php8*: disable PCRE2 JIT SEAlloc to avoid crashes

Using PHP with PCRE2 built with the JIT SEAlloc is known to be
problematic [0] and it may crash apps using pcntl to process a
workload in parallel like Psalm or PHPCS.

Another solution would be to disable `pcre.jit` but this is likely to
have a noticeable performance impact.

PCRE2 JIT SEAlloc was enabled in order to make it possible to use
`MemoryDenyWriteExecute=true` in the NixOS Gitea module [1]. Doing
something similar for a PHP module is likely to involve more steps as
you will also need to disable PHP's JIT. Not building PCRE2 with the JIT
SEAlloc is however not really blocking for someone wanting to build a
hardened PHP module as they likely will disable `pcre.jit` and make sure
`opcache.jit` is disabled.

It should also be noted that OpenSUSE did try to enable PCRE2 JIT
SEAlloc by default in the past but recently reverted the change [2].

[0] https://bugs.php.net/bug.php?id=78630
[1] c990bd6007
[2] https://bugzilla.opensuse.org/show_bug.cgi?id=1182864
Thomas Gerbet 2 years ago
parent 605bd637bc
commit 6dc3ef5e1a
  1. 7
      pkgs/development/libraries/pcre2/default.nix
  2. 6
      pkgs/top-level/all-packages.nix

@ -1,6 +1,7 @@
{ lib
, stdenv
, fetchurl
, withJitSealloc ? true
}:
stdenv.mkDerivation rec {
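Review bot: The new `withJitSealloc ? true` argument in the function header has no comment saying what it controls or when a caller should set it to false. The reasoning currently lives only in the commit message and in the override sites in all-packages.nix. A one-line comment next to the argument, pointing at https://bugs.php.net/bug.php?id=78630 and naming the forking (pcntl) case, would let someone reading pcre2/default.nix on its own understand why the switch exists and that the default is kept for the `MemoryDenyWriteExecute=true` use case.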
@ -17,9 +18,9 @@ stdenv.mkDerivation rec {
"--enable-pcre2-32"
# only enable jit on supported platforms which excludes Apple Silicon, see https://github.com/zherczeg/sljit/issues/51
"--enable-jit=auto"
# fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea
"--enable-jit-sealloc"
];
]
# fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea
++ lib.optional withJitSealloc "--enable-jit-sealloc";
outputs = [ "bin" "dev" "out" "doc" "man" "devdoc" ];

@ -14815,6 +14815,9 @@ with pkgs;
# Import PHP81 interpreter, extensions and packages
php81 = callPackage ../development/interpreters/php/8.1.nix {
stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
pcre2 = pcre2.override {
withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630
};
};
php81Extensions = recurseIntoAttrs php81.extensions;
php81Packages = recurseIntoAttrs php81.packages;
@ -14822,6 +14825,9 @@ with pkgs;
# Import PHP80 interpreter, extensions and packages
php80 = callPackage ../development/interpreters/php/8.0.nix {
stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
pcre2 = pcre2.override {
withJitSealloc = false; # Needed to avoid crashes, see https://bugs.php.net/bug.php?id=78630
};
};
php80Extensions = recurseIntoAttrs php80.extensions;
php80Packages = recurseIntoAttrs php80.packages;
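Review bot: The `pcre2 = pcre2.override { withJitSealloc = false; ... }` block in the php80 call is a verbatim copy of the one added for php81 in the previous hunk, comment included. Any PHP version added later has to remember to repeat it, and a missed copy silently brings back the sealloc build and the crashes described in the commit message. Consider binding the overridden package once and passing that name to both `callPackage` calls, with the bug link kept on the single definition.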
