Skip to content

APM: harden trace-agent against nil entries in malformed payloads#53760

Draft
ajgajg1134 wants to merge 1 commit into
mainfrom
andrew.glaude/moreBugProtection
Draft

APM: harden trace-agent against nil entries in malformed payloads#53760
ajgajg1134 wants to merge 1 commit into
mainfrom
andrew.glaude/moreBugProtection

Conversation

@ajgajg1134

Copy link
Copy Markdown
Contributor

What does this PR do?

Follow-up to #53687. Prevents trace-agent crashes when a decoded trace payload contains nil pointers — nil spans, span links, span events, or nil span-event attribute values — which otherwise reach the processing pipeline and panic on a nil dereference.

Fixes span the full ingest → convert → process → serialize path:

  • ConvertToIdx / traceChunksFromSpans: drop nil chunks, all-nil-span chunks, nil spans, nil links, nil events, and nil attribute values (via append) instead of leaving nil slots or dereferencing them.
  • Converted-msgpack decoders (InternalTraceChunk/InternalSpan UnmarshalMsgConverted): drop nil span/link/event entries instead of storing them, keeping the wire buffer aligned.
  • V0 Process pipeline: stripNilSpans compacts nil spans (and nil link/event entries) at one chokepoint before GetRoot; discardSpans guards nil.
  • normalizeTraceChunkV1: compact nil spans in place (was skip-only) so GetRootV1/ReplaceV1/serialization never see a nil span.
  • obfuscateSpanEvent / replaceAttributeAnyValue: guard nil attribute values.
  • Receiver first-span lookup: both firstService closures now use the nil-safe getFirstSpan/getFirstSpanV1 helpers.

Motivation

While unlikely with well-behaved tracers, malformed msgpack/JSON payloads (e.g. a v0.4 JSON body like [[null]], or a nil msgpack array element) could crash the trace-agent. Some of these paths run in worker goroutines with no recover, so a single malformed payload could take down the whole agent.

Describe how you validated your changes

Added regression tests at the decoder, converter, HTTP endpoint, and Process/ProcessV1 levels — each panics without its corresponding fix. Full suites pass for pkg/trace/agent, pkg/trace/api, pkg/trace/filters, and pkg/proto/pbgo/trace/idx (984 tests, 5 skipped). The changes were reviewed across three independent adversarial review passes.

Additional Notes

Fix strategy is "drop nils at the earliest chokepoint" (decode/convert/normalize) so downstream consumers are safe by construction, rather than scattering per-site nil guards.

🤖 Generated with Claude Code

Follow-up to #53687. Decoded trace payloads can carry nil pointers (nil
spans, span links, span events, and nil span-event attribute values) that
reach the processing pipeline and crash the trace-agent on a nil
dereference. These arrive from msgpack/JSON decode of v0.1/v0.4/v0.5/v0.7
(pb) and v1.0 (idx) payloads.

Fixes across the ingest -> convert -> process -> serialize paths:

- ConvertToIdx / traceChunksFromSpans: drop nil chunks, all-nil-span
  chunks, nil spans, nil links, nil events, and nil attribute values via
  append instead of leaving nil slots or dereferencing them.
- Converted-msgpack decoders (InternalTraceChunk/InternalSpan
  UnmarshalMsgConverted): drop nil span/link/event entries instead of
  storing them, keeping the wire buffer aligned.
- V0 Process pipeline: stripNilSpans compacts nil spans (and nil
  link/event entries) at one chokepoint before GetRoot, and discardSpans
  guards nil.
- normalizeTraceChunkV1: compact nil spans in place (was skip-only) so
  GetRootV1/ReplaceV1/serialization never see a nil span.
- obfuscateSpanEvent / replaceAttributeAnyValue: guard nil attribute
  values.
- Receiver first-span lookup: both firstService closures use the
  nil-safe getFirstSpan/getFirstSpanV1 helpers.

