php8*: disable PCRE2 JIT SEAlloc to avoid crashes when forking

lol

This is a follow up to #200815 and #184634.

The PCRE2 JIT SEAlloc does not support the `fork()` as announced in
their README [0]:
> If you are enabling JIT under SELinux environment you may also want to add
> --enable-jit-sealloc, which enables the use of an executable memory allocator
> that is compatible with SELinux. Warning: this allocator is experimental!
> It does not support fork() operation and may crash when no disk space is
> available. This option has no effect if JIT is disabled.

As a result using it in PHP can break apps and tools, it can only be
enabled under very specific context where you have a full picture of
what the PHP code is doing.

This contribution disables again the PCRE2 JIT SEAlloc and extends the
existing PHP/PCRE2 tests to make sure we do not enable it again by
mistake.

[0] https://www.pcre.org/readme.txt

Thomas Gerbet 3 years ago 622f4ee3 ed4a7faf

+16 -6

2 changed files

expand all

nixos

tests

php

pcre.nix

pkgs

top-level

all-packages.nix

+13 -3

nixos/tests/php/pcre.nix

··· 1 1 let 2 2 testString = "can-use-subgroups"; 3 3 in 4 - import ../make-test-python.nix ({ lib, php, ... }: { 4 + import ../make-test-python.nix ({ pkgs, lib, php, ... }: { 5 5 name = "php-${php.version}-httpd-pcre-jit-test"; 6 6 meta.maintainers = lib.teams.php.members; 7 7 ··· 31 31 ''; 32 32 }; 33 33 }; 34 - testScript = { ... }: 35 - '' 34 + testScript = let 35 + # PCRE JIT SEAlloc feature does not play well with fork() 36 + # The feature needs to either be disabled or PHP configured correctly 37 + # More information in https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630 38 + pcreJitSeallocForkIssue = pkgs.writeText "pcre-jit-sealloc-issue.php" '' 39 + <?php 40 + preg_match('/nixos/', 'nixos'); 41 + $pid = pcntl_fork(); 42 + pcntl_wait($pid); 43 + ''; 44 + in '' 36 45 machine.wait_for_unit("httpd.service") 37 46 # Ensure php evaluation by matching on the var_dump syntax 38 47 response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php") 39 48 expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"' 40 49 assert expected in response, "Does not appear to be able to use subgroups." 50 + machine.succeed("${php}/bin/php -f ${pcreJitSeallocForkIssue}") 41 51 ''; 42 52 })

+3 -3

pkgs/top-level/all-packages.nix

··· 15834 15834 php82 = callPackage ../development/interpreters/php/8.2.nix { 15835 15835 stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; 15836 15836 pcre2 = pcre2.override { 15837 - withJitSealloc = !stdenv.isDarwin; 15837 + withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630 15838 15838 }; 15839 15839 }; 15840 15840 php82Extensions = recurseIntoAttrs php82.extensions; ··· 15844 15844 php81 = callPackage ../development/interpreters/php/8.1.nix { 15845 15845 stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; 15846 15846 pcre2 = pcre2.override { 15847 - withJitSealloc = !stdenv.isDarwin; 15847 + withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630 15848 15848 }; 15849 15849 }; 15850 15850 php81Extensions = recurseIntoAttrs php81.extensions; ··· 15854 15854 php80 = callPackage ../development/interpreters/php/8.0.nix { 15855 15855 stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; 15856 15856 pcre2 = pcre2.override { 15857 - withJitSealloc = !stdenv.isDarwin; 15857 + withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630 15858 15858 }; 15859 15859 }; 15860 15860 php80Extensions = recurseIntoAttrs php80.extensions;