macOS arm64 runner doesn't allow access to system registers #11127
Comments
As a side note, the JIT protection is not enabled at all on the macOS arm64 runners. For instance, we can use the following code to confirm:

```c
#include <sys/mman.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int main() {
    // Map a read/write/execute region that takes part in JIT write protection.
    uint64_t* p = mmap(NULL, 0x8192, PROT_WRITE | PROT_READ | PROT_EXEC, MAP_JIT | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("allocate");
        return -1;
    }
    pthread_jit_write_protect_np(0); // Write protection off: region is writable
    p[0] = 0xff;
    fprintf(stderr, "Initial %llx\n", p[0]);
    pthread_jit_write_protect_np(1); // Write protection on: region is executable
    p[1] = 0xee; // This shall be denied
    fprintf(stderr, "Enable write protection %llx\n", p[1]);
    return 0;
}
```

On my M2 Pro, this gives:
But on Github Action, this gives:
Hi @wtdcode, we will look into the issue and keep you posted with updates.
Hey guys, can I have some updates? @prasanjitsahoo @erik-bershel
no. the hypervisor already has
TL;DR: This issue can't be fixed for as long as a virtual machine is used, unless Apple changes how the virtual machines work in the future.
How do you confirm the entitlement is there?
I think the entitlement I'm referring to is
Thank you for raising this issue. As mentioned, the restrictions on macOS arm64 runners related to system registers stem from entitlement limitations (com.apple.security.hypervisor and com.apple.vm.hypervisor). Unfortunately, these constraints make it infeasible for us to provide prebuilt wheels on arm64 macOS.
Description
Hello,
Thanks for offering the precious macOS arm runners! However, as suggested in many places, the runners are virtualized with Apple Virtualization Framework and thus run jobs under EL1. This doesn't allow users to access many system registers, including SPRR. Our use case is to use this register to determine the current JIT state, as Apple doesn't offer an API to do so. This works pretty well on bare metal machines as SPRR is accessible.
From the post here, probably GitHub Actions needs to add the com.apple.private.hypervisor.vmapple entitlement to the hypervisor to enable the access. I understand this use case might be minor but I would appreciate it if GitHub Actions can add this so that we can test and distribute pre-built Python wheels.
Platforms affected
Runner images affected
Image version and build link
Image: macos-14-arm64
Version: 20241202.580
Included Software: https://github.com/actions/runner-images/blob/macos-14-arm64/20241202.580/images/macos/macos-14-arm64-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/macos-14-arm64%2F20241202.580
Is it regression?
No
Expected behavior
Allow access to system registers.
Actual behavior
Receive
Illegal instruction: 4
Repro steps
We have a code snippet to reproduce this:
Run it by:
This works well on bare metal machines but crashes on GitHub Actions runners.
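One way to learn the JIT write state without reading SPRR is to attempt a store and catch the fault instead of crashing. This is an added example, not code from this thread or from any project it mentions; `probe_write` and `demo_probe` are hypothetical names, and on non-Apple systems an `mprotect`ed page stands in for the `MAP_JIT` region.

```c
#define _DEFAULT_SOURCE            /* glibc: expose sigaction, MAP_ANONYMOUS */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#ifdef __APPLE__
#include <pthread.h>
#endif

static sigjmp_buf probe_env;       /* single-threaded sketch: one shared jump buffer */
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Returns 1 if a one-byte store to addr succeeds, 0 if it faults. */
int probe_write(volatile uint8_t *addr) {
    struct sigaction sa = {0}, old_segv, old_bus;
    volatile int ok = 0;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports protection faults as SIGBUS */
    if (sigsetjmp(probe_env, 1) == 0) { /* savemask=1: signal mask restored on jump */
        uint8_t v = *addr;
        *addr = v;                      /* store the same byte back: contents unchanged */
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Hypothetical helper: probe a fresh page with write protection on (1) or off (0); -1 on error. */
int demo_probe(int protect) {
    int flags = MAP_PRIVATE | MAP_ANONYMOUS, r;
#ifdef __APPLE__
    uint8_t *p = mmap(NULL, 16384, PROT_READ | PROT_WRITE | PROT_EXEC, flags | MAP_JIT, -1, 0);
    if (p == MAP_FAILED) return -1;
    pthread_jit_write_protect_np(protect);  /* per-thread toggle, as in the comment's code */
#else
    uint8_t *p = mmap(NULL, 16384, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (protect && mprotect(p, 16384, PROT_READ) != 0) { munmap(p, 16384); return -1; }
#endif
    r = probe_write(p);
    munmap(p, 16384);
    return r;
}
int main(void) {
    printf("unprotected: %d, protected: %d\n", demo_probe(0), demo_probe(1));
    return 0;
}
```

Where write protection is enforced, the protected probe returns 0; an environment that behaves as the first comment describes for the runners would return 1 for both calls.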