Abort on IBMJ9's keytool

[bric3]

What Does This Do

The JVM agent should not activate on JDK tools. The JVM agent already did that for JVM having modules. This PR extends that check to older commercial IBMJ9. To avoid faulty behavior.

Note tests are in #11134

Motivation

First, the java agent should not activate on JDK tools. In particular when these JDK tools are invoked as a subprocess of the main app, they might inherit the JAVA_TOOL_OPTIONS that contain the -java-agent flag.

It was observed that IBMJ9 synchronizes JarFile and SignerInfo, on keytool, the agent bstartup thread and the main thread are dead-locking while loading security providers.

The #10714 prevented a code path for this to happen, but another code path was discovered with Strings.sha256 using MessageDigest (loading under the hood the providers).

Preventing keytool from being instrumented should fully solve the issue.

Additional Notes

Since other Java 8 tools might be impacted, I added them.

This PR extends the JDK tool check introduced in #6096

---

I collected the various tools using this approach:

I created a simple agent capturing the sun.java.command system property

import java.lang.instrument.*;
public class ReadToolCommand {
    public static void premain(String a, Instrumentation i) {
        System.err.println("CMD=" + System.getProperty("sun.java.command"));
    }
}

mkdir -p /tmp/agentsrc /tmp/agentclasses
javac -d /tmp/agentclasses /tmp/agentsrc/ReadToolCommand.java
printf "Premain-Class: ReadToolCommand\n\n" > /tmp/meta.txt
cd /tmp/agentclasses && jar cfm /tmp/read-tool-command.jar /tmp/meta.txt ReadToolCommand.class

Then grab the output for each tool with this agent

# JRE tools
for tool in keytool rmiregistry rmid tnameserv kinit klist ktab jdmpview ikeycmd; do
  echo "$tool: $(timeout 3 /opt/ibm/java/jre/bin/$tool -J-javaagent:/tmp/read-tool-command.jar 2>&1 | grep CMD)"
done

# SDK tools
for tool in jar javac javadoc javap javah jarsigner jdb jdeps rmic extcheck \
            serialver native2ascii wsgen wsimport xjc schemagen jrunscript idlj jconsole; do
  echo "$tool: $(timeout 3 /opt/ibm/java/bin/$tool -J-javaagent:/tmp/read-tool-command.jar 2>&1 | grep CMD)"
done

However, some tool didn't accept -J prefix, in this case I used the class in the rt.jar (sun/security/tools/policytool/PolicyTool.class and sun/applet/Main.class)

This was done on the docker image ibmjava:8-sdk. I did the same on a local Hotspot based JDK 8.

[mcculls]

is this change for unit testing?

[bric3]

Yes I wanted to introduce a test for that, but I wanted make sure my test was sound before pushing it. Eventually in another PR.

[PerfectSlayer]

I would not try pushing on patch release without proper testing.

[bric3]

The code is very simple and reads a system property, like a few lines above.

I started tests here #11134

[PerfectSlayer]

Is this thing part of guard rails for injection? It feels duplicate to the mecanism we have already elsewhere (in injector and metadata).
Is there a way to deduplicate?

[bric3]

@PerfectSlayer Yes, but the same issue can happen if the deployment uses the "standard" JAVA_TOOL_OPTIONS (which is also used by SSI), in this case child process of an allowed process inherits the environment variables.

Also, it extends a mechanism already in place introduced by #6096.

[mcculls]

Is this thing part of guard rails for injection? It feels duplicate to the mecanism we have already elsewhere (in injector and metadata). Is there a way to deduplicate?

It is related but separate - the situation this addresses is when the forked tool inherits JAVA_TOOL_OPTIONS

[pr-commenter]

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	bdu/prevent-ibm-j9-keytool
git_commit_date	1776286005	1776339979
git_commit_sha	42f154d	2368ed0
release_version	1.62.0-SNAPSHOT~42f154d2f6	1.62.0-SNAPSHOT~2368ed0149

