Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NPE in FunctionReference due to race condition in SpelExpression.getValue() [SPR-16255] #20802

Closed
spring-projects-issues opened this issue Dec 1, 2017 · 0 comments
Closed

NPE in FunctionReference due to race condition in SpelExpression.getValue() [SPR-16255] #20802

spring-projects-issues opened this issue Dec 1, 2017 · 0 comments
Assignees
@jhoeller
Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.0.3

Comments

@spring-projects-issues
Copy link
Collaborator

Alvaro Manuel Recio Perez opened SPR-16255 and commented

We have issues in a scenario in which several threads are evaluating the same expression (which include functions) in IMMEDIATE mode.

org.springframework.expression.spel.standard.getValue() includes the following piece of code:

Object result = this.ast.getValue(expressionState);
checkCompile(expressionState);

The call to checkCompile() goes through a synchronized block in compileExpression() which ends up in org.springframework.expression.spel.ast.FunctionReference.generateCode(). Inside this method, the field this.method is accessed twice, as follows:

@Override 
public void generateCode(MethodVisitor mv,CodeFlow cf) {
     Assert.state(this.method != null, "No method handle");
     String classDesc = this.method.getDeclaringClass().getName().replace('.', '/');
     generateCodeForArguments(mv, cf, this.method, this.children);
     mv.visitMethodInsn(INVOKESTATIC, classDesc, this.method.getName(),
               CodeFlow.createSignatureDescriptor(this.method), false);
     cf.pushDescriptor(this.exitTypeDescriptor);
}

However, the call to this.ast.getValue(expressionState) in org.springframework.expression.spel.standard.getValue() we saw earlier, which does not go through a synchronized block, ends up calling org.springframework.expression.spel.ast.FunctionReference.executeFunctionJLRMethod(). The first insruction of this method is:

private TypedValue executeFunctionJLRMethod(ExpressionState state, Method method) throws EvaluationException {
     this.method = null;

Because this code path is not synchronized, it may set this.method to null while the thread executing checkCompile() is running, causing a NullPointerException:

Exception in thread "Thread-95499" java.lang.NullPointerException
	at org.springframework.expression.spel.ast.FunctionReference.generateCode(FunctionReference.java:184)
	at org.springframework.expression.spel.standard.SpelCompiler.createExpressionClass(SpelCompiler.java:160)
	at org.springframework.expression.spel.standard.SpelCompiler.compile(SpelCompiler.java:105)
	at org.springframework.expression.spel.standard.SpelExpression.compileExpression(SpelExpression.java:467)
	at org.springframework.expression.spel.standard.SpelExpression.checkCompile(SpelExpression.java:437)
	at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:243)

Affects: 4.3.13, 5.0.2

Referenced from: commits 6a1fe0b, a9bad58

Backported to: 4.3.14
@spring-projects-issues spring-projects-issues added type: bug A general bug status: backported An issue that has been backported to maintenance branches in: core Issues in core modules (aop, beans, core, context, expression) labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 5.0.3 milestone Jan 11, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhoeller jhoeller

Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.0.3
Development

No branches or pull requests
2 participants
@jhoeller @spring-projects-issues