fix(iast): avoid crash due to missing `INCREF` by KowalskiThomas · Pull Request #17605 · DataDog/dd-trace-py

KowalskiThomas · 2026-04-17T17:11:36Z

Description

This PR fixes a crash coming from IAST due to an inconsistent reference count contract between new_pyobject_id and its callers, where the callers would expect a new owned reference like it already does today but some code paths were missing the Py_INCREF, causing segmentation faults (see example usage).

This error has been around at least since 3.11.0 and is currently causing approximately 50k errors per week.

Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV)
#0   0x000061335a8b72d4 PyType_IsSubtype (/usr/src/python/Objects/typeobject.c:2126:1)
#1   0x000061335a89e11c PyObject_TypeCheck (/usr/src/python/./Include/object.h:381:36)
#2   0x000061335a89e11c object_isinstance (/usr/src/python/Objects/abstract.c:2571:18)
#3   0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2606:16)
#4   0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2628:17)
#5   0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2602:1)
#6   0x000061335a89cbeb PyObject_IsInstance (/usr/src/python/Objects/abstract.c:2670:12)
#7   0x000061335a8c89ed _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3036:26)
#8   0x000061335a98fd11 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11)
#9   0x000061335a884945 partial_vectorcall (/usr/src/python/./Modules/_functoolsmodule.c:267:11)
#10  0x000061335a8a0bf4 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11)
#11  0x000061335a8a0bf4 object_vacall (/usr/src/python/Objects/call.c:850:14)
#12  0x000061335a8fdf8e PyObject_CallFunctionObjArgs (/usr/src/python/Objects/call.c:957:14)
#13  0x000074f48affeb28 WraptBoundFunctionWrapper_call (/project/src/wrapt/_wrappers.c:3024:18)
#14  0x000061335a8a12e2 PyObject_Call
#15  0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26)
#16  0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16)
#17  0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14)
#18  0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22)
#19  0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11)
#20  0x000061335a8af877 cfunction_vectorcall_O (/usr/src/python/Objects/methodobject.c:509:24)
#21  0x000074f48a434f69 __Pyx_PyObject_Call (/project/uvloop/loop.c:191431:15)
#22  0x000074f48a434f69 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66901:25)
#23  0x000074f48a43a96b __pyx_f_6uvloop_4loop_4Loop__on_idle (/project/uvloop/loop.c:17975:25)
#24  0x000074f48a434e52 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66927:24)
#25  0x000074f48a436c88 __pyx_f_6uvloop_4loop_cb_idle_callback (/project/uvloop/loop.c:87335:19)
#26  0x000074f48a452311 uv__run_idle (/project/build/libuv-x86_64/src/unix/loop-watcher.c:68:1)
#27  0x000074f48a44f647 uv_run (/project/build/libuv-x86_64/src/unix/core.c:439:5)
#28  0x000074f48a370db5 __pyx_f_6uvloop_4loop_4Loop__Loop__run (/project/uvloop/loop.c:18458:23)
#29  0x000074f48a3d8e50 __pyx_f_6uvloop_4loop_4Loop__run (/project/uvloop/loop.c:18876:18)
#30  0x000074f48a3e9cf0 __pyx_pf_6uvloop_4loop_4Loop_24run_forever (/project/uvloop/loop.c:31528:18)
#31  0x000074f48a3e9cf0 __pyx_pw_6uvloop_4loop_4Loop_25run_forever (/project/uvloop/loop.c:31331:13)
#32  0x000061335a8a159c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11)
#33  0x000061335a8a159c PyObject_VectorcallMethod (/usr/src/python/Objects/call.c:887:24)
#34  0x000074f48a3edd60 __pyx_pf_6uvloop_4loop_4Loop_44run_until_complete (/project/uvloop/loop.c:33768:23)
#35  0x000074f48a3ef591 __pyx_pw_6uvloop_4loop_4Loop_45run_until_complete (/project/uvloop/loop.c:33318:13)
#36  0x000061335a8a0a18 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11)
#37  0x000061335a8a0a18 PyObject_Vectorcall (/usr/src/python/Objects/call.c:325:12)
#38  0x000061335a8c7807 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:2715:19)
#39  0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16)
#40  0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14)
#41  0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22)
#42  0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11)
#43  0x000061335a8a06fe _PyObject_MakeTpCall (/usr/src/python/Objects/call.c:240:18)
#44  0x000061335a82380c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:90:16)
#45  0x000061335a82380c context_run (/usr/src/python/Python/context.c:668:29)
#46  0x000061335a912d7b cfunction_vectorcall_FASTCALL_KEYWORDS (/usr/src/python/Objects/methodobject.c:438:24)
#47  0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26)
#48  0x000061335a94a4b9 PyEval_EvalCode (/usr/src/python/Python/ceval.c:578:21)
#49  0x000061335a96852c run_eval_code_obj (/usr/src/python/Python/pythonrun.c:1722:9)
#50  0x000061335a9684a4 run_mod (/usr/src/python/Python/pythonrun.c:1743:19)
#51  0x000061335a968061 pyrun_file (/usr/src/python/Python/pythonrun.c:1643:15)
#52  0x000061335a967ea7 _PyRun_SimpleFileObject (/usr/src/python/Python/pythonrun.c:433:13)
#53  0x000061335a967cc7 _PyRun_AnyFileObject (/usr/src/python/Python/pythonrun.c:78:15)
#54  0x000061335a972230 pymain_run_file_obj (/usr/src/python/Modules/main.c:360:15)
#55  0x000061335a972230 pymain_run_file (/usr/src/python/Modules/main.c:379:15)
#56  0x000061335a972230 pymain_run_python (/usr/src/python/Modules/main.c:633:21)
#57  0x000061335a972230 Py_RunMain (/usr/src/python/Modules/main.c:713:5)
#58  0x000061335a971dbd Py_BytesMain (/usr/src/python/Modules/main.c:767:12)
#59  0x000074f48e000e40 __libc_start_main
#60  0x000061335a8ea2d5 _start

