[WIP] Add JFR scrubbing before profile upload

[jbachorik]

What Does This Do

Adds configurable scrubbing of sensitive fields in JFR profiling recordings before upload. Sensitive data (system properties, JVM arguments, environment variables, command lines) is replaced with redacted values.

Motivation

Prevents accidental exposure of sensitive information (credentials, API keys, internal paths) in profiling data uploaded to Datadog backend.

Additional Notes

This is a proof of concept. All string values from the defined attributes will be scrubbed, there is no support for regex and similar matching. It is disabled by default and present only to be able to infer the extra overhead it would expose on a real-life system after enabling.
If the concept is validated, we will add proper value matching and enable scrubbing by default in a later PR.

profiling-scrubber module (new)

• JfrScrubber wraps jafar-tools Scrubber (Java 8 compatible)
• DefaultScrubDefinition defines fields to scrub per event type: jdk.InitialSystemProperty/value, jdk.JVMInformation/jvmArguments, jdk.InitialEnvironmentVariable/value, jdk.SystemProcess/commandLine
• Event types can be excluded from scrubbing via dd.profiling.scrub.event-type-excludes

Pipeline wiring

• ScrubRecordingDataListener decorates RecordingDataListener, scrubbing JFR data before delegating to the upload listener
• Uses RecordingData.getPath() (new) to avoid stream materialization for file-backed recordings (ddprof)
• Fail-open mode (dd.profiling.scrub.fail-open) passes unscrubbed data on scrubber errors, with null-safety guard to prevent passing already-released data

Configuration

• dd.profiling.scrub.enabled (default: false) — master switch
• dd.profiling.scrub.fail-open (default: false) — upload unscrubbed data on scrubber failure
• dd.profiling.scrub.event-type-excludes — comma-separated event types to skip

Native image support

• Guard ThrowableInstanceAdvice during native-image build to prevent JFR event class initialization errors
• Smoke test verifies profiling pipeline produces JFR files with system property events
• Scrubbing assertion deferred (TODO) — jafar 0.14.0-SNAPSHOT does not yet handle SubstrateVM JFR chunk format

⚠️ HelperScanner change — reviewer attention requested

HelperScanner.visitField() and visitMethod() changed from REQUIRES to USES.

This fix was necessary to support the ~2000 jafar helper classes injected transitively via VMRuntimeModule.injectHelperDependencies(). The previous behavior marked field types and method parameter/return types as load-time dependencies (REQUIRES), which created false dependency cycles. When removeCycles() broke these, subclasses could be positioned before their superclass in the topological sort, causing NoClassDefFoundError during batch class injection.

The fix is correct per the JVM spec: defineClass only eagerly resolves superclass and interfaces (handled by visit()). Field types, method parameter/return types, and declared exceptions are resolved lazily. However, this change affects all instrumentations that use injectHelperDependencies(), not just profiling. If any instrumentation relies on the old (incorrect) ordering where field/method types were treated as load-time dependencies, this change could surface latent issues.

Requesting review from someone familiar with HelperScanner / HelperInjector internals to verify no regressions.

Testing

• Unit tests: JfrScrubberTest (scrubbing correctness, exclusion, no-op), ScrubRecordingDataListenerTest (decorator behavior, fail-open, error paths)
• Integration test: JFRBasedProfilingIntegrationTest — verifies end-to-end scrubbing of jdk.InitialSystemProperty and jdk.JVMInformation in a real profiling session
• Native image smoke test: SpringBootNativeInstrumentationTest — verifies native image builds and runs with scrubbing enabled

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any other useful labels
• Avoid using close, fix, or any linking keywords when referencing an issue
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors

Jira ticket: PROF-13548

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

[pr-commenter]

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	jb/jfr_redacting
git_commit_date	1771513426	1771698260
git_commit_sha	5418feb	46507cd
release_version	1.60.0-SNAPSHOT~5418feb23a	1.60.0-SNAPSHOT~46507cd649

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1771700189	1771700189
ci_job_id	1445642010	1445642010
ci_pipeline_id	98083711	98083711
cpu_model	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-co813796 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-co813796 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 56 metrics, 15 unstable metrics.

