iframe-proxy

manuel-alvarez-alvarez · 2025-07-02T10:59:20Z

What Does This Do

This PR fixes an issue with call sites that incorrectly handle super calls inside constructors. Specifically, it ensures the return value of constructor-targeted call sites is properly managed when used in a super context.

Motivation

Constructor-targeted call sites are designed to return the newly constructed instance to maintain correct stack behavior. However, when such call sites are used within super calls, the returned value must be discarded (i.e., popped off the stack). Failing to do so can lead to incorrect behavior or runtime issues—such as the one recently reported by a customer

Caused by: java.lang.VerifyError: Inconsistent stackmap frames at branch target 57
Exception Details:
  Location:
    x/y/z/ResourceStreamReader.<init>(Lx/y/z/Resource;Ljava/io/InputStream;Ljava/nio/charset/Charset;)V @44: ifnonnull
  Reason:
    Current frame's stack size doesn't match stackmap.
  Current Frame:
    bci: @44
    flags: { }
    locals: { 'x/y/z/ResourceStreamReader', 'x/y/z/Resource', 'java/io/InputStream', 'java/nio/charset/Charset' }
    stack: { 'java/io/InputStreamReader', 'x/y/z/Resource' }
  Stackmap Frame:
    bci: @57
    flags: { }
    locals: { 'x/y/z/ResourceStreamReader.', 'x/y/z/Resource', 'java/io/InputStream', 'java/nio/charset/Charset' }
    stack: { }
  Bytecode:
    0000000: 2a2c 2d05 bd00 455a 5f10 015f 535a 5f10
    0000010: 005f 535a 5903 32c0 0028 5f59 0432 c000
    0000020: 395f 57b7 0017 1900 b800 4b2b c700 0dbb
    0000030: 0007 5912 09b7 000b bf2a 2bb5 000e b1
  Stackmap Table:
    full_frame(@57,{Object[#15],Object[#38],Object[#40],Object[#57]},{})

Additional Notes

Contributor Checklist

Format the title according the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any usefull labels
Don't use close, fix or any linking keywords when referencing an issue.
Use solves instead, and assign the PR milestone to the issue
Update the CODEOWNERS file on source file addition, move, or deletion
Update the public documentation in case of new configuration flag or behavior

Jira ticket: APPSEC-58131

pr-commenter · 2025-07-02T11:16:59Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date	1751437988	1751457606
git_commit_sha	`40561cd`	`1a14c5c`
release_version	1.51.0-SNAPSHOT~40561cd093	1.51.0-SNAPSHOT~1a14c5c414

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751459495	1751459495
ci_job_id	1009590244	1009590244
ci_pipeline_id	69419423	69419423
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-yygzstyr-project-304-concurrent-0-gszc7sm5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-yygzstyr-project-304-concurrent-0-gszc7sm5 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 8 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (999.335 ms) : 0, 999335
Total [baseline] (10.703 s) : 0, 10703313
Agent [candidate] (1.011 s) : 0, 1010780
Total [candidate] (10.687 s) : 0, 10686877
section appsec
Agent [baseline] (1.183 s) : 0, 1182655
Total [baseline] (10.713 s) : 0, 10713094
Agent [candidate] (1.179 s) : 0, 1178532
Total [candidate] (10.79 s) : 0, 10790171
section iast
Agent [baseline] (1.13 s) : 0, 1129575
Total [baseline] (10.07 s) : 0, 10069698
Agent [candidate] (1.138 s) : 0, 1137650
Total [candidate] (10.932 s) : 0, 10931537
section profiling
Agent [baseline] (1.244 s) : 0, 1244188
Total [baseline] (10.964 s) : 0, 10963776
Agent [candidate] (1.256 s) : 0, 1255569
Total [candidate] (11.083 s) : 0, 11083212

