NPE in FunctionReference due to race condition in SpelExpression.getValue() [SPR-16255] #20802

spring-projects-issues opened this issue Dec 1, 2017 · 0 comments
in: core status: backported type: bug



spring-projects-issues commented Dec 1, 2017

Alvaro Manuel Recio Perez opened SPR-16255 and commented

We have issues in a scenario in which several threads are evaluating the same expression (which includes functions) in IMMEDIATE mode.

org.springframework.expression.spel.standard.getValue() includes the following piece of code:

Object result = this.ast.getValue(expressionState);

The call to checkCompile() goes through a synchronized block in compileExpression() which ends up in org.springframework.expression.spel.ast.FunctionReference.generateCode(). Inside this method, the field this.method is accessed twice, as follows:

public void generateCode(MethodVisitor mv,CodeFlow cf) {
     Assert.state(this.method != null, "No method handle");
     String classDesc = this.method.getDeclaringClass().getName().replace('.', '/');
     generateCodeForArguments(mv, cf, this.method, this.children);
     mv.visitMethodInsn(INVOKESTATIC, classDesc, this.method.getName(),
               CodeFlow.createSignatureDescriptor(this.method), false);

However, the call to this.ast.getValue(expressionState) in org.springframework.expression.spel.standard.getValue() we saw earlier, which does not go through a synchronized block, ends up calling org.springframework.expression.spel.ast.FunctionReference.executeFunctionJLRMethod(). The first instruction of this method is:

private TypedValue executeFunctionJLRMethod(ExpressionState state, Method method) throws EvaluationException {
     this.method = null;

Because this code path is not synchronized, it may set this.method to null while the thread executing checkCompile() is running, causing a NullPointerException:

Exception in thread "Thread-95499" java.lang.NullPointerException
	at org.springframework.expression.spel.ast.FunctionReference.generateCode(
	at org.springframework.expression.spel.standard.SpelCompiler.createExpressionClass(
	at org.springframework.expression.spel.standard.SpelCompiler.compile(
	at org.springframework.expression.spel.standard.SpelExpression.compileExpression(
	at org.springframework.expression.spel.standard.SpelExpression.checkCompile(
	at org.springframework.expression.spel.standard.SpelExpression.getValue(

Affects: 4.3.13, 5.0.2

Referenced from: commits 6a1fe0b, a9bad58

Backported to: 4.3.14

@spring-projects-issues spring-projects-issues added type: bug status: backported in: core labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 5.0.3 milestone Jan 11, 2019
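
The interleaving described in the report, as an added example that is not part of the original issue and is not Spring's code: a constructed model in which one thread clears a shared `Method` field between another thread's null check and its use, next to a variant that reads the field once into a local. The class `FunctionRefRaceDemo`, its method names and the latches that force the ordering are assumptions made for illustration; the local-copy variant is one common way to close this window, not necessarily the change made in the referenced commits.

```java
import java.lang.reflect.Method;
import java.util.concurrent.CountDownLatch;
// Constructed model of the race; class and method names are hypothetical, not Spring's.
public class FunctionRefRaceDemo {
    private volatile Method method; // shared field, written by evaluate() without a lock
    // Latches force the problematic interleaving so the run is deterministic.
    private final CountDownLatch checked = new CountDownLatch(1);
    private final CountDownLatch cleared = new CountDownLatch(1);
    FunctionRefRaceDemo(Method m) { this.method = m; }

    // Evaluation path: clears the field once the compile path has passed its check.
    void evaluate() throws InterruptedException {
        checked.await();
        this.method = null;
        cleared.countDown();
    }

    // Compile path, racy: the null check and the use are separate reads of the field.
    String describeRacy() throws InterruptedException {
        if (this.method == null) throw new IllegalStateException("No method handle");
        checked.countDown();
        cleared.await();
        return this.method.getDeclaringClass().getName().replace('.', '/');
    }

    // Compile path, hardened: read the field once and use only the local copy.
    String describeSafe() throws InterruptedException {
        Method m = this.method;
        if (m == null) throw new IllegalStateException("No method handle");
        checked.countDown();
        cleared.await();
        return m.getDeclaringClass().getName().replace('.', '/');
    }

    static String run(boolean safe) throws Exception {
        FunctionRefRaceDemo ref = new FunctionRefRaceDemo(String.class.getMethod("valueOf", int.class));
        Thread evaluator = new Thread(() -> {
            try { ref.evaluate(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        });
        evaluator.start();
        try {
            return safe ? ref.describeSafe() : ref.describeRacy();
        } catch (NullPointerException e) {
            return "NullPointerException";
        } finally { evaluator.join(); }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("racy: " + run(false) + ", hardened: " + run(true));
    }
}
```

Making the field `volatile` alone does not help here: the racy variant still performs two independent reads, so the value can change between them.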