Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File handle to findsecbugs-plugin.jar is leaking #128

Closed
Vampire opened this issue Aug 23, 2017 · 15 comments · Fixed by #696
Closed

File handle to findsecbugs-plugin.jar is leaking #128

Vampire opened this issue Aug 23, 2017 · 15 comments · Fixed by #696
Labels
bug

Comments

@Vampire
Copy link

Vampire commented Aug 23, 2017

A file handle to findsecbugs-plugin.jar is leaking.
When I run a SonarQube analysis with Gradle Scanner with activated Gradle Daemon on Windows and after the analysis is finished try to delete the build/sonar/ folder, Windows is yelling at me that the findsecbugs-plugin.jar files for each project are in use.
This means that the Findbugs plugin or Findbugs is leaking the reference to that JAR.
It would be nice if this would not be the case.
@h3xstream h3xstream added the bug label Aug 25, 2017
@svilenvul svilenvul mentioned this issue Feb 23, 2018
Closed
@svilenvul
Copy link

I have experienced similar problems with the spotbugs-maven-plugins.

@roberthubert roberthubert mentioned this issue Mar 17, 2018
Closed
@h3xstream
Copy link
Member

There is a fix in progress : spotbugs/spotbugs#591

@Vampire
Copy link
Author

Vampire commented Feb 15, 2019

Is this fixed?
The issue you referenced is marked with merged and milestone 3.1.4.

@AndreasPetersen
Copy link

I'm still having the issue with sonar-findbugs 3.11.0

@h3xstream
Copy link
Member

h3xstream commented May 28, 2019
edited
Loading

I did not do any advanced analysis..

Here is the code loading the plugin. I don't see any state kept in this class which could keep a reference to the file of the plugin.

sonar-findbugs/src/main/java/org/sonar/plugins/findbugs/FindbugsExecutor.java

Lines 271 to 278 in b7ca5dd

for (String path : pluginJarPathList) {
try {
Plugin plugin = Plugin.addCustomPlugin(new File(path).toURI(), contextClassLoader);
if (plugin != null) {
customPluginList.add(plugin);
LOG.info("Loading findbugs plugin: " + path);
}
} catch (PluginException e) {

Could it be SpotBugs which is keeping some sort of cache or having a circular reference? Or is specifically FSB ?

Heap analysis with VisualVM will likely help track this reference..

@KengoTODA
Copy link
Member

I know one case, is that, Windows uses cache and it keep file handle opened by JVM. Then URLConnection#setUseCaches(false) is necessary to avoid this handler leak.

In my understanding, SpotBugs has fixed this issue by the following commit, but we may miss other problem that still keeps handler in Windows.

spotbugs/spotbugs@5f88794#diff-dad40536bc9bd97552925b9c1566a005R286

@KengoTODA
Copy link
Member

I guess that we probably need a fix like this? Is there anybody can reproduce this issue?

diff --git a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
index f4112bb72..fbfe3c352 100644
--- a/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
+++ b/spotbugs/src/main/java/edu/umd/cs/findbugs/PluginLoader.java
@@ -222,6 +222,9 @@ public class PluginLoader {
             }
             partiallyInitialized.add(this);
         } else {
+            if (classLoader instanceof URLClassLoader) {
+                ((URLClassLoader) classLoader).setUseCaches(false);
+            }
             loadPluginComponents();
             Plugin.putPlugin(loadedFromUri, plugin);
         }

@ecast040
Copy link

I'm having this exact issue with the sonarqube plugin, Is there a fix for this yet? Where do I go to add the .setUseCaches(false) ?

@nubang7
Copy link

nubang7 commented Feb 12, 2020
edited
Loading

I`m having same issue still today. Can not build Gradle project cause findsecbugs-plugin.jar is locked after SonarQube task ran.

@KengoTODA
Copy link
Member

If you can reproduce this problem, try this patch and share the result if possible.

@paulthvt
Copy link

paulthvt commented Mar 23, 2020
edited
Loading

I'm still having the same issue. I was interested to try this patch out but it won't compile. There's no setUseCaches method on URLClassLoader unfortunately.

@Daemon2017
Copy link

I'm still having the same issue :(
Plugin version: 3.0

@yuriy-slobodchikov
Copy link

Reproduced

Plugin version: 3.1.1

@aantenan
Copy link

aantenan commented Feb 8, 2022

If you run gradle with --no-daemon, it kills all JVM processes upon completion. This may work for a few use cases.

@gtoison
Copy link
Contributor

gtoison commented Feb 8, 2022

I ran into that issue while working into another problem with Gradle and could reproduce it all the time.
It seems to me like the issue might actually be due to some sockets held by the SonarQube scanner and preventing the Garbage Collector from releasing these files.
There also seem to be some temporary folders accumulating, for me they land in:
C:\Users\gtoison\.sonar\cache\<some random string>\sonar-findbugs-plugin.jar_unzip\META-INF\lib
Anyone knows if it also happens for other plugins?

It would be great if anyone knowledgeable of the JVM internals could look into, maybe I completely misunderstood the problem.
I have posted a question on SonarQube's forum here: https://community.sonarsource.com/t/file-leak-with-gradle-plugin/57438/4

@gtoison gtoison mentioned this issue Feb 18, 2022
Closed
@gtoison gtoison mentioned this issue Apr 21, 2022
Closed
gtoison referenced this issue in gtoison/sonar-findbugs May 14, 2022
@gtoison
deps: drop deprecated RulesDefinitionXmlLoader
20eeed3 
- RulesDefinitionXmlLoader is deprecated and will be dropped in SQ 10
- RulesDefinitionXmlLoader does not populate the OWASP categories and
can't be extended (see spotbugs#392)
- Loading/unloading the plugins dynamically from jar files leads to file
leaks because SpotBugs does not close the classloaders (solves #128)
- The Groovy scripts seem to need some fixes to work with Groovy 4
@gtoison gtoison mentioned this issue May 14, 2022
Merged
gtoison added a commit that referenced this issue May 26, 2022
@gtoison
Drop deprecated RulesDefinitionXmlLoader (#550)
e1ab079 
* deps: drop deprecated RulesDefinitionXmlLoader

- RulesDefinitionXmlLoader is deprecated and will be dropped in SQ 10
- RulesDefinitionXmlLoader does not populate the OWASP categories and
can't be extended (see #392)
- Loading/unloading the plugins dynamically from jar files leads to file
leaks because SpotBugs does not close the classloaders (solves #128)
- The Groovy scripts seem to need some fixes to work with Groovy 4

* deps: removed usage of dependencies no longer provided

The sonar-java-plugin is provided by the SonarQube server but not its
transient dependencies
- Removed usage of Guava
- Replaced commons-lang usage by commons-lang3
@gtoison gtoison mentioned this issue Dec 17, 2022
Merged
gtoison added a commit that referenced this issue Dec 17, 2022
@gtoison
fix: close plugins at the end of the analysis (#696)
a23b14e 
* fix: close plugins at the end of the analysis

We have copied the plugin jar in the project's build directory. Now we
need to close the classloaders pointing to that jar so we do not prevent
the deletion of the build folder.
Fixes #128
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: close plugins at the end of the analysis gtoison/sonar-findbugs