An investigation in WT-16143 highlighted this issue. This code in __create_colgroup sets the index 1 of sourcecfg. To be non-NULL fmt.data.

That array is defined as:

    const char *sourcecfg[] = {config, NULL, NULL};

Which in position 0 uses config, which is passed into the function:

__create_colgroup(WT_SESSION_IMPL *session, const char *name, bool exclusive, const char *config)

There is no guarantee that config is not NULL here, so in theory the array could end up being sourcfg[] = {NULL, fmt.data, NULL.

This shape is incompatible with __wt_config_merge (called two lines after). Its loop requires that the array is not sparsely populate and as an aside must be null terminated.

    /*
     * Scan the configuration strings, entering them into the array. The list of configuration
     * values to be removed must be scanned last so their generation numbers are the highest.
     */
    for (; *cfg != NULL; ++cfg)
        WT_ERR(__config_merge_scan(session, NULL, *cfg, false, &merge));

Because of the NULL termination requirement it is not so trivial to fix this issue, however it is clear that we should review other usages in the codebase for this problem. If non are detected we can remove the FIXME for this ticket in schema_create.c.