hardening + docs

Author: niesfisch

README.md

@@ -14,6 +14,8 @@ If you work in a legacy app and ask things like "Can we remove this?" or "Is thi
 - [Java Version](#java-version)
 - [Build](#build)
 - [Configure](#configure)
+- [Class Include/Exclude Patterns](#class-includeexclude-patterns)
+- [Hard-Skipped Packages (Non-Overridable)](#hard-skipped-packages-non-overridable)
 - [Run an Application with JCT](#run-an-application-with-jct)
 - [Available Processors](#available-processors)
 - [Stack Volume Control (All vs New Stacks)](#stack-volume-control-all-vs-new-stacks)
@@ -128,6 +130,78 @@ Notes:
 - Default config is loaded from `src/main/resources/META-INF/config.yaml`
 - If `-Djct.config=...` is set, custom config is merged with default config
 
+## Class Include/Exclude Patterns
+
+JCT uses Java regex patterns to decide which classes are instrumented.
+
+Config keys:
+
+- `classes.included`: allow list (what JCT may instrument)
+- `classes.excluded`: deny list (what JCT must never instrument)
+
+How matching works:
+
+1. JCT normalizes class names to dot notation for regex matching (example: `de.marcelsauer.sample.ClassA`).
+2. `excluded` is checked first. If any exclude pattern matches, the class is skipped.
+3. If not excluded, `included` is checked. If any include pattern matches, the class is instrumented.
+4. If no include pattern matches, the class is skipped.
+
+Pattern behavior:
+
+- Patterns are standard Java regex (`String.matches`), so anchors like `^` and `$` are recommended.
+- Include patterns are ORed together (`match any include`).
+- Exclude patterns are ORed together (`match any exclude`).
+- Exclude wins over include when both match the same class.
+
+Example:
+
+```yaml
+classes:
+  included:
+    - ^de.marcelsauer.*
+    - ^com.example.legacy.*
+  excluded:
+    - ^de.marcelsauer.generated.*
+    - ^com.example.legacy.internal.*
+```
+
+In this example:
+
+- `de.marcelsauer.service.OrderService` -> instrumented (included, not excluded)
+- `de.marcelsauer.generated.DtoMapper` -> skipped (excluded wins)
+- `org.springframework.context.ApplicationContext` -> skipped (not included)
+
+Practical tips:
+
+- Start narrow (one business package), then widen once you trust the output volume.
+- Always exclude generated/proxy-heavy areas you do not need.
+- Keep regex explicit; broad patterns like `.*` can produce large event volumes.
+
+## Hard-Skipped Packages (Non-Overridable)
+
+JCT has a built-in safety list of package prefixes that are never instrumented, even if your include regex would match them.
+This prevents self-instrumentation and reduces crash risk in JVM/logging/bytecode internals.
+
+Current hard-skipped prefixes (JVM slash notation):
+
+- `de/marcelsauer/profiler/`
+- `java/`
+- `javax/`
+- `jdk/`
+- `sun/`
+- `com/sun/`
+- `org/slf4j/`
+- `ch/qos/logback/`
+- `org/apache/log4j/`
+- `org/apache/logging/log4j/`
+- `javassist/`
+- `net/bytebuddy/`
+- `org/objectweb/asm/`
+- `cglib/`
+- `org/springframework/cglib/`
+
+Source of truth: `de.marcelsauer.profiler.transformer.Transformer` (`HARD_SKIPPED_PREFIXES`).
+
 ## Run an Application with JCT
 
 ```bash

src/main/java/de/marcelsauer/profiler/transformer/Transformer.java

@@ -9,44 +9,145 @@
 import java.lang.instrument.ClassFileTransformer;
 import java.lang.instrument.IllegalClassFormatException;
 import java.security.ProtectionDomain;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
 
 /**
  * @author msauer
  */
 public class Transformer implements ClassFileTransformer {
 
     private static final Logger logger = Logger.getLogger(Transformer.class);
+    private static final String[] HARD_SKIPPED_PREFIXES = new String[]{
+        "de/marcelsauer/profiler/",
+        "java/",
+        "javax/",
+        "jdk/",
+        "sun/",
+        "com/sun/",
+        "org/slf4j/",
+        "ch/qos/logback/",
+        "org/apache/log4j/",
+        "org/apache/logging/log4j/",
+        "javassist/",
+        "net/bytebuddy/",
+        "org/objectweb/asm/",
+        "cglib/",
+        "org/springframework/cglib/"
+    };
+    private static final int DEFAULT_TRANSFORM_FAILURE_THRESHOLD = 50;
+    private static final long DEFAULT_TRANSFORM_FAILURE_WINDOW_MILLIS = 30_000L;
+    private static final long DEFAULT_TRANSFORM_CIRCUIT_OPEN_MILLIS = 60_000L;
+
     private final CombinedFilter combinedFilter;
+    private final Set<String> permanentlySkippedClasses = ConcurrentHashMap.newKeySet();
+    private final Object transformCircuitLock = new Object();
+    private final int transformFailureThreshold;
+    private final long transformFailureWindowMillis;
+    private final long transformCircuitOpenMillis;
+
+    private long transformFailureWindowStartMillis;
+    private int transformFailuresInWindow;