cit-pr-commenter-54b7da · 2026-04-17T17:13:12Z

Codeowners resolved as

ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp             @DataDog/asm-python
releasenotes/notes/fix-iast-crash-missing-incref-1f03aab5298bddc4.yaml  @DataDog/apm-python

pr-commenter · 2026-04-17T17:31:46Z

Performance SLOs

Comparing candidate kowalski/fix-iast-avoid-crash-due-to-missing-incref (7bf6f74) with baseline main (be0fdf3)

📈 Performance Regressions (1 suite)

📈 iastaspectsospath - 24/24

✅ ospathbasename_aspect

Time: ✅ 529.863µs (SLO: <700.000µs 📉 -24.3%) vs baseline: 📈 +24.2%

Memory: ✅ 43.843MB (SLO: <46.000MB -4.7%) vs baseline: +5.0%

✅ ospathbasename_noaspect

Time: ✅ 432.377µs (SLO: <700.000µs 📉 -38.2%) vs baseline: ~same

Memory: ✅ 43.850MB (SLO: <46.000MB -4.7%) vs baseline: +5.0%

✅ ospathjoin_aspect

Time: ✅ 630.659µs (SLO: <700.000µs -9.9%) vs baseline: -0.2%

Memory: ✅ 43.813MB (SLO: <46.000MB -4.8%) vs baseline: +4.9%

✅ ospathjoin_noaspect

Time: ✅ 641.401µs (SLO: <700.000µs -8.4%) vs baseline: +0.6%

Memory: ✅ 43.788MB (SLO: <46.000MB -4.8%) vs baseline: +4.6%

✅ ospathnormcase_aspect

Time: ✅ 348.379µs (SLO: <700.000µs 📉 -50.2%) vs baseline: ~same

Memory: ✅ 43.940MB (SLO: <46.000MB -4.5%) vs baseline: +4.9%

✅ ospathnormcase_noaspect

Time: ✅ 359.928µs (SLO: <700.000µs 📉 -48.6%) vs baseline: +0.6%

Memory: ✅ 43.833MB (SLO: <46.000MB -4.7%) vs baseline: +4.9%

✅ ospathsplit_aspect

Time: ✅ 492.321µs (SLO: <700.000µs 📉 -29.7%) vs baseline: +0.1%

Memory: ✅ 43.849MB (SLO: <46.000MB -4.7%) vs baseline: +4.8%

✅ ospathsplit_noaspect

Time: ✅ 502.122µs (SLO: <700.000µs 📉 -28.3%) vs baseline: +0.9%

Memory: ✅ 43.873MB (SLO: <46.000MB -4.6%) vs baseline: +5.0%

✅ ospathsplitdrive_aspect

Time: ✅ 373.185µs (SLO: <700.000µs 📉 -46.7%) vs baseline: +0.6%

Memory: ✅ 43.868MB (SLO: <46.000MB -4.6%) vs baseline: +4.8%

✅ ospathsplitdrive_noaspect

Time: ✅ 72.963µs (SLO: <700.000µs 📉 -89.6%) vs baseline: -0.8%

Memory: ✅ 43.942MB (SLO: <46.000MB -4.5%) vs baseline: +4.9%

✅ ospathsplitext_aspect

Time: ✅ 465.717µs (SLO: <700.000µs 📉 -33.5%) vs baseline: -0.3%

Memory: ✅ 43.846MB (SLO: <46.000MB -4.7%) vs baseline: +4.9%

✅ ospathsplitext_noaspect

Time: ✅ 468.445µs (SLO: <700.000µs 📉 -33.1%) vs baseline: -0.6%

Memory: ✅ 43.871MB (SLO: <46.000MB -4.6%) vs baseline: +4.9%

✅ All Tests Passing (2 suites)

