Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

min(truncate()) may lead to incorrect result #52978

Closed
r33s3n6 opened this issue Apr 29, 2024 · 11 comments · Fixed by #53075
Closed

min(truncate()) may lead to incorrect result #52978

r33s3n6 opened this issue Apr 29, 2024 · 11 comments · Fixed by #53075
Assignees
@yibin87
Labels
affects-5.4 This bug affects the 5.4.x(LTS) versions. affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.

Comments

@r33s3n6
Copy link

r33s3n6 commented Apr 29, 2024

1. Minimal reproduce step (Required)

Firstly, execute init.sql to create the table. Then executing error.sql yields unexpected results. Note that reproducing these results might not be entirely stable. Typically, it can be completed within three attempts. You can try executing error.sql multiple times or execute init.sql again to rebuild the table.
init.sql.txt
error.sql.txt

2. What did you expect to see? (Required)

The first column represents the minimum value of the c_ou2 column within each group,
the second column represents the maximum value of the c_ou2 column within each group,
and the third column represents the minimum value of truncate(-26340, c_ou2). If there exists a c_ou2 greater than 0, there should be a result of -26340, which is necessarily the minimum value.

3. What did you see instead (Required)

In the multi-node version: correct.
In the single-node version: The value in the third column of the second row is incorrectly 0; it should be -26340.

output_re_main2.log
output_re_single2.log

4. What is your TiDB version? (Required)

Release Version: v8.0.0
Edition: Community
Git Commit Hash: 8ba1fa452b1ccdbfb85879ea94b9254aabba2916
Git Branch: HEAD
UTC Build Time: 2024-03-28 14:22:15
GoVersion: go1.21.4
Race Enabled: false
Check Table Before Drop: false
Store: tikv

topology:

distributed.yaml:

global:
  user: "tidb"
  ssh_port: 22
  deploy_dir: "/tidb-deploy"
  data_dir: "/tidb-data"

pd_servers:
  - host: 10.0.2.31

tidb_servers:
  - host: 10.0.2.21

tikv_servers:
  - host: 10.0.2.11
  - host: 10.0.2.12
  - host: 10.0.2.13

monitoring_servers:
  - host: 10.0.2.8

grafana_servers:
  - host: 10.0.2.8

alertmanager_servers:
  - host: 10.0.2.8

tiflash_servers:
  - host: 10.0.2.32

single.yaml

global:
  user: "tidb"
  ssh_port: 22
  deploy_dir: "/tidb-deploy"
  data_dir: "/tidb-data"

pd_servers:
  - host: 10.0.2.73

tidb_servers:
  - host: 10.0.2.72

tikv_servers:
  - host: 10.0.2.71

tiflash_servers:
  - host: 10.0.2.74

about us

We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database logic error.
@r33s3n6 r33s3n6 added the type/bug The issue is confirmed as a bug. label Apr 29, 2024
@jebter jebter added the affects-8.1 This bug affects the 8.1.x(LTS) versions. label Apr 30, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

Reproduced locally with latest tidb version.

@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024
edited
Loading 

mysql> create table t2 (a int);
Query OK, 0 rows affected (0.13 sec)

mysql> insert into t2 values(-1790816583),(2049821819), (-1366665321), (536581933), (-1613686445);
Query OK, 5 rows affected (0.01 sec)
Records: 5  Duplicates: 0  Warnings: 0

mysql> SELECT min(truncate(cast(-26340 as double), ref_11.a)) as c3 FROM t2 as ref_11;
+------+
| c3   |
+------+
|    0 |
+------+
1 row in set (0.00 sec)

mysql> select truncate(cast(-26340 as double), ref_11.a) as c3 FROM t2 as ref_11;
+--------+
| c3     |
+--------+
|      0 |
| -26340 |
|      0 |
| -26340 |
|      0 |
+--------+
5 rows in set (0.01 sec)

