fix(core): Make HubSwitchGuard !Send to prevent thread corruption

HubSwitchGuard manages thread-local hub state but was Send, allowing it
to be moved to another thread. When dropped on the wrong thread, it would
corrupt that thread's hub state instead of restoring the original thread.

To fix this, add PhantomData<MutexGuard<'static, ()>> to make the guard
!Send while keeping it Sync. This prevents the guard from being moved
across threads at compile time.

Additionally, refactor sentry-tracing to store guards in thread-local
storage keyed by span ID instead of in span extensions. This fixes a
related bug where multiple threads entering the same span would clobber
each other's guards.

Fixes #943
Fixes #946
Refs RUST-130
Refs RUST-132

Co-Authored-By: Claude Sonnet 4.5 (1M context) <[email protected]>

Author: szokeasaurusrex

sentry-core/src/hub_impl.rs

@@ -1,5 +1,6 @@
 use std::cell::{Cell, UnsafeCell};
-use std::sync::{Arc, LazyLock, PoisonError, RwLock};
+use std::marker::PhantomData;
+use std::sync::{Arc, LazyLock, MutexGuard, PoisonError, RwLock};
 use std::thread;
 
 use crate::Scope;
@@ -19,10 +20,14 @@ thread_local! {
     );
 }
 
-/// A Hub switch guard used to temporarily swap
-/// active hub in thread local storage.
+/// A guard that temporarily swaps the active hub in thread-local storage.
+///
+/// This type is `!Send` because it manages thread-local state and must be
+/// dropped on the same thread where it was created.
 pub struct SwitchGuard {
     inner: Option<(Arc<Hub>, bool)>,
+    /// Makes this type `!Send` while keeping it `Sync`.
+    _not_send: PhantomData<MutexGuard<'static, ()>>,
 }
 
 impl SwitchGuard {
@@ -41,7 +46,10 @@ impl SwitchGuard {
             let was_process_hub = is_process_hub.replace(false);
             Some((hub, was_process_hub))
         });
-        SwitchGuard { inner }
+        SwitchGuard {
+            inner,
+            _not_send: PhantomData,
+        }
     }
 
     fn swap(&mut self) -> Option<Arc<Hub>> {
@@ -192,3 +200,22 @@ impl Hub {
             .with_mut(|stack| f(Arc::make_mut(&mut stack.top_mut().scope)))
     }
 }
+
+#[cfg(all(test, feature = "test"))]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_switch_guard_restores_hub_on_same_thread() {
+        let original_hub = Hub::current();
+        let custom_hub = Arc::new(Hub::new(None, Arc::new(Default::default())));
+        assert!(!Arc::ptr_eq(&original_hub, &custom_hub));
+
+        {
+            let _guard = SwitchGuard::new(custom_hub.clone());
+            assert!(Arc::ptr_eq(&Hub::current(), &custom_hub));
+        }
+
+        assert!(Arc::ptr_eq(&Hub::current(), &original_hub));
+    }
+}

sentry-tracing/src/layer.rs

@@ -1,6 +1,6 @@
 use std::borrow::Cow;
 use std::cell::RefCell;
-use std::collections::BTreeMap;
+use std::collections::{BTreeMap, HashMap};
 use std::sync::Arc;
 
 use bitflags::bitflags;
@@ -236,7 +236,6 @@ pub(super) struct SentrySpanData {
     pub(super) sentry_span: TransactionOrSpan,
     parent_sentry_span: Option<TransactionOrSpan>,
     hub: Arc<sentry_core::Hub>,
-    hub_switch_guard: Option<sentry_core::HubSwitchGuard>,
 }
 
 impl<S> Layer<S> for SentryLayer<S>
@@ -338,24 +337,26 @@ where
             sentry_span,
             parent_sentry_span,
             hub,
-            hub_switch_guard: None,
         });
     }
 
     /// Sets entered span as *current* sentry span. A tracing span can be
-    /// entered and existed multiple times, for example, when using a `tracing::Instrumented` future.
+    /// entered and exited multiple times, for example, when using a `tracing::Instrumented` future.
     fn on_enter(&self, id: &span::Id, ctx: Context<'_, S>) {
         let span = match ctx.span(id) {
             Some(span) => span,
             None => return,
         };
 
-        let mut extensions = span.extensions_mut();
-        if let Some(data) = extensions.get_mut::<SentrySpanData>() {
-            data.hub_switch_guard = Some(sentry_core::HubSwitchGuard::new(data.hub.clone()));
+        let extensions = span.extensions();
+        if let Some(data) = extensions.get::<SentrySpanData>() {
+            let guard = sentry_core::HubSwitchGuard::new(data.hub.clone());
+            SPAN_GUARDS.with(|guards| {
+                guards.borrow_mut().insert(id.clone(), guard);
+            });
             data.hub.configure_scope(|scope| {
                 scope.set_span(Some(data.sentry_span.clone()));
-            })
+            });
         }
     }
 
@@ -366,18 +367,24 @@ where
             None => return,
         };
 
-        let mut extensions = span.extensions_mut();
-        if let Some(data) = extensions.get_mut::<SentrySpanData>() {
+        let extensions = span.extensions();
+        if let Some(data) = extensions.get::<SentrySpanData>() {
             data.hub.configure_scope(|scope| {
                 scope.set_span(data.parent_sentry_span.clone());
             });
-            data.hub_switch_guard.take();
         }
+        SPAN_GUARDS.with(|guards| {
+            guards.borrow_mut().remove(id);
+        });
     }
 
     /// When a span gets closed, finish the underlying sentry span, and set back
     /// its parent as the *current* sentry span.
     fn on_close(&self, id: span::Id, ctx: Context<'_, S>) {
+        SPAN_GUARDS.with(|guards| {
+            guards.borrow_mut().remove(&id);
+        });
+
         let span = match ctx.span(&id) {
             Some(span) => span,
             None => return,
@@ -503,6 +510,10 @@ fn extract_span_data(
 
 thread_local! {
     static VISITOR_BUFFER: RefCell<String> = const { RefCell::new(String::new()) };
+    /// Hub switch guards keyed by span ID. Stored in thread-local so guards are
+    /// always dropped on the same thread where they were created.
+    static SPAN_GUARDS: RefCell<HashMap<span::Id, sentry_core::HubSwitchGuard>> =
+        RefCell::new(HashMap::new());
 }
 
 /// Records all span fields into a `BTreeMap`, reusing a mutable `String` as buffer.