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.091 s) : 0, 1091331
Total [baseline] (11.302 s) : 0, 11301726
Agent [candidate] (1.1 s) : 0, 1099783
Total [candidate] (11.16 s) : 0, 11159570
section appsec
Agent [baseline] (1.273 s) : 0, 1272837
Total [baseline] (11.249 s) : 0, 11248571
Agent [candidate] (1.264 s) : 0, 1264498
Total [candidate] (11.262 s) : 0, 11261653
section iast
Agent [baseline] (1.265 s) : 0, 1265052
Total [baseline] (11.53 s) : 0, 11530408
Agent [candidate] (1.264 s) : 0, 1263800
Total [candidate] (11.436 s) : 0, 11435951
section profiling
Agent [baseline] (1.217 s) : 0, 1217187
Total [baseline] (11.282 s) : 0, 11282074
Agent [candidate] (1.227 s) : 0, 1227371
Total [candidate] (11.313 s) : 0, 11313043

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.091 s	-
Agent	appsec	1.273 s	181.506 ms (16.6%)
Agent	iast	1.265 s	173.721 ms (15.9%)
Agent	profiling	1.217 s	125.856 ms (11.5%)
Total	tracing	11.302 s	-
Total	appsec	11.249 s	-53.155 ms (-0.5%)
Total	iast	11.53 s	228.682 ms (2.0%)
Total	profiling	11.282 s	-19.652 ms (-0.2%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.1 s	-
Agent	appsec	1.264 s	164.715 ms (15.0%)
Agent	iast	1.264 s	164.018 ms (14.9%)
Agent	profiling	1.227 s	127.588 ms (11.6%)
Total	tracing	11.16 s	-
Total	appsec	11.262 s	102.083 ms (0.9%)
Total	iast	11.436 s	276.381 ms (2.5%)
Total	profiling	11.313 s	153.473 ms (1.4%)

gantt
    title petclinic - break down per module: candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.237 ms) : 0, 1237
crashtracking [candidate] (1.263 ms) : 0, 1263
BytebuddyAgent [baseline] (641.645 ms) : 0, 641645
BytebuddyAgent [candidate] (645.473 ms) : 0, 645473
AgentMeter [baseline] (29.665 ms) : 0, 29665
AgentMeter [candidate] (29.829 ms) : 0, 29829
GlobalTracer [baseline] (264.627 ms) : 0, 264627
GlobalTracer [candidate] (267.446 ms) : 0, 267446
AppSec [baseline] (34.082 ms) : 0, 34082
AppSec [candidate] (34.337 ms) : 0, 34337
Debugger [baseline] (67.719 ms) : 0, 67719
Debugger [candidate] (67.874 ms) : 0, 67874
Remote Config [baseline] (649.154 µs) : 0, 649
Remote Config [candidate] (656.412 µs) : 0, 656
Telemetry [baseline] (11.248 ms) : 0, 11248
Telemetry [candidate] (11.322 ms) : 0, 11322
Flare Poller [baseline] (3.879 ms) : 0, 3879
Flare Poller [candidate] (4.789 ms) : 0, 4789
section appsec
crashtracking [baseline] (1.25 ms) : 0, 1250
crashtracking [candidate] (1.228 ms) : 0, 1228
BytebuddyAgent [baseline] (674.171 ms) : 0, 674171
BytebuddyAgent [candidate] (669.537 ms) : 0, 669537
AgentMeter [baseline] (12.405 ms) : 0, 12405
