MemoryError: Cannot allocate write+execute memory for ffi.callback()

[askaliuk]

For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks

Found originally here: scrapy/scrapy#4117
Seems like pyOpenSSL issue, that's why creating it here.

Any advice or workaround is appreciated.

Traceback:

2019-10-31 20:24:51 [scrapy.downloadermiddlewares.robotstxt] ERROR: Error downloading <GET https://xxx.yyy/robots.txt>: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
Traceback (most recent call last):
.... skipped as non-relevant ...
 File "/home/scrapy/env/local/lib/python2.7/site-packages/twisted/internet/_sslverify.py", line 1709, in _makeContext
    ctx.set_verify(verifyFlags, _verifyCallback)
  File "/home/scrapy/env/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1103, in set_verify
    self._verify_helper = _VerifyHelper(callback)

OS:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"

[steve-estes]

FWIW, I get the same message, on Ubuntu 18.04.3. It actually results in the same stack trace even when I go to execute other things (like install unrelated packages via pip). Uninstalling pyOpenSSL (after the scrapy install) allowed other installations to proceed, showing that it was pyOpenSSL related, but of course scrapy and other dependants can't fully function without it.

Andrii's first link above suggests some workarounds, but not for Ubuntu.

Root of the issue might be a grsecurity override, in (say) a shared webhosting environment. Use of ffi.callback() is apparently frowned-upon now as insecure, and that link above has suggested workarounds.

The end of my stack trace, just to note slight variations in line numbers from the above:

  File "/home/username/opt/python-2.7.15/lib/python2.7/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 286, in create_urllib3_context
    context.verify_mode = cert_reqs
  File "/home/username/opt/python-2.7.15/lib/python2.7/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py", line 438, in verify_mode
    self._ctx.set_verify(_stdlib_to_openssl_verify[value], _verify_callback)
  File "/home/username/opt/python-2.7.15/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1119, in set_verify
    self._verify_helper = _VerifyHelper(callback)
  File "/home/username/opt/python-2.7.15/lib/python2.7/site-packages/OpenSSL/SSL.py", line 338, in __init__
    "int (*)(int, X509_STORE_CTX *)", wrapper)
MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks

[tiran]

pyOpenSSL is not compatible with systems that prevent writeable and executable memory pages. You either have to disable the security feature, use another TLS library like the builtin ssl module, or redesign+rewrite pyOpenSSL's callback system.

[steve-estes]

Yeah, seems like there's a ready way to fix the code by changing to new-style "Extern Python" callbacks in CFFI. Here's another project that ran into the same issue and fixed it that way, with a real fast turnaround:

Issue: FSX/misaka#72
Commit: FSX/misaka@321357b#diff-cd1259298a2efe394f2d1bbea8b0d39e

I'm not familiar enough with the pyOpenSSL codebase to risk giving it a try, but otherwise it seems fairly straightforward - and would add some performance too, according to CFFI.

[jeromepin]

I know this is almost a year later, but I too have the issue using my M1 Silicon mac. I first encountered it using Azure's CLI and then with home-made softwares, while it was working great on Intel platforms (both darwin and linux).

Reading the answers above, does it mean every library using openssl has to made that kind of changes ?

When @tiran mentions "use another TLS library", is this at the OS level (like replacing OpenSSL by LibreSSL or BoringSSL) or inside the Python software ?

[tiran]

tl;dr it's a problem in pyOpenSSL. OpenSSL is fine.

I see how my comment can be understand the wrong way. I was referring to another Python TLS library such as ssl module from Python's standard library. OpenSSL does not require executable+writable memory. The problem only effects pyOpenSSL.

It's an implementation artifact of pyOpenSSL's glue code that wraps OpenSSL's C-API and makes it available for Python. pyOpenSSL uses CFFI, which is a Python interface to libffi. libffi (library for foreign function interface) uses dynamic code creation for dynamic callbacks. Every time the code passes a Python method to OpenSSL, it has to wrap the Python method into machine code, so it looks like a C function to the C-API of OpenSSL. It writes dynamic code to an executable memory page. CFFI calls this old style callbacks.

There are ways to work around the problem, but it's complicated and lots of work. Nobody has contributed a solution yet.

[thomasaarholt]

This issue seems to be blocking snowflake-python-connector and hence dbt, as well as some other packages (see mentions above), from running on M1 (arm64) Macs.