✅ iastaspectssplit - 12/12

✅ rsplit_aspect

Time: ✅ 163.996µs (SLO: <250.000µs 📉 -34.4%) vs baseline: +5.1%

Memory: ✅ 43.827MB (SLO: <46.000MB -4.7%) vs baseline: +4.6%

✅ rsplit_noaspect

Time: ✅ 160.761µs (SLO: <250.000µs 📉 -35.7%) vs baseline: +0.3%

Memory: ✅ 43.860MB (SLO: <46.000MB -4.7%) vs baseline: +5.0%

✅ split_aspect

Time: ✅ 152.363µs (SLO: <250.000µs 📉 -39.1%) vs baseline: +0.3%

Memory: ✅ 43.819MB (SLO: <46.000MB -4.7%) vs baseline: +4.7%

✅ split_noaspect

Time: ✅ 152.985µs (SLO: <250.000µs 📉 -38.8%) vs baseline: -1.1%

Memory: ✅ 43.820MB (SLO: <46.000MB -4.7%) vs baseline: +4.8%

✅ splitlines_aspect

Time: ✅ 149.544µs (SLO: <250.000µs 📉 -40.2%) vs baseline: +1.0%

Memory: ✅ 43.911MB (SLO: <46.000MB -4.5%) vs baseline: +5.1%

✅ splitlines_noaspect

Time: ✅ 152.685µs (SLO: <250.000µs 📉 -38.9%) vs baseline: +0.1%

Memory: ✅ 43.912MB (SLO: <46.000MB -4.5%) vs baseline: +5.0%

✅ iastpropagation - 8/8

✅ no-propagation

Time: ✅ 49.109µs (SLO: <60.000µs 📉 -18.2%) vs baseline: ~same

Memory: ✅ 40.855MB (SLO: <42.000MB -2.7%) vs baseline: +4.8%

✅ propagation_enabled

Time: ✅ 136.998µs (SLO: <190.000µs 📉 -27.9%) vs baseline: ~same

Memory: ✅ 40.776MB (SLO: <42.000MB -2.9%) vs baseline: +4.6%

✅ propagation_enabled_100

Time: ✅ 1.552ms (SLO: <2.300ms 📉 -32.5%) vs baseline: -0.8%

Memory: ✅ 40.894MB (SLO: <42.000MB -2.6%) vs baseline: +5.1%

✅ propagation_enabled_1000

Time: ✅ 28.894ms (SLO: <34.550ms 📉 -16.4%) vs baseline: ~same

Memory: ✅ 40.914MB (SLO: <42.000MB -2.6%) vs baseline: +4.9%

ℹ️ Scenarios Missing SLO Configuration (20 scenarios)

The following scenarios exist in candidate data but have no SLO thresholds configured:

iast_aspects-re_expand_aspect
iast_aspects-re_expand_noaspect
iast_aspects-re_findall_aspect
iast_aspects-re_findall_noaspect
iast_aspects-re_finditer_aspect
iast_aspects-re_finditer_noaspect
iast_aspects-re_fullmatch_aspect
iast_aspects-re_fullmatch_noaspect
iast_aspects-re_group_aspect
iast_aspects-re_group_noaspect
iast_aspects-re_groups_aspect
iast_aspects-re_groups_noaspect
iast_aspects-re_match_aspect
iast_aspects-re_match_noaspect
iast_aspects-re_search_aspect
iast_aspects-re_search_noaspect
iast_aspects-re_sub_aspect
iast_aspects-re_sub_noaspect
iast_aspects-re_subn_aspect
iast_aspects-re_subn_noaspect

KowalskiThomas · 2026-04-20T07:34:03Z

/merge

gh-worker-devflow-routing-ef8351 · 2026-04-20T07:34:08Z

View all feedbacks in Devflow UI.

2026-04-20 07:34:08 UTC ℹ️ Start processing command /merge

2026-04-20 07:34:12 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 1h (p90).

