
fix(tracing): use-after-realloc in ddtrace_format_tracestate#3874

Merged

morrisonlevi merged 7 commits into master from codex/spanlink-long-origin-smart-str on May 12, 2026

Conversation

morrisonlevi (Collaborator) commented May 12, 2026

PROF-14628

Description

There is a logic error in ddtrace_format_tracestate that can theoretically result in a stale pointer read caused by a realloc.

I found this by investigating a customer crash which has smart_str_append in the stack. I am not sure it is this one.

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

morrisonlevi changed the title from "Codex/spanlink long origin smart str" to "fix(tracing): use-after-realloc in ddtrace_format_tracestate", May 12, 2026
morrisonlevi marked this pull request as ready for review, May 12, 2026 00:31
morrisonlevi requested a review from a team as a code owner, May 12, 2026 00:31
pr-commenter (bot) commented May 12, 2026

Benchmarks [ tracer ]

Benchmark execution time: 2026-05-12 16:37:41

Comparing candidate commit f880f75 in PR branch codex/spanlink-long-origin-smart-str with baseline commit 09ec639 in branch master.

Found 1 performance improvement and 5 performance regressions. Performance is the same for 188 metrics, 0 unstable metrics.

scenario:EmptyFileBench/benchEmptyFileBaseline

  • 🟥 execution_time [+81.024µs; +341.736µs] or [+2.562%; +10.805%]

scenario:EmptyFileBench/benchEmptyFileBaseline-opcache

  • 🟥 execution_time [+114.634µs; +394.466µs] or [+3.424%; +11.783%]

scenario:PHPRedisBench/benchRedisOverhead-opcache

  • 🟩 execution_time [-50.173µs; -38.890µs] or [-4.781%; -3.706%]

scenario:SamplingRuleMatchingBench/benchRegexMatching1

  • 🟥 execution_time [+52.860ns; +165.940ns] or [+3.528%; +11.075%]

scenario:SamplingRuleMatchingBench/benchRegexMatching2

  • 🟥 execution_time [+35.535ns; +122.065ns] or [+2.408%; +8.271%]

scenario:SamplingRuleMatchingBench/benchRegexMatching3

  • 🟥 execution_time [+32.715ns; +117.885ns] or [+2.175%; +7.838%]

datadog-prod-us1-3 (bot) commented May 12, 2026

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.67% (+0.00%)

Commit SHA: f880f75

bwoebi (Collaborator) left a comment

The extra { indent level is odd, but logic is right.

morrisonlevi (Collaborator, Author) commented May 12, 2026

The extra block scope is to ensure that the temporaries are not used later on, because the whole issue with the bug is the pointer being used after it has been invalidated, so we didn't want their scope to live any longer than necessary.
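The bug class described in the PR description (a pointer into a smart_str going stale when an append reallocates the buffer) and the fix rationale in the comment above (keep the temporaries in a block so they cannot be reused after the next append) are illustrated below in an added, self-contained example. It is not dd-trace-php code and does not reproduce ddtrace_format_tracestate; the `sbuf` buffer is a constructed stand-in for Zend's smart_str, the function names `cached_pointer_goes_stale`, `format_tracestate_fixed` and `fixed_matches` are hypothetical, and the rule that sanitises the origin value is an assumption chosen only to give the post-append code something to do with the pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Zend's smart_str (not the real one): a growable,
 * NUL-terminated heap buffer. Real smart_str grows with erealloc(), which may
 * or may not move the block; this stand-in always moves on growth so the
 * invalidation is deterministic in a test. */
typedef struct {
    char *c;     /* heap buffer */
    size_t len;  /* bytes used, excluding the NUL */
    size_t cap;  /* bytes allocated */
} sbuf;

static void sbuf_reserve(sbuf *b, size_t extra) {
    if (b->len + extra + 1 <= b->cap)
        return;                             /* fits: existing pointers stay valid */
    size_t ncap = b->cap ? b->cap * 2 : 16;
    while (ncap < b->len + extra + 1)
        ncap *= 2;
    char *n = malloc(ncap);
    if (!n)
        abort();
    if (b->c) {
        memcpy(n, b->c, b->len);
        free(b->c);                         /* every old char* into b->c now dangles */
    }
    b->c = n;
    b->cap = ncap;
}

static void sbuf_append(sbuf *b, const char *s, size_t n) {
    sbuf_reserve(b, n);
    memcpy(b->c + b->len, s, n);
    b->len += n;
    b->c[b->len] = '\0';
}

/* The buggy shape: take a char* into the buffer, append (which may grow the
 * buffer), then keep using that char*. The stale pointer is never dereferenced
 * here; its address is compared as an integer against where the origin really
 * lives after the append. Returns 1 if the cached pointer went stale. */
int cached_pointer_goes_stale(const char *origin) {
    sbuf b = {0};
    sbuf_append(&b, "dd=s:1;o:", 9);
    uintptr_t cached = (uintptr_t)(b.c + b.len);    /* "the origin starts here" */
    sbuf_append(&b, origin, strlen(origin));        /* may move b.c */
    uintptr_t actual = (uintptr_t)(b.c + b.len - strlen(origin));
    free(b.c);
    return cached != actual;
}

/* The fixed shape: carry an offset, not a pointer, across the append, and
 * rederive the pointer inside a block so it cannot outlive the next append.
 * The sanitising rule (',', ';', '=', '~' in the origin become '_') is an
 * assumption for illustration, not the PR's logic. Caller frees the result. */
char *format_tracestate_fixed(const char *origin) {
    sbuf b = {0};
    sbuf_append(&b, "dd=s:1;o:", 9);
    size_t origin_off = b.len;                      /* an offset survives any move */
    sbuf_append(&b, origin, strlen(origin));
    {
        /* Temporaries live only in this block; after it, b.c may move again. */
        char *p = b.c + origin_off;
        char *end = b.c + b.len;
        for (; p < end; p++)
            if (*p == ',' || *p == ';' || *p == '=' || *p == '~')
                *p = '_';
    }
    sbuf_append(&b, ";t.dm:-1", 8);                 /* another possible move */
    return b.c;
}

/* Test helper: format, compare against the expected string, free. */
int fixed_matches(const char *origin, const char *expected) {
    char *ts = format_tracestate_fixed(origin);
    int ok = strcmp(ts, expected) == 0;
    free(ts);
    return ok;
}

int main(void) {
    const char *origin = "a-long-origin-value-that-forces-a-grow";
    printf("cached pointer stale after append: %d\n", cached_pointer_goes_stale(origin));
    char *ts = format_tracestate_fixed("my,origin=1");
    printf("%s\n", ts);
    free(ts);
    return 0;
}
```

With a short origin the append fits in the existing allocation and the cached pointer happens to stay valid; with a long one the buffer moves and the pointer dangles. That is why a bug of this shape surfaces as an intermittent customer crash under a real allocator, where realloc often extends in place, and why a regression test should force the move rather than hope for it. The discipline the fix follows is the general one for smart_str: anything derived from the buffer's data pointer before a smart_str_append* call is recomputed from an offset after it, and is not kept in a variable that outlives the next append.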

morrisonlevi merged commit ccfa154 into master, May 12, 2026
2112 of 2122 checks passed
morrisonlevi deleted the codex/spanlink-long-origin-smart-str branch, May 12, 2026 16:51
github-actions (bot) added this to the 1.20.0 milestone, May 12, 2026