Skip to content

Upgrade libddwaf-java to 17.4.0#11943

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
masterfrom
upgrtade-libddwaf
Jul 14, 2026
Merged

Upgrade libddwaf-java to 17.4.0#11943
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
masterfrom
upgrtade-libddwaf

Conversation

@jandro996

@jandro996 jandro996 commented Jul 14, 2026

Copy link
Copy Markdown
Member

What Does This Do

  • Bumps the io.sqreen:libsqreen (libddwaf-java) dependency in dd-java-agent/appsec/build.gradle from 17.3.0 to 17.4.0.

Motivation

libddwaf-java 17.4.0 fixes a production SIGSEGV where the JIT (observed on JDK 21.0.8+ and JDK 25) could elide the ArenaLease reference held by WafContext.run() before the native ddwaf_run call finished reading the backing off-heap memory, causing a crash. See libddwaf-java#198.

This release has no public API changes — the fix is internal to WafContext.run() (a reachability-fence write), so no other code in dd-trace-java needs to change.

Additional Notes

Gradle lockfiles across the repo still pin io.sqreen:libsqreen:17.3.0; per project convention these are not updated by hand — the weekly update-gradle-dependencies.yaml CI job regenerates them separately, and dependency locking runs in LockMode.LENIENT so this does not fail the build.

Contributor Checklist

Jira ticket: APPSEC-62784

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

Fixes a production SIGSEGV (APPSEC-62784) where the JIT (JDK 21.0.8+/25)
could elide the ArenaLease reference in WafContext.run() before the
native ddwaf_run call finished reading the backing memory
(libddwaf-java#198).
@jandro996

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Chef's kiss.

Reviewed commit: eee03be138

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 added the comp: asm waf Application Security Management (WAF) label Jul 14, 2026
@jandro996
jandro996 marked this pull request as ready for review July 14, 2026 10:48
@jandro996
jandro996 requested a review from a team as a code owner July 14, 2026 10:48
@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added the type: feature Enhancements and improvements label Jul 14, 2026

@datadog-prod-us1-5 datadog-prod-us1-5 Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Datadog Autotest: PASS

More details

Dependency upgrade from libddwaf-java 17.3.0 to 17.4.0 to fix a known SIGSEGV in the JIT on JDK 21.0.8+ and JDK 25. No API changes, no code modifications needed. Validation confirms clean public-API usage and full backward compatibility.

Was this helpful? React 👍 or 👎

📊 Validated against 6 scenarios · Open Bits AI session

🤖 Datadog Autotest · Commit eee03be · What is Autotest? · Any feedback? Reach out in #autotest

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 54.54% (-2.63%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: f8cdbd8 | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 13.98 s 13.92 s [-0.3%; +1.3%] (no difference)
startup:insecure-bank:tracing:Agent 12.89 s 13.01 s [-1.7%; -0.2%] (maybe better)
startup:petclinic:appsec:Agent 16.84 s 16.66 s [-0.0%; +2.2%] (no difference)
startup:petclinic:iast:Agent 16.83 s 16.97 s [-1.7%; +0.1%] (no difference)
startup:petclinic:profiling:Agent 16.71 s 16.13 s [-0.9%; +8.2%] (no difference)
startup:petclinic:sca:Agent 16.47 s 16.75 s [-6.2%; +2.8%] (no difference)
startup:petclinic:tracing:Agent 15.67 s 16.20 s [-7.4%; +0.9%] (no difference)

Commit: f8cdbd88 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@jandro996
jandro996 enabled auto-merge July 14, 2026 11:22
@jandro996
jandro996 added this pull request to the merge queue Jul 14, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 14, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-14 11:36:21 UTC ℹ️ Start processing command /merge


2026-07-14 11:36:25 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-07-14 12:34:37 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue
github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 14, 2026
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot merged commit eaabb65 into master Jul 14, 2026
588 of 589 checks passed
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot deleted the upgrtade-libddwaf branch July 14, 2026 12:34
@github-actions github-actions Bot added this to the 1.65.0 milestone Jul 14, 2026
@PerfectSlayer PerfectSlayer added type: bug fix Bug fix tag: dependencies Dependencies related changes and removed type: feature Enhancements and improvements tag: no release note labels Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm waf Application Security Management (WAF) tag: dependencies Dependencies related changes type: bug fix Bug fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants