RLK.SOCK

RLK (Resource Leak) issues are reported when resources are allocated but not properly disposed after use. Failing to properly dispose a resource can lead to such problems as:

• too many files being open
• an application not being able to access a temporary file when it is needed

An RLK.SOCK warning indicates that a Socket is not closed on exit.

Vulnerability and risk

Resources such as streams, connections and graphic objects must be explicitly closed. The close operation can unblock transactions or flush file changes in the file system. While a resource will eventually be closed by the garbage collector, resource exhaustion can occur before garbage collection starts. Depending on the nature of the resource, various exceptions will be thrown on a failed attempt to allocate another resource, for example: java.io.FileNotFoundException: Too many open files or too many database connections.

Mitigation and prevention

Explicitly close all resources that have the close method, even those that you think are not doing anything significant. Future code changes will then be safe from such errors.

Example 1

23
24
25
26
27
28
29
30
31
32
33
34
     public void accept() throws IOException {
         ServerSocket serverSocket = null;
         try {
             serverSocket = new ServerSocket(1034);
             Socket socket = serverSocket.accept();   // socket created
             final OutputStream outputStream = socket.getOutputStream();
             sendStatus(outputStream);
             outputStream.close();
         } finally {
             serverSocket.close();
         }
     }

RLK.SOCK is reported for the snippet on line 27: 'socket' created by 'serverSocket.accept()' call is not closed after creation.

Example 2

23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
     public void accept() throws IOException {
         ServerSocket serverSocket = null;
         try {
             serverSocket = new ServerSocket(1034);
             Socket socket = serverSocket.accept();   // socket created
             try {
                 final OutputStream outputStream = socket.getOutputStream();
                 sendStatus(outputStream);
                 outputStream.close();
             } finally {
                 socket.close();    // socket closed
             }
         } finally {
             serverSocket.close();
         }
     }

The snippet from the previous section is fixed; RLK.SOCK is not reported here.

External guidance

• CWE-772: Missing Release of Resource after Effective Lifetime
• CERT FIO04-J: Release resources when they are no longer needed

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.