Is there anyone who could take a look at this?

[tiran]

It would take a serious effort and redesign to address the issue. Somebody would have to replace all existing callbacks in PyCA cryptography and pyOpenSSL with a different design. It's a non-trivial effort, because the implementation must be thread-safe and multi subinterpreter-safe. The effort could easily take two weeks or more even for an expert.

At work we had similar issues with SELinux enforcement of read-only executable mmap pages. We followed a different approach and replaced pyOpenSSL with Python's ssl module.

[thomasaarholt]

@tiran Thanks for the comment! I'll suggest dbt/snowflake-connector do the same thing you folks did.

[ImAlien]

encounter the same problems on m1 mac

[keyserwood]

Still having this issue on apple m1 2020, when launching API calls via asyncio [python 3.8.12 & natively installed - no rosetta here]. Hope that folks buying new MacBook Pro with M1 chip will push to fix this kind of issues 🤞

[fgiroud]

Same issue with the new macbook pros M1 (no rosetta)

[xros]

Same problem on M1 MacBook Pro. It's going to be year 2022 and Apple Silicon is still not supported.

[reaperhulk]

That attitude is extremely unproductive. As always, please try to remember that these are open source projects and someone has to actually do the work to fully understand the problem and implement a fix. Posts like yours are at best an irritant and quite frequently actively harmful.

[alex]

And not for nothing, but our test suite runs without segfaulting on an M1, so either our coverage is lousy (quite possible!) or there's slightly more involved in reproducing this than just using an M1.

[n8henrie]

FWIW, I've been following this issue for about a year after (like the OP) encountering it on Scrapy on my M1 MBP (0, 1). I've come back to it every few months to see if it was still crashing (and it has been).

After seeing @alex's comment I wanted to see if I could contribute to the test suite, and lo and behold the crash is gone.

• M1 Macbook Pro
• MacOS 12.0.1
• Python 3.10.0
• Scrapy==2.5.1

My test case has always been:

$ scrapy shell 'http:https://httpforever.com/' # <- succeeds
$ scrapy shell 'https://n8henrie.com' # <- crashes with `Cannot allocate write+execute memory for ffi.callback()`

For me, both seem to now work without error on http or https sites, so perhaps some of the others following this thread might recheck to see if it is still an issue for them or not.

[xros]

I have tested the latest verion of pyopenssl with Python 3.10.0 and 3.9.9 on M1 MacBook Pro, it turns out (probably) a problem of the Python Interpreter on M1. The Python interpreter 3.10 (might) change the ways to access(write) memory on M1 chips.

It works on both Python 3.10.0 and 3.9.9 (the scrapy shell). I need to install PyTorch, but PyTorch isn't working with Python 3.10 right now... And when I was tring to build pytorch from source with M1, pytorch dragged me back to install conda before compiling ,which only supports upto python 3.9.7 right now. It's like a dead loop...

[shaders]

Same thing happening on Python 3.8.9

[upuil]

pip3 uninstall pyopenssl may get around to this.

[anribras]

Resolved under newest python 3.10.2 , using conda virturl env
conda create -n py310 python=3.10
my laptop is Mac m1 .

[candlerb]

@shaders:

Same thing happening on Python 3.8.9

Can you give a specific way to reproduce the problem? e.g. a short, standalone python script which reproduces it for you?

[sfc-gh-mkeller]

The root cause of this issue has been found and fixed (for snowflake-connector-python which also affects snowflake-snowpark-python) by conda-forge/cffi-feedstock#47 (files) for Conda users (a simple conda install cffi should update you to build number 3 of version 1.15.1 has the fix included).
The solution itself is described at foss.heptapod.net/pypy/cffi/-/blob/branch/default/c/_cffi_backend.c#L64-89. This macro just needs to be enabled for cffi to build correctly on M1 macs.

[jonbuffington]

@sfc-gh-mkeller Thanks for the pointer! It appears the changes have not been merged yet though. Hopefully, the change will be merged and build 3 will be available in the condo-forge channel soon.

