ddtrace 1.17.0 → 1.18.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2da890705f074bf11ffaa1b5099472a4695d318fc1a1a98238d61a061d6582ec
-  data.tar.gz: 8c6db62249ee456939c3eacdeddb0f985148e9daa78adb844144d8da1191e8bb
+  metadata.gz: 69e775ab06a83ce14114a7287056e3d3fb575191b7ff6ccdc5c7b33f7fd58172
+  data.tar.gz: 13b607a4e29e516be4988dca7827eca09b79e968cf98e0641a155039d2ec3273
 SHA512:
-  metadata.gz: a70b6856159a46f30a4ff67bc672011bb016b2aa7b1562834957a325eee90be681f9d0e153ef94c97a4ce675f7b63ac9f5a68f5573b4b9144ee40cf89a70395f
-  data.tar.gz: 0d8d1a5d2ee255e53daab1cea7e82ec6f61c8e4a67b89ab1293853786d634c6cde2407a1ea0ceb4ff8bbb3391940dec5bdcfc56dd4b55b7b3826e35bdcff84eb
+  metadata.gz: d345e07c8b0a654974c51a7457b3fc6d3d7eb99226cfc5555d6bc8ee3e65b17b3782b1e582591be925297c09dd104108007b2081e28ee43c103f8f2fec3ffe5b
+  data.tar.gz: '085ea801f5fae16ed58cd79bab86839cd1aa23fa09261b39219264f603455633e19dbb8f60d647e407c7218d7d00052ef7b593405ec5af828af56ffecd58227d'

data/CHANGELOG.md

@@ -2,6 +2,28 @@
 
 ## [Unreleased]
 
+## [1.18.0] - 2023-12-07
+
+### Added
+
+* Tracing: Support lib injection for ARM64 architecture ([#3307][])
+* Tracing: Add `error_handler` for `pg` instrumentation ([#3303][])
+* Appsec: Enable "Trusted IPs", a.k.a passlist with optional monitoring ([#3229][])
+
+### Changed
+
+* Mark ddtrace threads as fork-safe ([#3279][])
+* Bump `datadog-ci` dependency to 0.5.0 ([#3308][])
+* Bump `debase-ruby_core_source` dependency to 3.2.3 ([#3284][])
+* Profiling: Disable profiler on Ruby 3.3 when running with RUBY_MN_THREADS=1 ([#3259][])
+* Profiling: Run without "no signals" workaround on passenger 6.0.19+ ([#3280][])
+
+### Fixed
+
+* Tracing: Fix `pg` instrumentation `enabled` settings ([#3271][])
+* Profiling: Fix potential crash by importing upstream `rb_profile_frames` fix ([#3289][])
+* Appsec: Call `devise` RegistrationsController block ([#3286][])
+
 ## [1.17.0] - 2023-11-22
 
 For W3C Trace Context, this release adds [`tracecontext`](https://www.w3.org/TR/trace-context/) to the default trace propagation extraction and injection styles. The new defaults are:
@@ -23,7 +45,7 @@ For CI Visibility, you can now manually create CI traces and spans with the [new
 ### Changed
 
 * Tracing: Set 128-bit trace_id to true by default ([#3266][])
-* Tracing: Default trace propagation styles to `Datadog,b3multi,b3,tracecontext` ([#3248][],#3267)
+* Tracing: Default trace propagation styles to `Datadog,b3multi,b3,tracecontext` ([#3248][],[#3267][])
 * Ci-App: Upgraded `datadog-ci` dependency to 0.4 ([#3270][])
 
 ## [1.16.2] - 2023-11-10
@@ -2658,7 +2680,8 @@ Release notes: https://github.com/DataDog/dd-trace-rb/releases/tag/v0.3.1
 Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 
 