2026-04-20 08:10:13 UTC ℹ️ MergeQueue: This merge request was merged

github-actions · 2026-04-21T12:06:43Z

This change is marked for backport to 4.7 and it does not conflict with that branch.
The command used to test backporting was

git checkout 4.7 && git cherry-pick -x --mainline 1 36bf68ba1bcb3c8d83d21719cb0a7442f2279a55

github-actions · 2026-04-21T12:06:44Z

This change is marked for backport to 4.6 and it does not conflict with that branch.
The command used to test backporting was

git checkout 4.6 && git cherry-pick -x --mainline 1 36bf68ba1bcb3c8d83d21719cb0a7442f2279a55

github-actions · 2026-04-21T12:06:47Z

This change is marked for backport to 4.5 and it does not conflict with that branch.
The command used to test backporting was

git checkout 4.5 && git cherry-pick -x --mainline 1 36bf68ba1bcb3c8d83d21719cb0a7442f2279a55

## Description This PR fixes a crash coming from IAST due to an inconsistent reference count contract between `new_pyobject_id` and its callers, where the callers would expect a new owned reference like it [already does today](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp#L169-L171) but some code paths were missing the `Py_INCREF`, causing segmentation faults (see [example usage](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/aspects/aspect_operator_add.cpp#L30-L31)). This error has been around at least since 3.11.0 and is currently causing approximately [50k errors per week](https://app.datadoghq.com/error-tracking/issue/01522162-6bf3-11f0-b96b-da7ad0900002?query=%28%40tags.severity%3Acrash%20OR%20severity%3Acrash%20OR%20signum%3A%2A%20OR%20%40error.is_crash%3Atrue%29%20%40lib_language%3Apython&index=&tb=%40org_id&from_ts=1775841064700&to_ts=1776445864700&live=true). ``` Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV) #0 0x000061335a8b72d4 PyType_IsSubtype (/usr/src/python/Objects/typeobject.c:2126:1) #1 0x000061335a89e11c PyObject_TypeCheck (/usr/src/python/./Include/object.h:381:36) #2 0x000061335a89e11c object_isinstance (/usr/src/python/Objects/abstract.c:2571:18) #3 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2606:16) #4 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2628:17) #5 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2602:1) #6 0x000061335a89cbeb PyObject_IsInstance (/usr/src/python/Objects/abstract.c:2670:12) #7 0x000061335a8c89ed _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3036:26) #8 0x000061335a98fd11 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #9 0x000061335a884945 partial_vectorcall (/usr/src/python/./Modules/_functoolsmodule.c:267:11) #10 0x000061335a8a0bf4 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #11 0x000061335a8a0bf4 object_vacall (/usr/src/python/Objects/call.c:850:14) #12 0x000061335a8fdf8e PyObject_CallFunctionObjArgs (/usr/src/python/Objects/call.c:957:14) #13 0x000074f48affeb28 WraptBoundFunctionWrapper_call (/project/src/wrapt/_wrappers.c:3024:18) #14 0x000061335a8a12e2 PyObject_Call #15 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #16 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #17 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #18 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #19 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #20 0x000061335a8af877 cfunction_vectorcall_O (/usr/src/python/Objects/methodobject.c:509:24) #21 0x000074f48a434f69 __Pyx_PyObject_Call (/project/uvloop/loop.c:191431:15) #22 0x000074f48a434f69 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66901:25) #23 0x000074f48a43a96b __pyx_f_6uvloop_4loop_4Loop__on_idle (/project/uvloop/loop.c:17975:25) #24 0x000074f48a434e52 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66927:24) #25 0x000074f48a436c88 __pyx_f_6uvloop_4loop_cb_idle_callback (/project/uvloop/loop.c:87335:19) #26 0x000074f48a452311 uv__run_idle (/project/build/libuv-x86_64/src/unix/loop-watcher.c:68:1) #27 0x000074f48a44f647 uv_run (/project/build/libuv-x86_64/src/unix/core.c:439:5) #28 0x000074f48a370db5 __pyx_f_6uvloop_4loop_4Loop__Loop__run (/project/uvloop/loop.c:18458:23) #29 0x000074f48a3d8e50 __pyx_f_6uvloop_4loop_4Loop__run (/project/uvloop/loop.c:18876:18) #30 0x000074f48a3e9cf0 __pyx_pf_6uvloop_4loop_4Loop_24run_forever (/project/uvloop/loop.c:31528:18) #31 0x000074f48a3e9cf0 __pyx_pw_6uvloop_4loop_4Loop_25run_forever (/project/uvloop/loop.c:31331:13) #32 0x000061335a8a159c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #33 0x000061335a8a159c PyObject_VectorcallMethod (/usr/src/python/Objects/call.c:887:24) #34 0x000074f48a3edd60 __pyx_pf_6uvloop_4loop_4Loop_44run_until_complete (/project/uvloop/loop.c:33768:23) #35 0x000074f48a3ef591 __pyx_pw_6uvloop_4loop_4Loop_45run_until_complete (/project/uvloop/loop.c:33318:13) #36 0x000061335a8a0a18 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #37 0x000061335a8a0a18 PyObject_Vectorcall (/usr/src/python/Objects/call.c:325:12) #38 0x000061335a8c7807 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:2715:19) #39 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #40 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #41 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #42 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #43 0x000061335a8a06fe _PyObject_MakeTpCall (/usr/src/python/Objects/call.c:240:18) #44 0x000061335a82380c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:90:16) #45 0x000061335a82380c context_run (/usr/src/python/Python/context.c:668:29) #46 0x000061335a912d7b cfunction_vectorcall_FASTCALL_KEYWORDS (/usr/src/python/Objects/methodobject.c:438:24) #47 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #48 0x000061335a94a4b9 PyEval_EvalCode (/usr/src/python/Python/ceval.c:578:21) #49 0x000061335a96852c run_eval_code_obj (/usr/src/python/Python/pythonrun.c:1722:9) #50 0x000061335a9684a4 run_mod (/usr/src/python/Python/pythonrun.c:1743:19) #51 0x000061335a968061 pyrun_file (/usr/src/python/Python/pythonrun.c:1643:15) #52 0x000061335a967ea7 _PyRun_SimpleFileObject (/usr/src/python/Python/pythonrun.c:433:13) #53 0x000061335a967cc7 _PyRun_AnyFileObject (/usr/src/python/Python/pythonrun.c:78:15) #54 0x000061335a972230 pymain_run_file_obj (/usr/src/python/Modules/main.c:360:15) #55 0x000061335a972230 pymain_run_file (/usr/src/python/Modules/main.c:379:15) #56 0x000061335a972230 pymain_run_python (/usr/src/python/Modules/main.c:633:21) #57 0x000061335a972230 Py_RunMain (/usr/src/python/Modules/main.c:713:5) #58 0x000061335a971dbd Py_BytesMain (/usr/src/python/Modules/main.c:767:12) #59 0x000074f48e000e40 __libc_start_main #60 0x000061335a8ea2d5 _start ``` Co-authored-by: thomas.kowalski <thomas.kowalski@datadoghq.com> (cherry picked from commit 36bf68b) Co-authored-by: Thomas Kowalski <thomas.kowalski@datadoghq.com>