[WittmannF]

Still getting the issue in my Mac Pro 2021 M1 running MacOS Monterey. Tried all suggestions from above:

• Using Python 3.10
• Install cffi 1.15.1
• Updating requests

Still not working. Here's my full enviroment:

❯ conda list
# packages in environment at /Users/wittmann/miniforge3/envs/fixssl:
#
# Name                    Version                   Build  Channel
_ipython_minor_entry_point 8.7.0                hb6b4a82_0    conda-forge
appnope                   0.1.3              pyhd8ed1ab_0    conda-forge
asttokens                 2.2.1              pyhd8ed1ab_0    conda-forge
backcall                  0.2.0              pyh9f0ad1d_0    conda-forge
backports                 1.0                pyhd8ed1ab_3    conda-forge
backports.functools_lru_cache 1.6.4              pyhd8ed1ab_0    conda-forge
bzip2                     1.0.8                h3422bc3_4    conda-forge
ca-certificates           2022.12.7            h4653dfc_0    conda-forge
certifi                   2022.12.7                pypi_0    pypi
cffi                      1.15.1          py310h2399d43_2    conda-forge
charset-normalizer        2.1.1                    pypi_0    pypi
click                     8.1.3           unix_pyhd8ed1ab_2    conda-forge
colorama                  0.4.6                    pypi_0    pypi
comm                      0.1.2              pyhd8ed1ab_0    conda-forge
cryptography              38.0.4                   pypi_0    pypi
debugpy                   1.6.4           py310h0f1eb42_0    conda-forge
decorator                 5.1.1              pyhd8ed1ab_0    conda-forge
deprecated                1.2.13                   pypi_0    pypi
entrypoints               0.4                pyhd8ed1ab_0    conda-forge
executing                 1.2.0              pyhd8ed1ab_0    conda-forge
idna                      3.4                      pypi_0    pypi
ipykernel                 6.19.2             pyh736e0ef_0    conda-forge
ipython                   8.7.0              pyhd1c38e8_0    conda-forge
jedi                      0.18.2             pyhd8ed1ab_0    conda-forge
jupyter_client            7.4.8              pyhd8ed1ab_0    conda-forge
jupyter_core              5.1.0           py310hbe9552e_0    conda-forge
libcxx                    14.0.6               h2692d47_0    conda-forge
libffi                    3.4.2                h3422bc3_5    conda-forge
libsodium                 1.0.18               h27ca646_1    conda-forge
libsqlite                 3.40.0               h76d750c_0    conda-forge
libzlib                   1.2.13               h03a7124_4    conda-forge
matplotlib-inline         0.1.6              pyhd8ed1ab_0    conda-forge
ncurses                   6.3                  h07bb92c_1    conda-forge
nest-asyncio              1.5.6              pyhd8ed1ab_0    conda-forge
openssl                   3.0.7                h03a7124_1    conda-forge
packaging                 22.0               pyhd8ed1ab_0    conda-forge
parso                     0.8.3              pyhd8ed1ab_0    conda-forge
pexpect                   4.8.0              pyh1a96a4e_2    conda-forge
pickleshare               0.7.5                   py_1003    conda-forge
pip                       22.3.1             pyhd8ed1ab_0    conda-forge
platformdirs              2.6.0              pyhd8ed1ab_0    conda-forge
prompt-toolkit            3.0.36             pyha770c72_0    conda-forge
psutil                    5.9.4           py310h8e9501a_0    conda-forge
ptyprocess                0.7.0              pyhd3deb0d_0    conda-forge
pure_eval                 0.2.2              pyhd8ed1ab_0    conda-forge
pycparser                 2.21               pyhd8ed1ab_0    conda-forge
pygments                  2.13.0             pyhd8ed1ab_0    conda-forge
pynubank                  2.21.1                   pypi_0    pypi
pyopenssl                 22.1.0                   pypi_0    pypi
python                    3.10.8          h3ba56d0_0_cpython    conda-forge
python-dateutil           2.8.2              pyhd8ed1ab_0    conda-forge
python-dotenv             0.21.0             pyhd8ed1ab_0    conda-forge
python_abi                3.10                    3_cp310    conda-forge
pyzmq                     24.0.1          py310hc407298_1    conda-forge
qrcode                    7.3.1                    pypi_0    pypi
readline                  8.1.2                h46ed386_0    conda-forge
requests                  2.28.1                   pypi_0    pypi
requests-pkcs12           1.14                     pypi_0    pypi
setuptools                65.5.1             pyhd8ed1ab_0    conda-forge
six                       1.16.0             pyh6c4a22f_0    conda-forge
stack_data                0.6.2              pyhd8ed1ab_0    conda-forge
tk                        8.6.12               he1e0b03_0    conda-forge
tornado                   6.2             py310h8e9501a_1    conda-forge
traitlets                 5.7.0              pyhd8ed1ab_0    conda-forge
tzdata                    2022g                h191b570_0    conda-forge
urllib3                   1.26.13                  pypi_0    pypi
wcwidth                   0.2.5              pyh9f0ad1d_2    conda-forge
wheel                     0.38.4             pyhd8ed1ab_0    conda-forge
wrapt                     1.14.1                   pypi_0    pypi
xz                        5.2.6                h57fd34a_0    conda-forge
zeromq                    4.3.4                hbdafb3b_1    conda-forge

