Remove and prevent use of unwrap in hyperlight_host

simongdavies · simongdavies · commit 23058ec5d9bf · 2025-03-18T13:30:05.000Z
Signed-off-by: Simon Davies &lt;simongdavies@users.noreply.github.com&gt;
diff --git a/src/hyperlight_host/src/hypervisor/hypervisor_handler.rs b/src/hyperlight_host/src/hypervisor/hypervisor_handler.rs
@@ -246,7 +246,11 @@ impl HypervisorHandler {
         #[cfg(target_os = "windows")]
         let in_process = sandbox_memory_manager.is_in_process();
 
-        *self.execution_variables.shm.try_lock().unwrap() = Some(sandbox_memory_manager);
+        *self
+            .execution_variables
+            .shm
+            .try_lock()
+            .map_err(|e| new_error!("Failed to lock shm: {}", e))? = Some(sandbox_memory_manager);
 
         // Other than running initialization and code execution, the handler thread also handles
         // cancellation. When we need to cancel the execution there are 2 possible cases
@@ -299,13 +303,13 @@ impl HypervisorHandler {
                             HypervisorHandlerAction::Initialise => {
                                 {
                                     hv = Some(set_up_hypervisor_partition(
-                                        execution_variables.shm.try_lock().unwrap().deref_mut().as_mut().unwrap(),
+                                        execution_variables.shm.try_lock().map_err(|e| new_error!("Failed to lock shm: {}", e))?.deref_mut().as_mut().ok_or_else(|| new_error!("shm not set"))?,
                                         configuration.outb_handler.clone(),
                                         #[cfg(gdb)]
                                         &debug_info,
                                     )?);
                                 }
-                                let hv = hv.as_mut().unwrap();
+                                let hv = hv.as_mut().ok_or_else(|| new_error!("Hypervisor not set"))?;
 
                                 #[cfg(target_os = "windows")]
                                 if !in_process {
@@ -386,7 +390,7 @@ impl HypervisorHandler {
                                 }
                             }
                             HypervisorHandlerAction::DispatchCallFromHost(function_name) => {
-                                let hv = hv.as_mut().unwrap();
+                                let hv = hv.as_mut().ok_or_else(|| new_error!("Hypervisor not initialized"))?;
 
                                 // Lock to indicate an action is being performed in the hypervisor
                                 execution_variables.running.store(true, Ordering::SeqCst);
@@ -647,6 +651,8 @@ impl HypervisorHandler {
                         // If the thread has finished, we try to join it and return the error if it has one
                         let res = handle.join();
                         if res.as_ref().is_ok_and(|inner_res| inner_res.is_err()) {
+                            #[allow(clippy::unwrap_used)]
+                            // We know that the thread has finished and that the inner result is an error, so we can safely unwrap the result and the contained err
                             return Err(res.unwrap().unwrap_err());
                         }
                         Err(HyperlightError::HypervisorHandlerMessageReceiveTimedout())
@@ -757,7 +763,7 @@ impl HypervisorHandler {
             if thread_id == u64::MAX {
                 log_then_return!("Failed to get thread id to signal thread");
             }
-            let mut count: i32 = 0;
+            let mut count: u128 = 0;
             // We need to send the signal multiple times in case the thread was between checking if it
             // should be cancelled and entering the run loop
 
@@ -771,7 +777,7 @@ impl HypervisorHandler {
             while !self.execution_variables.run_cancelled.load() {
                 count += 1;
 
-                if count > number_of_iterations.try_into().unwrap() {
+                if count > number_of_iterations {
                     break;
                 }
 
