Skip to content

feat(tracebuffer): flush on drop, drain on shutdown, and support nested tokio runtimes#2005

Open
Aaalibaba42 wants to merge 8 commits into
mainfrom
jwiriath/tracebuffer-sharedruntime-rusttracer
Open

feat(tracebuffer): flush on drop, drain on shutdown, and support nested tokio runtimes#2005
Aaalibaba42 wants to merge 8 commits into
mainfrom
jwiriath/tracebuffer-sharedruntime-rusttracer

Conversation

@Aaalibaba42
Copy link
Copy Markdown
Contributor

@Aaalibaba42 Aaalibaba42 commented May 18, 2026
edited
Loading

What?

Make the TraceBuffer and SharedRuntime safe to use from within a tokio runtime, add a synchronous flush_and_wait API, ensure pending spans are drained on shutdown, and fire a best-effort flush on Drop.

Why?

  • SharedRuntime::block_on and shutdown panic with "Cannot start a runtime from within a runtime" when called from inside a tokio context (e.g. the Rust tracer embedded in an async application).
  • On shutdown, the final partial batch of spans was silently dropped because nothing drained the sender's buffer after the worker loop stopped.
  • Dropping a TraceBuffer without an explicit flush also lost any buffered spans.

How?

  • SharedRuntime (libdd-shared-runtime): block_on and shutdown now detect a running tokio Handle via Handle::try_current() and, when found, drive the blocking work on a scoped OS thread (std::thread::scope) instead of calling Runtime::block_on directly. The Arc<Runtime> is explicitly dropped on that same thread so its join-on-drop doesn't panic either. Added Send bounds on the future and its output to support this.
  • TraceBuffer (libdd-data-pipeline): Added flush_and_wait(timeout) — triggers a flush, captures the batch generation, and blocks until the worker has processed it. Added Receiver::drain() to synchronously pull remaining chunks without waiting for a flush trigger; TraceExporterWorker::shutdown now calls it to export any leftover spans. Implemented Drop for TraceBuffer<T> that fires a non-blocking flush notify.
  • TraceExporter: Added Send bounds on T::Text and T::Bytes for send_trace_chunks to satisfy the new block_on signature.

Additional Notes

  • The Drop impl is intentionally best-effort (errors are swallowed) — if the runtime is already gone, there's nothing useful to do.
  • flush_and_wait short-circuits and returns immediately when the batch is empty.
  • All new behavior is covered by tests, including regression tests that run block_on, shutdown, and drop from inside #[tokio::test].

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 18, 2026
edited
Loading

📚 Documentation Check Results

⚠️ 1427 documentation warning(s) found

📦 libdd-data-pipeline - 1050 warning(s)

📦 libdd-shared-runtime-ffi - 192 warning(s)

📦 libdd-shared-runtime - 185 warning(s)

Updated: 2026-05-22 13:16:32 UTC | Commit: 63286c6 | missing-docs job results

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 18, 2026
edited
Loading

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

  • Base Branch: origin/main
  • PR Branch: origin/jwiriath/tracebuffer-sharedruntime-rusttracer

Summary by Rule

Rule Base Branch PR Branch Change
unwrap_used 3 3 No change (0%)
Total 3 3 No change (0%)

Annotation Counts by File

File Base Branch PR Branch Change
libdd-data-pipeline/src/trace_buffer/mod.rs 1 1 No change (0%)
libdd-data-pipeline/src/trace_exporter/mod.rs 2 2 No change (0%)

Annotation Stats by Crate

Crate Base Branch PR Branch Change
clippy-annotation-reporter 5 5 No change (0%)
datadog-ffe-ffi 1 1 No change (0%)
datadog-ipc 21 21 No change (0%)
datadog-live-debugger 6 6 No change (0%)
datadog-live-debugger-ffi 10 10 No change (0%)
datadog-profiling-replayer 4 4 No change (0%)
datadog-remote-config 3 3 No change (0%)
datadog-sidecar 57 57 No change (0%)
libdd-common 13 13 No change (0%)
libdd-common-ffi 12 12 No change (0%)
libdd-data-pipeline 5 5 No change (0%)
libdd-ddsketch 2 2 No change (0%)
libdd-dogstatsd-client 1 1 No change (0%)
libdd-profiling 13 13 No change (0%)
libdd-telemetry 20 20 No change (0%)
libdd-tinybytes 4 4 No change (0%)
libdd-trace-normalization 2 2 No change (0%)
libdd-trace-obfuscation 3 3 No change (0%)
libdd-trace-stats 1 1 No change (0%)
libdd-trace-utils 15 15 No change (0%)
Total 198 198 No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 18, 2026
edited
Loading

