Merge branch 'main' into refactor/symdb-cap-uploads-via-ipc

Author: P403n1x87

.gitlab/testrunner.yml

@@ -1,5 +1,5 @@
 variables:
-  TESTRUNNER_IMAGE: registry.ddbuild.io/dd-trace-py:v78900213-daaf5b5-testrunner@sha256:bf80b40852537c0eca2d8ace5ffeffa7b916bc4c412bf4a3fce2f9f8d72e7a20
+  TESTRUNNER_IMAGE: registry.ddbuild.io/dd-trace-py:v81799905-0f9bd8b-testrunner@sha256:f29e49e817cb3fdcc188414b9e94bd9244df7db00b72205738a752ab23953cc5
 
 .testrunner:
   image:

ddtrace/appsec/_iast/__init__.py

@@ -46,6 +46,7 @@ def wrapped_function(wrapped, instance, args, kwargs):
 _IAST_TO_BE_LOADED = True
 _iast_propagation_enabled = False
 _fork_handler_registered = False
+_iast_in_pytest_mode = False
 
 
 def _disable_iast_after_fork():
@@ -87,6 +88,15 @@ def _disable_iast_after_fork():
         from ddtrace.appsec._iast._iast_request_context_base import is_iast_request_enabled
         from ddtrace.appsec._iast._taint_tracking._context import clear_all_request_context_slots
 
+        # In pytest mode, always disable IAST in child processes to avoid segfaults
+        # when tests create multiprocesses (e.g., for testing fork behavior)
+        if _iast_in_pytest_mode:
+            log.debug("IAST fork handler: Pytest mode detected, disabling IAST in child process")
+            clear_all_request_context_slots()
+            IAST_CONTEXT.set(None)
+            asm_config._iast_enabled = False
+            return
+
         if not is_iast_request_enabled():
             # No active context - this is an early fork (web framework worker)
             # IAST can be safely initialized fresh in this child process
@@ -168,6 +178,7 @@ def enable_iast_propagation():
     """Add IAST AST patching in the ModuleWatchdog"""
     # DEV: These imports are here to avoid _ast.ast_patching import in the top level
     # because they are slow and affect serverless startup time
+
     if asm_config._iast_propagation_enabled:
         from ddtrace.appsec._iast._ast.ast_patching import _should_iast_patch
         from ddtrace.appsec._iast._loader import _exec_iast_patched_module
@@ -183,19 +194,30 @@ def enable_iast_propagation():
 
 
 def _iast_pytest_activation():
-    global _iast_propagation_enabled
-    if _iast_propagation_enabled:
+    """Configure IAST settings for pytest execution.
+
+    This function sets up IAST configuration but does NOT create a request context.
+    Request contexts should be created per-test or per-request to avoid threading issues.
+
+    Also sets a global flag to indicate we're in pytest mode, which ensures IAST is
+    disabled in forked child processes to prevent segfaults when tests use multiprocessing.
+    """
+    global _iast_in_pytest_mode
+
+    if not asm_config._iast_enabled:
         return
-    os.environ["DD_IAST_ENABLED"] = os.environ.get("DD_IAST_ENABLED") or "1"
+
+    # Mark that we're running in pytest mode
+    # This flag is checked by the fork handler to disable IAST in child processes
+    _iast_in_pytest_mode = True
+
     os.environ["DD_IAST_REQUEST_SAMPLING"] = os.environ.get("DD_IAST_REQUEST_SAMPLING") or "100.0"
     os.environ["_DD_APPSEC_DEDUPLICATION_ENABLED"] = os.environ.get("_DD_APPSEC_DEDUPLICATION_ENABLED") or "false"
     os.environ["DD_IAST_VULNERABILITIES_PER_REQUEST"] = os.environ.get("DD_IAST_VULNERABILITIES_PER_REQUEST") or "1000"
-    os.environ["DD_IAST_MAX_CONCURRENT_REQUESTS"] = os.environ.get("DD_IAST_MAX_CONCURRENT_REQUESTS") or "1000"
 
     asm_config._iast_request_sampling = 100.0
     asm_config._deduplication_enabled = False
     asm_config._iast_max_vulnerabilities_per_requests = 1000
-    asm_config._iast_max_concurrent_requests = 1000
     oce.reconfigure()
 
 

ddtrace/internal/ipc.py

@@ -57,9 +57,7 @@ class ReadLock(BaseUnixLock):
     class WriteLock(BaseUnixLock):
         __acquire_mode__ = fcntl.LOCK_EX
 
-    @contextmanager
-    def open_file(path, mode):
-        yield unpatched_open(path, mode)
+    open_file = unpatched_open
 
 except ModuleNotFoundError:
     # Availability: Windows
@@ -78,7 +76,7 @@ def release(self):
 
     ReadLock = WriteLock = BaseWinLock  # type: ignore
 
-    def open_file(path, mode):
+    def open_file(path, mode):  # type: ignore
         import _winapi
 
         # force all modes to be read/write binary

ddtrace/settings/asm.py

@@ -140,6 +140,8 @@ class ASMConfig(DDConfig):
         + r"ey[I-L][\w=-]+\.ey[I-L][\w=-]+(\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY"
         + r"[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}",
     )
+    # We never use `asm_config._iast_max_concurrent_requests` directly,
+    # but we define it so it can be reported through telemetry, since it’s used from the C files.
     _iast_max_concurrent_requests = DDConfig.var(
         int,
         IAST.DD_IAST_MAX_CONCURRENT_REQUESTS,

docker-compose.yml

@@ -185,7 +185,7 @@ services:
         # build:
         #  context: ./docker
         #  dockerfile: Dockerfile
-        image: ghcr.io/datadog/dd-trace-py/testrunner:adc7896c0901c0589e45776d9e409c3d1b15cd51@sha256:5fa1b0062e20c753cd5da590df3841b74b9ead5b4531a7ec9f5cacd2b95386e3
+        image: ghcr.io/datadog/dd-trace-py/testrunner:1717b70091ae646ec3ee29a5cb77158a82209aa3@sha256:aac6cacc68517874da310d5ea78a967f34af8388af5c6621aba77a73c4757657
         command: bash
         environment:
           DD_FAST_BUILD: "1"

lib-injection/sources/requirements.csv

@@ -1,9 +1,9 @@
 Dependency,Version Specifier,Python Version
-bytecode,>=0.17.0,python_version>='3.14.0'
-bytecode,>=0.16.0,python_version>='3.13.0'
-bytecode,>=0.15.1,python_version~='3.12.0'
-bytecode,>=0.14.0,python_version~='3.11.0'
-bytecode,>=0.13.0,python_version<'3.11'
+bytecode,">=0.17.0,<1",python_version>='3.14.0'
+bytecode,">=0.16.0,<1",python_version>='3.13.0'
+bytecode,">=0.15.1,<1",python_version~='3.12.0'
+bytecode,">=0.14.0,<1",python_version~='3.11.0'
+bytecode,">=0.13.0,<1",python_version<'3.11'
 envier,~=0.6.1,
 opentelemetry-api,">=1,<2",
 wrapt,">=1,<3",

pyproject.toml

@@ -35,11 +35,11 @@ classifiers = [
     "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-    "bytecode>=0.17.0; python_version>='3.14.0'",
-    "bytecode>=0.16.0; python_version>='3.13.0'",
-    "bytecode>=0.15.1; python_version~='3.12.0'",
-    "bytecode>=0.14.0; python_version~='3.11.0'",
-    "bytecode>=0.13.0; python_version<'3.11'",
+    "bytecode>=0.17.0,<1; python_version>='3.14.0'",
+    "bytecode>=0.16.0,<1; python_version>='3.13.0'",
+    "bytecode>=0.15.1,<1; python_version~='3.12.0'",
+    "bytecode>=0.14.0,<1; python_version~='3.11.0'",
+    "bytecode>=0.13.0,<1; python_version<'3.11'",
     "envier~=0.6.1",
     "opentelemetry-api>=1,<2",
     "wrapt>=1,<3",

releasenotes/notes/fix-ipc-open-file-ensure-closed-98d9707f56c416da.yaml

@@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Prevent a potential ``ResourceWarning`` in multiprocess scenarios.

requirements.csv

@@ -1,9 +1,9 @@
 Dependency,Version Specifier,Python Version
-bytecode,>=0.17.0,python_version>='3.14.0'
-bytecode,>=0.16.0,python_version>='3.13.0'
-bytecode,>=0.15.1,python_version~='3.12.0'
-bytecode,>=0.14.0,python_version~='3.11.0'
-bytecode,>=0.13.0,python_version<'3.11'
+bytecode,">=0.17.0,<1",python_version>='3.14.0'
+bytecode,">=0.16.0,<1",python_version>='3.13.0'
+bytecode,">=0.15.1,<1",python_version~='3.12.0'
+bytecode,">=0.14.0,<1",python_version~='3.11.0'
+bytecode,">=0.13.0,<1",python_version<'3.11'
 envier,~=0.6.1,
 opentelemetry-api,">=1,<2",
 wrapt,">=1,<3",

riotfile.py

@@ -544,6 +544,7 @@ def select_pys(min_version: str = MIN_PYTHON_VERSION, max_version: str = MAX_PYT
             env={
                 "DD_INSTRUMENTATION_TELEMETRY_ENABLED": "0",
                 "DD_CIVISIBILITY_ITR_ENABLED": "0",
+                "DD_CIVISIBILITY_EARLY_FLAKE_DETECTION_ENABLED": "0",  # DEV: Temporary, remove once merged
             },
             command="pytest -v {cmdargs} tests/internal/",
             pkgs={