Skip to content

fix(shared-runtime): make ForkSafeRuntime teardown structurally TLS/poison-safe#2220

Draft
quinna-h wants to merge 5 commits into
mainfrom
fix/shared-runtime-structural-teardown
Draft

fix(shared-runtime): make ForkSafeRuntime teardown structurally TLS/poison-safe#2220
quinna-h wants to merge 5 commits into
mainfrom
fix/shared-runtime-structural-teardown

Conversation

@quinna-h

@quinna-h quinna-h commented Jul 9, 2026

Copy link
Copy Markdown

What does this PR do?

Replaces the shutdown()-only TLS guard with two structural invariants so ForkSafeRuntime teardown never depends on the destruction order of other global/thread-local state during (embedded) interpreter finalization.

Motivation

During (embedded) interpreter finalization, a ForkSafeRuntime can be torn down after the calling thread's Tokio CONTEXT thread-local has already been destroyed. When that happens, teardown panics with "The Tokio context thread-local variable has been destroyed":

  • shutdown() calls runtime.block_on(...), which enters the Tokio context via the thread-local — panicking if it's already gone.
  • Even without an explicit shutdown(), a normal Runtime drop blocks the current thread to join its worker threads, and that join path also touches the context thread-local, so a worker thread panics during drop.

Because lock_or_panic() unwraps a poisoned mutex, that first panic then cascades: every other thread that later locks the shared runtime/workers mutex panics too with PoisonError.

This surfaces as a crash on every uWSGI worker shutdown with ddtrace ≥4.9.x (lazy-apps + --die-on-term). It's fundamentally an ordering problem; the process-global runtime, its worker threads, and thread-local state are destroyed
in an order the library doesn't control, and under uWSGI the teardown is driven from the C layer with no reliable point to shut down cleanly beforehand (the worker's SIGTERM is handled by uWSGI; Python's atexit runs only after TLS is
already destroyed). So the terminal teardown path must be safe unconditionally, rather than relying on detecting the finalization state at each call site.

Additional Notes

Anything else we should know when reviewing?

How to test the change?

Describe here in detail how the change can be validated.

rachelyangdog and others added 4 commits June 26, 2026 12:08
…uring CPython finalization

During CPython interpreter finalization, thread-local storage is destroyed
before atexit handlers fire. SharedRuntime::shutdown() calls runtime.block_on()
which internally calls context::enter() to set up Tokio's CONTEXT thread-local.
If that TLS slot is already destroyed, context::enter() panics with
"The Tokio context thread-local variable has been destroyed", which PyO3
converts to a pyo3_runtime.PanicException. This causes a crash on every uWSGI
worker shutdown when using ddtrace >=4.9.x.

Fix: check Handle::try_current().is_thread_local_destroyed() before calling
block_on(). If TLS is gone, return Ok(()) early — the OS will clean up
remaining Tokio threads on process exit. This eliminates both the panic and
the subsequent 60s hang/SIGKILL.

Reproducer: uWSGI app with lazy-apps=true, ddtrace imported via uwsgi import=,
4 workers. SIGTERM triggers the panic on every worker.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… refactor

Resolves merge conflict with main, which refactored SharedRuntime into
separate ForkSafeRuntime, BasicRuntime, and LocalRuntime types. The TLS
destruction guard (Handle::try_current().is_thread_local_destroyed()) is
now applied to ForkSafeRuntime::shutdown() in fork_safe.rs, where the
block_on call lives after the refactor.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…oison-safe

Replaces the symptomatic shutdown()-only TLS guard with two structural
invariants so teardown does not depend on the destruction order of any other
global/thread-local state during (embedded) interpreter finalization:

A. Terminal teardown never blocks or enters the Tokio context. Add
   `Drop for ForkSafeRuntime` that detaches the owned runtime via
   `shutdown_background()` instead of a normal blocking `Runtime` drop (which
   joins worker threads and touches the CONTEXT thread-local, panicking with
   "The Tokio context thread-local variable has been destroyed" when that TLS
   is already gone). Done unconditionally, so there is no finalization-detection
   branch a future teardown scenario can slip past. The graceful `shutdown()`
   path (which flushes) still runs when a live context exists (`can_block_on`);
   if it already ran, Drop is a no-op.

B. Shared-state access is poison-immune. Add `MutexExt::lock_or_recover`
   (recovers the guard via `into_inner()` instead of unwrapping) and use it on
   all runtime/workers lifecycle locks, so one thread panicking cannot cascade
   into a `PoisonError` on every other thread that later takes the lock.

Adds tests: drop-without-shutdown detaches cleanly, and shutdown recovers from
a poisoned lock.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the common label Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📚 Documentation Check Results

⚠️ 357 documentation warning(s) found

📦 libdd-common - 169 warning(s)

📦 libdd-shared-runtime - 188 warning(s)


Updated: 2026-07-10 15:43:02 UTC | Commit: a01833f | missing-docs job results

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

  • Base Branch: origin/main
  • PR Branch: origin/fix/shared-runtime-structural-teardown

Summary by Rule

Rule Base Branch PR Branch Change
unwrap_used 6 6 No change (0%)
Total 6 6 No change (0%)

Annotation Counts by File

File Base Branch PR Branch Change
libdd-common/src/lib.rs 6 6 No change (0%)

Annotation Stats by Crate

Crate Base Branch PR Branch Change
clippy-annotation-reporter 5 5 No change (0%)
datadog-ffe-ffi 1 1 No change (0%)
datadog-ipc 22 22 No change (0%)
datadog-live-debugger 4 4 No change (0%)
datadog-live-debugger-ffi 10 10 No change (0%)
datadog-profiling-replayer 4 4 No change (0%)
datadog-sidecar 45 45 No change (0%)
libdd-common 13 13 No change (0%)
libdd-common-ffi 12 12 No change (0%)
libdd-data-pipeline 6 6 No change (0%)
libdd-ddsketch 2 2 No change (0%)
libdd-dogstatsd-client 1 1 No change (0%)
libdd-profiling 13 13 No change (0%)
libdd-remote-config 3 3 No change (0%)
libdd-telemetry 20 20 No change (0%)
libdd-tinybytes 4 4 No change (0%)
libdd-trace-normalization 2 2 No change (0%)
libdd-trace-obfuscation 3 3 No change (0%)
libdd-trace-stats 1 1 No change (0%)
libdd-trace-utils 11 11 No change (0%)
Total 182 182 No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔒 Cargo Deny Results

⚠️ 5 issue(s) found, showing only errors (advisories, bans, sources)

📦 libdd-common - 4 error(s)

Show output
error[vulnerability]: Invalid pointer dereference in `fmt::Pointer` impl for `Atomic` and `Shared` when the underlying pointer is invalid
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:33:1
   │
33 │ crossbeam-epoch 0.9.18 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0204
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0204
   ├ Affected versions of `fmt::Display` dereference the underlying pointer. This causes a invalid pointer dereference e.g., when a pointer created with `Atomic::null` or `Shared::null`. `fmt::Debug` impls and pre-0.9 `fmt::Display` impls, which do not dereference pointers, are not affected by this issue.
   ├ Announcement: https://github.com/crossbeam-rs/crossbeam/pull/1276
   ├ Solution: Upgrade to >=0.9.20 (try `cargo update -p crossbeam-epoch`)
   ├ crossbeam-epoch v0.9.18
     ├── crossbeam-deque v0.8.5
     │   └── rayon-core v1.12.1
     │       └── rayon v1.10.0
     │           └── criterion v0.5.1
     │               └── libdd-common v5.1.0
     └── moka v0.12.13
         └── hickory-resolver v0.25.2
             └── reqwest v0.13.2
                 └── libdd-common v5.1.0 (*)

error[vulnerability]: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:64:1
   │
64 │ hickory-proto 0.25.2 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0118
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0118
   ├ The NSEC3 closest-encloser proof validation in `hickory-proto`'s
     `DnssecDnsHandle` walks from the QNAME up to the SOA owner name, building a
     list of candidate encloser names. The iterator used assumes the
     QNAME is a descendant of the SOA owner, terminating only when the current
     candidate equals the SOA name. When the SOA in a response's authority section
     is not an ancestor of the QNAME, the loop stalls at the DNS root and never
     terminates, repeatedly calling `Name::base_name()` and pushing newly allocated
     `Name` and hashed-name entries into the candidate `Vec`.
     
     The bug is reachable by any caller of `DnssecDnsHandle` — including the
     resolver, recursor, and client — when built with the `dnssec-ring` or
     `dnssec-aws-lc-rs` feature and configured to perform DNSSEC validation. It is
     triggered while validating a NoData or NXDomain response whose authority
     section contains an SOA record from a zone other than an ancestor of the
     QNAME, on a code path that requires NSEC3 closest-encloser proof. In practice
     this can be reached through an insecure CNAME chain that crosses zone
     boundaries into a DNSSEC-signed zone returning NoData, but the minimum
     condition is just a mismatched SOA owner on a response requiring NSEC3
     validation.
     