🔒 Cargo Deny Results

⚠️ 13 issue(s) found, showing only errors (advisories, bans, sources)

📦 libdd-data-pipeline - 5 error(s)

Show output 
error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:214:1
    │
214 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      ├── libdd-common v4.1.0
      │   ├── libdd-capabilities-impl v2.0.0
      │   │   ├── libdd-data-pipeline v4.0.0
      │   │   ├── libdd-shared-runtime v1.0.0
      │   │   │   ├── libdd-data-pipeline v4.0.0 (*)
      │   │   │   ├── libdd-telemetry v5.0.0
      │   │   │   │   └── libdd-data-pipeline v4.0.0 (*)
      │   │   │   └── libdd-trace-stats v3.0.0
      │   │   │       └── libdd-data-pipeline v4.0.0 (*)
      │   │   ├── libdd-trace-stats v3.0.0 (*)
      │   │   └── libdd-trace-utils v4.0.0
      │   │       ├── libdd-data-pipeline v4.0.0 (*)
      │   │       ├── libdd-trace-obfuscation v3.0.0
      │   │       │   └── libdd-trace-stats v3.0.0 (*)
      │   │       ├── libdd-trace-stats v3.0.0 (*)
      │   │       └── (dev) libdd-trace-utils v4.0.0 (*)
      │   ├── libdd-data-pipeline v4.0.0 (*)
      │   ├── libdd-dogstatsd-client v3.0.0
      │   │   └── libdd-data-pipeline v4.0.0 (*)
      │   ├── libdd-shared-runtime v1.0.0 (*)
      │   ├── libdd-telemetry v5.0.0 (*)
      │   ├── libdd-trace-obfuscation v3.0.0 (*)
      │   ├── libdd-trace-stats v3.0.0 (*)
      │   └── libdd-trace-utils v4.0.0 (*)
      ├── (dev) libdd-data-pipeline v4.0.0 (*)
      ├── (dev) libdd-trace-normalization v2.0.0
      │   └── libdd-trace-utils v4.0.0 (*)
      ├── (dev) libdd-trace-stats v3.0.0 (*)
      ├── libdd-trace-utils v4.0.0 (*)
      └── proptest v1.5.0
          └── (dev) libdd-tinybytes v1.1.1
              ├── libdd-data-pipeline v4.0.0 (*)
              ├── (dev) libdd-tinybytes v1.1.1 (*)
              └── libdd-trace-utils v4.0.0 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:238:1
    │
238 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0098
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
    ├ Name constraints for URI names were ignored and therefore accepted.
      
      Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      └── rustls v0.23.37
          ├── hyper-rustls v0.27.7
          │   └── libdd-common v4.1.0
          │       ├── libdd-capabilities-impl v2.0.0
          │       │   ├── libdd-data-pipeline v4.0.0
          │       │   ├── libdd-shared-runtime v1.0.0
          │       │   │   ├── libdd-data-pipeline v4.0.0 (*)
          │       │   │   ├── libdd-telemetry v5.0.0
          │       │   │   │   └── libdd-data-pipeline v4.0.0 (*)
          │       │   │   └── libdd-trace-stats v3.0.0
          │       │   │       └── libdd-data-pipeline v4.0.0 (*)
          │       │   ├── libdd-trace-stats v3.0.0 (*)
          │       │   └── libdd-trace-utils v4.0.0
          │       │       ├── libdd-data-pipeline v4.0.0 (*)
          │       │       ├── libdd-trace-obfuscation v3.0.0
          │       │       │   └── libdd-trace-stats v3.0.0 (*)
          │       │       ├── libdd-trace-stats v3.0.0 (*)
          │       │       └── (dev) libdd-trace-utils v4.0.0 (*)
          │       ├── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-dogstatsd-client v3.0.0
          │       │   └── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-shared-runtime v1.0.0 (*)
          │       ├── libdd-telemetry v5.0.0 (*)
          │       ├── libdd-trace-obfuscation v3.0.0 (*)
          │       ├── libdd-trace-stats v3.0.0 (*)
          │       └── libdd-trace-utils v4.0.0 (*)
          ├── libdd-common v4.1.0 (*)
          └── tokio-rustls v0.26.0
              ├── hyper-rustls v0.27.7 (*)
              └── libdd-common v4.1.0 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:238:1
    │
238 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
    ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
      