Backport #17605 to 4.7 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Kowalski <thomas.kowalski@datadoghq.com>

## Description This PR fixes a crash coming from IAST due to an inconsistent reference count contract between `new_pyobject_id` and its callers, where the callers would expect a new owned reference like it [already does today](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp#L169-L171) but some code paths were missing the `Py_INCREF`, causing segmentation faults (see [example usage](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/aspects/aspect_operator_add.cpp#L30-L31)). This error has been around at least since 3.11.0 and is currently causing approximately [50k errors per week](https://app.datadoghq.com/error-tracking/issue/01522162-6bf3-11f0-b96b-da7ad0900002?query=%28%40tags.severity%3Acrash%20OR%20severity%3Acrash%20OR%20signum%3A%2A%20OR%20%40error.is_crash%3Atrue%29%20%40lib_language%3Apython&index=&tb=%40org_id&from_ts=1775841064700&to_ts=1776445864700&live=true). ``` Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV) #0 0x000061335a8b72d4 PyType_IsSubtype (/usr/src/python/Objects/typeobject.c:2126:1) #1 0x000061335a89e11c PyObject_TypeCheck (/usr/src/python/./Include/object.h:381:36) #2 0x000061335a89e11c object_isinstance (/usr/src/python/Objects/abstract.c:2571:18) #3 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2606:16) #4 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2628:17) #5 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2602:1) #6 0x000061335a89cbeb PyObject_IsInstance (/usr/src/python/Objects/abstract.c:2670:12) #7 0x000061335a8c89ed _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3036:26) #8 0x000061335a98fd11 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #9 0x000061335a884945 partial_vectorcall (/usr/src/python/./Modules/_functoolsmodule.c:267:11) #10 0x000061335a8a0bf4 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #11 0x000061335a8a0bf4 object_vacall (/usr/src/python/Objects/call.c:850:14) #12 0x000061335a8fdf8e PyObject_CallFunctionObjArgs (/usr/src/python/Objects/call.c:957:14) #13 0x000074f48affeb28 WraptBoundFunctionWrapper_call (/project/src/wrapt/_wrappers.c:3024:18) #14 0x000061335a8a12e2 PyObject_Call #15 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #16 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #17 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #18 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #19 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #20 0x000061335a8af877 cfunction_vectorcall_O (/usr/src/python/Objects/methodobject.c:509:24) #21 0x000074f48a434f69 __Pyx_PyObject_Call (/project/uvloop/loop.c:191431:15) #22 0x000074f48a434f69 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66901:25) #23 0x000074f48a43a96b __pyx_f_6uvloop_4loop_4Loop__on_idle (/project/uvloop/loop.c:17975:25) #24 0x000074f48a434e52 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66927:24) #25 0x000074f48a436c88 __pyx_f_6uvloop_4loop_cb_idle_callback (/project/uvloop/loop.c:87335:19) #26 0x000074f48a452311 uv__run_idle (/project/build/libuv-x86_64/src/unix/loop-watcher.c:68:1) #27 0x000074f48a44f647 uv_run (/project/build/libuv-x86_64/src/unix/core.c:439:5) #28 0x000074f48a370db5 __pyx_f_6uvloop_4loop_4Loop__Loop__run (/project/uvloop/loop.c:18458:23) #29 0x000074f48a3d8e50 __pyx_f_6uvloop_4loop_4Loop__run (/project/uvloop/loop.c:18876:18) #30 0x000074f48a3e9cf0 __pyx_pf_6uvloop_4loop_4Loop_24run_forever (/project/uvloop/loop.c:31528:18) #31 0x000074f48a3e9cf0 __pyx_pw_6uvloop_4loop_4Loop_25run_forever (/project/uvloop/loop.c:31331:13) #32 0x000061335a8a159c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #33 0x000061335a8a159c PyObject_VectorcallMethod (/usr/src/python/Objects/call.c:887:24) #34 0x000074f48a3edd60 __pyx_pf_6uvloop_4loop_4Loop_44run_until_complete (/project/uvloop/loop.c:33768:23) #35 0x000074f48a3ef591 __pyx_pw_6uvloop_4loop_4Loop_45run_until_complete (/project/uvloop/loop.c:33318:13) #36 0x000061335a8a0a18 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #37 0x000061335a8a0a18 PyObject_Vectorcall (/usr/src/python/Objects/call.c:325:12) #38 0x000061335a8c7807 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:2715:19) #39 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #40 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #41 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #42 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #43 0x000061335a8a06fe _PyObject_MakeTpCall (/usr/src/python/Objects/call.c:240:18) #44 0x000061335a82380c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:90:16) #45 0x000061335a82380c context_run (/usr/src/python/Python/context.c:668:29) #46 0x000061335a912d7b cfunction_vectorcall_FASTCALL_KEYWORDS (/usr/src/python/Objects/methodobject.c:438:24) #47 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #48 0x000061335a94a4b9 PyEval_EvalCode (/usr/src/python/Python/ceval.c:578:21) #49 0x000061335a96852c run_eval_code_obj (/usr/src/python/Python/pythonrun.c:1722:9) #50 0x000061335a9684a4 run_mod (/usr/src/python/Python/pythonrun.c:1743:19) #51 0x000061335a968061 pyrun_file (/usr/src/python/Python/pythonrun.c:1643:15) #52 0x000061335a967ea7 _PyRun_SimpleFileObject (/usr/src/python/Python/pythonrun.c:433:13) #53 0x000061335a967cc7 _PyRun_AnyFileObject (/usr/src/python/Python/pythonrun.c:78:15) #54 0x000061335a972230 pymain_run_file_obj (/usr/src/python/Modules/main.c:360:15) #55 0x000061335a972230 pymain_run_file (/usr/src/python/Modules/main.c:379:15) #56 0x000061335a972230 pymain_run_python (/usr/src/python/Modules/main.c:633:21) #57 0x000061335a972230 Py_RunMain (/usr/src/python/Modules/main.c:713:5) #58 0x000061335a971dbd Py_BytesMain (/usr/src/python/Modules/main.c:767:12) #59 0x000074f48e000e40 __libc_start_main #60 0x000061335a8ea2d5 _start ``` Co-authored-by: thomas.kowalski <thomas.kowalski@datadoghq.com>

Backport #17605 to 4.5 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Kowalski <thomas.kowalski@datadoghq.com>

Backport #17605 to 4.6 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Thomas Kowalski <thomas.kowalski@datadoghq.com>

