[0.9.x] Backport of #931, #959 #994 for release v0.9.1

.github/workflows/Benchmarks.yml

@@ -28,7 +28,7 @@ jobs:
 
       - uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:

.github/workflows/CargoPublish.yml

@@ -32,7 +32,7 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
 

.github/workflows/CreateRelease.yml

@@ -31,7 +31,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:
@@ -52,7 +52,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:
@@ -112,7 +112,7 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:

.github/workflows/copilot-setup-steps.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           components: rustfmt
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86" 
         env:

.github/workflows/dep_build_guest_binaries.yml

@@ -31,7 +31,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:

.github/workflows/dep_fuzzing.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86"
         env:

.github/workflows/dep_rust.yml

@@ -46,7 +46,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86" 
         env:
@@ -98,7 +98,7 @@ jobs:
         with:
           components: rustfmt
 
-      - uses: hyperlight-dev/ci-setup-workflow@v1.6.0
+      - uses: hyperlight-dev/ci-setup-workflow@v1.8.0
         with:
           rust-toolchain: "1.86" 
         env:

CHANGELOG.md

@@ -4,6 +4,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Prerelease] - Unreleased
 
+## [v0.9.1] - 2025-10-29
+
+### Fixed
+
+- Fix race condition when killing sandboxes by @simongdavies in https://github.com/hyperlight-dev/hyperlight/pull/959 and  https://github.com/hyperlight-dev/hyperlight/pull/994
+
+### Changed
+
+- Added poison sandbox detection  by @ludfjig in https://github.com/hyperlight-dev/hyperlight/pull/931
+
 ## [v0.9.0] - 2025-08-28
 
 ### Fixed
@@ -188,7 +198,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 The Initial Hyperlight Release 🎉 
 
 
-[Prerelease]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.9.0..HEAD>
+[Prerelease]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.9.1..HEAD>
+[v0.9.1]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.8.0...v0.9.1>
 [v0.9.0]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.8.0...v0.9.0>
 [v0.8.0]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.7.0...v0.8.0>
 [v0.7.0]: <https://github.com/hyperlight-dev/hyperlight/compare/v0.6.1...v0.7.0>

Cargo.toml

@@ -28,7 +28,7 @@ exclude = [
 ]
 
 [workspace.package]
-version = "0.9.0"
+version = "0.9.1"
 edition = "2024"
 rust-version = "1.86"
 license = "Apache-2.0"

src/hyperlight_host/src/error.rs

@@ -196,6 +196,27 @@ pub enum HyperlightError {
     #[error("Failure processing PE File {0:?}")]
     PEFileProcessingFailure(#[from] goblin::error::Error),
 
+    /// The sandbox becomes **poisoned** when the guest is not run to completion, leaving it in
+    /// an inconsistent state that could compromise memory safety, data integrity, or security.
+    ///
+    /// ### When Does Poisoning Occur?
+    ///
+    /// Poisoning happens when guest execution is interrupted before normal completion:
+    ///
+    /// - **Guest panics or aborts** - When a guest function panics, crashes, or calls `abort()`,
+    ///   the normal cleanup and unwinding process is interrupted
+    /// - **Invalid memory access** - Attempts to read/write/execute memory outside allowed regions
+    /// - **Stack overflow** - Guest exhausts its stack space during execution
+    /// - **Heap exhaustion** - Guest runs out of heap memory
+    /// - **Host-initiated cancellation** - Calling [`InterruptHandle::kill()`] to forcefully
+    ///   terminate an in-progress guest function
+    ///
+    /// ## Recovery
+    ///
+    /// Use [`crate::MultiUseSandbox::restore()`] to recover from a poisoned sandbox.
+    #[error("The sandbox was poisoned")]
+    PoisonedSandbox,
+
     /// Raw pointer is less than base address
     #[error("Raw pointer ({0:?}) was less than the base address ({1})")]
     RawPointerLessThanBaseAddress(RawPtr, u64),
@@ -301,6 +322,96 @@ impl<T> From<PoisonError<MutexGuard<'_, T>>> for HyperlightError {
     }
 }
 