The plan looks a little inefficiency but all right:

mysql> explain SELECT min(truncate(cast(-26340 as double), ref_11.a)) as c3 FROM t2 as ref_11;
+----------------------------------+---------+-----------+---------------+--------------------------------------------------+
| id                               | estRows | task      | access object | operator info                                    |
+----------------------------------+---------+-----------+---------------+--------------------------------------------------+
| StreamAgg_9                      | 1.00    | root      |               | funcs:min(Column#5)->Column#3                    |
| └─Projection_17                  | 1.00    | root      |               | truncate(-26340, test.t2.a)->Column#5            |
|   └─Projection_15                | 1.00    | root      |               | test.t2.a                                        |
|     └─TopN_10                    | 1.00    | root      |               | Column#4, offset:0, count:1                      |
|       └─Projection_16            | 5.00    | root      |               | test.t2.a, truncate(-26340, test.t2.a)->Column#4 |
|         └─TableReader_14         | 5.00    | root      |               | data:TableFullScan_13                            |
|           └─TableFullScan_13     | 5.00    | cop[tikv] | table:ref_11  | keep order:false, stats:pseudo                   |
+----------------------------------+---------+-----------+---------------+--------------------------------------------------+

@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/label affects-5.4

@ti-chi-bot ti-chi-bot bot added affects-5.4 This bug affects the 5.4.x(LTS) versions. and removed may-affects-5.4 This bug maybe affects 5.4.x versions. labels May 6, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/label affects-6.1

@ti-chi-bot ti-chi-bot bot added affects-6.1 This bug affects the 6.1.x(LTS) versions. and removed may-affects-6.1 labels May 6, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/label affects-6.5

@ti-chi-bot ti-chi-bot bot added affects-6.5 This bug affects the 6.5.x(LTS) versions. and removed may-affects-6.5 labels May 6, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/label affects-7.1

@ti-chi-bot ti-chi-bot bot added affects-7.1 This bug affects the 7.1.x(LTS) versions. and removed may-affects-7.1 labels May 6, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 6, 2024

/label affects-7.5

@ti-chi-bot ti-chi-bot bot added affects-7.5 This bug affects the 7.5.x(LTS) versions. and removed may-affects-7.5 labels May 6, 2024
@yibin87
Copy link
Contributor

yibin87 commented May 7, 2024

/assign @yibin87

@yibin87 yibin87 mentioned this issue May 7, 2024
Merged
13 tasks
ti-chi-bot bot pushed a commit that referenced this issue May 8, 2024
@yibin87
executor,types: Fix truncate function behavior when second param is l…
57b382b 
…arge negative (#53075)

close #52978
@yibin87
Copy link
Contributor

yibin87 commented May 8, 2024

/remove-severity critical

@yibin87
Copy link
Contributor

yibin87 commented May 8, 2024

/severity major

@yibin87
Copy link
Contributor

yibin87 commented May 8, 2024

Corner case for not common used 'truncate' function, change to major severity.

This was referenced May 9, 2024
Merged
Merged
ti-chi-bot bot pushed a commit that referenced this issue May 9, 2024
@ti-chi-bot
executor,types: Fix truncate function behavior when second param is l…
f8d7b96 
…arge negative (#53075) (#53124)

close #52978
ti-chi-bot bot pushed a commit that referenced this issue May 10, 2024
@ti-chi-bot
executor,types: Fix truncate function behavior when second param is l…
99f4d94 
…arge negative (#53075) (#53125)

close #52978
terry1purcell pushed a commit to terry1purcell/tidb that referenced this issue May 17, 2024
@yibin87 @terry1purcell
executor,types: Fix truncate function behavior when second param is l…
353afa0 
…arge negative (pingcap#53075)

close pingcap#52978
RidRisR pushed a commit to RidRisR/tidb that referenced this issue May 23, 2024
@yibin87 @RidRisR
executor,types: Fix truncate function behavior when second param is l…
6b35d1a 
…arge negative (pingcap#53075)

close pingcap#52978
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yibin87 yibin87

Labels
affects-5.4 This bug affects the 5.4.x(LTS) versions. affects-6.1 This bug affects the 6.1.x(LTS) versions. affects-6.5 This bug affects the 6.5.x(LTS) versions. affects-7.1 This bug affects the 7.1.x(LTS) versions. affects-7.5 This bug affects the 7.5.x(LTS) versions. affects-8.1 This bug affects the 8.1.x(LTS) versions. severity/major sig/execution SIG execution type/bug The issue is confirmed as a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

executor,types: Fix truncate function behavior when second param is large negative yibin87/tidb
3 participants
@jebter @yibin87 @r33s3n6