Update hyperlight-guest to 2024 edition

ludfjig · ludfjig · commit 110ec8e6edb8 · 2025-03-12T19:54:21.000-07:00
Signed-off-by: Ludvig Liljenberg &lt;lliljenberg@microsoft.com&gt;
diff --git a/src/hyperlight_guest/build.rs b/src/hyperlight_guest/build.rs
@@ -105,9 +105,9 @@ fn cargo_main() {
         }
 
         if cfg!(windows) {
-            env::set_var("AR_x86_64_unknown_none", "llvm-ar");
+            unsafe { env::set_var("AR_x86_64_unknown_none", "llvm-ar") };
         } else {
-            env::set_var("AR_x86_64_pc_windows_msvc", "llvm-lib");
+            unsafe { env::set_var("AR_x86_64_pc_windows_msvc", "llvm-lib") };
         }
 
         cfg.compile("hyperlight_guest");
diff --git a/src/hyperlight_guest/src/chkstk.rs b/src/hyperlight_guest/src/chkstk.rs
@@ -22,7 +22,7 @@ use hyperlight_common::mem::RunMode;
 use crate::guest_error::{set_invalid_runmode_error, set_stack_allocate_error};
 use crate::{MIN_STACK_ADDRESS, RUNNING_MODE};
 
-extern "win64" {
+unsafe extern "win64" {
     fn __chkstk();
     fn __chkstk_in_proc();
 }
diff --git a/src/hyperlight_guest/src/entrypoint.rs b/src/hyperlight_guest/src/entrypoint.rs
@@ -42,7 +42,7 @@ pub fn halt() {
     }
 }
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub extern "C" fn abort() -> ! {
     abort_with_code(0)
 }
@@ -57,17 +57,19 @@ pub fn abort_with_code(code: i32) -> ! {
 /// # Safety
 /// This function is unsafe because it dereferences a raw pointer.
 pub unsafe fn abort_with_code_and_message(code: i32, message_ptr: *const c_char) -> ! {
-    let peb_ptr = P_PEB.unwrap();
-    copy_nonoverlapping(
-        message_ptr,
-        (*peb_ptr).guestPanicContextData.guestPanicContextDataBuffer as *mut c_char,
-        CStr::from_ptr(message_ptr).count_bytes() + 1, // +1 for null terminator
-    );
-    outb(OutBAction::Abort as u16, code as u8);
-    unreachable!()
+    unsafe {
+        let peb_ptr = P_PEB.unwrap();
+        copy_nonoverlapping(
+            message_ptr,
+            (*peb_ptr).guestPanicContextData.guestPanicContextDataBuffer as *mut c_char,
+            CStr::from_ptr(message_ptr).count_bytes() + 1, // +1 for null terminator
+        );
+        outb(OutBAction::Abort as u16, code as u8);
+        unreachable!()
+    }
 }
 
-extern "C" {
+unsafe extern "C" {
     fn hyperlight_main();
     fn srand(seed: u32);
 }
@@ -76,7 +78,7 @@ static INIT: Once = Once::new();
 
 // Note: entrypoint cannot currently have a stackframe >4KB, as that will invoke __chkstk on msvc
 //       target without first having setup global `RUNNING_MODE` variable, which __chkstk relies on.
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub extern "win64" fn entrypoint(peb_address: u64, seed: u64, ops: u64, max_log_level: u64) {
     if peb_address == 0 {
         panic!("PEB address is null");
@@ -88,7 +90,7 @@ pub extern "win64" fn entrypoint(peb_address: u64, seed: u64, ops: u64, max_log_
             let peb_ptr = P_PEB.unwrap();
             __security_cookie = peb_address ^ seed;
 
-            let srand_seed = ((peb_address << 8 ^ seed >> 4) >> 32) as u32;
+            let srand_seed = (((peb_address << 8) ^ (seed >> 4)) >> 32) as u32;
 
             // Set the seed for the random number generator for C code using rand;
             srand(srand_seed);
diff --git a/src/hyperlight_guest/src/gdt.rs b/src/hyperlight_guest/src/gdt.rs
@@ -72,26 +72,28 @@ struct GdtPointer {
 }
 
 /// Load the GDT
-pub unsafe fn load_gdt() {
+pub(crate) unsafe fn load_gdt() {
     let gdt_ptr = GdtPointer {
         size: (core::mem::size_of::<[GdtEntry; 3]>() - 1) as u16,
         base: addr_of!(GDT) as *const _ as u64,
     };
 
