mysql: compute civil date from day count so pre-1970 Date params don't abort

[alii]

Binding a pre-1970 Date to a MySQL prepared-statement parameter aborted the whole process. gregorian_date(days) walked year/month forward with loops that assume days >= 0, so for a negative day count it fell through to u8::try_from(d + 1).expect(...) with a negative value and panicked (uncatchable in release).

Replace the loop with Howard Hinnant's branch-free civil_from_days (era arithmetic, div_euclid for correct floor division on negative counts). It's correct for any day count, so pre-1970 dates now produce the right calendar date instead of crashing — and it also fixes the latent wrong-date behavior the old code shared with the Zig version (e.g. 1969-12-31 → day 31, not day 0). The year is clamped into the wire format's u16 instead of panicking on an out-of-range value.

Adds a mock-MySQL-server test that round-trips several pre-1970 dates.

[alii]

@robobun adopt

[robobun]

^{Updated 7:33 PM PT - Jun 1st, 2026}

❌ @robobun, your commit e3ba13f has 9 failures in Build #59642 (All Failures):

• test/js/bun/test/parallel/test-docker-build-debian.ts - code 1 on 🍎 26 aarch64
• test/js/bun/test/parallel/test-docker-build-debian.ts - code 1 on 🍎 14 aarch64
• test/js/bun/test/parallel/test-docker-build-alpine.ts - code 1 on 🍎 26 aarch64
• test/js/bun/test/parallel/test-docker-build-alpine.ts - code 1 on 🍎 14 aarch64
• test/js/bun/test/parallel/test-docker-build-distroless.ts - code 1 on 🍎 26 aarch64
• test/js/bun/test/parallel/test-docker-build-distroless.ts - code 1 on 🍎 14 aarch64
• test/js/bun/test/parallel/test-docker-build-debian-slim.ts - code 1 on 🍎 26 aarch64
• test/js/bun/test/parallel/test-docker-build-debian-slim.ts - code 1 on 🍎 14 aarch64
• test/regression/issue/21311.test.ts - code 1 on 🍎 14 x64
• test/js/web/websocket/websocket-proxy.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql-postgres-datetime-roundtrip.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql-mysql.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql-mysql.test.ts - code 1 on 🍎 26 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 31209

That installs a local version of the PR into your bun-31209 executable, so you can run:

bun-31209 --bun

[robobun]

Updated to latest main and re-ran CI as requested. Investigated the red darwin lanes on build 59642 via its failure annotations — none of the failures are from this PR; the pre-1970/date tests all pass:

• sql-mysql.test.ts on darwin: 317 pass, 2 fail — this PR's tests pass; the 2 failures are the pre-existing MySQL 9 > Idle timeout … tests dying with ERR_MYSQL_CONNECTION_TIMEOUT (the mysql:9 container didn't accept connections within 5s/30s on the loaded runner — connect-time flake, nothing in this diff touches connection establishment).
• Postgres failures (sql.test.ts, sql-postgres-datetime-roundtrip.test.ts, regression/issue/21311.test.ts): role "bun_sql_test" does not exist / fixture never reached CONNECTED — the postgres container init didn't run on the macOS runner. Postgres-side, from main.
• websocket-proxy.test.ts: squid container fails to start — docker bind-mount error ("mount a directory onto a file") on the macOS runner.
• 4× test/js/bun/test/parallel/test-docker-build-*.ts: unknown flag: --progress — the darwin runners' docker CLI is the legacy builder without buildx, so these fail for any PR on those machines.

All 69 non-darwin lanes are green (including Linux ASAN, which runs this PR's tests under sanitizers). Everything red is macOS docker-infra or container-timing flake. I've spent my one re-roll already, so I'll leave CI as-is rather than spam retriggers — the diff itself is green and ready to merge.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 70cf65f2-94d6-49d0-960f-29cab4205a92

📥 Commits

Reviewing files that changed from the base of the PR and between 2407e24 and 331258f.

