Leveraging JSR-305 null annotations to prevent NullPointerExceptions
The Sling API forces developers to sometimes check for
null return values. Most prominently this is the case for
ResourceResolver.getResource. This is often forgotten, which may lead to
NullPointerExceptions. Sling API 2.9.0 introduced the JSR-305 annotations (SLING-4377) which allow tools to check automatically for missing null checks in the code.
The annotations used within Sling are based on the JSR-305 which is dormant since 2012. Nevertheless those annotations are understood by most of the tools and used by other Apache Projects like Apache Oak OAK-37.
Due to the fact that Eclipse and FindBugs are interpreting annotations differently (Findbugs-1355). Sling only uses the following two different annotations which are supported by both tools:
Annotations which support setting the default null semantics of return values and or parameters on a package level cannot be leveraged for that reason.
Use With Eclipse¶
Eclipse since Juno supports null analysis based on any annotations. Those need to be enabled in Preferences->Java->Compiler->Errors/Warnings via Enable annoation-based null analysis. Also the annotations need to be configured. For Sling/JSR 305 those are
javax.annotation.CheckForNullas 'Nullable' annotation (primary annotation)
javax.annotation.Nonnullas 'NonNull' annotation (primary annotation)
Unfortunately Eclipse cannot infer information about fields which are for sure either null or not null (reasoning is available in https://wiki.eclipse.org/JDT_Core/Null_Analysis/Options#Risks_of_flow_analysis_for_fields and Eclipse Bug 247564). This also affecs constants (static final fields) or enums which are known to be non null, but still Eclipse will emit a warning like The expression of type 'String' needs unchecked conversion to conform to '@Nonnull String'. The only known workaround is to disable the "Unchecked conversion from non-annotated type to @NonNull type" or to annotate also the field with
More information are available at https://wiki.eclipse.org/JDT_Core/Null_Analysis.
Since Eclipse 4.5 (Mars) external annotations are supported as well (i.e. annotations maintained outside of the source code of the libraries, e.g. for the JRE, Apache Commons Lang). There are some external annotations being mainted at lastnpe.org and TraceCompass. There is no official repository yet though (Eclipse Bug 449653). Lastnpe.org provides also an m2e extension to ease setting up the classpaths with external annotations from within your pom.xml.
Use With Maven¶
Leveraging Eclipse JDT Compiler (recommended)¶
You can use Eclipse JDT also in Maven (with null analysis enabled) for the regular compilation. That way it will give out the same warnings/errors as Eclipse and will also consider external annotations.
JDT in its most recent version is provided by the
tycho-compiler-plugin which can be hooked up with the
The full list of options for JDT is described in here.
This method was presented by Michael Vorburger in his presentation The end of the world as we know it.
<plugin> <artifactId>maven-compiler-plugin</artifactId> <version>3.5.1</version> <configuration> <source>1.8</source> <target>1.8</target> <showWarnings>true</showWarnings> <compilerId>jdt</compilerId> <compilerArguments> <!-- just take the full Maven classpath as external annotations --> <annotationpath>CLASSPATH</annotationpath> </compilerArguments> <!-- maintain the org.eclipse.jdt.core.prefs properties to options listed on http://help.eclipse.org/neon/index.jsp?topic=/org.eclipse.jdt.doc.user/tasks/task-using_batch_compiler.htm --> <compilerArgument>-err:nullAnnot,null,-missingNullDefault</compilerArgument> </configuration> <dependencies> <dependency> <groupId>org.eclipse.tycho</groupId> <artifactId>tycho-compiler-jdt</artifactId> <version>1.0.0</version> </dependency> </dependencies> </plugin>
You can also let Maven automatically run FindBugs to execute those checks via the findbugs-maven-plugin. For that just add the following plugin to your
<plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>findbugs-maven-plugin</artifactId> <version>3.0.0</version> <configuration> <visitors>InconsistentAnnotations,NoteUnconditionalParamDerefs,FindNullDeref,FindNullDerefsInvolvingNonShortCircuitEvaluation</visitors> </configuration> <executions> <execution> <id>run-findbugs-fornullchecks</id> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin>
The results are often very imprecise (MFINDBUGS-208), especially when it comes to line numbers, therefore it is best to start the Findbugs GUI in case of errors found by this plugin via
Use With FindBugs¶
FindBugs evaluates the JSR-305 annotations by default. You can restrict the rules to only the ones which check for those annotations, which are
A complete list of visitors class names in Findbugs can be found in the sourcecode. The according bug patterns have an identifier (in parenthesis) for which you can search in the according Java classes, in case you want to extend the checks.
Use with SonarQube¶
At least rule squid:S2259 in SonarQube supports JSR-305 annotations as well for null checks.