Fix crash on JDK 27

[msridhar]

It seems that in certain cases for annotations on lambda parameters, the parameter_index field of a TypePosition can be negative on JDK 27. This was causing a crash; fix by checking for a negative index.

Summary by CodeRabbit

• Bug Fixes

  • Fixed lambda parameter matching validation to properly guard against edge cases with invalid parameter indexes.

• Tests

  • Added test case for JDK 27 compatibility with generic method and lambda inference scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 047a0be1-f6b3-44d4-9828-2a14c660cd10

📥 Commits

Reviewing files that changed from the base of the PR and between e3e78aa and cfeb251.

📒 Files selected for processing (2)

• nullaway/src/main/java/com/uber/nullaway/NullabilityUtil.java
• nullaway/src/test/java/com/uber/nullaway/jspecify/GenericMethodLambdaOrMethodRefArgTests.java

---

Walkthrough

This pull request fixes a bounds-checking vulnerability in NullabilityUtil.java by adding a guard to ensure parameterIndex >= 0 before attempting to access the lambdaParams array. Previously, only the upper bounds check (parameterIndex < lambdaParams.size()) existed, allowing negative indexes to bypass validation. A new test method crasherOnJdk27 is also added to GenericMethodLambdaOrMethodRefArgTests.java to verify correct behavior when handling generic inference within lambdas passed to generic methods.

Possibly related PRs

• Fix for explicitly-typed lambda parameters in JDK 24+ #1452: Modifies NullabilityUtil to improve lambda-parameter and nullability handling through additional symbol type annotation inspection.

Suggested labels

jspecify

Suggested reviewers

• lazaroclapp
• seemantasaha
• yuxincs

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly matches the PR's main objective: fixing a crash on JDK 27 by adding validation for negative parameter indexes in lambda parameter annotation matching.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jdk-27-crash

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 88.48%. Comparing base (e3e78aa) to head (cfeb251).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
...c/main/java/com/uber/nullaway/NullabilityUtil.java	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #1541   +/-   ##
=========================================
  Coverage     88.48%   88.48%           
- Complexity     2843     2845    +2     
=========================================
  Files           103      103           
  Lines          9490     9491    +1     
  Branches       1905     1906    +1     
=========================================
+ Hits           8397     8398    +1     
  Misses          531      531           
  Partials        562      562           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.