dev-qt/qtwebengine-5.7.0_alpha
grsec: denied RWX mmap of <anonymous mapping> by [...]src/core/Release/mksnapshot
[...]src/core/Release/mksnapshot needs to be pax-marked m to finish compilation successfully (workaround: do it on the fly). This probably affects qtwebengine-5.6.0 too, at least I ran into this problem with qtwebengine-5.6.9999 some time ago. Can't test 5.6.0 though due to bug 577676. www-client/chromium-49.0.2623.108 does pax-mark m out/Release/mksnapshot.
Created attachment 430226 [details] emerge --info
Created attachment 430244 [details] build.log
At tinderbox image amd64-plasma-unstable_20160423-224414 I do get:
FAILED: cd /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp; /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/mksnapshot --log-snapshot-positions --logfile /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/obj/src/3rdparty/chromium/v8/tools/gyp/v8_snapshot.gen/snapshot.log --random-seed 314159265 /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/obj/src/3rdparty/chromium/v8/tools/gyp/v8_snapshot.gen/snapshot.cc ""
/bin/sh: line 1: 2244 Segmentation fault /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/mksnapshot --log-snapshot-positions --logfile /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/obj/src/3rdparty/chromium/v8/tools/gyp/v8_snapshot.gen/snapshot.log --random-seed 314159265 /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/obj/src/3rdparty/chromium/v8/tools/gyp/v8_snapshot.gen/snapshot.cc ""
[4741/10705] CXX obj/src/3rdparty/chromium/third_party/mojo/src/mojo/public/cpp/environment/lib/mojo_environment_chromium.logging.o
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition
Created attachment 432808 [details, diff] proposed ebuild patch
For those looking to try a workaround, you can skip this ebuild patch and try just placing the patches:
qtwebengine-5.6.0-paxmark-mksnapshot.patch
qtwebengine-5.6.0-Fix-_FORTIFY_SOURCE-redefined-warnings.patch
in /etc/portage/patches/dev-qt/qtwebengine-5.6.0
Created attachment 432810 [details, diff] just suppresses warnings to make the build.log easier to follow
Created attachment 432812 [details, diff] just suppresses warnings to make the build.log easier to follow
Created attachment 432814 [details, diff] proposed patch to paxmark mksnapshot
Should be OK on PaX systems; the ebuild patch adds the dependency on sys-apps/elfix to ensure that /usr/sbin/paxmark.sh is available. And the ebuild patch only applies this patch if host-is-pax is true.
Created attachment 432980 [details] excerpt from build.log
Unfortunately paxmark-mksnapshot-patch doesn't work for me:
[4339/10677] CXX obj/src/3rdparty/chromium/net/proxy/net.proxy_script_decider.o
[4340/10677] ACTION mksnapshot: paxmark_m_mksnapshot_a6e4cbd821bd99545f38405d521e648f
FAILED: mksnapshot cd /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/3rdparty/chromium/v8/tools/gyp; bash -c "cp /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/mksnapshot_u /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/mksnapshot && paxmark.sh m /var/tmp/portage/dev-qt/qtwebengine-5.6.0/work/qtwebengine-opensource-src-5.6.0/src/core/Release/mksnapshot"
I didn't apply the suppress-warnings-patch yet. [...]src/core/Release/ contains both mksnapshot and mksnapshot_u, but they are not paxmarked m (/usr/sbin/paxmark.sh exists).
Created attachment 433530 [details] pax-related changes in kernel config 4.4 vs. 4.5
OK, I think I narrowed it down: building qtwebengine with paxmark-mksnapshot-patch succeeds running kernel 4.4.8-r1, but it doesn't work with kernel 4.5.2-r1. I only did minor changes to kernel-config (attached those related to pax). Paxmarking m mksnapshot on the fly (with paxctl-ng and paxmark.sh) running kernel-4.5.2-r1 doesn't work either; I can only manipulate mksnapshot's PT_PAX but not XATTR_PAX flags, although paxctl-ng works correctly with e.g. /usr/bin/firefox.
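The two markings named in the comment above live in different places: PT_PAX is a program header inside the ELF file, while XATTR_PAX is the user.pax.flags extended attribute on the file. The following is an added example, not part of the bug thread or of any attached patch, that reads both so a binary marked in only one of them can be spotted; the helper names and the constructed sample ELF image are assumptions made for illustration.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580        # program header type used by PaX (PT_LOOS + 0x5041580)
XATTR_NAME = "user.pax.flags"    # extended attribute holding the XATTR_PAX marking
# (letter, "enforce" bit, "disable" bit) inside the PT_PAX_FLAGS p_flags word
PAX_BITS = [("p", 1 << 4, 1 << 5), ("e", 1 << 12, 1 << 13), ("m", 1 << 8, 1 << 9),
            ("r", 1 << 14, 1 << 15), ("s", 1 << 6, 1 << 7)]

def decode(p_flags):
    """Upper case = enforced, lower case = disabled, '-' = kernel default."""
    return "".join(c.upper() if p_flags & on else c if p_flags & off else "-"
                   for c, on, off in PAX_BITS)

def pt_pax_flags(elf):
    """Decoded PT_PAX_FLAGS of a little-endian ELF image, or None if it has none."""
    if len(elf) < 6 or elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    if elf[4] == 2:   # ELFCLASS64: e_phoff at 0x20, p_flags follows p_type
        phoff, hdr, flags_at = struct.unpack_from("<Q", elf, 0x20)[0], 0x36, 4
    else:             # ELFCLASS32: e_phoff at 0x1C, p_flags at offset 24
        phoff, hdr, flags_at = struct.unpack_from("<I", elf, 0x1C)[0], 0x2A, 24
    phentsize, phnum = struct.unpack_from("<HH", elf, hdr)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", elf, base)[0] == PT_PAX_FLAGS:
            return decode(struct.unpack_from("<I", elf, base + flags_at)[0])
    return None

def xattr_pax_flags(path):
    """Contents of user.pax.flags, or None when unset or unsupported here."""
    try:
        return os.getxattr(path, XATTR_NAME).decode()
    except (OSError, AttributeError):
        return None

def check_markings(path):
    """Report both markings and whether each one disables MPROTECT ('m')."""
    with open(path, "rb") as f:
        pt = pt_pax_flags(f.read())
    xa = xattr_pax_flags(path)
    return {"PT_PAX": pt, "XATTR_PAX": xa,
            "pt_m": bool(pt and "m" in pt), "xattr_m": bool(xa and "m" in xa)}

def sample_elf(p_flags):
    """Constructed ELF64 image: file header plus one PT_PAX_FLAGS program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
```

A result with `pt_m` true and `xattr_m` false matches the situation described in the comment, where only the PT_PAX marking could be changed.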
IIRC there is a way to disable the use of mksnapshot, with a small penalty to v8 startup performance. Would that be acceptable?
To me, yes.
With kernel-4.5.3 and paxmark-mksnapshot-patch compilation succeeds.
Patch attached by Mark solves the compile-time problem. However the ebuild modifications can no longer be applied cleanly to qtwebengine-5.6.1 due to changes in the ebuild. Thanks: Dw.
*** Bug 596632 has been marked as a duplicate of this bug. ***
Version bump: dev-qt/qtwebengine-5.6.2. Bug is still there, attached patch still solves the problem.
Thanks, fixed in git by Aric Belsito. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c774a4445fb38143628450af34608353efc1bd78
The mechanism no longer works for dev-qt/qtwebengine-5.9.*, although the patch is there and applies cleanly. Should this bug be reopened, or is a separate one needed?
Created attachment 539070 [details, diff] Updated patch for qtwebengine-5.11.1
Upcoming version of qtwebengine changed the whitespace for the file involved, so I introduced some trivial changes to actualize the patch.
Created attachment 539690 [details, diff] Updated patch for qtwebengine-5.11.1
I missed a file in the previous patch. This one really does it for x86_64.