Fix false positive in AnnotateNullableParameters when parameter der…#868
Merged
timtebeek merged 4 commits intoJun 16, 2026
Conversation
…eferenced before null check
…ers` Replace cursor-message state with plain instance fields keyed by `JavaType.Variable` so scope-shadowed identifiers stay distinct, drop the redundant method-invocation/unary arms of `handleCondition` (now reached via the standard visitor traversal), and remove the narrative comments that duplicated what the code already says.
…notateNullableParameters
mergify Bot
added a commit
to robfrank/linklift
that referenced
this pull request
Jun 18, 2026
… 2.36.0 to 2.37.0 [skip ci] Bumps [org.openrewrite.recipe:rewrite-static-analysis](https://github.com/openrewrite/rewrite-static-analysis) from 2.36.0 to 2.37.0. Release notes *Sourced from [org.openrewrite.recipe:rewrite-static-analysis's releases](https://github.com/openrewrite/rewrite-static-analysis/releases).* > 2.37.0 > ------ > > What's Changed > -------------- > > * Preserve raw supertype cast on parameterized argument in `RemoveRedundantTypeCast` by [`@timtebeek`](https://github.com/timtebeek) in [openrewrite/rewrite-static-analysis#915](https://redirect.github.com/openrewrite/rewrite-static-analysis/pull/915) > * Preserve space when InstanceOfPatternMatch replaces a cast after a keyword by [`@timtebeek`](https://github.com/timtebeek) in [openrewrite/rewrite-static-analysis#913](https://redirect.github.com/openrewrite/rewrite-static-analysis/pull/913) > * `InstanceOfPatternMatch` not to remove double primitive cast by [`@greg-at-moderne`](https://github.com/greg-at-moderne) in [openrewrite/rewrite-static-analysis#918](https://redirect.github.com/openrewrite/rewrite-static-analysis/pull/918) > * Fix UseDiamondOperator throwing array index out of bounds when operating on a varargs method by [`@sambsnyd`](https://github.com/sambsnyd) in [openrewrite/rewrite-static-analysis#919](https://redirect.github.com/openrewrite/rewrite-static-analysis/pull/919) > * Fix false positive in `AnnotateNullableParameters` when parameter der… by [`@stefanodallapalma`](https://github.com/stefanodallapalma) in [openrewrite/rewrite-static-analysis#868](https://redirect.github.com/openrewrite/rewrite-static-analysis/pull/868) > > **Full Changelog**: <openrewrite/rewrite-static-analysis@v2.36.0...v2.37.0> Commits * [`3d2b173`](openrewrite/rewrite-static-analysis@3d2b173) Fix false positive in `AnnotateNullableParameters` when parameter der… ([#868](https://redirect.github.com/openrewrite/rewrite-static-analysis/issues/868)) * [`6d76624`](openrewrite/rewrite-static-analysis@6d76624) Fix UseDiamondOperator throwing array index out of bounds when operating on a... * [`dfc6176`](openrewrite/rewrite-static-analysis@dfc6176) `InstanceOfPatternMatch` not to remove double primitive cast ([#918](https://redirect.github.com/openrewrite/rewrite-static-analysis/issues/918)) * [`49d1bdc`](openrewrite/rewrite-static-analysis@49d1bdc) Preserve space when InstanceOfPatternMatch replaces a cast after a keyword (#... * [`23503ce`](openrewrite/rewrite-static-analysis@23503ce) Preserve raw supertype cast on parameterized argument in `RemoveRedundantType... * [`64e3203`](openrewrite/rewrite-static-analysis@64e3203) git-ignore .context/ * See full diff in [compare view](openrewrite/rewrite-static-analysis@v2.36.0...v2.37.0) [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix false positive in
AnnotateNullableParameterswhen parameter dereferenced before null checkCo-authored with Factory Droid 0.102.0.
Problem
The
AnnotateNullableParametersrecipe had a false positive: it would annotate parameters as@Nullableeven when they were dereferenced (via method calls or field access) before being null-checked. This could lead to incorrect annotations that suggest a parameter can be null when it would actually cause aNullPointerException.Example of the false positive from actual code:
Previously, the recipe would incorrectly add
@CheckForNulltopostingAddendumRecordeven thoughpostingAddendumRecord.getLineNumber()is called before the null check, making the annotation misleading.Solution
Refactored the internal visitor to track both null checks and dereferences in a single pass:
Renamed visitor:
NullCheckVisitor→NullCheckAndDereferenceVisitorto reflect its expanded responsibilitiesState tracking via Cursor messaging: Replaced the reduce pattern with stateful tracking using three keys:
NULL_CHECKED_KEY- parameters that have been null-checkedDEREFERENCED_KEY- parameters that have been dereferenced before null-checkNULL_CHECK_STATE_KEY- tracks null-check status during AST traversalDereference detection: Added
visitFieldAccessand enhancedvisitMethodInvocationto detect when parameters are dereferenced via:param.method()param.fieldRefined null-checking method handling: Separated
Objects.requireNonNullElseandObjects.requireNonNullElseGetintoFIRST_ARG_NULLABLE_MATCHERSsince only their first argument can be null (second is the non-null fallback)Final filtering:
getNullCheckedIdentifiers()now filters out parameters that were dereferenced before being null-checkedTesting
noChangeWhenParameterDereferencedBeforeNullCheck()- verifies the recipe doesn't annotate parameters dereferenced before null checksAll existing tests pass, confirming backward compatibility.
Requested reviewer
@timtebeek