     A `debug_assert_ne!(name, Name::root())` guards the loop body, so debug builds
     abort with a panic on the first iteration past the root. Release builds
     compile the assertion out and run the loop unbounded, allocating until the
     process exhausts available memory (OOM). A reachable upstream attacker who
     can return such a response can therefore crash a debug-built validator or
     exhaust memory on a release-built one.
     
     The affected code was migrated from `hickory-proto` to `hickory-net` as part of
     the 0.26.0 release. The `hickory-proto` 0.26.x release no longer offers
     `DnssecDnsHandle` and so we recommend all affected users update to `hickory-net`
     0.26.1 when the implementation of that type is required.
   ├ Announcement: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465
   ├ Solution: No safe upgrade is available!
   ├ hickory-proto v0.25.2
     └── hickory-resolver v0.25.2
         └── reqwest v0.13.2
             └── libdd-common v5.1.0

error[vulnerability]: CPU exhaustion during message encoding due to O(n²) name compression
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:64:1
   │
64 │ hickory-proto 0.25.2 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
   │
   ├ ID: RUSTSEC-2026-0119
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0119
   ├ During message encoding, `hickory-proto`'s `BinEncoder` stores pointers to
     labels that are candidates for name compression in a `Vec<(usize, Vec<u8>)>`.
     The name compression logic then searches for matches with a linear scan.
     
     A malicious message with many records can both introduce many candidate labels,
     and invoke this linear scan many times. This can amplify CPU exhaustion in DoS
     attacks.
     
     This is similar to
     [CVE-2024-8508](https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt).
     
     We recommend all affected users update to `hickory-proto` 0.26.1 for the fix.
   ├ Announcement: https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp
   ├ Solution: Upgrade to >=0.26.1 (try `cargo update -p hickory-proto`)
   ├ hickory-proto v0.25.2
     └── hickory-resolver v0.25.2
         └── reqwest v0.13.2
             └── libdd-common v5.1.0

error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
    ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:127:1
    │
127 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
    │
    ├ ID: RUSTSEC-2026-0097
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
    ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
      
      - The `log` and `thread_rng` features are enabled
      - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
      - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
      - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
      - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
      
      `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
    ├ Announcement: https://github.com/rust-random/rand/pull/1763
    ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
    ├ rand v0.8.5
      └── libdd-common v5.1.0

advisories FAILED, bans ok, sources ok

📦 libdd-shared-runtime - 1 error(s)

Show output
error[unsound]: Rand is unsound with a custom logger using `rand::rng()`
   ┌─ /home/runner/work/libdatadog/libdatadog/Cargo.lock:73:1
   │
73 │ rand 0.8.5 registry+https://github.com/rust-lang/crates.io-index
   │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ unsound advisory detected
   │
   ├ ID: RUSTSEC-2026-0097
   ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0097
   ├ It has been reported (by @lopopolo) that the `rand` library is [unsound](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#soundness-of-code--of-a-library) (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
     
     - The `log` and `thread_rng` features are enabled
     - A [custom logger](https://docs.rs/log/latest/log/#implementing-a-logger) is defined
     - The custom logger accesses `rand::rng()` (previously `rand::thread_rng()`) and calls any `TryRng` (previously `RngCore`) methods on `ThreadRng`
     - The `ThreadRng` (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
     - Trace-level logging is enabled or warn-level logging is enabled and the random source (the `getrandom` crate) is unable to provide a new seed
     
     `TryRng` (previously `RngCore`) methods for `ThreadRng` use `unsafe` code to cast `*mut BlockRng<ReseedingCore>` to `&mut BlockRng<ReseedingCore>`. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of [aliased mutable references is Undefined Behaviour](https://doc.rust-lang.org/stable/nomicon/references.html), the behaviour of optimized builds is hard to predict.
   ├ Announcement: https://github.com/rust-random/rand/pull/1763
   ├ Solution: Upgrade to >=0.10.1 OR <0.10.0, >=0.9.3 OR <0.9.0, >=0.8.6 (try `cargo update -p rand`)
   ├ rand v0.8.5
     └── (dev) libdd-common v5.1.0
         ├── libdd-capabilities-impl v3.0.0
         │   └── libdd-shared-runtime v2.0.0
         └── libdd-shared-runtime v2.0.0 (*)

advisories FAILED, bans ok, sources ok

Updated: 2026-07-10 15:44:52 UTC | Commit: a01833f | dependency-check job results

