BUG #19433: json_object_agg_unique Crashes When Used as Window Function

public inbox for [email protected]  
help / color / mirror / Atom feed

BUG #19433: json_object_agg_unique Crashes When Used as Window Function
3+ messages / 3 participants
[nested] [flat]

* BUG #19433: json_object_agg_unique Crashes When Used as Window Function
@ 2026-03-13 03:14 PG Bug reporting form <[email protected]>
  2026-03-13 10:41 ` Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function Dmitry Dolgov <[email protected]>
  2026-03-15 21:27 ` Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function Tom Lane <[email protected]>
  0 siblings, 2 replies; 3+ messages in thread

From: PG Bug reporting form @ 2026-03-13 03:14 UTC (permalink / raw)
  To: [email protected]; +Cc: [email protected]

The following bug has been logged on the website:

Bug reference:      19433
Logged by:          chunling qin
Email address:      [email protected]
PostgreSQL version: 15.0
Operating system:   centos
Description:        

## Summary

`json_object_agg_unique()` causes a segmentation fault when used as a window
function with `ORDER BY` clause. The crash occurs due to a use-after-free
bug where the internal hash table pointer is accessed after being freed.

---

## Environment

| Item | Value |
|------|-------|
| PostgreSQL Version | 15devel (development build) |
| Commit | 7103ebb7aa |
| Platform | x86_64-pc-linux-gnu |
| Test Date | 2026-03-13 |

## Steps to Reproduce

### 1. Create Test Table

```sql
CREATE TABLE test_json_window (partkey int, key text, value text);

INSERT INTO test_json_window VALUES
  (1, 'k1', 'v1'),
  (1, 'k2', 'v2'),
  (1, 'k3', 'v3'),
  (2, 'k4', 'v4'),
  (2, 'k5', 'v5');
```

### 2. Trigger Crash

```sql
-- This query causes segmentation fault
SELECT
  partkey,
  key,
  json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY
key) AS result
FROM test_json_window;
```

### 3. Expected vs Actual Behavior

| Scenario | Result |
|----------|--------|
| Without `ORDER BY` | Works correctly |
| With `ORDER BY` | Server crashes (SIGSEGV) |

---

## Error Output

```
2026-03-13 11:06:13.546 CST [345156] LOG:  server process (PID 345761) was
terminated by signal 11: Segmentation fault
2026-03-13 11:06:13.546 CST [345156] DETAIL:  Failed process was running:
SELECT
  partkey,
  key,
  json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY
key) AS result
FROM test_json_window;
```

---

## Stack Trace

```
#0  0x0000560eacfc155d in hash_search (hashp=0x560eb4bc7530,
keyPtr=0x7fff9e580f38,
    action=HASH_ENTER, foundPtr=0x7fff9e580f37) at dynahash.c:961
#1  0x0000560eacdd4ca8 in json_unique_check_key (cxt=0x560eb4bab428,
    key=0x560eb4bab4af "\"k2\"", object_id=0) at json.c:1010
#2  0x0000560eacdd3fd0 in json_object_agg_transfn_worker
(fcinfo=0x7fff9e581088,
    absent_on_null=false, unique_keys=true) at json.c:1164
#3  0x0000560eacdd41ee in json_object_agg_unique_transfn
(fcinfo=0x7fff9e581088) at json.c:1210
#4  0x0000560eac9aa4b8 in advance_windowaggregate (winstate=0x560eb4b9ab08,
    perfuncstate=0x560eb4bb0fa0, peraggstate=0x560eb4b9c630) at
nodeWindowAgg.c:345
#5  0x0000560eac9a9163 in eval_windowaggregates (winstate=0x560eb4b9ab08) at
nodeWindowAgg.c:964
#6  0x0000560eac9a125e in ExecWindowAgg (pstate=0x560eb4b9ab08) at
nodeWindowAgg.c:2207
#7  0x0000560eac91dae6 in ExecProcNode (node=0x560eb4b9ab08)
    at ../../../src/include/executor/executor.h:259
...
```








^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function
  2026-03-13 03:14 BUG #19433: json_object_agg_unique Crashes When Used as Window Function PG Bug reporting form <[email protected]>
@ 2026-03-13 10:41 ` Dmitry Dolgov <[email protected]>
  1 sibling, 0 replies; 3+ messages in thread

From: Dmitry Dolgov @ 2026-03-13 10:41 UTC (permalink / raw)
  To: [email protected]; [email protected]

> On Fri, Mar 13, 2026 at 03:14:26AM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      19433
> Logged by:          chunling qin
> Email address:      [email protected]
> PostgreSQL version: 15.0
> Operating system:   centos
> Description:        
> 
> ## Summary
> 
> `json_object_agg_unique()` causes a segmentation fault when used as a window
> function with `ORDER BY` clause. The crash occurs due to a use-after-free
> bug where the internal hash table pointer is accessed after being freed.
> 
> ---
> 
> ## Environment
> 
> | Item | Value |
> |------|-------|
> | PostgreSQL Version | 15devel (development build) |
> | Commit | 7103ebb7aa |
> | Platform | x86_64-pc-linux-gnu |
> | Test Date | 2026-03-13 |

I think the problem you describe was fixed in 4eb97988796, which became
part of REL_15_RC1.






^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function
  2026-03-13 03:14 BUG #19433: json_object_agg_unique Crashes When Used as Window Function PG Bug reporting form <[email protected]>
@ 2026-03-15 21:27 ` Tom Lane <[email protected]>
  1 sibling, 0 replies; 3+ messages in thread

From: Tom Lane @ 2026-03-15 21:27 UTC (permalink / raw)
  To: [email protected]; +Cc: [email protected]

PG Bug reporting form <[email protected]> writes:
> The following bug has been logged on the website:
> Bug reference:      19433
> Logged by:          chunling qin
> Email address:      [email protected]
> PostgreSQL version: 15.0
> Operating system:   centos

It is not helpful to send us inaccurate bug reports against old
versions of Postgres, especially old development versions.

In this case, your report of "15.0" is incorrect, and so is this:

> | PostgreSQL Version | 15devel (development build) |
> | Commit | 7103ebb7aa |

How do I know?  Because json_object_agg_unique() didn't exist
before v16.

You're wasting our time and yours by sending such inaccurate
and outdated reports.  Please make sure that bug reports
can be reproduced against latest Postgres release versions or
very recent master branch.

			regards, tom lane

^ permalink  raw  reply  [nested|flat] 3+ messages in thread

end of thread, other threads:[~2026-03-15 21:27 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2026-03-13 03:14 BUG #19433: json_object_agg_unique Crashes When Used as Window Function PG Bug reporting form <[email protected]>
2026-03-13 10:41 ` Dmitry Dolgov <[email protected]>
2026-03-15 21:27 ` Tom Lane <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox