@manuel-alvarez-alvarez manuel-alvarez-alvarez commented Jul 2, 2025

What Does This Do

This PR fixes an issue with call sites that incorrectly handle super calls inside constructors. Specifically, it ensures the return value of constructor-targeted call sites is properly managed when used in a super context.

Motivation

Constructor-targeted call sites are designed to return the newly constructed instance to maintain correct stack behavior. However, when such call sites are used within super calls, the returned value must be discarded (i.e., popped off the stack). Failing to do so can lead to incorrect behavior or runtime issues—such as the one recently reported by a customer:

Caused by: java.lang.VerifyError: Inconsistent stackmap frames at branch target 57
Exception Details:
  Location:
    x/y/z/ResourceStreamReader.<init>(Lx/y/z/Resource;Ljava/io/InputStream;Ljava/nio/charset/Charset;)V @44: ifnonnull
  Reason:
    Current frame's stack size doesn't match stackmap.
  Current Frame:
    bci: @44
    flags: { }
    locals: { 'x/y/z/ResourceStreamReader', 'x/y/z/Resource', 'java/io/InputStream', 'java/nio/charset/Charset' }
    stack: { 'java/io/InputStreamReader', 'x/y/z/Resource' }
  Stackmap Frame:
    bci: @57
    flags: { }
    locals: { 'x/y/z/ResourceStreamReader.', 'x/y/z/Resource', 'java/io/InputStream', 'java/nio/charset/Charset' }
    stack: { }
  Bytecode:
    0000000: 2a2c 2d05 bd00 455a 5f10 015f 535a 5f10
    0000010: 005f 535a 5903 32c0 0028 5f59 0432 c000
    0000020: 395f 57b7 0017 1900 b800 4b2b c700 0dbb
    0000030: 0007 5912 09b7 000b bf2a 2bb5 000e b1
  Stackmap Table:
    full_frame(@57,{Object[#15],Object[#38],Object[#40],Object[#57]},{})

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-58131
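
Added example (not part of the PR or of the dd-trace-java code base): a stack-depth model of the bytecode in the `VerifyError` dump above, showing why the frame at bci 44 holds two values and how popping the call-site result before the branch restores the empty stack the stackmap expects at 57. The constant pool is not on the page, so the stack effects of the three invoke instructions are assumptions inferred from the printed frames, and `pop_call_site_result` is a hypothetical helper that models the fix rather than reproducing it.

```python
# Added example: operand-stack depth model of the constructor in the VerifyError.
# The bytes are copied from the "Bytecode:" dump in the PR description.
BYTECODE = bytes.fromhex(
    "2a2c2d05bd00455a5f10015f535a5f10"
    "005f535a590332c000285f590432c000"
    "395f57b700171900b8004b2bc7000dbb"
    "0007591209b7000bbf2a2bb5000eb1"
)
# full_frame(@57, ..., {}) from the dump: an empty stack is expected at bci 57.
STACKMAP = {57: 0}

# opcode -> (mnemonic, operand bytes, values popped, values pushed)
OPCODES = {
    0x03: ("iconst_0", 0, 0, 1), 0x04: ("iconst_1", 0, 0, 1),
    0x05: ("iconst_2", 0, 0, 1), 0x10: ("bipush", 1, 0, 1),
    0x12: ("ldc", 1, 0, 1), 0x19: ("aload", 1, 0, 1),
    0x2A: ("aload_0", 0, 0, 1), 0x2B: ("aload_1", 0, 0, 1),
    0x2C: ("aload_2", 0, 0, 1), 0x2D: ("aload_3", 0, 0, 1),
    0x32: ("aaload", 0, 2, 1), 0x53: ("aastore", 0, 3, 0),
    0x57: ("pop", 0, 1, 0), 0x59: ("dup", 0, 1, 2),
    0x5A: ("dup_x1", 0, 2, 3), 0x5F: ("swap", 0, 2, 2),
    0xB1: ("return", 0, 0, 0), 0xB5: ("putfield", 2, 2, 0),
    0xB7: ("invokespecial", 2, None, None),
    0xB8: ("invokestatic", 2, None, None),
    0xBB: ("new", 2, 0, 1), 0xBD: ("anewarray", 2, 1, 1),
    0xBF: ("athrow", 0, 1, 0), 0xC0: ("checkcast", 2, 1, 1),
    0xC7: ("ifnonnull", 2, 1, 0),
}

# Constant-pool index -> (popped, pushed). ASSUMED: the constant pool is not in
# the dump, so these effects are inferred from the frames it prints.
INVOKE_EFFECTS = {
    0x0017: (3, 0),  # super <init>: uninitialized this + 2 arguments, void
    0x004B: (2, 1),  # call-site advice: (Object[], this) -> constructed instance
    0x000B: (2, 0),  # exception <init>: new object + message, void
}


def verify_stack_depth(code, stackmap):
    """Single linear pass in the style of the type-checking verifier, tracking
    stack depth only. Returns (depth before each pc, list of mismatches), where a
    mismatch is (pc, target pc, actual depth, depth the stackmap frame declares)."""
    depth_before, errors = {}, []
    pc, depth = 0, 0
    while pc < len(code):
        if pc in stackmap:
            # A declared frame must agree with fall-through, then replaces it.
            if depth is not None and depth != stackmap[pc]:
                errors.append((pc, pc, depth, stackmap[pc]))
            depth = stackmap[pc]
        if depth is None:
            raise ValueError(f"pc {pc} follows athrow/return without a frame")
        name, operand_len, pops, pushes = OPCODES[code[pc]]
        operand = code[pc + 1 : pc + 1 + operand_len]
        if pops is None:  # invoke*: stack effect depends on the target method
            pops, pushes = INVOKE_EFFECTS[int.from_bytes(operand, "big")]
        depth_before[pc] = depth
        if depth < pops:
            raise ValueError(f"stack underflow at pc {pc} ({name})")
        depth += pushes - pops
        if name == "ifnonnull":
            target = pc + int.from_bytes(operand, "big", signed=True)
            if stackmap.get(target) != depth:
                errors.append((pc, target, depth, stackmap.get(target)))
        elif name in ("athrow", "return"):
            depth = None  # no fall-through; the next pc needs its own frame
        pc += 1 + operand_len
    return depth_before, errors


def pop_call_site_result(code, stackmap, invoke_pc):
    """Hypothetical model of the fix: insert `pop` right after the 3-byte
    invokestatic at invoke_pc so the returned instance is discarded. Frame
    offsets after the insertion shift by one; the only branch here lies wholly
    after the insertion point, so its relative offset stays valid."""
    at = invoke_pc + 3
    patched = code[:at] + b"\x57" + code[at:]
    shifted = {(pc + 1 if pc >= at else pc): d for pc, d in stackmap.items()}
    return patched, shifted


if __name__ == "__main__":
    before, errors = verify_stack_depth(BYTECODE, STACKMAP)
    print("depth at bci 44 before ifnonnull:", before[44])
    print("mismatches without pop:", errors)
    fixed_code, fixed_map = pop_call_site_result(BYTECODE, STACKMAP, 40)
    print("mismatches with pop:", verify_stack_depth(fixed_code, fixed_map)[1])
```

The depth of 2 at bci 44 corresponds to the `InputStreamReader` and `Resource` entries in the "Current Frame" section of the error; the leftover `InputStreamReader` is the call-site return value that the super-call path has to discard.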

@manuel-alvarez-alvarez manuel-alvarez-alvarez requested review from a team as code owners July 2, 2025 10:59
@manuel-alvarez-alvarez manuel-alvarez-alvarez added the type: bug Bug report and fix label Jul 2, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Jul 2, 2025
@manuel-alvarez-alvarez manuel-alvarez-alvarez requested review from bric3 and removed request for a team July 2, 2025 10:59
pr-commenter bot commented Jul 2, 2025

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date 1751437988 1751457606
git_commit_sha 40561cd 1a14c5c
release_version 1.51.0-SNAPSHOT~40561cd093 1.51.0-SNAPSHOT~1a14c5c414
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1751459495 1751459495
ci_job_id 1009590244 1009590244
ci_pipeline_id 69419423 69419423
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-yygzstyr-project-304-concurrent-0-gszc7sm5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-yygzstyr-project-304-concurrent-0-gszc7sm5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 8 unstable metrics.

Startup time reports for petclinic
gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (999.335 ms) : 0, 999335
Total [baseline] (10.703 s) : 0, 10703313
Agent [candidate] (1.011 s) : 0, 1010780
Total [candidate] (10.687 s) : 0, 10686877
section appsec
Agent [baseline] (1.183 s) : 0, 1182655
Total [baseline] (10.713 s) : 0, 10713094
Agent [candidate] (1.179 s) : 0, 1178532
Total [candidate] (10.79 s) : 0, 10790171
section iast
Agent [baseline] (1.13 s) : 0, 1129575
Total [baseline] (10.07 s) : 0, 10069698
Agent [candidate] (1.138 s) : 0, 1137650
Total [candidate] (10.932 s) : 0, 10931537
section profiling
Agent [baseline] (1.244 s) : 0, 1244188
Total [baseline] (10.964 s) : 0, 10963776
Agent [candidate] (1.256 s) : 0, 1255569
Total [candidate] (11.083 s) : 0, 11083212
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 999.335 ms -
Agent appsec 1.183 s 183.321 ms (18.3%)
Agent iast 1.13 s 130.24 ms (13.0%)
Agent profiling 1.244 s 244.854 ms (24.5%)
Total tracing 10.703 s -
Total appsec 10.713 s 9.782 ms (0.1%)
Total iast 10.07 s -633.615 ms (-5.9%)
Total profiling 10.964 s 260.463 ms (2.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.011 s -
Agent appsec 1.179 s 167.751 ms (16.6%)
Agent iast 1.138 s 126.87 ms (12.6%)
Agent profiling 1.256 s 244.789 ms (24.2%)
Total tracing 10.687 s -
Total appsec 10.79 s 103.293 ms (1.0%)
Total iast 10.932 s 244.66 ms (2.3%)
Total profiling 11.083 s 396.335 ms (3.7%)
gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (689.649 ms) : 0, 689649
BytebuddyAgent [candidate] (697.967 ms) : 0, 697967
GlobalTracer [baseline] (243.366 ms) : 0, 243366
GlobalTracer [candidate] (245.716 ms) : 0, 245716
AppSec [baseline] (30.506 ms) : 0, 30506
AppSec [candidate] (30.923 ms) : 0, 30923
Debugger [baseline] (6.055 ms) : 0, 6055
Debugger [candidate] (6.134 ms) : 0, 6134
Remote Config [baseline] (683.29 µs) : 0, 683
Remote Config [candidate] (679.34 µs) : 0, 679
Telemetry [baseline] (8.234 ms) : 0, 8234
Telemetry [candidate] (8.337 ms) : 0, 8337
section appsec
BytebuddyAgent [baseline] (717.073 ms) : 0, 717073
BytebuddyAgent [candidate] (713.483 ms) : 0, 713483
GlobalTracer [baseline] (237.211 ms) : 0, 237211
GlobalTracer [candidate] (236.676 ms) : 0, 236676
IAST [baseline] (22.214 ms) : 0, 22214
IAST [candidate] (22.217 ms) : 0, 22217
AppSec [baseline] (170.786 ms) : 0, 170786
AppSec [candidate] (170.674 ms) : 0, 170674
Debugger [baseline] (5.794 ms) : 0, 5794
Debugger [candidate] (5.804 ms) : 0, 5804
Remote Config [baseline] (600.819 µs) : 0, 601
Remote Config [candidate] (606.112 µs) : 0, 606
Telemetry [baseline] (8.071 ms) : 0, 8071
Telemetry [candidate] (8.219 ms) : 0, 8219
section iast
BytebuddyAgent [baseline] (807.37 ms) : 0, 807370
BytebuddyAgent [candidate] (811.855 ms) : 0, 811855
GlobalTracer [baseline] (232.258 ms) : 0, 232258
GlobalTracer [candidate] (234.673 ms) : 0, 234673
IAST [baseline] (29.839 ms) : 0, 29839
IAST [candidate] (27.759 ms) : 0, 27759
AppSec [baseline] (25.171 ms) : 0, 25171
AppSec [candidate] (27.908 ms) : 0, 27908
Debugger [baseline] (5.789 ms) : 0, 5789
Debugger [candidate] (5.937 ms) : 0, 5937
Remote Config [baseline] (570.927 µs) : 0, 571
Remote Config [candidate] (582.963 µs) : 0, 583
Telemetry [baseline] (7.863 ms) : 0, 7863
Telemetry [candidate] (8.07 ms) : 0, 8070
section profiling
BytebuddyAgent [baseline] (678.209 ms) : 0, 678209
BytebuddyAgent [candidate] (684.536 ms) : 0, 684536
GlobalTracer [baseline] (361.469 ms) : 0, 361469
GlobalTracer [candidate] (364.109 ms) : 0, 364109
AppSec [baseline] (32.957 ms) : 0, 32957
AppSec [candidate] (33.434 ms) : 0, 33434
Debugger [baseline] (11.33 ms) : 0, 11330
Debugger [candidate] (10.668 ms) : 0, 10668
Remote Config [baseline] (652.402 µs) : 0, 652
Remote Config [candidate] (685.307 µs) : 0, 685
Telemetry [baseline] (7.966 ms) : 0, 7966
Telemetry [candidate] (8.926 ms) : 0, 8926
ProfilingAgent [baseline] (103.137 ms) : 0, 103137
ProfilingAgent [candidate] (104.234 ms) : 0, 104234
Profiling [baseline] (103.161 ms) : 0, 103161
Profiling [candidate] (104.259 ms) : 0, 104259
Startup time reports for insecure-bank
gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.002 s) : 0, 1002495
Total [baseline] (8.562 s) : 0, 8562216
Agent [candidate] (1.001 s) : 0, 1000715
Total [candidate] (8.603 s) : 0, 8603276
section iast
Agent [baseline] (1.137 s) : 0, 1136989
Total [baseline] (9.34 s) : 0, 9339820
Agent [candidate] (1.14 s) : 0, 1140281
Total [candidate] (9.308 s) : 0, 9307785
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.002 s -
Agent iast 1.137 s 134.493 ms (13.4%)
Total tracing 8.562 s -
Total iast 9.34 s 777.604 ms (9.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.001 s -
Agent iast 1.14 s 139.566 ms (13.9%)
Total tracing 8.603 s -
Total iast 9.308 s 704.509 ms (8.2%)
gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (693.38 ms) : 0, 693380
BytebuddyAgent [candidate] (690.598 ms) : 0, 690598
GlobalTracer [baseline] (242.925 ms) : 0, 242925
GlobalTracer [candidate] (243.296 ms) : 0, 243296
AppSec [baseline] (30.394 ms) : 0, 30394
AppSec [candidate] (30.817 ms) : 0, 30817
Debugger [baseline] (6.045 ms) : 0, 6045
Debugger [candidate] (6.144 ms) : 0, 6144
Remote Config [baseline] (676.152 µs) : 0, 676
Remote Config [candidate] (685.878 µs) : 0, 686
Telemetry [baseline] (8.223 ms) : 0, 8223
Telemetry [candidate] (8.373 ms) : 0, 8373
section iast
BytebuddyAgent [baseline] (811.94 ms) : 0, 811940
BytebuddyAgent [candidate] (813.899 ms) : 0, 813899
GlobalTracer [baseline] (233.67 ms) : 0, 233670
GlobalTracer [candidate] (234.988 ms) : 0, 234988
AppSec [baseline] (29.633 ms) : 0, 29633
AppSec [candidate] (30.26 ms) : 0, 30260
Debugger [baseline] (5.82 ms) : 0, 5820
Debugger [candidate] (5.856 ms) : 0, 5856
Remote Config [baseline] (577.31 µs) : 0, 577
Remote Config [candidate] (583.606 µs) : 0, 584
Telemetry [baseline] (8.01 ms) : 0, 8010
Telemetry [candidate] (8.019 ms) : 0, 8019
IAST [baseline] (26.554 ms) : 0, 26554
IAST [candidate] (25.766 ms) : 0, 25766

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date 1751437988 1751457606
git_commit_sha 40561cd 1a14c5c
release_version 1.51.0-SNAPSHOT~40561cd093 1.51.0-SNAPSHOT~1a14c5c414
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1751459198 1751459198
ci_job_id 1009590245 1009590245
ci_pipeline_id 69419423 69419423
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-kg9uqfo1-project-304-concurrent-0-nygbh5nk 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-kg9uqfo1-project-304-concurrent-0-nygbh5nk 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:tracing:high_load | worse [+393.572µs; +634.280µs] or [+5.509%; +8.878%] | unstable [-126.332op/s; +40.645op/s] or [-19.504%; +6.275%] | 7.659ms | 604.875op/s | 7.145ms | 647.719op/s |
| scenario:load:insecure-bank:no_agent:high_load | better [-266.119µs; -155.265µs] or [-5.838%; -3.406%] | unstable [-77.704op/s; +173.516op/s] or [-7.711%; +17.219%] | 4.348ms | 1055.625op/s | 4.559ms | 1007.719op/s |
| scenario:load:petclinic:profiling:high_load | better [-2.768ms; -1.838ms] or [-5.621%; -3.732%] | unstable [-1.885op/s; +11.303op/s] or [-1.959%; +11.743%] | 46.941ms | 100.962op/s | 49.243ms | 96.253op/s |
| scenario:load:petclinic:iast:high_load | worse [+2.215ms; +3.067ms] or [+5.166%; +7.153%] | unstable [-17.032op/s; -0.844op/s] or [-15.414%; -0.764%] | 45.523ms | 101.556op/s | 42.881ms | 110.494op/s |
Request duration reports for petclinic
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (38.216 ms) : 37911, 38521
.   : milestone, 38216,
appsec (47.94 ms) : 47519, 48361
.   : milestone, 47940,
code_origins (46.376 ms) : 45976, 46776
.   : milestone, 46376,
iast (42.881 ms) : 42495, 43268
.   : milestone, 42881,
profiling (49.243 ms) : 48789, 49698
.   : milestone, 49243,
tracing (44.049 ms) : 43664, 44434
.   : milestone, 44049,
section candidate
no_agent (38.199 ms) : 37897, 38502
.   : milestone, 38199,
appsec (47.534 ms) : 47116, 47953
.   : milestone, 47534,
code_origins (46.006 ms) : 45607, 46405
.   : milestone, 46006,
iast (45.523 ms) : 45117, 45928
.   : milestone, 45523,
profiling (46.941 ms) : 46532, 47349
.   : milestone, 46941,
tracing (43.702 ms) : 43338, 44067
.   : milestone, 43702,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 38.216 ms [37.911 ms, 38.521 ms] -
appsec 47.94 ms [47.519 ms, 48.361 ms] 9.724 ms (25.4%)
code_origins 46.376 ms [45.976 ms, 46.776 ms] 8.159 ms (21.4%)
iast 42.881 ms [42.495 ms, 43.268 ms] 4.665 ms (12.2%)
profiling 49.243 ms [48.789 ms, 49.698 ms] 11.027 ms (28.9%)
tracing 44.049 ms [43.664 ms, 44.434 ms] 5.833 ms (15.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 38.199 ms [37.897 ms, 38.502 ms] -
appsec 47.534 ms [47.116 ms, 47.953 ms] 9.335 ms (24.4%)
code_origins 46.006 ms [45.607 ms, 46.405 ms] 7.807 ms (20.4%)
iast 45.523 ms [45.117 ms, 45.928 ms] 7.323 ms (19.2%)
profiling 46.941 ms [46.532 ms, 47.349 ms] 8.741 ms (22.9%)
tracing 43.702 ms [43.338 ms, 44.067 ms] 5.503 ms (14.4%)
Request duration reports for insecure-bank
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.559 ms) : 4506, 4611
.   : milestone, 4559,
iast (9.27 ms) : 9113, 9426
.   : milestone, 9270,
iast_FULL (13.836 ms) : 13565, 14107
.   : milestone, 13836,
iast_GLOBAL (9.968 ms) : 9796, 10140
.   : milestone, 9968,
profiling (8.718 ms) : 8578, 8858
.   : milestone, 8718,
tracing (7.145 ms) : 7044, 7246
.   : milestone, 7145,
section candidate
no_agent (4.348 ms) : 4298, 4399
.   : milestone, 4348,
iast (9.078 ms) : 8916, 9240
.   : milestone, 9078,
iast_FULL (13.936 ms) : 13661, 14211
.   : milestone, 13936,
iast_GLOBAL (9.861 ms) : 9689, 10033
.   : milestone, 9861,
profiling (8.726 ms) : 8591, 8860
.   : milestone, 8726,
tracing (7.659 ms) : 7537, 7780
.   : milestone, 7659,
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.559 ms [4.506 ms, 4.611 ms] -
iast 9.27 ms [9.113 ms, 9.426 ms] 4.711 ms (103.3%)
iast_FULL 13.836 ms [13.565 ms, 14.107 ms] 9.277 ms (203.5%)
iast_GLOBAL 9.968 ms [9.796 ms, 10.14 ms] 5.409 ms (118.7%)
profiling 8.718 ms [8.578 ms, 8.858 ms] 4.159 ms (91.2%)
tracing 7.145 ms [7.044 ms, 7.246 ms] 2.586 ms (56.7%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 4.348 ms [4.298 ms, 4.399 ms] -
iast 9.078 ms [8.916 ms, 9.24 ms] 4.73 ms (108.8%)
iast_FULL 13.936 ms [13.661 ms, 14.211 ms] 9.588 ms (220.5%)
iast_GLOBAL 9.861 ms [9.689 ms, 10.033 ms] 5.513 ms (126.8%)
profiling 8.726 ms [8.591 ms, 8.86 ms] 4.377 ms (100.7%)
tracing 7.659 ms [7.537 ms, 7.78 ms] 3.311 ms (76.1%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date 1751437988 1751457606
git_commit_sha 40561cd 1a14c5c
release_version 1.51.0-SNAPSHOT~40561cd093 1.51.0-SNAPSHOT~1a14c5c414
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1751459718 1751459718
ci_job_id 1009590246 1009590246
ci_pipeline_id 69419423 69419423
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-quixwkwb-project-304-concurrent-0-anrbffc3 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-quixwkwb-project-304-concurrent-0-anrbffc3 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.476 ms) : 1465, 1488
.   : milestone, 1476,
appsec (2.412 ms) : 2362, 2462
.   : milestone, 2412,
iast (2.192 ms) : 2129, 2255
.   : milestone, 2192,
iast_GLOBAL (2.24 ms) : 2177, 2302
.   : milestone, 2240,
profiling (2.065 ms) : 2013, 2117
.   : milestone, 2065,
tracing (2.011 ms) : 1962, 2060
.   : milestone, 2011,
section candidate
no_agent (1.476 ms) : 1464, 1487
.   : milestone, 1476,
appsec (2.399 ms) : 2349, 2449
.   : milestone, 2399,
iast (2.199 ms) : 2136, 2261
.   : milestone, 2199,
iast_GLOBAL (2.238 ms) : 2174, 2302
.   : milestone, 2238,
profiling (2.064 ms) : 2012, 2116
.   : milestone, 2064,
tracing (2.028 ms) : 1980, 2077
.   : milestone, 2028,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.476 ms [1.465 ms, 1.488 ms] -
appsec 2.412 ms [2.362 ms, 2.462 ms] 935.771 µs (63.4%)
iast 2.192 ms [2.129 ms, 2.255 ms] 715.794 µs (48.5%)
iast_GLOBAL 2.24 ms [2.177 ms, 2.302 ms] 763.046 µs (51.7%)
profiling 2.065 ms [2.013 ms, 2.117 ms] 588.37 µs (39.8%)
tracing 2.011 ms [1.962 ms, 2.06 ms] 534.624 µs (36.2%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.476 ms [1.464 ms, 1.487 ms] -
appsec 2.399 ms [2.349 ms, 2.449 ms] 923.201 µs (62.5%)
iast 2.199 ms [2.136 ms, 2.261 ms] 722.551 µs (49.0%)
iast_GLOBAL 2.238 ms [2.174 ms, 2.302 ms] 762.168 µs (51.6%)
profiling 2.064 ms [2.012 ms, 2.116 ms] 588.295 µs (39.9%)
tracing 2.028 ms [1.98 ms, 2.077 ms] 552.393 µs (37.4%)
Execution time for biojava
gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.547 s) : 15547000, 15547000
.   : milestone, 15547000,
appsec (14.729 s) : 14729000, 14729000
.   : milestone, 14729000,
iast (18.554 s) : 18554000, 18554000
.   : milestone, 18554000,
iast_GLOBAL (17.841 s) : 17841000, 17841000
.   : milestone, 17841000,
profiling (15.247 s) : 15247000, 15247000
.   : milestone, 15247000,
tracing (14.623 s) : 14623000, 14623000
.   : milestone, 14623000,
section candidate
no_agent (14.894 s) : 14894000, 14894000
.   : milestone, 14894000,
appsec (14.753 s) : 14753000, 14753000
.   : milestone, 14753000,
iast (18.597 s) : 18597000, 18597000
.   : milestone, 18597000,
iast_GLOBAL (18.02 s) : 18020000, 18020000
.   : milestone, 18020000,
profiling (15.261 s) : 15261000, 15261000
.   : milestone, 15261000,
tracing (14.727 s) : 14727000, 14727000
.   : milestone, 14727000,
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.547 s [15.547 s, 15.547 s] -
appsec 14.729 s [14.729 s, 14.729 s] -818.0 ms (-5.3%)
iast 18.554 s [18.554 s, 18.554 s] 3.007 s (19.3%)
iast_GLOBAL 17.841 s [17.841 s, 17.841 s] 2.294 s (14.8%)
profiling 15.247 s [15.247 s, 15.247 s] -300.0 ms (-1.9%)
tracing 14.623 s [14.623 s, 14.623 s] -924.0 ms (-5.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.894 s [14.894 s, 14.894 s] -
appsec 14.753 s [14.753 s, 14.753 s] -141.0 ms (-0.9%)
iast 18.597 s [18.597 s, 18.597 s] 3.703 s (24.9%)
iast_GLOBAL 18.02 s [18.02 s, 18.02 s] 3.126 s (21.0%)
profiling 15.261 s [15.261 s, 15.261 s] 367.0 ms (2.5%)
tracing 14.727 s [14.727 s, 14.727 s] -167.0 ms (-1.1%)

@PerfectSlayer PerfectSlayer left a comment

Looking good from LP team

@manuel-alvarez-alvarez
Member Author

/merge

dd-devflow bot commented Jul 3, 2025

View all feedbacks in Devflow UI.

2025-07-03 12:24:08 UTC ℹ️ Start processing command /merge


2025-07-03 12:24:13 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 0s (p90).


2025-07-03 13:33:14 UTC ℹ️ MergeQueue: This merge request was merged

@dd-mergequeue dd-mergequeue bot merged commit 53e4f70 into master Jul 3, 2025
510 of 511 checks passed
@dd-mergequeue dd-mergequeue bot deleted the malvarez/fix-wrong-stack-advice-on-ctor branch July 3, 2025 13:33
@github-actions github-actions bot added this to the 1.51.0 milestone Jul 3, 2025
svc-squareup-copybara pushed a commit to cashapp/misk that referenced this pull request Jul 10, 2025
---

### Release Notes

<details>
<summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary>

###
[`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0):
1.51.0

### Components

#### Application Security Management (IAST)

- 🐛 Fix verify error when ctor params are used after a call site ([#9083](DataDog/dd-trace-java#9083) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez))
- 🐛 Limit the maximum size of the location path in IAST vulnerabilities ([#9028](DataDog/dd-trace-java#9028) - [@jandro996](https://github.com/jandro996))
- 🐛 Fix IAST gRPC handler with null superclass ([#8984](DataDog/dd-trace-java#8984) - [@smola](https://github.com/smola))
- ✨ Optimize IAST Vulnerability Detection ([#8885](DataDog/dd-trace-java#8885) - [@jandro996](https://github.com/jandro996))

</details>