      This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
      This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
      
      Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
      
      This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
    ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      └── rustls v0.23.37
          ├── hyper-rustls v0.27.7
          │   └── libdd-common v4.1.0
          │       ├── libdd-capabilities-impl v2.0.0
          │       │   ├── libdd-data-pipeline v4.0.0
          │       │   ├── libdd-shared-runtime v1.0.0
          │       │   │   ├── libdd-data-pipeline v4.0.0 (*)
          │       │   │   ├── libdd-telemetry v5.0.0
          │       │   │   │   └── libdd-data-pipeline v4.0.0 (*)
          │       │   │   └── libdd-trace-stats v3.0.0
          │       │   │       └── libdd-data-pipeline v4.0.0 (*)
          │       │   ├── libdd-trace-stats v3.0.0 (*)
          │       │   └── libdd-trace-utils v4.0.0
          │       │       ├── libdd-data-pipeline v4.0.0 (*)
          │       │       ├── libdd-trace-obfuscation v3.0.0
          │       │       │   └── libdd-trace-stats v3.0.0 (*)
          │       │       ├── libdd-trace-stats v3.0.0 (*)
          │       │       └── (dev) libdd-trace-utils v4.0.0 (*)
          │       ├── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-dogstatsd-client v3.0.0
          │       │   └── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-shared-runtime v1.0.0 (*)
          │       ├── libdd-telemetry v5.0.0 (*)
          │       ├── libdd-trace-obfuscation v3.0.0 (*)
          │       ├── libdd-trace-stats v3.0.0 (*)
          │       └── libdd-trace-utils v4.0.0 (*)
          ├── libdd-common v4.1.0 (*)
          └── tokio-rustls v0.26.0
              ├── hyper-rustls v0.27.7 (*)
              └── libdd-common v4.1.0 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:238:1
    │
238 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0104
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
    ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
      or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
      `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
      
      This panic is reachable prior to a CRL's signature being verified.
      
      Applications that do not use CRLs are not affected.
      
      Thank you to @tynus3 for the report.
    ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
    ├ rustls-webpki v0.103.10
      └── rustls v0.23.37
          ├── hyper-rustls v0.27.7
          │   └── libdd-common v4.1.0
          │       ├── libdd-capabilities-impl v2.0.0
          │       │   ├── libdd-data-pipeline v4.0.0
          │       │   ├── libdd-shared-runtime v1.0.0
          │       │   │   ├── libdd-data-pipeline v4.0.0 (*)
          │       │   │   ├── libdd-telemetry v5.0.0
          │       │   │   │   └── libdd-data-pipeline v4.0.0 (*)
          │       │   │   └── libdd-trace-stats v3.0.0
          │       │   │       └── libdd-data-pipeline v4.0.0 (*)
          │       │   ├── libdd-trace-stats v3.0.0 (*)
          │       │   └── libdd-trace-utils v4.0.0
          │       │       ├── libdd-data-pipeline v4.0.0 (*)
          │       │       ├── libdd-trace-obfuscation v3.0.0
          │       │       │   └── libdd-trace-stats v3.0.0 (*)
          │       │       ├── libdd-trace-stats v3.0.0 (*)
          │       │       └── (dev) libdd-trace-utils v4.0.0 (*)
          │       ├── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-dogstatsd-client v3.0.0
          │       │   └── libdd-data-pipeline v4.0.0 (*)
          │       ├── libdd-shared-runtime v1.0.0 (*)
          │       ├── libdd-telemetry v5.0.0 (*)
          │       ├── libdd-trace-obfuscation v3.0.0 (*)
          │       ├── libdd-trace-stats v3.0.0 (*)
          │       └── libdd-trace-utils v4.0.0 (*)
          ├── libdd-common v4.1.0 (*)
          └── tokio-rustls v0.26.0
              ├── hyper-rustls v0.27.7 (*)
              └── libdd-common v4.1.0 (*)

error[vulnerability]: Denial of Service via Stack Exhaustion
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:278:1
    │
278 │ time 0.3.41 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0009
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
    ├ ## Impact
      
      When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
      service attack via stack exhaustion is possible. The attack relies on formally deprecated and
      rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
      non-malicious input will never encounter this scenario.
      
