squib-snapshot 0.2.0

Squib snapshot subsystem: bitcode state file, sparse memory file, dirty-page tracking
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383

//! `Snapshot<Data>` envelope, header, and CRC64 framing.
//!
//! Layout per [10-data-model.md § 6.1](../../../specs/10-data-model.md#61-state-file-idsnap):
//!
//! ```text
//! | bitcode::serialize(Snapshot<MicrovmState>)   variable, no length prefix
//! | crc64                                        u64 LE, ECMA-182, over the bitcode bytes
//! ```
//!
//! The implementation mirrors `vendors/firecracker/src/vmm/src/snapshot/mod.rs` so a
//! `firecracker --describe-snapshot` against a squib-produced file succeeds
//! structurally (D5).

use std::io::{Read, Write};

use semver::Version;
use serde::{Serialize, de::DeserializeOwned};

use crate::error::SnapshotError;

/// aarch64 magic id; matches upstream Firecracker
/// (`vendors/firecracker/src/vmm/src/snapshot/mod.rs:44`).
pub const SNAPSHOT_MAGIC_AARCH64: u64 = 0x0710_1984_AAAA_0000;

/// Snapshot version this build emits and accepts.
///
/// Pinned to upstream Firecracker `SNAPSHOT_VERSION` (D15). Bumped in lockstep with
/// upstream minor releases. Major bump invalidates older state files.
pub const SNAPSHOT_VERSION: Version = Version::new(5, 0, 0);

/// 10 MiB upper bound on serialized state payload, matching upstream's DoS guard
/// (`SNAPSHOT_DESERIALIZATION_BYTES_LIMIT`). Real microVMs sit well below 1 MiB; the
/// limit only ever fires on a malicious or corrupt file.
pub const SNAPSHOT_DESERIALIZATION_BYTES_LIMIT: usize = 10_000_000;

/// Architecture-specific magic for this build.
#[must_use]
pub const fn arch_magic() -> u64 {
    SNAPSHOT_MAGIC_AARCH64
}

/// On-disk header. Lives **inside** the bitcode envelope (D5) — *not* as a raw byte
/// prefix, which would break upstream Firecracker compatibility.
#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
pub struct SnapshotHdr {
    /// Architecture-specific magic value.
    pub magic: u64,
    /// Snapshot data version.
    pub version: Version,
}

/// Outer envelope wrapping a state blob.
#[derive(Debug, Clone, PartialEq, serde::Serialize, serde::Deserialize)]
pub struct Snapshot<Data> {
    /// Header (magic + version).
    pub header: SnapshotHdr,
    /// Wrapped state data.
    pub data: Data,
}

impl<Data> Snapshot<Data> {
    /// Construct a fresh envelope around `data`, stamped with this build's magic +
    /// version.
    #[must_use]
    pub fn new(data: Data) -> Self {
        Self {
            header: SnapshotHdr {
                magic: arch_magic(),
                version: SNAPSHOT_VERSION,
            },
            data,
        }
    }

    /// Borrow the embedded version.
    #[must_use]
    pub fn version(&self) -> &Version {
        &self.header.version
    }
}

impl<Data: Serialize> Snapshot<Data> {
    /// Save `self` into `writer` as `bitcode(envelope) || crc64-le`.
    ///
    /// The CRC is computed over the bitcode bytes only (the trailing 8 bytes are
    /// not folded into the checksum) — same shape as upstream Firecracker so a
    /// `firecracker --describe-snapshot` succeeds.
    ///
    /// # Errors
    /// [`SnapshotError::Bitcode`] for an encoding failure; [`SnapshotError::Io`]
    /// for a writer-side I/O failure.
    pub fn save<W: Write>(&self, writer: &mut W) -> Result<(), SnapshotError> {
        let mut crc_writer = Crc64Writer::new(writer);
        let encoded =
            bitcode::serialize(self).map_err(|e| SnapshotError::Bitcode(e.to_string()))?;
        crc_writer.write_all(&encoded)?;
        let crc = crc_writer.checksum();
        crc_writer.into_inner().write_all(&crc.to_le_bytes())?;
        Ok(())
    }
}

impl<Data: DeserializeOwned> Snapshot<Data> {
    /// Load and validate the envelope from a `Read`.
    ///
    /// Validates, in order:
    /// 1. Size is below the DoS-guard limit.
    /// 2. Trailing 8-byte CRC matches the body.
    /// 3. Magic equals the architecture-specific value.
    /// 4. Major version matches; minor version ≤ ours.
    ///
    /// The "load_without_crc_check" variant is exposed for `--describe-snapshot`
    /// against a possibly-corrupt file: an operator wants to see the version *even
    /// if* the CRC has been clobbered, so the describe path can downgrade CRC
    /// errors to warnings.
    ///
    /// # Errors
    /// [`SnapshotError::SizeLimitExceeded`], [`SnapshotError::TooShort`],
    /// [`SnapshotError::CrcMismatch`], [`SnapshotError::MagicMismatch`],
    /// [`SnapshotError::VersionMismatch`], [`SnapshotError::Bitcode`],
    /// [`SnapshotError::Io`].
    pub fn load<R: Read>(reader: &mut R) -> Result<Self, SnapshotError> {
        let buf = read_with_limit(reader, SNAPSHOT_DESERIALIZATION_BYTES_LIMIT)?;
        Self::load_from_slice(&buf)
    }

    /// Load + validate from an in-memory slice. The slice must include the trailing
    /// 8-byte CRC.
    ///
    /// # Errors
    /// Same as [`Self::load`].
    pub fn load_from_slice(buf: &[u8]) -> Result<Self, SnapshotError> {
        if buf.len() > SNAPSHOT_DESERIALIZATION_BYTES_LIMIT {
            return Err(SnapshotError::SizeLimitExceeded {
                limit: SNAPSHOT_DESERIALIZATION_BYTES_LIMIT,
            });
        }
        if buf.len() < 8 {
            return Err(SnapshotError::TooShort);
        }
        // Upstream's CRC trick: `crc64(0, full_buf) == 0` iff the trailing 8 bytes
        // are the LE checksum of the preceding bytes. We verify CRC first because
        // a magic mismatch is meaningless on corrupted bytes.
        if crc64::crc64(0, buf) != 0 {
            return Err(SnapshotError::CrcMismatch);
        }
        let (data_buf, _crc_buf) = buf.split_at(buf.len() - 8);
        Self::load_without_crc_check(data_buf)
    }

    /// Decode the envelope without checking the CRC.
    ///
    /// Used by `--describe-snapshot` to emit a useful diagnostic on a CRC-clobbered
    /// file (the version + magic are still meaningful). Production load paths must
    /// go through [`Self::load`] / [`Self::load_from_slice`] which validate the CRC
    /// first.
    ///
    /// # Errors
    /// [`SnapshotError::SizeLimitExceeded`], [`SnapshotError::Bitcode`],
    /// [`SnapshotError::MagicMismatch`], [`SnapshotError::VersionMismatch`].
    pub fn load_without_crc_check(data_buf: &[u8]) -> Result<Self, SnapshotError> {
        if data_buf.len() > SNAPSHOT_DESERIALIZATION_BYTES_LIMIT {
            return Err(SnapshotError::SizeLimitExceeded {
                limit: SNAPSHOT_DESERIALIZATION_BYTES_LIMIT,
            });
        }
        let snapshot: Self =
            bitcode::deserialize(data_buf).map_err(|e| SnapshotError::Bitcode(e.to_string()))?;
        if snapshot.header.magic != arch_magic() {
            return Err(SnapshotError::MagicMismatch {
                found: snapshot.header.magic,
                expected: arch_magic(),
            });
        }
        if snapshot.header.version.major != SNAPSHOT_VERSION.major
            || snapshot.header.version.minor > SNAPSHOT_VERSION.minor
        {
            return Err(SnapshotError::VersionMismatch {
                found: snapshot.header.version.clone(),
                expected: SNAPSHOT_VERSION,
            });
        }
        Ok(snapshot)
    }
}

/// Read up to `limit` bytes from `reader`. Returns
/// [`SnapshotError::SizeLimitExceeded`] when the input exceeds the limit.
///
/// We read `limit + 1` bytes so a file exactly at the limit succeeds and a file one
/// byte over surfaces the dedicated error rather than `bitcode`'s opaque truncation.
fn read_with_limit<R: Read>(reader: &mut R, limit: usize) -> Result<Vec<u8>, SnapshotError> {
    let mut buf = Vec::new();
    let read_cap = u64::try_from(limit.saturating_add(1)).unwrap_or(u64::MAX);
    let bytes = reader.take(read_cap).read_to_end(&mut buf)?;
    if bytes > limit {
        return Err(SnapshotError::SizeLimitExceeded { limit });
    }
    Ok(buf)
}

/// Streaming CRC-64 (ECMA-182) computer that wraps a writer.
///
/// Same shape as upstream's `CRC64Writer` (`vendors/firecracker/src/vmm/src/snapshot/crc.rs`).
#[derive(Debug)]
pub struct Crc64Writer<W> {
    writer: W,
    crc: u64,
}

impl<W: Write> Crc64Writer<W> {
    /// Construct a new wrapper over `writer`.
    pub fn new(writer: W) -> Self {
        Self { writer, crc: 0 }
    }

    /// The current CRC64 over all bytes written so far.
    #[must_use]
    pub fn checksum(&self) -> u64 {
        self.crc
    }

    /// Drop the wrapper, returning the underlying writer. Used to write the CRC
    /// trailer **without** including it in the checksum.
    pub fn into_inner(self) -> W {
        self.writer
    }
}

impl<W: Write> Write for Crc64Writer<W> {
    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
        let written = self.writer.write(buf)?;
        self.crc = crc64::crc64(self.crc, &buf[..written]);
        Ok(written)
    }

    fn flush(&mut self) -> std::io::Result<()> {
        self.writer.flush()
    }
}

#[cfg(test)]
mod tests {
    use std::io::Cursor;

    use super::*;
    use crate::state::MicrovmState;

