Add more assertions #5245
Conversation
Codecov Report
Attention: Patch coverage is

@@ Coverage Diff @@
## main #5245 +/- ##
==========================================
+ Coverage 82.93% 82.97% +0.04%
==========================================
Files 250 250
Lines 26873 26844 -29
==========================================
- Hits 22286 22274 -12
+ Misses 4587 4570 -17
View full report in Codecov by Sentry.
Compare 70239eb to ed878a1
Compare 169752b to b7d4bb8
Compare b32041a to 477677b
Compare c7a8490 to 1c1daa9
I'm still struggling to understand the value added by this PR, but I don't have strong opinions against it. Could you expand the reasons a bit more in the PR description?
@Manciukic added reasons to the PR description.
It is reasonable to assume that we will not have more than u32::MAX memory slots since kernel only returns i32 from a query syscall. Enforce this with `.expect` calls and change the type of `max_memslots` to u32. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Replaces never used error result type with optional. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Vcpu TLS must only be initialized once. Enforce this with an assertion. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Move setting of signal handler into vcpu init to prevent race condition between setting TLS and signal handler using TLS. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
- The reset must be called only once on vcpu drop, so move it directly into the Drop impl. - Replace errors with asserts since there is an assumption that TLS will always hold correct vcpu pointer for a given thread (except in tests). Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Merge run_on_thread_local into signal handler since it is only used there. The error returned from run_on_thread_local was ignored, so instead replace it with logic to only use vcpu ptr if TLS is initialized, without returning any errors. The reason for not asserting on TLS being initialized here is that during Firecracker shutdown, vcpus will be destroyed and TLS will be reset. If a signal is sent to Firecracker during that time, the TLS accessed from a signal handler will be empty. But this is expected, so no assertions/panics are needed. Because Rust is a good language, it does not allow referencing TLS_VCPU_PTR defined inside an impl block from inside the signal_handler function. So move the TLS_VCPU_PTR definition outside the Vcpu impl block. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Instead of storing the pointer to the Vcpu in the TLS, store the mmapped `kvm_run` struct instead. This way the Drop implementation for Vcpu is no longer required, since the mmapped `kvm_run` will remain valid until TLS is destroyed by the thread Drop impl. This also removes `unsafe` code from the implementation. Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
Changes
Add asserts in places where we have strong assumptions about inner workings of the code.
Reason
Adding asserts improves security posture and allows assumptions to be stated more verbosely.
These asserts are only related to the parts of the code which do not depend on the user input.
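The commits above describe two internal invariants: the vcpu thread-local storage must be initialized exactly once (asserted), while a signal handler must tolerate an empty TLS during shutdown (no assert), and the kernel-reported memslot count is an i32 that is converted to u32 with an `.expect`. The following is an added illustration of that pattern and is not Firecracker's own code; `KvmRunHandle`, `TLS_KVM_RUN`, `init_thread_local`, `handle_signal` and `max_memslots_from_kernel` are hypothetical names standing in for the mmapped `kvm_run` slot, the vcpu init path, the signal handler and the capability query.

```rust
use std::cell::Cell;
use std::convert::TryFrom;
use std::panic;
use std::thread;

/// Stand-in for the mmapped `kvm_run` region a vcpu thread keeps in TLS
/// (hypothetical type; the real one is a mapping, not an integer).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct KvmRunHandle(pub usize);

thread_local! {
    /// One slot per thread. Empty until the vcpu for this thread is initialized,
    /// and empty again once the thread's TLS has been torn down.
    static TLS_KVM_RUN: Cell<Option<KvmRunHandle>> = Cell::new(None);
}

/// Vcpu init path: must run exactly once per thread. A second call is a bug in
/// the caller, so it is a programming-error assertion rather than a Result.
pub fn init_thread_local(handle: KvmRunHandle) {
    TLS_KVM_RUN.with(|slot| {
        assert!(slot.get().is_none(), "vcpu TLS must only be initialized once");
        slot.set(Some(handle));
    });
}

/// Signal-handler path: use the TLS value only if it is present. During shutdown
/// a signal may arrive after TLS is reset, so an empty slot is expected here and
/// must not panic.
pub fn handle_signal() -> Option<KvmRunHandle> {
    TLS_KVM_RUN.with(|slot| slot.get())
}

/// The kernel reports the memslot limit as an i32; a negative value cannot
/// happen for a successful query, so enforce it with `.expect` and carry u32.
pub fn max_memslots_from_kernel(raw: i32) -> u32 {
    u32::try_from(raw).expect("kernel returned a negative memslot count")
}

/// Runs the init/signal sequence on a fresh thread and reports what the
/// handler saw before init, after init, and whether a second init panicked.
pub fn run_vcpu_thread_demo(
    handle: KvmRunHandle,
) -> (Option<KvmRunHandle>, Option<KvmRunHandle>, bool) {
    thread::spawn(move || {
        let before = handle_signal();
        init_thread_local(handle);
        let after = handle_signal();
        // Violating the init-once invariant trips the assertion.
        let second_init_panics = panic::catch_unwind(|| init_thread_local(handle)).is_err();
        (before, after, second_init_panics)
    })
    .join()
    .expect("vcpu demo thread panicked outside catch_unwind")
}

fn main() {
    let (before, after, second) = run_vcpu_thread_demo(KvmRunHandle(0x1000));
    println!("before init: {:?}, after init: {:?}, second init panics: {}", before, after, second);
    // Main thread never initialized its slot, so the handler sees nothing here.
    println!("main thread TLS: {:?}", handle_signal());
    println!("max_memslots: {}", max_memslots_from_kernel(32764));
}
```

The split mirrors the PR's reasoning: a bug that can only be caused by Firecracker's own control flow (double init, a negative count from a successful query) is asserted, whereas a state that can legitimately occur at runtime (empty TLS while a vcpu thread is being torn down) is handled without panicking.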
License Acceptance
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check CONTRIBUTING.md.