## Description This PR fixes a crash coming from IAST due to an inconsistent reference count contract between `new_pyobject_id` and its callers, where the callers would expect a new owned reference like it [already does today](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp#L169-L171) but some code paths were missing the `Py_INCREF`, causing segmentation faults (see [example usage](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/aspects/aspect_operator_add.cpp#L30-L31)). This error has been around at least since 3.11.0 and is currently causing approximately [50k errors per week](https://app.datadoghq.com/error-tracking/issue/01522162-6bf3-11f0-b96b-da7ad0900002?query=%28%40tags.severity%3Acrash%20OR%20severity%3Acrash%20OR%20signum%3A%2A%20OR%20%40error.is_crash%3Atrue%29%20%40lib_language%3Apython&index=&tb=%40org_id&from_ts=1775841064700&to_ts=1776445864700&live=true). ``` Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV) #0 0x000061335a8b72d4 PyType_IsSubtype (/usr/src/python/Objects/typeobject.c:2126:1) #1 0x000061335a89e11c PyObject_TypeCheck (/usr/src/python/./Include/object.h:381:36) #2 0x000061335a89e11c object_isinstance (/usr/src/python/Objects/abstract.c:2571:18) #3 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2606:16) #4 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2628:17) #5 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2602:1) #6 0x000061335a89cbeb PyObject_IsInstance (/usr/src/python/Objects/abstract.c:2670:12) #7 0x000061335a8c89ed _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3036:26) #8 0x000061335a98fd11 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #9 0x000061335a884945 partial_vectorcall (/usr/src/python/./Modules/_functoolsmodule.c:267:11) #10 0x000061335a8a0bf4 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #11 0x000061335a8a0bf4 object_vacall (/usr/src/python/Objects/call.c:850:14) #12 0x000061335a8fdf8e PyObject_CallFunctionObjArgs (/usr/src/python/Objects/call.c:957:14) #13 0x000074f48affeb28 WraptBoundFunctionWrapper_call (/project/src/wrapt/_wrappers.c:3024:18) #14 0x000061335a8a12e2 PyObject_Call #15 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #16 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #17 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #18 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #19 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #20 0x000061335a8af877 cfunction_vectorcall_O (/usr/src/python/Objects/methodobject.c:509:24) #21 0x000074f48a434f69 __Pyx_PyObject_Call (/project/uvloop/loop.c:191431:15) #22 0x000074f48a434f69 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66901:25) #23 0x000074f48a43a96b __pyx_f_6uvloop_4loop_4Loop__on_idle (/project/uvloop/loop.c:17975:25) #24 0x000074f48a434e52 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66927:24) #25 0x000074f48a436c88 __pyx_f_6uvloop_4loop_cb_idle_callback (/project/uvloop/loop.c:87335:19) #26 0x000074f48a452311 uv__run_idle (/project/build/libuv-x86_64/src/unix/loop-watcher.c:68:1) #27 0x000074f48a44f647 uv_run (/project/build/libuv-x86_64/src/unix/core.c:439:5) #28 0x000074f48a370db5 __pyx_f_6uvloop_4loop_4Loop__Loop__run (/project/uvloop/loop.c:18458:23) #29 0x000074f48a3d8e50 __pyx_f_6uvloop_4loop_4Loop__run (/project/uvloop/loop.c:18876:18) #30 0x000074f48a3e9cf0 __pyx_pf_6uvloop_4loop_4Loop_24run_forever (/project/uvloop/loop.c:31528:18) #31 0x000074f48a3e9cf0 __pyx_pw_6uvloop_4loop_4Loop_25run_forever (/project/uvloop/loop.c:31331:13) #32 0x000061335a8a159c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #33 0x000061335a8a159c PyObject_VectorcallMethod (/usr/src/python/Objects/call.c:887:24) #34 0x000074f48a3edd60 __pyx_pf_6uvloop_4loop_4Loop_44run_until_complete (/project/uvloop/loop.c:33768:23) #35 0x000074f48a3ef591 __pyx_pw_6uvloop_4loop_4Loop_45run_until_complete (/project/uvloop/loop.c:33318:13) #36 0x000061335a8a0a18 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #37 0x000061335a8a0a18 PyObject_Vectorcall (/usr/src/python/Objects/call.c:325:12) #38 0x000061335a8c7807 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:2715:19) #39 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #40 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #41 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #42 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #43 0x000061335a8a06fe _PyObject_MakeTpCall (/usr/src/python/Objects/call.c:240:18) #44 0x000061335a82380c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:90:16) #45 0x000061335a82380c context_run (/usr/src/python/Python/context.c:668:29) #46 0x000061335a912d7b cfunction_vectorcall_FASTCALL_KEYWORDS (/usr/src/python/Objects/methodobject.c:438:24) #47 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #48 0x000061335a94a4b9 PyEval_EvalCode (/usr/src/python/Python/ceval.c:578:21) #49 0x000061335a96852c run_eval_code_obj (/usr/src/python/Python/pythonrun.c:1722:9) #50 0x000061335a9684a4 run_mod (/usr/src/python/Python/pythonrun.c:1743:19) #51 0x000061335a968061 pyrun_file (/usr/src/python/Python/pythonrun.c:1643:15) #52 0x000061335a967ea7 _PyRun_SimpleFileObject (/usr/src/python/Python/pythonrun.c:433:13) #53 0x000061335a967cc7 _PyRun_AnyFileObject (/usr/src/python/Python/pythonrun.c:78:15) #54 0x000061335a972230 pymain_run_file_obj (/usr/src/python/Modules/main.c:360:15) #55 0x000061335a972230 pymain_run_file (/usr/src/python/Modules/main.c:379:15) #56 0x000061335a972230 pymain_run_python (/usr/src/python/Modules/main.c:633:21) #57 0x000061335a972230 Py_RunMain (/usr/src/python/Modules/main.c:713:5) #58 0x000061335a971dbd Py_BytesMain (/usr/src/python/Modules/main.c:767:12) #59 0x000074f48e000e40 __libc_start_main #60 0x000061335a8ea2d5 _start ``` Co-authored-by: thomas.kowalski <thomas.kowalski@datadoghq.com>

