MDEV-30354 Fix JSON escaping in optimizer trace

y2kwak · y2kwak · commit 28fb8923bca3 · 2025-08-25T23:29:29.000Z
The expanded_query field in optimizer trace could produce invalid JSON when
queries contained special characters. Use json_escape() to properly handle
quotes, backslashes and other special characters in the output.

Example:
Before: "expanded_query": "select length('a') AS `LENGTH("a")`"
After:  "expanded_query": "select length('a') AS `LENGTH(\"a\")`"

The output is now properly escaped and valid JSON while maintaining
readability.

Added mysql-test/main/opt_trace_json_escape.test to verify the fix.

All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
diff --git a/mysql-test/main/opt_trace.result b/mysql-test/main/opt_trace.result
@@ -11581,7 +11581,7 @@ SELECT 'a\0' LIMIT 0	{
         "select_id": 1,
         "steps": [
           {
-            "expanded_query": "select 'a\0' AS `a\x00` limit 0"
+            "expanded_query": "select 'a\\0' AS `a\\x00` limit 0"
           }
         ]
       }
diff --git a/mysql-test/main/opt_trace_json_escape.result b/mysql-test/main/opt_trace_json_escape.result
@@ -0,0 +1,160 @@
+# Testing JSON escaping in optimizer trace output
+set optimizer_trace="enabled=on";
+# Test 1: Simple double quotes
+SELECT LENGTH("a");
+LENGTH("a")
+1
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select octet_length('a') AS `LENGTH(\"a\")`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
+# Test 2: Nested quotes
+SELECT LENGTH("a\"b");
+LENGTH("a\"b")
+3
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select octet_length('a\"b') AS `LENGTH(\"a\\\"b\")`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
+# Test 3: Special characters with quotes
+SELECT LENGTH("a\n\"b\t\"c");
+LENGTH("a\n\"b\t\"c")
+7
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select octet_length('a\\n\"b\\t\"c') AS `LENGTH(\"a\\n\\\"b\\t\\\"c\")`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
+# Test 4: New line
+SELECT COLUMN_JSON(COLUMN_CREATE("foo", "New
+line" AS CHAR));
+COLUMN_JSON(COLUMN_CREATE("foo", "New
+line" AS CHAR))
+{"foo":"New\u000Aline"}
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select column_json(column_create('foo','New\\nline' AS char charset latin1 collate latin1_swedish_ci )) AS `COLUMN_JSON(COLUMN_CREATE(\"foo\", \"New\nline\" AS CHAR))`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
+# Test 5: Backslashes
+SELECT LENGTH("a\\b");
+LENGTH("a\\b")
+3
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select octet_length('a\\\\b') AS `LENGTH(\"a\\\\b\")`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
+# Test 6: JSON functions
+SELECT JSON_EXTRACT('{"key":"value"}', "$.key");
+JSON_EXTRACT('{"key":"value"}', "$.key")
+"value"
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+valid_json	trace
+1	{
+  "steps": [
+    {
+      "join_preparation": {
+        "select_id": 1,
+        "steps": [
+          {
+            "expanded_query": "select json_extract('{\"key\":\"value\"}','$.key') AS `JSON_EXTRACT('{\"key\":\"value\"}', \"$.key\")`"
+          }
+        ]
+      }
+    },
+    {
+      "join_optimization": {
+        "select_id": 1,
+        "steps": []
+      }
+    }
+  ]
+}
diff --git a/mysql-test/main/opt_trace_json_escape.test b/mysql-test/main/opt_trace_json_escape.test
@@ -0,0 +1,32 @@
+--echo # Testing JSON escaping in optimizer trace output
+
+#
+# MDEV-30354: Fix JSON escaping in optimizer trace output
+#
+
+set optimizer_trace="enabled=on";
+
+--echo # Test 1: Simple double quotes
+SELECT LENGTH("a");
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+
+--echo # Test 2: Nested quotes
+SELECT LENGTH("a\"b");
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+
+--echo # Test 3: Special characters with quotes
+SELECT LENGTH("a\n\"b\t\"c");
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+
+--echo # Test 4: New line
+SELECT COLUMN_JSON(COLUMN_CREATE("foo", "New
+line" AS CHAR));
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+
+--echo # Test 5: Backslashes
+SELECT LENGTH("a\\b");
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
+
+--echo # Test 6: JSON functions
+SELECT JSON_EXTRACT('{"key":"value"}', "$.key");
+SELECT json_valid(trace) AS valid_json, trace FROM information_schema.optimizer_trace;
diff --git a/sql/opt_trace.cc b/sql/opt_trace.cc
@@ -126,7 +126,23 @@ void opt_trace_print_expanded_query(THD *thd, SELECT_LEX *select_lex,
     The output is not very pretty lots of back-ticks, the output
     is as the one in explain extended , lets try to improved it here.
   */
-  writer->add("expanded_query", str.c_ptr_safe(), str.length());
+
+  StringBuffer<1024> escaped_str(system_charset_info);
+  escaped_str.alloc(str.length() * 2 + 1);
+  // Use json_escape function to properly escape the query string 
+  int result = json_escape(str.charset(),
+                          (const uchar*)str.ptr(),
+                          (const uchar*)str.ptr() + str.length(),
+                          &my_charset_utf8mb4_bin,
+                          (uchar*)escaped_str.ptr(),
+                          (uchar*)escaped_str.ptr() + escaped_str.alloced_length());
+  
+  if (result >= 0) {
+    escaped_str.length(result);
+    writer->add("expanded_query", escaped_str.c_ptr_safe(), escaped_str.length());
+  } else {
+    writer->add("expanded_query", str.c_ptr_safe(), str.length());
+  }
 }
 
 void opt_trace_disable_if_no_security_context_access(THD *thd)

Original file line number	Diff line number	Diff line change
`@@ -11581,7 +11581,7 @@ SELECT 'a\0' LIMIT 0 {`
`11581`	`11581`	`"select_id": 1,`
`11582`	`11582`	`"steps": [`
`11583`	`11583`	`{`
`11584`		- "expanded_query": "select 'a\0' AS `a\x00` limit 0"
	`11584`	+ "expanded_query": "select 'a\\0' AS `a\\x00` limit 0"
`11585`	`11585`	`}`
`11586`	`11586`	`]`
`11587`	`11587`	`}`