Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203

From: Алена Васильева <gorcom2012(at)gmail(dot)com>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18908: DEREF_OF_NULL: After having been assigned to a NULL value at descriptor.c:203
Date: 2025-08-08 07:08:38
Message-ID: CABg3sZqmmRQ_SzxGPtKFNZXUtU_nUxmfOJCOgP+kC+myBzoU+Q@mail.gmail.com

Hello,

This is regarding bug report BUG #18908 (18908-6531c66d23729837(at)postgresql(dot)org):
<https://www.postgresql.org/message-id/18908-6531c66d23729837%40postgresql.org>

I have reviewed this block of code and concluded that it does not require
any fixes. This is a false positive from the static analyzer.

In the output_get_descr() function, there is a call:

```
ECPGdump_a_type(base_yyout, v->name, v->type, v->brace_level,
                NULL, NULL, -1, NULL, NULL, str_zero, NULL, NULL);
```

where the 5th parameter is passed as NULL.

Then, in the ECPGdump_a_type() function, this 5th parameter is defined
as ind_name and is passed as the 3rd parameter to:

```
ECPGdump_a_struct(o, name, ind_name, str_one, type, ind_type, prefix,
                  ind_prefix);
```

In ECPGdump_a_struct(), there is a dereference of the ind_name pointer:

```
char *ind_pbuf = (char *) mm_alloc(strlen(ind_name) +
                                   ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
```

Here, if ind_name == NULL, calling strlen(ind_name) would cause a
process crash (segmentation fault).

To demonstrate that this can never happen and that the analyzer is
mistaken, let’s look at the condition under which ECPGdump_a_struct()
is called from ECPGdump_a_type():

```
switch (type->type)
{
    case ECPGt_struct:
```

That is, only if the processed variable is of type struct.

However, output_get_descr() never processes structs — it only works
with descriptors.

The field type->type (which is v->type) comes from:

```
const struct variable *v = find_variable(results->variable);
```

But in output_get_descr(), we process descriptor fields (SQLDA), and
results->value is one of the descriptor’s fields.

All these fields are primitive types, not structs:

```
/* descriptor items */
enum ECPGdtype
{
    ECPGd_count = 1,
    ECPGd_data,
    ECPGd_di_code,
    ECPGd_di_precision,
    ECPGd_indicator,
    ECPGd_key_member,
    ECPGd_length,
    ECPGd_name,
    ECPGd_nullable,
    ECPGd_octet,
    ECPGd_precision,
    ECPGd_ret_length,
    ECPGd_ret_octet,
    ECPGd_scale,
    ECPGd_type,
    ECPGd_EODT,                 /* End of descriptor types. */
    ECPGd_cardinality
};
```

Therefore, ECPGdump_a_struct() will never be called from
output_get_descr() because:

1. v->type->type will never be ECPGt_struct in this context;
2. results->value refers to descriptor fields, not C structs.

Consequently, a call to strlen(ind_name) with ind_name == NULL is unreachable.

Best regards, Eugeny Goryachev
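The reachability argument above, modelled as a small stand-alone C program (an added illustration, not PostgreSQL's code): the hypothetical `dump_a_type()`, `dump_a_struct()` and `get_descr()` stand in for `ECPGdump_a_type()`, `ECPGdump_a_struct()` and `output_get_descr()`, and the hypothetical `enum var_type` stands in for the `ECPGt_*` variable types. It also shows one way to make the precondition the analyzer cannot see (ind_name is non-NULL whenever the struct branch runs) explicit with a guard, so a future caller that passes NULL for a struct fails a check instead of crashing in strlen().

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the ECPGt_* variable-type enum. */
enum var_type { VT_INT, VT_CHAR, VT_STRUCT };

/* Models ECPGdump_a_struct(): the only place ind_name is dereferenced.
 * Returns the buffer size that would be allocated, or -1 when the
 * precondition ind_name != NULL is violated (instead of strlen(NULL)). */
long dump_a_struct(const char *name, const char *ind_name, const char *ind_prefix)
{
    (void) name;
    if (ind_name == NULL)
        return -1;              /* explicit guard for the invariant the caller relies on */
    return (long) (strlen(ind_name) +
                   ((ind_prefix == NULL) ? 0 : strlen(ind_prefix)) + 3);
}

/* Models ECPGdump_a_type(): ind_name reaches dump_a_struct() only
 * under the struct case of the type switch. */
long dump_a_type(const char *name, const char *ind_name, enum var_type type)
{
    switch (type)
    {
        case VT_STRUCT:
            return dump_a_struct(name, ind_name, NULL);
        default:
            return 0;           /* primitive types never touch ind_name */
    }
}

/* Models output_get_descr(): descriptor items are primitive types and
 * the indicator name is passed as NULL, so the struct branch is never taken. */
long get_descr(enum var_type item_type)
{
    return dump_a_type("item", NULL, item_type);
}
```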