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	999.335 ms	-
Agent	appsec	1.183 s	183.321 ms (18.3%)
Agent	iast	1.13 s	130.24 ms (13.0%)
Agent	profiling	1.244 s	244.854 ms (24.5%)
Total	tracing	10.703 s	-
Total	appsec	10.713 s	9.782 ms (0.1%)
Total	iast	10.07 s	-633.615 ms (-5.9%)
Total	profiling	10.964 s	260.463 ms (2.4%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.011 s	-
Agent	appsec	1.179 s	167.751 ms (16.6%)
Agent	iast	1.138 s	126.87 ms (12.6%)
Agent	profiling	1.256 s	244.789 ms (24.2%)
Total	tracing	10.687 s	-
Total	appsec	10.79 s	103.293 ms (1.0%)
Total	iast	10.932 s	244.66 ms (2.3%)
Total	profiling	11.083 s	396.335 ms (3.7%)

gantt
    title petclinic - break down per module: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (689.649 ms) : 0, 689649
BytebuddyAgent [candidate] (697.967 ms) : 0, 697967
GlobalTracer [baseline] (243.366 ms) : 0, 243366
GlobalTracer [candidate] (245.716 ms) : 0, 245716
AppSec [baseline] (30.506 ms) : 0, 30506
AppSec [candidate] (30.923 ms) : 0, 30923
Debugger [baseline] (6.055 ms) : 0, 6055
Debugger [candidate] (6.134 ms) : 0, 6134
Remote Config [baseline] (683.29 µs) : 0, 683
Remote Config [candidate] (679.34 µs) : 0, 679
Telemetry [baseline] (8.234 ms) : 0, 8234
Telemetry [candidate] (8.337 ms) : 0, 8337
section appsec
BytebuddyAgent [baseline] (717.073 ms) : 0, 717073
BytebuddyAgent [candidate] (713.483 ms) : 0, 713483
GlobalTracer [baseline] (237.211 ms) : 0, 237211
GlobalTracer [candidate] (236.676 ms) : 0, 236676
IAST [baseline] (22.214 ms) : 0, 22214
IAST [candidate] (22.217 ms) : 0, 22217
AppSec [baseline] (170.786 ms) : 0, 170786
AppSec [candidate] (170.674 ms) : 0, 170674
Debugger [baseline] (5.794 ms) : 0, 5794
Debugger [candidate] (5.804 ms) : 0, 5804
Remote Config [baseline] (600.819 µs) : 0, 601
Remote Config [candidate] (606.112 µs) : 0, 606
Telemetry [baseline] (8.071 ms) : 0, 8071
Telemetry [candidate] (8.219 ms) : 0, 8219
section iast
BytebuddyAgent [baseline] (807.37 ms) : 0, 807370
BytebuddyAgent [candidate] (811.855 ms) : 0, 811855
GlobalTracer [baseline] (232.258 ms) : 0, 232258
GlobalTracer [candidate] (234.673 ms) : 0, 234673
IAST [baseline] (29.839 ms) : 0, 29839
IAST [candidate] (27.759 ms) : 0, 27759
AppSec [baseline] (25.171 ms) : 0, 25171
AppSec [candidate] (27.908 ms) : 0, 27908
Debugger [baseline] (5.789 ms) : 0, 5789
Debugger [candidate] (5.937 ms) : 0, 5937
Remote Config [baseline] (570.927 µs) : 0, 571
Remote Config [candidate] (582.963 µs) : 0, 583
Telemetry [baseline] (7.863 ms) : 0, 7863
Telemetry [candidate] (8.07 ms) : 0, 8070
section profiling
BytebuddyAgent [baseline] (678.209 ms) : 0, 678209
BytebuddyAgent [candidate] (684.536 ms) : 0, 684536
GlobalTracer [baseline] (361.469 ms) : 0, 361469
GlobalTracer [candidate] (364.109 ms) : 0, 364109
AppSec [baseline] (32.957 ms) : 0, 32957
AppSec [candidate] (33.434 ms) : 0, 33434
Debugger [baseline] (11.33 ms) : 0, 11330
Debugger [candidate] (10.668 ms) : 0, 10668
Remote Config [baseline] (652.402 µs) : 0, 652
Remote Config [candidate] (685.307 µs) : 0, 685
Telemetry [baseline] (7.966 ms) : 0, 7966
Telemetry [candidate] (8.926 ms) : 0, 8926
ProfilingAgent [baseline] (103.137 ms) : 0, 103137
ProfilingAgent [candidate] (104.234 ms) : 0, 104234
Profiling [baseline] (103.161 ms) : 0, 103161
Profiling [candidate] (104.259 ms) : 0, 104259

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.002 s) : 0, 1002495
Total [baseline] (8.562 s) : 0, 8562216
Agent [candidate] (1.001 s) : 0, 1000715
Total [candidate] (8.603 s) : 0, 8603276
section iast
Agent [baseline] (1.137 s) : 0, 1136989
Total [baseline] (9.34 s) : 0, 9339820
Agent [candidate] (1.14 s) : 0, 1140281
Total [candidate] (9.308 s) : 0, 9307785

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.002 s	-
Agent	iast	1.137 s	134.493 ms (13.4%)
Total	tracing	8.562 s	-
Total	iast	9.34 s	777.604 ms (9.1%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.001 s	-
Agent	iast	1.14 s	139.566 ms (13.9%)
Total	tracing	8.603 s	-
Total	iast	9.308 s	704.509 ms (8.2%)

gantt
    title insecure-bank - break down per module: candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093

    dateFormat X
    axisFormat %s
section tracing
BytebuddyAgent [baseline] (693.38 ms) : 0, 693380
BytebuddyAgent [candidate] (690.598 ms) : 0, 690598
GlobalTracer [baseline] (242.925 ms) : 0, 242925
GlobalTracer [candidate] (243.296 ms) : 0, 243296
AppSec [baseline] (30.394 ms) : 0, 30394
AppSec [candidate] (30.817 ms) : 0, 30817
Debugger [baseline] (6.045 ms) : 0, 6045
Debugger [candidate] (6.144 ms) : 0, 6144
Remote Config [baseline] (676.152 µs) : 0, 676
Remote Config [candidate] (685.878 µs) : 0, 686
Telemetry [baseline] (8.223 ms) : 0, 8223
Telemetry [candidate] (8.373 ms) : 0, 8373
section iast
BytebuddyAgent [baseline] (811.94 ms) : 0, 811940
BytebuddyAgent [candidate] (813.899 ms) : 0, 813899
GlobalTracer [baseline] (233.67 ms) : 0, 233670
GlobalTracer [candidate] (234.988 ms) : 0, 234988
AppSec [baseline] (29.633 ms) : 0, 29633
AppSec [candidate] (30.26 ms) : 0, 30260
Debugger [baseline] (5.82 ms) : 0, 5820
Debugger [candidate] (5.856 ms) : 0, 5856
Remote Config [baseline] (577.31 µs) : 0, 577
Remote Config [candidate] (583.606 µs) : 0, 584
Telemetry [baseline] (8.01 ms) : 0, 8010
Telemetry [candidate] (8.019 ms) : 0, 8019
IAST [baseline] (26.554 ms) : 0, 26554
IAST [candidate] (25.766 ms) : 0, 25766

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date	1751437988	1751457606
git_commit_sha	`40561cd`	`1a14c5c`
release_version	1.51.0-SNAPSHOT~40561cd093	1.51.0-SNAPSHOT~1a14c5c414

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1751459198	1751459198
ci_job_id	1009590245	1009590245
ci_pipeline_id	69419423	69419423
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-kg9uqfo1-project-304-concurrent-0-nygbh5nk 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-kg9uqfo1-project-304-concurrent-0-nygbh5nk 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.

scenario	Δ mean http_req_duration	Δ mean throughput	candidate mean http_req_duration	candidate mean throughput	baseline mean http_req_duration	baseline mean throughput
scenario:load:insecure-bank:tracing:high_load	worse [+393.572µs; +634.280µs] or [+5.509%; +8.878%]	unstable [-126.332op/s; +40.645op/s] or [-19.504%; +6.275%]	7.659ms	604.875op/s	7.145ms	647.719op/s
scenario:load:insecure-bank:no_agent:high_load	better [-266.119µs; -155.265µs] or [-5.838%; -3.406%]	unstable [-77.704op/s; +173.516op/s] or [-7.711%; +17.219%]	4.348ms	1055.625op/s	4.559ms	1007.719op/s
scenario:load:petclinic:profiling:high_load	better [-2.768ms; -1.838ms] or [-5.621%; -3.732%]	unstable [-1.885op/s; +11.303op/s] or [-1.959%; +11.743%]	46.941ms	100.962op/s	49.243ms	96.253op/s
scenario:load:petclinic:iast:high_load	worse [+2.215ms; +3.067ms] or [+5.166%; +7.153%]	unstable [-17.032op/s; -0.844op/s] or [-15.414%; -0.764%]	45.523ms	101.556op/s	42.881ms	110.494op/s

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (38.216 ms) : 37911, 38521
.   : milestone, 38216,
appsec (47.94 ms) : 47519, 48361
.   : milestone, 47940,
code_origins (46.376 ms) : 45976, 46776
.   : milestone, 46376,
iast (42.881 ms) : 42495, 43268
.   : milestone, 42881,
profiling (49.243 ms) : 48789, 49698
.   : milestone, 49243,
tracing (44.049 ms) : 43664, 44434
.   : milestone, 44049,
section candidate
no_agent (38.199 ms) : 37897, 38502
.   : milestone, 38199,
appsec (47.534 ms) : 47116, 47953
.   : milestone, 47534,
code_origins (46.006 ms) : 45607, 46405
.   : milestone, 46006,
iast (45.523 ms) : 45117, 45928
.   : milestone, 45523,
profiling (46.941 ms) : 46532, 47349
.   : milestone, 46941,
tracing (43.702 ms) : 43338, 44067
.   : milestone, 43702,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	38.216 ms [37.911 ms, 38.521 ms]	-
appsec	47.94 ms [47.519 ms, 48.361 ms]	9.724 ms (25.4%)
code_origins	46.376 ms [45.976 ms, 46.776 ms]	8.159 ms (21.4%)
iast	42.881 ms [42.495 ms, 43.268 ms]	4.665 ms (12.2%)
profiling	49.243 ms [48.789 ms, 49.698 ms]	11.027 ms (28.9%)
tracing	44.049 ms [43.664 ms, 44.434 ms]	5.833 ms (15.3%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	38.199 ms [37.897 ms, 38.502 ms]	-
appsec	47.534 ms [47.116 ms, 47.953 ms]	9.335 ms (24.4%)
code_origins	46.006 ms [45.607 ms, 46.405 ms]	7.807 ms (20.4%)
iast	45.523 ms [45.117 ms, 45.928 ms]	7.323 ms (19.2%)
profiling	46.941 ms [46.532 ms, 47.349 ms]	8.741 ms (22.9%)
tracing	43.702 ms [43.338 ms, 44.067 ms]	5.503 ms (14.4%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (4.559 ms) : 4506, 4611
.   : milestone, 4559,
iast (9.27 ms) : 9113, 9426
.   : milestone, 9270,
iast_FULL (13.836 ms) : 13565, 14107
.   : milestone, 13836,
iast_GLOBAL (9.968 ms) : 9796, 10140
.   : milestone, 9968,
profiling (8.718 ms) : 8578, 8858
.   : milestone, 8718,
tracing (7.145 ms) : 7044, 7246
.   : milestone, 7145,
section candidate
no_agent (4.348 ms) : 4298, 4399
.   : milestone, 4348,
iast (9.078 ms) : 8916, 9240
.   : milestone, 9078,
iast_FULL (13.936 ms) : 13661, 14211
.   : milestone, 13936,
iast_GLOBAL (9.861 ms) : 9689, 10033
.   : milestone, 9861,
profiling (8.726 ms) : 8591, 8860
.   : milestone, 8726,
tracing (7.659 ms) : 7537, 7780
.   : milestone, 7659,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.559 ms [4.506 ms, 4.611 ms]	-
iast	9.27 ms [9.113 ms, 9.426 ms]	4.711 ms (103.3%)
iast_FULL	13.836 ms [13.565 ms, 14.107 ms]	9.277 ms (203.5%)
iast_GLOBAL	9.968 ms [9.796 ms, 10.14 ms]	5.409 ms (118.7%)
profiling	8.718 ms [8.578 ms, 8.858 ms]	4.159 ms (91.2%)
tracing	7.145 ms [7.044 ms, 7.246 ms]	2.586 ms (56.7%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	4.348 ms [4.298 ms, 4.399 ms]	-
iast	9.078 ms [8.916 ms, 9.24 ms]	4.73 ms (108.8%)
iast_FULL	13.936 ms [13.661 ms, 14.211 ms]	9.588 ms (220.5%)
iast_GLOBAL	9.861 ms [9.689 ms, 10.033 ms]	5.513 ms (126.8%)
profiling	8.726 ms [8.591 ms, 8.86 ms]	4.377 ms (100.7%)
tracing	7.659 ms [7.537 ms, 7.78 ms]	3.311 ms (76.1%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	malvarez/fix-wrong-stack-advice-on-ctor
git_commit_date	1751437988	1751457606
git_commit_sha	`40561cd`	`1a14c5c`
release_version	1.51.0-SNAPSHOT~40561cd093	1.51.0-SNAPSHOT~1a14c5c414

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1751459718	1751459718
ci_job_id	1009590246	1009590246
ci_pipeline_id	69419423	69419423
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-quixwkwb-project-304-concurrent-0-anrbffc3 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-quixwkwb-project-304-concurrent-0-anrbffc3 6.8.0-1030-aws #32~22.04.1-Ubuntu SMP Thu Jun 5 08:38:24 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.476 ms) : 1465, 1488
.   : milestone, 1476,
appsec (2.412 ms) : 2362, 2462
.   : milestone, 2412,
iast (2.192 ms) : 2129, 2255
.   : milestone, 2192,
iast_GLOBAL (2.24 ms) : 2177, 2302
.   : milestone, 2240,
profiling (2.065 ms) : 2013, 2117
.   : milestone, 2065,
tracing (2.011 ms) : 1962, 2060
.   : milestone, 2011,
section candidate
no_agent (1.476 ms) : 1464, 1487
.   : milestone, 1476,
appsec (2.399 ms) : 2349, 2449
.   : milestone, 2399,
iast (2.199 ms) : 2136, 2261
.   : milestone, 2199,
iast_GLOBAL (2.238 ms) : 2174, 2302
.   : milestone, 2238,
profiling (2.064 ms) : 2012, 2116
.   : milestone, 2064,
tracing (2.028 ms) : 1980, 2077
.   : milestone, 2028,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.476 ms [1.465 ms, 1.488 ms]	-
appsec	2.412 ms [2.362 ms, 2.462 ms]	935.771 µs (63.4%)
iast	2.192 ms [2.129 ms, 2.255 ms]	715.794 µs (48.5%)
iast_GLOBAL	2.24 ms [2.177 ms, 2.302 ms]	763.046 µs (51.7%)
profiling	2.065 ms [2.013 ms, 2.117 ms]	588.37 µs (39.8%)
tracing	2.011 ms [1.962 ms, 2.06 ms]	534.624 µs (36.2%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.476 ms [1.464 ms, 1.487 ms]	-
appsec	2.399 ms [2.349 ms, 2.449 ms]	923.201 µs (62.5%)
iast	2.199 ms [2.136 ms, 2.261 ms]	722.551 µs (49.0%)
iast_GLOBAL	2.238 ms [2.174 ms, 2.302 ms]	762.168 µs (51.6%)
profiling	2.064 ms [2.012 ms, 2.116 ms]	588.295 µs (39.9%)
tracing	2.028 ms [1.98 ms, 2.077 ms]	552.393 µs (37.4%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.51.0-SNAPSHOT~1a14c5c414, baseline=1.51.0-SNAPSHOT~40561cd093
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.547 s) : 15547000, 15547000
.   : milestone, 15547000,
appsec (14.729 s) : 14729000, 14729000
.   : milestone, 14729000,
iast (18.554 s) : 18554000, 18554000
.   : milestone, 18554000,
iast_GLOBAL (17.841 s) : 17841000, 17841000
.   : milestone, 17841000,
profiling (15.247 s) : 15247000, 15247000
.   : milestone, 15247000,
tracing (14.623 s) : 14623000, 14623000
.   : milestone, 14623000,
section candidate
no_agent (14.894 s) : 14894000, 14894000
.   : milestone, 14894000,
appsec (14.753 s) : 14753000, 14753000
.   : milestone, 14753000,
iast (18.597 s) : 18597000, 18597000
.   : milestone, 18597000,
iast_GLOBAL (18.02 s) : 18020000, 18020000
.   : milestone, 18020000,
profiling (15.261 s) : 15261000, 15261000
.   : milestone, 15261000,
tracing (14.727 s) : 14727000, 14727000
.   : milestone, 14727000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.547 s [15.547 s, 15.547 s]	-
appsec	14.729 s [14.729 s, 14.729 s]	-818.0 ms (-5.3%)
iast	18.554 s [18.554 s, 18.554 s]	3.007 s (19.3%)
iast_GLOBAL	17.841 s [17.841 s, 17.841 s]	2.294 s (14.8%)
profiling	15.247 s [15.247 s, 15.247 s]	-300.0 ms (-1.9%)
tracing	14.623 s [14.623 s, 14.623 s]	-924.0 ms (-5.9%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.894 s [14.894 s, 14.894 s]	-
appsec	14.753 s [14.753 s, 14.753 s]	-141.0 ms (-0.9%)
iast	18.597 s [18.597 s, 18.597 s]	3.703 s (24.9%)
iast_GLOBAL	18.02 s [18.02 s, 18.02 s]	3.126 s (21.0%)
profiling	15.261 s [15.261 s, 15.261 s]	367.0 ms (2.5%)
tracing	14.727 s [14.727 s, 14.727 s]	-167.0 ms (-1.1%)

PerfectSlayer

Looking good from LP team

manuel-alvarez-alvarez · 2025-07-03T12:24:03Z

/merge

dd-devflow · 2025-07-03T12:24:08Z

| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.google.errorprone:error_prone_annotations](https://errorprone.info) ([source](https://github.com/google/error-prone)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `2.39.0` -> `2.40.0` | | [org.apache.commons:commons-lang3](https://commons.apache.org/proper/commons-lang/) ([source](https://gitbox.apache.org/repos/asf/commons-lang.git)) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `3.17.0` -> `3.18.0` | | [org.jetbrains.kotlinx.binary-compatibility-validator](https://github.com/Kotlin/binary-compatibility-validator) | plugin | misk/gradle/libs.versions.toml | gradle | patch | `0.18.0` -> `0.18.1` | | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.50.1` -> `1.51.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.31.77` -> `2.31.78` | --- ### Release Notes <details> <summary>google/error-prone (com.google.errorprone:error_prone_annotations)</summary> ### [`v2.40.0`](https://github.com/google/error-prone/releases/tag/v2.40.0): Error Prone 2.40.0 Changes: - Bug fixes and improvements - Releases (including snapshots) have migrated from [OSSRH to the Central Publisher Portal](https://central.sonatype.org/pages/ossrh-eol/#process-to-migrate) Full changelog: google/error-prone@v2.39.0...v2.40.0 </details> <details> <summary>Kotlin/binary-compatibility-validator (org.jetbrains.kotlinx.binary-compatibility-validator)</summary> ### [`v0.18.1`](https://github.com/Kotlin/binary-compatibility-validator/releases/tag/0.18.1) [Compare Source](Kotlin/binary-compatibility-validator@0.18.0...0.18.1) #### What's Changed - Fixed a bug preventing use of cross-compilation support during KLIB dump validation \[[#304](https://github.com/Kotlin/binary-compatibility-validator/issues/304)]\[[#306](https://github.com/Kotlin/binary-compatibility-validator/issues/306)] </details> <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.51.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.51.0): 1.51.0 ### Components #### Application Security Management (IAST) - 🐛 Fix verify error when ctor params are used after a call site ([#9083](DataDog/dd-trace-java#9083) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Limit the maximum size of the location path in IAST vulnerabilities ([#9028](DataDog/dd-trace-java#9028) - [@jandro996](https://github.com/jandro996)) - 🐛 Fix IAST gRPC handler with null superclass ([#8984](DataDog/dd-trace-java#8984) - [@smola](https://github.com/smola)) - ✨ Optimize IAST Vulnerability Detection ([#8885](DataDog/dd-trace-java#8885) - [@jandro996](https://github.com/jandro996)) #### Application Security Management (WAF) - ✨ Upgrade libddwaf-java to 15.0.0 ([#9022](DataDog/dd-trace-java#9022) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Extract RestEasy json body response schemas ([#9015](DataDog/dd-trace-java#9015) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Enable API Security by default and make it lazy loading ([#9009](DataDog/dd-trace-java#9009) - [@smola](https://github.com/smola)) - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛 Fix Jackson nodes introspection for request/response schema extraction ([#8980](DataDog/dd-trace-java#8980) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) - ✨ Default obfuscation regexp update ([#8937](DataDog/dd-trace-java#8937) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Build & Tooling - ✨ Cancel GitLab running pipeline on new PR push ([#9023](DataDog/dd-trace-java#9023) - [@PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Migrate publishing to Maven Central Portal ([#8807](DataDog/dd-trace-java#8807) - [@sarahchen6](https://github.com/sarahchen6)) #### Continuous Integration Visibility - 🐛 Fix Test Optimization to work with JDK 24 ([#9114](DataDog/dd-trace-java#9114) - [@nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add repo root as safe directory on git client creation ([#9033](DataDog/dd-trace-java#9033) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Add PR number tag and improve PR information building ([#8990](DataDog/dd-trace-java#8990) - [@daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update impacted tests logic ([#8923](DataDog/dd-trace-java#8923) - [@daniel-mohedano](https://github.com/daniel-mohedano)) #### Data Streams Monitoring - 🧹 Clean up DSM context injection ([#8776](DataDog/dd-trace-java#8776) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Database Monitoring - 🐛 Set trace\_injected in try block ([#9025](DataDog/dd-trace-java#9025) - [@natashadada](https://github.com/natashadada)) #### Dynamic Instrumentation - 🐛 Add source file tracking enable option ([#9115](DataDog/dd-trace-java#9115) - [@jpbempel](https://github.com/jpbempel)) - ✨ Add java.util.Date support ([#9111](DataDog/dd-trace-java#9111) - [@jpbempel](https://github.com/jpbempel)) - ✨ Update file probe format ([#9047](DataDog/dd-trace-java#9047) - [@jpbempel](https://github.com/jpbempel)) - ✨ add safe local var hoisting ([#9034](DataDog/dd-trace-java#9034) - [@jpbempel](https://github.com/jpbempel)) - 🧹 Add new config for debugger upload interval ([#8959](DataDog/dd-trace-java#8959) - [@jpbempel](https://github.com/jpbempel)) - ✨ Enable Code Origin with Dynamic instrumentation ([#8940](DataDog/dd-trace-java#8940) - [@jpbempel](https://github.com/jpbempel)) #### ML Observability (LLMObs) - 💡 LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang), [@nayeem-kamal](https://github.com/nayeem-kamal)) #### Metrics - 🐛 Ensure client stat reporter is started when the agent is not available at bootstrap ([#9082](DataDog/dd-trace-java#9082) - [@amarziali](https://github.com/amarziali)) - ✨ Create metric: appsec.waf.config\_errors ([#8394](DataDog/dd-trace-java#8394) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Platform components - ✨ Introduce environment component ([#9071](DataDog/dd-trace-java#9071) - [@PerfectSlayer](https://github.com/PerfectSlayer)) #### Profiling - 🐛 Remove annoying warning for smap event parsing ([#9119](DataDog/dd-trace-java#9119) - [@jbachorik](https://github.com/jbachorik)) - 🐛 Fix ByteCountingInputStream when reading past EOF ([#8988](DataDog/dd-trace-java#8988) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Realtime User Monitoring - ✨ Add RUM SDK injection for servlet based web servers ([#9110](DataDog/dd-trace-java#9110) - [@PerfectSlayer](https://github.com/PerfectSlayer) [@amarziali](https://github.com/amarziali)) #### Telemetry - ✨ Update the config origin metric to match what it's mapping ([#9045](DataDog/dd-trace-java#9045) - [@sezen-datadog](https://github.com/sezen-datadog)) #### Testing - ✨ Add testing for latest stable version (JDK 24) ([#8875](DataDog/dd-trace-java#8875) - [@sarahchen6](https://github.com/sarahchen6)) #### Trace context propagation - 🐛 Fix bug with dropping baggage when `TracePropagationBehaviorExtract=IGNORE` ([#9037](DataDog/dd-trace-java#9037) - [@mhlidd](https://github.com/mhlidd)) - 🐛 Fix ArrayIndexOutOfBoundsException in PercentEscaper ([#9032](DataDog/dd-trace-java#9032) - [@mhlidd](https://github.com/mhlidd)) #### Tracer core - 🐛 Fix `Error` handling for trace interceptors ([#9097](DataDog/dd-trace-java#9097) - [@AlexeyKuznetsov-DD](https://github.com/AlexeyKuznetsov-DD)) - 💡 Add wildcard feature for `DD_TRACE_HEADER_TAGS` and enabling for Http Response headers ([#9067](DataDog/dd-trace-java#9067) - [@mhlidd](https://github.com/mhlidd)) #### Tracer public API - 💡 Add LLM Observability SDK ([#8781](DataDog/dd-trace-java#8781) - [@gary-huang](https://github.com/gary-huang)) ### Instrumentations #### Akka instrumentation - 🐛 Fix NPE in akka-http and pekko-http integrations ([#9019](DataDog/dd-trace-java#9019) - [@mcculls](https://github.com/mcculls)) #### Eclipse Vert.x instrumentation - ✨ Extract Vert.x json body response schemas ([#9001](DataDog/dd-trace-java#9001) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Write http.route tag as soon as possible in vert.x ([#8952](DataDog/dd-trace-java#8952) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### JAX-WS instrumentation - 💡⚠️ Enable jax-ws integration by default ([#9030](DataDog/dd-trace-java#9030) - [@bm1549](https://github.com/bm1549)) - ✨ Extract Jersey json body response schemas ([#9014](DataDog/dd-trace-java#9014) - [@jandro996](https://github.com/jandro996)) #### Mule instrumentation - 🐛 Propagate grizzly http span in filters if nothing is active ([#9016](DataDog/dd-trace-java#9016) - [@amarziali](https://github.com/amarziali)) #### Play Framework instrumentation - ✨ Extract Play json body response schemas ([#8995](DataDog/dd-trace-java#8995) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Ratpack instrumentation - ✨ Extract Ratpack json body response schemas ([#9013](DataDog/dd-trace-java#9013) - [@manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) #### Spring instrumentation - ✨ Extract Spring json body response schemas ([#8938](DataDog/dd-trace-java#8938) - [@sezen-datadog](https://github.com/sezen-datadog)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 649b690d4c9d7dcb572c457f0802b42b8e3e682e

Fix verify error when ctor params are used after a call site

744dc04

manuel-alvarez-alvarez requested review from a team as code owners July 2, 2025 10:59

manuel-alvarez-alvarez added the type: bug Bug report and fix label Jul 2, 2025

manuel-alvarez-alvarez requested review from jandro996 and smola July 2, 2025 10:59

manuel-alvarez-alvarez added the comp: asm iast Application Security Management (IAST) label Jul 2, 2025

manuel-alvarez-alvarez requested review from bric3 and removed request for a team July 2, 2025 10:59

smola reviewed Jul 2, 2025

View reviewed changes

Comment thread ...va-agent/agent-tooling/src/test/java/datadog/trace/agent/tooling/csi/SuperInCtorExample.java Outdated

Keep tests separated

1a14c5c

manuel-alvarez-alvarez requested a review from smola July 2, 2025 12:01

PerfectSlayer approved these changes Jul 2, 2025

View reviewed changes

dd-devflow Bot added mergequeue-status: queued and removed mergequeue-status: queued labels Jul 3, 2025

dd-mergequeue Bot merged commit 53e4f70 into master Jul 3, 2025
510 of 511 checks passed

dd-mergequeue Bot deleted the malvarez/fix-wrong-stack-advice-on-ctor branch July 3, 2025 13:33

dd-devflow Bot added mergequeue-status: done and removed mergequeue-status: in_progress labels Jul 3, 2025

github-actions Bot added this to the 1.51.0 milestone Jul 3, 2025

Sunbelt Computer Software

PL/B Language Development and Support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix verify error when ctor params are used after a call site#9083

Fix verify error when ctor params are used after a call site#9083
dd-mergequeue[bot] merged 2 commits into
masterfrom
malvarez/fix-wrong-stack-advice-on-ctor

manuel-alvarez-alvarez commented Jul 2, 2025 •

edited by atlassian Bot

Loading

Uh oh!

Uh oh!

pr-commenter Bot commented Jul 2, 2025 •

edited

Loading

Uh oh!

PerfectSlayer left a comment

Uh oh!

manuel-alvarez-alvarez commented Jul 3, 2025

Uh oh!

dd-devflow Bot commented Jul 3, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

manuel-alvarez-alvarez commented Jul 2, 2025 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

Uh oh!

pr-commenter Bot commented Jul 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

PerfectSlayer left a comment

Choose a reason for hiding this comment

Uh oh!

manuel-alvarez-alvarez commented Jul 3, 2025

Uh oh!

dd-devflow Bot commented Jul 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

manuel-alvarez-alvarez commented Jul 2, 2025 •

edited by atlassian Bot

Loading

pr-commenter Bot commented Jul 2, 2025 •

edited

Loading

dd-devflow Bot commented Jul 3, 2025 •

edited

Loading