Upgrade libddwaf-java to 17.4.0#11943
Conversation
Fixes a production SIGSEGV (APPSEC-62784) where the JIT (JDK 21.0.8+/25) could elide the ArenaLease reference in WafContext.run() before the native ddwaf_run call finished reading the backing memory (libddwaf-java#198).
|
@codex review |
|
Codex Review: Didn't find any major issues. Chef's kiss. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
Hi! 👋 Thanks for your pull request! 🎉 To help us review it, please make sure to:
If you need help, please check our contributing guidelines. |
There was a problem hiding this comment.
More details
Dependency upgrade from libddwaf-java 17.3.0 to 17.4.0 to fix a known SIGSEGV in the JIT on JDK 21.0.8+ and JDK 25. No API changes, no code modifications needed. Validation confirms clean public-API usage and full backward compatibility.
📊 Validated against 6 scenarios · Open Bits AI session
🤖 Datadog Autotest · Commit eee03be · What is Autotest? · Any feedback? Reach out in #autotest
|
🎯 Code Coverage (details) 🔗 Commit SHA: f8cdbd8 | Docs | Datadog PR Page | Give us feedback! |
🟢 Java Benchmark SLOs — All performance SLOs passed
PR vs. master results
Commit: Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion. |
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
|
eaabb65
into
master
What Does This Do
io.sqreen:libsqreen(libddwaf-java) dependency indd-java-agent/appsec/build.gradlefrom17.3.0to17.4.0.Motivation
libddwaf-java 17.4.0 fixes a production SIGSEGV where the JIT (observed on JDK 21.0.8+ and JDK 25) could elide the
ArenaLeasereference held byWafContext.run()before the nativeddwaf_runcall finished reading the backing off-heap memory, causing a crash. See libddwaf-java#198.This release has no public API changes — the fix is internal to
WafContext.run()(a reachability-fence write), so no other code indd-trace-javaneeds to change.Additional Notes
Gradle lockfiles across the repo still pin
io.sqreen:libsqreen:17.3.0; per project convention these are not updated by hand — the weeklyupdate-gradle-dependencies.yamlCI job regenerates them separately, and dependency locking runs inLockMode.LENIENTso this does not fail the build.Contributor Checklist
type:and (comp:orinst:) labels in addition to any other useful labelsclose,fix, or any linking keywords when referencing an issueUse
solvesinstead, and assign the PR milestone to the issueJira ticket: APPSEC-62784
Note: Once your PR is ready to merge, add it to the merge queue by commenting
/merge./merge -ccancels the queue request./merge -f --reason "reason"skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.