Merge branch 'main' into 4.0-breaking-changes

Author: emmettbutler

ddtrace/_trace/span.py

@@ -276,6 +276,12 @@ def finished(self, value: bool) -> None:
         If the span is already finished and a truthy value is provided
         no action will occur.
         """
+        deprecate(
+            prefix="The finished setter is deprecated",
+            message="""Use the finish() method to finish a span.""",
+            category=DDTraceDeprecationWarning,
+            removal_version="4.0.0",
+        )
         if value:
             if not self.finished:
                 self.duration_ns = Time.time_ns() - self.start_ns
@@ -767,7 +773,7 @@ def _set_link_or_append_pointer(self, link: Union[SpanLink, _SpanPointer]) -> No
         except ValueError:
             self._links.append(link)
 
-    def finish_with_ancestors(self) -> None:
+    def _finish_with_ancestors(self) -> None:
         """Finish this span along with all (accessible) ancestors of this span.
 
         This method is useful if a sudden program shutdown is required and finishing
@@ -778,6 +784,15 @@ def finish_with_ancestors(self) -> None:
             span.finish()
             span = span._parent
 
+    @removals.remove(removal_version="4.0.0")
+    def finish_with_ancestors(self) -> None:
+        """Finish this span along with all (accessible) ancestors of this span.
+
+        This method is useful if a sudden program shutdown is required and finishing
+        the trace is desired.
+        """
+        self._finish_with_ancestors()
+
     def __enter__(self) -> "Span":
         return self
 

ddtrace/appsec/_iast/__init__.py

@@ -46,6 +46,7 @@ def wrapped_function(wrapped, instance, args, kwargs):
 _IAST_TO_BE_LOADED = True
 _iast_propagation_enabled = False
 _fork_handler_registered = False
+_iast_in_pytest_mode = False
 
 
 def _disable_iast_after_fork():
@@ -87,6 +88,15 @@ def _disable_iast_after_fork():
         from ddtrace.appsec._iast._iast_request_context_base import is_iast_request_enabled
         from ddtrace.appsec._iast._taint_tracking._context import clear_all_request_context_slots
 
+        # In pytest mode, always disable IAST in child processes to avoid segfaults
+        # when tests create multiprocesses (e.g., for testing fork behavior)
+        if _iast_in_pytest_mode:
+            log.debug("IAST fork handler: Pytest mode detected, disabling IAST in child process")
+            clear_all_request_context_slots()
+            IAST_CONTEXT.set(None)
+            asm_config._iast_enabled = False
+            return
+
         if not is_iast_request_enabled():
             # No active context - this is an early fork (web framework worker)
             # IAST can be safely initialized fresh in this child process
@@ -168,6 +178,7 @@ def enable_iast_propagation():
     """Add IAST AST patching in the ModuleWatchdog"""
     # DEV: These imports are here to avoid _ast.ast_patching import in the top level
     # because they are slow and affect serverless startup time
+
     if asm_config._iast_propagation_enabled:
         from ddtrace.appsec._iast._ast.ast_patching import _should_iast_patch
         from ddtrace.appsec._iast._loader import _exec_iast_patched_module
@@ -183,19 +194,30 @@ def enable_iast_propagation():
 