-[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.17.0...master
+[Unreleased]: https://github.com/DataDog/dd-trace-rb/compare/v1.18.0...master
+[1.18.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.17.0...v1.18.0
 [1.17.0]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.2...v1.17.0
 [1.16.2]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.1...v1.16.2
 [1.16.1]: https://github.com/DataDog/dd-trace-rb/compare/v1.16.0...v1.16.1
@@ -3870,6 +3893,7 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#3206]: https://github.com/DataDog/dd-trace-rb/issues/3206
 [#3207]: https://github.com/DataDog/dd-trace-rb/issues/3207
 [#3223]: https://github.com/DataDog/dd-trace-rb/issues/3223
+[#3229]: https://github.com/DataDog/dd-trace-rb/issues/3229
 [#3234]: https://github.com/DataDog/dd-trace-rb/issues/3234
 [#3235]: https://github.com/DataDog/dd-trace-rb/issues/3235
 [#3240]: https://github.com/DataDog/dd-trace-rb/issues/3240
@@ -3877,11 +3901,21 @@ Git diff: https://github.com/DataDog/dd-trace-rb/compare/v0.3.0...v0.3.1
 [#3248]: https://github.com/DataDog/dd-trace-rb/issues/3248
 [#3252]: https://github.com/DataDog/dd-trace-rb/issues/3252
 [#3255]: https://github.com/DataDog/dd-trace-rb/issues/3255
+[#3259]: https://github.com/DataDog/dd-trace-rb/issues/3259
 [#3262]: https://github.com/DataDog/dd-trace-rb/issues/3262
 [#3266]: https://github.com/DataDog/dd-trace-rb/issues/3266
 [#3267]: https://github.com/DataDog/dd-trace-rb/issues/3267
 [#3270]: https://github.com/DataDog/dd-trace-rb/issues/3270
+[#3271]: https://github.com/DataDog/dd-trace-rb/issues/3271
 [#3273]: https://github.com/DataDog/dd-trace-rb/issues/3273
+[#3279]: https://github.com/DataDog/dd-trace-rb/issues/3279
+[#3280]: https://github.com/DataDog/dd-trace-rb/issues/3280
+[#3284]: https://github.com/DataDog/dd-trace-rb/issues/3284
+[#3286]: https://github.com/DataDog/dd-trace-rb/issues/3286
+[#3289]: https://github.com/DataDog/dd-trace-rb/issues/3289
+[#3303]: https://github.com/DataDog/dd-trace-rb/issues/3303
+[#3307]: https://github.com/DataDog/dd-trace-rb/issues/3307
+[#3308]: https://github.com/DataDog/dd-trace-rb/issues/3308
 [@AdrianLC]: https://github.com/AdrianLC
 [@Azure7111]: https://github.com/Azure7111
 [@BabyGroot]: https://github.com/BabyGroot

data/ext/ddtrace_profiling_native_extension/clock_id_from_pthread.c

@@ -25,6 +25,9 @@ void self_test_clock_id(void) {
 // Safety: This function is assumed never to raise exceptions by callers
 thread_cpu_time_id thread_cpu_time_id_for(VALUE thread) {
   rb_nativethread_id_t thread_id = pthread_id_for(thread);
+
+  if (thread_id == 0) return (thread_cpu_time_id) {.valid = false};
+
   clockid_t clock_id;
 
   int error = pthread_getcpuclockid(thread_id, &clock_id);

data/ext/ddtrace_profiling_native_extension/collectors_thread_context.c

@@ -1150,6 +1150,7 @@ void thread_context_collector_sample_allocation(VALUE self_instance, unsigned in
   // Since this is stack allocated, be careful about moving it
   ddog_CharSlice class_name;
   ddog_CharSlice *optional_class_name = NULL;
+  char imemo_type[100];
 
   if (state->allocation_type_enabled) {
     optional_class_name = &class_name;
@@ -1197,7 +1198,13 @@ void thread_context_collector_sample_allocation(VALUE self_instance, unsigned in
         class_name = ruby_value_type_to_class_name(type);
       }
     } else if (type == RUBY_T_IMEMO) {
-      class_name = DDOG_CHARSLICE_C("(VM Internal, T_IMEMO)");
+      const char *imemo_string = imemo_kind(new_object);
+      if (imemo_string != NULL) {
+        snprintf(imemo_type, 100, "(VM Internal, T_IMEMO, %s)", imemo_string);
+        class_name = (ddog_CharSlice) {.ptr = imemo_type, .len = strlen(imemo_type)};
+      } else { // Ruby < 3
+        class_name = DDOG_CHARSLICE_C("(VM Internal, T_IMEMO)");
+      }
     } else {
       class_name = ruby_vm_type; // For other weird internal things we just use the VM type
     }

data/ext/ddtrace_profiling_native_extension/extconf.rb

@@ -81,10 +81,7 @@ end
 
 # Because we can't control what compiler versions our customers use, shipping with -Werror by default is a no-go.
 # But we can enable it in CI, so that we quickly spot any new warnings that just got introduced.
-#
-# @ivoanjo TODO: 3.3.0-preview releases are causing issues in CI because `have_header('vm_core.h')` below triggers warnings;
-# I've chosen to disable `-Werror` for this Ruby version for now, and we can revisit this on a later 3.3 release.
-add_compiler_flag '-Werror' if ENV['DDTRACE_CI'] == 'true' && !RUBY_DESCRIPTION.include?('3.3.0preview')
+add_compiler_flag '-Werror' if ENV['DDTRACE_CI'] == 'true'
 
 # Older gcc releases may not default to C99 and we need to ask for this. This is also used:
 # * by upstream Ruby -- search for gnu99 in the codebase
@@ -102,9 +99,6 @@ add_compiler_flag '-Wno-declaration-after-statement'
 # cause a segfault later. Let's ensure that never happens.
 add_compiler_flag '-Werror-implicit-function-declaration'
 
-# Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
-add_compiler_flag '-Wunused-parameter'
-
 # The native extension is not intended to expose any symbols/functions for other native libraries to use;
 # the sole exception being `Init_ddtrace_profiling_native_extension` which needs to be visible for Ruby to call it when
 # it `dlopen`s the library.
@@ -131,6 +125,9 @@ if RUBY_PLATFORM.include?('linux')
   $defs << '-DHAVE_PTHREAD_GETCPUCLOCKID'
 end
 
+# On older Rubies, M:N threads were not available
+$defs << '-DNO_MN_THREADS_AVAILABLE' if RUBY_VERSION < '3.3'
+
 # On older Rubies, we did not need to include the ractor header (this was built into the MJIT header)
 $defs << '-DNO_RACTOR_HEADER_INCLUDE' if RUBY_VERSION < '3.3'
 
@@ -152,12 +149,18 @@ $defs << '-DNO_PRIMITIVE_POP' if RUBY_VERSION < '3.2'
 # On older Rubies, there was no tid member in the internal thread structure
 $defs << '-DNO_THREAD_TID' if RUBY_VERSION < '3.1'
 
+# On older Rubies, there was no jit_return member on the rb_control_frame_t struct
+$defs << '-DNO_JIT_RETURN' if RUBY_VERSION < '3.1'
+
 # On older Rubies, we need to use a backported version of this function. See private_vm_api_access.h for details.
 $defs << '-DUSE_BACKPORTED_RB_PROFILE_FRAME_METHOD_NAME' if RUBY_VERSION < '3'
 
 # On older Rubies, there are no Ractors
 $defs << '-DNO_RACTORS' if RUBY_VERSION < '3'
 
+# On older Rubies, rb_imemo_name did not exist
+$defs << '-DNO_IMEMO_NAME' if RUBY_VERSION < '3'
+
 # On older Rubies, objects would not move
 $defs << '-DNO_T_MOVED' if RUBY_VERSION < '2.7'
 
@@ -238,6 +241,10 @@ if Datadog::Profiling::NativeExtensionHelpers::CAN_USE_MJIT_HEADER
   # NOTE: This needs to come after all changes to $defs
   create_header
 
+  # Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
+  # See the comment on the same flag below for why this is done last.
+  add_compiler_flag '-Wunused-parameter'
+
   create_makefile EXTENSION_NAME
 else
   # The MJIT header was introduced on 2.6 and removed on 3.3; for other Rubies we rely on
@@ -253,9 +260,20 @@ else
   Debase::RubyCoreSource
     .create_makefile_with_core(
       proc do
-        have_header('vm_core.h') &&
-        have_header('iseq.h') &&
-        (RUBY_VERSION < '3.3' || have_header('ractor_core.h'))
+        headers_available =
+          have_header('vm_core.h') &&
+          have_header('iseq.h') &&
+          (RUBY_VERSION < '3.3' || have_header('ractor_core.h'))
+
+        if headers_available
+          # Warn on unused parameters to functions. Use `DDTRACE_UNUSED` to mark things as known-to-not-be-used.
+          # This is added as late as possible because in some Rubies we support (e.g. 3.3), adding this flag before
+          # checking if internal VM headers are available causes those checks to fail because of this warning (and not
+          # because the headers are not available.)
+          add_compiler_flag '-Wunused-parameter'
+        end
+
+        headers_available
       end,
       EXTENSION_NAME,
     )

data/ext/ddtrace_profiling_native_extension/http_transport.c

@@ -16,7 +16,6 @@ static ID agent_id; // id of :agent in Ruby
 
 static ID log_failure_to_process_tag_id; // id of :log_failure_to_process_tag in Ruby
 
-static VALUE http_transport_class = Qnil;
 static VALUE library_version_string = Qnil;
 
 struct call_exporter_without_gvl_arguments {
@@ -54,7 +53,7 @@ static void interrupt_exporter_call(void *cancel_token);
 static VALUE ddtrace_version(void);
 
 void http_transport_init(VALUE profiling_module) {
-  http_transport_class = rb_define_class_under(profiling_module, "HttpTransport", rb_cObject);
+  VALUE http_transport_class = rb_define_class_under(profiling_module, "HttpTransport", rb_cObject);
 
   rb_define_singleton_method(http_transport_class, "_native_validate_exporter",  _native_validate_exporter, 1);
   rb_define_singleton_method(http_transport_class, "_native_do_export",  _native_do_export, 12);
@@ -180,6 +179,10 @@ static ddog_Vec_Tag convert_tags(VALUE tags_as_array) {
 }
 
 static VALUE log_failure_to_process_tag(VALUE err_details) {
+  VALUE datadog_module = rb_const_get(rb_cObject, rb_intern("Datadog"));
+  VALUE profiling_module = rb_const_get(datadog_module, rb_intern("Profiling"));
+  VALUE http_transport_class = rb_const_get(profiling_module, rb_intern("HttpTransport"));
+
   return rb_funcall(http_transport_class, log_failure_to_process_tag_id, 1, err_details);
 }
 