-    asm!(
-    "lgdt [{0}]",
-    "mov ax, 0x10",        // Load data segment registers
-    "mov ds, ax",
-    "mov es, ax",
-    "mov fs, ax",
-    "mov gs, ax",
-    "mov ss, ax",
-    "push 0x08",            // Push CS (kernel code segment)
-    "lea rax, [2f + rip]",  // Load the next instruction's address
-    "push rax",             // Push address onto stack
-    "retfq",                // Far return to update CS
-    "2:",                   // Label for continued execution
-    in(reg) &gdt_ptr,
-    options(nostack, preserves_flags)
-    );
+    unsafe {
+        asm!(
+        "lgdt [{0}]",
+        "mov ax, 0x10",        // Load data segment registers
+        "mov ds, ax",
+        "mov es, ax",
+        "mov fs, ax",
+        "mov gs, ax",
+        "mov ss, ax",
+        "push 0x08",            // Push CS (kernel code segment)
+        "lea rax, [2f + rip]",  // Load the next instruction's address
+        "push rax",             // Push address onto stack
+        "retfq",                // Far return to update CS
+        "2:",                   // Label for continued execution
+        in(reg) &gdt_ptr,
+        options(nostack, preserves_flags)
+        );
+    }
 }
diff --git a/src/hyperlight_guest/src/guest_error.rs b/src/hyperlight_guest/src/guest_error.rs
@@ -92,12 +92,12 @@ pub(crate) fn set_error_and_halt(error_code: ErrorCode, message: &str) {
     halt();
 }
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub(crate) extern "win64" fn set_stack_allocate_error() {
     outb(OutBAction::Abort as u16, ErrorCode::StackOverflow as u8);
 }
 
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub(crate) extern "win64" fn set_invalid_runmode_error() {
     panic!("Invalid run mode in __chkstk");
 }
@@ -107,7 +107,7 @@ pub(crate) extern "win64" fn set_invalid_runmode_error() {
 /// # Safety
 /// TODO
 /// cbindgen:ignore
-#[no_mangle]
+#[unsafe(no_mangle)]
 #[allow(non_camel_case_types)]
 pub unsafe extern "C" fn setError(code: u64, message: *const c_char) {
     let error_code = ErrorCode::from(code);
diff --git a/src/hyperlight_guest/src/guest_function_call.rs b/src/hyperlight_guest/src/guest_function_call.rs
@@ -43,8 +43,9 @@ pub(crate) fn call_guest_function(function_call: FunctionCall) -> Result<Vec<u8>
     }
 
     // Find the function definition for the function call.
-    if let Some(registered_function_definition) =
-        unsafe { REGISTERED_GUEST_FUNCTIONS.get(&function_call.function_name) }
+    if let Some(registered_function_definition) = REGISTERED_GUEST_FUNCTIONS
+        .lock()
+        .get(&function_call.function_name)
     {
         let function_call_parameter_types: Vec<ParameterType> = function_call
             .parameters
@@ -68,7 +69,7 @@ pub(crate) fn call_guest_function(function_call: FunctionCall) -> Result<Vec<u8>
         // TODO: ideally we would define a default implementation of this with weak linkage so the guest is not required
         // to implement the function but its seems that weak linkage is an unstable feature so for now its probably better
         // to not do that.
-        extern "Rust" {
+        unsafe extern "Rust" {
             fn guest_dispatch_function(function_call: FunctionCall) -> Result<Vec<u8>>;
         }
 
@@ -78,7 +79,7 @@ pub(crate) fn call_guest_function(function_call: FunctionCall) -> Result<Vec<u8>
 
 // This function is marked as no_mangle/inline to prevent the compiler from inlining it , if its inlined the epilogue will not be called
 // and we will leak memory as the epilogue will not be called as halt() is not going to return.
-#[no_mangle]
+#[unsafe(no_mangle)]
 #[inline(never)]
 fn internal_dispatch_function() -> Result<()> {
     reset_error();
diff --git a/src/hyperlight_guest/src/guest_function_register.rs b/src/hyperlight_guest/src/guest_function_register.rs
@@ -54,11 +54,6 @@ impl GuestFunctionRegister {
 }
 
 pub fn register_function(function_definition: GuestFunctionDefinition) {
-    unsafe {
-        // This is currently safe, because we are single threaded, but we
-        // should find a better way to do this, see issue #808
-        #[allow(static_mut_refs)]
-        let gfd = &mut REGISTERED_GUEST_FUNCTIONS;
-        gfd.register(function_definition);
-    }
+    let mut gfd = REGISTERED_GUEST_FUNCTIONS.lock();
+    gfd.register(function_definition);
 }
diff --git a/src/hyperlight_guest/src/host_function_call.rs b/src/hyperlight_guest/src/host_function_call.rs
@@ -110,7 +110,7 @@ pub fn outb(port: u16, value: u8) {
     }
 }
 
-extern "win64" {
+unsafe extern "win64" {
     fn hloutb(port: u16, value: u8);
 }
 
diff --git a/src/hyperlight_guest/src/idtr.rs b/src/hyperlight_guest/src/idtr.rs
@@ -11,13 +11,15 @@ pub struct Idtr {
 static mut IDTR: Idtr = Idtr { limit: 0, base: 0 };
 
 impl Idtr {
-    pub unsafe fn init(&mut self, base: u64, size: u16) {
+    unsafe fn init(&mut self, base: u64, size: u16) {
         self.limit = size - 1;
         self.base = base;
     }
 
-    pub unsafe fn load(&self) {
-        core::arch::asm!("lidt [{}]", in(reg) self, options(readonly, nostack, preserves_flags));
+    unsafe fn load(&self) {
+        unsafe {
+            core::arch::asm!("lidt [{}]", in(reg) self, options(readonly, nostack, preserves_flags));
+        }
     }
 }
 
@@ -27,6 +29,9 @@ pub(crate) unsafe fn load_idt() {
     let idt_size = 256 * size_of::<IdtEntry>();
     let expected_base = addr_of!(IDT) as *const _ as u64;
 
-    IDTR.init(expected_base, idt_size as u16);
-    IDTR.load();
+    #[allow(static_mut_refs)]
+    unsafe {
+        IDTR.init(expected_base, idt_size as u16);
+        IDTR.load();
+    }
 }
diff --git a/src/hyperlight_guest/src/interrupt_entry.rs b/src/hyperlight_guest/src/interrupt_entry.rs
@@ -21,7 +21,7 @@ use core::arch::global_asm;
 
 use crate::interrupt_handlers::hl_exception_handler;
 
-extern "sysv64" {
+unsafe extern "sysv64" {
     // Exception handlers
     pub(crate) fn _do_excp0();
     pub(crate) fn _do_excp1();
diff --git a/src/hyperlight_guest/src/interrupt_handlers.rs b/src/hyperlight_guest/src/interrupt_handlers.rs
@@ -15,7 +15,7 @@ limitations under the License.
 */
 
 /// Exception handler
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub extern "sysv64" fn hl_exception_handler(
     stack_pointer: u64,
     exception_number: u64,
diff --git a/src/hyperlight_guest/src/lib.rs b/src/hyperlight_guest/src/lib.rs
@@ -19,6 +19,7 @@ limitations under the License.
 use alloc::string::ToString;
 use core::hint::unreachable_unchecked;
 use core::ptr::copy_nonoverlapping;
+use spin::Mutex;
 
 use buddy_system_allocator::LockedHeap;
 use guest_function_register::GuestFunctionRegister;
@@ -59,10 +60,10 @@ pub mod logging;
 
 // Unresolved symbols
 ///cbindgen:ignore
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub(crate) extern "C" fn __CxxFrameHandler3() {}
 ///cbindgen:ignore
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub(crate) static _fltused: i32 = 0;
 
 // It looks like rust-analyzer doesn't correctly manage no_std crates,
@@ -91,7 +92,7 @@ fn panic(info: &core::panic::PanicInfo) -> ! {
 pub(crate) static HEAP_ALLOCATOR: LockedHeap<32> = LockedHeap::<32>::empty();
 
 ///cbindgen:ignore
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub(crate) static mut __security_cookie: u64 = 0;
 
 pub(crate) static mut P_PEB: Option<*mut HyperlightPEB> = None;
@@ -104,5 +105,5 @@ pub(crate) static mut OUTB_PTR_WITH_CONTEXT: Option<
 > = None;
 pub static mut RUNNING_MODE: RunMode = RunMode::None;
 
-pub(crate) static mut REGISTERED_GUEST_FUNCTIONS: GuestFunctionRegister =
-    GuestFunctionRegister::new();
+pub(crate) static REGISTERED_GUEST_FUNCTIONS: Mutex<GuestFunctionRegister> =
+    Mutex::new(GuestFunctionRegister::new());
diff --git a/src/hyperlight_guest/src/memory.rs b/src/hyperlight_guest/src/memory.rs
@@ -81,30 +81,32 @@ unsafe fn alloc_helper(size: usize, zero: bool) -> *mut c_void {
 ///
 /// # Safety
 /// The returned pointer must be freed with `memory::free` when it is no longer needed, otherwise memory will leak.
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub unsafe extern "C" fn malloc(size: usize) -> *mut c_void {
-    alloc_helper(size, false)
+    unsafe { alloc_helper(size, false) }
 }
 