 
 def _iast_pytest_activation():
-    global _iast_propagation_enabled
-    if _iast_propagation_enabled:
+    """Configure IAST settings for pytest execution.
+
+    This function sets up IAST configuration but does NOT create a request context.
+    Request contexts should be created per-test or per-request to avoid threading issues.
+
+    Also sets a global flag to indicate we're in pytest mode, which ensures IAST is
+    disabled in forked child processes to prevent segfaults when tests use multiprocessing.
+    """
+    global _iast_in_pytest_mode
+
+    if not asm_config._iast_enabled:
         return
-    os.environ["DD_IAST_ENABLED"] = os.environ.get("DD_IAST_ENABLED") or "1"
+
+    # Mark that we're running in pytest mode
+    # This flag is checked by the fork handler to disable IAST in child processes
+    _iast_in_pytest_mode = True
+
     os.environ["DD_IAST_REQUEST_SAMPLING"] = os.environ.get("DD_IAST_REQUEST_SAMPLING") or "100.0"
     os.environ["_DD_APPSEC_DEDUPLICATION_ENABLED"] = os.environ.get("_DD_APPSEC_DEDUPLICATION_ENABLED") or "false"
     os.environ["DD_IAST_VULNERABILITIES_PER_REQUEST"] = os.environ.get("DD_IAST_VULNERABILITIES_PER_REQUEST") or "1000"
-    os.environ["DD_IAST_MAX_CONCURRENT_REQUESTS"] = os.environ.get("DD_IAST_MAX_CONCURRENT_REQUESTS") or "1000"
 
     asm_config._iast_request_sampling = 100.0
     asm_config._deduplication_enabled = False
     asm_config._iast_max_vulnerabilities_per_requests = 1000
-    asm_config._iast_max_concurrent_requests = 1000
     oce.reconfigure()
 
 

ddtrace/contrib/internal/aws_lambda/patch.py

@@ -103,7 +103,7 @@ def _crash_flush(self, _, __):
 
         current_span = tracer.current_span()
         if current_span is not None:
-            current_span.finish_with_ancestors()
+            current_span._finish_with_ancestors()
 
     def _remove_alarm_signal(self):
         """Removes the handler set for the signal `SIGALRM`."""

ddtrace/internal/packages.py

@@ -142,11 +142,11 @@ def _root_module(path: Path) -> str:
             pass
 
     # Bazel runfiles support: we assume that these paths look like
-    # /some/path.runfiles/.../site-packages/<root_module>/...
-    if any(p.suffix == ".runfiles" for p in path.parents):
-        for s in path.parents:
-            if s.parent.name == "site-packages":
-                return s.name
+    # /some/path.runfiles/<distribution_name>/site-packages/<root_module>/...
+    # /usr/local/runfiles/<distribution_name>/site-packages/<root_module>/...
+    for s in path.parents:
+        if s.parent.name == "site-packages":
+            return s.name
 
     msg = f"Could not find root module for path {path}"
     raise ValueError(msg)

ddtrace/internal/settings/asm.py

@@ -142,6 +142,8 @@ class ASMConfig(DDConfig):
         + r"ey[I-L][\w=-]+\.ey[I-L][\w=-]+(\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY"
         + r"[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}",
     )
+    # We never use `asm_config._iast_max_concurrent_requests` directly,
+    # but we define it so it can be reported through telemetry, since it’s used from the C files.
     _iast_max_concurrent_requests = DDConfig.var(
         int,
         IAST.DD_IAST_MAX_CONCURRENT_REQUESTS,

lib-injection/sources/requirements.csv

@@ -1,9 +1,9 @@
 Dependency,Version Specifier,Python Version
-bytecode,>=0.17.0,python_version>='3.14.0'
-bytecode,>=0.16.0,python_version>='3.13.0'
-bytecode,>=0.15.1,python_version~='3.12.0'
-bytecode,>=0.14.0,python_version~='3.11.0'
-bytecode,>=0.13.0,python_version<'3.11'
+bytecode,">=0.17.0,<1",python_version>='3.14.0'
+bytecode,">=0.16.0,<1",python_version>='3.13.0'
+bytecode,">=0.15.1,<1",python_version~='3.12.0'
+bytecode,">=0.14.0,<1",python_version~='3.11.0'
+bytecode,">=0.13.0,<1",python_version<'3.11'
 envier,~=0.6.1,
 opentelemetry-api,">=1,<2",
 wrapt,">=1,<3",

pyproject.toml

@@ -35,11 +35,11 @@ classifiers = [
     "Programming Language :: Python :: 3.14",
 ]
 dependencies = [
-    "bytecode>=0.17.0; python_version>='3.14.0'",
-    "bytecode>=0.16.0; python_version>='3.13.0'",
-    "bytecode>=0.15.1; python_version~='3.12.0'",
-    "bytecode>=0.14.0; python_version~='3.11.0'",
-    "bytecode>=0.13.0; python_version<'3.11'",
+    "bytecode>=0.17.0,<1; python_version>='3.14.0'",
+    "bytecode>=0.16.0,<1; python_version>='3.13.0'",
+    "bytecode>=0.15.1,<1; python_version~='3.12.0'",
+    "bytecode>=0.14.0,<1; python_version~='3.11.0'",
+    "bytecode>=0.13.0,<1; python_version<'3.11'",
     "envier~=0.6.1",
     "opentelemetry-api>=1,<2",
     "wrapt>=1,<3",

releasenotes/notes/deprecate-span-finished-finish-with-ancestors-c75633a9baaa9463.yaml

@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    tracing: ``Span.finished`` setter is deprecated, use ``Span.finish()`` method instead.
+  - |
+    tracing: ``Span.finish_with_ancestors()`` is deprecated with no alternative.

requirements.csv

@@ -1,9 +1,9 @@
 Dependency,Version Specifier,Python Version
-bytecode,>=0.17.0,python_version>='3.14.0'
-bytecode,>=0.16.0,python_version>='3.13.0'
-bytecode,>=0.15.1,python_version~='3.12.0'
-bytecode,>=0.14.0,python_version~='3.11.0'
-bytecode,>=0.13.0,python_version<'3.11'
+bytecode,">=0.17.0,<1",python_version>='3.14.0'
+bytecode,">=0.16.0,<1",python_version>='3.13.0'
+bytecode,">=0.15.1,<1",python_version~='3.12.0'
+bytecode,">=0.14.0,<1",python_version~='3.11.0'
+bytecode,">=0.13.0,<1",python_version<'3.11'
 envier,~=0.6.1,
 opentelemetry-api,">=1,<2",
 wrapt,">=1,<3",

