diff options
| author | Thomas Gerbet <thomas@gerbet.me> | 2022-08-01 22:24:53 +0200 |
|---|---|---|
| committer | Thomas Gerbet <thomas@gerbet.me> | 2022-08-14 08:46:18 +0200 |
| commit | 6dc3ef5e1a99bdb9a1bb0f5136b67fadab92c122 (patch) | |
| tree | 1fd03b8022cd8eb1f61b666d4adb6231633e1b08 | |
| parent | 605bd637bc8eff20cc0eab220f3c9f190603dae6 (diff) | |
php8*: disable PCRE2 JIT SEAlloc to avoid crashes
Using PHP with PCRE2 built with the JIT SEAlloc is known to be problematic [0] and it may crashes apps using pcntl to process a workload in parallel like Psalm or PHPCS. Another solution would be to disable `pcre.jit` but this is likely to have a noticeable performance impact. PCRE2 JIT SEAlloc was enabled in order to make possible to use `MemoryDenyWriteExecute=true` in the NixOS Gitea module [1]. Doing something similar for a PHP module is likely to involve more steps as you will also need to disable PHP's JIT. Not building PCRE2 with the JIT SEAlloc is however not really blocking for someone wanting to build an hardened PHP module as they likely will disable `pcre.jit` and make sure `opcache.jit` is disabled. It should also be noted that OpenSUSE did try to enable PCRE2 JIT SEAlloc by default in the past but recently reverted the change [2]. [0] https://bugs.php.net/bug.php?id=78630 [1] https://github.com/NixOS/nixpkgs/commit/c990bd600791a4c7070aa377a93adcdc319c6cdb [2] https://bugzilla.opensuse.org/show_bug.cgi?id=1182864
| -rw-r--r-- | pkgs/development/libraries/pcre2/default.nix | 7 | ||||
| -rw-r--r-- | pkgs/top-level/all-packages.nix | 6 |
2 files changed, 10 insertions, 3 deletions
diff --git a/pkgs/development/libraries/pcre2/default.nix b/pkgs/development/libraries/pcre2/default.nix index ea0ca3e4030c0..226b92ccfdd35 100644 --- a/pkgs/development/libraries/pcre2/default.nix +++ b/pkgs/development/libraries/pcre2/default.nix @@ -1,6 +1,7 @@ { lib , stdenv , fetchurl +, withJitSealloc ? true }: stdenv.mkDerivation rec { @@ -17,9 +18,9 @@ stdenv.mkDerivation rec { "--enable-pcre2-32" # only enable jit on supported platforms which excludes Apple Silicon, see https://github.com/zherczeg/sljit/issues/51 "--enable-jit=auto" - # fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea - "--enable-jit-sealloc" - ]; + ] + # fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea + ++ lib.optional withJitSealloc "--enable-jit-sealloc"; outputs = [ "bin" "dev" "out" "doc" "man" "devdoc" ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5d5e966accc3d..103b844de083a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -14815,6 +14815,9 @@ with pkgs; # Import PHP81 interpreter, extensions and packages php81 = callPackage ../development/interpreters/php/8.1.nix { stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; + pcre2 = pcre2.override { + withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630 + }; }; php81Extensions = recurseIntoAttrs php81.extensions; php81Packages = recurseIntoAttrs php81.packages; @@ -14822,6 +14825,9 @@ with pkgs; # Import PHP80 interpreter, extensions and packages php80 = callPackage ../development/interpreters/php/8.0.nix { stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; + pcre2 = pcre2.override { + withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630 + }; }; php80Extensions = recurseIntoAttrs php80.extensions; php80Packages = recurseIntoAttrs php80.packages; |