...
The problem of resource pool exhaustion is aggravated in the case of database connections. Many database servers allow only a fixed number of simultaneous connections, depending on configuration and licensing. Consequently, failure to release database connections can result in rapid exhaustion of the available connections. This noncompliant code example fails to close the connection when an error occurs during execution of the SQL statement or during processing of the results.
...
This noncompliant code example attempts to address the exhaustion of database connections by adding clean-up code in a finally block. However, either or both of rs and stmt could be null (for example, when createStatement() or executeQuery() throws before the assignment completes), in which case the code in the finally block would throw a NullPointerException.
```java
Statement stmt = null;
ResultSet rs = null;   // the original listing was missing this semicolon
Connection conn = getConnection();
try {
  stmt = conn.createStatement();
  rs = stmt.executeQuery(sqlQuery);
  processResults(rs);
} catch (SQLException e) {
  // forward to handler
} finally {
  rs.close();    // NullPointerException if executeQuery() never completed
  stmt.close();  // NullPointerException if createStatement() never completed
  // conn is never closed, so the connection is still leaked
}
```
...
In this noncompliant code example, the call to rs.close() might itself throw an SQLException; consequently, stmt.close() would never be called, and the statement (and the connection behind it) would be leaked.
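The two defects described above (a null reference in the finally block, and a close() that throws and thereby skips the remaining close() calls) are both avoided by giving every resource its own try/finally, or by using try-with-resources. The following is an added example written for this page, not code from the CERT rule itself. The JDBC "driver" is a constructed java.lang.reflect.Proxy stand-in, so the program runs offline and can deliberately make ResultSet.close() fail; the method names countRowsNested, countRowsTwr and fakeConnection are this example's own.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public final class ReleaseJdbcResources {

    // Compliant pattern 1: one try/finally per resource. Each close() runs in
    // its own finally block, so an exception from rs.close() cannot skip
    // stmt.close() or conn.close(), and a reference that was never assigned
    // (because the acquire call threw) is never dereferenced.
    static int countRowsNested(Connection conn, String sqlQuery) throws SQLException {
        int rows = 0;
        try {
            Statement stmt = conn.createStatement();
            try {
                ResultSet rs = stmt.executeQuery(sqlQuery);
                try {
                    while (rs.next()) {
                        rows++;
                    }
                } finally {
                    rs.close();
                }
            } finally {
                stmt.close();
            }
        } finally {
            conn.close();
        }
        return rows;
    }

    // Compliant pattern 2: try-with-resources (Java 7 and later). Resources are
    // closed in reverse order of declaration, every close() is attempted even
    // if an earlier one threw, and an exception raised by close() while another
    // exception is already propagating is attached to it as a suppressed
    // exception instead of replacing it.
    static int countRowsTwr(Connection conn, String sqlQuery) throws SQLException {
        int rows = 0;
        try (Connection c = conn;
             Statement stmt = c.createStatement();
             ResultSet rs = stmt.executeQuery(sqlQuery)) {
            while (rs.next()) {
                rows++;
            }
        }
        return rows;
    }

    // Constructed stand-in for a JDBC driver (assumption of this example, not a
    // real driver): a dynamic proxy whose ResultSet yields rowCount rows and
    // whose close() methods record which object was closed in `closed`. When
    // failOnRsClose is true, ResultSet.close() throws, reproducing the failure
    // mode discussed in the text.
    static Connection fakeConnection(int rowCount, boolean failOnRsClose, List<String> closed) {
        ClassLoader loader = ReleaseJdbcResources.class.getClassLoader();
        int[] remaining = {rowCount};
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                String kind = proxy instanceof ResultSet ? "rs"
                            : proxy instanceof Statement ? "stmt" : "conn";
                String name = m.getName();
                if (name.equals("createStatement")) {
                    return Proxy.newProxyInstance(loader, new Class<?>[] {Statement.class}, this);
                }
                if (name.equals("executeQuery")) {
                    return Proxy.newProxyInstance(loader, new Class<?>[] {ResultSet.class}, this);
                }
                if (name.equals("next")) {
                    return remaining[0]-- > 0;   // true for the first rowCount calls
                }
                if (name.equals("close")) {
                    closed.add(kind);
                    if (failOnRsClose && kind.equals("rs")) {
                        throw new SQLException("simulated failure in ResultSet.close()");
                    }
                    return null;
                }
                throw new UnsupportedOperationException(name);
            }
        };
        return (Connection) Proxy.newProxyInstance(loader, new Class<?>[] {Connection.class}, handler);
    }

    public static void main(String[] args) throws SQLException {
        List<String> closed = new ArrayList<>();
        int rows = countRowsNested(fakeConnection(3, false, closed), "SELECT 1");
        System.out.println("nested try/finally: rows=" + rows + " closed=" + closed);

        closed.clear();
        try {
            countRowsTwr(fakeConnection(3, true, closed), "SELECT 1");
        } catch (SQLException e) {
            // rs.close() failed, yet stmt and conn were still closed
            System.out.println("try-with-resources: " + e.getMessage() + " closed=" + closed);
        }
    }
}
```

In the first run all three objects are closed in the order rs, stmt, conn. In the second run ResultSet.close() throws; the SQLException still reaches the caller, but the `closed` list shows that stmt.close() and conn.close() ran anyway, which is exactly what the noncompliant finally block above cannot guarantee. With a connection pool, conn.close() returns the connection to the pool rather than tearing it down, so the same discipline is what keeps the pool from draining.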
...
```java
FileInputStream stream = null;
BufferedReader bufRead = null;
String line;
try {
  stream = new FileInputStream(fileName);
  bufRead = new BufferedReader(new InputStreamReader(stream));
  while ((line = bufRead.readLine()) != null) {
    sendLine(line);
  }
} catch (IOException e) {
  // forward to handler
} finally {
  // Close the underlying file handle whether or not an exception occurred;
  // the null check covers the case where FileInputStream() itself threw.
  if (stream != null) {
    stream.close();
  }
}
```
Risk Assessment
Failure to explicitly release non-memory system resources when they are no longer needed can result in resource exhaustion.
...
Although sound automated detection of this vulnerability is not feasible in the general case, many interesting cases can be soundly detected.
The Coverity Prevent Version 5.0 RESOURCE_LEAK checker can detect instances where a socket, or a stream representing a file or other system resource, is leaked.
...