region: document GuestMemoryRegion::len() non-zero invariant#382
Open
Aakash456 wants to merge 1 commit into
Open
region: document GuestMemoryRegion::len() non-zero invariant#382Aakash456 wants to merge 1 commit into
Aakash456 wants to merge 1 commit into
Conversation
Custom GuestMemoryRegion implementations must return a non-zero length from len(), since last_addr() computes self.len() - 1 and would otherwise underflow. This was previously enforced implicitly for built-in mmap-backed regions but undocumented for the public trait. Also adds a debug_assert in last_addr() to catch violations early, and corrects the now-inaccurate safety comment on the unchecked_add call. Fixes rust-vmm#380 Signed-off-by: Aakash Chaudhary <aakashchoudhary66@gmail.com>
Aakash456
requested review from
ShadowCurse,
XanClic,
alexandruag,
bonzini,
jiangliu and
roypat
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents that
GuestMemoryRegion::len()must always return a non-zero value, sincelast_addr()'s default implementation computesself.len() - 1and would otherwise underflow.This invariant was previously enforced implicitly for built-in mmap-backed regions but undocumented for the public
GuestMemoryRegiontrait, which custom backends also implement.Changes
# Invariantsection to the doc comment onGuestMemoryRegion::len()debug_assert!inlast_addr()to fail fast in debug builds if a custom implementation violates the invariantunchecked_addcall, which previously implied the safety guarantee holds universally — it only held for the built-in mmap region, not for arbitrary custom implementationsFixes #380
Happy to adjust scope if you'd prefer this as doc-only without the
debug_assert, or if a hardassert!is preferred overdebug_assert!given this is a safety-adjacent invariant.