epmapper.idl has this: error_status_t epm_Lookup( [in] epm_InquiryType inquiry_type, [in,ptr] GUID *object, [in,ptr] rpc_if_id_t *interface_id, [in] epm_VersionOption vers_option, [in,out] policy_handle *entry_handle, [in] uint32 max_ents, [out] uint32 *num_ents, [out, length_is(*num_ents), size_is(max_ents)] epm_entry_t entries[] ); which leads to this struct: struct epm_Lookup { struct { enum epm_InquiryType inquiry_type; struct GUID *object;/* [ptr] */ struct rpc_if_id_t *interface_id;/* [ptr] */ enum epm_VersionOption vers_option; uint32_t max_ents; struct policy_handle *entry_handle;/* [ref] */ } in; struct { uint32_t *num_ents;/* [ref] */ struct epm_entry_t *entries;/* [length_is(*num_ents),size_is(max_ents)] */ struct policy_handle *entry_handle;/* [ref] */ uint32_t result; } out; }; and the generated code includes this: static PyObject *py_epm_Lookup_out_get_entries(PyObject *obj, void *closure) { struct epm_Lookup *object; PyObject *py_entries; object = (struct epm_Lookup *)pytalloc_get_ptr(obj); if (object == NULL) { PyErr_SetString(PyExc_TypeError, "expected talloc object"); return NULL; } py_entries = PyList_New(*object->out.num_ents); if (py_entries == NULL) { return NULL; } { int entries_cntr_0; for (entries_cntr_0 = 0; entries_cntr_0 < (*object->out.num_ents); entries_cntr_0++) { PyObject *py_entries_0; py_entries_0 = pytalloc_reference_ex(&epm_entry_t_Type, object->out.entries, &object->out.entries[entries_cntr_0]); PyList_SetItem(py_entries, entries_cntr_0, py_entries_0); } } return py_entries; } When object->out is NULL, we crash at the PyList_New line (because *object->out.num_ents). I am not sure how PIDL can check for these intermediate level NULLs.
It looks like echo.TestDoublePointer was designed to test this (and also fails with a segfault).