dd-trace 5.104.0 → 5.105.0

package/packages/dd-trace/src/plugins/util/test.js

@@ -229,11 +229,11 @@ const BASE_LIKE_BRANCH_FILTER = /^(main|master|preprod|prod|dev|development|trun
 
 /**
  * Returns request error tags from a test session span for propagation to child events.
- * @param {{ context: () => { _tags?: Record<string, string> } } | undefined} sessionSpan
+ * @param {{ context: () => { getTag?: (key: string) => string } } | undefined} sessionSpan
  * @returns {Record<string, string>}
  */
 function getSessionRequestErrorTags (sessionSpan) {
-  const tags = sessionSpan?.context()._tags
+  const tags = sessionSpan?.context()?.getTags?.()
   const sessionRequestErrorTags = {}
   if (!tags || typeof tags !== 'object') return {}
   if (tags[DD_CI_LIBRARY_CONFIGURATION_ERROR_SETTINGS] === 'true') {
@@ -253,11 +253,11 @@ function getSessionRequestErrorTags (sessionSpan) {
 
 /**
  * Returns ITR skipping-enabled tags from a test session span for propagation to child events.
- * @param {{ context: () => { _tags?: Record<string, string> } } | undefined} sessionSpan
+ * @param {{ context: () => { getTags?: () => Record<string, string> } } | undefined} sessionSpan
  * @returns {Record<string, string>}
  */
 function getSessionItrSkippingEnabledTags (sessionSpan) {
-  const tags = sessionSpan?.context()._tags
+  const tags = sessionSpan?.context()?.getTags?.()
   if (!tags || typeof tags !== 'object') return {}
   if (tags[TEST_ITR_SKIPPING_ENABLED] !== undefined) {
     return {
@@ -418,6 +418,12 @@ module.exports = {
   ITR_CORRELATION_ID,
   addIntelligentTestRunnerSpanTags,
   getCoveredFilenamesFromCoverage,
+  getCoveredFilesFromCoverage,
+  getExecutableFilesFromCoverage,
+  getRelativeCoverageFiles,
+  getLineCoverageBitmap,
+  applySkippedCoverageToCoverage,
+  getTestCoverageLinesPercentage,
   resetCoverage,
   mergeCoverage,
   fromCoverageMapToCoverage,
@@ -952,7 +958,6 @@ function getTestLevelCommonTags (command, testFrameworkVersion, testFramework) {
   return {
     [TEST_FRAMEWORK_VERSION]: testFrameworkVersion,
     [LIBRARY_VERSION]: ddTraceVersion,
-    [TEST_COMMAND]: command,
     [TEST_TYPE]: getTestTypeFromFramework(testFramework),
   }
 }
@@ -1030,15 +1035,233 @@ function addIntelligentTestRunnerSpanTags (
 }
 
 function getCoveredFilenamesFromCoverage (coverage) {
-  const coverageMap = istanbul.createCoverageMap(coverage)
+  return getCoveredFilesFromCoverage(coverage).map(({ filename }) => filename)
+}
 