      ## Patches
      
      A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
      rather than exhausting the stack.
      
      ## Workarounds
      
      Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
      the stack consumed would be at most a factor of the length of the input.
    ├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05
    ├ Solution: Upgrade to >=0.3.47 (try `cargo update -p time`)
    ├ time v0.3.41
      └── tracing-appender v0.2.3
          └── libdd-log v1.0.0
              └── (dev) libdd-data-pipeline v4.0.0

advisories FAILED, bans ok, sources ok

📦 libdd-shared-runtime-ffi - 4 error(s)

Show output 
error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:83:1
   │
83 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2026-0097
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
   ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
     
     - The `log` and `thread_rng` features are enabled
     - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
     - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
     - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
     - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
     
     `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
   ├ Announcement: https://github.com/rust-random/rand/pull/1763
   ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
   ├ rand v0.8.5
     └── (dev) libdd-common v4.1.0
         ├── libdd-capabilities-impl v2.0.0
         │   └── libdd-shared-runtime v1.0.0
         │       └── libdd-shared-runtime-ffi v34.0.0
         └── libdd-shared-runtime v1.0.0 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:94:1
   │
94 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0098
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
   ├ Name constraints for URI names were ignored and therefore accepted.
     
     Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       │       └── libdd-shared-runtime-ffi v34.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:94:1
   │
94 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0099
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
   ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
     
     This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
     This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       │       └── libdd-shared-runtime-ffi v34.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:94:1
   │
94 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0104
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
   ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
     or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
     `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
     
     This panic is reachable prior to a CRL's signature being verified.
     
     Applications that do not use CRLs are not affected.
     
     Thank you to @tynus3 for the report.
   ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       │       └── libdd-shared-runtime-ffi v34.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

advisories FAILED, bans ok, sources ok

📦 libdd-shared-runtime - 4 error(s)

Show output 
error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:69:1
   │
69 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2026-0097
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
   ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
     
     - The `log` and `thread_rng` features are enabled
     - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
     - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
     - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
     - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
     
     `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
   ├ Announcement: https://github.com/rust-random/rand/pull/1763
   ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
   ├ rand v0.8.5
     └── (dev) libdd-common v4.1.0
         ├── libdd-capabilities-impl v2.0.0
         │   └── libdd-shared-runtime v1.0.0
         └── libdd-shared-runtime v1.0.0 (*)

error[vulnerability]: Name constraints for URI names were incorrectly accepted
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:80:1
   │
80 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0098
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0098
   ├ Name constraints for URI names were ignored and therefore accepted.
     
     Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.  URI name constraints are now rejected unconditionally.
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-965h-392x-2mh5](https://github.com/rustls/webpki/security/advisories/GHSA-965h-392x-2mh5). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:80:1
   │
80 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0099
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0099
   ├ Permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name.
     
     This was incorrect because, given a name constraint of `accept.example.com`, `*.example.com` could feasibly allow a name of `reject.example.com` which is outside the constraint.
     This is very similar to [CVE-2025-61727](https://go.dev/issue/76442).
     
     Since name constraints are restrictions on otherwise properly-issued certificates, this bug is reachable only after signature verification and requires misissuance to exploit.
     
     This vulnerability is identified as [GHSA-xgp8-3hg3-c2mh](https://github.com/rustls/webpki/security/advisories/GHSA-xgp8-3hg3-c2mh). Thank you to @1seal for the report.
   ├ Solution: Upgrade to >=0.103.12, <0.104.0-alpha.1 OR >=0.104.0-alpha.6 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

error[vulnerability]: Reachable panic in certificate revocation list parsing
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:80:1
   │
80 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0104
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0104
   ├ A panic was reachable when parsing certificate revocation lists via [`BorrowedCertRevocationList::from_der`]
     or [`OwnedCertRevocationList::from_der`].  This was the result of mishandling a syntactically valid empty
     `BIT STRING` appearing in the `onlySomeReasons` element of a `IssuingDistributionPoint` CRL extension.
     
