fix(jit): Add MAP_JIT support for 100% stable JIT on ARM64 macOS

[darmie]

Title

fix(jit): Add MAP_JIT support for 100% stable JIT execution on ARM64 macOS

Related Issue: #12076

Summary

This PR fixes non-deterministic JIT execution failures on Apple Silicon by implementing proper memory allocation and W^X mode handling required by the platform.

Before: ~56% success rate
After: 100% success rate (verified over 50+ consecutive runs)

Problem

JIT-compiled code on ARM64 macOS fails non-deterministically in multi-threaded scenarios. Symptoms include:

Failure Mode	Frequency
SIGBUS on JIT function calls	~30%
Silent incorrect results	~10%
Segmentation fault	~4%

Root Cause

Apple Silicon enforces W^X (Write XOR Execute) at the hardware level:

1. Memory must be allocated with MAP_JIT flag so the kernel can track it for W^X enforcement
2. Threads must switch to execute mode via pthread_jit_write_protect_np(1) before calling JIT code

The current implementation:

• Uses standard allocator (no MAP_JIT)
• Doesn't call pthread_jit_write_protect_np()

Solution

cranelift/jit/src/memory/system.rs

Added an ARM64 macOS-specific PtrLen::with_size() implementation that uses mmap with the MAP_JIT flag (0x0800) instead of the standard allocator. This allows macOS to properly track the memory for W^X policy enforcement.

Also added a corresponding Drop implementation that uses munmap to deallocate the memory, since memory allocated with mmap cannot be freed with the standard allocator.

cranelift/jit/src/memory/mod.rs

After making memory executable in set_readable_and_executable(), added a call to pthread_jit_write_protect_np(1) to switch the current thread to execute mode. This is required by Apple's W^X enforcement - threads must explicitly opt into execute mode before running JIT code.

Testing

Test Script

#!/bin/bash
passed=0
failed=0

for i in {1..50}; do
    result=$(timeout 120 ./target/release/jit_test 2>&1)
    if echo "$result" | grep -q "All tests passed"; then
        echo "Run $i: PASSED"
        passed=$((passed+1))
    else
        echo "Run $i: FAILED"
        failed=$((failed+1))
    fi
done

echo ""
echo "=== RESULTS ==="
echo "Passed: $passed/50, Failed: $failed/50"
echo "Success rate: $((passed * 100 / 50))%"

Results

Tested with the Rayzor compiler's stdlib e2e test suite (50+ JIT-compiled runtime functions, multi-threaded):

Configuration	Success Rate
Before fix (standard allocator)	~56% (28/50)
After fix (MAP_JIT + pthread_jit_write_protect_np)	100% (50/50)

Note: Simple standalone tests may not reliably reproduce this issue. The failure is non-deterministic and depends on timing, memory layout, and CPU core scheduling (P-core vs E-core).

Platform Impact

• ARM64 macOS: Fixed (was broken)
• x86_64 macOS: No change (not affected)
• Linux (all arch): No change (not affected)
• Windows: No change (not affected)

All changes are gated behind #[cfg(all(target_arch = "aarch64", target_os = "macos"))].

Related Issues

• Fixes Cranelift: Non-deterministic JIT execution failures on ARM64 macOS #12076
• Related to Support PLT entries in cranelift-jit crate on aarch64 #2735 - Support PLT entries in cranelift-jit crate on aarch64
• Related to Cranelift: JIT assertion failure when using ArgumentPurpose::StructArgument on macOS (A64) #8852 - Cranelift: JIT assertion failure on macOS (A64)
• Related to Cranelift: JIT relocations depend on system allocator behaviour #4000 - JIT relocations depend on system allocator behaviour

[alexcrichton]

@bjorn3 are you willing to take on review here as an owner of the cranelift-jit crate? I've written up my thoughts here on how this would all affect Wasmtime but this doesn't actually touch wasmtime except for the jit-icache-coherence crate, so my comment there is only tangentially applicable.

[bjorn3]

#12133 implemented another approach for this.

[cfallin]

Ah, yes, I had forgotten that this PR also handled this detail. Thanks for connecting the dots!

[bjorn3]

Would it be possible to scope those pthread_jit_write_protect_np calls to the actual section that does the writes. That would be more secure.

[bjorn3]

We should only pass MAP_JIT for pages that will actually end up being executable in the end.