Improve InterruptHandle::kill() documentation and clarify boolean return value #1121
Conversation
Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
| /// - If this is called while the sandbox is not running (for example before or after calling a guest function), it will do nothing and return `false`. | ||
| /// This method sets a cancellation flag that prevents or stops the execution of guest code: | ||
| /// - If called while the sandbox is currently executing a guest function, it will interrupt the vCPU. | ||
| /// - If called before the sandbox starts executing (e.g., before a guest function call), it will prevent execution from starting. |
There was a problem hiding this comment.
@copilot This sentence is not entirely accurate. If called before a guest call, indeed the kill() is ignored. But if called after guest call, but before entering the guest, it is still effective. Please analyze the code and update the docs to accurately describe the behavior of kill() to make it easier for readers to understand what kill() does
There was a problem hiding this comment.
Updated the documentation to accurately describe the timing behavior. The key clarification is that kill() is only ignored if called before clear_cancel() in the guest function call lifecycle. If called after that point but before entering guest code, it will still prevent execution. See commit 5350a8c.
jsturtevant
added
the
kind/enhancement
The documentation now clarifies that kill() effectiveness depends on when it's called relative to clear_cancel() in the guest function call lifecycle. Co-authored-by: ludfjig <4257730+ludfjig@users.noreply.github.com>
|
@copilot tests are failing fix it up |
The test failure is not related to my changes. The error is a linker failure in the tracy-client-sys dependency: These are glibc 2.38+ symbols. The test-rust-gdb-debugging target is trying to build examples with tracing features, and the CI environment's glibc version is incompatible with tracy-client-sys. My changes only modified the
Fixed in commit ad4591d. The test failure was caused by the tracing-tracy dependency having glibc incompatibility issues. Solution: Made tracing-tracy an optional dependency with a new |
The tracing-tracy dependency was causing linker errors in CI due to glibc version incompatibility. Made it optional by: - Moving tracing-tracy from dev-dependencies to optional dependencies - Creating a new trace_tracy feature - Adding required-features to the tracing-tracy example This prevents tracy from being built during gdb tests, avoiding the linker error with __isoc23_fscanf and __isoc23_strtol symbols. Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
| unsafe { | ||
| if let Err(e) = WHvCancelRunVirtualProcessor(guard.handle, 0, 0) { | ||
| log::error!("Failed to cancel running virtual processor: {}", e); | ||
| } | ||
| }; |
There was a problem hiding this comment.
@ludfjig it seems the boolean here was useful information?
There was a problem hiding this comment.
yes but it would return false when cancelling before vcpu started executing.
There was a problem hiding this comment.
I am leaning towards keeping the bool and changing the wording in the docs since the linux implementation also returned a boolean before this. I am not a big fan of this change
There was a problem hiding this comment.
I'm open to that idea too.
There was a problem hiding this comment.
@copilot Lets keep the bool and update the comment to match the usage, specifically that it does not mean that it was success but that the signal was sent on linux and on windows it means true means it was killed but false could mean other things
There was a problem hiding this comment.
Restored the boolean return value and updated the documentation in commit 0daa0fd. The docs now clarify that:
- On Linux: Returns
trueif a signal was sent to the vCPU thread,falseif vCPU not running - On Windows: Returns
trueifWHvCancelRunVirtualProcessorwas called successfully,falseotherwise - A
falsereturn doesn't mean failure - the cancellation flag is always set
All test assertions have been restored.
…ed docs Based on feedback, restored the boolean return value for kill() but updated the documentation to clarify what it means: - The boolean indicates whether a signal was sent, not whether cancellation succeeded - On Linux: true if signal was sent to vCPU thread, false if vCPU not running - On Windows: true if WHvCancelRunVirtualProcessor called successfully, false otherwise - A false return doesn't mean failure - the cancellation flag is always set Restored all test assertions that were checking the return value. Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
Narrowed the unsafe block to only wrap the unsafe function call, keeping the match expression outside for better code clarity. Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
| return false; | ||
| } | ||
|
|
||
| unsafe { WHvCancelRunVirtualProcessor(guard.handle, 0, 0).is_ok() } |
There was a problem hiding this comment.
@copilot Lets skip this, we have logging in other places
There was a problem hiding this comment.
Removed the error logging for WHvCancelRunVirtualProcessor in commit 8b7a60c. The method now simply returns is_ok() without additional logging.
Reverted changes to Cargo.toml that made tracing-tracy optional. The tracy dependency is now back to being a regular dev-dependency as it was originally. Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
Removed the error logging that was added for WHvCancelRunVirtualProcessor failures as requested. The method now simply returns the result of is_ok() without logging. Co-authored-by: jsturtevant <648372+jsturtevant@users.noreply.github.com>
| /// This method sets a cancellation flag that prevents or stops the execution of guest code. | ||
| /// | ||
| /// # Return Value | ||
| /// | ||
| /// The return value indicates whether a signal was sent to interrupt a running vCPU: | ||
| /// - On Linux: Returns `true` if a signal was sent to the vCPU thread, `false` if the vCPU was not running. | ||
| /// - On Windows: Returns `true` if `WHvCancelRunVirtualProcessor` was called successfully, `false` otherwise. | ||
| /// | ||
| /// **Important**: A return value of `false` does not mean the cancellation failed. The cancellation flag is | ||
| /// always set, which will prevent or stop execution. A `false` return simply means no signal was sent because | ||
| /// the vCPU was not actively running at that moment. |
There was a problem hiding this comment.
I think something like
/// Cancel guest execution in the corresponding sandbox.
///
/// If a guest call is in progress, it will be cancelled and the guest function call
/// will return an error. If called before a guest call is made, it has no effect on
/// future guest calls.
///
/// # Returns
/// - `true` if a guest call was in progress and the vcpu was actively running.
/// - `false` otherwise (no guest call in progress, or guest call in progress but vcpu
/// not yet running). Any in-progress guest call will still be cancelled.
///
/// # Platform behavior
/// - **Linux**: If the vcpu is running, this function will block for the duration of
/// the time it takes for the vcpu thread to be interrupted.
/// - **Windows**: This function returns immediately after requesting cancellation.
fn kill(&self) -> bool;
would be better @copilot
There was a problem hiding this comment.
Updated the documentation in commit 533f3a8. The new format is clearer and more user-focused, with separate sections for the return value and platform-specific behavior.
Updated the documentation for InterruptHandle::kill() based on feedback to: - Use clearer language about canceling guest execution - Better explain the return value meaning - Separate platform-specific behavior into its own section - Remove technical details about signals in favor of user-focused description Co-authored-by: ludfjig <4257730+ludfjig@users.noreply.github.com>
Summary
Improved the documentation for
InterruptHandle::kill()to clarify the meaning of its boolean return value. Based on team feedback, the boolean return value was kept but the documentation was significantly enhanced to avoid confusion about what it represents.Changes Completed
boolreturn type forkill()methodboolboolcancellation.mddiagram to reflect return valueKey Improvements
The original implementation had a boolean return value, but the documentation was misleading about what it represented. The new documentation makes it clear that:
This provides useful diagnostic information to callers while eliminating confusion about the return value's meaning.
Security Summary
No security vulnerabilities introduced by this change.
The changes improve code clarity and documentation without altering the core cancellation mechanism. All synchronization and memory ordering remains unchanged.
Original prompt
InterruptHandle::kill()#1036💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.