author | Armin Rigo <arigo@tunes.org> | 2017-01-28 17:15:12 +0100 |
---|---|---|
committer | Armin Rigo <arigo@tunes.org> | 2017-01-28 17:15:12 +0100 |
commit | 00c4cf9b031aa19905e6e87325269acf2ae47121 (patch) | |
tree | e00f7d0c34dbaad15e5b81c30888f8ea03385eb6 /doc/source/using.rst | |
parent | d55000271fc0f0356e99be9523d45e5d3c90afef (diff) | |
download | cffi-00c4cf9b031aa19905e6e87325269acf2ae47121.tar.gz |
Expand the warning box
Diffstat (limited to 'doc/source/using.rst')
-rw-r--r-- | doc/source/using.rst | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/doc/source/using.rst b/doc/source/using.rst index 924309f..21c15c4 100644 --- a/doc/source/using.rst +++ b/doc/source/using.rst @@ -776,13 +776,21 @@ ffi.callback() and the result is the same. Callbacks are provided for the ABI mode or for backward compatibility. If you are using the out-of-line API mode, it is recommended to use the `extern "Python"`_ mechanism instead of - callbacks: it gives faster and cleaner code. It also avoids a - SELinux issue whereby the setting of ``deny_execmem`` must be left - to ``off`` in order to use callbacks. (A fix in cffi was - attempted---see the ``ffi_closure_alloc`` branch---but was not - merged because it creates potential memory corruption with - ``fork()``. For more information, `see here.`__) + callbacks: it gives faster and cleaner code. It also avoids several + issues with old-style callbacks: + - On less common architecture, libffi is more likely to crash on + callbacks (`e.g. on NetBSD`__); + + - On hardened systems like PAX and SELinux, the extra memory + protections can interfere (for example, on SELinux you need to + run with ``deny_execmem`` set to ``off``). + + Note also that a cffi fix for the latter issue was attempted---see + the ``ffi_closure_alloc`` branch---but was not merged because it + creates potential `memory corruption`__ with ``fork()``. + +.. __: https://github.com/pyca/pyopenssl/issues/596 .. __: https://bugzilla.redhat.com/show_bug.cgi?id=1249685 Warning: like ffi.new(), ffi.callback() returns a cdata that has |
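Review bot: The two anonymous references in the added text, `e.g. on NetBSD`__ and `memory corruption`__, are matched to the two `.. __:` targets at the end of the hunk purely by position, so the pyopenssl link and the Red Hat bugzilla link stay on the right phrases only while nobody reorders the bullets or the target lines. Named targets would make the pairing explicit and survive later edits to this warning box. In the second bullet, "the extra memory protections can interfere" does not say what actually fails; since the example given is ``deny_execmem``, stating that old-style callbacks need executable memory would let a reader on a hardened system recognise the symptom and understand why `extern "Python"` is the recommended route. Minor wording: "On less common architecture" should read "architectures", and the project name is normally written "PaX".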