Regression tests added at the decoder, converter, endpoint, and
Process/ProcessV1 levels; each panics without its fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

@codex review

@dd-octo-sts dd-octo-sts Bot added internal Identify a non-fork PR team/agent-apm trace-agent labels Jul 16, 2026
@github-actions github-actions Bot added the long review PR is complex, plan time to review it label Jul 16, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 65289cbf71

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pkg/trace/agent/agent.go
// `[[null]]`) and nil link/event entries. Strip them once here so no
// downstream consumer (GetRoot, normalization, obfuscation, replacement,
// top-level computation) has to guard against a nil dereference.
chunk.Spans = stripNilSpans(chunk.Spans)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Skip nil chunks before stripping spans

When convert-traces is disabled, a v0.7/msgpack TracerPayload can still contain a nil chunk: the generated decoder stores nil for nil chunks array elements (pkg/proto/pbgo/trace/tracer_payload_gen.go:469-475). The new nil-safe firstService path lets that payload leave the HTTP handler, but Process then dereferences the chunk here while trying to strip nil spans, so a malformed payload with a nil chunk can panic the worker goroutine instead of being dropped. Guard or remove nil chunks before touching chunk.Spans.

Useful? React with 👍 / 👎.

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

🎯 Code Coverage (details)
Patch Coverage: 84.87%
Overall Coverage: 54.14% (+2.39%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 65289cb | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor b94c61d
📊 Static Quality Gates Dashboard
🔗 SQG Job
SOME SIZE DELTAS ARE N/A (ANCESTOR METRICS NOT YET AVAILABLE). RETRY JOB

Successful checks

Info

Quality gate Change Size (prev → curr → max)
agent_deb_amd64 N/A N/A → 749.826 → 758.200
agent_deb_amd64_fips N/A N/A → 704.684 → 709.840
agent_heroku_amd64 N/A N/A → 307.701 → 315.230
agent_rpm_amd64 N/A N/A → 749.809 → 758.170
agent_rpm_amd64_fips N/A N/A → 704.667 → 709.840
agent_rpm_arm64 N/A N/A → 726.443 → 729.660
agent_rpm_arm64_fips N/A N/A → 684.994 → 688.860
agent_suse_amd64 N/A N/A → 749.809 → 758.170
agent_suse_amd64_fips N/A N/A → 704.667 → 709.840
agent_suse_arm64 N/A N/A → 726.443 → 729.660
agent_suse_arm64_fips N/A N/A → 684.994 → 688.860
docker_agent_amd64 N/A N/A → 808.532 → 813.790
docker_agent_arm64 N/A N/A → 810.171 → 815.030
docker_agent_jmx_amd64 N/A N/A → 999.430 → 1004.550
docker_agent_jmx_arm64 N/A N/A → 989.721 → 994.710
docker_cluster_agent_amd64 N/A N/A → 209.881 → 210.470
docker_cluster_agent_arm64 N/A N/A → 222.952 → 222.980
docker_cws_instrumentation_amd64 N/A N/A → 7.447 → 7.480
docker_cws_instrumentation_arm64 N/A N/A → 6.877 → 7.110
docker_dogstatsd_amd64 N/A N/A → 39.216 → 39.910
docker_dogstatsd_arm64 N/A N/A → 37.367 → 38.270
docker_host_profiler_amd64 N/A N/A → 303.107 → 317.640
docker_host_profiler_arm64 N/A N/A → 314.594 → 328.900
dogstatsd_deb_amd64 N/A N/A → 29.955 → 31.150
dogstatsd_deb_arm64 N/A N/A → 27.994 → 29.530
dogstatsd_rpm_amd64 N/A N/A → 29.955 → 31.150
dogstatsd_suse_amd64 N/A N/A → 29.955 → 31.150
iot_agent_deb_amd64 N/A N/A → 46.194 → 46.380
iot_agent_deb_arm64 N/A N/A → 42.882 → 43.720
iot_agent_deb_armhf N/A N/A → 43.647 → 43.960
iot_agent_rpm_amd64 N/A N/A → 46.195 → 46.380
iot_agent_suse_amd64 N/A N/A → 46.194 → 46.380

@cit-pr-commenter-54b7da

Copy link
Copy Markdown

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 4365ec4d-2120-42ed-b021-8e91fa3edb74

