Find NPE in SqlRunner.java

[containerAnalyzer]

Hello,
Our static analyzer found a following potential NPE. We have checked the feasibility of this execution trace. It is necessary to defend this vulnerability to improve the code quality.

1. Select the true branch at this point (class.equals(class)!=0 is true)
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 312 in b459c61

   } else if (!handler.getClass().equals(soleHandler.getClass())) {

2. Select the true branch at this point (jdbcHandlerMap.values().iterator().hasNext()==0 is true)
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 309 in b459c61

   for (TypeHandler<?> handler : jdbcHandlerMap.values()) {

3. Return soleHandler to caller, which can be null (The return value can be null)
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 317 in b459c61

   return soleHandler;

4. Function pickSoleHandler executes and returns
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 246 in b459c61

   handler = pickSoleHandler(jdbcHandlerMap);

5. Return handler to caller, which can be null (The return value can be null)
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 250 in b459c61

   return (TypeHandler<T>) handler;

6. Return the return value of function getTypeHandler to caller
   

   mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

   Line 213 in b459c61

   return getTypeHandler((Type) type, null);

7. Function getTypeHandler executes and stores the return value to typehandler (typehandler can be null)
   

   mybatis-3/src/main/java/org/apache/ibatis/jdbc/SqlRunner.java

   Line 216 in b459c61

   typeHandler = typeHandlerRegistry.getTypeHandler(Object.class);

8. Function add executes and typeHandlers contains null
   

   mybatis-3/src/main/java/org/apache/ibatis/jdbc/SqlRunner.java

   Line 218 in b459c61

   typeHandlers.add(typeHandler);

9. Function get executes and stores the return value to handler (handler can be null)
   

   mybatis-3/src/main/java/org/apache/ibatis/jdbc/SqlRunner.java

   Line 227 in b459c61

   TypeHandler<?> handler = typeHandlers.get(i);

10. handler is passed as the this pointer to function getResult (handler can be null), which will leak to null pointer dereference
    

    mybatis-3/src/main/java/org/apache/ibatis/jdbc/SqlRunner.java

    Line 228 in b459c61

    row.put(name.toUpperCase(Locale.ENGLISH), handler.getResult(rs, name));

Commit: b459c61

ContainerAnalyzer

[harawata]

Hello @containerAnalyzer ,

At 7, I cannot think of a situation where typeHandlerRegistry.getTypeHandler(Object.class) returns null.
If you think I am missing something (it's possible), please provide a repro.

[containerAnalyzer]

hello @harawata ,

mybatis-3/src/main/java/org/apache/ibatis/type/TypeHandlerRegistry.java

Lines 312 to 314 in b459c61

	} else if (!handler.getClass().equals(soleHandler.getClass())) {
	// More than one type handlers registered.
	return null;

pickSoleHandler may return null and pass to getTypeHandler 's return value, it is logically possible. There is no conflict in the path conditions, that can be proved by the smt solver. So I think this is a potential problem :)

[harawata]

@containerAnalyzer ,

Okay, then please provide a test case.
We need it to avoid future regression anyway.

[harawata]

No response. Closing.