From ca54f9b706f66f8f7191551aec8eac8b86b0fb9b Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Sat, 5 Apr 2025 12:13:35 -0400 Subject: [PATCH] Avoid double transformation of json_array()'s subquery. transformJsonArrayQueryConstructor() applied transformStmt() to the same subquery tree twice. While this causes no issue in many cases, there are some where it causes a coredump, thanks to the parser's habit of scribbling on its input. Fix by making a copy before the first transformation (compare 0f43083d1). This is quite brute-force, but then so is the whole business of transforming the input twice. Per discussion in the bug thread, this implementation of json_array() parsing should be replaced completely. But that will take some work and will surely not be back-patchable, so for the moment let's take the easy way out. Oversight in 7081ac46a. Back-patch to v16 where that came in. Bug: #18877 Reported-by: Yu Liang Author: Tom Lane Discussion: https://postgr.es/m/18877-c3c3ad75845833bb@postgresql.org Backpatch-through: 16 --- src/backend/parser/parse_expr.c | 2 +- src/test/regress/expected/sqljson.out | 6 ++++++ src/test/regress/sql/sqljson.sql | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/backend/parser/parse_expr.c b/src/backend/parser/parse_expr.c index fa1777bbe42..26e862ce107 100644 --- a/src/backend/parser/parse_expr.c +++ b/src/backend/parser/parse_expr.c @@ -3626,7 +3626,7 @@ transformJsonArrayQueryConstructor(ParseState *pstate, /* Transform query only for counting target list entries. */ qpstate = make_parsestate(pstate); - query = transformStmt(qpstate, ctor->query); + query = transformStmt(qpstate, copyObject(ctor->query)); if (count_nonjunk_tlist_entries(query->targetList) != 1) ereport(ERROR, diff --git a/src/test/regress/expected/sqljson.out b/src/test/regress/expected/sqljson.out index 8554dc38a4e..8bffd007bd6 100644 --- a/src/test/regress/expected/sqljson.out +++ b/src/test/regress/expected/sqljson.out @@ -445,6 +445,12 @@ SELECT JSON_ARRAY(SELECT i FROM (VALUES (3), (1), (NULL), (2)) foo(i) ORDER BY i [1, 2, 3] (1 row) +SELECT JSON_ARRAY(WITH x AS (SELECT 1) VALUES (TRUE)); + json_array +------------ + [true] +(1 row) + -- Should fail SELECT JSON_ARRAY(SELECT FROM (VALUES (1)) foo(i)); ERROR: subquery must return only one column diff --git a/src/test/regress/sql/sqljson.sql b/src/test/regress/sql/sqljson.sql index 085606bf20b..f9e9429fba6 100644 --- a/src/test/regress/sql/sqljson.sql +++ b/src/test/regress/sql/sqljson.sql @@ -124,6 +124,8 @@ SELECT JSON_ARRAY(SELECT i FROM (VALUES (NULL::int[]), ('{1,2}'), (NULL), (NULL) --SELECT JSON_ARRAY(SELECT i FROM (VALUES (NULL::int[]), ('{1,2}'), (NULL), (NULL), ('{3,4}'), (NULL)) foo(i) NULL ON NULL); --SELECT JSON_ARRAY(SELECT i FROM (VALUES (NULL::int[]), ('{1,2}'), (NULL), (NULL), ('{3,4}'), (NULL)) foo(i) NULL ON NULL RETURNING jsonb); SELECT JSON_ARRAY(SELECT i FROM (VALUES (3), (1), (NULL), (2)) foo(i) ORDER BY i); +SELECT JSON_ARRAY(WITH x AS (SELECT 1) VALUES (TRUE)); + -- Should fail SELECT JSON_ARRAY(SELECT FROM (VALUES (1)) foo(i)); SELECT JSON_ARRAY(SELECT i, i FROM (VALUES (1)) foo(i));