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 3 Pipeline jobs failed

Miri test | run-miri (3)   View in Datadog   GitHub Actions

semver-check | validate   View in Datadog   GitHub Actions

Required checks pass | allchecks   View in Datadog   GitHub Actions

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 91.18%
Overall Coverage: 74.36% (+0.02%)

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 302c31d | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Artifact Size Benchmark Report

aarch64-alpine-linux-musl
Artifact Baseline Commit Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so 7.82 MB 7.82 MB +0% (+24 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a 85.14 MB 85.42 MB +.32% (+284.71 KB) 🔍
aarch64-unknown-linux-gnu
Artifact Baseline Commit Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a 96.27 MB 96.58 MB +.31% (+313.14 KB) 🔍
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.51 MB 10.52 MB +.06% (+7.46 KB) 🔍
libdatadog-x64-windows
Artifact Baseline Commit Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll 25.14 MB 25.21 MB +.29% (+76.50 KB) 🔍
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib 88.04 KB 88.04 KB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb 183.36 MB 183.83 MB +.25% (+480.00 KB) 🔍
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib 938.86 MB 941.34 MB +.26% (+2.47 MB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll 8.22 MB 8.25 MB +.32% (+27.50 KB) 🔍
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib 88.04 KB 88.04 KB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb 24.30 MB 24.40 MB +.38% (+96.00 KB) 🔍
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib 48.47 MB 48.62 MB +.30% (+152.39 KB) 🔍
libdatadog-x86-windows
Artifact Baseline Commit Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll 21.79 MB 21.86 MB +.31% (+70.00 KB) 🔍
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib 89.42 KB 89.42 KB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb 187.40 MB 187.87 MB +.25% (+488.00 KB) 🔍
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib 927.44 MB 930.03 MB +.27% (+2.58 MB) 🔍
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll 6.35 MB 6.37 MB +.32% (+21.00 KB) 🔍
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib 89.42 KB 89.42 KB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb 26.09 MB 26.19 MB +.38% (+104.00 KB) 🔍
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib 46.11 MB 46.26 MB +.33% (+158.82 KB) 🔍
x86_64-alpine-linux-musl
Artifact Baseline Commit Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a 75.88 MB 76.13 MB +.32% (+255.75 KB) 🔍
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so 8.70 MB 8.72 MB +.22% (+20.03 KB) 🔍
x86_64-unknown-linux-gnu
Artifact Baseline Commit Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a 91.34 MB 91.61 MB +.28% (+266.74 KB) 🔍
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.59 MB 10.62 MB +.27% (+29.83 KB) 🔍

Comment thread libdd-common/src/lib.rs

#[inline(always)]
fn lock_or_recover(&self) -> MutexGuard<'_, T> {
self.lock().unwrap_or_else(|poisoned| poisoned.into_inner())

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PoisonError should not be used, we have no guarantee over the state in which the value was left.

fn drop(&mut self) {
if let Some(runtime) = self.runtime.lock_or_recover().take() {
match Arc::try_unwrap(runtime) {
Ok(runtime) => runtime.shutdown_background(),

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't trigger the shutdown logic of the workers and therefore will not flush data before the fork this will cause the same issue as --skip-atexit

…estroyed

shutdown() previously skipped the graceful shutdown entirely once the
calling thread's Tokio CONTEXT thread-local was destroyed (embedded
interpreter finalization), deferring to Drop's shutdown_background(),
which detaches without flushing in-flight work.

Since only the calling thread's TLS is affected, not the runtime's own
worker threads, shutdown() now hands the same graceful shutdown off to
a freshly spawned thread whose TLS was never touched, and waits for it
via a plain channel. This lets a final flush actually happen during
finalization instead of being silently dropped.
@pr-commenter

pr-commenter Bot commented Jul 10, 2026

Copy link
Copy Markdown

Benchmarks

Comparison

Benchmark execution time: 2026-07-10 16:46:11

Comparing candidate commit 302c31d in PR branch fix/shared-runtime-structural-teardown with baseline commit a41a0f4 in branch main.