AgentMeter [candidate] (12.288 ms) : 0, 12288
GlobalTracer [baseline] (265.5 ms) : 0, 265500
GlobalTracer [candidate] (263.995 ms) : 0, 263995
AppSec [baseline] (172.542 ms) : 0, 172542
AppSec [candidate] (172.261 ms) : 0, 172261
Debugger [baseline] (69.538 ms) : 0, 69538
Debugger [candidate] (68.602 ms) : 0, 68602
Remote Config [baseline] (686.536 µs) : 0, 687
Remote Config [candidate] (683.486 µs) : 0, 683
Telemetry [baseline] (9.894 ms) : 0, 9894
Telemetry [candidate] (9.561 ms) : 0, 9561
Flare Poller [baseline] (3.86 ms) : 0, 3860
Flare Poller [candidate] (3.649 ms) : 0, 3649
IAST [baseline] (26.477 ms) : 0, 26477
IAST [candidate] (26.318 ms) : 0, 26318
section iast
crashtracking [baseline] (1.232 ms) : 0, 1232
crashtracking [candidate] (1.23 ms) : 0, 1230
BytebuddyAgent [baseline] (812.801 ms) : 0, 812801
BytebuddyAgent [candidate] (813.602 ms) : 0, 813602
AgentMeter [baseline] (11.728 ms) : 0, 11728
AgentMeter [candidate] (11.64 ms) : 0, 11640
GlobalTracer [baseline] (256.575 ms) : 0, 256575
GlobalTracer [candidate] (256.304 ms) : 0, 256304
AppSec [baseline] (34.393 ms) : 0, 34393
AppSec [candidate] (35.148 ms) : 0, 35148
Debugger [baseline] (70.086 ms) : 0, 70086
Debugger [candidate] (68.33 ms) : 0, 68330
Remote Config [baseline] (575.98 µs) : 0, 576
Remote Config [candidate] (563.131 µs) : 0, 563
Telemetry [baseline] (9.05 ms) : 0, 9050
Telemetry [candidate] (8.832 ms) : 0, 8832
Flare Poller [baseline] (3.687 ms) : 0, 3687
Flare Poller [candidate] (3.508 ms) : 0, 3508
IAST [baseline] (28.524 ms) : 0, 28524
IAST [candidate] (28.292 ms) : 0, 28292
section profiling
crashtracking [baseline] (1.247 ms) : 0, 1247
crashtracking [candidate] (1.25 ms) : 0, 1250
BytebuddyAgent [baseline] (695.92 ms) : 0, 695920
BytebuddyAgent [candidate] (702.639 ms) : 0, 702639
AgentMeter [baseline] (8.812 ms) : 0, 8812
AgentMeter [candidate] (8.873 ms) : 0, 8873
GlobalTracer [baseline] (223.59 ms) : 0, 223590
GlobalTracer [candidate] (225.161 ms) : 0, 225161
AppSec [baseline] (33.937 ms) : 0, 33937
AppSec [candidate] (34.181 ms) : 0, 34181
Debugger [baseline] (68.722 ms) : 0, 68722
Debugger [candidate] (69.909 ms) : 0, 69909
Remote Config [baseline] (666.274 µs) : 0, 666
Remote Config [candidate] (662.024 µs) : 0, 662
Telemetry [baseline] (9.242 ms) : 0, 9242
Telemetry [candidate] (9.217 ms) : 0, 9217
Flare Poller [baseline] (4.695 ms) : 0, 4695
Flare Poller [candidate] (3.834 ms) : 0, 3834
ProfilingAgent [baseline] (98.994 ms) : 0, 98994
ProfilingAgent [candidate] (99.626 ms) : 0, 99626
Profiling [baseline] (99.586 ms) : 0, 99586
Profiling [candidate] (100.221 ms) : 0, 100221