-  return coverageMap
-    .files()
-    .filter(filename => {
-      const fileCoverage = coverageMap.fileCoverageFor(filename)
-      const lineCoverage = fileCoverage.getLineCoverage()
-      return Object.entries(lineCoverage).some(([, numExecutions]) => !!numExecutions)
-    })
+function getCoverageMap (coverage) {
+  if (coverage?.files && coverage?.fileCoverageFor) {
+    return coverage
+  }
+  return istanbul.createCoverageMap(coverage)
+}
+
+function getCoveredFilesFromCoverage (coverage) {
+  const coverageMap = getCoverageMap(coverage)
+  const coverageFiles = []
+
+  for (const filename of coverageMap.files()) {
+    const fileCoverage = coverageMap.fileCoverageFor(filename)
+    const bitmap = getLineCoverageBitmap(fileCoverage.getLineCoverage(), true)
+    if (bitmap) {
+      coverageFiles.push({ filename, bitmap })
+    }
+  }
+
+  return coverageFiles
+}
+
+function getExecutableFilesFromCoverage (coverage) {
+  const coverageMap = getCoverageMap(coverage)
+  const coverageFiles = []
+
+  for (const filename of coverageMap.files()) {
+    const fileCoverage = coverageMap.fileCoverageFor(filename)
+    const bitmap = getLineCoverageBitmap(fileCoverage.getLineCoverage())
+    if (bitmap) {
+      coverageFiles.push({ filename, bitmap })
+    }
+  }
+
+  return coverageFiles
+}
+
+function getRelativeCoverageFiles (coverageFiles, rootDir) {
+  return coverageFiles.map(({ filename, bitmap }) => ({
+    filename: getTestSuitePath(filename, rootDir),
+    bitmap,
+  }))
+}
+
+function getLineCoverageBitmap (lineCoverage, onlyCoveredLines = false) {
+  let maxLine = 0
+  const lines = []
+
+  for (const [line, hits] of Object.entries(lineCoverage)) {
+    if (onlyCoveredLines && !hits) continue
+
+    const lineNumber = Number(line)
+    if (!Number.isSafeInteger(lineNumber) || lineNumber <= 0) continue
+
+    lines.push(lineNumber)
+    if (lineNumber > maxLine) {
+      maxLine = lineNumber
+    }
+  }
+
+  if (maxLine === 0) return
+
+  const bitmap = Buffer.alloc(Math.ceil((maxLine + 1) / 8))
+  for (const lineNumber of lines) {
+    bitmap[lineNumber >> 3] |= 1 << (lineNumber % 8)
+  }
+
+  return bitmap
+}
+
+function mergeCoverageBitmaps (targetBitmap, bitmap) {
+  if (!targetBitmap) {
+    return Buffer.from(bitmap)
+  }
+
+  if (targetBitmap.length < bitmap.length) {
+    const biggerBitmap = Buffer.alloc(bitmap.length)
+    targetBitmap.copy(biggerBitmap)
+    targetBitmap = biggerBitmap
+  }
+
+  for (let i = 0; i < bitmap.length; i++) {
+    targetBitmap[i] |= bitmap[i]
+  }
+
+  return targetBitmap
+}
+
+function countBitmapBits (bitmap) {
+  let count = 0
+
+  for (const byte of bitmap) {
+    let value = byte
+    while (value) {
+      value &= value - 1
+      count++
+    }
+  }
+
+  return count
+}
+
+function countCoveredExecutableBits (coveredBitmap, executableBitmap) {
+  if (!coveredBitmap) return 0
+
+  let count = 0
+  const length = Math.min(coveredBitmap.length, executableBitmap.length)
+
+  for (let i = 0; i < length; i++) {
+    let value = coveredBitmap[i] & executableBitmap[i]
+    while (value) {
+      value &= value - 1
+      count++
+    }
+  }
+
+  return count
+}
+
+function getCoverageFileBitmap (bitmap) {
+  if (!bitmap) return
+  if (Buffer.isBuffer(bitmap)) return bitmap
+  if (ArrayBuffer.isView(bitmap)) {
+    return Buffer.from(bitmap.buffer, bitmap.byteOffset, bitmap.byteLength)
+  }
+  if (typeof bitmap === 'string') {
+    return Buffer.from(bitmap, 'base64')
+  }
+}
+
+function addCoverageFilesToMap (files, targetMap, rootDir) {