data/ext/ddtrace_profiling_native_extension/private_vm_api_access.c

@@ -58,9 +58,12 @@ static inline rb_thread_t *thread_struct_from_object(VALUE thread) {
 }
 
 rb_nativethread_id_t pthread_id_for(VALUE thread) {
-  // struct rb_native_thread was introduced in Ruby 3.2 (preview2): https://github.com/ruby/ruby/pull/5836
+  // struct rb_native_thread was introduced in Ruby 3.2: https://github.com/ruby/ruby/pull/5836
   #ifndef NO_RB_NATIVE_THREAD
-    return thread_struct_from_object(thread)->nt->thread_id;
+    struct rb_native_thread* native_thread = thread_struct_from_object(thread)->nt;
+    // This can be NULL on Ruby 3.3 with MN threads (RUBY_MN_THREADS=1)
+    if (native_thread == NULL) return 0;
+    return native_thread->thread_id;
   #else
     return thread_struct_from_object(thread)->thread_id;
   #endif
@@ -113,15 +116,16 @@ bool is_current_thread_holding_the_gvl(void) {
 
     if (current_owner == NULL) return (current_gvl_owner) {.valid = false};
 
-    return (current_gvl_owner) {
-      .valid = true,
-      .owner =
-        #ifndef NO_RB_NATIVE_THREAD
-          current_owner->nt->thread_id
-        #else
-          current_owner->thread_id
-        #endif
-    };
+    #ifndef NO_RB_NATIVE_THREAD
+      struct rb_native_thread* current_owner_native_thread = current_owner->nt;
+
+      // This can be NULL on Ruby 3.3 with MN threads (RUBY_MN_THREADS=1)
+      if (current_owner_native_thread == NULL) return (current_gvl_owner) {.valid = false};
+
+      return (current_gvl_owner) {.valid = true, .owner = current_owner_native_thread->thread_id};
+    #else
+      return (current_gvl_owner) {.valid = true, .owner = current_owner->thread_id};
+    #endif
   }
 #else
   current_gvl_owner gvl_owner(void) {
@@ -182,7 +186,9 @@ uint64_t native_thread_id_for(VALUE thread) {
   // The tid is only available on Ruby >= 3.1 + Linux (and FreeBSD). It's the same as `gettid()` aka the task id as seen in /proc
   #if !defined(NO_THREAD_TID) && defined(RB_THREAD_T_HAS_NATIVE_ID)
     #ifndef NO_RB_NATIVE_THREAD
-      return thread_struct_from_object(thread)->nt->tid;
+      struct rb_native_thread* native_thread = thread_struct_from_object(thread)->nt;
+      if (native_thread == NULL) rb_raise(rb_eRuntimeError, "BUG: rb_native_thread* is null. Is this Ruby running with RUBY_MN_THREADS=1?");
+      return native_thread->tid;
     #else
       return thread_struct_from_object(thread)->tid;
     #endif
@@ -407,6 +413,7 @@ calc_lineno(const rb_iseq_t *iseq, const VALUE *pc)
 //   the `VALUE` returned by rb_profile_frames returns `(eval)` instead of the path of the file where the `eval`
 //   was called from.
 // * Imported fix from https://github.com/ruby/ruby/pull/7116 to avoid sampling threads that are still being created
+// * Imported fix from https://github.com/ruby/ruby/pull/8415 to avoid potential crash when using YJIT.
 //
 // What is rb_profile_frames?
 // `rb_profile_frames` is a Ruby VM debug API added for use by profilers for sampling the stack trace of a Ruby thread.
@@ -442,12 +449,15 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, VALUE *buff, i
     // Modified from upstream: Instead of using `GET_EC` to collect info from the current thread,
     // support sampling any thread (including the current) passed as an argument
     rb_thread_t *th = thread_struct_from_object(thread);
-#ifndef USE_THREAD_INSTEAD_OF_EXECUTION_CONTEXT // Modern Rubies
-    const rb_execution_context_t *ec = th->ec;
-#else // Ruby < 2.5
-    const rb_thread_t *ec = th;
-#endif
+    #ifndef USE_THREAD_INSTEAD_OF_EXECUTION_CONTEXT // Modern Rubies
+      const rb_execution_context_t *ec = th->ec;
+    #else // Ruby < 2.5
+      const rb_thread_t *ec = th;
+    #endif
     const rb_control_frame_t *cfp = ec->cfp, *end_cfp = RUBY_VM_END_CONTROL_FRAME(ec);
+    #ifndef NO_JIT_RETURN
+      const rb_control_frame_t *top = cfp;
+    #endif
     const rb_callable_method_entry_t *cme;
 
     // Avoid sampling dead threads
@@ -522,7 +532,20 @@ int ddtrace_rb_profile_frames(VALUE thread, int start, int limit, VALUE *buff, i
                 buff[i] = (VALUE)cfp->iseq;
             }
 
