expression, types: freeze unsafe datetime warning args

[D3Hunter]

What problem does this PR solve?

Issue Number: close #66834, close #56311, close #65231

Problem Summary:

SUBTIME/ADDTIME warning texts can become nondeterministic when the datetime input string comes from chunk-backed zero-copy memory. The warning message is formatted later, after chunk buffers may be reused, so the error argument can be corrupted and flaky tests appear as random warning values.

in pingcap/errors#82, we support freeze string args

What changed and how does it work?

1. Add string wrappers in pkg/types:
   • types.PlainStr for normal stable strings.
   • types.HackedStr for potentially aliased/unsafe strings; it implements FreezeStr() so pingcap/errors can snapshot arguments.
2. Add types.ParseTimeWithString and route internal datetime parse paths to accept types.String wrappers.
3. Update warning/error-producing datetime parse paths (parseDatetime, timestamp DST adjustment) to pass wrapped string args instead of raw strings.
4. Switch strDatetimeAddDuration and strDatetimeSubDuration to call ParseTimeWithString(..., types.HackedStr(d), ...), so warnings generated from chunk-backed inputs are frozen.
5. Add regression test TestStrDatetimeAddDurationFreezesWarningArg to verify warning args do not mutate after backing buffer rewrite.
6. Bump github.com/pingcap/errors to v0.11.5-0.20260310054046-9c8b3586e4b2 (includes hacked-string freezing support) and sync Bazel metadata.

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No need to test

  • I checked and no code files have been changed.

Manual verification steps:

# Unit (failpoint package)
make failpoint-enable && (
  pushd pkg/expression >/dev/null
  go test -run TestStrDatetimeAddDurationFreezesWarningArg -tags=intest,deadlock
  popd >/dev/null
); rc=$?; make failpoint-disable; exit $rc

# Required for go.mod/go.sum changes
make bazel_prepare

# Repo required lint
make lint

# Real cluster verification
make server
tiup playground nightly --mode tikv-slim --tag codex-verify-errors-freeze --without-monitor --db 1 --kv 1 --pd 1 --port-offset 13000 --db.binpath ./bin/tidb-server --db.timeout 60
# Then run SQL setup and 1000-loop warning check against 127.0.0.1:17000

Real cluster result:

• 1000 iterations, mismatch_count=0

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Fix nondeterministic `SUBTIME`/`ADDTIME` warning text caused by chunk-backed string alias reuse by freezing unsafe string arguments in datetime parse warnings.

Summary by CodeRabbit

• New Features

  • Introduced a lightweight string abstraction with a "freeze" capability and a new time-parsing path that accepts wrapped strings for safer handling of mutable inputs.

• Bug Fixes

  • Ensured datetime-related warnings remain stable and accurate even when input buffers are mutated.

• Tests

  • Added a test to verify warnings preserve original message content when inputs change.

• Chores

  • Updated dependencies including pingcap/errors and stretchr/testify.

[pantheon-ai]

❌ Failed to Create Project

We encountered an error while creating your project. Please try again or contact support if the issue persists.

[tiprow]

Hi @D3Hunter. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: e96a0e42-2f76-4c1c-bc33-5e1a1da2307c

📥 Commits

Reviewing files that changed from the base of the PR and between ef56824 and 76b33e6.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• pkg/util/gctuner/memory_limit_tuner_test.go

---

📝 Walkthrough

Walkthrough

This change introduces a lightweight string abstraction (String, PlainStr, HackedStr with FreezeStr) and switches time parsing APIs to accept the abstraction to freeze warning arguments; it adds a unit test for warning stability and updates two Go dependencies (pingcap/errors, stretchr/testify).

Changes

Cohort / File(s)	Summary
Dependency Updates DEPS.bzl, go.mod	Bumped com_github_pingcap_errors and com_github_stretchr_testify: updated sha256, strip_prefix, and ZIP urls / upgraded testify to v1.11.1.
String Abstraction pkg/types/string.go, pkg/types/BUILD.bazel	Added String interface, PlainStr, and HackedStr types; HackedStr.FreezeStr() clones strings to detach from mutable backing storage; included new source in BUILD.
Time Parsing Safety pkg/types/time.go, pkg/expression/builtin_time.go	Added ParseTimeWithString(ctx, str types.String, ...) and updated datetime add/sub routines to call ParseTimeWithString with types.HackedStr(...) to allow freezing warning args.
Tests pkg/expression/builtin_time_test.go	Added TestStrDatetimeAddDurationFreezesWarningArg and new imports (contextutil, hack) to assert warnings capture frozen string values despite mutating input buffers.
GC-related test tweak pkg/util/gctuner/memory_limit_tuner_test.go	Added explicit runtime.GC() calls inside GC-related require.Eventually checks.

Sequence Diagram(s)

sequenceDiagram
    participant Chunk as Chunk (mutable)
    participant Expr as Expr (strDatetimeAdd/Sub)
    participant HStr as HackedStr
    participant Types as ParseTimeWithString
    participant ErrCtx as Warning (errors)

    Chunk->>Expr: GetString(i) (zero-copy)
    Expr->>HStr: wrap input as HackedStr
    Expr->>Types: ParseTimeWithString(ctx, HStr, ...)
    Types->>HStr: call FreezeStr()
    HStr->>Types: return frozen cloned string
    Types->>ErrCtx: AppendWarning(frozen string)
    Note over ErrCtx: Warning args now independent of chunk memory

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

approved, lgtm

Poem

🐰 Strings leapt from mutable hay to light,

Warnings once slippery now held tight.
HackedStr whispers, "Clone me, make me free,"
FreezeStr taps back memory's shaky spree —
Now errors bloom steady, safe in sight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: freezing unsafe datetime warning arguments to prevent corruption.
Description check	✅ Passed	The description follows the template with all required sections: issue numbers, problem summary, detailed explanation of changes, checkmarks for tests performed, and a release note.
Linked Issues check	✅ Passed	All code changes directly address the linked issues: implementing string freezing for datetime warnings (#66834), fixing TestIssue48756 flakiness (#56311, #65231) by preventing chunk-backed string corruption.
Out of Scope Changes check	✅ Passed	All changes are in scope: string wrapper types, ParseTimeWithString API, builtin_time updates, test additions, dependency updates, and BUILD file changes all directly support the warning-freezing objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Command failed

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[hawkingrei]

/ok-to-test

[D3Hunter]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/expression/builtin_time.go`:
- Line 4824: The duration parsing paths still pass the raw string into
types.ParseDuration, which can produce ErrTruncatedWrongVal that embeds the
input and reintroduces the warning mutation vulnerability; update the two
helpers strDurationAddDuration and strDurationSubDuration to wrap the d
parameter with types.HackedStr (i.e. call types.ParseDuration(tc,
types.HackedStr(d), ...)) before parsing, mirroring the datetime fix you applied
for ParseTimeWithString, and add regression tests covering duration-shaped
inputs to ensure warnings no longer expose the raw string.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 778dbe31-10dd-469d-a4b4-540d3440df2e

📥 Commits

Reviewing files that changed from the base of the PR and between 88db262 and ef56824.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (7)

• DEPS.bzl
• go.mod
• pkg/expression/builtin_time.go
• pkg/expression/builtin_time_test.go
• pkg/types/BUILD.bazel
• pkg/types/string.go
• pkg/types/time.go

[windtalker]

lgtm

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: windtalker
Once this PR has been reviewed and has the lgtm label, please assign bb7133, windtalker for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS [windtalker]

  Need more approvers for rest parts.

• pkg/expression/OWNERS [windtalker]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-03-10 07:56:55.704977265 +0000 UTC m=+336847.217034946: ☑️ agreed by windtalker.

[codecov]

Codecov Report

❌ Patch coverage is 64.70588% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.1740%. Comparing base (bcac449) to head (b127235).
⚠️ Report is 9 commits behind head on master.

⚠️ Current head b127235 differs from pull request most recent head 76b33e6

Please upload reports for the commit 76b33e6 to get more accurate results.

Additional details and impacted files

@@               Coverage Diff                @@
##             master     #66870        +/-   ##
================================================
- Coverage   77.6758%   77.1740%   -0.5019%     
================================================
  Files          2009       1930        -79     
  Lines        549988     539955     -10033     
================================================
- Hits         427208     416705     -10503     
- Misses       121071     122952      +1881     
+ Partials       1709        298      -1411     

Flag	Coverage Δ
integration	41.1219% <64.7058%> (-7.0659%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
dumpling	56.7974% <ø> (ø)
parser	∅ <ø> (∅)
br	48.8337% <ø> (-12.0920%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ti-chi-bot]

@D3Hunter: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-unit-test-next-gen	b127235	link	true	/test pull-unit-test-next-gen
idc-jenkins-ci-tidb/unit-test	b127235	link	true	/test unit-test
idc-jenkins-ci-tidb/check_dev_2	b127235	link	true	/test check-dev2
idc-jenkins-ci-tidb/mysql-test	b127235	link	true	/test mysql-test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[D3Hunter]

Adding runtime.GC() here makes this polling deterministic. After dependency updates (especially testify timing behavior), this test no longer always gets enough GC opportunities within the original wait window, causing flakes/timeouts even when tuner logic is correct.

[tiprow]

@D3Hunter: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
fast_test_tiprow	76b33e6	link	true	/test fast_test_tiprow

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.