Working with code by cglib (aka dynamically generated code) - such as Spring Framework and MyBatis?

[fzyzcjy]

There are some libraries which generate code when running (instead of compiling).

Example 1: Spring framework

Dynamically generated code are very common in the Spring framework... So I do not know whether there will be much more such things hidden in the dark, generating NPEs... For instance:

@RestController class BookController {
    @GetMapping("/books/{name}")
    public List<Book> get(String name, @AuthenticationPrincipal Principal p) {
        p.someMethod(); // bug!
    }
}

There is nowhere directly calling this method at all. Actually, the only guy who will call this, is the dynamically generated code using cglib by Spring. Moreover, the p can be null when Spring calls this, by some manuals of Spring. I think the Checker framework cannot find this bug... :( What can I do?

Example 2: MyBatis

The full code looks like:

public interface BlogMapper {
  @Select("SELECT * FROM blog WHERE id = #{id}")
  Blog selectBlog(int id);
}

and nothing more - no implementation classes or anything more! MyBatis will generate code when starting the application. And note that the result Blog can be null (by their definition)...

What can I do? Thanks so much! I am so sad if I have to not use this wonderful framework, and go to write ugly asserts or checkArguments... :(

[wmdietl]

The Checker Framework operates on Java source code. It doesn't inspect Java bytecode (besides reading type signatures from the classfile) and also doesn't inspect code generated using bytecode libraries like cglib.

In your first example, you could annotate parameter p as @Nullable and the Nullness Checker will give you an error on the illegal dereference in the body.
You would need support from the Spring framework to help you correctly annotate all such parameters as @Nullable.

In the second example, you could annotate the return type as @Nullable and the Nullness Checker will give you an error on illegal dereferences of uses.
Again, you would need support from MyBatis to ensure that for all auto-generated methods the returns are correctly annotated.

Even with these frameworks, you will get some benefits out of using the Checker Framework.
Please let me know if this answered your question

[fzyzcjy]

Thanks very much for the reply! I think programmers may forget to annotate each of such things (e.g. the two @Nullables you mentioned... So in such cases, we will still encounter NPEs... :/

[mernst]

You are right. An analysis tool can only give warnings about the code it analyzes. If there is unanalyzed code, that code might misbehave.

[fzyzcjy]

Ah thanks! It is so sad that I may have to go back to use Preconditions.checkNotNull(...) :/

[mernst]

I have added documentation mentioning dynamically generated code as an example of unchecked code. It was not mentioned in the manual previously. Thanks for bringing this up.

[fzyzcjy]

You are welcome!