Fix SIGSEGV in ddwaf_run from JIT-elided ArenaLease reference on JDK 21.0.8+/JDK 25

build.gradle

@@ -482,6 +482,47 @@ tasks.register('testgc', Test) {
 }
 check.dependsOn testgc
 
+// Dedicated task for the GC race regression (APPSEC-62784).
+// Must run without the Jacoco coverage agent: the agent instruments WafContext.run()
+// bytecode in a way that keeps DirectByteBuffer references alive past the JNI boundary,
+// preventing the reference elision the test is designed to detect.
+// Only wired into 'check' when -PuseZGC is set (alpine-temurin21/25 CI matrix entries).
+tasks.register('testGCRace', Test) {
+    description = 'GC race regression test without coverage instrumentation (ZGC builds only)'
+    group = 'verification'
+    useJUnit()
+    // ZGC + aggressive JIT (-XX:-TieredCompilation -XX:CompileThreshold=1) consume more
+    // native and heap memory than the default Gradle test worker allocation (512m).
+    maxHeapSize = '2g'
+    filter {
+        includeTestsMatching 'com.datadog.ddwaf.ReachabilityFenceTest'
+    }
+}
+tasks.named('testGCRace') {
+    jacoco.enabled = false
+    // Force immediate C2 compilation: disables tiered compilation and compiles
+    // methods after 1 invocation, ensuring reference elision happens from the
+    // first GC stress iteration without needing a warmup run.
+    // ExplicitGCInvokesConcurrent: makes System.gc() trigger ZGC concurrent
+    // cycles (instead of a potential stop-the-world), maximising the chance
+    // of a collection running concurrently with ddwaf_run().
+    jvmArgs '-XX:-TieredCompilation', '-XX:CompileThreshold=1',
+            '-XX:+ExplicitGCInvokesConcurrent',
+            // Suppress per-call DEBUG logging from ddwaf_native: each ddwaf_run()
+            // emits ~25 lines at DEBUG level. With 16 threads x 1000 iterations the
+            // log buffer alone exhausts the 1g worker heap and triggers GC overhead
+            // limit. WARN is sufficient; the test asserts on return values, not logs.
+            '-Dorg.slf4j.simpleLogger.defaultLogLevel=WARN'
+}
+if (project.hasProperty('useZGC')) {
+    check.dependsOn 'testGCRace'
+}
+// ReachabilityFenceTest contains long warmup loops and concurrent GC pressure
+// threads designed for ZGC+C2. Running it in the standard :test task (ASAN,
+// coverage, dev builds) makes those jobs take hours. Exclude it here; it runs
+// exclusively via testGCRace when -PuseZGC is set.
+test.filter.excludeTestsMatching 'com.datadog.ddwaf.ReachabilityFenceTest'
+
 tasks.withType(Test).configureEach {
     if (System.getenv('TEST_EXECUTABLE')) {
         it.executable System.getenv('TEST_EXECUTABLE')

gradle.properties

@@ -0,0 +1 @@
+org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m

src/main/java/com/datadog/ddwaf/WafContext.java

@@ -20,15 +20,21 @@
 
 /**
  * Originally intended to be a {@code final} class to enforce immutability and usage constraints.
- * The {@code final} modifier was intentionally removed to improve testability—specifically to allow
- * mocking in unit tests
+ * The {@code final} modifier was intentionally removed to improve testability - specifically to
+ * allow mocking in unit tests
  *
  * <p>This class should still be treated as final in spirit: it is not designed for extension , and
  * should only be subclassed or mocked in test environments.
  */
 public class WafContext implements Closeable {
   private static final Logger LOGGER = LoggerFactory.getLogger(WafContext.class);
 
+  // Java-8 compatible reachability fence: a volatile write is a memory barrier
+  // the JIT cannot elide, keeping the written object strongly reachable until
+  // this point. Equivalent to Reference.reachabilityFence(obj) on JDK 9+.
+  @SuppressWarnings("unused")
+  private static volatile Object leaseFenceSink;
+
   private final ByteBufferSerializer.ArenaLease lease;
   private final LeakDetection.PhantomRefWithName<Object> selfRef;
 
@@ -120,6 +126,14 @@ private Waf.ResultWithData run(
 
           result = runWafContext(persistentBuffer, ephemeralBuffer, newLimits, metrics);
         } finally {
+          // Keep lease/ephemeralLease strongly reachable past the ddwaf_run JNI boundary.
+          // The JIT may elide references to this.lease and ephemeralLease after the last
+          // Java-visible use, letting the GC Cleaner free the underlying native memory while
+          // ddwaf_run is still executing (observed on ZGC Generational, JDK 21.0.8+/JDK 25).
+          // Volatile writes are memory barriers the JIT cannot remove. Placed in finally so
+          // they run on both normal and exceptional returns. See: APPSEC-62784
+          leaseFenceSink = this.lease;
+          leaseFenceSink = ephemeralLease;
           if (ephemeralLease != null) {
             ephemeralLease.close();
           }