be mindful of the scope of objects

tracer/src/Datadog.Trace/AppSec/Waf/Context.cs

@@ -100,32 +100,35 @@ private Context(IntPtr contextHandle, Waf waf, WafLibraryInvoker wafLibraryInvok
                 // Calling _encoder.Encode(null) results in a null object that will cause the WAF to error
                 // The WAF can be called with an empty dictionary (though we should avoid doing this).
 
-                var pwPersistentArgsPtr = IntPtr.Zero;
-                var pwEphemeralArgsPtr = IntPtr.Zero;
+                DdwafObjectStruct pwPersistentArgs = default;
+                DdwafObjectStruct pwEphemeralArgsValue = default;
 
-                DdwafObjectStruct ddwafObjectPersistent;
-                if (persistentAddressData != null)
+                if (persistentAddressData is not null)
                 {
                     var persistentArgs = _encoder.Encode(persistentAddressData, applySafetyLimits: true);
-                    ddwafObjectPersistent = persistentArgs.ResultDdwafObject;
-                    pwPersistentArgsPtr = (IntPtr)(&ddwafObjectPersistent);
+                    pwPersistentArgs = persistentArgs.ResultDdwafObject;
                     _encodeResults.Add(persistentArgs);
                 }
 
-                IEncodeResult? ephemeralArgs = null;
                 // pwEphemeralArgs follow a different lifecycle and should be disposed immediately
-                DdwafObjectStruct ddwafObjectEphemeral;
-                if (ephemeralAddressData is { Count: > 0 })
+                using var ephemeralArgs = ephemeralAddressData is { Count: > 0 }
+                                              ? _encoder.Encode(ephemeralAddressData, applySafetyLimits: true)
+                                              : null;
+
+                if (persistentAddressData is null && ephemeralArgs is null)
+                {
+                    Log.Error("Both pwPersistentArgs and pwEphemeralArgs are null");
+                    return null;
+                }
+
+                if (ephemeralArgs is not null)
                 {
-                    var ephemeralArgsResult = _encoder.Encode(ephemeralAddressData, applySafetyLimits: true);
-                    ddwafObjectEphemeral = ephemeralArgsResult.ResultDdwafObject;
-                    pwEphemeralArgsPtr = (IntPtr)(&ddwafObjectEphemeral);
-                    ephemeralArgs = ephemeralArgsResult;
+                    // WARNING: Don't use ref here, we need to make a copy because ephemeralArgs is on the heap
+                    pwEphemeralArgsValue = ephemeralArgs.ResultDdwafObject;
                 }
 
                 // WARNING: DO NOT DISPOSE pwPersistentArgs until the end of this class's lifecycle, i.e in the dispose. Otherwise waf might crash with fatal exception.
-                code = _waf.Run(_contextHandle, pwPersistentArgsPtr, pwEphemeralArgsPtr, ref retNative, timeoutMicroSeconds);
-                ephemeralArgs?.Dispose();
+                code = _waf.Run(_contextHandle, persistentAddressData != null ? &pwPersistentArgs : null, ephemeralArgs != null ? &pwEphemeralArgsValue : null, ref retNative, timeoutMicroSeconds);
             }
 
             _stopwatch.Stop();

tracer/src/Datadog.Trace/AppSec/Waf/IWaf.cs

@@ -19,7 +19,7 @@ internal interface IWaf : IDisposable
 
         public IContext CreateContext();
 
-        internal WafReturnCode Run(IntPtr contextHandle, IntPtr rawPersistentData, IntPtr rawEphemeralData, ref DdwafResultStruct retNative, ulong timeoutMicroSeconds);
+        internal unsafe WafReturnCode Run(IntPtr contextHandle, DdwafObjectStruct* rawPersistentData, DdwafObjectStruct* rawEphemeralData, ref DdwafResultStruct retNative, ulong timeoutMicroSeconds);
 
         UpdateResult UpdateWafFromConfigurationStatus(ConfigurationStatus configurationStatus);
     }

tracer/src/Datadog.Trace/AppSec/Waf/NativeBindings/WafLibraryInvoker.cs

@@ -92,7 +92,7 @@ private WafLibraryInvoker(IntPtr libraryHandle)
 
         private delegate IntPtr InitContextDelegate(IntPtr wafHandle);
 
-        private delegate WafReturnCode RunDelegate(IntPtr context, IntPtr rawPersistentData, IntPtr rawEphemeralData, ref DdwafResultStruct result, ulong timeLeftInUs);
+        private unsafe delegate WafReturnCode RunDelegate(IntPtr context, DdwafObjectStruct* rawPersistentData, DdwafObjectStruct* rawEphemeralData, ref DdwafResultStruct result, ulong timeLeftInUs);
 
         private delegate void DestroyDelegate(IntPtr handle);
 
@@ -268,7 +268,7 @@ internal string GetVersion()
         /// <param name="result">Result</param>
         /// <param name="timeLeftInUs">timeout</param>
         /// <returns>Return waf code</returns>
-        internal WafReturnCode Run(IntPtr context, IntPtr rawPersistentData, IntPtr rawEphemeralData, ref DdwafResultStruct result, ulong timeLeftInUs)
+        internal unsafe WafReturnCode Run(IntPtr context, DdwafObjectStruct* rawPersistentData, DdwafObjectStruct* rawEphemeralData, ref DdwafResultStruct result, ulong timeLeftInUs)
             => _runField(context, rawPersistentData, rawEphemeralData, ref result, timeLeftInUs);
 
         internal void Destroy(IntPtr wafHandle) => _destroyField(wafHandle);

tracer/src/Datadog.Trace/AppSec/Waf/Waf.cs

@@ -228,7 +228,7 @@ private UpdateResult Update(IDictionary<string, object> arguments)
         }
 
         // Doesn't require a non disposed waf handle, but as the WAF instance needs to be valid for the lifetime of the context, if waf is disposed, don't run (unpredictable)
-        public WafReturnCode Run(IntPtr contextHandle, IntPtr rawPersistentData, IntPtr rawEphemeralData, ref DdwafResultStruct retNative, ulong timeoutMicroSeconds)
+        public unsafe WafReturnCode Run(IntPtr contextHandle, DdwafObjectStruct* rawPersistentData, DdwafObjectStruct* rawEphemeralData, ref DdwafResultStruct retNative, ulong timeoutMicroSeconds)
             => _wafLibraryInvoker.Run(contextHandle, rawPersistentData, rawEphemeralData, ref retNative, timeoutMicroSeconds);
 
         internal static List<RuleData> MergeRuleData(IEnumerable<RuleData> res)