## Overview
This PR replaces the fragile thread/process map semantics with a bounded,
request-scoped context backed by a native, fixed-size array, and adds
end-to-end tests validating Overhead Control Engine (OCE)
max-concurrency enforcement across the FastAPI, Django, and Flask test apps.
## Context and motivation
- Problem: The legacy IAST context map (pointer-keyed + thread-local
cache) breaks under asyncio and concurrency, causing incorrect request
association and performance inconsistencies.
- Goal: Make the IAST request map safe and predictable under
threads/async with consistent overhead, enforce request concurrency via
OCE, and provide clear, framework-agnostic tests that verify behavior.
## Related work
- Follows the direction and experiments from:
  - #14466: Initial context refactor and benchmarks groundwork
  - #14497, #14555, #14562: Subsequent iterations on IAST context
    ownership, perf and integration
- This PR integrates and stabilizes those ideas into the runtime and
  test suites.
## What’s in this PR
### Core IAST context lifecycle
- New request-scoped flow entrypoint:
  `ddtrace/appsec/_iast/_iast_request_context_base.py`
  - `_iast_start_request(span)` now gates with OCE
    (`oce.acquire_request(span)`) and creates a native request context only
    when needed.
  - Sets the `IAST_CONTEXT` ContextVar to the active context id.
  - Attaches a per-request `IASTEnvironment(span)` via
    `core.set_item(IAST.REQUEST_CONTEXT_KEY, ...)`.
  - On finish (`_iast_finish_request(...)`) it updates global limits,
    discards the environment, and releases the native context.
- Helper: `is_iast_request_enabled()` exposes whether the taint-tracking
  context is active in the current execution.
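A compact model of the lifecycle described above, added here as an illustration and not code from dd-trace-py: `BoundedContextPool`, `handle_request` and the request names are constructed stand-ins for the native fixed-size array and the OCE gate, showing why a ContextVar-keyed slot stays correct when asyncio requests interleave and how the max-concurrency limit rejects the extra request.

```python
import asyncio
from contextvars import ContextVar
# Stand-in for the IAST_CONTEXT ContextVar: holds the active context slot id, or None.
IAST_CONTEXT = ContextVar("IAST_CONTEXT", default=None)

class BoundedContextPool:
    # Constructed stand-in for the fixed-size native array plus the OCE gate (not dd-trace-py's).
    def __init__(self, max_concurrent):
        self.slots = [None] * max_concurrent  # one entry per concurrently tracked request
        self._free = list(range(max_concurrent))
        self.rejected = 0  # requests served without taint tracking

    def acquire_request(self, span_name):
        # Return a slot id, or None once max concurrency is reached.
        if not self._free:
            self.rejected += 1
            return None
        slot = self._free.pop()
        self.slots[slot] = {"span": span_name, "tainted": []}
        return slot

    def release(self, slot):
        self.slots[slot] = None
        self._free.append(slot)

def is_iast_request_enabled():
    return IAST_CONTEXT.get() is not None

async def handle_request(pool, span_name):
    slot = pool.acquire_request(span_name)
    if slot is None:
        return None  # over budget: the request runs untracked
    token = IAST_CONTEXT.set(slot)  # task-local, so interleaved requests never collide
    try:
        await asyncio.sleep(0)  # let the other requests interleave
        env = pool.slots[IAST_CONTEXT.get()]  # resolve via ContextVar, not a thread-local
        env["tainted"].append("param-from-" + span_name)
        return env["span"], is_iast_request_enabled()
    finally:
        IAST_CONTEXT.reset(token)  # finish: drop the environment, free the slot
        pool.release(slot)

async def _serve(pool, names):
    return await asyncio.gather(*(handle_request(pool, n) for n in names))

def demo(max_concurrent=2):
    pool = BoundedContextPool(max_concurrent)
    results = asyncio.run(_serve(pool, ["req-a", "req-b", "req-c"]))
    return results, pool.rejected, is_iast_request_enabled()
```

With a limit of two, the third request is served untracked and counted as rejected, while outside any request `is_iast_request_enabled()` is false again.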
## Rollout plan
- Land behind existing feature flags/env vars (default disabled for IAST
  if unsupported).
- Monitor CI and integration tests for the new concurrency checks.
- Follow-up PRs (tracked in the RFC) will:
  - Complete the native context array migration across all call sites.
  - Add more microbenchmarks and tighten perf budgets (+/- thresholds).
  - Expand sink coverage and per-request metrics.
## Checklist
- [x] PR author has checked that all the criteria below are met
  - The PR description includes an overview of the change
  - The PR description articulates the motivation for the change
  - The change includes tests OR the PR description describes a testing
    strategy
  - The PR description notes risks associated with the change, if any
  - Newly-added code is easy to change
  - The change follows the [library release note
    guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
  - The change includes or references documentation updates if necessary
  - Backport labels are set (if
    [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))
## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
  - Title is accurate
  - All changes are related to the pull request's stated goal
  - Avoids breaking
    [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
    changes
  - Testing strategy adequately addresses listed risks
  - Newly-added code is easy to change
  - Release note makes sense to a user of the library
  - If necessary, author has acknowledged and discussed the performance
    implications of this PR as reported in the benchmarks PR comment
  - Backport labels are set in a manner that is consistent with the
    [release branch maintenance
    policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)