Skip to content

fix: Fix deadlock when snap start and using secret for api key#853

Merged
lym953 merged 2 commits intomainfrom
yiming.luo/snap-start-deadlock
Sep 19, 2025
Merged

fix: Fix deadlock when snap start and using secret for api key#853
lym953 merged 2 commits intomainfrom
yiming.luo/snap-start-deadlock

Conversation

@lym953
Copy link
Copy Markdown
Contributor

@lym953 lym953 commented Sep 18, 2025
edited
Loading

Problem

When a Lambda (1) uses snap start, and (2) specifies Datadog API key using DD_API_KEY_SECRET_ARN, the extension will encounter a deadlock. For a RwLock, the extension first gets a read lock:

datadog-lambda-extension/bottlecap/src/secrets/decrypt.rs

Line 45 in daf633d

let aws_credentials_read = aws_credentials.read().await;

then tries to get a write lock:

datadog-lambda-extension/bottlecap/src/secrets/decrypt.rs

Line 65 in daf633d

let mut aws_credentials_write = aws_credentials.write().await;

which never finishes. This causes the function to time out.

This bug was introduced in #717.

This PR

Fix this bug by removing the RwLock usage. AwsCredential is only created and used once in resolve_secrets(), and resolve_secrets() is only called once, so there's no need to protect this struct with a lock.

Testing

Tested on a Lambda with:

  • Python 3.13 runtime
  • snap start
  • using DD_API_KEY_SECRET_ARN

Before:

  • The function timed out.
  • Data failed to be sent to Datadog.

After:

  • The function finished without timeout.
  • Data was sent to Datadog successfully.

Notes

Jira: https://datadoghq.atlassian.net/browse/SLES-2482

@lym953 lym953 force-pushed the yiming.luo/snap-start-deadlock branch from f6132a7 to bc99e51 Compare September 18, 2025 19:51
lym953
lym953 commented Sep 18, 2025
View reviewed changes
Comment thread bottlecap/src/bin/bottlecap/main.rs
fn load_configs(start_time: Instant) -> (AwsConfig, Arc<Config>) {
// First load the AWS configuration
let aws_config = AwsConfig::from_env(start_time);
let aws_credentials = AwsCredentials::from_env();
Copy link
Copy Markdown
Contributor Author

@lym953 lym953 Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to load credentials from main()

Comment thread bottlecap/src/secrets/decrypt.rs
};

let aws_credentials_read = aws_credentials.read().await;
let mut aws_credentials = AwsCredentials::from_env();
Copy link
Copy Markdown
Contributor Author

@lym953 lym953 Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Load it as needed in resolve_secrets(), which is called lazily.

@lym953 lym953 marked this pull request as ready for review September 18, 2025 19:52
@lym953 lym953 requested a review from a team as a code owner September 18, 2025 19:52
This was linked to issues Sep 18, 2025
Cached Datadog api key doesn't play well with snapstart in V84+ #834
Closed
Updating Java Lambda to Datadog-Extension-ARM version 84 leads to Lambda running until timeout #849
Closed
@lym953 lym953 mentioned this pull request Sep 18, 2025
Closed
@lym953 lym953 merged commit 7466374 into main Sep 19, 2025
46 checks passed
@lym953 lym953 deleted the yiming.luo/snap-start-deadlock branch September 19, 2025 16:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@duncanista duncanista duncanista approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@lym953 @duncanista