+  for (const file of files) {
+    const bitmap = getCoverageFileBitmap(file.bitmap)
+    if (!bitmap) continue
+
+    const filename = rootDir ? getTestSuitePath(file.filename, rootDir) : file.filename
+    targetMap.set(filename, mergeCoverageBitmaps(targetMap.get(filename), bitmap))
+  }
+}
+
+function addSkippedCoverageToMap (skippedCoverage, targetMap) {
+  if (!skippedCoverage) return
+
+  for (const [filename, bitmap] of Object.entries(skippedCoverage)) {
+    const coverageBitmap = getCoverageFileBitmap(bitmap)
+    if (!coverageBitmap) continue
+    targetMap.set(filename, mergeCoverageBitmaps(targetMap.get(filename), coverageBitmap))
+  }
+}
+
+function hasSkippedCoverage (skippedCoverage) {
+  return skippedCoverage && typeof skippedCoverage === 'object' && Object.keys(skippedCoverage).length > 0
+}
+
+function getTestCoverageLinesPercentage (coverage, skippedCoverage, rootDir) {
+  const executableLinesByFile = new Map()
+  const coveredLinesByFile = new Map()
+
+  addCoverageFilesToMap(getExecutableFilesFromCoverage(coverage), executableLinesByFile, rootDir)
+  addCoverageFilesToMap(getCoveredFilesFromCoverage(coverage), coveredLinesByFile, rootDir)
+  addSkippedCoverageToMap(skippedCoverage, coveredLinesByFile)
+
+  let totalExecutableLines = 0
+  let totalCoveredLines = 0
+
+  for (const [filename, executableLines] of executableLinesByFile) {
+    totalExecutableLines += countBitmapBits(executableLines)
+    totalCoveredLines += countCoveredExecutableBits(coveredLinesByFile.get(filename), executableLines)
+  }
+
+  return totalExecutableLines === 0 ? 0 : Math.floor((totalCoveredLines / totalExecutableLines) * 10_000) / 100
+}
+
+function isLineCoveredByBitmap (bitmap, line) {
+  if (!Number.isSafeInteger(line) || line <= 0) return false
+
+  const byteIndex = line >> 3
+  return byteIndex < bitmap.length && !!(bitmap[byteIndex] & (1 << (line % 8)))
+}
+
+function getSkippedCoverageByFilename (skippedCoverage) {
+  const skippedCoverageByFilename = new Map()
+  addSkippedCoverageToMap(skippedCoverage, skippedCoverageByFilename)
+  return skippedCoverageByFilename
+}
+
+function applySkippedCoverageToFileCoverage (fileCoverage, skippedBitmap) {
+  let updated = false
+  for (const [statementId, statementLocation] of Object.entries(fileCoverage.data.statementMap)) {
+    const startLine = statementLocation?.start?.line
+    if (!isLineCoveredByBitmap(skippedBitmap, startLine)) continue
+    if (fileCoverage.data.s[statementId] > 0) continue
+
+    fileCoverage.data.s[statementId] = 1
+    updated = true
+  }
+  return updated
+}
+
+/**
+ * Applies backend skipped-suite coverage to an Istanbul coverage map.
+ * @param {object} coverage
+ * @param {object} skippedCoverage
+ * @param {string} [rootDir]
+ * @returns {boolean}
+ */
+function applySkippedCoverageToCoverage (coverage, skippedCoverage, rootDir) {
+  if (!hasSkippedCoverage(skippedCoverage)) return false
+
+  const coverageMap = getCoverageMap(coverage)
+  const skippedCoverageByFilename = getSkippedCoverageByFilename(skippedCoverage)
+  let matched = false
+
+  for (const filename of coverageMap.files()) {
+    const relativeFilename = rootDir ? getTestSuitePath(filename, rootDir) : filename
+    const skippedBitmap = skippedCoverageByFilename.get(relativeFilename)
+    if (!skippedBitmap) continue
+
+    const fileCoverage = coverageMap.fileCoverageFor(filename)
+    applySkippedCoverageToFileCoverage(fileCoverage, skippedBitmap)
+    matched = true
+  }
+
+  return matched
 }
 