+    private long transformCircuitOpenUntilMillis;
 
     Instrumenter instrumenter;
 
     public Transformer(Config config) {
+        this(config,
+            DEFAULT_TRANSFORM_FAILURE_THRESHOLD,
+            DEFAULT_TRANSFORM_FAILURE_WINDOW_MILLIS,
+            DEFAULT_TRANSFORM_CIRCUIT_OPEN_MILLIS);
+    }
+
+    Transformer(Config config, int transformFailureThreshold, long transformFailureWindowMillis, long transformCircuitOpenMillis) {
         this.instrumenter = new Instrumenter(new DefaultInstrumentationCallback());
         this.combinedFilter = new CombinedFilter(config);
+        this.transformFailureThreshold = Math.max(1, transformFailureThreshold);
+        this.transformFailureWindowMillis = Math.max(1_000L, transformFailureWindowMillis);
+        this.transformCircuitOpenMillis = Math.max(1_000L, transformCircuitOpenMillis);
         logger.debug("using transformer: " + Transformer.class.getName());
     }
 
     public byte[] transform(ClassLoader loader, String className, Class klass, ProtectionDomain domain, byte[] byteCode) throws IllegalClassFormatException {
         try {
-            if (loader == null) {
+            if (loader == null || className == null) {
                 logger.debug(String.format("[skipping bootstrap class] '%s'.", className));
                 return byteCode;
             }
 
+            if (isHardSkipped(className) || permanentlySkippedClasses.contains(className)) {
+                return byteCode;
+            }
+
+            if (isTransformCircuitOpen()) {
+                return byteCode;
+            }
+
             boolean shouldBeInstrumented = combinedFilter.matches(className);
-            if (shouldBeInstrumented) {
-                logger.debug(String.format("[instrumenting] '%s'.", className));
-                byte[] transformed = this.instrumenter.instrument(className, loader);
-                // null means "skip transformation" per ClassFileTransformer contract
-                return transformed != null ? transformed : byteCode;
+            if (!shouldBeInstrumented) {
+                return byteCode;
             }
-            return byteCode;
+
+            logger.debug(String.format("[instrumenting] '%s'.", className));
+            byte[] transformed = this.instrumenter.instrument(className, loader);
+            // null means "skip transformation" per ClassFileTransformer contract
+            return transformed != null ? transformed : byteCode;
         } catch (Throwable t) {
+            if (className != null) {
+                permanentlySkippedClasses.add(className);
+            }
+            registerTransformFailure(className, t);
             // Never let any exception escape the transformer — the JVM JPLIS layer
             // turns uncaught throwables into the ugly "!errorOutstanding" native assertion.
             logger.warn(String.format("transform failed for '%s', returning original bytecode: %s", className, t.getMessage()));
             return byteCode;
         }
     }
 
+    private boolean isHardSkipped(String className) {
+        for (String hardSkippedPrefix : HARD_SKIPPED_PREFIXES) {
+            if (className.startsWith(hardSkippedPrefix)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    protected long currentTimeMillis() {
+        return System.currentTimeMillis();
+    }
+
+    private boolean isTransformCircuitOpen() {
+        synchronized (transformCircuitLock) {
+            return currentTimeMillis() < transformCircuitOpenUntilMillis;
+        }
+    }
+
+    private void registerTransformFailure(String className, Throwable throwable) {
+        synchronized (transformCircuitLock) {
+            long now = currentTimeMillis();
+
+            if (transformFailureWindowStartMillis == 0L
+                || (now - transformFailureWindowStartMillis) > transformFailureWindowMillis) {
+                transformFailureWindowStartMillis = now;
+                transformFailuresInWindow = 0;
+            }
+
+            transformFailuresInWindow++;
+
+            if (transformFailuresInWindow >= transformFailureThreshold) {
+                transformCircuitOpenUntilMillis = now + transformCircuitOpenMillis;
+                logger.warn(String.format(
+                    "transform circuit opened for %dms after %d failures in %dms window. latest class='%s', cause='%s'",
+                    transformCircuitOpenMillis,
+                    transformFailuresInWindow,
+                    transformFailureWindowMillis,
+                    className,
+                    throwable == null ? "n/a" : throwable.getClass().getSimpleName()));
+                transformFailureWindowStartMillis = now;
+                transformFailuresInWindow = 0;
+            }
+        }
+    }
+
 }