-            lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+            // The topmost frame may not have an updated PC because the JIT
+            // may not have set one.  The JIT compiler will update the PC
+            // before entering a new function (so that `caller` will work),
+            // so only the topmost frame could possibly have an out of date PC
+            #ifndef NO_JIT_RETURN
+              if (cfp == top && cfp->jit_return) {
+                lines[i] = 0;
+              } else {
+                lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+              }
+            #else // Ruby < 3.1
+              lines[i] = calc_lineno(cfp->iseq, cfp->pc);
+            #endif
+
             is_ruby_frame[i] = true;
             i++;
         }
@@ -811,3 +834,40 @@ VALUE invoke_location_for(VALUE thread, int *line_location) {
   *line_location = NUM2INT(rb_iseq_first_lineno(iseq));
   return rb_iseq_path(iseq);
 }
+
+void self_test_mn_enabled(void) {
+  #ifdef NO_MN_THREADS_AVAILABLE
+    return;
+  #else
+    if (ddtrace_get_ractor()->threads.sched.enable_mn_threads == true) {
+      rb_raise(rb_eRuntimeError, "Ruby VM is running with RUBY_MN_THREADS=1. This is not yet supported");
+    }
+  #endif
+}
+
+// Taken from upstream imemo.h at commit 6ebcf25de2859b5b6402b7e8b181066c32d0e0bf (November 2023, master branch)
+// (See the Ruby project copyright and license above)
+// to enable calling rb_imemo_name
+//
+// Modifications:
+// * Added IMEMO_MASK define
+// * Changed return type to int to avoid having to define `enum imemo_type`
+static inline int ddtrace_imemo_type(VALUE imemo) {
+  // This mask is the same between Ruby 2.5 and 3.3-preview3. Furthermore, the intention of this method is to be used
+  // to call `rb_imemo_name` which correctly handles invalid numbers so even if the mask changes in the future, at most
+  // we'll get incorrect results (and never a VM crash)
+  #define IMEMO_MASK   0x0f
+  return (RBASIC(imemo)->flags >> FL_USHIFT) & IMEMO_MASK;
+}
+
+// Safety: This function assumes the object passed in is of the imemo type. But in the worst case, you'll just get
+// a string that doesn't make any sense.
+#ifndef NO_IMEMO_NAME
+  const char *imemo_kind(VALUE imemo) {
+    return rb_imemo_name(ddtrace_imemo_type(imemo));
+  }
+#else
+  const char *imemo_kind(__attribute__((unused)) VALUE imemo) {
+    return NULL;
+  }
+#endif

data/ext/ddtrace_profiling_native_extension/private_vm_api_access.h

@@ -49,3 +49,9 @@ bool ddtrace_rb_ractor_main_p(void);
 // This is what Ruby shows in `Thread#to_s`.
 // The file is returned directly, and the line is recorded onto *line_location.
 VALUE invoke_location_for(VALUE thread, int *line_location);
+
+// Check if RUBY_MN_THREADS is enabled (aka main Ractor is not doing 1:1 threads)
+void self_test_mn_enabled(void);
+
+// Provides more specific information on what kind an imemo is
+const char *imemo_kind(VALUE imemo);

data/ext/ddtrace_profiling_native_extension/profiling.c

@@ -68,6 +68,7 @@ void DDTRACE_EXPORT Init_ddtrace_profiling_native_extension(void) {
 
 static VALUE native_working_p(DDTRACE_UNUSED VALUE _self) {
   self_test_clock_id();
+  self_test_mn_enabled();
 
   return Qtrue;
 }

data/ext/ddtrace_profiling_native_extension/stack_recorder.c

@@ -129,8 +129,6 @@
 static VALUE ok_symbol = Qnil; // :ok in Ruby
 static VALUE error_symbol = Qnil; // :error in Ruby
 
-static VALUE stack_recorder_class = Qnil;
-
 // Note: Please DO NOT use `VALUE_STRING` anywhere else, instead use `DDOG_CHARSLICE_C`.
 // `VALUE_STRING` is only needed because older versions of gcc (4.9.2, used in our Ruby 2.2 CI test images)
 // tripped when compiling `enabled_value_types` using `-std=gnu99` due to the extra cast that is included in
@@ -217,7 +215,7 @@ static VALUE _native_record_endpoint(DDTRACE_UNUSED VALUE _self, VALUE recorder_
 static void reset_profile(ddog_prof_Profile *profile, ddog_Timespec *start_time /* Can be null */);
 
 void stack_recorder_init(VALUE profiling_module) {
-  stack_recorder_class = rb_define_class_under(profiling_module, "StackRecorder", rb_cObject);
+  VALUE stack_recorder_class = rb_define_class_under(profiling_module, "StackRecorder", rb_cObject);
   // Hosts methods used for testing the native code using RSpec
   VALUE testing_module = rb_define_module_under(stack_recorder_class, "Testing");
 

data/lib/datadog/appsec/component.rb

@@ -38,12 +38,15 @@ module Datadog
 
           data = AppSec::Processor::RuleLoader.load_data(
             ip_denylist: settings.appsec.ip_denylist,
-            user_id_denylist: settings.appsec.user_id_denylist
+            user_id_denylist: settings.appsec.user_id_denylist,
           )
 
