Add poison state to sandbox

[ludfjig]

This PR adds a poison state to sandbox in order to prevent further operations when the sandbox is left in an inconsistent state that could compromise memory safety, data integrity, or security. The sandbox becomes poisoned when guest functions abort/panic or when host-initiated execution cancellation occurs, leaving behind leaked heap allocations, corrupted data structures, or unreleased resources. For example, interrupting execution while guest is allocating can leave the global allocation lock in an inconsistent state, making future allocations impossible in subsequent runs due to infinite locking/spinning.

Poisoned sandboxes will reject all further operations (guest calls, snapshots, memory mapping) until the inconsistent state is resolved through either restoring to a snapshot or manually (unsafely) clearing the poison state.

Closes #848

[Copilot]

Pull Request Overview

This PR introduces sandbox poisoning functionality to prevent further operations when a sandbox is in an inconsistent state that could compromise memory safety. The sandbox becomes poisoned when guest functions abort/panic or when host-initiated execution cancellation occurs.

Key changes:

• Added poisoned state tracking with safety checks across all sandbox operations
• Implemented automatic poison detection for specific error types (GuestAborted, ExecutionCanceledByHost)
• Added recovery mechanisms through snapshot restoration or manual poison clearing

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
src/hyperlight_host/src/sandbox/initialized_multi_use.rs	Core implementation of poison state tracking, safety checks, and recovery mechanisms
src/hyperlight_host/src/error.rs	Added PoisonedSandbox error variant with detailed documentation
src/hyperlight_host/tests/integration_test.rs	Updated interrupt tests to clear poison state for continued execution
src/hyperlight_host/src/sandbox/snapshot.rs	Added Debug trait to Snapshot struct
src/hyperlight_host/src/mem/shared_mem_snapshot.rs	Added Debug trait to SharedMemorySnapshot struct

[dblnz]

Great stuff!
Changes LGTM. I left some clarifying comments, but overall good to go.

[jsturtevant]

It seems a bit strange to me that IsPoisoned doesn't return true when this is the error.

[ludfjig]

you're right it's confusing, but it is correct. PoisonedSandbox is what we return in case some other error already have caused poison state.

[ludfjig]

Which reminds we should probably better organize our errors into categories.

[jsturtevant]

isn't by definition poisoned then?

[ludfjig]

No because this error doesn't cause poison. PoisionedSandbox is what we returned if it is poisoned.

[jsturtevant]

if the sandbox returns this error then poisoned() == true? something feels off about not verifying that if this is returned and the internal state should also be verified to be correct.

[jsturtevant]

Are these things we have that get corrupted? These seems like general information on corruption but not specific to what we are protecting against.

[ludfjig]

yes these are just general information warnings

[jsturtevant]

Would all of these fall under memory corruption?

[ludfjig]

Probably yes

[jsturtevant]

IMO, this list feels overly generic and distracts from the rest of the comment but can see what others think

[jsturtevant]

Overall LGTM, a few nits but happy to see what other say