Found 18 performance improvements and 41 performance regressions! Performance is the same for 212 metrics, 10 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:credit_card/is_card_number/ 3782-8224-6310-005

  • 🟥 execution_time [+4.835µs; +5.054µs] or [+6.434%; +6.726%]
  • 🟥 throughput [-841118.927op/s; -803763.401op/s] or [-6.320%; -6.039%]

scenario:credit_card/is_card_number/ 378282246310005

  • 🟥 execution_time [+5.779µs; +5.883µs] or [+8.522%; +8.675%]
  • 🟥 throughput [-1176539.025op/s; -1157882.541op/s] or [-7.979%; -7.852%]

scenario:credit_card/is_card_number/378282246310005

  • 🟥 execution_time [+17.542µs; +17.604µs] or [+27.163%; +27.258%]
  • 🟥 throughput [-3317047.464op/s; -3307277.576op/s] or [-21.422%; -21.358%]

scenario:credit_card/is_card_number/37828224631000521389798

  • 🟥 execution_time [+7.099µs; +7.154µs] or [+15.683%; +15.804%]
  • 🟥 throughput [-3018585.180op/s; -2992393.718op/s] or [-13.663%; -13.544%]

scenario:credit_card/is_card_number/x371413321323331

  • 🟩 execution_time [-933.265ns; -917.300ns] or [-13.692%; -13.458%]
  • 🟩 throughput [+22831526.797op/s; +23291583.945op/s] or [+15.562%; +15.875%]

scenario:credit_card/is_card_number_no_luhn/ 378282246310005

  • 🟥 execution_time [+4.487µs; +4.515µs] or [+8.451%; +8.505%]
  • 🟥 throughput [-1476561.346op/s; -1467632.298op/s] or [-7.839%; -7.792%]

scenario:credit_card/is_card_number_no_luhn/378282246310005

  • 🟥 execution_time [+4.967µs; +4.996µs] or [+9.959%; +10.018%]
  • 🟥 throughput [-1825992.134op/s; -1815754.380op/s] or [-9.107%; -9.056%]

scenario:credit_card/is_card_number_no_luhn/37828224631000521389798

  • 🟥 execution_time [+7.054µs; +7.114µs] or [+15.600%; +15.733%]
  • 🟥 throughput [-3010323.942op/s; -2981312.365op/s] or [-13.612%; -13.481%]

scenario:credit_card/is_card_number_no_luhn/x371413321323331

  • 🟩 execution_time [-923.460ns; -909.193ns] or [-13.550%; -13.340%]
  • 🟩 throughput [+22599072.237op/s; +23008964.376op/s] or [+15.402%; +15.682%]

scenario:ddsketch_encode/encode_to_vec/clustered_near_zero

  • 🟥 execution_time [+42.742ns; +49.676ns] or [+6.117%; +7.109%]

scenario:ddsketch_encode/encode_to_vec/large_values

  • 🟥 execution_time [+72.911ns; +77.718ns] or [+8.727%; +9.302%]

scenario:ddsketch_encode/encode_to_vec/mixed

  • 🟥 execution_time [+92.373ns; +97.761ns] or [+7.571%; +8.012%]

scenario:glob_matcher/ascii_case_insensitive_match/wall_time

  • 🟩 execution_time [-2.946ns; -2.912ns] or [-9.843%; -9.731%]

scenario:glob_matcher/ascii_exact_match/wall_time

  • 🟩 execution_time [-3.192ns; -3.167ns] or [-10.667%; -10.583%]

scenario:glob_matcher/ascii_exact_miss/wall_time

  • 🟩 execution_time [-4.247ns; -4.186ns] or [-26.990%; -26.602%]

scenario:glob_matcher/ascii_wildcard_backtrack_match/wall_time

  • 🟥 execution_time [+1.605ns; +1.626ns] or [+4.337%; +4.395%]

scenario:normalization/normalize_name/normalize_name/Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Long-.Too-Lo...

  • 🟥 execution_time [+18.205µs; +18.361µs] or [+9.747%; +9.830%]
  • 🟥 throughput [-479359.186op/s; -475268.526op/s] or [-8.954%; -8.877%]

scenario:normalization/normalize_name/normalize_name/bad-name

  • 🟥 execution_time [+961.736ns; +997.018ns] or [+5.381%; +5.579%]
  • 🟥 throughput [-2961427.311op/s; -2854740.787op/s] or [-5.292%; -5.102%]

scenario:normalization/normalize_name/normalize_name/good

  • 🟥 execution_time [+1.223µs; +1.251µs] or [+12.695%; +12.990%]
  • 🟥 throughput [-11955198.536op/s; -11682156.041op/s] or [-11.514%; -11.251%]

scenario:normalization/normalize_service/normalize_service/A0000000000000000000000000000000000000000000000000...

