Fix NPE in JsonCodec.deserializeShape that suppresses deserialization errors (#1202)

etspaceman · adwsingh · commit 817384237689 · 2026-05-22T16:37:55.000-07:00
When deserializeShape() encounters invalid input (e.g., a nested struct
with missing required fields), the builder throws a SerializationException
mid-parse. The finally block then calls close(), which:

1. Calls parser.nextToken() (returns non-null due to unconsumed tokens)
2. Calls parser.close() then sets parser = null
3. Calls describeToken() which dereferences the now-null parser -&gt; NPE

This NPE suppresses the original helpful exception (e.g.,
"Missing required members: [field]").

Fix:
- In JacksonJsonDeserializer.close(), capture the token description
  before nulling the parser reference.
- In JsonCodec.deserializeShape(), use closeQuietly() on the error path
  so that exceptions from close() don't suppress the original
  deserialization/validation exception.
diff --git a/codecs/json-codec/src/main/java/software/amazon/smithy/java/json/JsonCodec.java b/codecs/json-codec/src/main/java/software/amazon/smithy/java/json/JsonCodec.java
@@ -56,20 +56,36 @@ public ShapeSerializer createSerializer(OutputStream sink) {
     @Override
     public <T extends SerializableShape> T deserializeShape(byte[] source, ShapeBuilder<T> builder) {
         var deserializer = createDeserializer(source);
+        T result;
         try {
-            return builder.deserialize(deserializer).errorCorrection().build();
-        } finally {
-            deserializer.close();
+            result = builder.deserialize(deserializer).errorCorrection().build();
+        } catch (Exception e) {
+            closeQuietly(deserializer);
+            throw e;
         }
+        deserializer.close();
+        return result;
     }
 
     @Override
     public <T extends SerializableShape> T deserializeShape(ByteBuffer source, ShapeBuilder<T> builder) {
         var deserializer = createDeserializer(source);
+        T result;
+        try {
+            result = builder.deserialize(deserializer).errorCorrection().build();
+        } catch (Exception e) {
+            closeQuietly(deserializer);
+            throw e;
+        }
+        deserializer.close();
+        return result;
+    }
+
+    private static void closeQuietly(ShapeDeserializer deserializer) {
         try {
-            return builder.deserialize(deserializer).errorCorrection().build();
-        } finally {
             deserializer.close();
+        } catch (Exception ignored) {
+            // Don't suppress the original deserialization exception.
         }
     }
 
diff --git a/codecs/json-codec/src/main/java/software/amazon/smithy/java/json/jackson/JacksonJsonDeserializer.java b/codecs/json-codec/src/main/java/software/amazon/smithy/java/json/jackson/JacksonJsonDeserializer.java
@@ -51,16 +51,18 @@ final class JacksonJsonDeserializer implements ShapeDeserializer {
     public void close() {
         if (parser != null && !parser.isClosed()) {
             try {
-                // Close the parser, but also ensure there's no trailing garbage input.
                 var nextToken = parser.nextToken();
+                // Capture token description before nulling parser to avoid NPE in describeToken().
+                var tokenDesc = nextToken != null ? JsonToken.valueDescFor(nextToken) : null;
                 parser.close();
                 parser = null;
-                if (nextToken != null) {
-                    throw new SerializationException("Unexpected JSON content: " + describeToken());
+                if (tokenDesc != null) {
+                    throw new SerializationException("Unexpected JSON content: " + tokenDesc);
                 }
             } catch (SerializationException e) {
                 throw e;
             } catch (Exception e) {
+                parser = null;
                 throw new SerializationException(e);
             }
         }
diff --git a/codecs/json-codec/src/test/java/software/amazon/smithy/java/json/GeneratedModelSerdeTest.java b/codecs/json-codec/src/test/java/software/amazon/smithy/java/json/GeneratedModelSerdeTest.java
@@ -745,4 +745,18 @@ static Stream<Arguments> invalidInputs() {
         }
         return arguments.stream();
     }
+
+    @PerProvider
+    void deserializeShapeWithNestedMissingRequiredFieldReportsFieldName(JsonSerdeProvider provider) {
+        var codec = codec(provider);
+        // NestedStruct requires field1 (String) and field2 (Integer).
+        // Omitting field2 from the nested struct inside a list should produce
+        // a SerializationException mentioning the missing field, not an NPE from close().
+        byte[] json =
+                "{\"id\":\"x\",\"count\":1,\"enabled\":true,\"ratio\":1.0,\"score\":1.0,\"bigCount\":1,\"structList\":[{\"field1\":\"hello\"}]}"
+                        .getBytes(StandardCharsets.UTF_8);
+        var e = assertThrows(SerializationException.class,
+                () -> codec.deserializeShape(json, ComplexStruct.builder()));
+        assertThat(e.getMessage()).contains("field2");
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -745,4 +745,18 @@ static Stream<Arguments> invalidInputs() {`
`745`	`745`	`}`
`746`	`746`	`return arguments.stream();`
`747`	`747`	`}`
	`748`	`+`
	`749`	`+ @PerProvider`
	`750`	`+ void deserializeShapeWithNestedMissingRequiredFieldReportsFieldName(JsonSerdeProvider provider) {`
	`751`	`+ var codec = codec(provider);`
	`752`	`+ // NestedStruct requires field1 (String) and field2 (Integer).`
	`753`	`+ // Omitting field2 from the nested struct inside a list should produce`
	`754`	`+ // a SerializationException mentioning the missing field, not an NPE from close().`
	`755`	`+ byte[] json =`
	`756`	`+ "{\"id\":\"x\",\"count\":1,\"enabled\":true,\"ratio\":1.0,\"score\":1.0,\"bigCount\":1,\"structList\":[{\"field1\":\"hello\"}]}"`
	`757`	`+ .getBytes(StandardCharsets.UTF_8);`
	`758`	`+ var e = assertThrows(SerializationException.class,`
	`759`	`+ () -> codec.deserializeShape(json, ComplexStruct.builder()));`
	`760`	`+ assertThat(e.getMessage()).contains("field2");`
	`761`	`+ }`
`748`	`762`	`}`