How to increase memory for Fortify translation

Question

How do I resolve memory errors when running Fortify?

Answer

There are different types of memory errors that Fortify may report:

  • Fortify may fail to start up with an error along the lines of:

      Error occurred during initialization of VM
      Could not reserve enough space for object heap
      Error: Could not create the Java Virtual Machine.
      Error: A fatal exception has occurred. Program will exit.
    
  • Errors or warnings that report low memory may appear during the translation and scan. See the technical note “How to view error messages reported by Fortify” for more information on viewing the error messages.

    • Some of these warnings indicate performance problems, but do not affect the reported results. Warnings such as “Scan progress is slow due to [critically] low memory” fall into this category.
    • Others indicate that there was not enough memory to complete the analysis and must be fixed. Errors such as “There is not enough memory available to complete analysis” fall into this category.

The solution to all of these issues is to increase the amount of memory allocated to Fortify for the translation and scan phases. This is done using the -Xmx<memory limit> option on the command line. For example, the memory limit can be increased to 3 gigabytes by adding the -Xmx3G or -Xmx3000M option to the sourceanalyzer command line. There is no way to calculate an appropriate memory value, so you’ll need to experiment until you find a value that works.

The Fortify SCA User Guide gives the following information for the -Xmx option:

Specifies the maximum amount of memory Fortify Static Code Analyzer uses.

Heap sizes between 32 GB and 48 GB are not advised due to internal JVM implementations. Heap sizes in this range perform worse than at 32 GB. Heap sizes smaller than 32 GB are optimized by the JVM. If your scan requires more than 32 GB, then you probably need 64 GB or more. As a guideline, assuming no other memory intensive processes are running, do not allocate more than 2/3 of the available memory.

When you specify this option, make sure that you do not allocate more memory than is physically available, because this degrades performance. As a guideline, and the assumption that no other memory intensive processes are running, do not allocate more than 2/3 of the available memory.
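The guideline above does not say how much memory a scan needs, but it does bound what is safe to try. The following added example (not from the User Guide or from Fortify) computes that ceiling as a -Xmx value; the function names are hypothetical, total RAM is read from /proc/meminfo on the assumption of a Linux host, and the 32 GB to 48 GB band is treated as exclusive of both endpoints.

```shell
#!/bin/sh
# Added example: upper bound for -Xmx from the User Guide guideline.
# Thresholds come from the page; function names are hypothetical.

LOW_MB=$((32 * 1024))    # 32 GB: lower edge of the discouraged band
HIGH_MB=$((48 * 1024))   # 48 GB: upper edge of the discouraged band

# fortify_xmx_mb TOTAL_MB -> prints the largest advisable heap size in MB
fortify_xmx_mb() {
    total_mb=$1
    case $total_mb in
        ''|*[!0-9]*) echo "usage: fortify_xmx_mb <total MB>" >&2; return 2 ;;
    esac
    # Guideline: at most 2/3 of available memory (integer division rounds down).
    heap_mb=$((total_mb * 2 / 3))
    # Heaps between 32 GB and 48 GB perform worse than 32 GB, so fall back to 32 GB.
    if [ "$heap_mb" -gt "$LOW_MB" ] && [ "$heap_mb" -lt "$HIGH_MB" ]; then
        heap_mb=$LOW_MB
    fi
    if [ "$heap_mb" -lt 1 ]; then
        echo "not enough memory to size a heap" >&2; return 1
    fi
    echo "$heap_mb"
}

# physical_mem_mb -> total RAM in MB (assumption: Linux /proc/meminfo)
physical_mem_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# fortify_xmx_flag [TOTAL_MB] -> prints the option, e.g. -Xmx10922M
fortify_xmx_flag() {
    total=${1:-$(physical_mem_mb)}
    mb=$(fortify_xmx_mb "$total") || return $?
    echo "-Xmx${mb}M"
}
```

Source the file and run fortify_xmx_flag with no argument to size against the current host, then start experimenting below that value.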

Configuring Memory Settings

When scanning with the Audit Workbench, you can modify memory settings by using the above command-line options, or you can click “Configure Memory” on the following Advanced Scan screen:

Configure memory dialog in Audit Workbench

In the Visual Studio and Eclipse IDEs, memory values may be set using the Options menu. Open the Options dialog by selecting Fortify -> Options from the menu. Then select “Default Project Settings” and the “Analysis Configuration” tab. There you can set the memory limit in the text box labeled “Memory (MB)”. The following example shows setting the memory limit to 3GB:

Options, Default Project Settings, Analysis Configuration dialog to configure memory