     This panic is reachable prior to a CRL's signature being verified.
     
     Applications that do not use CRLs are not affected.
     
     Thank you to @tynus3 for the report.
   ├ Solution: Upgrade to >=0.103.13, <0.104.0-alpha.1 OR >=0.104.0-alpha.7 (try `cargo update -p rustls-webpki`)
   ├ rustls-webpki v0.103.10
     └── rustls v0.23.37
         ├── hyper-rustls v0.27.7
         │   └── libdd-common v4.1.0
         │       ├── libdd-capabilities-impl v2.0.0
         │       │   └── libdd-shared-runtime v1.0.0
         │       └── libdd-shared-runtime v1.0.0 (*)
         ├── libdd-common v4.1.0 (*)
         └── tokio-rustls v0.26.0
             ├── hyper-rustls v0.27.7 (*)
             └── libdd-common v4.1.0 (*)

advisories FAILED, bans ok, sources ok

Updated: 2026-05-22 13:17:44 UTC | Commit: 63286c6 | dependency-check job results

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented May 18, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 82.64059% with 71 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.92%. Comparing base (dbc2cf7) to head (3dae176).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2005      +/-   ##
==========================================
+ Coverage   72.83%   72.92%   +0.09%     
==========================================
  Files         458      458              
  Lines       75789    76036     +247     
==========================================
+ Hits        55201    55453     +252     
+ Misses      20588    20583       -5
Components Coverage Δ
libdd-crashtracker 65.22% <ø> (+0.01%) ⬆️
libdd-crashtracker-ffi 36.82% <ø> (ø)
libdd-alloc 98.77% <ø> (ø)
libdd-data-pipeline 87.50% <84.86%> (+0.81%) ⬆️
libdd-data-pipeline-ffi 78.63% <ø> (ø)
libdd-common 79.81% <ø> (ø)
libdd-common-ffi 74.41% <ø> (ø)
libdd-telemetry 73.40% <ø> (+0.05%) ⬆️
libdd-telemetry-ffi 31.36% <ø> (ø)
libdd-dogstatsd-client 82.64% <ø> (ø)
datadog-ipc 76.22% <ø> (ø)
libdd-profiling 81.70% <ø> (+0.01%) ⬆️
libdd-profiling-ffi 64.79% <ø> (ø)
libdd-sampling 97.46% <ø> (ø)
datadog-sidecar 29.06% <ø> (ø)
datdog-sidecar-ffi 9.52% <ø> (ø)
spawn-worker 48.86% <ø> (ø)
libdd-tinybytes 93.16% <ø> (ø)
libdd-trace-normalization 81.71% <ø> (ø)
libdd-trace-obfuscation 87.30% <ø> (ø)
libdd-trace-protobuf 68.25% <ø> (ø)
libdd-trace-utils 88.86% <ø> (ø)
libdd-tracer-flare 86.88% <ø> (ø)
libdd-log 74.83% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@datadog-datadog-prod-us1
Copy link
Copy Markdown
Contributor

datadog-datadog-prod-us1 Bot commented May 18, 2026
edited by datadog-prod-us1-5 Bot
Loading

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Test | cargo check --target wasm32-unknown-unknown   View in Datadog   GitHub Actions

🔧 Fix in code (Fix with Cursor). Compilation error in libdd-data-pipeline/src/trace_exporter/builder.rs:318: error[E0599]: no method named `block_on` found for struct `Arc<SharedRuntime>` in the current scope.

Required checks pass | allchecks   View in Datadog   GitHub Actions

🔄 Retry job. This looks flaky and may succeed on retry. Some checks have failed or timed out during execution.

semver-check | validate   View in Datadog   GitHub Actions

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration. SEMVER validation failed due to added enum variants in libdd-shared-runtime without proper breaking change marker in PR title or body.

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 82.64%
Overall Coverage: 72.93% (+0.09%)

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 3dae176 | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented May 18, 2026
edited
Loading

Artifact Size Benchmark Report

aarch64-alpine-linux-musl
Artifact Baseline Commit Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so 7.57 MB 7.57 MB 0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a 82.01 MB 82.11 MB +.12% (+102.11 KB) 🔍
aarch64-unknown-linux-gnu
Artifact Baseline Commit Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.02 MB 10.09 MB +.72% (+73.94 KB) 🔍
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a 98.27 MB 98.43 MB +.16% (+162.28 KB) 🔍
libdatadog-x64-windows
Artifact Baseline Commit Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll 24.54 MB 24.56 MB +.07% (+18.00 KB) 🔍
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib 81.48 KB 81.48 KB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb 180.48 MB 180.90 MB +.23% (+432.00 KB) 🔍
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib 914.99 MB 916.98 MB +.21% (+1.98 MB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll 7.76 MB 7.78 MB +.27% (+21.50 KB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib 81.48 KB 81.48 KB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb 23.24 MB 23.29 MB +.20% (+48.00 KB) 🔍
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib 45.50 MB 45.60 MB +.22% (+103.77 KB) 🔍
libdatadog-x86-windows
Artifact Baseline Commit Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll 21.15 MB 21.17 MB +.06% (+14.50 KB) 🔍
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib 82.76 KB 82.76 KB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb 184.70 MB 185.14 MB +.23% (+448.00 KB) 🔍
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib 900.70 MB 902.64 MB +.21% (+1.93 MB) 🔍
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll 6.01 MB 6.03 MB +.25% (+15.50 KB) 🔍
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib 82.76 KB 82.76 KB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb 24.90 MB 24.95 MB +.21% (+56.00 KB) 🔍
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib 43.00 MB 43.10 MB +.23% (+103.01 KB) 🔍
x86_64-alpine-linux-musl
Artifact Baseline Commit Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a 73.11 MB 73.22 MB +.14% (+108.53 KB) 🔍
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so 8.45 MB 8.45 MB +.09% (+8.00 KB) 🔍
x86_64-unknown-linux-gnu
Artifact Baseline Commit Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a 90.92 MB 91.06 MB +.15% (+145.48 KB) 🔍
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.08 MB 10.10 MB +.15% (+15.88 KB) 🔍

@Aaalibaba42 Aaalibaba42 force-pushed the jwiriath/tracebuffer-sharedruntime-rusttracer branch from b5a716f to d55d383 Compare May 18, 2026 12:04
@Aaalibaba42 Aaalibaba42 marked this pull request as ready for review May 19, 2026 12:14
@Aaalibaba42 Aaalibaba42 requested review from a team as code owners May 19, 2026 12:14
@Aaalibaba42 Aaalibaba42 force-pushed the jwiriath/tracebuffer-sharedruntime-rusttracer branch 2 times, most recently from d4d669c to 463495c Compare May 19, 2026 12:15
@Aaalibaba42 Aaalibaba42 changed the title feat: separate os thread for shared runtime to avoid tokio-in-tokio bugs feat(tracebuffer): flush on drop, drain on shutdown, and support nested tokio runtimes May 19, 2026
yannham
yannham requested changes May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@yannham yannham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've discussed this offline, and the consensus seemed to be that the actual issue of the runtime-in-the-runtime problem is that some functions of our API pretend to be async but actually use block_on under the hood. It seems one possible solution is to actually make them async, and to offer a customary blocking API at the top-level only. Then, from Rust we could only use the purely async API and not care about the shared runtime at all.

On the other hand, the current solution secretly spawns a thread and run a second runtime on the side, while blocking the original executor's thread waiting for the answer. This is a bit fishy, and we never want to block an async executor thread, as this will block a whole bunch of unrelated async tasks queued on this thread.

@Aaalibaba42 Aaalibaba42 force-pushed the jwiriath/tracebuffer-sharedruntime-rusttracer branch from 13fe812 to f8d6d54 Compare May 22, 2026 12:36
@Aaalibaba42 Aaalibaba42 force-pushed the jwiriath/tracebuffer-sharedruntime-rusttracer branch from f8d6d54 to fd24165 Compare May 22, 2026 12:46
Aaalibaba42 and others added 2 commits May 22, 2026 14:55
@Aaalibaba42 @cursoragent
fixup! feat: flush&drain
e8c0427 
Co-authored-by: Cursor <cursoragent@cursor.com>
@Aaalibaba42 @cursoragent
fixup! feat: add best-effort drop impl for the tracebuffer that flushes
3dae176 
Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yannham yannham yannham requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

data-pipeline

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Aaalibaba42 @codecov-commenter @yannham