From: Gaash Hazan <gaash@qwilt.com>
To: Andrew Haley <aph@redhat.com>
Cc: libffi-discuss@sourceware.org
Subject: Re: libffi & fork
Date: Sun, 29 Apr 2012 15:34:00 -0000 [thread overview]
Message-ID: <CAP+vr+MhMzK=-gQ-Nz-avPcCfEgVPwQ7KyaOjFK4TKspyKBHdg@mail.gmail.com> (raw)
In-Reply-To: <4F991CA5.8070503@redhat.com>
Hi Andrew,
Thanks for the detailed answer.
I think I found the root cause of the problem. The libffi version that
I use (3.0.5) contains a bug in closures.c:selinux_enabled_check()
that incorrectly detected non-selinux systsem as selinux system.
Because system is detected (incorrectly) as selinux dlmap() does not
attempts to do mmap() for private anonymous block with write-exec
protection. It reverts to the trick with two mmap()s on a tmp file.
But trick does not with fork.
If the system is detected (correctly) as non-selinux, then dlmp()
would use anonymous write-exec mmap() and it would not use the trick.
Hence the fork problem would not occurred.
The selinux detected problem was fixed in
https://github.com/atgreen/libffi/commit/eaf444eabc4c78703c0f98ac0197b1619c1b1bef#src/closures.c
(closures.c line 149)
Unfortunately Redhat 6.2 and 6.3-bets uses libffi 3.0.5 that has this problem.
Regards,
Gaash
On Thu, Apr 26, 2012 at 1:00 PM, Andrew Haley <aph@redhat.com> wrote:
>
> On 04/25/2012 06:32 PM, Gaash Hazan wrote:
> >> There is, as far as I can see, only one way to remedy this: allow
> >> python to map anonymous memory with both write and execute permission.
> >> Then it should work fine.
> >
> > I believe memory allocation is a service provided by the OS and not by
> > the application or interpreter.
>
> The usual problem is a mechanism such as SELinux that is forbidding
> Python from mmap()ing PROT_WRITE|PROT_EXEC . If you label the
> executable unconfined_execmem_exec_t it may work because then libffi
> won't bother with all this multiple maps though a shared file
> descriptor business.
>
> > Python does not provide memory allocation service to libffi. In this
> > case libffi creates read-write-exec memory block using mmap to a tmp
> > file. I guess the problem is common to libff users and it is not
> > unique to python.
>
> It's special to Python because Python is the only common libffi client
> that forks and then tries to use the closures.
>
> > libffi uses mmap with MAP_SHARED at libffi:closures.c:dlmap(). What
> > was the reason for using MAP_SHARED in the first place?
> >
> > I think MAP_PRIVATE would create the desired behavior of copy-on-write
> > when forked. Would that be a proper fix?
>
> No, memory regions that are backed by a real file are always shared
> between processes. There is a single file descriptor that
> references the block of memory that holds the closures. The only
> way you'll get it to work is to create a new file.
>
> Andrew.
next prev parent reply other threads:[~2012-04-29 15:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAP+vr+PX9gw7Ot6Zc7AN8Gks9P+WHVQg8bX5S7YRnTRyRBHp7A@mail.gmail.com>
2012-04-24 19:41 ` Gaash Hazan
2012-04-25 9:11 ` Andrew Haley
2012-04-25 17:33 ` Gaash Hazan
2012-04-26 10:00 ` Andrew Haley
2012-04-29 15:34 ` Gaash Hazan [this message]
2012-04-29 17:58 ` Anthony Green
2012-04-30 8:32 ` Andrew Haley
2012-04-30 19:16 ` Anthony Green
2012-05-01 7:56 ` Andrew Haley
2012-05-02 20:23 ` Anthony Green
2012-05-04 9:00 ` Andrew Haley
2012-05-05 13:19 ` Anthony Green
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAP+vr+MhMzK=-gQ-Nz-avPcCfEgVPwQ7KyaOjFK4TKspyKBHdg@mail.gmail.com' \
--to=gaash@qwilt.com \
--cc=aph@redhat.com \
--cc=libffi-discuss@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).