feat(virtq): add virtio-villain inspired packed virtq coverage#1634
feat(virtq): add virtio-villain inspired packed virtq coverage#1634andreiltd wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR strengthens Hyperlight’s packed virtqueue (virtq) robustness by porting a set of deterministic packed-ring test cases (inspired by virtio-villain) into the in-process ring tests, and by adding a new fuzz target (with seed corpus support) for the packed-ring parser and notification/event-suppression logic.
Changes:
- Harden packed-ring parsing/consumption by rejecting descriptors that carry
INDIRECT, and by guardingDESC-event notification logic against out-of-range event indices. - Add a large suite of deterministic packed virtq tests covering malformed chains, phase/wrap edge cases, and notification suppression behavior.
- Add and wire up a new
fuzz_virtq_packed_ringtarget (Cargo/Just/CI), plus seed-corpus handling infuzz/.gitignoreand documentation updates.
Reviewed changes
Copilot reviewed 11 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/hyperlight_common/src/virtq/ring.rs | Reject INDIRECT descriptors, add notification guard, and add extensive packed-ring tests (virtio-villain inspired). |
| src/hyperlight_common/src/virtq/producer.rs | Add regression tests for invalid used lengths/IDs and import ring consumer test helper. |
| src/hyperlight_common/src/virtq/desc.rs | Update documentation to reflect INDIRECT rejection behavior. |
| src/hyperlight_common/src/virtq/consumer.rs | Add regression tests ensuring bad chains don’t leak into higher-level inflight tracking. |
| fuzz/fuzz_targets/virtq_packed_ring.rs | New fuzz target to exercise packed-ring parsing/consumption paths with compact binary inputs. |
| fuzz/Cargo.toml | Register fuzz_virtq_packed_ring binary target. |
| fuzz/.gitignore | Keep .bin seed inputs for the new fuzz target while ignoring other corpus artifacts. |
| fuzz/README.md | Document that packed virtqueue ring parser is now fuzzed. |
| Justfile | Include the new fuzz target in like-CI fuzz runs. |
| .github/workflows/ValidatePullRequest.yml | Add new fuzz target to PR validation matrix. |
| .github/workflows/Fuzzing.yml | Add new fuzz target to scheduled fuzzing matrix. |
74a3b74 to
477abe8
Compare
Map applicable packed ring cases into deterministic in process virtq tests, add high-level producer/consumer safety coverage, and add a packed-ring fuzz target with binary seed inputs. See: https://github.com/weltling/virtio-villain/tree/main/tests/vring Signed-off-by: Tomasz Andrzejak <andreiltd@gmail.com>
There was a problem hiding this comment.
do these bin's need to be checked in? looks like gitignore as added after?
There was a problem hiding this comment.
Yes, the intention was to have a valid queue as starting point for fuzzer and mutate memory from there. The seed is just binary form of the queue. I think it's more realistic than just starting from completely random mapping.
Map applicable packed ring cases into deterministic in process virtq tests, and add a packed-ring fuzz target with binary seed inputs.
See: https://github.com/weltling/virtio-villain/tree/main/tests/packed