Loading

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.095 s) : 0, 1094905
Total [baseline] (9.315 s) : 0, 9315056
Agent [candidate] (1.097 s) : 0, 1096534
Total [candidate] (9.303 s) : 0, 9302729
section iast
Agent [baseline] (1.266 s) : 0, 1265853
Total [baseline] (9.991 s) : 0, 9991448
Agent [candidate] (1.257 s) : 0, 1256818
Total [candidate] (9.981 s) : 0, 9980969

Loading

• baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.095 s	-
Agent	iast	1.266 s	170.948 ms (15.6%)
Total	tracing	9.315 s	-
Total	iast	9.991 s	676.392 ms (7.3%)

• candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.097 s	-
Agent	iast	1.257 s	160.284 ms (14.6%)
Total	tracing	9.303 s	-
Total	iast	9.981 s	678.241 ms (7.3%)

gantt
    title insecure-bank - break down per module: candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.243 ms) : 0, 1243
crashtracking [candidate] (1.242 ms) : 0, 1242
BytebuddyAgent [baseline] (642.966 ms) : 0, 642966
BytebuddyAgent [candidate] (644.363 ms) : 0, 644363
AgentMeter [baseline] (29.753 ms) : 0, 29753
AgentMeter [candidate] (29.849 ms) : 0, 29849
GlobalTracer [baseline] (265.773 ms) : 0, 265773
GlobalTracer [candidate] (265.748 ms) : 0, 265748
AppSec [baseline] (34.226 ms) : 0, 34226
AppSec [candidate] (34.22 ms) : 0, 34220
Debugger [baseline] (65.396 ms) : 0, 65396
Debugger [candidate] (67.793 ms) : 0, 67793
Remote Config [baseline] (662.385 µs) : 0, 662
Remote Config [candidate] (655.096 µs) : 0, 655
Telemetry [baseline] (11.025 ms) : 0, 11025
Telemetry [candidate] (12.052 ms) : 0, 12052
Flare Poller [baseline] (7.163 ms) : 0, 7163
Flare Poller [candidate] (3.861 ms) : 0, 3861
section iast
crashtracking [baseline] (1.249 ms) : 0, 1249
crashtracking [candidate] (1.232 ms) : 0, 1232
BytebuddyAgent [baseline] (817.678 ms) : 0, 817678
BytebuddyAgent [candidate] (809.482 ms) : 0, 809482
AgentMeter [baseline] (11.733 ms) : 0, 11733
AgentMeter [candidate] (11.626 ms) : 0, 11626
GlobalTracer [baseline] (255.692 ms) : 0, 255692
GlobalTracer [candidate] (255.406 ms) : 0, 255406
AppSec [baseline] (32.54 ms) : 0, 32540
AppSec [candidate] (32.613 ms) : 0, 32613
Debugger [baseline] (69.532 ms) : 0, 69532
Debugger [candidate] (69.331 ms) : 0, 69331
Remote Config [baseline] (579.359 µs) : 0, 579
Remote Config [candidate] (557.821 µs) : 0, 558
Telemetry [baseline] (8.822 ms) : 0, 8822
Telemetry [candidate] (8.751 ms) : 0, 8751
Flare Poller [baseline] (3.552 ms) : 0, 3552
Flare Poller [candidate] (3.514 ms) : 0, 3514
IAST [baseline] (27.896 ms) : 0, 27896
IAST [candidate] (28.012 ms) : 0, 28012

Loading

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	jb/jfr_redacting
git_commit_date	1771513426	1771698260
git_commit_sha	5418feb	46507cd
release_version	1.60.0-SNAPSHOT~5418feb23a	1.60.0-SNAPSHOT~46507cd649

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1771700728	1771700728
ci_job_id	1445642011	1445642011
ci_pipeline_id	98083711	98083711
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-2ai6nbvi 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-2ai6nbvi 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 3 performance regressions! Performance is the same for 13 metrics, 18 unstable metrics.

scenario	Δ mean agg_http_req_duration_p50	Δ mean agg_http_req_duration_p95	Δ mean throughput	candidate mean agg_http_req_duration_p50	candidate mean agg_http_req_duration_p95	candidate mean throughput	baseline mean agg_http_req_duration_p50	baseline mean agg_http_req_duration_p95	baseline mean throughput
scenario:load:insecure-bank:iast_GLOBAL:high_load	better [-221.190µs; -96.668µs] or [-8.045%; -3.516%]	unstable [-3.711ms; +9.752ms] or [-47.031%; +123.594%]	unstable [-67.199op/s; +239.136op/s] or [-5.193%; +18.481%]	2.590ms	10.911ms	1379.906op/s	2.749ms	7.890ms	1293.938op/s
scenario:load:petclinic:tracing:high_load	worse [+0.840ms; +1.737ms] or [+4.882%; +10.093%]	worse [+0.980ms; +2.488ms] or [+3.466%; +8.793%]	unstable [-43.464op/s; +10.277op/s] or [-16.403%; +3.878%]	18.496ms	30.023ms	248.375op/s	17.207ms	28.289ms	264.969op/s
scenario:load:petclinic:code_origins:high_load	better [-1.935ms; -0.898ms] or [-10.195%; -4.733%]	unsure [-2.031ms; -0.543ms] or [-6.645%; -1.776%]	unstable [-10.170op/s; +43.108op/s] or [-4.177%; +17.703%]	17.568ms	29.278ms	259.969op/s	18.985ms	30.565ms	243.500op/s
scenario:load:petclinic:no_agent:high_load	worse [+0.931ms; +2.575ms] or [+5.388%; +14.897%]	unstable [+0.316ms; +3.437ms] or [+1.076%; +11.691%]	unstable [-50.248op/s; +6.561op/s] or [-19.031%; +2.485%]	19.039ms	31.273ms	242.188op/s	17.286ms	29.396ms	264.031op/s