Anything else I should try? The package I'm trying to use is called pynubank. Here's the full traceback:

---------------------------------------------------------------------------
MemoryError                               Traceback (most recent call last)
Cell In[10], line 1
----> 1 nu.authenticate_with_cert(
      2     os.getenv("CPF"), 
      3     os.getenv("NU_PASS"),
      4     'cert.p12'
      5 )

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/pynubank/nubank.py:118, in Nubank.authenticate_with_cert(self, cpf, password, cert_path)
    109 url = self._discovery.get_app_url('token')
    110 payload = {
    111     'grant_type': 'password',
    112     'client_id': 'legacy_client_id',
   (...)
    115     'password': password
    116 }
--> 118 response = self._client.post(url, json=payload)
    120 self._save_auth_data(response)
    121 self._auth_mode = AuthMode.APP

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/pynubank/utils/http.py:46, in HttpClient.post(self, url, json)
     45 def post(self, url: str, json: dict) -> dict:
---> 46     return self._handle_response(post(url, json=json, headers=self._headers, **self._cert_args))

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/requests_pkcs12.py:157, in post(*args, **kwargs)
    156 def post(*args, **kwargs):
--> 157     return request('post', *args, **kwargs)

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/requests_pkcs12.py:136, in request(*args, **kwargs)
    129 pkcs12_adapter = Pkcs12Adapter(
    130     pkcs12_data=pkcs12_data,
    131     pkcs12_filename=pkcs12_filename,
    132     pkcs12_password=pkcs12_password,
    133     ssl_protocol=ssl_protocol,
    134 )
    135 session.mount('https://', pkcs12_adapter)
--> 136 return session.request(*args, **kwargs)

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/requests/sessions.py:587, in Session.request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
    582 send_kwargs = {
    583     "timeout": timeout,
    584     "allow_redirects": allow_redirects,
    585 }
    586 send_kwargs.update(settings)
--> 587 resp = self.send(prep, **send_kwargs)
    589 return resp

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/requests/sessions.py:701, in Session.send(self, request, **kwargs)
    698 start = preferred_clock()
    700 # Send the request
--> 701 r = adapter.send(request, **kwargs)
    703 # Total elapsed time of the request (approximately)
    704 elapsed = preferred_clock() - start

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/requests/adapters.py:489, in HTTPAdapter.send(self, request, stream, timeout, verify, cert, proxies)
    487 try:
    488     if not chunked:
--> 489         resp = conn.urlopen(
    490             method=request.method,
    491             url=url,
    492             body=request.body,
    493             headers=request.headers,
    494             redirect=False,
    495             assert_same_host=False,
    496             preload_content=False,
    497             decode_content=False,
    498             retries=self.max_retries,
    499             timeout=timeout,
    500         )
    502     # Send the request.
    503     else:
    504         if hasattr(conn, "proxy_pool"):

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/urllib3/connectionpool.py:703, in HTTPConnectionPool.urlopen(self, method, url, body, headers, retries, redirect, assert_same_host, timeout, pool_timeout, release_conn, chunked, body_pos, **response_kw)
    700     self._prepare_proxy(conn)
    702 # Make the request on the httplib connection object.
--> 703 httplib_response = self._make_request(
    704     conn,
    705     method,
    706     url,
    707     timeout=timeout_obj,
    708     body=body,
    709     headers=headers,
    710     chunked=chunked,
    711 )
    713 # If we're going to release the connection in ``finally:``, then
    714 # the response doesn't need to know about the connection. Otherwise
    715 # it will also try to release it and we'll have a double-release
    716 # mess.
    717 response_conn = conn if not release_conn else None

