APM: harden trace-agent against nil entries in malformed payloads#53760
APM: harden trace-agent against nil entries in malformed payloads#53760ajgajg1134 wants to merge 1 commit into
Conversation
Follow-up to #53687. Decoded trace payloads can carry nil pointers (nil spans, span links, span events, and nil span-event attribute values) that reach the processing pipeline and crash the trace-agent on a nil dereference. These arrive from msgpack/JSON decode of v0.1/v0.4/v0.5/v0.7 (pb) and v1.0 (idx) payloads. Fixes across the ingest -> convert -> process -> serialize paths: - ConvertToIdx / traceChunksFromSpans: drop nil chunks, all-nil-span chunks, nil spans, nil links, nil events, and nil attribute values via append instead of leaving nil slots or dereferencing them. - Converted-msgpack decoders (InternalTraceChunk/InternalSpan UnmarshalMsgConverted): drop nil span/link/event entries instead of storing them, keeping the wire buffer aligned. - V0 Process pipeline: stripNilSpans compacts nil spans (and nil link/event entries) at one chokepoint before GetRoot, and discardSpans guards nil. - normalizeTraceChunkV1: compact nil spans in place (was skip-only) so GetRootV1/ReplaceV1/serialization never see a nil span. - obfuscateSpanEvent / replaceAttributeAnyValue: guard nil attribute values. - Receiver first-span lookup: both firstService closures use the nil-safe getFirstSpan/getFirstSpanV1 helpers. Regression tests added at the decoder, converter, endpoint, and Process/ProcessV1 levels; each panics without its fix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 65289cbf71
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| // `[[null]]`) and nil link/event entries. Strip them once here so no | ||
| // downstream consumer (GetRoot, normalization, obfuscation, replacement, | ||
| // top-level computation) has to guard against a nil dereference. | ||
| chunk.Spans = stripNilSpans(chunk.Spans) |
There was a problem hiding this comment.
Skip nil chunks before stripping spans
When convert-traces is disabled, a v0.7/msgpack TracerPayload can still contain a nil chunk: the generated decoder stores nil for nil chunks array elements (pkg/proto/pbgo/trace/tracer_payload_gen.go:469-475). The new nil-safe firstService path lets that payload leave the HTTP handler, but Process then dereferences the chunk here while trying to strip nil spans, so a malformed payload with a nil chunk can panic the worker goroutine instead of being dropped. Guard or remove nil chunks before touching chunk.Spans.
Useful? React with 👍 / 👎.
|
🎯 Code Coverage (details) 🔗 Commit SHA: 65289cb | Docs | Datadog PR Page | Give us feedback! |
Static quality checks✅ Please find below the results from static quality gates Successful checksInfo
|
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: d310d7d Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | quality_gate_logs | % cpu utilization | +1.42 | [+0.45, +2.39] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_idle | memory utilization | +0.55 | [+0.50, +0.60] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_metrics_logs | memory utilization | +0.20 | [-0.05, +0.46] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_security_no_fs_load | memory utilization | +0.05 | [-0.05, +0.14] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.04 | [-0.02, +0.11] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_security_mean_fs_load | memory utilization | +0.02 | [-0.01, +0.06] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_security_idle | memory utilization | -0.44 | [-0.51, -0.37] | 1 | Logs bounds checks dashboard |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | 146.23MiB ≤ 154MiB | bounds checks dashboard |
| ✅ | quality_gate_idle | total_bytes_received | 10/10 | 730.46KiB ≤ 819.20KiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 490.59MiB ≤ 495MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | total_bytes_received | 10/10 | 1.12MiB ≤ 1.25MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 181.04MiB ≤ 195MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_logs | total_bytes_received | 10/10 | 264.16MiB ≤ 292MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 366.81 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 3 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 410.91MiB ≤ 430MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | total_bytes_received | 10/10 | 0.94GiB ≤ 1.04GiB | bounds checks dashboard |
| ✅ | quality_gate_security_idle | cpu_usage | 10/10 | 32.69 ≤ 100 | bounds checks dashboard |
| ✅ | quality_gate_security_idle | memory_usage | 10/10 | 300.01MiB ≤ 330MiB | bounds checks dashboard |
| ✅ | quality_gate_security_mean_fs_load | cpu_usage | 10/10 | 63.36 ≤ 200 | bounds checks dashboard |
| ✅ | quality_gate_security_mean_fs_load | memory_usage | 10/10 | 276.06MiB ≤ 310MiB | bounds checks dashboard |
| ✅ | quality_gate_security_no_fs_load | cpu_usage | 10/10 | 23.69 ≤ 100 | bounds checks dashboard |
| ✅ | quality_gate_security_no_fs_load | memory_usage | 10/10 | 278.86MiB ≤ 320MiB | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
Replicate Execution Details
We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.
Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.
| Experiment | Variant | Replicates | Failure | Logs | Debug Dashboard |
|---|---|---|---|---|---|
| experiment_with_failures | baseline | 0 (x8) 1 (x6) | Oom killed | Debug Dashboard |
The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.
❌ Retried Profiling Replicate Execution Failures (ddprof)
Note: Profiling replicas may still be executing. See the debug dashboard for up to date status.
| Experiment | Variant | Replicates | Failure | Debug Dashboard |
|---|---|---|---|---|
| quality_gate_idle | baseline | 10 | Oom killed | Debug Dashboard |
| quality_gate_idle | comparison | 10 | Oom killed | Debug Dashboard |
| quality_gate_idle_all_features | baseline | 10 | Oom killed | Debug Dashboard |
| quality_gate_idle_all_features | comparison | 10 | Oom killed | Debug Dashboard |
| quality_gate_logs | baseline | 10 | Oom killed | Debug Dashboard |
| quality_gate_logs | comparison | 10 | Oom killed | Debug Dashboard |
| quality_gate_metrics_logs | baseline | 10 | Oom killed | Debug Dashboard |
| quality_gate_metrics_logs | comparison | 10 | Oom killed | Debug Dashboard |
| quality_gate_security_idle | comparison | 10 | Crashed (exit code: 134) | Debug Dashboard |
| quality_gate_security_mean_fs_load | comparison | 10 | Crashed (exit code: 134) | Debug Dashboard |
| quality_gate_security_no_fs_load | baseline | 10 | Crashed (exit code: 134) | Debug Dashboard |
| quality_gate_security_no_fs_load | comparison | 10 | Oom killed | Debug Dashboard |
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_security_no_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_security_no_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
- quality_gate_security_mean_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_security_mean_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_security_idle, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_security_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
What does this PR do?
Follow-up to #53687. Prevents trace-agent crashes when a decoded trace payload contains nil pointers — nil spans, span links, span events, or nil span-event attribute values — which otherwise reach the processing pipeline and panic on a nil dereference.
Fixes span the full ingest → convert → process → serialize path:
ConvertToIdx/traceChunksFromSpans: drop nil chunks, all-nil-span chunks, nil spans, nil links, nil events, and nil attribute values (viaappend) instead of leaving nil slots or dereferencing them.InternalTraceChunk/InternalSpanUnmarshalMsgConverted): drop nil span/link/event entries instead of storing them, keeping the wire buffer aligned.Processpipeline:stripNilSpanscompacts nil spans (and nil link/event entries) at one chokepoint beforeGetRoot;discardSpansguards nil.normalizeTraceChunkV1: compact nil spans in place (was skip-only) soGetRootV1/ReplaceV1/serialization never see a nil span.obfuscateSpanEvent/replaceAttributeAnyValue: guard nil attribute values.firstServiceclosures now use the nil-safegetFirstSpan/getFirstSpanV1helpers.Motivation
While unlikely with well-behaved tracers, malformed msgpack/JSON payloads (e.g. a v0.4 JSON body like
[[null]], or a nil msgpack array element) could crash the trace-agent. Some of these paths run in worker goroutines with norecover, so a single malformed payload could take down the whole agent.Describe how you validated your changes
Added regression tests at the decoder, converter, HTTP endpoint, and
Process/ProcessV1levels — each panics without its corresponding fix. Full suites pass forpkg/trace/agent,pkg/trace/api,pkg/trace/filters, andpkg/proto/pbgo/trace/idx(984 tests, 5 skipped). The changes were reviewed across three independent adversarial review passes.Additional Notes
Fix strategy is "drop nils at the earliest chokepoint" (decode/convert/normalize) so downstream consumers are safe by construction, rather than scattering per-site nil guards.
🤖 Generated with Claude Code