Skip to content

Fix race condition in memory_decommit/memory_reset on Apple ARM64#18423

Open
Drustburn wants to merge 6 commits intoRPCS3:masterfrom
Drustburn:fix/apple-arm64-memory-decommit-race
Open

Fix race condition in memory_decommit/memory_reset on Apple ARM64#18423
Drustburn wants to merge 6 commits intoRPCS3:masterfrom
Drustburn:fix/apple-arm64-memory-decommit-race

Conversation

@Drustburn
Copy link
Copy Markdown

@Drustburn Drustburn commented Mar 22, 2026

Summary

On Apple ARM64, memory_decommit and memory_reset used a munmap followed by mmap without MAP_FIXED (since Apple rejects MAP_FIXED | MAP_JIT). Between the two calls, another thread could claim the unmapped address range, causing mmap to return a different address and triggering a fatal verification error.

Under concurrent load (e.g. PPU LLVM compilation with many worker threads), this race manifests reliably as Verification failed (object: 0x0) crashes across all PPUW threads.

Fix

Use MAP_FIXED without MAP_JIT instead. This atomically replaces the mapping without any window for other threads to interfere. The MAP_JIT attribute is lost on the replaced pages, but the application's code signing entitlements (allow-unsigned-executable-memory, disable-executable-page-protection) permit executable mappings without it.

Before (crashes under load)

ensure(::munmap(pointer, size) != -1);
ensure(::mmap(pointer, size, PROT_NONE, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0) == pointer);

After (atomic, race-free)

ensure(::mmap(pointer, size, PROT_NONE, MAP_FIXED | MAP_ANON | MAP_PRIVATE | c_map_noreserve, -1, 0) != reinterpret_cast<void*>(uptr{umax}));

Test plan

  • Tested on Apple M3 Max, macOS 26.3.1
  • Verified all PPUW memory_decommit verification failures are eliminated
  • PPU LLVM module loading completes without errors
  • SPU interpreter builds successfully

Fix race condition in memory_decommit/memory_reset on Apple ARM64
acdad8b 
The previous approach used munmap followed by mmap without MAP_FIXED
(since Apple rejects MAP_FIXED | MAP_JIT). Between the two calls,
another thread could claim the unmapped address range, causing mmap
to return a different address and triggering a fatal verification error.

Under concurrent load (e.g. PPU LLVM compilation with many worker threads),
this race manifests reliably as "Verification failed (object: 0x0)" crashes
across all PPUW threads in memory_decommit.

Fix: Use MAP_FIXED without MAP_JIT instead. This atomically replaces the
mapping without any window for other threads to interfere. The MAP_JIT
attribute is lost on the replaced pages, but the application's code signing
entitlements (allow-unsigned-executable-memory, disable-executable-page-protection)
permit executable mappings without it.

Applied the same fix to memory_reset which had the identical pattern.
@AniLeo AniLeo requested a review from kd-11 March 22, 2026 09:55
AniLeo
AniLeo reviewed Mar 22, 2026
View reviewed changes
Comment thread rpcs3/util/vm_native.cpp
AniLeo
AniLeo reviewed Mar 22, 2026
View reviewed changes
Comment thread rpcs3/util/vm_native.cpp
Remove redundant Apple ARM64 ifdef blocks
5cb8759 
The Apple ARM64 code paths are now identical to the generic case,
so the ifdef blocks are unnecessary.
@schm1dtmac schm1dtmac mentioned this pull request Mar 23, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AniLeo AniLeo AniLeo left review comments

@kd-11 kd-11 Awaiting requested review from kd-11

Assignees

No one assigned

Labels

CPU: Arm64 OS: macOS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Drustburn @AniLeo @Megamouse @elad335 @kd-11