 /// Allocates a block of memory for an array of `nmemb` elements, each of `size` bytes.
 /// The memory is initialized to 0s.
 ///
 /// # Safety
 /// The returned pointer must be freed with `memory::free` when it is no longer needed, otherwise memory will leak.
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub unsafe extern "C" fn calloc(nmemb: usize, size: usize) -> *mut c_void {
-    let total_size = nmemb
-        .checked_mul(size)
-        .expect("nmemb * size should not overflow in calloc");
+    unsafe {
+        let total_size = nmemb
+            .checked_mul(size)
+            .expect("nmemb * size should not overflow in calloc");
 
-    alloc_helper(total_size, true)
+        alloc_helper(total_size, true)
+    }
 }
 
 /// Frees the memory block pointed to by `ptr`.
 ///
 /// # Safety
 /// `ptr` must be a pointer to a memory block previously allocated by `memory::malloc`, `memory::calloc`, or `memory::realloc`.
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub unsafe extern "C" fn free(ptr: *mut c_void) {
     if !ptr.is_null() {
         unsafe {
@@ -120,24 +122,23 @@ pub unsafe extern "C" fn free(ptr: *mut c_void) {
 ///
 /// # Safety
 /// `ptr` must be a pointer to a memory block previously allocated by `memory::malloc`, `memory::calloc`, or `memory::realloc`.
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub unsafe extern "C" fn realloc(ptr: *mut c_void, size: usize) -> *mut c_void {
     if ptr.is_null() {
         // If the pointer is null, treat as a malloc
-        return malloc(size);
+        return unsafe { malloc(size) };
     }
 
     if size == 0 {
         // If the size is 0, treat as a free and return null
-        free(ptr);
+        unsafe { free(ptr) };
         return ptr::null_mut();
     }
 
+    let total_new_size = size
+        .checked_add(size_of::<Layout>())
+        .expect("data and layout size should not overflow in realloc");
     unsafe {
-        let total_new_size = size
-            .checked_add(size_of::<Layout>())
-            .expect("data and layout size should not overflow in realloc");
-
         let block_start = (ptr as *const Layout).sub(1);
         let old_layout = block_start.read();
         let new_layout = Layout::from_size_align(total_new_size, MAX_ALIGN).unwrap();
diff --git a/src/hyperlight_guest/src/print.rs b/src/hyperlight_guest/src/print.rs
diff --git a/src/hyperlight_guest/src/security_check.rs b/src/hyperlight_guest/src/security_check.rs
diff --git a/src/hyperlight_guest/src/setjmp.rs b/src/hyperlight_guest/src/setjmp.rs

Original file line number	Diff line number	Diff line change
`@@ -105,9 +105,9 @@ fn cargo_main() {`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`if cfg!(windows) {`
`108`		`- env::set_var("AR_x86_64_unknown_none", "llvm-ar");`
	`108`	`+ unsafe { env::set_var("AR_x86_64_unknown_none", "llvm-ar") };`
`109`	`109`	`} else {`
`110`		`- env::set_var("AR_x86_64_pc_windows_msvc", "llvm-lib");`
	`110`	`+ unsafe { env::set_var("AR_x86_64_pc_windows_msvc", "llvm-lib") };`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`cfg.compile("hyperlight_guest");`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ use hyperlight_common::mem::RunMode;`
`22`	`22`	`use crate::guest_error::{set_invalid_runmode_error, set_stack_allocate_error};`
`23`	`23`	`use crate::{MIN_STACK_ADDRESS, RUNNING_MODE};`
`24`	`24`
`25`		`-extern "win64" {`
	`25`	`+unsafe extern "win64" {`
`26`	`26`	`fn __chkstk();`
`27`	`27`	`fn __chkstk_in_proc();`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,11 +54,6 @@ impl GuestFunctionRegister {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`pub fn register_function(function_definition: GuestFunctionDefinition) {`
`57`		`- unsafe {`
`58`		`- // This is currently safe, because we are single threaded, but we`
`59`		`- // should find a better way to do this, see issue #808`
`60`		`- #[allow(static_mut_refs)]`
`61`		`- let gfd = &mut REGISTERED_GUEST_FUNCTIONS;`
`62`		`- gfd.register(function_definition);`
`63`		`- }`
	`57`	`+ let mut gfd = REGISTERED_GUEST_FUNCTIONS.lock();`
	`58`	`+ gfd.register(function_definition);`
`64`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ pub fn outb(port: u16, value: u8) {`
`110`	`110`	`}`
`111`	`111`	`}`
`112`	`112`
`113`		`-extern "win64" {`
	`113`	`+unsafe extern "win64" {`
`114`	`114`	`fn hloutb(port: u16, value: u8);`
`115`	`115`	`}`
`116`	`116`