Discussion: BUG #19433: json_object_agg_unique Crashes When Used as Window Function


BUG #19433: json_object_agg_unique Crashes When Used as Window Function

From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      19433
Logged by:          chunling qin
Email address:      303677365@qq.com
PostgreSQL version: 15.0
Operating system:   centos
Description:

## Summary

`json_object_agg_unique()` causes a segmentation fault when used as a window
function with `ORDER BY` clause. The crash occurs due to a use-after-free
bug where the internal hash table pointer is accessed after being freed.

---

## Environment

| Item | Value |
|------|-------|
| PostgreSQL Version | 15devel (development build) |
| Commit | 7103ebb7aa |
| Platform | x86_64-pc-linux-gnu |
| Test Date | 2026-03-13 |

## Steps to Reproduce

### 1. Create Test Table

```sql
CREATE TABLE test_json_window (partkey int, key text, value text);

INSERT INTO test_json_window VALUES
  (1, 'k1', 'v1'),
  (1, 'k2', 'v2'),
  (1, 'k3', 'v3'),
  (2, 'k4', 'v4'),
  (2, 'k5', 'v5');
```

### 2. Trigger Crash

```sql
-- This query causes segmentation fault
SELECT
  partkey,
  key,
  json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY key) AS result
FROM test_json_window;
```

### 3. Expected vs Actual Behavior

| Scenario | Result |
|----------|--------|
| Without `ORDER BY` | Works correctly |
| With `ORDER BY` | Server crashes (SIGSEGV) |

---

## Error Output

```
2026-03-13 11:06:13.546 CST [345156] LOG:  server process (PID 345761) was terminated by signal 11: Segmentation fault
2026-03-13 11:06:13.546 CST [345156] DETAIL:  Failed process was running:
SELECT
  partkey,
  key,
  json_object_agg_unique(key, value) OVER (PARTITION BY partkey ORDER BY key) AS result
FROM test_json_window;
```

---

## Stack Trace

```
#0  0x0000560eacfc155d in hash_search (hashp=0x560eb4bc7530, keyPtr=0x7fff9e580f38,
    action=HASH_ENTER, foundPtr=0x7fff9e580f37) at dynahash.c:961
#1  0x0000560eacdd4ca8 in json_unique_check_key (cxt=0x560eb4bab428,
    key=0x560eb4bab4af "\"k2\"", object_id=0) at json.c:1010
#2  0x0000560eacdd3fd0 in json_object_agg_transfn_worker (fcinfo=0x7fff9e581088,
    absent_on_null=false, unique_keys=true) at json.c:1164
#3  0x0000560eacdd41ee in json_object_agg_unique_transfn (fcinfo=0x7fff9e581088) at json.c:1210
#4  0x0000560eac9aa4b8 in advance_windowaggregate (winstate=0x560eb4b9ab08,
    perfuncstate=0x560eb4bb0fa0, peraggstate=0x560eb4b9c630) at nodeWindowAgg.c:345
#5  0x0000560eac9a9163 in eval_windowaggregates (winstate=0x560eb4b9ab08) at nodeWindowAgg.c:964
#6  0x0000560eac9a125e in ExecWindowAgg (pstate=0x560eb4b9ab08) at nodeWindowAgg.c:2207
#7  0x0000560eac91dae6 in ExecProcNode (node=0x560eb4b9ab08)
    at ../../../src/include/executor/executor.h:259
...
```





Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function

From
Dmitry Dolgov
Date:
> On Fri, Mar 13, 2026 at 03:14:26AM +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      19433
> Logged by:          chunling qin
> Email address:      303677365@qq.com
> PostgreSQL version: 15.0
> Operating system:   centos
> Description:        
> 
> ## Summary
> 
> `json_object_agg_unique()` causes a segmentation fault when used as a window
> function with `ORDER BY` clause. The crash occurs due to a use-after-free
> bug where the internal hash table pointer is accessed after being freed.
> 
> ---
> 
> ## Environment
> 
> | Item | Value |
> |------|-------|
> | PostgreSQL Version | 15devel (development build) |
> | Commit | 7103ebb7aa |
> | Platform | x86_64-pc-linux-gnu |
> | Test Date | 2026-03-13 |

I think the problem you describe was fixed in 4eb97988796, which became
part of REL_15_RC1.



Re: BUG #19433: json_object_agg_unique Crashes When Used as Window Function

From
Tom Lane
Date:
PG Bug reporting form <noreply@postgresql.org> writes:
> The following bug has been logged on the website:
> Bug reference:      19433
> Logged by:          chunling qin
> Email address:      303677365@qq.com
> PostgreSQL version: 15.0
> Operating system:   centos

It is not helpful to send us inaccurate bug reports against old
versions of Postgres, especially old development versions.

In this case, your report of "15.0" is incorrect, and so is this:

> | PostgreSQL Version | 15devel (development build) |
> | Commit | 7103ebb7aa |

How do I know?  Because json_object_agg_unique() didn't exist
before v16.

You're wasting our time and yours by sending such inaccurate
and outdated reports.  Please make sure that bug reports
can be reproduced against latest Postgres release versions or
very recent master branch.

            regards, tom lane