@@ -797,7 +803,8 @@ impl HypervisorHandler {
                 // partition handle only set when running in-hypervisor (not in-process)
                 unsafe {
                     WHvCancelRunVirtualProcessor(
-                        self.execution_variables.get_partition_handle()?.unwrap(), // safe unwrap
+                        #[allow(clippy::unwrap_used)]
+                        self.execution_variables.get_partition_handle()?.unwrap(), // safe unwrap as we checked is some
                         0,
                         0,
                     )
diff --git a/src/hyperlight_host/src/hypervisor/surrogate_process_manager.rs b/src/hyperlight_host/src/hypervisor/surrogate_process_manager.rs
@@ -267,14 +267,26 @@ impl Drop for SurrogateProcessManager {
 lazy_static::lazy_static! {
     // see the large comment inside `SurrogateProcessManager` describing
     // our reasoning behind using `lazy_static`.
-    static ref SURROGATE_PROCESSES_MANAGER: SurrogateProcessManager =
-        SurrogateProcessManager::new().unwrap();
+    static ref SURROGATE_PROCESSES_MANAGER: std::result::Result<SurrogateProcessManager, &'static str> =
+        match SurrogateProcessManager::new() {
+            Ok(manager) => Ok(manager),
+            Err(e) => {
+                error!("Failed to create SurrogateProcessManager: {:?}", e);
+                Err("Failed to create SurrogateProcessManager")
+            }
+        };
 }
 
 /// Gets the singleton SurrogateProcessManager. This should be called when a new HyperV on Windows Driver is created.
 #[instrument(err(Debug), skip_all, parent = Span::current(), level= "Trace")]
 pub(crate) fn get_surrogate_process_manager() -> Result<&'static SurrogateProcessManager> {
-    Ok(&SURROGATE_PROCESSES_MANAGER)
+    match &*SURROGATE_PROCESSES_MANAGER {
+        Ok(manager) => Ok(manager),
+        Err(e) => {
+            error!("Failed to get SurrogateProcessManager: {:?}", e);
+            Err(new_error!("Failed to get SurrogateProcessManager {}", e))
+        }
+    }
 }
 
 // Creates a job object that will terminate all the surrogate processes when the struct instance is dropped.
diff --git a/src/hyperlight_host/src/hypervisor/windows_hypervisor_platform.rs b/src/hyperlight_host/src/hypervisor/windows_hypervisor_platform.rs
@@ -165,6 +165,8 @@ pub unsafe fn try_load_whv_map_gpa_range2() -> Result<WHvMapGpaRange2Func> {
         return Err(new_error!("{}", e));
     }
 
+    #[allow(clippy::unwrap_used)]
+    // We know this will succeed because we just checked for an error above
     let library = library.unwrap();
 
     let address = unsafe { GetProcAddress(library, s!("WHvMapGpaRange2")) };
diff --git a/src/hyperlight_host/src/lib.rs b/src/hyperlight_host/src/lib.rs
@@ -19,6 +19,7 @@ limitations under the License.
 
 #![cfg_attr(not(any(test, debug_assertions)), warn(clippy::panic))]
 #![cfg_attr(not(any(test, debug_assertions)), warn(clippy::expect_used))]
+#![cfg_attr(not(any(test, debug_assertions)), warn(clippy::unwrap_used))]
 
 use std::sync::Once;
 
diff --git a/src/hyperlight_host/src/mem/elf.rs b/src/hyperlight_host/src/mem/elf.rs
@@ -52,20 +52,22 @@ impl ElfInfo {
         self.entry
     }
     pub(crate) fn get_base_va(&self) -> u64 {
+        #[allow(clippy::unwrap_used)] // guaranteed not to panic because of the check in new()
         let min_phdr = self
             .phdrs
             .iter()
             .find(|phdr| phdr.p_type == PT_LOAD)
-            .unwrap(); // guaranteed not to panic because of the check in new()
+            .unwrap();
         min_phdr.p_vaddr
     }
     pub(crate) fn get_va_size(&self) -> usize {
+        #[allow(clippy::unwrap_used)] // guaranteed not to panic because of the check in new()
         let max_phdr = self
             .phdrs
             .iter()
             .rev()
             .find(|phdr| phdr.p_type == PT_LOAD)
-            .unwrap(); // guaranteed not to panic because of the check in new()
+            .unwrap();
         (max_phdr.p_vaddr + max_phdr.p_memsz - self.get_base_va()) as usize
     }
     pub(crate) fn load_at(&self, load_addr: usize, target: &mut [u8]) -> Result<()> {
diff --git a/src/hyperlight_host/src/mem/loaded_lib.rs b/src/hyperlight_host/src/mem/loaded_lib.rs
@@ -54,7 +54,7 @@ impl LoadedLib {
         // arc reference is dropped, but before the destructor is executed. This however
         // is ok, as it means that the old library is not going to be used anymore and
         // we can use it instead.
-        let mut lock = LOADED_LIB.lock().unwrap();
+        let mut lock = LOADED_LIB.lock()?;
         if lock.upgrade().is_some() {
             // An owning copy of the loaded library still exists somewhere,
             // we can't load a new library yet
diff --git a/src/hyperlight_host/src/mem/memory_region.rs b/src/hyperlight_host/src/mem/memory_region.rs
@@ -202,6 +202,8 @@ impl MemoryRegionVecBuilder {
             return guest_end - self.guest_base_phys_addr;
         }
 
+        #[allow(clippy::unwrap_used)]
+        // we know this is safe because we check if the regions are empty above
         let last_region = self.regions.last().unwrap();
         let new_region = MemoryRegion {
             guest_region: last_region.guest_region.end..last_region.guest_region.end + size,
diff --git a/src/hyperlight_host/src/mem/mgr.rs b/src/hyperlight_host/src/mem/mgr.rs
@@ -300,6 +300,7 @@ where
         if last.is_none() {
             log_then_return!(NoMemorySnapshot);
         }
+        #[allow(clippy::unwrap_used)] // We know that last is not None because we checked it above
         let snapshot = last.unwrap();
         snapshot.restore_from_snapshot(&mut self.shared_mem)
     }
diff --git a/src/hyperlight_host/src/mem/pe/base_relocations.rs b/src/hyperlight_host/src/mem/pe/base_relocations.rs
@@ -91,6 +91,7 @@ impl<'a> Iterator for BaseRelocations<'a> {
         let word = u16::from_le_bytes(block);
 
         // Shift the word over so that we are only reading a number from the first (most significant) 4 bits
+        #[allow(clippy::unwrap_used)] // this is safe as we are only reading 4 bits from a u16
         let typ = u8::try_from(word >> 12).unwrap();
 
         // Set the first 4 bits to 0 so that we only use the lower 12 bits for the location of the RVA in the PE file
diff --git a/src/hyperlight_host/src/mem/shared_mem.rs b/src/hyperlight_host/src/mem/shared_mem.rs
@@ -885,7 +885,7 @@ impl HostSharedMemory {
         buffer_size: usize,
         data: &[u8],
     ) -> Result<()> {
-        let stack_pointer_rel = self.read::<u64>(buffer_start_offset).unwrap() as usize;
+        let stack_pointer_rel = self.read::<u64>(buffer_start_offset)? as usize;
         let buffer_size_u64: u64 = buffer_size.try_into()?;
 
         if stack_pointer_rel > buffer_size || stack_pointer_rel < 8 {
@@ -953,7 +953,7 @@ impl HostSharedMemory {
 
         // go back 8 bytes to get offset to element on top of stack
         let last_element_offset_rel: usize =
-            self.read::<u64>(last_element_offset_abs - 8).unwrap() as usize;
+            self.read::<u64>(last_element_offset_abs - 8)? as usize;
 
         // make it absolute
         let last_element_offset_abs = last_element_offset_rel + buffer_start_offset;
diff --git a/src/hyperlight_host/src/metrics/int_gauge_vec.rs b/src/hyperlight_host/src/metrics/int_gauge_vec.rs
@@ -16,7 +16,7 @@ limitations under the License.
 
 use prometheus::core::{AtomicI64, GenericGaugeVec};
 use prometheus::register_int_gauge_vec_with_registry;
-use tracing::{instrument, Span};
+use tracing::{error, instrument, Span};
 
