Check for PaX during initialization

Mikael Vidstedt mikael.vidstedt at
Mon May 1 21:02:43 UTC 2017

Please review the following change, which adds code to check for the presence of PaX/MPROTECT ( <>) during VM initialization, and prints out a helpful message if PaX is enabled and interfering with the VM. Specifically, the code checks if a writable page can be made executable (mimicking what the JIT would typically do). Since ZERO doesn’t generate code the check is not performed there.

Copy+paste from the actual change:
// Some linux distributions (notably: Alpine Linux) include the
// grsecurity in the kernel by default. Of particular interest from a
// JVM perspective is PaX (, which adds
// some security features related to page attributes. Specifically,
// the MPROTECT PaX functionality
// ( prevents dynamic
// code generation by disallowing a (previously) writable page to be
// marked as executable. This is, of course, exactly what HotSpot does
// for both JIT compiled method, as well as for stubs, adapters, etc.
// Instead of crashing "lazily" when trying to make a page executable,
// this code probes for the presence of PaX and reports the failure
// eagerly.


More information about the portola-dev mailing list