version:8.0.14 OS:Any
Assigned to: CPU Architecture:Any

[10 Aug 2018 9:10] Shane Bester
Description:
Seen on trunk ubsan build:

[Server] mysqld: Version: '8.0.14-tr-ubsan'  (Built on 09 August 2018 with gcc (GCC) 8.0.1 20180220 (experimental)).
[Server] X Plugin ready for connections. Socket: '/tmp/mysqlx.sock' bind-address: '::' port: 33060
./storage/innobase/lock/lock0lock.cc:1312:12: runtime error: signed integer overflow: 1702094847 + 1702094848 cannot be represented in type 'int'
#0 in lock_update_trx_age ./storage/innobase/lock/lock0lock.cc:1312
#1 in lock_update_age ./storage/innobase/lock/lock0lock.cc:1407
#2 in RecLock::add_to_waitq ../storage/innobase/lock/lock0lock.cc:1687
#3 in lock_rec_lock_slow ./storage/innobase/lock/lock0lock.cc:1939
#4 in lock_clust_rec_read_check_and_lock ./storage/innobase/lock/lock0lock.cc:6131
#5 in sel_set_rec_lock ./storage/innobase/row/row0sel.cc:1174
#6 in row_search_mvcc ./storage/innobase/row/row0sel.cc:5075
#7 in ha_innobase::index_read ./storage/innobase/handler/ha_innodb.cc:8869
#8 in ha_innobase::index_first ./storage/innobase/handler/ha_innodb.cc:9209
#9 in ha_innobase::rnd_next ./storage/innobase/handler/ha_innodb.cc:9283
#10 in handler::ha_rnd_next ./sql/handler.cc:2822
#11 in TableScanIterator::Read() ./sql/records.cc:396
#12 in Sql_cmd_update::update_single_table ./sql/sql_update.cc:749
#13 in Sql_cmd_dml::execute ./sql/sql_select.cc:593
#14 in mysql_execute_command ./sql/sql_parse.cc:3316
#15 in mysql_parse ./sql/sql_parse.cc:5033
#16 in dispatch_command ./sql/sql_parse.cc:1677
#17 in do_command ./sql/sql_parse.cc:1233
#18 in handle_connection ./sql/conn_handler/connection_handler_per_thread.cc:303
#19 in pfs_spawn_thread ./../storage/perfschema/pfs.cc:2836

(gdb) list lock0lock.cc:1312
1307        return;
1308      }
1309
1310      ut_ad(trx->age_updated < lock_sys->mark_age_updated);
1311
1312      trx->age += age;
1313
1314      /* In an incorrect implementation the `trx->age` could grow exponentially due
1315      to double-counting trx's own weight when a cycle is formed in the
1316      wait-for graph. A correct implementation should keep the `trx->age` value
(gdb)

[x@x mysql-git]$ git log|more
commit d90fd101768538b261963822b87bb3c58f5eb7f6
Merge: 4ee8bcc b02f5de
Author: Neha Kumari <neha.n.kumari@oracle.com>
Date:   Thu Aug 9 17:49:22 2018 +0530

How to repeat:
Run a generic DML workload in many connections on a trunk UBSAN build. The more lock waits the better, it seems.

Suggested fix:
Make trx->age a 64-bit variable?
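The report shows `trx->age += age` evaluated on two `int` operands whose sum (1702094847 + 1702094848 = 3404189695) exceeds INT_MAX, which is undefined behaviour in C and C++, so the compiler is free to assume it never happens and the wrapped value can silently corrupt the scheduling weight. The following is an added example, not InnoDB's code: it uses a hypothetical stand-in struct with an `age` field, shows the exact operands from the UBSAN message tripping a checked addition on a 32-bit field, and shows the same operands accumulating without trouble once the field is widened to int64_t, which is the direction the suggested fix above points.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the transaction object in the report; this is
   not InnoDB's trx_t, only the one field the overflow concerns. */
typedef struct {
    int age;        /* 32-bit, as in the reported build */
} trx_narrow_t;

typedef struct {
    int64_t age;    /* widened accumulator */
} trx_wide_t;

/* Portable pre-check for signed 32-bit addition: true if a + b would
   leave the int range. Computed without ever performing the overflowing
   add, so it is itself free of undefined behaviour. */
bool add_would_overflow_int(int a, int b) {
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return false;
}

/* Checked accumulate on the narrow field. Returns true and leaves the
   field untouched when the sum does not fit; the caller decides whether
   to saturate, clamp or report. __builtin_add_overflow is a GCC/Clang
   builtin (assumed available here; add_would_overflow_int is the
   fallback for other compilers). */
bool trx_age_add_checked(trx_narrow_t *trx, int age) {
    int sum;
    if (__builtin_add_overflow(trx->age, age, &sum)) {
        return true;
    }
    trx->age = sum;
    return false;
}

/* Widened accumulate: two values that each fit in int can never overflow
   an int64_t when added, so the same operands are safe here. */
int64_t trx_age_add_wide(trx_wide_t *trx, int64_t age) {
    trx->age += age;
    return trx->age;
}

/* The exact operands quoted in the UBSAN message, run through both paths. */
bool reported_operands_overflow_int(void) {
    trx_narrow_t trx = { 1702094847 };
    return trx_age_add_checked(&trx, 1702094848);
}

int64_t reported_operands_widened(void) {
    trx_wide_t trx = { 1702094847 };
    return trx_age_add_wide(&trx, 1702094848);
}

int main(void) {
    printf("narrow field overflows: %s\n",
           reported_operands_overflow_int() ? "yes" : "no");
    printf("widened sum: %lld\n", (long long)reported_operands_widened());
    return 0;
}
```

Build with `-fsanitize=signed-integer-overflow` (or the full `-fsanitize=undefined`) to get the same runtime diagnostic the report shows for any addition that is not guarded this way; widening the field removes the overflow for these operand sizes, while the checked add is what you want where a bounded 32-bit value must be kept.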
[14 May 2019 17:33] Daniel Price
Posted by developer:
 
Fixed as of the upcoming 8.0.17 release, and here's the changelog entry:

Inaccuracies in the Variance-Aware Transaction Scheduling (VATS)
implementation raised a signed integer overflow error in an UBSan build of
MySQL.