BUG #19491: Segmentation fault triggered by IS NULL

The following bug has been logged on the website:

Bug reference: 19491
Logged by: Chi Zhang
Email address: 798604270@qq.com
PostgreSQL version: 18.4
Operating system: Ubuntu 24.04
Description:

Hi,

I found that the following test case triggers a segmentation fault.

```
CREATE SCHEMA IF NOT EXISTS poc;

CREATE FUNCTION poc.mystring_in(cstring)
RETURNS poc.mystring
AS 'textin' LANGUAGE internal IMMUTABLE STRICT;

CREATE FUNCTION poc.mystring_out(poc.mystring)
RETURNS cstring
AS 'textout' LANGUAGE internal IMMUTABLE STRICT;

CREATE TYPE poc.mystring (
INPUT = poc.mystring_in,
OUTPUT = poc.mystring_out,
LIKE = text,
CATEGORY = 'S'
);

SELECT '{"a":1}'::poc.mystring IS JSON;

DROP SCHEMA IF EXISTS poc CASCADE;
```

This is the output:

```
sqlancer=# CREATE SCHEMA IF NOT EXISTS poc;
CREATE SCHEMA
sqlancer=# CREATE FUNCTION poc.mystring_in(cstring)
RETURNS poc.mystring
AS 'textin' LANGUAGE internal IMMUTABLE STRICT;
NOTICE: type "poc.mystring" is not yet defined
DETAIL: Creating a shell type definition.
CREATE FUNCTION
sqlancer=# CREATE FUNCTION poc.mystring_out(poc.mystring)
RETURNS cstring
AS 'textout' LANGUAGE internal IMMUTABLE STRICT;
NOTICE: argument type poc.mystring is only a shell
LINE 1: CREATE FUNCTION poc.mystring_out(poc.mystring)
^
CREATE FUNCTION
sqlancer=# CREATE TYPE poc.mystring (
INPUT = poc.mystring_in,
OUTPUT = poc.mystring_out,
LIKE = text,
CATEGORY = 'S'
);
CREATE TYPE
sqlancer=# SELECT '{"a":1}'::poc.mystring IS JSON;
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Succeeded.
```

This is the log:

```
2026-05-22 06:19:00.811 UTC [1] LOG: starting PostgreSQL 18.1 (Debian
18.1-1.pgdg13+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19)
14.2.0, 64-bit
2026-05-22 06:19:00.811 UTC [1] LOG: listening on IPv4 address "0.0.0.0",
port 5432
2026-05-22 06:19:00.811 UTC [1] LOG: listening on IPv6 address "::", port
5432
2026-05-22 06:19:00.816 UTC [1] LOG: listening on Unix socket
"/var/run/postgresql/.s.PGSQL.5432"
2026-05-22 06:19:00.825 UTC [32] LOG: database system was shut down at
2026-05-22 06:18:54 UTC
2026-05-22 06:19:00.830 UTC [1] LOG: database system is ready to accept
connections
2026-05-22 06:21:48.272 UTC [1] LOG: client backend (PID 42) was terminated
by signal 11: Segmentation fault
2026-05-22 06:21:48.272 UTC [1] DETAIL: Failed process was running: SELECT
'{"a":1}'::poc.mystring IS JSON;
2026-05-22 06:21:48.272 UTC [1] LOG: terminating any other active server
processes
2026-05-22 06:21:48.273 UTC [1] LOG: all server processes terminated;
reinitializing
2026-05-22 06:21:48.324 UTC [49] LOG: database system was interrupted; last
known up at 2026-05-22 06:19:00 UTC
2026-05-22 06:21:48.428 UTC [49] LOG: database system was not properly shut
down; automatic recovery in progress
2026-05-22 06:21:48.431 UTC [49] LOG: redo starts at 0/1C07F50
2026-05-22 06:21:48.432 UTC [49] LOG: invalid record length at 0/1C1AE88:
expected at least 24, got 0
2026-05-22 06:21:48.432 UTC [49] LOG: redo done at 0/1C1AE00 system usage:
CPU: user: 0.00 s, system: 0.00 s, elapsed: 0.00 s
2026-05-22 06:21:48.437 UTC [50] LOG: checkpoint starting: end-of-recovery
immediate wait
2026-05-22 06:21:48.450 UTC [50] LOG: checkpoint complete: wrote 15 buffers
(0.1%), wrote 3 SLRU buffers; 0 WAL file(s) added, 0 removed, 0 recycled;
write=0.003 s, sync=0.004 s, total=0.016 s; sync files=16, longest=0.002 s,
average=0.001 s; distance=75 kB, estimate=75 kB; lsn=0/1C1AE88, redo
lsn=0/1C1AE88
2026-05-22 06:21:48.455 UTC [1] LOG: database system is ready to accept
connections
```

I can reproduce this on the github commit
d8af73010033cb8ad6c941942d6b03d74d7e4f7e