Skip to content

Upgrade libddwaf-java to 17.4.0#11943

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
masterfrom
upgrtade-libddwaf
Jul 14, 2026
Merged

Upgrade libddwaf-java to 17.4.0#11943
gh-worker-dd-mergequeue-cf854d[bot] merged 2 commits into
masterfrom
upgrtade-libddwaf

Conversation

@jandro996

@jandro996 jandro996 commented Jul 14, 2026

Copy link
Copy Markdown
Member

What Does This Do

  • Bumps the io.sqreen:libsqreen (libddwaf-java) dependency in dd-java-agent/appsec/build.gradle from 17.3.0 to 17.4.0.

Motivation

libddwaf-java 17.4.0 fixes a production SIGSEGV where the JIT (observed on JDK 21.0.8+ and JDK 25) could elide the ArenaLease reference held by WafContext.run() before the native ddwaf_run call finished reading the backing off-heap memory, causing a crash. See libddwaf-java#198.

This release has no public API changes — the fix is internal to WafContext.run() (a reachability-fence write), so no other code in dd-trace-java needs to change.

Additional Notes

Gradle lockfiles across the repo still pin io.sqreen:libsqreen:17.3.0; per project convention these are not updated by hand — the weekly update-gradle-dependencies.yaml CI job regenerates them separately, and dependency locking runs in LockMode.LENIENT so this does not fail the build.

Contributor Checklist

Jira ticket: APPSEC-62784

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

Fixes a production SIGSEGV (APPSEC-62784) where the JIT (JDK 21.0.8+/25)
could elide the ArenaLease reference in WafContext.run() before the
native ddwaf_run call finished reading the backing memory
(libddwaf-java#198).
@jandro996

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Chef's kiss.

Reviewed commit: eee03be138

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 added the comp: asm waf Application Security Management (WAF) label Jul 14, 2026
@jandro996 jandro996 marked this pull request as ready for review July 14, 2026 10:48
@jandro996 jandro996 requested a review from a team as a code owner July 14, 2026 10:48
@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added the type: feature Enhancements and improvements label Jul 14, 2026

@datadog-prod-us1-5 datadog-prod-us1-5 Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Datadog Autotest: PASS

More details

Dependency upgrade from libddwaf-java 17.3.0 to 17.4.0 to fix a known SIGSEGV in the JIT on JDK 21.0.8+ and JDK 25. No API changes, no code modifications needed. Validation confirms clean public-API usage and full backward compatibility.

Was this helpful? React 👍 or 👎

📊 Validated against 6 scenarios · Open Bits AI session

🤖 Datadog Autotest · Commit eee03be · What is Autotest? · Any feedback? Reach out in #autotest

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 54.54% (-2.63%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: f8cdbd8 | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 13.98 s 13.92 s [-0.3%; +1.3%] (no difference)
startup:insecure-bank:tracing:Agent 12.89 s 13.01 s [-1.7%; -0.2%] (maybe better)
startup:petclinic:appsec:Agent 16.84 s 16.66 s [-0.0%; +2.2%] (no difference)
startup:petclinic:iast:Agent 16.83 s 16.97 s [-1.7%; +0.1%] (no difference)
startup:petclinic:profiling:Agent 16.71 s 16.13 s [-0.9%; +8.2%] (no difference)
startup:petclinic:sca:Agent 16.47 s 16.75 s [-6.2%; +2.8%] (no difference)
startup:petclinic:tracing:Agent 15.67 s 16.20 s [-7.4%; +0.9%] (no difference)

Commit: f8cdbd88 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@jandro996 jandro996 enabled auto-merge July 14, 2026 11:22
@jandro996 jandro996 added this pull request to the merge queue Jul 14, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 14, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-14 11:36:21 UTC ℹ️ Start processing command /merge


2026-07-14 11:36:25 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-07-14 12:34:37 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 14, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit eaabb65 into master Jul 14, 2026
588 of 589 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the upgrtade-libddwaf branch July 14, 2026 12:34
@github-actions github-actions Bot added this to the 1.65.0 milestone Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm waf Application Security Management (WAF) tag: no release note type: feature Enhancements and improvements

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants