From 6dc3ef5e1a99bdb9a1bb0f5136b67fadab92c122 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Mon, 1 Aug 2022 22:24:53 +0200
Subject: php8*: disable PCRE2 JIT SEAlloc to avoid crashes
Using PHP with PCRE2 built with the JIT SEAlloc is known to be problematic [0] and it may crashes apps using pcntl to process a workload in parallel like Psalm or PHPCS. Another solution would be to disable `pcre.jit` but this is likely to have a noticeable performance impact. PCRE2 JIT SEAlloc was enabled in order to make possible to use `MemoryDenyWriteExecute=true` in the NixOS Gitea module [1]. Doing something similar for a PHP module is likely to involve more steps as you will also need to disable PHP's JIT. Not building PCRE2 with the JIT SEAlloc is however not really blocking for someone wanting to build an hardened PHP module as they likely will disable `pcre.jit` and make sure `opcache.jit` is disabled. It should also be noted that OpenSUSE did try to enable PCRE2 JIT SEAlloc by default in the past but recently reverted the change [2].
[0] https://bugs.php.net/bug.php?id=78630
[1] https://github.com/NixOS/nixpkgs/commit/c990bd600791a4c7070aa377a93adcdc319c6cdb
[2] https://bugzilla.opensuse.org/show_bug.cgi?id=1182864
---
 pkgs/development/libraries/pcre2/default.nix | 7 ++++---
 pkgs/top-level/all-packages.nix | 6 ++++++
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkgs/development/libraries/pcre2/default.nix b/pkgs/development/libraries/pcre2/default.nix
index ea0ca3e4030c0..226b92ccfdd35 100644
--- a/pkgs/development/libraries/pcre2/default.nix
+++ b/pkgs/development/libraries/pcre2/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchurl
+, withJitSealloc ? true
 }:
 stdenv.mkDerivation rec {
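Review bot: The new `withJitSealloc ? true` argument in the function header has no comment, so the hardening trade-off it controls is recorded only in the commit message. The flag decides whether PCRE2's JIT can run under a W^X policy such as `MemoryDenyWriteExecute=true`, which makes switching it off a security-relevant choice for any consumer of this derivation. I would add a comment above the argument, for example `# JIT allocator usable without writable+executable mappings (MemoryDenyWriteExecute=true); set to false for consumers that fork workers, see php8*`. The derivation body continues outside this hunk.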
@@ -17,9 +18,9 @@ stdenv.mkDerivation rec {
 "--enable-pcre2-32"
 # only enable jit on supported platforms which excludes Apple Silicon, see https://github.com/zherczeg/sljit/issues/51
 "--enable-jit=auto"
- # fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea
- "--enable-jit-sealloc"
- ];
+ ]
+ # fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea
+ ++ lib.optional withJitSealloc "--enable-jit-sealloc";
 outputs = [ "bin" "dev" "out" "doc" "man" "devdoc" ];
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 5d5e966accc3d..103b844de083a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -14815,6 +14815,9 @@ with pkgs;
 # Import PHP81 interpreter, extensions and packages
 php81 = callPackage ../development/interpreters/php/8.1.nix {
 stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
+ pcre2 = pcre2.override {
+ withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630
+ };
 };
 php81Extensions = recurseIntoAttrs php81.extensions;
 php81Packages = recurseIntoAttrs php81.packages;
@@ -14822,6 +14825,9 @@ with pkgs;
 # Import PHP80 interpreter, extensions and packages
 php80 = callPackage ../development/interpreters/php/8.0.nix {
 stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
+ pcre2 = pcre2.override {
+ withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630
+ };
 };
 php80Extensions = recurseIntoAttrs php80.extensions;
 php80Packages = recurseIntoAttrs php80.packages;
-- 
cgit 1.4.1
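Review bot: The inline comment on `withJitSealloc = false;` in the php81 override, and the identical one in the php80 hunk after it, records the crash but not what is given up. With this PCRE2 build the PCRE JIT presumably needs writable+executable memory again, so a PHP service unit that sets `MemoryDenyWriteExecute=true` has to run with `pcre.jit=0` and `opcache.jit` disabled. I would extend the comment to something like `# Avoids crashes (https://bugs.php.net/bug.php?id=78630); PCRE JIT then needs W+X memory, so set pcre.jit=0 in units using MemoryDenyWriteExecute`. The two override blocks are byte-identical, so a single shared binding passed to both `callPackage` calls would keep them from drifting apart when another PHP version is added; the enclosing `with pkgs;` scope lies outside both hunks.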