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a
    dateFormat X
    axisFormat %s
section baseline
no_agent (17.673 ms) : 17494, 17852
.   : milestone, 17673,
appsec (18.776 ms) : 18587, 18964
.   : milestone, 18776,
code_origins (19.17 ms) : 18975, 19365
.   : milestone, 19170,
iast (17.605 ms) : 17430, 17781
.   : milestone, 17605,
profiling (19.581 ms) : 19384, 19777
.   : milestone, 19581,
tracing (17.607 ms) : 17432, 17782
.   : milestone, 17607,
section candidate
no_agent (19.276 ms) : 19076, 19475
.   : milestone, 19276,
appsec (18.316 ms) : 18130, 18502
.   : milestone, 18316,
code_origins (17.951 ms) : 17773, 18129
.   : milestone, 17951,
iast (17.577 ms) : 17406, 17749
.   : milestone, 17577,
profiling (19.011 ms) : 18824, 19199
.   : milestone, 19011,
tracing (18.794 ms) : 18604, 18985
.   : milestone, 18794,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	17.673 ms [17.494 ms, 17.852 ms]	-
appsec	18.776 ms [18.587 ms, 18.964 ms]	1.102 ms (6.2%)
code_origins	19.17 ms [18.975 ms, 19.365 ms]	1.496 ms (8.5%)
iast	17.605 ms [17.43 ms, 17.781 ms]	-67.765 µs (-0.4%)
profiling	19.581 ms [19.384 ms, 19.777 ms]	1.907 ms (10.8%)
tracing	17.607 ms [17.432 ms, 17.782 ms]	-66.057 µs (-0.4%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	19.276 ms [19.076 ms, 19.475 ms]	-
appsec	18.316 ms [18.13 ms, 18.502 ms]	-959.506 µs (-5.0%)
code_origins	17.951 ms [17.773 ms, 18.129 ms]	-1.325 ms (-6.9%)
iast	17.577 ms [17.406 ms, 17.749 ms]	-1.698 ms (-8.8%)
profiling	19.011 ms [18.824 ms, 19.199 ms]	-264.28 µs (-1.4%)
tracing	18.794 ms [18.604 ms, 18.985 ms]	-481.367 µs (-2.5%)

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.167 ms) : 1156, 1178
.   : milestone, 1167,
iast (3.236 ms) : 3188, 3284
.   : milestone, 3236,
iast_FULL (5.862 ms) : 5802, 5921
.   : milestone, 5862,
iast_GLOBAL (3.543 ms) : 3482, 3604
.   : milestone, 3543,
profiling (2.152 ms) : 2132, 2173
.   : milestone, 2152,
tracing (1.774 ms) : 1759, 1789
.   : milestone, 1774,
section candidate
no_agent (1.166 ms) : 1155, 1178
.   : milestone, 1166,
iast (3.188 ms) : 3148, 3227
.   : milestone, 3188,
iast_FULL (5.963 ms) : 5902, 6024
.   : milestone, 5963,
iast_GLOBAL (3.32 ms) : 3273, 3367
.   : milestone, 3320,
profiling (2.089 ms) : 2070, 2107
.   : milestone, 2089,
tracing (1.849 ms) : 1832, 1865
.   : milestone, 1849,

Loading

• baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.167 ms [1.156 ms, 1.178 ms]	-
iast	3.236 ms [3.188 ms, 3.284 ms]	2.069 ms (177.2%)
iast_FULL	5.862 ms [5.802 ms, 5.921 ms]	4.694 ms (402.2%)
iast_GLOBAL	3.543 ms [3.482 ms, 3.604 ms]	2.376 ms (203.5%)
profiling	2.152 ms [2.132 ms, 2.173 ms]	985.071 µs (84.4%)
tracing	1.774 ms [1.759 ms, 1.789 ms]	606.732 µs (52.0%)

• candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.166 ms [1.155 ms, 1.178 ms]	-
iast	3.188 ms [3.148 ms, 3.227 ms]	2.021 ms (173.3%)
iast_FULL	5.963 ms [5.902 ms, 6.024 ms]	4.797 ms (411.3%)
iast_GLOBAL	3.32 ms [3.273 ms, 3.367 ms]	2.154 ms (184.7%)
profiling	2.089 ms [2.07 ms, 2.107 ms]	922.232 µs (79.1%)
tracing	1.849 ms [1.832 ms, 1.865 ms]	682.586 µs (58.5%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	jb/jfr_redacting
git_commit_date	1771513426	1771698260
git_commit_sha	5418feb	46507cd
release_version	1.60.0-SNAPSHOT~5418feb23a	1.60.0-SNAPSHOT~46507cd649

