fix(iast): avoid crash due to missing `INCREF` [backport 4.5] by dd-octo-sts[bot] · Pull Request #17643 · DataDog/dd-trace-py

dd-octo-sts · 2026-04-21T12:07:00Z

Backport #17605 to 4.5

## Description This PR fixes a crash coming from IAST due to an inconsistent reference count contract between `new_pyobject_id` and its callers, where the callers would expect a new owned reference like it [already does today](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp#L169-L171) but some code paths were missing the `Py_INCREF`, causing segmentation faults (see [example usage](https://github.com/DataDog/dd-trace-py/blob/c02775f9db03c05f90356181323d000b86aba7da/ddtrace/appsec/_iast/_taint_tracking/aspects/aspect_operator_add.cpp#L30-L31)). This error has been around at least since 3.11.0 and is currently causing approximately [50k errors per week](https://app.datadoghq.com/error-tracking/issue/01522162-6bf3-11f0-b96b-da7ad0900002?query=%28%40tags.severity%3Acrash%20OR%20severity%3Acrash%20OR%20signum%3A%2A%20OR%20%40error.is_crash%3Atrue%29%20%40lib_language%3Apython&index=&tb=%40org_id&from_ts=1775841064700&to_ts=1776445864700&live=true). ``` Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV) #0 0x000061335a8b72d4 PyType_IsSubtype (/usr/src/python/Objects/typeobject.c:2126:1) #1 0x000061335a89e11c PyObject_TypeCheck (/usr/src/python/./Include/object.h:381:36) #2 0x000061335a89e11c object_isinstance (/usr/src/python/Objects/abstract.c:2571:18) #3 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2606:16) #4 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2628:17) #5 0x000061335a89cbeb object_recursive_isinstance (/usr/src/python/Objects/abstract.c:2602:1) #6 0x000061335a89cbeb PyObject_IsInstance (/usr/src/python/Objects/abstract.c:2670:12) #7 0x000061335a8c89ed _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3036:26) #8 0x000061335a98fd11 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #9 0x000061335a884945 partial_vectorcall (/usr/src/python/./Modules/_functoolsmodule.c:267:11) #10 0x000061335a8a0bf4 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #11 0x000061335a8a0bf4 object_vacall (/usr/src/python/Objects/call.c:850:14) #12 0x000061335a8fdf8e PyObject_CallFunctionObjArgs (/usr/src/python/Objects/call.c:957:14) #13 0x000074f48affeb28 WraptBoundFunctionWrapper_call (/project/src/wrapt/_wrappers.c:3024:18) #14 0x000061335a8a12e2 PyObject_Call #15 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #16 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #17 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #18 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #19 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #20 0x000061335a8af877 cfunction_vectorcall_O (/usr/src/python/Objects/methodobject.c:509:24) #21 0x000074f48a434f69 __Pyx_PyObject_Call (/project/uvloop/loop.c:191431:15) #22 0x000074f48a434f69 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66901:25) #23 0x000074f48a43a96b __pyx_f_6uvloop_4loop_4Loop__on_idle (/project/uvloop/loop.c:17975:25) #24 0x000074f48a434e52 __pyx_f_6uvloop_4loop_6Handle__run (/project/uvloop/loop.c:66927:24) #25 0x000074f48a436c88 __pyx_f_6uvloop_4loop_cb_idle_callback (/project/uvloop/loop.c:87335:19) #26 0x000074f48a452311 uv__run_idle (/project/build/libuv-x86_64/src/unix/loop-watcher.c:68:1) #27 0x000074f48a44f647 uv_run (/project/build/libuv-x86_64/src/unix/core.c:439:5) #28 0x000074f48a370db5 __pyx_f_6uvloop_4loop_4Loop__Loop__run (/project/uvloop/loop.c:18458:23) #29 0x000074f48a3d8e50 __pyx_f_6uvloop_4loop_4Loop__run (/project/uvloop/loop.c:18876:18) #30 0x000074f48a3e9cf0 __pyx_pf_6uvloop_4loop_4Loop_24run_forever (/project/uvloop/loop.c:31528:18) #31 0x000074f48a3e9cf0 __pyx_pw_6uvloop_4loop_4Loop_25run_forever (/project/uvloop/loop.c:31331:13) #32 0x000061335a8a159c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #33 0x000061335a8a159c PyObject_VectorcallMethod (/usr/src/python/Objects/call.c:887:24) #34 0x000074f48a3edd60 __pyx_pf_6uvloop_4loop_4Loop_44run_until_complete (/project/uvloop/loop.c:33768:23) #35 0x000074f48a3ef591 __pyx_pw_6uvloop_4loop_4Loop_45run_until_complete (/project/uvloop/loop.c:33318:13) #36 0x000061335a8a0a18 _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:92:11) #37 0x000061335a8a0a18 PyObject_Vectorcall (/usr/src/python/Objects/call.c:325:12) #38 0x000061335a8c7807 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:2715:19) #39 0x000061335a8a3ba6 _PyEval_EvalFrame (/usr/src/python/./Include/internal/pycore_ceval.h:89:16) #40 0x000061335a8a3ba6 gen_send_ex2 (/usr/src/python/Objects/genobject.c:230:14) #41 0x000074f48d48bdc7 task_step_impl (/usr/src/python/./Modules/_asynciomodule.c:2869:22) #42 0x000074f48d48c5a2 task_step (/usr/src/python/./Modules/_asynciomodule.c:3188:11) #43 0x000061335a8a06fe _PyObject_MakeTpCall (/usr/src/python/Objects/call.c:240:18) #44 0x000061335a82380c _PyObject_VectorcallTstate (/usr/src/python/./Include/internal/pycore_call.h:90:16) #45 0x000061335a82380c context_run (/usr/src/python/Python/context.c:668:29) #46 0x000061335a912d7b cfunction_vectorcall_FASTCALL_KEYWORDS (/usr/src/python/Objects/methodobject.c:438:24) #47 0x000061335a8cb1a9 _PyEval_EvalFrameDefault (/usr/src/python/Python/bytecodes.c:3263:26) #48 0x000061335a94a4b9 PyEval_EvalCode (/usr/src/python/Python/ceval.c:578:21) #49 0x000061335a96852c run_eval_code_obj (/usr/src/python/Python/pythonrun.c:1722:9) #50 0x000061335a9684a4 run_mod (/usr/src/python/Python/pythonrun.c:1743:19) #51 0x000061335a968061 pyrun_file (/usr/src/python/Python/pythonrun.c:1643:15) #52 0x000061335a967ea7 _PyRun_SimpleFileObject (/usr/src/python/Python/pythonrun.c:433:13) #53 0x000061335a967cc7 _PyRun_AnyFileObject (/usr/src/python/Python/pythonrun.c:78:15) #54 0x000061335a972230 pymain_run_file_obj (/usr/src/python/Modules/main.c:360:15) #55 0x000061335a972230 pymain_run_file (/usr/src/python/Modules/main.c:379:15) #56 0x000061335a972230 pymain_run_python (/usr/src/python/Modules/main.c:633:21) #57 0x000061335a972230 Py_RunMain (/usr/src/python/Modules/main.c:713:5) #58 0x000061335a971dbd Py_BytesMain (/usr/src/python/Modules/main.c:767:12) #59 0x000074f48e000e40 __libc_start_main #60 0x000061335a8ea2d5 _start ``` Co-authored-by: thomas.kowalski <thomas.kowalski@datadoghq.com> (cherry picked from commit 36bf68b) Co-authored-by: Thomas Kowalski <thomas.kowalski@datadoghq.com>

