The current cache lock implementation makes it easy for programmers to make mistakes. If there is an exception between acquire_lock and release_lock (and release_lock is not put into a finally block), the lock might never release. For example, look at \course_modinfo::purge_course_module_cache for such a mistake. However, there may be other reasons (crashes) why a process has not released a lock.

cachelock_file already supports a maximum lifetime for a lock file, but this is disabled by default.

Besides cache locks, Moodle also has another locking mechanism (\core\lock\lock_factory), which has a better implementation. get_lock has to return a \core\lock\lock instance, which ensures that the lock is released when the lock object is destructed. And because \core\lock\file_lock_factory::get_lock relies on flock (not just file existence), locks should always be released when a PHP script ends.