 function resetCoverage (coverage) {

package/packages/dd-trace/src/plugins/util/web.js

@@ -10,16 +10,14 @@ const kinds = require('../../../../../ext/kinds')
 const { ERROR_MESSAGE } = require('../../constants')
 const TracingPlugin = require('../tracing')
 const { storage } = require('../../../../datadog-core')
+const legacyStorage = storage('legacy')
 const urlFilter = require('./urlfilter')
 const { createInferredProxySpan, finishInferredProxySpan } = require('./inferred_proxy')
 const { extractURL, obfuscateQs, calculateHttpEndpoint } = require('./url')
 
-let extractIp
-
 const WEB = types.WEB
 const SERVER = kinds.SERVER
 const RESOURCE_NAME = tags.RESOURCE_NAME
-const SERVICE_NAME = tags.SERVICE_NAME
 const SPAN_TYPE = tags.SPAN_TYPE
 const SPAN_KIND = tags.SPAN_KIND
 const ERROR = tags.ERROR
@@ -35,7 +33,6 @@ const HTTP_CLIENT_IP = tags.HTTP_CLIENT_IP
 const MANUAL_DROP = tags.MANUAL_DROP
 
 const contexts = new WeakMap()
-const ends = new WeakMap()
 
 // TODO: change this to no longer rely on creating a dummy plugin to be able to access startSpan
 function createWebPlugin (tracer, config = {}) {
@@ -67,7 +64,9 @@ const web = {
     const middleware = getMiddlewareSetting(config)
     const queryStringObfuscation = getQsObfuscator(config)
 
-    extractIp = config.clientIpEnabled && require('./ip_extractor').extractIp
+    const extractIp = config.clientIpEnabled
+      ? require('./ip_extractor').extractIp
+      : undefined
 
     return {
       ...config,
@@ -77,6 +76,7 @@ const web = {
       filter,
       middleware,
       queryStringObfuscation,
+      extractIp,
     }
   },
 
@@ -87,7 +87,7 @@ const web = {
     if (!span) return
 
     span.context()._name = `${name}.request`
-    span.context()._tags.component = name
+    span.context().setTag('component', name)
     span._integrationName = name
 
     web.setConfig(req, config)
@@ -105,7 +105,7 @@ const web = {
     }
 
     if (config.service) {
-      span.setTag(SERVICE_NAME, config.service)
+      web.plugin.setServiceName(span, config.service)
     }
 
     analyticsSampler.sample(span, config.measured, true)
@@ -126,7 +126,6 @@ const web = {
     context.tracer = tracer
     context.span = span
     context.res = res
-    context.store = storage('legacy').getStore()
 
     this.setConfig(req, config)
     addRequestTags(context, this.TYPE)
@@ -204,7 +203,7 @@ const web = {
   startServerlessSpanWithInferredProxy (tracer, config, name, req, traceCtx) {
     const headers = req.headers
     const reqCtx = contexts.get(req)
-    const store = storage('legacy').getStore()
+    const store = legacyStorage.getStore()
     const pubsubSpan = store?.span?._name === 'pubsub.push.receive' ? store.span : null
 
     let childOf = pubsubSpan || tracer.extract(FORMAT_HTTP_HEADERS, headers)
@@ -225,9 +224,11 @@ const web = {
     const context = contexts.get(req)
     const { span, inferredProxySpan, error } = context
 
-    const spanHasExistingError = span.context()._tags.error || span.context()._tags[ERROR_MESSAGE]
+    const spanContext = span.context()
+    const spanHasExistingError = spanContext.getTag('error') || spanContext.getTag(ERROR_MESSAGE)
     const inferredSpanContext = inferredProxySpan?.context()
-    const inferredSpanHasExistingError = inferredSpanContext?._tags.error || inferredSpanContext?._tags[ERROR_MESSAGE]
+    const inferredSpanHasExistingError = inferredSpanContext?.getTag('error') ||
+      inferredSpanContext?.getTag(ERROR_MESSAGE)
 
     const isValidStatusCode = context.config.validateStatus(statusCode)
 
