crosvm

mirror of https://chromium.googlesource.com/crosvm/crosvm synced 2024-11-25 05:03:05 +00:00

History

Noah Gold cbf9381c58 vm_control: snapshot fragments use IO traits. The current SnapshotReader/Writer interface returns Files for raw fragments. When we add snapshot encryption, we will need to return an encrypting or decrypting streaming wrapper, and this won't be a File. This CL changes the interface to return impl Read or impl Write. As part of that, we also had to make a significant safety change to how memory snapshots are taken. Memory snapshots used to be written with FileReadWriteVolatile. This is because we assume GuestMemory is always mutably borrowed by the guest, and it is UB to have aliased references in Rust. While formally undefined, the rough reasoning for this is that LLVM optimizations assume noalias on mutable references, and if that is violated at runtime, optimizations can result in changed behavior. In the snapshot & restore case though, we know the guest is not running because its VCPUs are stopped, so its mutable reference can be ignored (temporal overlap for aliasing is required for UB to occur). Luckily for us, the host code will never alias guest memory because up until this CL, we assumed that was never safe. Credit: thanks to fmayle@, who originally proposed using Read/Write in this manner in a CL that added snapshot compression. BUG=b:326170473 TEST=builds Change-Id: Iafd9175f684bc197329a0f5aae57685f5cfd677e Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/5313630 Reviewed-by: Frederick Mayle <fmayle@google.com> Commit-Queue: Noah Gold <nkgold@google.com>	2024-02-22 20:48:37 +00:00
..
src	vm_control: snapshot fragments use IO traits.	2024-02-22 20:48:37 +00:00
Cargo.toml

Noah Gold cbf9381c58 vm_control: snapshot fragments use IO traits.

The current SnapshotReader/Writer interface returns Files for raw
fragments. When we add snapshot encryption, we will need to return an
encrypting or decrypting streaming wrapper, and this won't be a File.
This CL changes the interface to return impl Read or impl Write. As
part of that, we also had to make a significant safety change to
how memory snapshots are taken.

Memory snapshots used to be written with FileReadWriteVolatile. This is
because we assume GuestMemory is always mutably borrowed by the guest,
and it is UB to have aliased references in Rust. While formally
undefined, the rough reasoning for this is that LLVM optimizations
assume noalias on mutable references, and if that is violated at
runtime, optimizations can result in changed behavior. In the snapshot &
restore case though, we know the guest is not running because its VCPUs
are stopped, so its mutable reference can be ignored (temporal overlap
for aliasing is required for UB to occur). Luckily for us, the host code
will never alias guest memory because up until this CL, we assumed that
was never safe.

Credit: thanks to fmayle@, who originally proposed using Read/Write in this
manner in a CL that added snapshot compression.

BUG=b:326170473
TEST=builds

Change-Id: Iafd9175f684bc197329a0f5aae57685f5cfd677e
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/5313630
Reviewed-by: Frederick Mayle <fmayle@google.com>
Commit-Queue: Noah Gold <nkgold@google.com>

2024-02-22 20:48:37 +00:00

src

vm_control: snapshot fragments use IO traits.

2024-02-22 20:48:37 +00:00

Cargo.toml