Apache
Home » Documentation » Development

Leveraging JSR-305 null annotations to prevent NullPointerExceptions

Introduction

The Sling API forces developers to sometimes check for null return values. Most prominently this is the case for Adaptable.adaptTo and ResourceResolver.getResource. This is often forgotten, which may lead to NullPointerExceptions. Sling API 2.9.0 introduced the JSR-305 annotations (SLING-4377) which allow tools to check automatically for missing null checks in the code.

Annotations

The annotations used within Sling are based on the JSR-305 which is dormant since 2012. Nevertheless those annotations are understood by most of the tools and used by other Apache Projects like Apache Oak OAK-37.

Due to the fact that Eclipse and FindBugs are interpreting annotations differently (Findbugs-1355). Sling only uses the following two different annotations which are supported by both tools:

  1. javax.annotation.CheckForNull
  2. javax.annotation.Nonnull

Annotations which support setting the default null semantics of return values and or parameters on a package level cannot be leveraged for that reason.

Use With Eclipse

Eclipse since Juno supports null analysis based on any annotations. Those need to be enabled in Preferences->Java->Compiler->Errors/Warnings via Enable annoation-based null analysis. Also the annotations need to be configured. For Sling/JSR 305 those are

Eclipse Settings for Null analysis

Unfortunately Eclipse cannot infer information about fields which are for sure either null or not null (reasoning is available in https://wiki.eclipse.org/JDT_Core/Null_Analysis/Options#Risks_of_flow_analysis_for_fields and Eclipse Bug 247564). This also affecs constants (static final fields) or enums which are known to be non null, but still Eclipse will emit a warning like The expression of type 'String' needs unchecked conversion to conform to '@Nonnull String'. The only known workaround is to disable the "Unchecked conversion from non-annotated type to @NonNull type" or to annotate also the field with @Nonnull.

More information are available at https://wiki.eclipse.org/JDT_Core/Null_Analysis.

Since Eclipse 4.5 (Mars) external annotations are supported as well (i.e. annotations maintained outside of the source code of the libraries, e.g. for the JRE, Apache Commons Lang). There are some external annotations being mainted at lastnpe.org and TraceCompass. There is no official repository yet though (Eclipse Bug 449653). Lastnpe.org provides also an m2e extension to ease setting up the classpaths with external annotations from within your pom.xml.

Use With Maven

You can use Eclipse JDT also in Maven (with null analysis enabled) for the regular compilation. That way it will give out the same warnings/errors as Eclipse and will also consider external annotations. JDT in its most recent version is provided by the tycho-compiler-plugin which can be hooked up with the maven-compiler-plugin. The full list of options for JDT is described in here. This method was presented by Michael Vorburger in his presentation The end of the world as we know it.

<plugin>
  <artifactId>maven-compiler-plugin</artifactId>
  <version>3.5.1</version>
  <configuration>
    <source>1.8</source>
    <target>1.8</target>
    <showWarnings>true</showWarnings>
    <compilerId>jdt</compilerId>
    <compilerArguments>
      <!-- just take the full Maven classpath as external annotations -->
      <annotationpath>CLASSPATH</annotationpath>
    </compilerArguments>
    <!-- maintain the org.eclipse.jdt.core.prefs properties to options listed on
         http://help.eclipse.org/neon/index.jsp?topic=/org.eclipse.jdt.doc.user/tasks/task-using_batch_compiler.htm -->
    <compilerArgument>-err:nullAnnot,null,-missingNullDefault</compilerArgument>
 </configuration>
 <dependencies>
    <dependency>
       <groupId>org.eclipse.tycho</groupId>
       <artifactId>tycho-compiler-jdt</artifactId>
       <version>1.0.0</version>
    </dependency>
  </dependencies>
</plugin>

Leveraging FindBugs

You can also let Maven automatically run FindBugs to execute those checks via the findbugs-maven-plugin. For that just add the following plugin to your pom.xml

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>findbugs-maven-plugin</artifactId>
  <version>3.0.0</version>
  <configuration>
  <visitors>InconsistentAnnotations,NoteUnconditionalParamDerefs,FindNullDeref,FindNullDerefsInvolvingNonShortCircuitEvaluation</visitors>
  </configuration>
  <executions>
    <execution>
      <id>run-findbugs-fornullchecks</id>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

The results are often very imprecise (MFINDBUGS-208), especially when it comes to line numbers, therefore it is best to start the Findbugs GUI in case of errors found by this plugin via mvn findbugs:gui.

Use With FindBugs

FindBugs evaluates the JSR-305 annotations by default. You can restrict the rules to only the ones which check for those annotations, which are

A complete list of visitors class names in Findbugs can be found in the sourcecode. The according bug patterns have an identifier (in parenthesis) for which you can search in the according Java classes, in case you want to extend the checks.

Findbugs is also integrated in SonarQube but for SonarQube you should now rather use the native Java plugin (look at Use with SonarQube).

Use with SonarQube

At least rule squid:S2259 in SonarQube supports JSR-305 annotations as well for null checks.

Rev. 1785807 by kwin on Tue, 7 Mar 2017 07:57:17 +0000
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.