  • 🟥 execution_time [+37.818µs; +38.166µs] or [+7.584%; +7.653%]
  • 🟥 throughput [-142607.803op/s; -141301.758op/s] or [-7.112%; -7.047%]

scenario:normalization/normalize_service/normalize_service/Test Conversion 0f Weird !@#$%^&**() Characters

  • 🟥 execution_time [+19.959µs; +20.058µs] or [+11.696%; +11.754%]
  • 🟥 throughput [-616502.571op/s; -613480.172op/s] or [-10.520%; -10.469%]

scenario:normalization/normalize_service/normalize_service/test_ASCII

  • 🟩 throughput [+840672.931op/s; +858216.065op/s] or [+4.070%; +4.155%]

scenario:sql/obfuscate_sql_string

  • 🟥 execution_time [+13.324µs; +13.536µs] or [+4.713%; +4.788%]

scenario:vec_map/as_deduped_map/already_deduped/16

  • 🟩 execution_time [-1.842ns; -1.808ns] or [-7.267%; -7.132%]

scenario:vec_map/as_deduped_map/already_deduped/8

  • 🟩 execution_time [-1.797ns; -1.786ns] or [-11.458%; -11.386%]

scenario:vec_map/as_deduped_map/needs_dedup_1_in_10/8

  • 🟩 execution_time [-17.755ns; -17.551ns] or [-4.762%; -4.707%]

scenario:vec_map/contains_key/128

  • 🟥 execution_time [+712.882ns; +725.637ns] or [+4.754%; +4.839%]
  • 🟥 throughput [-394184.576op/s; -387238.421op/s] or [-4.618%; -4.537%]

scenario:vec_map/contains_key/16

  • 🟥 execution_time [+30.422ns; +30.794ns] or [+13.192%; +13.353%]
  • 🟥 throughput [-8178434.943op/s; -8081204.845op/s] or [-11.787%; -11.647%]

scenario:vec_map/contains_key/64

  • 🟥 execution_time [+176.453ns; +179.118ns] or [+4.393%; +4.459%]
  • 🟥 throughput [-680379.115op/s; -670146.541op/s] or [-4.270%; -4.206%]

scenario:vec_map/contains_key/8

  • 🟥 execution_time [+12.629ns; +12.805ns] or [+17.837%; +18.087%]
  • 🟥 throughput [-17323066.161op/s; -17087943.021op/s] or [-15.330%; -15.122%]

scenario:vec_map/get_hit/128

  • 🟥 execution_time [+1.119µs; +1.127µs] or [+9.009%; +9.073%]
  • 🟥 throughput [-857559.041op/s; -851654.756op/s] or [-8.320%; -8.263%]

scenario:vec_map/get_hit/16

  • 🟩 execution_time [-12.806ns; -12.608ns] or [-6.020%; -5.927%]
  • 🟩 throughput [+4742563.768op/s; +4814314.523op/s] or [+6.305%; +6.400%]

scenario:vec_map/get_hit/64

  • 🟥 execution_time [+260.993ns; +264.910ns] or [+7.766%; +7.882%]
  • 🟥 throughput [-1391537.055op/s; -1371762.720op/s] or [-7.307%; -7.204%]

scenario:vec_map/get_hit/8

  • 🟩 execution_time [-7.139ns; -6.989ns] or [-11.660%; -11.415%]
  • 🟩 throughput [+16871432.585op/s; +17191921.232op/s] or [+12.912%; +13.157%]

scenario:vec_map/get_miss/16

  • 🟩 execution_time [-17.771ns; -17.479ns] or [-65.252%; -64.178%]

scenario:vec_map/get_miss/64

  • 🟩 execution_time [-21.393ns; -21.316ns] or [-41.941%; -41.791%]

scenario:vec_map/get_miss/8

  • 🟩 execution_time [-12.611ns; -12.425ns] or [-69.204%; -68.182%]

Candidate

Omitted due to size.

Baseline

Omitted due to size.

@danielsn

Copy link
Copy Markdown
Contributor

I fundamentally worry we're going the wrong direction here. Tokio has undocumented global state, and may just be incompatable with forking. We can play whack-a-mole with fork-based crashes on a multi-threaded runtime, but do we have a design where we believe we ought to eventually converge on true fork safety?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants