...
- Calling the instance method of a null object
- Accessing or modifying the field of a null object
- Taking the length of
null
as if it were an array - Accessing or modifying the elements of
null
as if it were an array - Throwing
null
as if it were aThrowable
value
...
This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning [Reasoning 2003]. The cardinality()
method was designed to return the number of occurrences of object obj
in collection col
. One valid use of the cardinality()
method is to determine how many objects in the collection are null. However, because membership in the collection is checked using the expression obj.equals(elt)
, a null pointer dereference is guaranteed whenever obj
is null and elt
is not null.
Code Block | ||
---|---|---|
| ||
public static int cardinality(Object obj, final Collection<?> col) { int count = 0; if (col == null) { return count; } Iterator<?> it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || obj.equals(elt)) { // Null pointer dereference count++; } } return count; } |
...
Method isProperName
()
is noncompliant because it may be called with a null argument, resulting in a null pointer dereference.
...
The calling method, testString()
, guarantees that isProperName
()
is always called with a valid string reference. As As a result, the class conforms with this rule even though a public isProperName()
method would not. Guarantees of this sort can be used to eliminate null pointer dereferences.
...
The Optional
class contains methods that can be used to make programs shorter and more intuitive [ Urma 2014 ].
Exceptions
EXP01-J-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException
, either via the throws
clause of the method or in the method comments. However, this exception should be relied on sparingly.
Risk Assessment
Dereferencing a null pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP01-J | Low | Likely | High | P3 | L3 |
Automated Detection
Null pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code [Hovemeyer 2007] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Nullness Checker | Null pointer errors (see Chapter 3) | ||||||
CodeSonar |
| JAVA.DEEPNULL.PARAM.EACTUAL JAVA.DEEPNULL.EFIELD JAVA.DEEPNULL.FIELD JAVA.NULL.PARAM.ACTUAL JAVA.NULL.DEREF JAVA.DEEPNULL.DEREF JAVA.DEEPNULL.RET.EMETH JAVA.DEEPNULL.RET.METH JAVA.NULL.RET.ARRAY JAVA.NULL.RET.BOOL JAVA.NULL.RET.OPT JAVA.STRUCT.UPD JAVA.STRUCT.DUPD JAVA.STRUCT.UPED JAVA.DEEPNULL.PARAM.ACTUAL | Actual Parameter Element may be null Field Element may be null (deep) Field may be null (deep) Null Parameter Dereference Null Pointer Dereference Null Pointer Dereference (deep) Return Value may Contain null Element Return Value may be null Return null Array Return null Boolean Return null Optional Unchecked Parameter Dereference Unchecked Parameter Dereference (deep) Unchecked Parameter Element Dereference (deep) null Passed to Method (deep) | ||||||
Coverity | v7.5 |
FORWARD_NULL | Implemented | ||||||||
Fortify |
| Missing_Check_against_Null | Implemented | ||||||
Findbugs |
| NP_DEREFERENCE_OF_READLINE_VALUE | Implemented | ||||||
Parasoft Jtest |
| CERT.EXP01.NP CERT.EXP01.NCMD | Avoid NullPointerException Ensure that dereferenced variables match variables which were previously checked for "null" | ||||||
PVS-Studio |
| V6008, V6073, V6093 | |||||||
SonarQube |
| Null pointers should not be dereferenced "toString()" and "clone()" methods should not return null Null should not be returned from a "Boolean" method "@NonNull" values should not be set to null | |||||||
SpotBugs |
| NP_DEREFERENCE_OF_READLINE_VALUE NP_IMMEDIATE_DEREFERENCE_OF_READLINE NP_ALWAYS_NULL NP_NULL_ON_SOME_PATH NP_NULL_ON_SOME_PATH_EXCEPTION NP_NULL_PARAM_DEREF NP_NULL_PARAM_DEREF_NONVIRTUAL NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS NP_TOSTRING_COULD_RETURN_NULL | Implemented |
Related Vulnerabilities
Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException
[SDN 2008]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.
Related Guidelines
Null Pointer Dereference [XYH] | |
CWE-476, NULL Pointer Dereference |
Android Implementation Details
Android applications are more sensitive to NullPointerException
because of the constraint of the limited mobile device memory. Static members or members of an Activity may become null when memory runs out.
Bibliography
[API 2006] | |
[API 2014] | Class java.util.Optional |
"Defect ID 00-0001" | |
[SDN 2008] | |
[ Seacord 2015 ] | |
[Urma 2014] | Tired of Null Pointer Exceptions? Consider Using Java SE 8's Optional! |
...
...