 use super::{
     get_metric_opts, get_metrics_registry, GetHyperlightMetric, HyperlightMetric,
@@ -44,50 +44,53 @@ impl IntGaugeVec {
     /// Increments a gauge by 1
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn inc(&self, label_vals: &[&str]) {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .inc();
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.inc(),
+            Err(e) => error!("Failed to get metric with label values: {}", e),
+        }
     }
     /// Decrements a gauge by 1
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn dec(&self, label_vals: &[&str]) {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .dec();
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.dec(),
+            Err(e) => error!("Failed to get metric with label values: {}", e),
+        }
     }
     /// Gets the value of a gauge
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn get(&self, label_vals: &[&str]) -> i64 {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .get()
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.get(),
+            Err(e) => {
+                error!("Failed to get metric with label values: {}", e);
+                0
+            }
+        }
     }
     /// Resets a gauge
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn set(&self, label_vals: &[&str], val: i64) {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .set(val);
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.set(val),
+            Err(e) => error!("Failed to get metric with label values: {}", e),
+        }
     }
     /// Adds a value to a gauge
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn add(&self, label_vals: &[&str], val: i64) {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .add(val);
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.add(val),
+            Err(e) => error!("Failed to get metric with label values: {}", e),
+        }
     }
     /// Subtracts a value from a gauge
     #[instrument(skip_all, parent = Span::current(), level= "Trace")]
     pub fn sub(&self, label_vals: &[&str], val: i64) {
-        self.gauge
-            .get_metric_with_label_values(label_vals)
-            .unwrap()
-            .sub(val);
+        match self.gauge.get_metric_with_label_values(label_vals) {
+            Ok(gauge) => gauge.sub(val),
+            Err(e) => error!("Failed to get metric with label values: {}", e),
+        }
     }
 }
 
diff --git a/src/hyperlight_host/src/sandbox/outb.rs b/src/hyperlight_host/src/sandbox/outb.rs
@@ -137,7 +137,7 @@ fn handle_outb_impl(
         }
         OutBAction::Abort => {
             let guest_error = ErrorCode::from(byte);
-            let panic_context = mem_mgr.as_mut().read_guest_panic_context_data().unwrap();
+            let panic_context = mem_mgr.as_mut().read_guest_panic_context_data()?;
             // trim off trailing \0 bytes if they exist
             let index_opt = panic_context.iter().position(|&x| x == 0x00);
             let trimmed = match index_opt {
diff --git a/src/hyperlight_host/src/seccomp/guest.rs b/src/hyperlight_host/src/seccomp/guest.rs
@@ -89,7 +89,7 @@ pub(crate) fn get_seccomp_filter_for_host_function_worker_thread(
         allowed_syscalls.into_iter().collect(),
         SeccompAction::Trap,  // non-match syscall will kill the offending thread
         SeccompAction::Allow, // match syscall will be allowed
-        std::env::consts::ARCH.try_into().unwrap(),
+        std::env::consts::ARCH.try_into()?,
     )
     .and_then(|filter| filter.try_into())?)
 }

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,8 @@ pub unsafe fn try_load_whv_map_gpa_range2() -> Result<WHvMapGpaRange2Func> {`
`165`	`165`	`return Err(new_error!("{}", e));`
`166`	`166`	`}`
`167`	`167`
	`168`	`+ #[allow(clippy::unwrap_used)]`
	`169`	`+ // We know this will succeed because we just checked for an error above`
`168`	`170`	`let library = library.unwrap();`
`169`	`171`
`170`	`172`	`let address = unsafe { GetProcAddress(library, s!("WHvMapGpaRange2")) };`
Original file line number	Diff line number	Diff line change
`@@ -202,6 +202,8 @@ impl MemoryRegionVecBuilder {`
`202`	`202`	`return guest_end - self.guest_base_phys_addr;`
`203`	`203`	`}`
`204`	`204`
	`205`	`+ #[allow(clippy::unwrap_used)]`
	`206`	`+ // we know this is safe because we check if the regions are empty above`
`205`	`207`	`let last_region = self.regions.last().unwrap();`
`206`	`208`	`let new_region = MemoryRegion {`
`207`	`209`	`guest_region: last_region.guest_region.end..last_region.guest_region.end + size,`
Original file line number	Diff line number	Diff line change
`@@ -300,6 +300,7 @@ where`
`300`	`300`	`if last.is_none() {`
`301`	`301`	`log_then_return!(NoMemorySnapshot);`
`302`	`302`	`}`
	`303`	`+ #[allow(clippy::unwrap_used)] // We know that last is not None because we checked it above`
`303`	`304`	`let snapshot = last.unwrap();`
`304`	`305`	`snapshot.restore_from_snapshot(&mut self.shared_mem)`
`305`	`306`	`}`