cit-pr-commenter-54b7da · 2026-04-21T12:08:08Z

Codeowners resolved as

ddtrace/appsec/_iast/_taint_tracking/utils/string_utils.cpp             @DataDog/asm-python
releasenotes/notes/fix-iast-crash-missing-incref-1f03aab5298bddc4.yaml  @DataDog/apm-python

pr-commenter · 2026-04-21T12:28:52Z

Performance SLOs

Comparing candidate backport-17605-to-4.5 (93aabd1) with baseline 4.5 (723a6d4)

📈 Performance Regressions (1 suite)

📈 iastaspectsospath - 24/24

✅ ospathbasename_aspect

Time: ✅ 513.539µs (SLO: <700.000µs 📉 -26.6%) vs baseline: 📈 +20.6%

Memory: ✅ 42.605MB (SLO: <46.000MB -7.4%) vs baseline: +5.2%

✅ ospathbasename_noaspect

Time: ✅ 435.844µs (SLO: <700.000µs 📉 -37.7%) vs baseline: +1.9%

Memory: ✅ 42.625MB (SLO: <46.000MB -7.3%) vs baseline: +5.4%

✅ ospathjoin_aspect

Time: ✅ 622.160µs (SLO: <700.000µs 📉 -11.1%) vs baseline: -0.4%

Memory: ✅ 42.566MB (SLO: <46.000MB -7.5%) vs baseline: +5.1%

✅ ospathjoin_noaspect

Time: ✅ 627.537µs (SLO: <700.000µs 📉 -10.4%) vs baseline: +0.1%

Memory: ✅ 42.605MB (SLO: <46.000MB -7.4%) vs baseline: +4.9%

✅ ospathnormcase_aspect

Time: ✅ 357.990µs (SLO: <700.000µs 📉 -48.9%) vs baseline: +1.2%

Memory: ✅ 42.585MB (SLO: <46.000MB -7.4%) vs baseline: +5.2%

✅ ospathnormcase_noaspect

Time: ✅ 368.906µs (SLO: <700.000µs 📉 -47.3%) vs baseline: +3.0%

Memory: ✅ 42.703MB (SLO: <46.000MB -7.2%) vs baseline: +5.4%

✅ ospathsplit_aspect

Time: ✅ 488.717µs (SLO: <700.000µs 📉 -30.2%) vs baseline: ~same

Memory: ✅ 42.625MB (SLO: <46.000MB -7.3%) vs baseline: +5.4%

✅ ospathsplit_noaspect

Time: ✅ 500.685µs (SLO: <700.000µs 📉 -28.5%) vs baseline: +0.7%

Memory: ✅ 42.585MB (SLO: <46.000MB -7.4%) vs baseline: +5.2%

✅ ospathsplitdrive_aspect

Time: ✅ 378.785µs (SLO: <700.000µs 📉 -45.9%) vs baseline: +2.1%

Memory: ✅ 42.546MB (SLO: <46.000MB -7.5%) vs baseline: +4.8%

✅ ospathsplitdrive_noaspect

Time: ✅ 72.535µs (SLO: <700.000µs 📉 -89.6%) vs baseline: -0.2%

Memory: ✅ 42.585MB (SLO: <46.000MB -7.4%) vs baseline: +5.0%

✅ ospathsplitext_aspect

Time: ✅ 465.248µs (SLO: <700.000µs 📉 -33.5%) vs baseline: +1.2%

Memory: ✅ 42.566MB (SLO: <46.000MB -7.5%) vs baseline: +5.1%

✅ ospathsplitext_noaspect

Time: ✅ 471.263µs (SLO: <700.000µs 📉 -32.7%) vs baseline: +1.3%

Memory: ✅ 42.585MB (SLO: <46.000MB -7.4%) vs baseline: +5.1%

✅ All Tests Passing (2 suites)

