Open r33s3n6 opened 3 months ago
Reproduction simplified (note that -1 and 18446744073709551551 have the same binary representation):
```sql
create table t2(c text);
alter table t2 set tiflash replica 1;
insert into t2 values('abcd');

select /*+ read_from_storage(tikv[t2]) */ right(c, -1) from t2;
+--------------+
| right(c, -1) |
+--------------+
|              |
+--------------+
-- Correct

select /*+ read_from_storage(tiflash[t2]) */ right(c, -1) from t2;
+--------------+
| right(c, -1) |
+--------------+
|              |
+--------------+
-- Correct

select /*+ read_from_storage(tikv[t2]) */ right(c, 18446744073709551551) from t2;
+--------------------------------+
| right(c, 18446744073709551551) |
+--------------------------------+
|                                |
+--------------------------------+
-- Wrong

select /*+ read_from_storage(tiflash[t2]) */ right(c, 18446744073709551551) from t2;
+--------------------------------+
| right(c, 18446744073709551551) |
+--------------------------------+
| abcd                           |
+--------------------------------+
-- Correct

select /*+ read_from_storage(tikv[t2]) */ right(c, cast(-1 as unsigned)) from t2;
+--------------------------------+
| right(c, cast(-1 as unsigned)) |
+--------------------------------+
|                                |
+--------------------------------+
-- Wrong

select /*+ read_from_storage(tiflash[t2]) */ right(c, cast(-1 as unsigned)) from t2;
+--------------------------------+
| right(c, cast(-1 as unsigned)) |
+--------------------------------+
| abcd                           |
+--------------------------------+
-- Correct
```
The TiFlash result is correct for both signed and unsigned second arguments. The TiKV result (it is not pushed down, so it is actually TiDB's own implementation) is wrong when the second argument's MSB is 1 (negative when interpreted as a signed integer), no matter whether the parameter itself is signed or unsigned.
The reason is tidb always evaluates the second argument as a signed integer: https://github.com/pingcap/tidb/blob/7a18952eb1478ab459f4c9d6c35c741c85c3108c/pkg/expression/builtin_string.go#L597
We should interpret the second argument based on the unsigned flag in its type info as MySQL does: https://github.com/mysql/mysql-server/blob/824e2b4064053f7daf17d7f3f84b7a3ed92e5fb4/sql/item_strfunc.cc#L1514
This is a relative edge case so lowering the severity to major.
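The signedness problem described in the comment above, as an added Go example that is not TiDB's or MySQL's code: `rightSigned`, `rightFlagAware` and `tail` are hypothetical simplified models, and the three cases are constructed from the reproduction.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// tail returns the last n characters of s, or all of s when n covers it.
func tail(s string, n uint64) string {
	total := uint64(utf8.RuneCountInString(s))
	if n >= total {
		return s
	}
	return string([]rune(s)[total-n:])
}

// rightSigned (hypothetical) models the reported behaviour: the length is
// always read as int64, so an unsigned value with the MSB set looks negative.
func rightSigned(s string, lenBits uint64) string {
	if int64(lenBits) <= 0 {
		return ""
	}
	return tail(s, lenBits)
}

// rightFlagAware (hypothetical) reads the same 64 bits according to the
// argument's unsigned flag, as the issue proposes.
func rightFlagAware(s string, lenBits uint64, unsigned bool) string {
	if !unsigned && int64(lenBits) <= 0 {
		return ""
	}
	return tail(s, lenBits)
}

func main() {
	neg := int64(-1)
	cases := []struct {
		label    string
		bits     uint64
		unsigned bool
	}{
		{"-1 (signed)", uint64(neg), false},
		{"18446744073709551551 (unsigned)", 18446744073709551551, true},
		{"cast(-1 as unsigned)", uint64(neg), true},
	}
	for _, c := range cases {
		fmt.Printf("%-32s signed-only=%q flag-aware=%q\n", c.label,
			rightSigned("abcd", c.bits), rightFlagAware("abcd", c.bits, c.unsigned))
	}
}
```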
1. Minimal reproduce step (Required)
2. What did you expect to see? (Required)
3. What did you see instead (Required)
4. What is your TiDB version? (Required)
topology:
distributed.yaml:
about us
We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database logic error.