+          exclusions = AppSec::Processor::RuleLoader.load_exclusions(ip_passlist: settings.appsec.ip_passlist)
+
           ruleset = AppSec::Processor::RuleMerger.merge(
             rules: [rules],
             data: data,
+            exclusions: exclusions,
           )
 
           processor = Processor.new(ruleset: ruleset)

data/lib/datadog/appsec/configuration/settings.rb

@@ -54,6 +54,10 @@ module Datadog
                 o.default :recommended
               end
 
+              option :ip_passlist do |o|
+                o.default []
+              end
+
               option :ip_denylist do |o|
                 o.type :array
                 o.default []

data/lib/datadog/appsec/contrib/devise/patcher/registration_controller_patch.rb

@@ -42,6 +42,8 @@ module Datadog
                     **event_information.to_h
                   )
                 end
+
+                yield resource if block_given?
               end
             end
           end

data/lib/datadog/appsec/processor/rule_loader.rb

@@ -47,6 +47,13 @@ module Datadog
             data
           end
 
+          def load_exclusions(ip_passlist: [])
+            exclusions = []
+            exclusions << [passlist_exclusions(ip_passlist)] if ip_passlist.any?
+
+            exclusions
+          end
+
           private
 
           def denylist_data(id, denylist)
@@ -56,6 +63,59 @@ module Datadog
               'data' => denylist.map { |v| { 'value' => v.to_s, 'expiration' => 2**63 } }
             }
           end
+
+          def passlist_exclusions(ip_passlist) # rubocop:disable Metrics/MethodLength
+            case ip_passlist
+            when Array
+              pass = ip_passlist
+              monitor = []
+            when Hash
+              pass = ip_passlist[:pass]
+              monitor = ip_passlist[:monitor]
+            else
+              pass = []
+              monitor = []
+            end
+
+            exclusions = []
+
+            exclusions << {
+              'conditions' => [
+                {
+                  'operator' => 'ip_match',
+                  'parameters' => {
+                    'inputs' => [
+                      {
+                        'address' => 'http.client_ip'
+                      }
+                    ],
+                    'list' => pass
+                  }
+                }
+              ],
+              'id' => SecureRandom.uuid,
+            }
+
+            exclusions << {
+              'conditions' => [
+                {
+                  'operator' => 'ip_match',
+                  'parameters' => {
+                    'inputs' => [
+                      {
+                        'address' => 'http.client_ip'
+                      }
+                    ],
+                    'list' => monitor
+                  }
+                }
+              ],
+              'id' => SecureRandom.uuid,
+              'on_match' => 'monitor'
+            }
+
+            exclusions
+          end
         end
       end
     end

data/lib/datadog/appsec/remote.rb

@@ -12,15 +12,17 @@ module Datadog
       class NoRulesError < StandardError; end
 
       class << self
-        CAP_ASM_ACTIVATION                = 1 << 1 # Remote activation via ASM_FEATURES product
-        CAP_ASM_IP_BLOCKING               = 1 << 2 # accept IP blocking data from ASM_DATA product
-        CAP_ASM_DD_RULES                  = 1 << 3 # read ASM rules from ASM_DD product
-        CAP_ASM_EXCLUSIONS                = 1 << 4 # exclusion filters (passlist) via ASM product
-        CAP_ASM_REQUEST_BLOCKING          = 1 << 5 # can block on request info
-        CAP_ASM_RESPONSE_BLOCKING         = 1 << 6 # can block on response info
-        CAP_ASM_USER_BLOCKING             = 1 << 7 # accept user blocking data from ASM_DATA product
-        CAP_ASM_CUSTOM_RULES              = 1 << 8 # accept custom rules
-        CAP_ASM_CUSTOM_BLOCKING_RESPONSE  = 1 << 9 # supports custom http code or redirect sa blocking response
+        CAP_ASM_RESERVED_1                = 1 << 0   # RESERVED
+        CAP_ASM_ACTIVATION                = 1 << 1   # Remote activation via ASM_FEATURES product
+        CAP_ASM_IP_BLOCKING               = 1 << 2   # accept IP blocking data from ASM_DATA product
+        CAP_ASM_DD_RULES                  = 1 << 3   # read ASM rules from ASM_DD product
+        CAP_ASM_EXCLUSIONS                = 1 << 4   # exclusion filters (passlist) via ASM product
+        CAP_ASM_REQUEST_BLOCKING          = 1 << 5   # can block on request info
+        CAP_ASM_RESPONSE_BLOCKING         = 1 << 6   # can block on response info
+        CAP_ASM_USER_BLOCKING             = 1 << 7   # accept user blocking data from ASM_DATA product
+        CAP_ASM_CUSTOM_RULES              = 1 << 8   # accept custom rules
+        CAP_ASM_CUSTOM_BLOCKING_RESPONSE  = 1 << 9   # supports custom http code or redirect sa blocking response
+        CAP_ASM_TRUSTED_IPS               = 1 << 10  # supports trusted ip
 
