JD.LOCK

JD.LOCK occurs when a lock was acquired with a java.util.concurrent.locks.Lock.lock() method call, but it was never actually released; that is, the java.util.concurrent.locks.Lock.unlock() method was not called on some path.

Vulnerability and risk

This situation can cause deadlock.

Mitigation and prevention

Here is a pattern for implementing locking by means of a Lock object:

l.lock();

try { 
   ...
 } finally {
   l.unlock(); 
}

Example 1

12     void action() {
13         Lock l = new ReentrantLock();
14         l.lock();
15         try {
16             dosomething();
17         } catch (Exception e) {
18             l.unlock();
19         }
20     }
21 
22     private void dosomething() throws Exception {
23         // ...
24     }

JD.LOCK is reported for the line 13: Lock 'l' acquired but not released.

Example 2

11     void action() {
12         Lock l = new ReentrantLock();
13         l.lock();
14         try {
15             dosomething();
16         } catch (Exception e) {
17             // ...
18         } finally {
19             l.unlock();
20         }
21     }
22 
23     private void dosomething() throws Exception {
24         // ...
25     }

The problem from the previous snippet is fixed: the lock would be released whether an exception was thrown or not. JD.LOCK is not reported here.

Security guidelines

• STIG-ID:APP3630.4 Application vulnerable to race conditions
• STIG-ID:APP3780 Web Service Availability

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.