fix: Guard span baggage inheritance against malformed parent zval

[jdani-airalo]

Generated with AI assistance and reviewed before submission. (Adding the "AI Generated" label here would require triage permission on this repo, which external contributors do not have — flagging it in the description instead.)

Description

ddtrace_inherit_span_properties (ext/serializer.c) copies several parent span
properties into a new span with ZVAL_COPY_DEREF. That macro runs GC_ADDREF on
the source whenever its type carries the refcounted flag, without checking that the
counted pointer is valid.

When the parent's baggage property is a zval whose type is flagged refcounted but
whose Z_COUNTED pointer is NULL, GC_ADDREF dereferences NULL and the process
crashes with a SIGSEGV during span creation.

Crash signature observed in production (PHP 8.3, NTS, fpm-fcgi, tracer 1.20.0):

• SIGSEGV at the GC_ADDREF increment (addl $0x1,(%rdx) with %rdx = 0).
• addr2line on the faulting offset points into ddtrace_inherit_span_properties.
  The function issues five back-to-back zval_ptr_dtor(); ZVAL_COPY_DEREF();
  sequences; at -O2 these identical tails fold together, so the reported line
  lands on the first copy regardless of which property actually faults.
• The crashes stop when baggage extraction is disabled
  (DD_TRACE_PROPAGATION_STYLE=datadog,tracecontext). The other inherited
  properties (service, type, env, version) are long-stable strings; baggage
  is the only inherited field populated from inbound distributed-tracing headers and
  managed as an array. That points at the baggage copy as the faulting one.

Change

Guard the baggage copy. If the parent baggage zval is flagged refcounted but holds a
NULL counted pointer, skip the copy and initialize the new span's baggage to its
declared empty-array default instead of dereferencing NULL. Valid baggage is copied
exactly as before, so propagation behavior is unchanged for well-formed input.

The guard is scoped to the baggage property only, where the evidence points, and adds
no PHP-version or ZTS-specific branches.

Notes

This is a defensive fix at the crash site. The producer path that leaves the baggage
zval in the refcounted-with-NULL state is not pinned down here: the visible baggage
write paths (header merge, apply_baggage_span_tags, the serializer copy via
zend_hash_copy(..., zval_add_ref)) look refcount-balanced. The crash is reproducible
in production under load but not yet as a deterministic unit test, so no regression
test is included rather than adding a flaky one. Happy to add a harness test if you can
point at a reliable trigger, or to move the guard to the producer if you can identify
the exact path.

Reviewer checklist

• Test coverage seems ok.
• Appropriate labels assigned.

[bwoebi]

Hey @jdani-airalo.

the big question is - how does that become NULL. This is an invalid state and probably direct access to \DDTrace\active_span()->baggage in very normal user code would also crash then.

I was unable to pin down a possible path to get this to crash. Do have any reproducer? Any information your AI could extract from the core dump / source code to reconstruct a path to getting this crashing?

This PR is a band-aid, not a proper fix :-(