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1771700565	1771700565
ci_job_id	1445642012	1445642012
ci_pipeline_id	98083711	98083711
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-gwrz6wwa 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-gwrz6wwa 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.47 ms) : 1459, 1482
.   : milestone, 1470,
appsec (3.735 ms) : 3519, 3951
.   : milestone, 3735,
iast (2.257 ms) : 2188, 2326
.   : milestone, 2257,
iast_GLOBAL (2.287 ms) : 2219, 2356
.   : milestone, 2287,
profiling (2.083 ms) : 2028, 2137
.   : milestone, 2083,
tracing (2.049 ms) : 1996, 2102
.   : milestone, 2049,
section candidate
no_agent (1.476 ms) : 1464, 1487
.   : milestone, 1476,
appsec (3.707 ms) : 3491, 3922
.   : milestone, 3707,
iast (2.251 ms) : 2182, 2320
.   : milestone, 2251,
iast_GLOBAL (2.287 ms) : 2218, 2355
.   : milestone, 2287,
profiling (2.067 ms) : 2013, 2121
.   : milestone, 2067,
tracing (2.067 ms) : 2014, 2121
.   : milestone, 2067,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.47 ms [1.459 ms, 1.482 ms]	-
appsec	3.735 ms [3.519 ms, 3.951 ms]	2.265 ms (154.0%)
iast	2.257 ms [2.188 ms, 2.326 ms]	786.549 µs (53.5%)
iast_GLOBAL	2.287 ms [2.219 ms, 2.356 ms]	817.118 µs (55.6%)
profiling	2.083 ms [2.028 ms, 2.137 ms]	612.388 µs (41.7%)
tracing	2.049 ms [1.996 ms, 2.102 ms]	578.853 µs (39.4%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.476 ms [1.464 ms, 1.487 ms]	-
appsec	3.707 ms [3.491 ms, 3.922 ms]	2.231 ms (151.2%)
iast	2.251 ms [2.182 ms, 2.32 ms]	775.388 µs (52.5%)
iast_GLOBAL	2.287 ms [2.218 ms, 2.355 ms]	810.953 µs (55.0%)
profiling	2.067 ms [2.013 ms, 2.121 ms]	591.641 µs (40.1%)
tracing	2.067 ms [2.014 ms, 2.121 ms]	591.409 µs (40.1%)

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.60.0-SNAPSHOT~46507cd649, baseline=1.60.0-SNAPSHOT~5418feb23a
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.296 s) : 15296000, 15296000
.   : milestone, 15296000,
appsec (14.836 s) : 14836000, 14836000
.   : milestone, 14836000,
iast (18.215 s) : 18215000, 18215000
.   : milestone, 18215000,
iast_GLOBAL (17.66 s) : 17660000, 17660000
.   : milestone, 17660000,
profiling (14.831 s) : 14831000, 14831000
.   : milestone, 14831000,
tracing (14.827 s) : 14827000, 14827000
.   : milestone, 14827000,
section candidate
no_agent (15.554 s) : 15554000, 15554000
.   : milestone, 15554000,
appsec (14.605 s) : 14605000, 14605000
.   : milestone, 14605000,
iast (18.266 s) : 18266000, 18266000
.   : milestone, 18266000,
iast_GLOBAL (17.635 s) : 17635000, 17635000
.   : milestone, 17635000,
profiling (14.734 s) : 14734000, 14734000
.   : milestone, 14734000,
tracing (14.906 s) : 14906000, 14906000
.   : milestone, 14906000,

Loading

• baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.296 s [15.296 s, 15.296 s]	-
appsec	14.836 s [14.836 s, 14.836 s]	-460.0 ms (-3.0%)
iast	18.215 s [18.215 s, 18.215 s]	2.919 s (19.1%)
iast_GLOBAL	17.66 s [17.66 s, 17.66 s]	2.364 s (15.5%)
profiling	14.831 s [14.831 s, 14.831 s]	-465.0 ms (-3.0%)
tracing	14.827 s [14.827 s, 14.827 s]	-469.0 ms (-3.1%)

• candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.554 s [15.554 s, 15.554 s]	-
appsec	14.605 s [14.605 s, 14.605 s]	-949.0 ms (-6.1%)
iast	18.266 s [18.266 s, 18.266 s]	2.712 s (17.4%)
iast_GLOBAL	17.635 s [17.635 s, 17.635 s]	2.081 s (13.4%)
profiling	14.734 s [14.734 s, 14.734 s]	-820.0 ms (-5.3%)
tracing	14.906 s [14.906 s, 14.906 s]	-648.0 ms (-4.2%)