@@ -266,7 +267,16 @@ const web = {
 
     if (context.finished && !req.stream) return
 
+    // `addRequestTags` is idempotent: in the normal HTTP path it ran during
+    // `web.startSpan`. Serverless callers (e.g. Azure Functions) skip
+    // `web.startSpan` and rely on this call to do the request-side work.
     addRequestTags(context, spanType)
+    // Configured-header tagging runs at finish time. Framework plugins
+    // (connect, express, ...) install their own config via `setFramework`
+    // after `web.startSpan` has already locked the http-plugin config in;
+    // tagging earlier would use the http-plugin's `headers` list and drop
+    // the framework's.
+    addRequestHeaders(context)
     addResponseTags(context)
 
     context.config.hooks.request(context.span, req, res)
@@ -293,11 +303,18 @@ const web = {
     const writeHead = res.writeHead
 
     return function (statusCode, statusMessage, headers) {
-      headers = typeof statusMessage === 'string' ? headers : statusMessage
-      headers = { ...res.getHeaders(), ...headers }
-
-      if (req.method.toLowerCase() === 'options' && isOriginAllowed(req, headers)) {
-        addAllowHeaders(req, res, headers)
+      // CORS preflight tagging only matters for OPTIONS requests. Skip the
+      // getHeaders() spread + isOriginAllowed work entirely for the common
+      // GET / POST / etc. case. Node's http module passes `req.method`
+      // through unchanged, so all standard methods are uppercase; the
+      // `toLowerCase` fallback covers any non-standard caller.
+      if (req.method === 'OPTIONS' || req.method.toLowerCase() === 'options') {
+        headers = typeof statusMessage === 'string' ? headers : statusMessage
+        headers = { ...res.getHeaders(), ...headers }
+
+        if (isOriginAllowed(req, headers)) {
+          addAllowHeaders(req, res, headers)
+        }
       }
 
       return writeHead.apply(this, arguments)
@@ -306,34 +323,6 @@ const web = {
   getContext (req) {
     return contexts.get(req)
   },
-  wrapRes (context, req, res, end) {
-    return function (...args) {
-      web.finishAll(context)
-
-      return end.apply(res, args)
-    }
-  },
-  wrapEnd (context) {
-    const req = context.req
-    const res = context.res
-    const end = res.end
-
-    res.writeHead = web.wrapWriteHead(context)
-
-    ends.set(res, this.wrapRes(context, req, res, end))
-
-    Object.defineProperty(res, 'end', {
-      configurable: true,
-      get () {
-        return ends.get(this)
-      },
-      set (value) {
-        ends.set(this, function (...args) {
-          return storage('legacy').run(context.store, value, ...args)
-        })
-      },
-    })
-  },
   setRouteOrEndpointTag (req) {
     const context = contexts.get(req)
 
@@ -379,6 +368,16 @@ function splitHeader (str) {
 
 function addRequestTags (context, spanType) {
   const { req, span, inferredProxySpan, config } = context
+  const spanContext = span.context()
+
+  // Idempotency guard. `addRequestTags` runs in `web.startSpan` for the
+  // normal HTTP path and again in `web.finishSpan`; without this guard the
+  // second call would re-extract the URL, re-obfuscate the query string,
+  // and re-publish five `tagsUpdateCh` events with the same values. The
+  // serverless path skips `startSpan` and lands here first, in which case
+  // HTTP_URL is unset and the work runs normally.
+  if (spanContext.hasTag(HTTP_URL)) return
+
   const url = extractURL(req)
   const type = spanType ?? WEB
 
@@ -391,8 +390,8 @@ function addRequestTags (context, spanType) {
   })
 
   // if client ip has already been set by appsec, no need to run it again
-  if (extractIp && !span.context()._tags.hasOwnProperty(HTTP_CLIENT_IP)) {
-    const clientIp = extractIp(config, req)
+  if (config.extractIp && !spanContext.hasTag(HTTP_CLIENT_IP)) {
+    const clientIp = config.extractIp(config, req)
 
     if (clientIp) {
       span.setTag(HTTP_CLIENT_IP, clientIp)
@@ -410,8 +409,6 @@ function addRequestTags (context, spanType) {
   if (securityTest !== undefined) {
     span.setTag(`${HTTP_REQUEST_HEADERS}.x-datadog-security-test`, securityTest)
   }
-
-  addHeaders(context)
 }
 
 function addResponseTags (context) {
@@ -426,14 +423,26 @@ function addResponseTags (context) {
     [HTTP_STATUS_CODE]: res.statusCode,
   })
 
