parser/deserializer/ThrowableDeserializer.java 里 deserialze() 可疑的空指针解引用 #1613

viennadd · 2017-11-27T09:43:35Z

Hi,

我们的代码检查器 Pinpoint 报告了一处可疑的空指针解引用，

fastjson/src/main/java/com/alibaba/fastjson/parser/deserializer/ThrowableDeserializer.java

Lines 131 to 150 in fcd2ae7

    
           if (otherValues != null) { 
        
               JavaBeanDeserializer exBeanDeser = null; 
        
               if (exClass != null) { 
        
                   if (exClass == clazz) { 
        
                       exBeanDeser = this; 
        
                   } else { 
        
                       ObjectDeserializer exDeser = parser.getConfig().getDeserializer(exClass); 
        
                       if (exDeser instanceof JavaBeanDeserializer) { 
        
                           exBeanDeser = (JavaBeanDeserializer) exDeser; 
        
                       } 
        
                   } 
        
               } 
        
               for (Map.Entry<String, Object> entry : otherValues.entrySet()) { 
        
                   String key = entry.getKey(); 
        
                   Object value = entry.getValue(); 
        
                   FieldDeserializer fieldDeserializer = exBeanDeser.getFieldDeserializer(key); 
        
                   if (fieldDeserializer != null) {

149 行的 exBeanDeser 变量是否有可能跳过全部初始化赋值（139 返回 false 的话）导致维持 null 值，然后触发空指针解用？

这处是真的有潜在问题?，还是 139 行的检查是非必要？

祝好，
Sourcebrella Inc.

The text was updated successfully, but these errors were encountered:

richardxx · 2017-11-30T08:22:29Z

阿里大神们麻烦抽空看看，多谢！

wenshao · 2017-12-01T12:35:37Z

谢谢反馈，问题已经修复，将会在下一版本中带上

wenshao · 2017-12-14T02:25:31Z

https://github.com/alibaba/fastjson/releases/tag/1.2.42
新版已发布，请使用新版本。

wenshao added a commit that referenced this issue Dec 1, 2017

bug fixed for issue #1613

6065965

wenshao added the bug label Dec 1, 2017

wenshao added this to the 1.2.42 milestone Dec 1, 2017

wenshao closed this as completed Dec 14, 2017

wenshao added a commit that referenced this issue Jan 1, 2018

bug fixed for issue #1613

9c48254

wenshao added a commit that referenced this issue Jul 17, 2019

bug fixed for issue #1613

8d967c1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

parser/deserializer/ThrowableDeserializer.java 里 deserialze() 可疑的空指针解引用 #1613

parser/deserializer/ThrowableDeserializer.java 里 deserialze() 可疑的空指针解引用 #1613

viennadd commented Nov 27, 2017 •

edited

Loading

richardxx commented Nov 30, 2017

wenshao commented Dec 1, 2017

wenshao commented Dec 14, 2017

parser/deserializer/ThrowableDeserializer.java 里 deserialze() 可疑的空指针解引用 #1613

parser/deserializer/ThrowableDeserializer.java 里 deserialze() 可疑的空指针解引用 #1613

Comments

viennadd commented Nov 27, 2017 • edited Loading

richardxx commented Nov 30, 2017

wenshao commented Dec 1, 2017

wenshao commented Dec 14, 2017

viennadd commented Nov 27, 2017 •

edited

Loading