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/urllib3/connectionpool.py:386, in HTTPConnectionPool._make_request(self, conn, method, url, timeout, chunked, **httplib_request_kw)
    384 # Trigger any extra validation we need to do.
    385 try:
--> 386     self._validate_conn(conn)
    387 except (SocketTimeout, BaseSSLError) as e:
    388     # Py2 raises this as a BaseSSLError, Py3 raises it as socket timeout.
    389     self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/urllib3/connectionpool.py:1042, in HTTPSConnectionPool._validate_conn(self, conn)
   1040 # Force connect early to allow us to validate the connection.
   1041 if not getattr(conn, "sock", None):  # AppEngine might not have  `.sock`
-> 1042     conn.connect()
   1044 if not conn.is_verified:
   1045     warnings.warn(
   1046         (
   1047             "Unverified HTTPS request is being made to host '%s'. "
   (...)
   1052         InsecureRequestWarning,
   1053     )

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/urllib3/connection.py:401, in HTTPSConnection.connect(self)
    395     self.ssl_context = create_urllib3_context(
    396         ssl_version=resolve_ssl_version(self.ssl_version),
    397         cert_reqs=resolve_cert_reqs(self.cert_reqs),
    398     )
    400 context = self.ssl_context
--> 401 context.verify_mode = resolve_cert_reqs(self.cert_reqs)
    403 # Try to load OS default certs if none are given.
    404 # Works well on Windows (requires Python3.4+)
    405 if (
    406     not self.ca_certs
    407     and not self.ca_cert_dir
   (...)
    410     and hasattr(context, "load_default_certs")
    411 ):

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/urllib3/contrib/pyopenssl.py:451, in PyOpenSSLContext.verify_mode(self, value)
    449 @verify_mode.setter
    450 def verify_mode(self, value):
--> 451     self._ctx.set_verify(_stdlib_to_openssl_verify[value], _verify_callback)

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/OpenSSL/SSL.py:1135, in Context.set_verify(self, mode, callback)
   1132 if not callable(callback):
   1133     raise TypeError("callback must be callable")
-> 1135 self._verify_helper = _VerifyHelper(callback)
   1136 self._verify_callback = self._verify_helper.callback
   1137 _lib.SSL_CTX_set_verify(self._context, mode, self._verify_callback)

File ~/miniforge3/envs/autofinance/lib/python3.10/site-packages/OpenSSL/SSL.py:365, in _VerifyHelper.__init__(self, callback)
    362         else:
    363             return 0
--> 365 self.callback = _ffi.callback(
    366     "int (*)(int, X509_STORE_CTX *)", wrapper
    367 )

MemoryError: Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks

[jonbuffington]

@WittmannF You are running build 2 of cffi (py310h2399d43_2) and that does not contain the patch @sfc-gh-mkeller shared. The patch is not yet merged and a new build published yet,.

[WittmannF]

Thanks @jonbuffington ! I was able to solve it here with pip install cffi

[jonbuffington]

@WittmannF Yep. Until build 3 of cffi is available, I have been activating the conda/mamba env and:

(my_env) $ pip install --force-reinstall 'cffi>=1.15.1'

[Gastastrophe]

@WittmannF Yep. Until build 3 of cffi is available, I have been activating the conda/mamba env and:

(my_env) $ pip install --force-reinstall 'cffi>=1.15.1'

Confirming that this worked for me on a failing conda environment with only snowflake connector, pandas, and jupyter installed.

[jonbuffington]

The patch @sfc-gh-mkeller found is merged and build 3 is available in the condo-forge channel. The above workaround I mentioned above is no longer necessary.

[elitongadotti]

@WittmannF Yep. Until build 3 of cffi is available, I have been activating the conda/mamba env and:

(my_env) $ pip install --force-reinstall 'cffi>=1.15.1'

It worked here. thanks a lot!

[includeno]

@WittmannF Yep. Until build 3 of cffi is available, I have been activating the conda/mamba env and:

(my_env) $ pip install --force-reinstall 'cffi>=1.15.1'

This is useful! It works on python 3.9.Thank you a lot!

[ftmoztl]

@WittmannF Yep. Until build 3 of cffi is available, I have been activating the conda/mamba env and:

(my_env) $ pip install --force-reinstall 'cffi>=1.15.1'

It worked here. thanks a lot!

As an M1 user, it worked for me also without using conda virtual env. Thank you so much!