✅ iastaspectssplit - 12/12

✅ rsplit_aspect

Time: ✅ 153.949µs (SLO: <250.000µs 📉 -38.4%) vs baseline: +0.3%

Memory: ✅ 42.526MB (SLO: <46.000MB -7.6%) vs baseline: +5.2%

✅ rsplit_noaspect

Time: ✅ 154.511µs (SLO: <250.000µs 📉 -38.2%) vs baseline: -3.3%

Memory: ✅ 42.605MB (SLO: <46.000MB -7.4%) vs baseline: +5.1%

✅ split_aspect

Time: ✅ 146.496µs (SLO: <250.000µs 📉 -41.4%) vs baseline: -3.2%

Memory: ✅ 42.546MB (SLO: <46.000MB -7.5%) vs baseline: +4.9%

✅ split_noaspect

Time: ✅ 150.688µs (SLO: <250.000µs 📉 -39.7%) vs baseline: -4.3%

Memory: ✅ 42.605MB (SLO: <46.000MB -7.4%) vs baseline: +5.2%

✅ splitlines_aspect

Time: ✅ 147.791µs (SLO: <250.000µs 📉 -40.9%) vs baseline: -1.2%

Memory: ✅ 42.566MB (SLO: <46.000MB -7.5%) vs baseline: +5.1%

✅ splitlines_noaspect

Time: ✅ 150.436µs (SLO: <250.000µs 📉 -39.8%) vs baseline: -3.0%

Memory: ✅ 42.664MB (SLO: <46.000MB -7.3%) vs baseline: +5.3%

✅ iastpropagation - 8/8

✅ no-propagation

Time: ✅ 48.269µs (SLO: <60.000µs 📉 -19.6%) vs baseline: ~same

Memory: ✅ 39.027MB (SLO: <42.000MB -7.1%) vs baseline: +5.3%

✅ propagation_enabled

Time: ✅ 134.368µs (SLO: <190.000µs 📉 -29.3%) vs baseline: -1.1%

Memory: ✅ 38.948MB (SLO: <42.000MB -7.3%) vs baseline: +5.0%

✅ propagation_enabled_100

Time: ✅ 1.581ms (SLO: <2.300ms 📉 -31.3%) vs baseline: +1.8%

Memory: ✅ 38.987MB (SLO: <42.000MB -7.2%) vs baseline: +4.8%

✅ propagation_enabled_1000

Time: ✅ 29.131ms (SLO: <34.550ms 📉 -15.7%) vs baseline: +0.3%

Memory: ✅ 38.948MB (SLO: <42.000MB -7.3%) vs baseline: +5.1%

ℹ️ Scenarios Missing SLO Configuration (20 scenarios)

The following scenarios exist in candidate data but have no SLO thresholds configured:

iast_aspects-re_expand_aspect
iast_aspects-re_expand_noaspect
iast_aspects-re_findall_aspect
iast_aspects-re_findall_noaspect
iast_aspects-re_finditer_aspect
iast_aspects-re_finditer_noaspect
iast_aspects-re_fullmatch_aspect
iast_aspects-re_fullmatch_noaspect
iast_aspects-re_group_aspect
iast_aspects-re_group_noaspect
iast_aspects-re_groups_aspect
iast_aspects-re_groups_noaspect
iast_aspects-re_match_aspect
iast_aspects-re_match_noaspect
iast_aspects-re_search_aspect
iast_aspects-re_search_noaspect
iast_aspects-re_sub_aspect
iast_aspects-re_sub_noaspect
iast_aspects-re_subn_aspect
iast_aspects-re_subn_noaspect

dd-octo-sts Bot requested review from a team as code owners April 21, 2026 12:07

dd-octo-sts Bot requested review from Yun-Kim and wconti27 April 21, 2026 12:07

florentinl approved these changes Apr 21, 2026

View reviewed changes

Merge branch '4.5' into backport-17605-to-4.5

2d68934

KowalskiThomas enabled auto-merge (squash) April 21, 2026 14:12

Merge branch '4.5' into backport-17605-to-4.5

93aabd1

KowalskiThomas merged commit d93e350 into 4.5 Apr 21, 2026
556 checks passed

KowalskiThomas deleted the backport-17605-to-4.5 branch April 21, 2026 17:03

Conversation

dd-octo-sts Bot commented Apr 21, 2026

Uh oh!

cit-pr-commenter-54b7da Bot commented Apr 21, 2026

Codeowners resolved as

Uh oh!

pr-commenter Bot commented Apr 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Performance SLOs

✅ ospathbasename_aspect

✅ ospathbasename_noaspect

✅ ospathjoin_aspect

✅ ospathjoin_noaspect

✅ ospathnormcase_aspect

✅ ospathnormcase_noaspect

✅ ospathsplit_aspect

✅ ospathsplit_noaspect

✅ ospathsplitdrive_aspect

✅ ospathsplitdrive_noaspect

✅ ospathsplitext_aspect

✅ ospathsplitext_noaspect

✅ rsplit_aspect

✅ rsplit_noaspect

✅ split_aspect

✅ split_noaspect

✅ splitlines_aspect

✅ splitlines_noaspect

✅ no-propagation

✅ propagation_enabled

✅ propagation_enabled_100

✅ propagation_enabled_1000

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

pr-commenter Bot commented Apr 21, 2026 •

edited

Loading