Skip to content

Fixes to Host Call Fuzzing #840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 28, 2025
Merged

Fixes to Host Call Fuzzing #840

merged 1 commit into from
Aug 28, 2025

Conversation

adamperlin
Copy link
Contributor

This PR prevents fuzz_host_call from hitting a memory leak upon encountering host function calling errors. It restores to a known clean snapshot on each iteration. This fix should not be needed once #826 is fixed.

Snapshot restore initially wasn't working in the fuzzing case due to a bug discovered by @ludfjig in call_type_erased_guest_function_by_name (snapshot wasn't being set to None) so this bug has been fixed.

This PR also more explicitly ignores some expected errors that may come up from host call fuzzing.

@adamperlin adamperlin added the kind/bugfix For PRs that fix bugs label Aug 28, 2025
ludfjig
ludfjig approved these changes Aug 28, 2025
View reviewed changes
Copy link
Contributor

@ludfjig ludfjig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, lgtm

@adamperlin
Fix fuzz_host_call target by
426baaf 
1. Setting sandbox snapshot to none in
   call_type_erased_guest_function_by_name
2. Restoring to an initial snapshot on each fuzzing iteration to
avoid hitting a known memory leak.

Signed-off-by: adamperlin <[email protected]>
@adamperlin adamperlin force-pushed the adamperlin/triage-fuzzing-memory-leak branch from 6306e2d to 426baaf Compare August 28, 2025 21:33
@adamperlin adamperlin enabled auto-merge (squash) August 28, 2025 21:34
@adamperlin adamperlin merged commit a835ef5 into hyperlight-dev:main Aug 28, 2025
33 checks passed
jsturtevant
jsturtevant reviewed Aug 28, 2025
View reviewed changes
src/hyperlight_host/src/sandbox/initialized_multi_use.rs
Comment on lines +384 to +385
// Reset snapshot since we are mutating the sandbox state
self.snapshot = None;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we clearing this here? Shouldn't the restore call above take care of this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

otherwise I would have expected it too look like

hyperlight/src/hyperlight_host/src/sandbox/initialized_multi_use.rs

Line 243 in 828a529

pub fn call_guest_function_by_name<Output: SupportedReturnType>(

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a bug: since this function is wrapping call_guest_function_by_name_no_reset and we're mutating the guest sandbox, the attached snapshot will be invalidated here, right? If we don't clear the snapshot, the restore call will hit the "snapshot exists" case and won't do the restore.

Copy link
Contributor Author

@adamperlin adamperlin Aug 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the moment we could change the behavior to do the snapshot and restore in the call_type_erased_guest_function_by_name though, but since it seemed more clear to do it in the fuzzing code!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I think I miss read this. I think this is fine and mimics the 'call func'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok, I'm glad it looks fine!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsturtevant jsturtevant jsturtevant left review comments

@ludfjig ludfjig ludfjig approved these changes

@danbugs danbugs Awaiting requested review from danbugs danbugs is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz is a code owner

@devigned devigned Awaiting requested review from devigned devigned is a code owner

@syntactically syntactically Awaiting requested review from syntactically syntactically is a code owner

@marosset marosset Awaiting requested review from marosset marosset is a code owner

@jprendes jprendes Awaiting requested review from jprendes jprendes is a code owner

@simongdavies simongdavies Awaiting requested review from simongdavies simongdavies is a code owner

Assignees
No one assigned
Labels
kind/bugfix For PRs that fix bugs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adamperlin @jsturtevant @ludfjig