A "Performance Improvement" PR Introduced 11 Block-Level Risks - GauntletCI Found Them in 660ms

Jellyfin PR #16062 was massive: 126 files, +27,810 lines. It was reviewed, approved, and merged. Then users reported slow queries and hangs. GauntletCI found 129 findings in 660ms — 11 were block-level.

Eric Cogen, Founder, GauntletCI · 3 min read

Key Takeaways

  • A single "performance" PR introduced 129 behavioral risks
  • 11 were block-level (should have prevented merge)
  • Major categories: concurrency issues, N+1 queries, service locator anti-patterns, unsafe null handling, and more
  • All of them escaped human review and existing tests
  • Analysis completed in 660ms on a very large diff — no full build required
  • This is exactly the kind of change that looks safe but breaks in production

What GauntletCI Is

GauntletCI is a diff-first Behavioral Change Risk detector for .NET. It does not run tests. It does not compile code. It does not use a language model to evaluate your changes. It runs a set of deterministic rules against the diff and produces findings that are reproducible every time.

The same diff produces the same findings. Always.

It answers one question: did this change introduce behavior that is not properly validated? Learn more about diff-based analysis and behavioral change risk assessment.

What GauntletCI Found

GCI0016 (Block) · Concurrency and State Risk · 5 findings

Five deadlock candidates: blocking calls on async operations (.Wait() and .GetAwaiter().GetResult()).

Impact: In ASP.NET Core, blocking on async can cause deadlock via synchronization context starvation. The request hangs with no exception or log entry.
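
The two blocking shapes GCI0016 flags, beside the non-blocking form, as an added C# example that is not code from the Jellyfin PR or from GauntletCI. ILibraryRepository, LibraryController and FakeRepository are hypothetical names, and the repository is a constructed stand-in for a database call.

```csharp
using System;
using System.Threading.Tasks;

// Hypothetical repository abstraction; the real Jellyfin types are not used here.
public interface ILibraryRepository
{
    Task<int> CountItemsAsync();
}

public sealed class LibraryController
{
    private readonly ILibraryRepository _repo;

    public LibraryController(ILibraryRepository repo) => _repo = repo;

    // Flagged pattern 1: .Wait() on a Task, then .Result.
    // Under a single-threaded SynchronizationContext (classic ASP.NET, WPF,
    // WinForms) the continuation of CountItemsAsync needs the very thread
    // that is blocked here, so the request hangs: no exception, no log line.
    // ASP.NET Core has no such context; there the call instead pins a thread
    // pool thread for the whole query and under load starves the pool, which
    // also surfaces as hanging requests.
    public int CountBlockingWait()
    {
        Task<int> task = _repo.CountItemsAsync();
        task.Wait();
        return task.Result;
    }

    // Flagged pattern 2: .GetAwaiter().GetResult(). Same blocking shape; the
    // only difference from .Result is that exceptions are not wrapped in an
    // AggregateException.
    public int CountBlockingGetResult()
    {
        return _repo.CountItemsAsync().GetAwaiter().GetResult();
    }

    // Fix: keep the chain asynchronous end to end and await the task. No
    // thread is held while the query runs, so nothing can wait on itself.
    public async Task<int> CountAsync()
    {
        return await _repo.CountItemsAsync().ConfigureAwait(false);
    }
}

// Constructed stand-in for a database call, simulating a little I/O latency.
internal sealed class FakeRepository : ILibraryRepository
{
    public async Task<int> CountItemsAsync()
    {
        await Task.Delay(10).ConfigureAwait(false);
        return 42;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var controller = new LibraryController(new FakeRepository());
        Console.WriteLine(await controller.CountAsync());
    }
}
```

The fix is rarely local: once one caller awaits, every caller up the stack has to become async as well, which is why a rule that flags the blocking call in the diff is more useful than one that only looks at the method being edited.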

GCI0012 (Block) · Security Risk · 3 findings

Three dangerous API usages: Reflection and Activator.CreateInstance bypassing the DI container.

Impact: Reflection instantiation bypasses dependency injection, access controls, validation, and lifecycle management. In a media server handling authentication and content access, this is a real security concern.

GCI0044 (Warn) · Performance Hotpath Risk · 28 findings

Twenty-eight N+1 query patterns: LINQ queries executing inside loops.

Impact: For a media library with tens of thousands of items, the difference between milliseconds and minutes. The PR was titled 'Query Performance Improvements.'
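
What an N+1 loop costs, and the batched form that replaces it, as an added C# example that is not code from the Jellyfin PR or from GauntletCI. Item, FakeTable and ChildCounts are hypothetical names; FakeTable is a constructed in-memory stand-in that counts round trips, because the number of queries, not the in-memory work, is what the finding is about.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical row type; the real Jellyfin entities are not used here.
public sealed record Item(int Id, int ParentId, string Name);

// Constructed stand-in for a database table: every Query call counts as one
// round trip, which is the cost that N+1 multiplies.
public sealed class FakeTable
{
    private readonly List<Item> _rows;
    public int QueriesExecuted { get; private set; }

    public FakeTable(IEnumerable<Item> rows) => _rows = rows.ToList();

    public List<Item> Query(Func<Item, bool> predicate)
    {
        QueriesExecuted++;
        return _rows.Where(predicate).ToList();
    }
}

public static class ChildCounts
{
    // Flagged pattern (GCI0044): a query per parent inside the loop.
    // N parents means N round trips on top of whatever fetched the parents.
    public static Dictionary<int, int> NPlusOne(FakeTable table, IReadOnlyCollection<int> parentIds)
    {
        var counts = new Dictionary<int, int>();
        foreach (var parentId in parentIds)
        {
            counts[parentId] = table.Query(i => i.ParentId == parentId).Count;
        }
        return counts;
    }

    // Fix: one query for the whole set of parents, grouped in memory.
    // With EF Core a Contains call on a collection translates to a single
    // WHERE ... IN (...) predicate.
    public static Dictionary<int, int> Batched(FakeTable table, IReadOnlyCollection<int> parentIds)
    {
        var wanted = new HashSet<int>(parentIds);
        var counts = table.Query(i => wanted.Contains(i.ParentId))
                          .GroupBy(i => i.ParentId)
                          .ToDictionary(g => g.Key, g => g.Count());
        foreach (var id in parentIds)
        {
            counts.TryAdd(id, 0); // parents with no children still get an entry
        }
        return counts;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed data: 1,000 parent folders with three children each.
        var rows = new List<Item>();
        for (var parent = 1; parent <= 1000; parent++)
        {
            for (var child = 0; child < 3; child++)
            {
                rows.Add(new Item(parent * 10 + child, parent, $"item-{parent}-{child}"));
            }
        }
        var parentIds = Enumerable.Range(1, 1000).ToList();

        var slow = new FakeTable(rows);
        var slowCounts = ChildCounts.NPlusOne(slow, parentIds);
        Console.WriteLine($"N+1:     {slow.QueriesExecuted} queries, {slowCounts.Count} parents counted");

        var fast = new FakeTable(rows);
        var fastCounts = ChildCounts.Batched(fast, parentIds);
        Console.WriteLine($"Batched: {fast.QueriesExecuted} query, {fastCounts.Count} parents counted");
    }
}
```

Both methods return the same dictionary; the only observable difference is QueriesExecuted, which is exactly what a unit test over an in-memory collection never sees and a production database does.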

GCI0038 (Warn) · Dependency Injection Safety · 45 findings

Forty-five service locator anti-patterns: reaching into the DI container instead of declaring dependencies.

Impact: Service locator code is harder to test, harder to reason about, and creates hidden coupling. The most common architectural regression in growing .NET codebases.
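
One added C# example covering both DI findings above: the Activator.CreateInstance path that GCI0012 flags and the service locator shape that GCI0038 flags, each beside constructor injection. This is not code from the Jellyfin PR or from GauntletCI; IAuthorizationChecker, ItemReader, ReflectionFactory and LocatorItemService are hypothetical names, and the example assumes the Microsoft.Extensions.DependencyInjection package.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical types; nothing here is Jellyfin's code.
public interface IAuthorizationChecker
{
    bool CanView(string userId, int itemId);
}

// The registered implementation is configured at startup (here: which user
// is the administrator). A hand-built copy does not see that configuration.
public sealed class AuthorizationChecker : IAuthorizationChecker
{
    private readonly string _adminUser;
    public AuthorizationChecker(string adminUser) => _adminUser = adminUser;
    public bool CanView(string userId, int itemId) => userId == _adminUser;
}

// Correct shape: the dependency is declared in the constructor.
public sealed class ItemReader
{
    private readonly IAuthorizationChecker _auth;
    public ItemReader(IAuthorizationChecker auth) => _auth = auth;

    public string Read(string userId, int itemId) =>
        _auth.CanView(userId, itemId)
            ? $"item {itemId}"
            : throw new UnauthorizedAccessException($"{userId} may not view item {itemId}");
}

// Flagged pattern (GCI0012): Activator.CreateInstance. The container never
// sees this object; its dependencies are whatever the caller guesses, so the
// configured checker is silently replaced by one with a hard-coded policy.
public static class ReflectionFactory
{
    public static ItemReader Create(Type readerType) =>
        (ItemReader)Activator.CreateInstance(readerType, new AuthorizationChecker("admin"))!;
}

// Flagged pattern (GCI0038): service locator. The dependency exists, but it is
// hidden in the method body instead of the constructor signature, so tests
// and reviewers cannot see what this class needs.
public sealed class LocatorItemService
{
    private readonly IServiceProvider _services;
    public LocatorItemService(IServiceProvider services) => _services = services;

    public string Read(string userId, int itemId)
    {
        var auth = _services.GetRequiredService<IAuthorizationChecker>();
        return auth.CanView(userId, itemId)
            ? $"item {itemId}"
            : throw new UnauthorizedAccessException($"{userId} may not view item {itemId}");
    }
}

public static class Program
{
    public static void Main()
    {
        var services = new ServiceCollection();
        // "alice" stands in for a value read from configuration at startup.
        services.AddSingleton<IAuthorizationChecker>(new AuthorizationChecker("alice"));
        services.AddTransient<ItemReader>();
        using var provider = services.BuildServiceProvider();

        // Container-built: honours the configured policy.
        var injected = provider.GetRequiredService<ItemReader>();
        Console.WriteLine(injected.Read("alice", 1));

        // Where the concrete type is only known at runtime, ActivatorUtilities
        // still resolves constructor arguments from the container.
        var viaActivatorUtilities = (ItemReader)ActivatorUtilities.CreateInstance(provider, typeof(ItemReader));
        Console.WriteLine(viaActivatorUtilities.Read("alice", 2));

        // Reflection-built: the configured policy is gone. A hard-coded name
        // is accepted and the user that configuration names is refused.
        var reflected = ReflectionFactory.Create(typeof(ItemReader));
        Console.WriteLine(reflected.Read("admin", 3));
        try { reflected.Read("alice", 4); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine($"reflection path: {ex.Message}"); }
    }
}
```

ActivatorUtilities.CreateInstance is the container-aware replacement for the reflection path when a type really is only known at runtime; for everything else, constructor injection turns both hidden dependencies into a signature a reviewer can read.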

GCI0043 (Warn) · Nullability and Type Safety · 15 findings

Fifteen as-cast operations without null checks.

Impact: obj as SomeType returns null on failure, not an exception. Using the result without checking causes NullReferenceException at runtime with no useful context.

GCI0006 (Warn) · Edge Case Handling · 13 findings

Thirteen .Value accesses on nullable types without preceding null checks.

Impact: Explicit dereference of nullable values without verification. Runtime crashes in edge cases that tests did not cover.
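
One added C# example covering both nullability findings above: the unchecked as-cast that GCI0043 flags and the unchecked .Value access that GCI0006 flags, beside the pattern-matched form. This is not code from the Jellyfin PR or from GauntletCI; BaseItem, Video, Audio and RuntimeReport are hypothetical names, and the three sample items are constructed to hit each failure mode.

```csharp
using System;

// Hypothetical item hierarchy; the real Jellyfin BaseItem is not used here.
public abstract class BaseItem
{
    public string Name { get; init; } = "";
}

public sealed class Video : BaseItem
{
    public long? RunTimeTicks { get; init; }   // unknown until the file is probed
}

public sealed class Audio : BaseItem
{
}

public static class RuntimeReport
{
    // Flagged pattern (GCI0043): 'as' returns null when the cast fails, and the
    // failure is only seen later as a NullReferenceException that says nothing
    // about which cast was wrong.
    // Flagged pattern (GCI0006): .Value on a nullable without checking HasValue
    // throws InvalidOperationException ("Nullable object must have a value").
    public static long MinutesUnsafe(BaseItem item)
    {
        var video = item as Video;                          // null for Audio
        return video.RunTimeTicks.Value / TimeSpan.TicksPerMinute;
    }

    // Fix: pattern matching makes both the type test and the null test explicit,
    // and the caller gets a null result instead of a crash for items that have
    // no runtime to report.
    public static long? MinutesSafe(BaseItem item)
    {
        if (item is not Video video)
        {
            return null;                                    // not a video
        }
        if (video.RunTimeTicks is not long ticks)
        {
            return null;                                    // video not yet probed
        }
        return ticks / TimeSpan.TicksPerMinute;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed items covering the three cases.
        BaseItem[] items =
        {
            new Video { Name = "probed", RunTimeTicks = 90 * TimeSpan.TicksPerMinute },
            new Video { Name = "unprobed" },
            new Audio { Name = "song" },
        };

        foreach (var item in items)
        {
            try
            {
                Console.WriteLine($"{item.Name}: unsafe -> {RuntimeReport.MinutesUnsafe(item)}");
            }
            catch (Exception ex) when (ex is NullReferenceException || ex is InvalidOperationException)
            {
                Console.WriteLine($"{item.Name}: unsafe -> {ex.GetType().Name}");
            }
            Console.WriteLine($"{item.Name}: safe   -> {RuntimeReport.MinutesSafe(item)?.ToString() ?? "n/a"}");
        }
    }
}
```

The "probed" video is the only input the unsafe method survives, which is also the only input a happy-path test is likely to construct; the other two are the edge cases the finding is about.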

Why These Issues Slipped Through

This PR is a textbook example of why traditional tools and processes often miss behavioral regressions:

  • Code review focuses on intent ("this should be faster") and local correctness. Reviewers rarely trace every downstream impact across 126 files.
  • Tests only validate the paths the team remembered to write or update.
  • Traditional static analysis excels at style, security, and code smells - but doesn't deeply analyze behavioral deltas in the diff.
  • Performance work is especially dangerous because it often involves broad refactors that touch many implicit contracts.

GauntletCI doesn't replace your existing tools. It adds the missing layer: diff-scoped behavioral risk detection.

What This Means for Your Team

Jellyfin is a mature, well-maintained open-source project with experienced contributors — yet this kind of subtle behavioral regression still made it through.

This is not a failure of the Jellyfin team. It's the natural limitation of current development practices.

Most .NET teams ship code under pressure: tight deadlines, large PRs, context-switching reviewers, and growing codebases full of implicit contracts.

GauntletCI answers the critical question:

"What actual runtime behavior just changed, and what could break as a result?"

Teams using GauntletCI typically see:

  • Fewer "it worked in testing" surprises
  • Faster, higher-confidence code reviews
  • Reduced emergency fixes and on-call incidents
  • Better long-term architecture discipline

Ready to Add This Safety Net?

dotnet tool install -g GauntletCI
gauntletci analyze --staged

  • Works locally in seconds on typical staged diffs
  • By default, no code leaves your machine
  • Free for personal and internal use
  • Pro/Teams plans for advanced team features

One More Thing

If you work on or contribute to Jellyfin: this analysis was performed against the public diff of PR #16062 as an independent validation exercise. The findings are documented and reproducible. The diff is public. Anyone can verify them.

The intent is not to criticize the Jellyfin team. A PR of this size and complexity, touching core data access paths across 126 files, is exactly the kind of change where this class of issue is hardest to catch in review. That is the point.

About the author

Eric Cogen -- Founder, GauntletCI

Eric Cogen is a senior .NET engineer with twenty years in production. He has shipped payments systems, internal platforms, and critical line-of-business applications — the kind where a 2 a.m. alert wasn't an emergency, it was a regular Tuesday. GauntletCI is the pre-commit checklist he wishes he had run before every commit.