OutOfMemoryError when trying to analyse rule roslyn.sonaranalyzer.security.cs:S2083 since September 30th

We’re using Azure DevOps, with an on-premise build agent, and on one of our .net projects (a mix with 165k lines of VB.Net and 132k lines of c# at last successful analysis), between 29 Sept 2020 and 30 Sept 2020 at 9:14 BST, analysis has started failing with java.lang.OutOfMemoryError: Java heap space, per logs:

08:54:38.547 INFO: rule: S2631, entrypoints: 0
08:54:38.547 INFO: rule: S2631 done
08:54:38.547 INFO: rule: S2083, entrypoints: 26
08:54:38.547 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S2083
08:54:38.547 INFO: Running symbolic analysis
08:54:38.547 DEBUG: loaded 69 sanitizers for rule S2083
08:54:38.547 DEBUG: loaded 172 passthroughs for rule S2083
08:54:38.547 DEBUG: Resource file roslyn.sonaranalyzer.security.cs/collectionHandlers/common.json was not read
08:54:38.547 DEBUG: Resource file roslyn.sonaranalyzer.security.cs/collectionHandlers/S2083.json was not read
08:54:38.547 DEBUG: loaded 0 collectionHandlers for rule S2083
08:54:38.563 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H with argH( ) {
  0: N(value: "Changed " ) 
  1: E(name: propertyName, variadic: false, methodId: MscUk.AuditItemBase<T>.OnPropertyChanged<TP>(string, TP, TP) ) 
} .
08:54:38.578 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H.
08:54:38.578 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H.
08:54:38.578 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H.
08:54:38.578 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.N.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.N with arg_recentChanges .
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.N.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.N.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.609 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.609 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.625 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H with arg_deliveryUri .
##[error]Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
##[debug]Processed: ##vso[task.logissue type=error;]Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" java.lang.OutOfMemoryError: Java heap space%0D%0Ajava.lang.OutOfMemoryError: Java heap space%0D%0Ajava.lang.OutOfMemoryError: Java heap space%0D%0Ajava.lang.OutOfMemoryError: Java heap space
Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" Exception in thread "OkHttp ConnectionPool" java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: Java heap space
09:01:01.396 DEBUG: eslint-bridge server will shutdown
09:01:06.056 DEBUG: stylelint-bridge server will shutdown
09:01:06.212 INFO: ------------------------------------------------------------------------
09:01:06.212 INFO: EXECUTION FAILURE
09:01:06.212 INFO: ------------------------------------------------------------------------
09:01:06.243 INFO: Total time: 9:20.141s
09:01:06.790 INFO: Final Memory: 19M/108M
##[error]09:01:06.790 ERROR: Error during SonarScanner execution
java.lang.OutOfMemoryError: Java heap space
##[debug]Processed: ##vso[task.logissue type=error;]09:01:06.790 ERROR: Error during SonarScanner execution%0D%0Ajava.lang.OutOfMemoryError: Java heap space
09:01:06.790 ERROR: Error during SonarScanner execution
java.lang.OutOfMemoryError: Java heap space
09:01:06.790 INFO: ------------------------------------------------------------------------
Process returned exit code 1
##[error]The SonarQube Scanner did not complete successfully
##[debug]Processed: ##vso[task.logissue type=error;]The SonarQube Scanner did not complete successfully
The SonarQube Scanner did not complete successfully
##[error]09:01:07.681  Post-processing failed. Exit code: 1
##[debug]Processed: ##vso[task.logissue type=error;]09:01:07.681  Post-processing failed. Exit code: 1
09:01:07.681  Post-processing failed. Exit code: 1
##[debug]Exit code 1 received from tool 'D:\a1\_work\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.12.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
##[debug]STDIO streams have closed for tool 'D:\a1\_work\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.12.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe'
##[debug]task result: Failed
##[error]The process 'D:\a1\_work\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.12.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe' failed with exit code 1
##[debug]Processed: ##vso[task.issue type=error;]The process 'D:\a1\_work\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.12.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe' failed with exit code 1
##[debug]Processed: ##vso[task.complete result=Failed;]The process 'D:\a1\_work\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.12.0\classic-sonar-scanner-msbuild\SonarScanner.MSBuild.exe' failed with exit code 1
Finishing: Run Code Analysis

As the maximum java heap space can be configured via a command line, this was upped by a factor of 4 from 4Gb (which the process had been working quite happily with, and is still twice the size of the source, intermediate build files, as well as final output) via the _JAVA_OPTIONS command line option up to 16Gb, which seems excessive.

Watching memory consumption during the run, it seems that all is fine until it tries to run S2083, when it climbs rapidly, before sitting there for 5 - 6 minutes and then dying completely.

At present, this leaves us unable to analyse this project, as it happens for every build of this project.

It seems a little too coincidental that the fault started around the same time the new rulesets were published for some other languages, so I wonder if an issue has been introduced in the implementation of one of the existing rules that may have been released in the same release.
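A log-triage helper, added here as an example and not code from the original post or from SonarSource: it reads scanner output shaped like the log above and reports which security rule was running when the OutOfMemoryError was raised, together with how many "Did not expect to visit symbol" diagnostics each rule produced, so the rule to deactivate temporarily is identified before heap sizes are touched. The sample log is a constructed excerpt modelled on the one posted.

```python
import re

# Constructed excerpt modelled on the SonarScanner log in the post above.
SAMPLE_LOG = """\
08:54:38.547 INFO: rule: S2631, entrypoints: 0
08:54:38.547 INFO: rule: S2631 done
08:54:38.547 INFO: rule: S2083, entrypoints: 26
08:54:38.547 DEBUG: Running rule roslyn.sonaranalyzer.security.cs:S2083
08:54:38.563 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.H with argH( ) {
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.
08:54:38.594 DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.N.
##[error]Exception in thread "OkHttp ConnectionPool" java.lang.OutOfMemoryError: Java heap space
09:01:06.212 INFO: EXECUTION FAILURE
"""

# Line shapes taken from the posted log: a rule starts with its entrypoint
# count and ends with "<rule> done"; the OOM appears as a Java exception line.
RULE_START = re.compile(r"INFO: rule: (S\d+), entrypoints: (\d+)")
RULE_DONE = re.compile(r"INFO: rule: (S\d+) done")
UNEXPECTED_MARKER = "Did not expect to visit symbol class"
OOM_MARKER = "java.lang.OutOfMemoryError"


def triage(log_text):
    """Return (rule running at the OOM or None, its entrypoint count or None,
    {rule: number of 'Did not expect to visit symbol' lines})."""
    current = None          # rule currently executing, per start/done lines
    entrypoints = {}        # rule -> entrypoints reported at start
    unexpected = {}         # rule -> count of unexpected-symbol diagnostics
    for line in log_text.splitlines():
        m = RULE_START.search(line)
        if m:
            current = m.group(1)
            entrypoints[current] = int(m.group(2))
            unexpected.setdefault(current, 0)
            continue
        if RULE_DONE.search(line):
            current = None
            continue
        if current is not None and UNEXPECTED_MARKER in line:
            unexpected[current] += 1
        if OOM_MARKER in line:
            # First OOM wins: report whatever rule was still open.
            return current, entrypoints.get(current), unexpected
    return None, None, unexpected
```

A result of `(None, None, counts)` means the OOM (if any) happened outside any rule, so the problem lies elsewhere than the security engine.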

Hello,
Thank you for reporting this issue.
Can you please let us know what version of SonarQube and of the analysers you have?
The OOM occurs during the security engine execution, it sometimes happens and we continuously work on improving it.
If this is a blocker for you, you can still deactivate the rule until we can provide a solution.
Alex.


We’re using SonarCloud, but the task reports:

Task         : Run Code Analysis
Description  : Run scanner and upload the results to the SonarCloud server.
Version      : 1.15.0
Author       : sonarsource
Help         : Version: 1.15.0. This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.

[More Information](https://sonarcloud.io/documentation/analysis/scan/sonarscanner-for-azure-devops/)
==============================================================================

Hello Rowland,

Thank you for the report! I’ve been looking into this issue on our end. There were some improvements to our security analysis recently, which seem to be connected to this issue.

To debug, I need some additional information. Could you compress and share the UCFGs created during analysis with me? They can be found in the hidden sub-directory of your project: .sonarqube/out/ucfg_cs2. You can send the archive to me via private message.

How do I send it as a private message?

You can click on my name and then on the blue Message button to the right of the pop-up. Alternatively, you can go to your messages and compose a new one there (click on your avatar at the top-right corner of the screen and then on the little envelope button there).

I don’t appear to have permissions to create a private message, as those options don’t appear?

We have exactly the same problem in our java project with a similar stack trace. I deactivated the java sonar rules S5131, S2076, S2631 and S2083.

All these rules created the error message:

DEBUG: Did not expect to visit symbol class com.sonar.security.analysis.D.A.F.

For me, only the rule S5131 leads to a java heap error: out of memory.

This thread led me in the right direction. It would be great if this error could be fixed.

We are using the paid SonarCloud service with Gradle 6.7 and Gradle SonarScanner plugin 3.0.

Thanks and best regards.

We have analyzed the issue, were able to reproduce the behavior and have created a fix for it. It should be available on SonarCloud by early November (and with the next release of SonarQube). Until then, disabling the rule(s) that trigger that behavior may provide a temporary workaround. Thanks for reporting the issue!