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1776341826	1776341826
ci_job_id	1601030160	1601030160
ci_pipeline_id	107983807	107983807
cpu_model	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-1p8xvkrk 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-1p8xvkrk 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 60 metrics, 11 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.078 s) : 0, 1078328
Total [baseline] (11.415 s) : 0, 11415292
Agent [candidate] (1.085 s) : 0, 1084839
Total [candidate] (11.463 s) : 0, 11462943
section appsec
Agent [baseline] (1.291 s) : 0, 1290563
Total [baseline] (11.322 s) : 0, 11321732
Agent [candidate] (1.275 s) : 0, 1274868
Total [candidate] (11.256 s) : 0, 11255891
section iast
Agent [baseline] (1.261 s) : 0, 1260831
Total [baseline] (11.346 s) : 0, 11345586
Agent [candidate] (1.251 s) : 0, 1251128
Total [candidate] (11.513 s) : 0, 11513000
section profiling
Agent [baseline] (1.211 s) : 0, 1210564
Total [baseline] (11.328 s) : 0, 11327521
Agent [candidate] (1.209 s) : 0, 1208871
Total [candidate] (11.223 s) : 0, 11222996

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.078 s	-
Agent	appsec	1.291 s	212.236 ms (19.7%)
Agent	iast	1.261 s	182.503 ms (16.9%)
Agent	profiling	1.211 s	132.236 ms (12.3%)
Total	tracing	11.415 s	-
Total	appsec	11.322 s	-93.56 ms (-0.8%)
Total	iast	11.346 s	-69.706 ms (-0.6%)
Total	profiling	11.328 s	-87.771 ms (-0.8%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.085 s	-
Agent	appsec	1.275 s	190.029 ms (17.5%)
Agent	iast	1.251 s	166.289 ms (15.3%)
Agent	profiling	1.209 s	124.032 ms (11.4%)
Total	tracing	11.463 s	-
Total	appsec	11.256 s	-207.053 ms (-1.8%)
Total	iast	11.513 s	50.057 ms (0.4%)
Total	profiling	11.223 s	-239.947 ms (-2.1%)

gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.266 ms) : 0, 1266
crashtracking [candidate] (1.296 ms) : 0, 1296
BytebuddyAgent [baseline] (642.644 ms) : 0, 642644
BytebuddyAgent [candidate] (647.149 ms) : 0, 647149
AgentMeter [baseline] (30.091 ms) : 0, 30091
AgentMeter [candidate] (30.02 ms) : 0, 30020
GlobalTracer [baseline] (255.738 ms) : 0, 255738
GlobalTracer [candidate] (255.654 ms) : 0, 255654
AppSec [baseline] (33.127 ms) : 0, 33127
AppSec [candidate] (33.128 ms) : 0, 33128
Debugger [baseline] (61.43 ms) : 0, 61430
Debugger [candidate] (61.45 ms) : 0, 61450
Remote Config [baseline] (625.107 µs) : 0, 625
Remote Config [candidate] (629.163 µs) : 0, 629
Telemetry [baseline] (8.295 ms) : 0, 8295
Telemetry [candidate] (8.31 ms) : 0, 8310
Flare Poller [baseline] (8.608 ms) : 0, 8608
Flare Poller [candidate] (10.321 ms) : 0, 10321
section appsec
crashtracking [baseline] (1.303 ms) : 0, 1303
crashtracking [candidate] (1.259 ms) : 0, 1259
BytebuddyAgent [baseline] (681.578 ms) : 0, 681578
BytebuddyAgent [candidate] (671.732 ms) : 0, 671732
AgentMeter [baseline] (12.476 ms) : 0, 12476
AgentMeter [candidate] (12.464 ms) : 0, 12464
GlobalTracer [baseline] (258.583 ms) : 0, 258583
GlobalTracer [candidate] (255.537 ms) : 0, 255537
IAST [baseline] (25.718 ms) : 0, 25718
IAST [candidate] (25.301 ms) : 0, 25301
AppSec [baseline] (191.341 ms) : 0, 191341
AppSec [candidate] (190.208 ms) : 0, 190208
Debugger [baseline] (68.882 ms) : 0, 68882
Debugger [candidate] (68.312 ms) : 0, 68312
Remote Config [baseline] (657.54 µs) : 0, 658
Remote Config [candidate] (661.696 µs) : 0, 662
Telemetry [baseline] (8.927 ms) : 0, 8927
Telemetry [candidate] (8.821 ms) : 0, 8821
Flare Poller [baseline] (3.882 ms) : 0, 3882
Flare Poller [candidate] (3.775 ms) : 0, 3775
section iast
crashtracking [baseline] (1.289 ms) : 0, 1289
crashtracking [candidate] (1.263 ms) : 0, 1263
BytebuddyAgent [baseline] (823.157 ms) : 0, 823157
BytebuddyAgent [candidate] (814.941 ms) : 0, 814941
AgentMeter [baseline] (11.717 ms) : 0, 11717
AgentMeter [candidate] (11.682 ms) : 0, 11682
GlobalTracer [baseline] (247.275 ms) : 0, 247275
GlobalTracer [candidate] (246.316 ms) : 0, 246316
IAST [baseline] (26.759 ms) : 0, 26759
IAST [candidate] (26.635 ms) : 0, 26635
AppSec [baseline] (33.523 ms) : 0, 33523
AppSec [candidate] (32.471 ms) : 0, 32471
Debugger [baseline] (65.635 ms) : 0, 65635
Debugger [candidate] (67.026 ms) : 0, 67026
Remote Config [baseline] (670.359 µs) : 0, 670
Remote Config [candidate] (577.867 µs) : 0, 578
Telemetry [baseline] (10.412 ms) : 0, 10412
Telemetry [candidate] (9.809 ms) : 0, 9809
Flare Poller [baseline] (3.626 ms) : 0, 3626
Flare Poller [candidate] (3.763 ms) : 0, 3763
section profiling
crashtracking [baseline] (1.219 ms) : 0, 1219
crashtracking [candidate] (1.226 ms) : 0, 1226
BytebuddyAgent [baseline] (704.592 ms) : 0, 704592
BytebuddyAgent [candidate] (703.452 ms) : 0, 703452
AgentMeter [baseline] (9.329 ms) : 0, 9329
AgentMeter [candidate] (9.303 ms) : 0, 9303
GlobalTracer [baseline] (215.286 ms) : 0, 215286
GlobalTracer [candidate] (214.912 ms) : 0, 214912
AppSec [baseline] (33.828 ms) : 0, 33828
AppSec [candidate] (33.678 ms) : 0, 33678
Debugger [baseline] (68.492 ms) : 0, 68492
Debugger [candidate] (68.16 ms) : 0, 68160
Remote Config [baseline] (607.353 µs) : 0, 607
Remote Config [candidate] (600.207 µs) : 0, 600
Telemetry [baseline] (8.133 ms) : 0, 8133
Telemetry [candidate] (8.115 ms) : 0, 8115
Flare Poller [baseline] (3.678 ms) : 0, 3678
Flare Poller [candidate] (3.619 ms) : 0, 3619
ProfilingAgent [baseline] (93.513 ms) : 0, 93513
ProfilingAgent [candidate] (93.968 ms) : 0, 93968
Profiling [baseline] (94.121 ms) : 0, 94121
Profiling [candidate] (94.548 ms) : 0, 94548

Loading

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.079 s) : 0, 1078568
Total [baseline] (9.366 s) : 0, 9366424
Agent [candidate] (1.089 s) : 0, 1089140
Total [candidate] (9.38 s) : 0, 9380253
section iast
Agent [baseline] (1.258 s) : 0, 1257743
Total [baseline] (10.097 s) : 0, 10096567
Agent [candidate] (1.248 s) : 0, 1248437
Total [candidate] (10.103 s) : 0, 10102555

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.079 s	-
Agent	iast	1.258 s	179.175 ms (16.6%)
Total	tracing	9.366 s	-
Total	iast	10.097 s	730.143 ms (7.8%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.089 s	-
Agent	iast	1.248 s	159.297 ms (14.6%)
Total	tracing	9.38 s	-
Total	iast	10.103 s	722.302 ms (7.7%)

gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.281 ms) : 0, 1281
crashtracking [candidate] (1.301 ms) : 0, 1301
BytebuddyAgent [baseline] (643.316 ms) : 0, 643316
BytebuddyAgent [candidate] (648.458 ms) : 0, 648458
AgentMeter [baseline] (30.002 ms) : 0, 30002
AgentMeter [candidate] (30.202 ms) : 0, 30202
GlobalTracer [baseline] (255.5 ms) : 0, 255500
GlobalTracer [candidate] (257.352 ms) : 0, 257352
AppSec [baseline] (33.312 ms) : 0, 33312
AppSec [candidate] (33.496 ms) : 0, 33496
Debugger [baseline] (60.856 ms) : 0, 60856
Debugger [candidate] (61.188 ms) : 0, 61188
Remote Config [baseline] (629.767 µs) : 0, 630
Remote Config [candidate] (628.286 µs) : 0, 628
Telemetry [baseline] (8.364 ms) : 0, 8364
Telemetry [candidate] (8.403 ms) : 0, 8403
Flare Poller [baseline] (8.683 ms) : 0, 8683
Flare Poller [candidate] (11.131 ms) : 0, 11131
section iast
crashtracking [baseline] (1.282 ms) : 0, 1282
crashtracking [candidate] (1.271 ms) : 0, 1271
BytebuddyAgent [baseline] (822.639 ms) : 0, 822639
BytebuddyAgent [candidate] (814.254 ms) : 0, 814254
AgentMeter [baseline] (11.778 ms) : 0, 11778
AgentMeter [candidate] (11.658 ms) : 0, 11658
GlobalTracer [baseline] (246.878 ms) : 0, 246878
GlobalTracer [candidate] (245.966 ms) : 0, 245966
AppSec [baseline] (34.081 ms) : 0, 34081
AppSec [candidate] (33.242 ms) : 0, 33242
Debugger [baseline] (62.803 ms) : 0, 62803
Debugger [candidate] (65.079 ms) : 0, 65079
Remote Config [baseline] (574.364 µs) : 0, 574
Remote Config [candidate] (570.295 µs) : 0, 570
Telemetry [baseline] (10.519 ms) : 0, 10519
Telemetry [candidate] (9.635 ms) : 0, 9635
Flare Poller [baseline] (3.537 ms) : 0, 3537
Flare Poller [candidate] (3.653 ms) : 0, 3653
IAST [baseline] (26.634 ms) : 0, 26634
IAST [candidate] (26.656 ms) : 0, 26656

Loading

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	bdu/prevent-ibm-j9-keytool
git_commit_date	1776286005	1776339979
git_commit_sha	42f154d	2368ed0
release_version	1.62.0-SNAPSHOT~42f154d2f6	1.62.0-SNAPSHOT~2368ed0149

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1776342165	1776342165
ci_job_id	1601030161	1601030161
ci_pipeline_id	107983807	107983807
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-a4iskdsp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-a4iskdsp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 1 performance regressions! Performance is the same for 17 metrics, 16 unstable metrics.

scenario	Δ mean agg_http_req_duration_p50	Δ mean agg_http_req_duration_p95	Δ mean throughput	candidate mean agg_http_req_duration_p50	candidate mean agg_http_req_duration_p95	candidate mean throughput	baseline mean agg_http_req_duration_p50	baseline mean agg_http_req_duration_p95	baseline mean throughput
scenario:load:insecure-bank:profiling:high_load	better [-263.320µs; -151.671µs] or [-14.079%; -8.109%]	unstable [-1.665ms; -0.947ms] or [-28.347%; -16.118%]	unstable [+147.288op/s; +597.650op/s] or [+7.902%; +32.065%]	1.663ms	4.567ms	2236.312op/s	1.870ms	5.873ms	1863.844op/s
scenario:load:petclinic:iast:high_load	worse [+381.787µs; +1171.039µs] or [+2.193%; +6.726%]	same [-371.416µs; +869.630µs] or [-1.294%; +3.029%]	unstable [-37.947op/s; +16.010op/s] or [-14.410%; +6.079%]	18.188ms	28.958ms	252.375op/s	17.411ms	28.709ms	263.344op/s
scenario:load:petclinic:tracing:high_load	better [-2.058ms; -1.111ms] or [-10.902%; -5.882%]	unsure [-1.907ms; -0.545ms] or [-6.373%; -1.821%]	unstable [-8.739op/s; +44.552op/s] or [-3.565%; +18.173%]	17.296ms	28.693ms	263.062op/s	18.880ms	29.919ms	245.156op/s

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (17.956 ms) : 17771, 18141
.   : milestone, 17956,
appsec (18.782 ms) : 18596, 18968
.   : milestone, 18782,
code_origins (18.118 ms) : 17937, 18298
.   : milestone, 18118,
iast (17.72 ms) : 17542, 17897
.   : milestone, 17720,
profiling (17.946 ms) : 17770, 18122
.   : milestone, 17946,
tracing (19.043 ms) : 18854, 19232
.   : milestone, 19043,
section candidate
no_agent (18.221 ms) : 18035, 18406
.   : milestone, 18221,
appsec (18.446 ms) : 18262, 18630
.   : milestone, 18446,
code_origins (18.253 ms) : 18071, 18435
.   : milestone, 18253,
iast (18.491 ms) : 18310, 18672
.   : milestone, 18491,
profiling (18.616 ms) : 18432, 18799
.   : milestone, 18616,
tracing (17.732 ms) : 17556, 17908
.   : milestone, 17732,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	17.956 ms [17.771 ms, 18.141 ms]	-
appsec	18.782 ms [18.596 ms, 18.968 ms]	825.572 µs (4.6%)
code_origins	18.118 ms [17.937 ms, 18.298 ms]	161.249 µs (0.9%)
iast	17.72 ms [17.542 ms, 17.897 ms]	-236.541 µs (-1.3%)
profiling	17.946 ms [17.77 ms, 18.122 ms]	-10.379 µs (-0.1%)
tracing	19.043 ms [18.854 ms, 19.232 ms]	1.087 ms (6.1%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	18.221 ms [18.035 ms, 18.406 ms]	-
appsec	18.446 ms [18.262 ms, 18.63 ms]	225.519 µs (1.2%)
code_origins	18.253 ms [18.071 ms, 18.435 ms]	32.313 µs (0.2%)
iast	18.491 ms [18.31 ms, 18.672 ms]	270.842 µs (1.5%)
profiling	18.616 ms [18.432 ms, 18.799 ms]	395.206 µs (2.2%)
tracing	17.732 ms [17.556 ms, 17.908 ms]	-488.391 µs (-2.7%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.25 ms) : 1239, 1262
.   : milestone, 1250,
iast (3.345 ms) : 3296, 3393
.   : milestone, 3345,
iast_FULL (5.96 ms) : 5900, 6019
.   : milestone, 5960,
iast_GLOBAL (3.72 ms) : 3658, 3781
.   : milestone, 3720,
profiling (2.436 ms) : 2411, 2461
.   : milestone, 2436,
tracing (1.874 ms) : 1858, 1889
.   : milestone, 1874,
section candidate
no_agent (1.252 ms) : 1240, 1265
.   : milestone, 1252,
iast (3.306 ms) : 3261, 3351
.   : milestone, 3306,
iast_FULL (5.99 ms) : 5929, 6051
.   : milestone, 5990,
iast_GLOBAL (3.758 ms) : 3694, 3821
.   : milestone, 3758,
profiling (2.018 ms) : 2002, 2035
.   : milestone, 2018,
tracing (1.876 ms) : 1861, 1891
.   : milestone, 1876,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.25 ms [1.239 ms, 1.262 ms]	-
iast	3.345 ms [3.296 ms, 3.393 ms]	2.094 ms (167.5%)
iast_FULL	5.96 ms [5.9 ms, 6.019 ms]	4.709 ms (376.6%)
iast_GLOBAL	3.72 ms [3.658 ms, 3.781 ms]	2.469 ms (197.5%)
profiling	2.436 ms [2.411 ms, 2.461 ms]	1.186 ms (94.8%)
tracing	1.874 ms [1.858 ms, 1.889 ms]	623.065 µs (49.8%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.252 ms [1.24 ms, 1.265 ms]	-
iast	3.306 ms [3.261 ms, 3.351 ms]	2.054 ms (164.0%)
iast_FULL	5.99 ms [5.929 ms, 6.051 ms]	4.738 ms (378.3%)
iast_GLOBAL	3.758 ms [3.694 ms, 3.821 ms]	2.505 ms (200.1%)
profiling	2.018 ms [2.002 ms, 2.035 ms]	766.039 µs (61.2%)
tracing	1.876 ms [1.861 ms, 1.891 ms]	623.726 µs (49.8%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	bdu/prevent-ibm-j9-keytool
git_commit_date	1776286005	1776339979
git_commit_sha	42f154d	2368ed0
release_version	1.62.0-SNAPSHOT~42f154d2f6	1.62.0-SNAPSHOT~2368ed0149

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1776342007	1776342007
ci_job_id	1601030164	1601030164
ci_pipeline_id	107983807	107983807
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-ojjij2jo 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-ojjij2jo 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

scenario	Δ mean execution_time	candidate mean execution_time	baseline mean execution_time
scenario:dacapo:tomcat:appsec	better [-1.491ms; -1.139ms] or [-38.657%; -29.526%]	2.541ms	3.856ms

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (14.971 s) : 14971000, 14971000
.   : milestone, 14971000,
appsec (14.806 s) : 14806000, 14806000
.   : milestone, 14806000,
iast (18.579 s) : 18579000, 18579000
.   : milestone, 18579000,
iast_GLOBAL (18.223 s) : 18223000, 18223000
.   : milestone, 18223000,
profiling (14.968 s) : 14968000, 14968000
.   : milestone, 14968000,
tracing (14.711 s) : 14711000, 14711000
.   : milestone, 14711000,
section candidate
no_agent (15.414 s) : 15414000, 15414000
.   : milestone, 15414000,
appsec (14.785 s) : 14785000, 14785000
.   : milestone, 14785000,
iast (18.18 s) : 18180000, 18180000
.   : milestone, 18180000,
iast_GLOBAL (18.142 s) : 18142000, 18142000
.   : milestone, 18142000,
profiling (15.409 s) : 15409000, 15409000
.   : milestone, 15409000,
tracing (14.661 s) : 14661000, 14661000
.   : milestone, 14661000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	14.971 s [14.971 s, 14.971 s]	-
appsec	14.806 s [14.806 s, 14.806 s]	-165.0 ms (-1.1%)
iast	18.579 s [18.579 s, 18.579 s]	3.608 s (24.1%)
iast_GLOBAL	18.223 s [18.223 s, 18.223 s]	3.252 s (21.7%)
profiling	14.968 s [14.968 s, 14.968 s]	-3.0 ms (-0.0%)
tracing	14.711 s [14.711 s, 14.711 s]	-260.0 ms (-1.7%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.414 s [15.414 s, 15.414 s]	-
appsec	14.785 s [14.785 s, 14.785 s]	-629.0 ms (-4.1%)
iast	18.18 s [18.18 s, 18.18 s]	2.766 s (17.9%)
iast_GLOBAL	18.142 s [18.142 s, 18.142 s]	2.728 s (17.7%)
profiling	15.409 s [15.409 s, 15.409 s]	-5.0 ms (-0.0%)
tracing	14.661 s [14.661 s, 14.661 s]	-753.0 ms (-4.9%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~2368ed0149, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.49 ms) : 1479, 1502
.   : milestone, 1490,
appsec (3.856 ms) : 3631, 4081
.   : milestone, 3856,
iast (2.276 ms) : 2206, 2345
.   : milestone, 2276,
iast_GLOBAL (2.324 ms) : 2255, 2394
.   : milestone, 2324,
profiling (2.102 ms) : 2047, 2157
.   : milestone, 2102,
tracing (2.086 ms) : 2032, 2140
.   : milestone, 2086,
section candidate
no_agent (1.491 ms) : 1479, 1502
.   : milestone, 1491,
appsec (2.541 ms) : 2487, 2596
.   : milestone, 2541,
iast (2.275 ms) : 2206, 2345
.   : milestone, 2275,
iast_GLOBAL (2.319 ms) : 2249, 2388
.   : milestone, 2319,
profiling (2.1 ms) : 2046, 2155
.   : milestone, 2100,
tracing (2.099 ms) : 2045, 2153
.   : milestone, 2099,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.49 ms [1.479 ms, 1.502 ms]	-
appsec	3.856 ms [3.631 ms, 4.081 ms]	2.366 ms (158.7%)
iast	2.276 ms [2.206 ms, 2.345 ms]	785.274 µs (52.7%)
iast_GLOBAL	2.324 ms [2.255 ms, 2.394 ms]	834.21 µs (56.0%)
profiling	2.102 ms [2.047 ms, 2.157 ms]	611.573 µs (41.0%)
tracing	2.086 ms [2.032 ms, 2.14 ms]	595.968 µs (40.0%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.491 ms [1.479 ms, 1.502 ms]	-
appsec	2.541 ms [2.487 ms, 2.596 ms]	1.051 ms (70.5%)
iast	2.275 ms [2.206 ms, 2.345 ms]	784.778 µs (52.6%)
iast_GLOBAL	2.319 ms [2.249 ms, 2.388 ms]	828.296 µs (55.6%)
profiling	2.1 ms [2.046 ms, 2.155 ms]	609.831 µs (40.9%)
tracing	2.099 ms [2.045 ms, 2.153 ms]	608.33 µs (40.8%)

[bric3]

I went ahead and merged this one while I work on a smoke test

[dd-octo-sts]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-16 12:59:13 UTC ℹ️ Start processing command /merge

---

2026-04-16 12:59:18 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).

---

2026-04-16 14:11:39 UTC ℹ️ MergeQueue: This merge request was merged