Here are descriptions of some of the more interesting or
significant changes made to Eclipse Memory Analyzer for the 1.10 release.
Enhancements and fixes
- The parsing of HPROF dumps is now multi-threaded, which should improve the speed at
which dumps are parsed on multi-core machines.
- The HPROF parser has been enhanced to let it directly read HPROF dumps compressed with Gzip or in the gzip file format.
- Object Query Language programming has been improved.
- The Leak Suspects report has been improved for the case where the leak suspect includes
multiple suspect objects.
Fix details
- Fix for 277422 Nice if heap parsing was multi-threaded
- Fix for 297052 HTML tree reports are not expanded for leak suspects
- Fix for 438844 Add ability to load a zipped hprof
- Fix for 442315 Java_version error when using Java Collections tools on HashMaps
- Fix for 536920 Provide extra links for top components report
- Fix for 551820 Update version to 1.10.0
- Fix for 552879 OQL enhancements for sub-selects, maps, context providers, DISTINCT
- Fix for 552917 org.eclipse.mat.ibmdumps project classpath issue
- Fix for 553312 infinite loop in the export hprof feature from "ParseHeapDump.bat" on multi-segment dumps
- Fix for 559247 OQL method call improvements
- Fix for 559273 Java 11 collection class updates
- Fix for 559538 p2 repo configuration for mirrors and download statistics
- Fix for 559905 Code tidy up
- Fix for 560295 ArrayIndexOutOfBoundsException in ObjectMarker.markMultiThreaded
- Fix for 560384 Eclipse.OSGi Bundle explorer extension point problems
- Fix for 551214 Add documentation about post-processed J9 JVM finalizer roots
- Fix for 552670 Add documentation for display of bytes in KB, MB, GB or Smart formats
- Fix for 324967 Hide queries which are not relevant
- Fix for 417467 Reports fail to display after report generation completes
- Fix for 445180 reports fail without information
- Fix for 545754 OQL syntax highlighting sometimes doesn't highlight keywords
- Fix for 548441 Overview background doesn't match Eclipse
- Fix for 551552 Exception running query with no editor open
- Fix for 551971 Reports not rendered in MAT
- Fix for 552621 Batch processing improvements
- Fix for 559255 MAT Calcite results can't be added to the compare basket
- Fix for 559284 Hovering over overview pie slice throws an exception
- Fix for 559873 OutOfMemoryError when selecting large totals row
- Fix for 560005 NullPointerException in PatternFilter
Security fixes
Memory Analyzer 1.10 includes the security fixes first included in Memory Analyzer 1.9.2.
We strongly recommend that users of Eclipse Memory Analyzer version 1.9.1 or earlier update to version 1.10.0 (or 1.9.2) or a subsequent version.
- CVE-2019-17634
  - PROBLEMTYPE
    - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - DESCRIPTION
    - Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross-site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must choose to download and open the malicious heap dump, and generate an HTML report for the problem to occur. The heap dump could be specially crafted, or could come from a crafted application or from an application processing malicious data. The vulnerability is present when a report is generated and opened from the Memory Analyzer graphical user interface, or when a report generated in batch mode is then opened in Memory Analyzer or by a web browser. The vulnerability could possibly allow code execution on the local system when the report is opened in Memory Analyzer.
- CVE-2019-17635
  - PROBLEMTYPE
    - CWE-502: Deserialization of Untrusted Data
  - DESCRIPTION
    - Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur. The problem can be averted if the index files from an untrusted source are deleted and the heap dump is opened and reparsed. Some local configuration data is also subject to a deserialization vulnerability if the local data were to be replaced with a malicious version. This can be averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could possibly allow code execution on the local system.
New and Noteworthy for Memory Analyzer 1.9
The New and Noteworthy document for version 1.9 is available here.