scripts/check-dependency-bounds

@@ -0,0 +1,185 @@
+#!/usr/bin/env scripts/uv-run-script
+# -*- mode: python -*-
+# /// script
+# dependencies = [
+#     "packaging>=23.1,<24",
+# ]
+# ///
+"""
+Validate that all project dependencies have well-defined version ranges.
+
+This script checks that dependencies in pyproject.toml have both lower and upper
+bounds to prevent unexpected breaking changes from transitive dependencies.
+
+Acceptable formats:
+- >=X.Y,<X.Z (explicit bounds)
+- ~=X.Y.Z (compatible release with at least x.y format, implies upper bound)
+
+Unacceptable formats:
+- >=X.Y (open-ended, no upper bound)
+- <X.Y (only upper bound)
+- ~=X (only single version component, too open-ended)
+- package (no version specified)
+"""
+
+import sys
+import tomllib
+from pathlib import Path
+from typing import Dict, List, Tuple
+
+from packaging.specifiers import SpecifierSet
+
+
+def load_pyproject() -> Dict:
+    """Load and parse pyproject.toml from the current directory."""
+    pyproject_path = Path("pyproject.toml")
+    if not pyproject_path.exists():
+        print(f"Error: {pyproject_path} not found")
+        sys.exit(1)
+
+    with open(pyproject_path, "rb") as f:
+        return tomllib.load(f)
+
+
+def has_lower_bound(spec_set: SpecifierSet) -> bool:
+    """Check if specifier set has a lower bound."""
+    for spec in spec_set:
+        operator = spec.operator
+        if operator in (">=", ">", "~=", "=="):
+            return True
+    return False
+
+
+def has_upper_bound(spec_set: SpecifierSet) -> bool:
+    """Check if specifier set has an upper bound."""
+    for spec in spec_set:
+        operator = spec.operator
+        if operator in ("<", "<=", "~=", "=="):
+            return True
+    return False
+
+
+def is_well_defined(spec_string: str) -> Tuple[bool, str]:
+    """
+    Check if a version specifier is well-defined.
+
+    Returns:
+        Tuple of (is_valid, reason_if_invalid)
+    """
+    # Handle empty string (no version specified)
+    if not spec_string.strip():
+        return False, "no version specified"
+
+    try:
+        spec_set = SpecifierSet(spec_string)
+    except Exception as e:
+        return False, f"invalid specifier: {e}"
+
+    # Check for lower bound
+    if not has_lower_bound(spec_set):
+        return False, "missing lower bound (no >=, >, ~=, or ==)"
+
+    # Check for upper bound
+    if not has_upper_bound(spec_set):
+        return False, "missing upper bound (no <, <=, ~=, or ==)"
+
+    # If using compatible release (~=), ensure it has at least x.y format
+    for spec in spec_set:
+        if spec.operator == "~=":
+            version_parts = spec.version.split(".")
+            if len(version_parts) < 2:
+                return False, f"compatible release ~= requires at least x.y format (got ~={spec.version})"
+
+    return True, ""
+
+
+def check_dependencies(data: Dict) -> List[str]:
+    """
+    Check all project dependencies for well-defined version ranges.
+
+    Returns:
+        List of error messages for violations found
+    """
+    violations = []
+
+    # Check project.dependencies
+    if "project" in data and "dependencies" in data["project"]:
+        violations.extend(
+            check_dependency_section(
+                data["project"]["dependencies"],
+                "project.dependencies",
+            )
+        )
+
+    # Check project.optional-dependencies
+    if "project" in data and "optional-dependencies" in data["project"]:
+        optional_deps = data["project"]["optional-dependencies"]
+        for group_name, deps in optional_deps.items():
+            violations.extend(
+                check_dependency_section(
+                    deps,
+                    f"project.optional-dependencies[{group_name}]",
+                )
+            )
+
+    return violations
+
+
+def check_dependency_section(deps: List[str], section_name: str) -> List[str]:
+    """Check a single dependency section for violations."""
+    violations = []
+
+    for dep_line in deps:
+        # Parse package name and version specifier
+        # Format: "package_name[extras]version_spec" or just "package_name"
+        parts = dep_line.split(";", 1)  # Split on environment marker
+        dep_spec = parts[0].strip()
+
+        # Extract package name and version specifier
+        # Find where the version specifier starts (first operator: >, <, =, ~, !)
+        package_name = ""
+        version_spec = ""
+
+        for i, char in enumerate(dep_spec):
+            if char in (">=", "<", "=", "~", "!", ">", "<") or dep_spec[i:].startswith((">=", "<=", "~=")):
+                package_name = dep_spec[:i].strip()
+                version_spec = dep_spec[i:].strip()
+                break
+        else:
+            # No version specifier found
+            package_name = dep_spec.strip()
+            version_spec = ""
+
+        # Remove environment markers from package name if present
+        if "[" in package_name:
+            package_name = package_name.split("[")[0]
+
+        is_valid, reason = is_well_defined(version_spec)
+
+        if not is_valid:
+            violations.append(
+                f"{section_name}: '{package_name}' has {reason} (specifier: '{version_spec}')"
+            )
+
+    return violations
+
+
+def main() -> int:
+    """Main entry point."""
+    data = load_pyproject()
+    violations = check_dependencies(data)
+
+    if violations:
+        print("❌ Dependency validation failed:\n")
+        for violation in violations:
+            print(f"  {violation}")
+        print("\nAll dependencies must have both lower and upper bounds.")
+        print("Acceptable formats: >=X.Y,<X.Z or ~=X.Y.Z (compatible release)")
+        return 1
+
+    print("✅ All dependencies have well-defined version ranges")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())