         # TODO: we need to dynamically add CAP_ASM_ACTIVATION once we support it
         ASM_CAPABILITIES = [
@@ -32,6 +34,7 @@ module Datadog
           CAP_ASM_DD_RULES,
           CAP_ASM_CUSTOM_RULES,
           CAP_ASM_CUSTOM_BLOCKING_RESPONSE,
+          CAP_ASM_TRUSTED_IPS,
         ].freeze
 
         ASM_PRODUCTS = [

data/lib/datadog/core/configuration.rb

@@ -273,6 +273,10 @@ module Datadog
       def handle_interrupt_shutdown!
         logger = Datadog.logger
         shutdown_thread = Thread.new { shutdown! }
+        unless Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.3')
+          shutdown_thread.name = Datadog::Core::Configuration.name
+        end
+
         print_message_treshold_seconds = 0.2
 
         slow_shutdown = shutdown_thread.join(print_message_treshold_seconds).nil?

data/lib/datadog/core/remote/worker.rb

@@ -30,6 +30,7 @@ module Datadog
 
           thread = Thread.new { poll(@interval) }
           thread.name = self.class.name unless Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.3')
+          thread.thread_variable_set(:fork_safe, true)
           @thr = thread
 
           @started = true

data/lib/datadog/core/workers/async.rb

@@ -147,6 +147,7 @@ module Datadog
               # rubocop:enable Lint/RescueException
             end
             @worker.name = self.class.name unless Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.3')
+            @worker.thread_variable_set(:fork_safe, true)
 
             nil
           end

data/lib/datadog/kit/enable_core_dumps.rb

@@ -16,11 +16,13 @@ module Datadog
             '(Could not open /proc/sys/kernel/core_pattern)'
           end
 
+        enabled_status = "Maximum size: #{maximum_size} Output pattern: '#{core_pattern}'"
+
         if maximum_size <= 0
           Kernel.warn("[ddtrace] Could not enable core dumps on crash, maximum size is #{maximum_size} (disabled).")
           return
         elsif maximum_size == current_size
-          Kernel.warn('[ddtrace] Core dumps already enabled, nothing to do!')
+          Kernel.warn("[ddtrace] Core dumps already enabled, nothing to do. #{enabled_status}")
           return
         end
 
@@ -35,12 +37,9 @@ module Datadog
         end
 
         if current_size == 0
-          Kernel.warn("[ddtrace] Enabled core dumps. Maximum size: #{maximum_size} Output pattern: '#{core_pattern}'")
+          Kernel.warn("[ddtrace] Enabled core dumps. #{enabled_status}")
         else
-          Kernel.warn(
-            "[ddtrace] Raised core dump limit. Old size: #{current_size} " \
-            "Maximum size: #{maximum_size} Output pattern: '#{core_pattern}'"
-          )
+          Kernel.warn("[ddtrace] Raised core dump limit. Old size: #{current_size} #{enabled_status}")
         end
       end
     end

data/lib/datadog/profiling/collectors/cpu_and_wall_time_worker.rb

@@ -78,6 +78,7 @@ module Datadog
               end
             end
             @worker_thread.name = self.class.name # Repeated from above to make sure thread gets named asap
+            @worker_thread.thread_variable_set(:fork_safe, true)
           end
 
           true

data/lib/datadog/profiling/collectors/idle_sampling_helper.rb

@@ -43,6 +43,7 @@ module Datadog
               end
             end
             @worker_thread.name = self.class.name # Repeated from above to make sure thread gets named asap
+            @worker_thread.thread_variable_set(:fork_safe, true)
           end
 
           true

data/lib/datadog/profiling/component.rb

@@ -171,12 +171,11 @@ module Datadog
           return true
         end
 
-        if defined?(::PhusionPassenger)
+        if (defined?(::PhusionPassenger) || Gem.loaded_specs['passenger']) && incompatible_passenger_version?
           Datadog.logger.warn(
-            'Enabling the profiling "no signals" workaround because the passenger web server is in use. ' \
-            'This is needed because passenger is currently incompatible with the normal working mode ' \
-            'of the profiler, as detailed in <https://github.com/DataDog/dd-trace-rb/issues/2976>. ' \
-            'Profiling data will have lower quality.'
+            'Enabling the profiling "no signals" workaround because an incompatible version of the passenger gem is ' \
+            'installed. Profiling data will have lower quality.' \
+            'To fix this, upgrade the passenger gem to version 6.0.19 or above.'
           )
           return true
         end
@@ -237,6 +236,15 @@ module Datadog
           true
         end
       end
+
+      # See https://github.com/datadog/dd-trace-rb/issues/2976 for details.
+      private_class_method def self.incompatible_passenger_version?
+        if Gem.loaded_specs['passenger']
+          Gem.loaded_specs['passenger'].version < Gem::Version.new('6.0.19')
+        else
+          true
+        end
+      end
     end
   end
 end

data/lib/datadog/tracing/contrib/pg/configuration/settings.rb

@@ -25,6 +25,11 @@ module Datadog
               o.default false
             end
 
