pingcap / tidb

TiDB - the open-source, cloud-native, distributed SQL database designed for modern applications.
https://pingcap.com
Apache License 2.0
37.17k stars 5.84k forks source link

TiDB and MySQL behave differently when union all `cast('xxxx' as char)` and a integer #56640

Open r33s3n6 opened 2 weeks ago

r33s3n6 commented 2 weeks ago

1. Minimal reproduce step (Required)

select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
union all
select 1 where false;

2. What did you expect to see? (Required)

mysql> select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
    -> union all
    -> select 1 where false;
+----------------------------+
| c1                         |
+----------------------------+
| abcdefghijklmnopqrstuvwxyz |
+----------------------------+
1 row in set (0.01 sec)

3. What did you see instead (Required)

mysql> select cast('abcdefghijklmnopqrstuvwxyz' as char) as c1
    -> union all
    -> select 1 where false;

+----------------------+
| c1                   |
+----------------------+
| abcdefghijklmnopqrst |
+----------------------+
1 row in set, 1 warning (0.00 sec)

mysql> show warnings;

+---------+------+------------------------------------------+
| Level   | Code | Message                                  |
+---------+------+------------------------------------------+
| Warning | 1406 | Data Too Long, field len 20, data len 26 |
+---------+------+------------------------------------------+
1 row in set (0.00 sec)

4. What is your TiDB version? (Required)

Release Version: v8.4.0-alpha-370-gf773b6eeb4
Edition: Community
Git Commit Hash: f773b6eeb4593a3e2c998c265f491a016570a426
Git Branch: HEAD
UTC Build Time: 2024-10-11 02:08:09
GoVersion: go1.23.2
Race Enabled: false
Check Table Before Drop: false
Store: tikv

about us

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database logic error.

windtalker commented 1 week ago

The root cause is in https://github.com/pingcap/tidb/blob/e13bfebaf0ecd18ef6fd2057869da7e2b2e734f2/pkg/planner/core/logical_plan_builder.go#L1557-L1559

It tries to adjust the flen for integer, but it does not consider the case that flen() == -1, which actually means no length limit, so after the adjustment, the flen is set to 20, which is not expected.