search

github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License
7.52k stars 1.5k forks source link

Java: Nullness: LGTM.com - false positive #3176

Open Zelldon opened 4 years ago

Zelldon commented 4 years ago

Description of the false positive

 if (!channel.isActive()) {
              CompletableFuture<Channel> currentFuture;
              synchronized (channelPool) {
                currentFuture = channelPool.get(offset);
                if (currentFuture == finalFuture) { // final future is not null since it is used also before
                  channelPool.set(offset, null);
                } else if (currentFuture == null) {
                  currentFuture = factory.apply(address); // <== assigned here
                  currentFuture.whenComplete(this::logConnection); // <== used here
                  channelPool.set(offset, currentFuture);
                }
              }

              if (currentFuture == finalFuture) {
                getChannel(address, messageType)
                    .whenComplete(
                        (recursiveResult, recursiveError) -> {
                          completeFuture(future, recursiveResult, recursiveError);
                        });
              } else {
                currentFuture.whenComplete( // <== can't be null here

We can see that if currentFuture is null then it is assigned a new value, which is used directly afterwards, which means it cant be null later. URL to the alert on the project page on LGTM.com https://lgtm.com/projects/g/zeebe-io/zeebe/snapshot/e722021d676bdbeee3366fa1c10a915f031bbf0c/files/atomix/cluster/src/main/java/io/atomix/cluster/messaging/impl/ChannelPool.java?sort=name&dir=ASC&mode=heatmap#xa937c5d4af2d26c1:1

aschackmull commented 4 years ago

Thank you for your report. You are correct that this is a FP, and for now I'd suggest suppressing the alert with an alert suppression comment.