When doing

[ebuild U ] dev-java/icedtea-7.2.4.1:7 [7.2.3.9:7] USE="X alsa cups jbootstrap nsplugin nss pax_kernel webstart -cjk -debug -doc -examples -javascript -pulseaudio -source -systemtap {-test}":

make[6]: Entering directory `/var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk-boot/jdk/make/com/sun/jmx'
/bin/mkdir -p /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes/javax/management/remote/rmi
rm -f /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes/javax/management/remote/rmi/RMIConnectionImpl_Stub.class
/var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/bin/java -XX:-PrintVMOptions -XX:+UnlockDiagnosticVMOptions -XX:-LogVMOutput -Xmx512m -Xms512m -XX:PermSize=32m -XX:MaxPermSize=160m -cp /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes sun.rmi.rmic.Main -classpath "/var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes" \
    -d /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes \
    -v1.2 \
    -keepgenerated \
    javax.management.remote.rmi.RMIConnectionImpl
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000346c87b4000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk-boot/jdk/make/com/sun/jmx/hs_err_pid17204.log
make[6]: *** [/var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/classes/javax/management/remote/rmi/RMIConnectionImpl_Stub.class] Error 1

However, the reason is not insufficient memory, the reason is that java tries to RWX map memory and pax prohibits that. From the syslog:

grsec: denied RWX mmap of <anonymous mapping> by /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/bin/java[java:17205] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:17137]

paxctl -v /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build-boot/bin/java says PaX flags: -------x-e--, so obviously the ebuild forgot to run paxctl -m on that file.

Same problem somewhat later in the build for /var/portage/portage/dev-java/icedtea-7.2.4.1/work/icedtea-2.4.1/openjdk.build/bin/java, also lacks paxctl -m.

After calling paxctl -m manually twice, the build finishes.
emerge --info =icedtea-7.2.4.1

Portage 2.1.12.13 (default/linux/amd64/13.0/no-multilib, gcc-4.7.3, glibc-2.17, 3.10.0-hardened x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.10.0-hardened-x86_64-Intel-R-_Core-TM-_i7_CPU_Q_820_@_1.73GHz-with-gentoo-2.2
KiB Mem: 8089676 total, 1527288 free
KiB Swap: 33554428 total, 33554428 free
Timestamp of tree: Sat, 20 Jul 2013 05:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash: 4.2_p45
dev-java/java-config: 2.2.0
dev-lang/python: 2.7.5-r1, 3.3.2-r1
dev-util/cmake: 2.8.11.1
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.13.4, 1.14
sys-devel/binutils: 2.23.1
sys-devel/gcc: 4.7.3
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.17
Repositories: gentoo
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 AdobeFlash-11.x Oracle-BCLA-JavaSE google-chrome"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -mtune=native -O2 -finline-functions -fomit-frame-pointer -fgcse-after-reload -frename-registers -fweb -ftracer -fivopts -maccumulate-outgoing-args -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -mtune=native -O2 -finline-functions -fomit-frame-pointer -fgcse-after-reload -frename-registers -fweb -ftracer -fivopts -maccumulate-outgoing-args -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build=n --with-bdeps=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles keeptemp keepwork merge-sync news noclean parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo http://gentoo.inode.at http://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp.spline.inf.fu-berlin.de/mirrors/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_DE.iso885915"
LC_ALL="en_DE.iso885915"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="64bit X a52 aac adobe-cff alsa amd64 apng applet archive ass bzip2 cairo cdda cdparanoia cli contrast cups curl cxx dbus dconf demosaic detex devfs-compat dga divx dot dri dts dvd dvdnav dvdr dvi dvipdfm egl encode epspdf exif expat extra faad ffmpeg fftw flac fontconfig foomaticdb fts3 g3dvl gallium gbm gif gimp gles gles1 gles2 glib glibc-omitfp gmp graphics gs gstreamer gtk gtk2 gudev htmlreport http hwdb iconv imagemagick inotify jbig jit jpeg jpeg2k kpathsea lasi latex latex3 lcdfilter lcms lensfun libkms libnotify libopts libsamplerate libwww lightning llvm-gcc lua lzma lzo mad metric midi minizip mmap mms mmx mmxext mng modules mp3 mpeg mta mudflap natspec ncat ncurses ndiff nping nptl nscd nsplugin offensive ogg oldnet openmp openvg opus orc pam pango pax_kernel pcre pdf pic plugins png postproc postscript ppds pstricks pth quicktime rar raw readline realmedia rle rpc rtc rule_generator scanner schroedinger secure-delete session smp sndfile sound sqlite sqlite3 sse sse2 sse3 sse4_1 sse4_2 ssh ssl ssse3 svg symlink system-cairo system-jpeg system-sqlite t1lib texi2html theora threads thunar tiff tremor truetype udev unlock-notify unwind usb utils vaapi vdpau vim-with-x vnc vorbis vpx webkit2 webp wmf wmp x264 xa xcb xkb xmp xorg xpm xrandr xulrunner xv xvid xvmc zip zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer pdfimport"
LINGUAS="en"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-4"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
RUBY_TARGETS="ruby19 ruby18"
SANE_BACKENDS="epson"
USERLAND="GNU"
VIDEO_CARDS="radeon r600"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
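
The distinction drawn in the report above (errno=1 together with a grsec denial, rather than a real out-of-memory condition) can be checked mechanically. The script below is an added example, not part of the original report; the function names and the shortened /build/... paths in the constructed sample logs are assumptions.

```shell
#!/bin/sh
# Added example: tell a PaX MPROTECT denial apart from a genuine JVM OOM.
# Sample logs are constructed from the lines quoted in the report; the
# /build/... paths are placeholders.

sample_build_log() { cat <<'EOF'
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000346c87b4000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
# There is insufficient memory for the Java Runtime Environment to continue.
EOF
}

sample_syslog() { cat <<'EOF'
grsec: denied RWX mmap of <anonymous mapping> by /build/openjdk.build-boot/bin/java[java:17205] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:17137]
grsec: denied RWX mmap of <anonymous mapping> by /build/openjdk.build-boot/bin/java[java:17311] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:17137]
grsec: denied RWX mmap of <anonymous mapping> by /build/openjdk.build/bin/java[java:18002] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/gmake[make:17137]
EOF
}

# Reads a build log on stdin. Prints "eperm" when os::commit_memory failed with
# errno=1 (policy denial), "enomem" for errno=12 (real exhaustion), "other" for
# any other errno, and "none" when no such failure is logged.
classify_commit_failure() {
    line=$(grep 'os::commit_memory(.*failed' | head -n 1)
    [ -n "$line" ] || { echo none; return 0; }
    case $line in
        *'(errno=1)'*)  echo eperm ;;
        *'(errno=12)'*) echo enomem ;;
        *)              echo other ;;
    esac
}

# Reads syslog on stdin. Prints each executable named in a grsec
# "denied RWX mmap" line once, whatever the PID.
denied_rwx_binaries() {
    sed -n 's|^.*grsec: denied RWX mmap of .* by \(/[^[]*\)\[[^]]*] uid/euid.*$|\1|p' |
        LC_ALL=C sort -u
}

# $1 = build log text, $2 = syslog text. When both signals agree, prints the
# marking command used in the report for every affected binary; else returns 1.
# On XATTR_PAX hosts the thread notes paxctl-ng is needed instead of paxctl.
triage() {
    [ "$(printf '%s\n' "$1" | classify_commit_failure)" = eperm ] || return 1
    bins=$(printf '%s\n' "$2" | denied_rwx_binaries)
    [ -n "$bins" ] || return 1
    printf '%s\n' "$bins" | sed 's|^|paxctl -m |'
}

triage "$(sample_build_log)" "$(sample_syslog)"
```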
> OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000346c87b4000, 2555904, 1) failed; error='Operation not permitted' (errno=1)

Yes, it indeed says here that it is not permitted.

> After calling paxctl -m manually twice, the build finishes.

From what I see this doesn't seem possible to do from the ebuild itself, it does a simple `emake` call; so, this would have to be corrected in the build system. I haven't yet looked into it but this will take some figuring out to know at which point we need to call this.

From the build log I followed yesterday, I understood it first compiles java / javac and then uses that to compile some java files into classes; it's where it tries to use these two that it fails, so, somewhere in that `emake` call.

We'll try to look into this; given that I don't run PaX and it takes quite long to build this, help from someone running PaX that knows some of the basics of the build system will definitely be welcome.
I found this one: http://icedtea.classpath.org/hg/release/icedtea7-2.3/rev/22c8a74134c1
Well, we do

> $(use_with pax_kernel pax paxctl)

so that patch is applied.
(In reply to Tom Wijsman (TomWij) from comment #3)
> Well, we do
>
> > $(use_with pax_kernel pax paxctl)
>
> so that patch is applied.

I don't see this patch in workdir.
(In reply to Alon Bar-Lev from comment #4)
> (In reply to Tom Wijsman (TomWij) from comment #3)
> > Well, we do
> >
> > > $(use_with pax_kernel pax paxctl)
> >
> > so that patch is applied.
>
> I don't see this patch in workdir.

I can confirm that with that patch it is working correctly.
(In reply to Alon Bar-Lev from comment #4)
> (In reply to Tom Wijsman (TomWij) from comment #3)
> > Well, we do
> >
> > > $(use_with pax_kernel pax paxctl)
> >
> > so that patch is applied.
>
> I don't see this patch in workdir.

It is in the ebuild; in other words, if you have pax_kernel USE flag then it will use the patch specified in the commit linked to from Comment 2 since it will process the WITH_PAX section.

Looking at the unpacked files patches/pax-mark-rmic-java.patch is indeed not present; I wonder how that happened, I will hear with gnu_andrew and see what the appropriate solution here is, trying to fix it upstream instead of the ebuild.
(In reply to Tom Wijsman (TomWij) from comment #6)
> (In reply to Alon Bar-Lev from comment #4)
> > (In reply to Tom Wijsman (TomWij) from comment #3)
> > > Well, we do
> > >
> > > > $(use_with pax_kernel pax paxctl)
> > >
> > > so that patch is applied.
> >
> > I don't see this patch in workdir.
>
> It is in the ebuild; in other words, if you have pax_kernel USE flag then it
> will use the patch specified in the commit linked to from Comment 2 since it
> will process the WITH_PAX section.
>
> Looking at the unpacked files patches/pax-mark-rmic-java.patch is indeed not
> present; I wonder how that happened, I will hear with gnu_andrew and see
> what the appropriate solution here is, trying to fix it upstream instead of
> the ebuild.

Can you please provide a temporary fix in the ebuild as you work on proper upstream support?
I don't know what the problem is, as I showed in Comment #3, #6 it is applied. Though gnu_andrew said on IRC this will be part of the release of today or tomorrow; apart from that, I have no idea what to backport here. And given the complexity / build time it's probably best to move to the newer release instead.
Fixed: http://blog.fuseyism.com/index.php/2013/09/23/icedtea-2-4-2-released/
On systems which have migrated to XATTR_PAX marking, this solution doesn't work. The build system should be patched to use paxctl-ng instead of paxctl. paxctl-ng can set both PT_PAX and XATTR_PAX.
Created attachment 362786
icedtea-7.2.4.3-r1.ebuild

Created attachment 362788
icedtea-use-paxctl-ng.patch

Comment on attachment 362786
icedtea-7.2.4.3-r1.ebuild

Updated ebuild to use paxctl-ng instead of pax

Comment on attachment 362788
icedtea-use-paxctl-ng.patch

Patch to make the build system use paxctl-ng
I build on a PaX xattr system all the time now. All current builds should be fine.