Skip to content

fix(config): stop leak and avoid buffer reuse#3759

Merged
morrisonlevi merged 3 commits intomasterfrom
levi/fix-zai-config
Apr 1, 2026
Merged

fix(config): stop leak and avoid buffer reuse#3759
morrisonlevi merged 3 commits intomasterfrom
levi/fix-zai-config

Conversation

@morrisonlevi
Copy link
Copy Markdown
Collaborator

@morrisonlevi morrisonlevi commented Mar 31, 2026
edited
Loading

Description

The leak is rare, it's happening on mshutdown, so unless you are spamming graceful restarts, this doesn't affect much, but of course, we should fix it anyway. Introduced by me in 1.17.0.

The buffer changes should fix #3729. I was able to make a phpt using a failed decoder with Claude's help.

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

morrisonlevi and others added 3 commits March 31, 2026 14:08
@morrisonlevi
fix(config): leak from not clearing sys env cache
9043075 
There was an order of operations issue in mshutdown.
@morrisonlevi
fix(config): use fresh buffer for env_config_fallback to prevent buff…
433ca60 
…er reuse
@morrisonlevi @claude
test(config): regression test for buf-aliasing heap overflow in zai_c…
f30f5e3 
…onfig_find_and_set_value

When a DD_ env var is cached as a short persistent allocation and the
corresponding OTEL fallback is invoked, the code (pre-fix) passes the
aliased buf—still pointing at that tiny allocation—directly to the
fallback. ddtrace_conf_otel_propagators then writes up to 30 bytes via
memcpy, overflowing the allocation.

The trigger: DD_TRACE_PROPAGATION_STYLE=, (a bare comma). The comma is
non-empty so PHP's proc_open passes it to the child process normally.
SET_LOWERCASE decode rejects all-separator input (zero set elements),
leaving value.len == 0, which causes the fallback to fire with the
aliased 2-byte buffer. Under ASAN this crashes the process during MINIT.

The fix (commit 433ca60) allocates a fresh ZAI_ENV_MAX_BUFSIZ buffer
for every fallback call so the aliased pointer is never used as the write
destination.

Note: DD_TRACE_PROPAGATION_STYLE= (empty string) cannot be used because
PHP's proc_open silently drops env-array entries with empty-string values.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@morrisonlevi morrisonlevi mentioned this pull request Apr 1, 2026
Open
@datadog-prod-us1-6
Copy link
Copy Markdown

datadog-prod-us1-6 bot commented Apr 1, 2026
edited by datadog-datadog-prod-us1 bot
Loading

⚠️ Tests

Fix all issues with BitsAI or with Cursor

⚠️ Warnings

🧪 1 Test failed

❄️ Known flaky: testAsyncWithTracerDisabledOnConsume from symfony-latest-test.DDTrace\Tests\Integrations\Symfony\Latest\MessengerTest   View in Datadog   (Fix with Cursor) 
DDTrace\Tests\Integrations\Symfony\Latest\MessengerTest::testAsyncWithTracerDisabledOnConsume
Command failed with exit code 1. Output: 
 [OK] Consuming messages from transport "async".

 // The worker will automatically exit once it has processed 1 messages or
 // received a stop signal via the messenger:stop-workers command.

 // Quit the worker with CONTROL-C.

 // Re-run the command with a -vv option to see logs about consumed messages.
...

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.64% (-0.04%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: f30f5e3 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@morrisonlevi morrisonlevi marked this pull request as ready for review April 1, 2026 02:02
@morrisonlevi morrisonlevi requested a review from a team as a code owner April 1, 2026 02:02
bwoebi
bwoebi reviewed Apr 1, 2026
View reviewed changes
@morrisonlevi morrisonlevi merged commit 0b558b2 into master Apr 1, 2026
2087 of 2100 checks passed
@morrisonlevi morrisonlevi deleted the levi/fix-zai-config branch April 1, 2026 14:05
@github-actions github-actions bot added this to the 1.18.0 milestone Apr 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bwoebi bwoebi bwoebi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.18.0

Development

Successfully merging this pull request may close these issues.

[Bug]: malloc_consolidate heap corruption with 1.17.0 on PHP 8.4 ZTS + FrankenPHP

2 participants

@morrisonlevi @bwoebi