+impl HyperlightError {
+    /// Internal helper to determines if the given error has potential to poison the sandbox.
+    ///
+    /// Errors that poison the sandbox are those that can leave the sandbox in an inconsistent
+    /// state where memory, resources, or data structures may be corrupted or leaked. Usually
+    /// due to the guest not running to completion.
+    ///
+    /// If this method returns `true`, the sandbox will be poisoned and all further operations
+    /// will fail until the sandbox is restored from a non-poisoned snapshot using
+    /// [`crate::MultiUseSandbox::restore()`].
+    pub(crate) fn is_poison_error(&self) -> bool {
+        // wildcard _ or matches! not used here purposefully to ensure that new error variants
+        // are explicitly considered for poisoning behavior.
+        match self {
+            // These errors poison the sandbox because they can leave it in an inconsistent state due
+            // to the guest not running to completion.
+            HyperlightError::GuestAborted(_, _)
+            | HyperlightError::ExecutionCanceledByHost()
+            | HyperlightError::PoisonedSandbox
+            | HyperlightError::ExecutionAccessViolation(_)
+            | HyperlightError::StackOverflow()
+            | HyperlightError::MemoryAccessViolation(_, _, _) => true,
+            #[cfg(all(feature = "seccomp", target_os = "linux"))]
+            HyperlightError::DisallowedSyscall => true,
+
+            // All other errors do not poison the sandbox.
+            HyperlightError::AnyhowError(_)
+            | HyperlightError::BoundsCheckFailed(_, _)
+            | HyperlightError::CheckedAddOverflow(_, _)
+            | HyperlightError::CStringConversionError(_)
+            | HyperlightError::Error(_)
+            | HyperlightError::FailedToGetValueFromParameter()
+            | HyperlightError::FieldIsMissingInGuestLogData(_)
+            | HyperlightError::GuestError(_, _)
+            | HyperlightError::GuestExecutionHungOnHostFunctionCall()
+            | HyperlightError::GuestFunctionCallAlreadyInProgress()
+            | HyperlightError::GuestInterfaceUnsupportedType(_)
+            | HyperlightError::GuestOffsetIsInvalid(_)
+            | HyperlightError::HostFunctionNotFound(_)
+            | HyperlightError::IOError(_)
+            | HyperlightError::IntConversionFailure(_)
+            | HyperlightError::InvalidFlatBuffer(_)
+            | HyperlightError::JsonConversionFailure(_)
+            | HyperlightError::LockAttemptFailed(_)
+            | HyperlightError::MemoryAllocationFailed(_)
+            | HyperlightError::MemoryProtectionFailed(_)
+            | HyperlightError::MemoryRequestTooBig(_, _)
+            | HyperlightError::MetricNotFound(_)
+            | HyperlightError::MmapFailed(_)
+            | HyperlightError::MprotectFailed(_)
+            | HyperlightError::NoHypervisorFound()
+            | HyperlightError::NoMemorySnapshot
+            | HyperlightError::ParameterValueConversionFailure(_, _)
+            | HyperlightError::PEFileProcessingFailure(_)
+            | HyperlightError::RawPointerLessThanBaseAddress(_, _)
+            | HyperlightError::RefCellBorrowFailed(_)
+            | HyperlightError::RefCellMutBorrowFailed(_)
+            | HyperlightError::ReturnValueConversionFailure(_, _)
+            | HyperlightError::SnapshotSandboxMismatch
+            | HyperlightError::SystemTimeError(_)
+            | HyperlightError::TryFromSliceError(_)
+            | HyperlightError::UnexpectedNoOfArguments(_, _)
+            | HyperlightError::UnexpectedParameterValueType(_, _)
+            | HyperlightError::UnexpectedReturnValueType(_, _)
+            | HyperlightError::UTF8StringConversionFailure(_)
+            | HyperlightError::VectorCapacityIncorrect(_, _, _) => false,
+
+            #[cfg(target_os = "windows")]
+            HyperlightError::CrossBeamReceiveError(_) => false,
+            #[cfg(target_os = "windows")]
+            HyperlightError::CrossBeamSendError(_) => false,
+            #[cfg(target_os = "windows")]
+            HyperlightError::WindowsAPIError(_) => false,
+            #[cfg(target_os = "linux")]
+            HyperlightError::VmmSysError(_) => false,
+            #[cfg(kvm)]
+            HyperlightError::KVMError(_) => false,
+            #[cfg(mshv)]
+            HyperlightError::MSHVError(_) => false,
+            #[cfg(gdb)]
+            HyperlightError::TranslateGuestAddress(_) => false,
+            #[cfg(all(feature = "seccomp", target_os = "linux"))]
+            HyperlightError::SeccompFilterError(_) => false,
+
+            #[cfg(all(feature = "seccomp", target_os = "linux"))]
+            HyperlightError::SeccompFilterBackendError(_) => false,
+        }
+    }
+}
+
 /// Creates a `HyperlightError::Error` from a string literal or format string
 #[macro_export]
 macro_rules! new_error {