+  addResponseHeaders(context)
+
   web.addStatusError(req, res.statusCode)
 }
 
 function applyRouteOrEndpointTag (context) {
   const { paths, span, config } = context
   if (!span) return
-  const tags = span.context()._tags
-  const route = paths.join('')
+  const spanContext = span.context()
+
+  // AppSec calls `web.setRouteOrEndpointTag` from a pre-finish hook so the
+  // route/endpoint tags are available for API Security sampling, and the
+  // normal finish-time path runs this again. Either tag being present
+  // means the work has already been done; paths are stable between the
+  // two calls, so the second pass has nothing to add.
+  if (spanContext.hasTag(HTTP_ROUTE) || spanContext.hasTag(HTTP_ENDPOINT)) return
+
+  // Skip the `Array.prototype.join` builtin in the empty / single-segment
+  // cases; `paths[0]` covers both (`undefined` is falsy for the empty case).
+  const route = paths.length > 1 ? paths.join('') : paths[0]
 
   if (route) {
     // Use http.route from trusted framework instrumentation.
@@ -441,44 +450,49 @@ function applyRouteOrEndpointTag (context) {
     return
   }
 
-  if (!config.resourceRenamingEnabled || tags[HTTP_ENDPOINT]) {
-    return
-  }
+  if (!config.resourceRenamingEnabled) return
 
   // Route is unavailable, compute http.endpoint once.
-  const url = tags[HTTP_URL]
+  const url = spanContext.getTag(HTTP_URL)
   const endpoint = url ? calculateHttpEndpoint(url) : '/'
   span.setTag(HTTP_ENDPOINT, endpoint)
 }
 
 function addResourceTag (context) {
   const { req, span } = context
-  const tags = span.context()._tags
+  const spanContext = span.context()
 
-  if (tags[RESOURCE_NAME]) return
+  if (spanContext.getTag(RESOURCE_NAME)) return
 
-  const resource = [req.method, tags[HTTP_ROUTE]]
+  const resource = [req.method, spanContext.getTag(HTTP_ROUTE)]
     .filter(Boolean)
     .join(' ')
 
   span.setTag(RESOURCE_NAME, resource)
 }
 
-function addHeaders (context) {
-  const { req, res, config, span, inferredProxySpan } = context
+function addRequestHeaders (context) {
+  const { req, config, span, inferredProxySpan } = context
 
   for (const [key, tag] of config.headers) {
     const reqHeader = req.headers[key]
-    const resHeader = res.getHeader(key)
-
     if (reqHeader) {
-      span.setTag(tag || `${HTTP_REQUEST_HEADERS}.${key}`, reqHeader)
-      inferredProxySpan?.setTag(tag || `${HTTP_REQUEST_HEADERS}.${key}`, reqHeader)
+      const tagName = tag || `${HTTP_REQUEST_HEADERS}.${key}`
+      span.setTag(tagName, reqHeader)
+      inferredProxySpan?.setTag(tagName, reqHeader)
     }
+  }
+}
+
+function addResponseHeaders (context) {
+  const { res, config, span, inferredProxySpan } = context
 
+  for (const [key, tag] of config.headers) {
+    const resHeader = res.getHeader(key)
     if (resHeader) {
-      span.setTag(tag || `${HTTP_RESPONSE_HEADERS}.${key}`, resHeader)
-      inferredProxySpan?.setTag(tag || `${HTTP_RESPONSE_HEADERS}.${key}`, resHeader)
+      const tagName = tag || `${HTTP_RESPONSE_HEADERS}.${key}`
+      span.setTag(tagName, resHeader)
+      inferredProxySpan?.setTag(tagName, resHeader)
     }
   }
 }

package/packages/dd-trace/src/priority_sampler.js

@@ -125,7 +125,7 @@ class PrioritySampler {
 
     log.trace(span, auto)
 
-    const tag = this._getPriorityFromTags(context._tags, context)
+    const tag = this._getPriorityFromTags(context.getTags(), context)
 
     if (this.validate(tag)) {
       context._sampling.priority = tag
@@ -300,7 +300,7 @@ class PrioritySampler {
    * @returns {SamplingPriority}
    */
   #getPriorityByAgent (context) {
-    const key = `service:${context._tags[SERVICE_NAME]},env:${this._env}`
+    const key = `service:${context.getTag(SERVICE_NAME)},env:${this._env}`
     // TODO: Change underscored properties to private ones.
     const sampler = this._samplers[key] || this._samplers[DEFAULT_KEY]
 

package/packages/dd-trace/src/profiling/profiler.js

@@ -17,7 +17,7 @@ function findWebSpan (startedSpans, spanId) {
     const ispan = startedSpans[i]
     const context = ispan.context()
     if (context._spanId === spanId) {
-      if (isWebServerSpan(context._tags)) {
+      if (isWebServerSpan(context.getTags())) {
         return true
       }
       spanId = context._parentId
@@ -268,7 +268,7 @@ class Profiler extends EventEmitter {
 
   #onSpanFinish (span) {
     const context = span.context()
-    const tags = context._tags
+    const tags = context.getTags()
     if (!isWebServerSpan(tags)) return
 
     const endpointName = endpointNameFromTags(tags)

package/packages/dd-trace/src/profiling/profilers/wall.js

@@ -247,6 +247,7 @@ class NativeWallProfiler {
     // context -- we simply can't tell which one it might've been across all
     // possible async context frames.
     if (this.#asyncContextFrameEnabled) {
+      const current = this.#pprof.time.getContext()
       if (this.#customLabelsActive) {
         // Custom labels may be active in this async context. The current CPED
         // context could be a 2-element array [profilingContext, customLabels].
@@ -254,7 +255,6 @@ class NativeWallProfiler {
         // This flag is monotonic (once set, stays true) because async
         // continuations from runWithLabels can fire at any time after the
         // synchronous runWithLabels call has returned.
-        const current = this.#pprof.time.getContext()
         if (Array.isArray(current)) {
           if (current[0] !== sampleContext) {
             this.#pprof.time.setContext([sampleContext, current[1]])
@@ -262,7 +262,13 @@ class NativeWallProfiler {
         } else if (current !== sampleContext) {
           this.#pprof.time.setContext(sampleContext)
         }
-      } else {
+      // Every setContext() call in ACF mode allocates a fresh contextHolder
+      // (a node::ObjectWrap with its own v8::Global<v8::Value>) in the native
+      // profiler. Skip the call if the CPED already holds this sampleContext,
+      // which is the common case when the same span is repeatedly activated:
+      // #getProfilingContext caches profilingContext on span[ProfilingContext],
+      // so identity comparison short-circuits.
+      } else if (current !== sampleContext) {
         this.#pprof.time.setContext(sampleContext)
       }
     } else {
@@ -294,7 +300,7 @@ class NativeWallProfiler {
 
       let webTags
       if (this.#endpointCollectionEnabled) {
-        const tags = context._tags
+        const tags = context.getTags()
         if (isWebServerSpan(tags)) {
           webTags = tags
         } else {
@@ -333,7 +339,7 @@ class NativeWallProfiler {
     if (!this.#started) return
     const profilingContext = span[ProfilingContext]
     if (profilingContext === undefined || profilingContext.webTags !== undefined) return
-    const tags = span.context()._tags
+    const tags = span.context().getTags()
     if (isWebServerSpan(tags)) {
       profilingContext.webTags = tags
     }