KowalskiThomas added the ASM Application Security Monitoring label Apr 17, 2026

fix(iast): avoid crash due to missing INCREF

7bf6f74

KowalskiThomas force-pushed the kowalski/fix-iast-avoid-crash-due-to-missing-incref branch from 841fffc to 7bf6f74 Compare April 17, 2026 17:12

KowalskiThomas marked this pull request as ready for review April 17, 2026 17:12

KowalskiThomas requested review from a team as code owners April 17, 2026 17:12

KowalskiThomas requested review from P403n1x87 and rachelyangdog April 17, 2026 17:12

florentinl approved these changes Apr 20, 2026

View reviewed changes

gh-worker-dd-mergequeue-cf854d Bot merged commit 36bf68b into main Apr 20, 2026
582 checks passed

gh-worker-dd-mergequeue-cf854d Bot deleted the kowalski/fix-iast-avoid-crash-due-to-missing-incref branch April 20, 2026 08:10

KowalskiThomas added backport 4.5 backport 4.6 backport 4.7 labels Apr 21, 2026

dd-octo-sts Bot mentioned this pull request Apr 21, 2026

fix(iast): avoid crash due to missing INCREF [backport 4.7] #17642

Merged

This was referenced Apr 21, 2026

fix(iast): avoid crash due to missing INCREF [backport 4.5] #17643

Merged

fix(iast): avoid crash due to missing INCREF [backport 4.6] #17644

Merged

KowalskiThomas added the identified-by:crashtracking Identified by Crash Tracking label Apr 22, 2026

Conversation

KowalskiThomas commented Apr 17, 2026

Description

Uh oh!

cit-pr-commenter-54b7da Bot commented Apr 17, 2026

Codeowners resolved as

Uh oh!

pr-commenter Bot commented Apr 17, 2026

Performance SLOs

✅ ospathbasename_aspect

✅ ospathbasename_noaspect

✅ ospathjoin_aspect

✅ ospathjoin_noaspect

✅ ospathnormcase_aspect

✅ ospathnormcase_noaspect

✅ ospathsplit_aspect

✅ ospathsplit_noaspect

✅ ospathsplitdrive_aspect

✅ ospathsplitdrive_noaspect

✅ ospathsplitext_aspect

✅ ospathsplitext_noaspect

✅ rsplit_aspect

✅ rsplit_noaspect

✅ split_aspect

✅ split_noaspect

✅ splitlines_aspect

✅ splitlines_noaspect

✅ no-propagation

✅ propagation_enabled

✅ propagation_enabled_100

✅ propagation_enabled_1000

Uh oh!

KowalskiThomas commented Apr 20, 2026

Uh oh!

gh-worker-devflow-routing-ef8351 Bot commented Apr 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Apr 21, 2026

Uh oh!

github-actions Bot commented Apr 21, 2026

Uh oh!

github-actions Bot commented Apr 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

gh-worker-devflow-routing-ef8351 Bot commented Apr 20, 2026 •

edited

Loading