Summary
The HV (Hypervisor.framework) backend is already the de facto default for non-Rosetta workloads — resolve_backend() at virt/arcbox-vmm/src/vmm/mod.rs:1044-1058 returns ResolvedBackend::Hv for VmBackend::Auto when Rosetta is not requested. The stale comment at line 1042 ("default to VZ until the HV backend is fully validated") contradicts the code.
Before VZ can be deleted outright, five blockers must clear. Three are correctness gaps (must fix), two are feature gaps (should fix).
Verdict: Ready with caveats
Phases 1-6 of the VirtIO improvements plan are all landed (MRG_RXBUF, TAP TSO offload, RX scratch reuse, DAX plumbing, DISCARD/WRITE_ZEROES, vmnet bridge cleanup). All core container runtime devices — block, net, vsock, fs, rng — are registered in initialize_darwin_hv() and functional. No unimplemented!() / todo!() panics anywhere in the HV execution path.
But there is no documented end-to-end Linux boot test on HV in CI, and the dispatch of pause/resume/snapshot silently falls through to VZ-only code regardless of backend.
Blockers (see sub-issues)
- [Correctness] Pause / resume / snapshot dispatch is VZ-only — HV-backed VMs call Virtualization.framework code when paused.
- [Test coverage] No E2E test boots a Linux guest through the HV backend.
- [Verification] DAX end-to-end path is unverified — no test covers guest mmap → FUSE_SETUPMAPPING → hv_vm_map → page fault.
- [Feature] Balloon device is missing from initialize_darwin_hv() (VZ registers it; HV does not).
- [Performance] Interrupt coalescing not implemented on the two hottest device paths. Tracked separately: ABX-353 (virtio-net RX) and ABX-208 (VirtQueue EVENT_IDX / push_used_batch integration).
Evidence for readiness
- e30ce9c (P2 review) — gates EVENT_IDX on feature negotiation for blk/console/fs; fixes u16 wrap infinite loop.
- 106a6ca (P0/P1 review) — fixes HVC GPA overflow sandbox escape, sector overflow, flush-before-write ordering, DAX per-share mapping, GSO hdr_len.
- bc87f45 + 7bccbdd — darwin_hv and DeviceManager extraction refactors land.
- ABX-287, ABX-286, ABX-285, ABX-288 — core HV crate, device model, Linux boot, dual-backend switching all Done.
- ABX-355, ABX-349, ABX-342, ABX-341 — hardening completed.
Exit criteria
- resolve_backend() comment updated; VmBackend::Vz flipped from "default" to "legacy / opt-in / Rosetta only".
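A sketch of the pause / resume / snapshot blocker as an added example, not code from the arcbox repository: a dispatcher that ignores the resolved backend next to one that matches on it and fails closed, plus an invariant check that an HV-resolved VM never reaches a VZ handler. Apart from `resolve_backend`, `VmBackend` and `ResolvedBackend`, every name is hypothetical, and the Auto + Rosetta mapping and the set of operations HV supports are assumptions.

```rust
// Added illustration. Only resolve_backend, VmBackend and ResolvedBackend are
// names from the issue; everything else, and all bodies, are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum VmBackend { Auto, Vz, Hv }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ResolvedBackend { Vz, Hv }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum LifecycleOp { Pause, Resume, Snapshot }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Handler { Vz(LifecycleOp), Hv(LifecycleOp) }
#[derive(Debug, PartialEq, Eq)]
pub struct Unsupported(pub ResolvedBackend, pub LifecycleOp);

pub const ALL_OPS: [LifecycleOp; 3] =
    [LifecycleOp::Pause, LifecycleOp::Resume, LifecycleOp::Snapshot];
pub type Dispatch = fn(ResolvedBackend, LifecycleOp) -> Result<Handler, Unsupported>;

/// Auto picks HV unless Rosetta is requested (as the issue describes).
/// Auto + Rosetta resolving to VZ is an assumption.
pub fn resolve_backend(requested: VmBackend, rosetta: bool) -> ResolvedBackend {
    match (requested, rosetta) {
        (VmBackend::Vz, _) | (VmBackend::Auto, true) => ResolvedBackend::Vz,
        (VmBackend::Hv, _) | (VmBackend::Auto, false) => ResolvedBackend::Hv,
    }
}

/// The reported shape: the backend is ignored, so every VM gets the VZ handler.
pub fn dispatch_vz_only(_b: ResolvedBackend, op: LifecycleOp) -> Result<Handler, Unsupported> {
    Ok(Handler::Vz(op))
}

/// Backend-aware dispatch. Which ops HV implements is assumed here (pause and
/// resume); anything else returns an error instead of falling through to VZ.
pub fn dispatch_checked(b: ResolvedBackend, op: LifecycleOp) -> Result<Handler, Unsupported> {
    match (b, op) {
        (ResolvedBackend::Vz, op) => Ok(Handler::Vz(op)),
        (ResolvedBackend::Hv, LifecycleOp::Pause | LifecycleOp::Resume) => Ok(Handler::Hv(op)),
        (ResolvedBackend::Hv, LifecycleOp::Snapshot) => Err(Unsupported(b, op)),
    }
}

/// Every op for which an HV-resolved VM would be handed to a VZ handler.
pub fn hv_leaks_to_vz(dispatch: Dispatch) -> Vec<LifecycleOp> {
    ALL_OPS.iter().copied()
        .filter(|&op| matches!(dispatch(ResolvedBackend::Hv, op), Ok(Handler::Vz(_))))
        .collect()
}

fn main() {
    println!("Auto, no Rosetta -> {:?}", resolve_backend(VmBackend::Auto, false));
    println!("vz-only leaks: {:?}", hv_leaks_to_vz(dispatch_vz_only));
    println!("checked leaks: {:?}", hv_leaks_to_vz(dispatch_checked));
}
```

The same invariant can run as a unit test until an E2E HV boot test exists, so a new lifecycle operation cannot be added without a deliberate choice for each backend.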