NullAway: Practical Type-Based Null Safety for Java

    Abstract

    NullPointerExceptions (NPEs) are a key source of crashes in modern Java programs. Previous work has shown how such errors can be prevented at compile time via code annotations and pluggable type checking. However, such systems have been difficult to deploy on large-scale software projects, due to significant build-time overhead and / or a high annotation burden. This paper presents NullAway, a new type-based null safety checker for Java that overcomes these issues. NullAway has been carefully engineered for low overhead, so it can run as part of every build. Further, NullAway reduces annotation burden through targeted unsound assumptions, aiming for no false negatives in practice on checked code. Our evaluation shows that NullAway has significantly lower build-time overhead (1.15X) than comparable tools (2.8-5.1X). Further, on a corpus of production crash data for widely-used Android apps built with NullAway, remaining NPEs were due to unchecked third-party libraries (64%), deliberate error suppressions (17%), or reflection and other forms of post-checking code modification (17%), never due to NullAway’s unsound assumptions for checked code.

    Authors

    Subarno Banerjee, Lazaro Clapp, Manu Sridharan

    Conference

    FSE 2019

    Full Paper

    ‘NullAway: Practical Type-Based Null Safety for Java’ (PDF)

    Programming Systems Team

    Comments
    Previous articleEvolvability ES: Scalable and Direct Optimization of Evolvability
    Next articleImprove User Retention with Causal Learning
    Lazaro Clapp
    Lazaro Clapp is a Senior Engineer at Uber's Programming Systems Team, where he works primarily on developing static analysis tools for Java applications. His current focus is to improve application reliability by preventing broad categories of bugs using fast type-system based tools that run on every local compilation, while minimizing developer annotation burden. His research interests more broadly include static and dynamic analysis, modeling of third-party code behavior, as well as automated test generation and UI exploration for mobile applications. He holds a Ph.D. in Computer Science from Stanford University.