    #[test]
    fn test_should_round_trip_default_state_through_save_and_load() {
        let snapshot = Snapshot::new(MicrovmState::default());
        let mut buf = Vec::new();
        snapshot.save(&mut buf).unwrap();
        let back = Snapshot::<MicrovmState>::load(&mut Cursor::new(&buf)).unwrap();
        assert_eq!(snapshot.header, back.header);
    }

    #[test]
    fn test_should_reject_truncated_crc_trailer() {
        let snapshot = Snapshot::new(MicrovmState::default());
        let mut buf = Vec::new();
        snapshot.save(&mut buf).unwrap();
        let truncated = &buf[..buf.len() - 4];
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(truncated),
            Err(SnapshotError::CrcMismatch)
        ));
    }

    #[test]
    fn test_should_reject_too_short_buffer() {
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(&[]),
            Err(SnapshotError::TooShort)
        ));
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(&[0u8; 4]),
            Err(SnapshotError::TooShort)
        ));
    }

    #[test]
    fn test_should_reject_bit_flipped_state() {
        let snapshot = Snapshot::new(MicrovmState::default());
        let mut buf = Vec::new();
        snapshot.save(&mut buf).unwrap();
        // Flip a body bit (not a CRC trailer bit).
        buf[2] ^= 0x01;
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(&buf),
            Err(SnapshotError::CrcMismatch)
        ));
    }

    #[test]
    fn test_should_reject_clobbered_crc_trailer() {
        let snapshot = Snapshot::new(MicrovmState::default());
        let mut buf = Vec::new();
        snapshot.save(&mut buf).unwrap();
        let len = buf.len();
        for byte in &mut buf[len - 8..] {
            *byte ^= 0xFF;
        }
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(&buf),
            Err(SnapshotError::CrcMismatch)
        ));
    }

    #[test]
    fn test_should_reject_wrong_magic_via_load_without_crc_check() {
        let mut snapshot = Snapshot::new(MicrovmState::default());
        snapshot.header.magic = 0xDEAD_BEEF;
        let body = bitcode::serialize(&snapshot).unwrap();
        assert!(matches!(
            Snapshot::<MicrovmState>::load_without_crc_check(&body),
            Err(SnapshotError::MagicMismatch { .. })
        ));
    }

    #[test]
    fn test_should_reject_higher_major_version() {
        let mut snapshot = Snapshot::new(MicrovmState::default());
        snapshot.header.version =
            Version::new(SNAPSHOT_VERSION.major + 1, SNAPSHOT_VERSION.minor, 0);
        let body = bitcode::serialize(&snapshot).unwrap();
        assert!(matches!(
            Snapshot::<MicrovmState>::load_without_crc_check(&body),
            Err(SnapshotError::VersionMismatch { .. })
        ));
    }

    #[test]
    fn test_should_reject_higher_minor_version() {
        let mut snapshot = Snapshot::new(MicrovmState::default());
        snapshot.header.version =
            Version::new(SNAPSHOT_VERSION.major, SNAPSHOT_VERSION.minor + 1, 0);
        let body = bitcode::serialize(&snapshot).unwrap();
        assert!(matches!(
            Snapshot::<MicrovmState>::load_without_crc_check(&body),
            Err(SnapshotError::VersionMismatch { .. })
        ));
    }

    #[test]
    fn test_should_accept_lower_minor_version() {
        // A state file from the previous minor must still load on this build.
        if SNAPSHOT_VERSION.minor == 0 {
            return; // can't test "lower minor" if we're on .0.x
        }
        let mut snapshot = Snapshot::new(MicrovmState::default());
        snapshot.header.version =
            Version::new(SNAPSHOT_VERSION.major, SNAPSHOT_VERSION.minor - 1, 0);
        let body = bitcode::serialize(&snapshot).unwrap();
        let _ok = Snapshot::<MicrovmState>::load_without_crc_check(&body).unwrap();
    }

    #[test]
    fn test_should_accept_arbitrary_patch_version() {
        let mut snapshot = Snapshot::new(MicrovmState::default());
        snapshot.header.version = Version::new(
            SNAPSHOT_VERSION.major,
            SNAPSHOT_VERSION.minor,
            SNAPSHOT_VERSION.patch + 12345,
        );
        let body = bitcode::serialize(&snapshot).unwrap();
        let _ok = Snapshot::<MicrovmState>::load_without_crc_check(&body).unwrap();
    }

    #[test]
    fn test_should_enforce_size_limit_on_load() {
        let huge = vec![0u8; SNAPSHOT_DESERIALIZATION_BYTES_LIMIT + 32];
        assert!(matches!(
            Snapshot::<MicrovmState>::load_from_slice(&huge),
            Err(SnapshotError::SizeLimitExceeded { .. })
        ));
    }

    #[test]
    fn test_should_keep_arch_magic_aarch64_constant() {
        assert_eq!(arch_magic(), 0x0710_1984_AAAA_0000);
    }
}