📒 Files selected for processing (2)

• src/sql_jsc/mysql/MySQLValue.rs
• test/js/sql/sql-mysql.test.ts

---

Walkthrough

This PR fixes MySQL DATETIME support for dates before 1970 by replacing an iterative calendar algorithm with 400-year-era arithmetic, making DateTime::from_unix_timestamp fallible to validate years fit MySQL's unsigned 16-bit range, and adding integration tests that verify pre-1970 round-trip fidelity and out-of-range year rejection.

Changes

Pre-1970 Date Support with Range Validation

Layer / File(s)	Summary
Calendar date algorithm for pre-1970 support src/sql_jsc/mysql/MySQLValue.rs	Replaced loop-based day-to-calendar conversion with Howard Hinnant 400-year-era arithmetic; computes proleptic year, month, day directly and handles negative day counts for dates before 1970.
Fallible DateTime conversion and year-range validation src/sql_jsc/mysql/MySQLValue.rs	DateTime::from_unix_timestamp now accepts global_object and returns Result, validating computed proleptic year fits u16 bounds and throwing JS/MySQL error when out of range. DateTime::from_js propagates fallibility for both date and numeric inputs.
Pre-1970 date and range validation tests test/js/sql/sql-mysql.test.ts	Process timezone pinned to UTC before imports. Containerized test inserts multiple pre-1970 Date values and leap-day 2024 case into DATETIME column and verifies select returns matching Date objects. Rejection test ensures Date with year 70000 fails during binding with year-specific error.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides clear context on the problem (abort on negative day counts), the solution (Howard Hinnant's algorithm), and the testing approach. However, it is incomplete against the repository's description template, which requires explicit sections for 'What does this PR do?' and 'How did you verify your code works?'	Restructure the description to follow the template: add 'What does this PR do?' and 'How did you verify your code works?' as explicit sections with the existing content reorganized accordingly.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: fixing pre-1970 Date parameters to MySQL by replacing the broken loop-based gregorian_date with Howard Hinnant's civil_from_days algorithm.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch ali/mysql-pre1970-date-abort

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/sql_jsc/mysql/MySQLValue.rs`:
- Around line 849-853: The code currently clamps proleptic years to 0..=65535
after using civil_from_days (silently collapsing distinct timestamps); instead,
detect when the computed year is outside the valid u16 range and return an error
rather than saturating: in src/sql_jsc/mysql/MySQLValue.rs (the Date/DateTime ->
MySQL wire conversion using civil_from_days) remove the collapse-to-0000/65535
logic and propagate a failure (Err) from the DateTime conversion path with a
descriptive InvalidDate/OutOfRange error when year < 0 or year > 65535; ensure
callers of the conversion (the DateTime conversion path) handle/propagate that
error accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e60b66d9-e7e3-4802-86be-45952ab1fbc6

📥 Commits

Reviewing files that changed from the base of the PR and between 346ce08 and 2407e24.

📒 Files selected for processing (2)

• src/sql_jsc/mysql/MySQLValue.rs
• test/js/sql/sql-mysql-pre1970-date.test.ts

[claude]

LGTM — faithful port of Hinnant's civil_from_days fixing a process abort; the inline nit about test TZ-dependence is non-blocking since bun test defaults to UTC.

Extended reasoning...

Overview

This PR replaces the gregorian_date(days: i32) helper in src/sql_jsc/mysql/MySQLValue.rs with Howard Hinnant's well-known civil_from_days algorithm, and adds a ~220-line mock-MySQL-server test that round-trips several pre-1970 Date parameters. The old implementation walked forward from 1970 with loops that assumed a non-negative day count, so any pre-1970 Date bound as a prepared-statement parameter fell through to u8::try_from(negative).expect(...) and aborted the process.

Security risks

None. This is pure integer date arithmetic on a value derived from a JS Date's epoch milliseconds. There is no parsing of untrusted network input, no auth/crypto/permissions, and the only behavioral change beyond the bug fix is replacing a panic on out-of-u16-range proleptic years with a clamp — strictly safer than the previous expect.

Level of scrutiny

Low-to-moderate. The production change is ~25 lines in a single self-contained leaf function, and it is a line-for-line transcription of a published, widely-cited algorithm (era = z.div_euclid(146097) for correct floor division on negatives; all subsequent divisions are on u32 so truncating / is correct). I spot-checked the constants and structure against the reference and they match. The removed is_leap_year/days_in_month helpers had no other callers in this file. The test file is larger but is test-only infrastructure exercising the encode path that previously crashed.

Other factors

The bug-hunting system flagged one nit: the test's round-trip assertion relies on encode (UTC) and decode (local time via gregorian_date_time_to_ms → WTF::LocalTime) agreeing, which only holds when the process TZ is UTC. Since bun test defaults JSC's timezone to Etc/UTC when TZ is unset, CI is unaffected; this is a developer-environment robustness suggestion, not a correctness issue with the fix. No CODEOWNERS cover these paths and there are no outstanding reviewer comments. Given the fix turns a hard process abort into correct behavior using a textbook algorithm, I'm comfortable approving.

[alii]

We should use a real mysql server. CI has one and @robobun your docker container should also have one. Look for the other mysql tests to see how that works.

[alii]

Reworked the test to use a real MySQL server (per review) — it now lives in sql-mysql.test.ts behind the docker-gated container and round-trips pre-1970 DATETIME values; validated locally against mariadb. Also, out-of-range years now return an error instead of being silently clamped. @robobun adopt

[claude]

All earlier review feedback has been addressed and I didn't find new issues, but this has grown beyond a localized date-math fix — the run() errguard change in JSMySQLQuery.rs alters error-path state transitions, and process.env.TZ is now pinned file-wide in sql-mysql.test.ts — so it's worth a human pass (CI is also showing failures on the latest build).

Extended reasoning...

Overview

The PR replaces the loop-based gregorian_date with Howard Hinnant's civil_from_days so pre-1970 Date parameters no longer abort, and over several review rounds has accumulated: a fallible DateTime::from_unix_timestamp with u16 year / i32 day range rejection, a check_finite_ms guard for Invalid Date, a .min(999) clamp on the sub-second residual, removal of the q.fail() call from JSMySQLQuery::run's errguard (to fix a swallowed-rejection hang on the prepare-then-execute path), a new real-server regression test file, three new tests in sql-mysql.test.ts, and a file-level process.env.TZ = "Etc/UTC" pin in that shared test file.

Security risks

None identified. Inputs are JS Date/number values flowing into the MySQL binary protocol encoder; the changes replace panics with catchable errors and tighten input validation. No auth, crypto, permissions, or untrusted-string handling is touched.

Level of scrutiny

Medium-high. The Hinnant algorithm itself is well-known and the transcription looks correct, but two pieces reach beyond pure date math: (1) the JSMySQLQuery::run errguard no longer flips the query to Fail on the error path — the in-code comment argues both callers (do_run and the request-queue advance() → on_error → reject_with_js_value) settle the promise themselves, and that checks out against the surrounding code, but it's a subtle state-machine change worth a maintainer's eye; (2) pinning TZ at the top of sql-mysql.test.ts affects every test in that ~900-line file, not just the new ones.

Other factors

All four of my earlier inline comments (TZ-dependent assertion, unguarded i32::try_from(days).expect(), Invalid-Date-as-epoch, ms * 1000 debug overflow) were addressed in follow-up commits, and robobun reports the new tests were verified fail-before/pass-after against a real MySQL. The bug-hunting system found nothing new this round. However, robobun's status comment shows Build #58415 failing on the latest pushed commits, which on its own is reason not to auto-approve.

[alii]

@robobun this was green earlier but CI went red after main moved (a single sub-job failing — looks flaky/infra). Please rebase onto main and re-run CI; if a test genuinely fails, investigate and fix it.