Server crashes at Item_func_json_keys::val_str

SELECT JSON_SET('{"c":4}', '$.a', 5) AS x HAVING (x IN (JSON_KEYS(x), ','));

Server version: 11.4.1-MariaDB-1:11.4.1+maria~ubu2204 source revision: fa69b085b10f19a3a8b6e7adab27c104924333ae

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=1

It is possible that mysqld could use up to 

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468064 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f7720000c68

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f776c0c0c38 thread_stack 0x49000

Printing to addr2line failed

mariadbd(my_print_stacktrace+0x32)[0x559bfa21f4f2]

mariadbd(handle_fatal_signal+0x478)[0x559bf9cef1e8]

/lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7f776f41c520]

mariadbd(_ZN6String6appendEPKcm+0x30)[0x559bf9b18390]

mariadbd(_ZN19Item_func_json_keys7val_strEP6String+0x23a)[0x559bf9bf7a8a]

mariadbd(_ZN9in_string3setEjP4Item+0x31)[0x559bf9d2bea1]

mariadbd(_ZN12Item_func_in13fix_in_vectorEv+0x64)[0x559bf9d397b4]

mariadbd(_ZNK26Type_handler_string_result44Item_func_in_fix_comparator_compatible_typesEP3THDP12Item_func_in+0x1bc)[0x559bf9c361fc]

mariadbd(_ZN12Item_func_in18fix_length_and_decEP3THD+0x8a)[0x559bf9d3f04a]

mariadbd(_ZN9Item_func10fix_fieldsEP3THDPP4Item+0x11b)[0x559bf9d6378b]

mariadbd(_ZN4JOIN7prepareEP10TABLE_LISTP4ItemjP8st_orderbS5_S3_S5_P13st_select_lexP18st_select_lex_unit+0xc55)[0x559bf9ad67f5]

mariadbd(_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex+0x624)[0x559bf9aea8c4]

mariadbd(_Z13handle_selectP3THDP3LEXP13select_resulty+0x154)[0x559bf9aeabc4]

mariadbd(+0x84c285)[0x559bf9a5d285]

mariadbd(_Z21mysql_execute_commandP3THDb+0x440f)[0x559bf9a6c4af]

mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0x1e7)[0x559bf9a6da17]

mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14cd)[0x559bf9a7020d]

mariadbd(_Z10do_commandP3THDb+0x138)[0x559bf9a72118]

mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x559bf9b9ef6f]

mariadbd(handle_one_connection+0x5d)[0x559bf9b9f2bd]

mariadbd(+0xd10af6)[0x559bf9f21af6]

/lib/x86_64-linux-gnu/libc.so.6(+0x94ac3)[0x7f776f46eac3]

/lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7f776f4ffa04]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f7720012fa0): SELECT JSON_SET('{"c":4}', '$.a', 5) AS x HAVING (x IN (JSON_KEYS(x), ','))

Connection ID (thread ID): 3

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,cset_narrowing=off,sargable_casefold=on

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mariadbd/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /var/lib/mysql

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             2062276              2062276              processes 

Max open files            524288               524288               files     

Max locked memory         8388608              8388608              bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       2062276              2062276              signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

Kernel version: Linux version 6.1.10-1-pve (build@proxmox) (gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP PREEMPT_DYNAMIC PVE 6.1.10-1 (2023-02-07T00:00Z) ()