Page History

Do not use the null value in any instance where an object is required, including the following cases:

• Calling the instance method of a null object
• Accessing or modifying the field of a null object
• Taking the length of null as if it were an array
• Accessing or modifying the elements of null as if it were an array
• Throwing null

...

• as if it were a Throwable value

Using a null in cases where an object is required valid object reference and used without checking its state. This condition results in a NullPointerException, which can in turn result in a denial of service. The denial of service is caused by the exception interrupting being thrown, which interrupts execution of the program or thread, and probably causing it to terminate. Termination is likely because catching NullPointerException is forbidden by . Code conforming to this coding standard will consequently terminate because ERR08-J. Do not catch NullPointerException or any of its ancestors. Consequently, code must never dereference null pointers.  requires that NullPointerException is not caught. 

Noncompliant Code Example

...

This noncompliant example shows a bug in Tomcat version 4.1.24, initially discovered by Reasoning \[ [Reasoning 2003|AA. References#Reasoning 03]\]. The {{cardinality}} method was designed to return the number of occurrences of object {{obj}} in collection {{col}}. One valid use of the {{cardinality}} method is to determine how many objects in the collection are {{null}}. However, because membership in the collection is checked using the expression {{ cardinality() method was designed to return the number of occurrences of object obj in collection col. One valid use of the cardinality() method is to determine how many objects in the collection are null. However, because membership in the collection is checked using the expression obj.equals(elt)}}, a null pointer dereference is guaranteed whenever {{obj}} is {{ null }} and {{elt}} is not {{ null}}.

Code Block
bgColor #FFcccc
public static int cardinality(Object obj, final CollectionCollection<?> col) { int count = 0; if (col == null) { return count; } IteratorIterator<?> it = col.iterator(); while (it.hasNext()) { Object elt = it.next(); if ((null == obj && null == elt) || obj.equals(elt)) { // nullNull pointer dereference count++; } } return count; }

Compliant Solution

This compliant solution eliminates the null pointer dereference .by adding an explicit check:

public static int cardinality(Object obj, final Collection col) {
  int count = 0;
  if (col == null) {
    return count;
  }
  Iterator it = col.iterator();
  while (it.hasNext()) {
    Object elt = it.next();
    if ((null == obj && null == elt) ||
        (null != obj && obj.equals(elt))) {
      count++;
    }
  }
  return count;
}

...

Noncompliant Code Example

This noncompliant code example defines an isNameisProperName () method that takes a String argument and returns that returns true if the given string specified String argument is a valid name . A valid name is defined as (two capitalized words separated by one or more spaces.):

public boolean isNameisProperName(String s) {
  String names[] = s.split(" ");
  if (names.length != 2) {
    return false;
  }
  return (isCapitalized(names[0]) && isCapitalized(names[1]));
}

Method isNameisProperName () is noncompliant because it may be called with a null argument results in isName() dereferencing , resulting in a null pointer dereference.

Compliant Solution (Wrapped Method)

This compliant solution demonstrates that the context in which code appears can impact its compliance. This example includes the same isNameisProperName() method implementation as the previous noncompliant example, but as part of a more general method that tests string arguments. it is now a private method with only one caller in its containing class.  

public class Foo {
  private boolean isNameisProperName(String s) {
    String names[] = s.split(" ");
    if (names.length != 2) {
      return false;
    }
    return (isCapitalized(names[0]) && isCapitalized(names[1]));
  }

  public boolean testString(String s) {
    if (s == null) return false;
    else return isNameisProperName(s);
  }
}

The isName() method is a private method with only one caller in its containing class. The calling method, testString(), guarantees that isNameisProperName () is always called with a valid string reference. As a result, the class conforms with this rule , even though isNamea public isProperName() in isolation does  method would not. In general, inter-procedural reasoning Guarantees of this sort is an acceptable approach to avoiding null pointer dereferences.

Exceptions

can be used to eliminate null pointer dereferences.

Compliant Solution (Optional Type)

This compliant solution uses an Optional String instead of a String object that may be null. The Optional class ( java.util.Optional [API 2014]) was introduced in Java 8 and can be used to mitigate against null pointer dereferences .

public boolean isProperName(Optional<String> os) {
  String names[] = os.orElse("").split(" ");
  return (names.length != 2) ? false : 
         (isCapitalized(names[0]) && isCapitalized(names[1]));
}

The Optional class contains methods that can be used to make programs shorter and more intuitive [ Urma 2014 ].

Exceptions

EXP01-J-EXP01-EX0: A method may dereference an object-typed parameter without guarantee that it is a valid object reference provided that the method documents that it (potentially) throws a NullPointerException, either via the throws clause of the method or in the method comments. However, this exception should be relied upon on sparingly.

Risk Assessment

Dereferencing a null pointer can lead to a denial of service. In multithreaded programs, null pointer dereferences can violate cache coherency policies and can cause resource leaks.

Automated Detection

Wiki MarkupNull pointer dereferences can happen in path-dependent ways. Limitations of automatic detection tools can require manual inspection of code \ [[Hovemeyer 2007|AA. References#Hovemeyer 07] \] to detect instances of null pointer dereferences. Annotations for method parameters that must be non-null can reduce the need for manual inspection by assisting automated null pointer dereference detection; use of these annotations is strongly encouraged.

Related Vulnerabilities

Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a {{NullPointerException}} \[[SDN 2008|AA. References#SDN 08]\]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.

Related Guidelines

encouraged.

Related Vulnerabilities

Java Web Start applications and applets particular to JDK version 1.6, prior to update 4, were affected by a bug that had some noteworthy security consequences. In some isolated cases, the application or applet's attempt to establish an HTTPS connection with a server generated a NullPointerException [SDN 2008]. The resulting failure to establish a secure HTTPS connection with the server caused a denial of service. Clients were temporarily forced to use an insecure HTTP channel for data exchange.

Related Guidelines

Bibliography

Android Implementation Details

Android applications are more sensitive to NullPointerException because of the constraint of the limited mobile device memory. Static members or members of an Activity may become null when memory runs out.

Bibliography

[API 2006]	Method doPrivileged()
[API 2014]	Class java.util.Optional
[Hovemeyer 2007]
[Reasoning 2003]	"Defect ID 00-0001" "Null Pointer Dereference"
[SDN 2008]	Bug ID 6514454
[ Seacord 2015 ]	Image Added EXP01-J. Never dereference null pointers LiveLesson
[Urma 2014]	Tired of Null Pointer Exceptions? Consider Using Java SE 8's Optional!

...

Image Added Image Added Image Added Image Removed      02. Expressions (EXP)      EXP02-J. Use the two-argument Arrays.equals() method to compare the contents of arrays