Absent Member.

Sourceanalyzer complains not enough memory despite -Xmx36G

Just upgraded SCA to 16.10 from 4.4.2 and having issues getting the TFS build definition to successfully complete the scan phase. The clean and translate tasks execute successfully, but the scan task seems to get stuck in time and the log has the following message:

FortifyScan:

         "d:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_16.10\bin\sourceanalyzer.exe" -b myProject -Xmx36G -logfile "d:\TFS\Builds\Agent1\myProject\Solutions\Master\myProject.scan.log" -scan -format fpr -f myProject.fpr

[warning]: Scan progress is slowing due to JVM garbage collection, which may indicate low memory. For details on making more memory available, please consult the user manual.

[warning]: Scan progress is slow due to JVM garbage collection, which may indicate low memory. For details on making more memory available, please consult the user manual.

[error]: There is not enough memory available to complete analysis.  For details on making more memory available, please consult the user manual.

Running the scan manually via the Visual Studio 2015 plugin also results in the scan task freezing at 24% during the "building analysis model" phase.

I’ve noticed that Fortify seems to ship its own jre (it’s located in fortify install base dir\jre\bin\). Looking at the release it appears to be for Windows 5.2, or XP. I wonder if this may have something to do with it, that Fortify is perhaps using an inappropriate and outdated release of the jre for the host system on which it resides.

I'd appreciate any help or insight anyone can provide.

Thanks!

Accepted Solutions
Absent Member.

All,

This was identified as a performance bug with 16.10 in which applications containing JavaScript files may experience abnormally long scan times. The bug has been fixed and is included in the 16.11 patch release.

Thanks

20 Replies
Commodore

Did you try running the scan using the "-64" modifier?
Something like this:

-b myProject -64 -Xmx36G

Absent Member.

I'll be able to give this try later tonight and report on progress tomorrow morning. The translate task has the -64 flag on it and that works fine. Appreciate the help. Will follow up with an update tomorrow.

Absent Member.

Okay, adding the -64 to the scan step did not help. Same outcome. It gets to a point "Phase Zero Work" according to the logs and then starts writing out memory errors.

FortifyScan:

         "d:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_16.10\bin\sourceanalyzer.exe" -b myProject  -64 -Xmx36G -logfile "d:\TFS\Builds\Agent1\myProject\Solutions\Master\myProject.scan.log" -scan -format fpr -f myProject.fpr

Phase Zero Work: starting 1121 tasks

[warning]: Scan progress is slowing due to JVM garbage collection, which may indicate low memory. For details on making more memory available, please consult the user manual.

         [warning]: Scan progress is slow due to JVM garbage collection, which may indicate low memory. For details on making more memory available, please consult the user manual.

         [error]: There is not enough memory available to complete analysis.  For details on making more memory available, please consult the user manual.

Absent Member.

Also wanted to add that I get the same error when I try using the plugin from within Visual Studio 2015.

Admiral

How long does it run before reaching that point?

If you look at Task Manager - do you see 32G being used by Java?

Absent Member.

Once the translation command finishes it looks like the scan runs for about 25 minutes before throwing the error. While I see my CPU utilization is high spiking at times to 98% attributed to sourceanalyzer.exe, the memory utilization is not quite high ranging from 12G to 18G.

Admiral

A quick way to rule out the bundled jre would be to rename it and then create a link to your installed Java version jre something like this:

cd <SCA install folder>

mklink /d jre "<path to system java home>"

Absent Member.

I actually tried this in my own crude way by renaming the original bin and lib folders in the SCA/jre path and replacing them with my 1.8.0-77 version and it didn't seem to make a difference.

Absent Member.

Environment: Windows Server 2012 R2, 32G RAM, 2.30GHZ (8 processors), Visual Studio 2015, Fortify 16.10

After experiencing the same behavior on multiple systems I have to ask if anyone out there is able to successfully use version 16.10 in an enterprise environment for scanning an MVC-based .NET framework driven web application. The same project worked fine with 4.4.2. I get the same out of memory error when I use the command line as well as the plugin from within Visual Studio 2015.

Is there a known memory leak issue with version 16.10?

Absent Member.

We seem to have the same issue. As you mentioned, we did not have issues with version 4.4.2, then upgraded to 16.10 and ran into this issue.

Please let us know how you resolved this issue.

Thanks in advance.

Absent Member.

There are two heaps we should be concerned about. I suggest adding item #2 (red chars) to your command line.

(1) java heap: -64 -Xmx36G breaks out the 1.3 GB limitation.

(2) class heap:

  • -XX:+CMSClassUnloadingEnabled (allows you to unload a class if not used)
  • -XX:MaxPermSize=128M (defines class heap, retired in JDK 1.8. Leaving it in won't hurt, will not break your scan)
  • -XX:+UseConcMarkSweepGC  or  -XX:+UseParallelGC (if I recall correctly, they are mutually exclusive, you can use just one; I use -XX:+UseParallelGC in my command line)

Use the command switches -verbose -debug to see more details in the log.
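
An added example, not part of any post in this thread and not Fortify's own tooling: a build-gate check over the scan command line and log messages quoted above, so that a scan that ended with the out-of-memory error fails the build instead of being taken as a clean result. The function names, status labels and the heap-versus-RAM comparison are assumptions of this example; the 32G figure is the RAM stated in the thread.

```python
import re
import sys

# Command line and (abridged) log messages taken from the thread's first post.
SAMPLE_CMD = r'"d:\Program Files\HP_Fortify\HP_Fortify_SCA_and_Apps_16.10\bin\sourceanalyzer.exe" -b myProject -Xmx36G -logfile "d:\TFS\Builds\Agent1\myProject\Solutions\Master\myProject.scan.log" -scan -format fpr -f myProject.fpr'
SAMPLE_LOG = """\
[warning]: Scan progress is slowing due to JVM garbage collection, which may indicate low memory.
[warning]: Scan progress is slow due to JVM garbage collection, which may indicate low memory.
[error]: There is not enough memory available to complete analysis.
"""

GC_WARNING = "due to JVM garbage collection"
OOM_ERROR = "There is not enough memory available to complete analysis"
_GIB_PER_UNIT = {"": 1 / 1024**3, "K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0}


def parse_heap_gb(command_line):
    """Return the -Xmx value in GiB, or None when the flag is absent."""
    m = re.search(r"(?<!\S)-Xmx(\d+)([KMG]?)(?!\S)", command_line, re.IGNORECASE)
    return int(m.group(1)) * _GIB_PER_UNIT[m.group(2).upper()] if m else None


def triage_scan(command_line, log_text, physical_ram_gb=None):
    """Classify one scan run; 'failed' means the analysis did not complete."""
    findings = []
    heap = parse_heap_gb(command_line)
    if heap is None:
        findings.append("no -Xmx on the scan command")
    # Added heuristic (assumption): a heap above physical RAM forces paging.
    elif physical_ram_gb is not None and heap > physical_ram_gb:
        findings.append(f"-Xmx {heap:g}G exceeds {physical_ram_gb:g}G physical RAM")
    if not re.search(r"(?<!\S)-64(?!\S)", command_line):
        findings.append("no -64 on the scan command")
    lines = log_text.splitlines()
    gc_warnings = sum(1 for l in lines if "[warning]" in l and GC_WARNING in l)
    out_of_memory = any("[error]" in l and OOM_ERROR in l for l in lines)
    status = "failed" if out_of_memory else "degraded" if gc_warnings else "ok"
    return {"status": status, "gc_warnings": gc_warnings, "findings": findings}


if __name__ == "__main__":
    # Gate: a scan that ran out of memory must fail the build, not pass as clean.
    result = triage_scan(SAMPLE_CMD, SAMPLE_LOG, physical_ram_gb=32)
    print(result)
    sys.exit(1 if result["status"] == "failed" else 0)
```

In a build definition the log text would be read from the file passed to -logfile rather than from the embedded sample.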