Baseline: d310d7d
Comparison: 65289cb
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
quality_gate_logs % cpu utilization +1.42 [+0.45, +2.39] 1 Logs bounds checks dashboard
quality_gate_idle memory utilization +0.55 [+0.50, +0.60] 1 Logs bounds checks dashboard
quality_gate_metrics_logs memory utilization +0.20 [-0.05, +0.46] 1 Logs bounds checks dashboard
quality_gate_security_no_fs_load memory utilization +0.05 [-0.05, +0.14] 1 Logs bounds checks dashboard
quality_gate_idle_all_features memory utilization +0.04 [-0.02, +0.11] 1 Logs bounds checks dashboard
quality_gate_security_mean_fs_load memory utilization +0.02 [-0.01, +0.06] 1 Logs bounds checks dashboard
quality_gate_security_idle memory utilization -0.44 [-0.51, -0.37] 1 Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed observed_value links
quality_gate_idle intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle memory_usage 10/10 146.23MiB ≤ 154MiB bounds checks dashboard
quality_gate_idle total_bytes_received 10/10 730.46KiB ≤ 819.20KiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 490.59MiB ≤ 495MiB bounds checks dashboard
quality_gate_idle_all_features total_bytes_received 10/10 1.12MiB ≤ 1.25MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 181.04MiB ≤ 195MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_logs total_bytes_received 10/10 264.16MiB ≤ 292MiB bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 366.81 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 3 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 410.91MiB ≤ 430MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs total_bytes_received 10/10 0.94GiB ≤ 1.04GiB bounds checks dashboard
quality_gate_security_idle cpu_usage 10/10 32.69 ≤ 100 bounds checks dashboard
quality_gate_security_idle memory_usage 10/10 300.01MiB ≤ 330MiB bounds checks dashboard
quality_gate_security_mean_fs_load cpu_usage 10/10 63.36 ≤ 200 bounds checks dashboard
quality_gate_security_mean_fs_load memory_usage 10/10 276.06MiB ≤ 310MiB bounds checks dashboard
quality_gate_security_no_fs_load cpu_usage 10/10 23.69 ≤ 100 bounds checks dashboard
quality_gate_security_no_fs_load memory_usage 10/10 278.86MiB ≤ 320MiB bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

Replicate Execution Details

We run multiple replicates for each experiment/variant. However, we allow replicates to be automatically retried if there are any failures, up to 8 times, at which point the replicate is marked dead and we are unable to run analysis for the entire experiment. We call each of these attempts at running replicates a replicate execution. This section lists all replicate executions that failed due to the target crashing or being oom killed.

Note: In the below tables we bucket failures by experiment, variant, and failure type. For each of these buckets we list out the replicate indexes that failed with an annotation signifying how many times said replicate failed with the given failure mode. In the below example the baseline variant of the experiment named experiment_with_failures had two replicates that failed by oom kills. Replicate 0, which failed 8 executions, and replicate 1 which failed 6 executions, all with the same failure mode.

Experiment Variant Replicates Failure Logs Debug Dashboard
experiment_with_failures baseline 0 (x8) 1 (x6) Oom killed Debug Dashboard

The debug dashboard links will take you to a debugging dashboard specifically designed to investigate replicate execution failures.

❌ Retried Profiling Replicate Execution Failures (ddprof)

Note: Profiling replicas may still be executing. See the debug dashboard for up to date status.

Experiment Variant Replicates Failure Debug Dashboard
quality_gate_idle baseline 10 Oom killed Debug Dashboard
quality_gate_idle comparison 10 Oom killed Debug Dashboard
quality_gate_idle_all_features baseline 10 Oom killed Debug Dashboard
quality_gate_idle_all_features comparison 10 Oom killed Debug Dashboard
quality_gate_logs baseline 10 Oom killed Debug Dashboard
quality_gate_logs comparison 10 Oom killed Debug Dashboard
quality_gate_metrics_logs baseline 10 Oom killed Debug Dashboard
quality_gate_metrics_logs comparison 10 Oom killed Debug Dashboard
quality_gate_security_idle comparison 10 Crashed (exit code: 134) Debug Dashboard
quality_gate_security_mean_fs_load comparison 10 Crashed (exit code: 134) Debug Dashboard
quality_gate_security_no_fs_load baseline 10 Crashed (exit code: 134) Debug Dashboard
quality_gate_security_no_fs_load comparison 10 Oom killed Debug Dashboard

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_security_no_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

internal Identify a non-fork PR long review PR is complex, plan time to review it team/agent-apm trace-agent

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant