Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w0yJe-002NLZ-20 for pgsql-bugs@arkaria.postgresql.org; Fri, 13 Mar 2026 08:56:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w0yJc-002i9D-1f for pgsql-bugs@arkaria.postgresql.org; Fri, 13 Mar 2026 08:56:17 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w0szW-001WvG-2Z for pgsql-bugs@lists.postgresql.org; Fri, 13 Mar 2026 03:15:11 +0000 Received: from mahout.postgresql.org ([2001:4800:3e1:1::227]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1w0szU-00000001sJt-3C4M for pgsql-bugs@lists.postgresql.org; Fri, 13 Mar 2026 03:15:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:Cc:From:To:Subject: Content-Transfer-Encoding:MIME-Version:Content-Type:Sender:Content-ID: Content-Description:In-Reply-To:References; bh=ki31rTXCsskPhDIDApKfSXH4IWv8CmMymUraGBYi+P4=; b=ewDIN8yXd6DoD/oVS0nKjXB7jr 74GMQu/F356z8AuVzWbSYbKdC5lHXuXOzyS9SmCOriK2QR8ywHLJ2pKwibhEOjTjVIWnnIE//lnUI HMSwXgSfDZhWQxIt5GNvnKf+kuUWhPyiOC6C7ypa0qH57t+KBizl3uW4+JsCEMFrNQ9eHKMIgbO1Z WerNsm2za5MXdo6hXXQFZZxXMWcUxHmtUXwqZuqSRQr28VgV6vORU966zaAHUmOUu4s0XmItO+3h/ ykIPN90OBa9Dw2u+wAE+HNYYkVV4RkGGPAkplqLSdEjSEXW4CO3N+J5oY7A7fSSbPdXx4F0aM5Hmk RKZ7o6eA==; Received: from wrigleys.postgresql.org ([2a02:16a8:dc51::60]) by mahout.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w0szS-004ge9-1O for pgsql-bugs@lists.postgresql.org; Fri, 13 Mar 2026 03:15:08 +0000 Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org) by wrigleys.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w0szO-009QT2-31 for pgsql-bugs@lists.postgresql.org; Fri, 13 Mar 2026 03:15:04 +0000 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Subject: BUG #19433: json_object_agg_unique Crashes When Used as Window Function To: pgsql-bugs@lists.postgresql.org From: PG Bug reporting form Cc: 303677365@qq.com Reply-To: 303677365@qq.com, pgsql-bugs@lists.postgresql.org Date: Fri, 13 Mar 2026 03:14:26 +0000 Message-ID: <19433-74818a14ca269428@postgresql.org> X-Auto-Response-Suppress: All Auto-Submitted: auto-generated List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk The following bug has been logged on the website: Bug reference: 19433 Logged by: chunling qin Email address: 303677365@qq.com PostgreSQL version: 15.0 Operating system: centos Description: =20 ## Summary `json_object_agg_unique()` causes a segmentation fault when used as a window function with `ORDER BY` clause. The crash occurs due to a use-after-free bug where the internal hash table pointer is accessed after being freed. --- ## Environment | Item | Value | |------|-------| | PostgreSQL Version | 15devel (development build) | | Commit | 7103ebb7aa | | Platform | x86_64-pc-linux-gnu | | Test Date | 2026-03-13 | ## Steps to Reproduce ### 1. Create Test Table ```sql CREATE TABLE test_json_window (partkey int, key text, value text); INSERT INTO test_json_window VALUES (1, 'k1', 'v1'), (1, 'k2', 'v2'), (1, 'k3', 'v3'), (2, 'k4', 'v4'), (2, 'k5', 'v5'); ``` ### 2. Trigger Crash ```sql -- This query causes segmentation fault SELECT partkey, key, json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY key) AS result FROM test_json_window; ``` ### 3. Expected vs Actual Behavior | Scenario | Result | |----------|--------| | Without `ORDER BY` | Works correctly | | With `ORDER BY` | Server crashes (SIGSEGV) | --- ## Error Output ``` 2026-03-13 11:06:13.546 CST [345156] LOG: server process (PID 345761) was terminated by signal 11: Segmentation fault 2026-03-13 11:06:13.546 CST [345156] DETAIL: Failed process was running: SELECT partkey, key, json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY key) AS result FROM test_json_window; ``` --- ## Stack Trace ``` #0 0x0000560eacfc155d in hash_search (hashp=3D0x560eb4bc7530, keyPtr=3D0x7fff9e580f38, action=3DHASH_ENTER, foundPtr=3D0x7fff9e580f37) at dynahash.c:961 #1 0x0000560eacdd4ca8 in json_unique_check_key (cxt=3D0x560eb4bab428, key=3D0x560eb4bab4af "\"k2\"", object_id=3D0) at json.c:1010 #2 0x0000560eacdd3fd0 in json_object_agg_transfn_worker (fcinfo=3D0x7fff9e581088, absent_on_null=3Dfalse, unique_keys=3Dtrue) at json.c:1164 #3 0x0000560eacdd41ee in json_object_agg_unique_transfn (fcinfo=3D0x7fff9e581088) at json.c:1210 #4 0x0000560eac9aa4b8 in advance_windowaggregate (winstate=3D0x560eb4b9ab0= 8, perfuncstate=3D0x560eb4bb0fa0, peraggstate=3D0x560eb4b9c630) at nodeWindowAgg.c:345 #5 0x0000560eac9a9163 in eval_windowaggregates (winstate=3D0x560eb4b9ab08)= at nodeWindowAgg.c:964 #6 0x0000560eac9a125e in ExecWindowAgg (pstate=3D0x560eb4b9ab08) at nodeWindowAgg.c:2207 #7 0x0000560eac91dae6 in ExecProcNode (node=3D0x560eb4b9ab08) at ../../../src/include/executor/executor.h:259 ... ```