TiDB and MySQL behave differently when union all cast('xxxx' as char) and a integer #56640

Closed
r33s3n6 opened this issue Oct 14, 2024 · 1 comment · Fixed by #57416
Labels
affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. affects-8.5 This bug affects the 8.5.x(LTS) versions. severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.


r33s3n6 commented Oct 14, 2024

1. Minimal reproduce step (Required)

select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
union all
select 1 where false;

2. What did you expect to see? (Required)

mysql> select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
    -> union all
    -> select 1 where false;
+----------------------------+
| c1                         |
+----------------------------+
| abcdefghijklmnopqrstuvwxyz |
+----------------------------+
1 row in set (0.01 sec)

3. What did you see instead (Required)

mysql> select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
    -> union all
    -> select 1 where false;

+----------------------+
| c1                   |
+----------------------+
| abcdefghijklmnopqrst |
+----------------------+
1 row in set, 1 warning (0.00 sec)

mysql> show warnings;

+---------+------+------------------------------------------+
| Level   | Code | Message                                  |
+---------+------+------------------------------------------+
| Warning | 1406 | Data Too Long, field len 20, data len 26 |
+---------+------+------------------------------------------+
1 row in set (0.00 sec)

4. What is your TiDB version? (Required)

Release Version: v8.4.0-alpha-370-gf773b6eeb4
Edition: Community
Git Commit Hash: f773b6eeb4593a3e2c998c265f491a016570a426
Git Branch: HEAD
UTC Build Time: 2024-10-11 02:08:09
GoVersion: go1.23.2
Race Enabled: false
Check Table Before Drop: false
Store: tikv

About us

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database logic errors.

@windtalker
Contributor

The root cause is in

if resultTp.EvalType() != types.ETInt && (a.EvalType() == types.ETInt || b.EvalType() == types.ETInt) && resultTp.GetFlen() < mysql.MaxIntWidth {
	resultTp.SetFlen(mysql.MaxIntWidth)
}

It tries to adjust the flen for integer, but it does not consider the case that flen() == -1, which actually means no length limit, so after the adjustment, the flen is set to 20, which is not expected.

@ti-chi-bot ti-chi-bot bot added the affects-8.5 This bug affects the 8.5.x(LTS) versions. label Nov 1, 2024
@zimulala zimulala self-assigned this Nov 15, 2024
@zimulala zimulala added affects-5.4 This bug affects the 5.4.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. and removed may-affects-5.4 This bug maybe affects 5.4.x versions. may-affects-6.1 may-affects-6.5 may-affects-7.1 may-affects-7.5 may-affects-8.1 affects-5.4 This bug affects the 5.4.x(LTS) versions. labels Nov 15, 2024
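
The root cause described in the comment above, modeled as an added example (not TiDB's code and not part of the thread). `fieldType`, `mergeFlen` and `store` are hypothetical names, and the guard shown is one possible check, not necessarily the change merged in #57416.

```go
package main

import "fmt"

// Constructed model; names are assumptions, not TiDB's real types or API.
const (
	unspecifiedLength = -1 // flen of -1: no length limit
	maxIntWidth       = 20 // the "field len 20" seen in the warning
)

type fieldType struct {
	isInt bool
	flen  int
}

// mergeFlen returns the flen of a non-integer UNION result column built from
// branches a and b. With guard=false it mirrors the condition quoted above;
// with guard=true it leaves an unspecified length alone.
func mergeFlen(result, a, b fieldType, guard bool) int {
	flen := result.flen
	needsIntWidth := !result.isInt && (a.isInt || b.isInt)
	if needsIntWidth && flen < maxIntWidth {
		if guard && flen == unspecifiedLength {
			return flen // "no limit" is already wide enough for any integer
		}
		flen = maxIntWidth
	}
	return flen
}

// store applies the column length to a value, as the result set would.
func store(v string, flen int) string {
	if flen != unspecifiedLength && len(v) > flen {
		return v[:flen] // silent truncation (warning 1406 in the report)
	}
	return v
}

func main() {
	str := fieldType{false, unspecifiedLength} // cast('...' as char)
	num := fieldType{true, 1}                  // select 1
	val := "abcdefghijklmnopqrstuvwxyz"
	fmt.Println(store(val, mergeFlen(str, str, num, false))) // unguarded
	fmt.Println(store(val, mergeFlen(str, str, num, true)))  // guarded
}
```

The unguarded call treats -1 as "narrower than 20" and shrinks an unlimited column, which is the truncation in the report; a column with an explicit short length is still widened in both modes.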