+            option :error_handler do |o|
+              o.type :proc
+              o.default_proc(&Tracing::SpanOperation::Events::DEFAULT_ON_ERROR)
+            end
+
             option :analytics_sample_rate do |o|
               o.type :float
               o.env Ext::ENV_ANALYTICS_SAMPLE_RATE

data/lib/datadog/tracing/contrib/pg/instrumentation.rb

@@ -21,18 +21,24 @@ module Datadog
           # PG::Connection patch methods
           module InstanceMethods
             def exec(sql, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_EXEC, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, *args, &wrapped_block)
               end
             end
 
             def exec_params(sql, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_EXEC_PARAMS, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, params, *args, &wrapped_block)
               end
             end
 
             def exec_prepared(statement_name, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_EXEC_PREPARED, statement_name: statement_name, block: block) do |_, wrapped_block|
                 super(statement_name, params, *args, &wrapped_block)
               end
@@ -40,6 +46,8 @@ module Datadog
 
             # async_exec is an alias to exec
             def async_exec(sql, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_ASYNC_EXEC, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, *args, &wrapped_block)
               end
@@ -47,6 +55,8 @@ module Datadog
 
             # async_exec_params is an alias to exec_params
             def async_exec_params(sql, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_ASYNC_EXEC_PARAMS, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, params, *args, &wrapped_block)
               end
@@ -54,24 +64,32 @@ module Datadog
 
             # async_exec_prepared is an alias to exec_prepared
             def async_exec_prepared(statement_name, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_ASYNC_EXEC_PREPARED, statement_name: statement_name, block: block) do |_, wrapped_block|
                 super(statement_name, params, *args, &wrapped_block)
               end
             end
 
             def sync_exec(sql, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_SYNC_EXEC, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, *args, &wrapped_block)
               end
             end
 
             def sync_exec_params(sql, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_SYNC_EXEC_PARAMS, sql: sql, block: block) do |sql_statement, wrapped_block|
                 super(sql_statement, params, *args, &wrapped_block)
               end
             end
 
             def sync_exec_prepared(statement_name, params, *args, &block)
+              return super unless enabled?
+
               trace(Ext::SPAN_SYNC_EXEC_PREPARED, statement_name: statement_name, block: block) do |_, wrapped_block|
                 super(statement_name, params, *args, &wrapped_block)
               end
@@ -81,10 +99,12 @@ module Datadog
 
             def trace(name, sql: nil, statement_name: nil, block: nil)
               service = Datadog.configuration_for(self, :service_name) || datadog_configuration[:service_name]
+              error_handler = datadog_configuration[:error_handler]
               resource = statement_name || sql
 
               Tracing.trace(
                 name,
+                on_error: error_handler,
                 service: service,
                 resource: resource,
                 type: Tracing::Metadata::Ext::SQL::TYPE
@@ -172,6 +192,10 @@ module Datadog
             def comment_propagation
               datadog_configuration[:comment_propagation]
             end
+
+            def enabled?
+              datadog_configuration[:enabled]
+            end
           end
         end
       end

data/lib/datadog/tracing/workers.rb

@@ -69,6 +69,7 @@ module Datadog
             Datadog.logger.debug { "Starting thread for: #{self}" }
             @worker = Thread.new { perform }
             @worker.name = self.class.name unless Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.3')
+            @worker.thread_variable_set(:fork_safe, true)
 
             nil
           end

data/lib/ddtrace/version.rb

@@ -3,7 +3,7 @@
 module DDTrace
   module VERSION
     MAJOR = 1
-    MINOR = 17
+    MINOR = 18
     PATCH = 0
     PRE = nil
     BUILD = nil

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ddtrace
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.18.0
 platform: ruby
 authors:
 - Datadog, Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-22 00:00:00.000000000 Z
+date: 2023-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: msgpack
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2
+        version: 3.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.2
+        version: 3.2.3
 - !ruby/object:Gem::Dependency
   name: libddwaf
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.0
 description: |
   ddtrace is Datadog's tracing client for Ruby. It is used to trace requests
   as they flow across web servers, databases and microservices so that developers
@@ -890,7 +890,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.0.0
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.21
 signing_key:
 specification_version: 4
 summary: Datadog tracing code for your Ruby applications