Check for PaX during initialization

David Holmes david.holmes at
Wed May 3 01:36:10 UTC 2017

Seems okay. You may want to add the paxctl instructions as Poonam suggested.


On 2/05/2017 7:02 AM, Mikael Vidstedt wrote:
> Please review the following change, which adds code to check for the presence of PaX/MPROTECT ( <>) during VM initialization, and prints out a helpful message if PaX is enabled and interfering with the VM. Specifically, the code checks if a writable page can be made executable (mimicking what the JIT would typically do). Since ZERO doesn’t generate code the check is not performed there.
> Copy+paste from the actual change:
> // Some linux distributions (notably: Alpine Linux) include the
> // grsecurity in the kernel by default. Of particular interest from a
> // JVM perspective is PaX (, which adds
> // some security features related to page attributes. Specifically,
> // the MPROTECT PaX functionality
> // ( prevents dynamic
> // code generation by disallowing a (previously) writable page to be
> // marked as executable. This is, of course, exactly what HotSpot does
> // for both JIT compiled method, as well as for stubs, adapters, etc.
> //
> // Instead of crashing "lazily" when trying to make a page executable,
> // this code probes for the presence of PaX and reports the failure
> // eagerly.
> Cheers,
> Mikael

More information about the portola-dev mailing list