Skip to content

Fixes a race condition in killing Sandboxes #959

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 28, 2025
Merged

Fixes a race condition in killing Sandboxes #959

merged 1 commit into from
Oct 28, 2025

Conversation

@simongdavies
Copy link
Contributor

@simongdavies simongdavies commented Oct 16, 2025

Fixes a race condition where a sandbox kill arrives after a sandbox has successfully exited causing the subsequent run to fail.

There is a breaking change in this PR, previously if kill was called on an InterruptHandle before or while a guest call was not in progress the next guest call made on the Sandbox would be cancelled , now this scenario is a no-op. kill only takes effect if there is a guest call running.

@simongdavies simongdavies added the kind/bugfix For PRs that fix bugs label Oct 16, 2025
@simongdavies simongdavies mentioned this pull request Oct 16, 2025
Closed
@simongdavies simongdavies force-pushed the fix-race-1 branch 3 times, most recently from 96a6fce to d200c7c Compare October 17, 2025 10:34
jsturtevant
jsturtevant reviewed Oct 17, 2025
View reviewed changes
jsturtevant
jsturtevant reviewed Oct 18, 2025
View reviewed changes
ludfjig
ludfjig reviewed Oct 21, 2025
View reviewed changes
ludfjig
ludfjig reviewed Oct 23, 2025
View reviewed changes
ludfjig
ludfjig reviewed Oct 23, 2025
View reviewed changes
ludfjig
ludfjig reviewed Oct 23, 2025
View reviewed changes
@simongdavies simongdavies requested a review from Copilot October 27, 2025 14:33
Copilot AI reviewed Oct 27, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a race condition where a sandbox kill could arrive after a guest call completes, incorrectly causing the next guest call to be canceled. The fix introduces generation tracking to ensure kill() only affects the intended guest call.

Key changes:

  • Generation tracking prevents stale kills from affecting new guest calls
  • Added call_active flag to prevent "kill-in-advance" scenario
  • Breaking change: kill() now only affects actively running guest calls, not future ones

Reviewed Changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
src/tests/rust_guests/simpleguest/src/main.rs Adds SpinForMs guest function for timing-sensitive tests
src/hyperlight_host/tests/integration_test.rs Updates interrupt tests to reflect new behavior and adds comprehensive stress test
src/hyperlight_host/src/sandbox/initialized_multi_use.rs Introduces CallActiveGuard RAII guard to manage call_active flag
src/hyperlight_host/src/mem/shared_mem.rs Fixes test invocation to properly scope guard page crash tests
src/hyperlight_host/src/hypervisor/mod.rs Adds generation tracking to InterruptHandle trait with extensive documentation
src/hyperlight_host/src/hypervisor/kvm.rs Implements generation-aware interrupt handling for KVM
src/hyperlight_host/src/hypervisor/hyperv_windows.rs Implements generation-aware interrupt handling for Windows Hyper-V
src/hyperlight_host/src/hypervisor/hyperv_linux.rs Implements generation-aware interrupt handling for Linux Hyper-V
src/hyperlight_host/Cargo.toml Updates dependency versions and adds Windows feature flags
Justfile Separates stress test execution to show output clearly

ludfjig
ludfjig reviewed Oct 27, 2025
View reviewed changes
Copy link
Contributor

@ludfjig ludfjig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks ok but still not convinced about the call_active flag.

ludfjig
ludfjig reviewed Oct 27, 2025
View reviewed changes
jsturtevant
jsturtevant reviewed Oct 27, 2025
View reviewed changes
jsturtevant
jsturtevant reviewed Oct 27, 2025
View reviewed changes
jsturtevant
jsturtevant reviewed Oct 27, 2025
View reviewed changes
@simongdavies simongdavies force-pushed the fix-race-1 branch 2 times, most recently from f9b9edd to 3a271df Compare October 27, 2025 20:57
jsturtevant
jsturtevant previously approved these changes Oct 27, 2025
View reviewed changes
jsturtevant
jsturtevant previously approved these changes Oct 27, 2025
View reviewed changes
@simongdavies simongdavies enabled auto-merge (squash) October 27, 2025 22:19
@simongdavies simongdavies force-pushed the fix-race-1 branch 3 times, most recently from 161701a to d3c790b Compare October 28, 2025 09:48
@simongdavies
Fixes a race condition in killing Sandboxes
932285a 
Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
@simongdavies simongdavies merged commit fe74003 into hyperlight-dev:main Oct 28, 2025
49 checks passed
ludfjig pushed a commit to ludfjig/hyperlight that referenced this pull request Oct 28, 2025
@simongdavies @ludfjig
Fixes a race condition in killing Sandboxes (hyperlight-dev#959)
7e81263 
Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
@ludfjig ludfjig mentioned this pull request Oct 28, 2025
Merged
simongdavies added a commit that referenced this pull request Oct 29, 2025
@ludfjig @simongdavies
[0.9.x] Backport of #931, #959 #994 for release v0.9.1 (#996)
418b3c6 
* Add poison state to sandbox to prevent misuse (#931)

Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>

* Fixes a race condition in killing Sandboxes (#959)

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

* Update common workflow to 1.8.0

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

* Fixes issues from merge and splits trait to expose only public method (#994)

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

* updates to change log and crate version for v0.9.1

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

---------

Signed-off-by: Ludvig Liljenberg <4257730+ludfjig@users.noreply.github.com>
Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
Co-authored-by: Simon Davies <simongdavies@users.noreply.github.com>
@ludfjig ludfjig mentioned this pull request Nov 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ludfjig ludfjig ludfjig left review comments

Copilot code review Copilot Copilot left review comments

@jsturtevant jsturtevant jsturtevant approved these changes

@danbugs danbugs Awaiting requested review from danbugs danbugs is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz is a code owner

@devigned devigned Awaiting requested review from devigned devigned is a code owner

@syntactically syntactically Awaiting requested review from syntactically syntactically is a code owner

@marosset marosset Awaiting requested review from marosset marosset is a code owner

@jprendes jprendes Awaiting requested review from jprendes jprendes is a code owner

Assignees

No one assigned

Labels

kind/bugfix For PRs that fix bugs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simongdavies @jsturtevant @ludfjig