php8*: disable PCRE2 JIT SEAlloc to avoid crashes when forking

This is a follow up to #200815 and #184634.

The PCRE2 JIT SEAlloc does not support the `fork()` as announced in
their README [0]:
> If you are enabling JIT under SELinux environment you may also want to add
>  --enable-jit-sealloc, which enables the use of an executable memory allocator
>  that is compatible with SELinux. Warning: this allocator is experimental!
>  It does not support fork() operation and may crash when no disk space is
>  available. This option has no effect if JIT is disabled.

As a result, using it in PHP can break apps and tools. It should only be
enabled in very specific contexts where you have a full picture of
what the PHP code is doing.

This contribution disables again the PCRE2 JIT SEAlloc and extends the
existing PHP/PCRE2 tests to make sure we do not enable it again by
mistake.

[0] https://www.pcre.org/readme.txt
Thomas Gerbet 2022-11-29 18:36:38 +01:00
parent ed4a7faf43
commit 622f4ee354
2 changed files with 16 additions and 6 deletions


@ -1,7 +1,7 @@
let
testString = "can-use-subgroups";
in
import ../make-test-python.nix ({ lib, php, ... }: {
import ../make-test-python.nix ({ pkgs, lib, php, ... }: {
name = "php-${php.version}-httpd-pcre-jit-test";
meta.maintainers = lib.teams.php.members;
@ -31,12 +31,22 @@ import ../make-test-python.nix ({ lib, php, ... }: {
'';
};
};
testScript = { ... }:
''
testScript = let
# PCRE JIT SEAlloc feature does not play well with fork()
# The feature needs to either be disabled or PHP configured correctly
# More information in https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
pcreJitSeallocForkIssue = pkgs.writeText "pcre-jit-sealloc-issue.php" ''
<?php
preg_match('/nixos/', 'nixos');
$pid = pcntl_fork();
pcntl_wait($pid);
'';
in ''
machine.wait_for_unit("httpd.service")
# Ensure php evaluation by matching on the var_dump syntax
response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php")
expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"'
assert expected in response, "Does not appear to be able to use subgroups."
machine.succeed("${php}/bin/php -f ${pcreJitSeallocForkIssue}")
'';
})
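Review bot: The new `pcreJitSeallocForkIssue` script never checks how the forked child ended, so `machine.succeed` only sees the parent's exit code. If the SEAlloc crash occurs in the child, which the script cannot rule out, this regression test would still pass. `pcntl_wait()` takes a by-reference status argument rather than a PID, so `pcntl_wait($pid)` overwrites `$pid` with the wait status and then discards it. I would make the parent fail on an abnormal child, e.g. `if ($pid > 0) { pcntl_wait($status); exit(pcntl_wifexited($status) && pcntl_wexitstatus($status) === 0 ? 0 : 1); }`, and treat a `-1` return from `pcntl_fork()` as a test failure too.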


@ -15834,7 +15834,7 @@ with pkgs;
php82 = callPackage ../development/interpreters/php/8.2.nix {
stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
pcre2 = pcre2.override {
withJitSealloc = !stdenv.isDarwin;
withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
};
};
php82Extensions = recurseIntoAttrs php82.extensions;
@ -15844,7 +15844,7 @@ with pkgs;
php81 = callPackage ../development/interpreters/php/8.1.nix {
stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
pcre2 = pcre2.override {
withJitSealloc = !stdenv.isDarwin;
withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
};
};
php81Extensions = recurseIntoAttrs php81.extensions;
@ -15854,7 +15854,7 @@ with pkgs;
php80 = callPackage ../development/interpreters/php/8.0.nix {
stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv;
pcre2 = pcre2.override {
withJitSealloc = !stdenv.isDarwin;
withJitSealloc = false; # See https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
};
};
php80Extensions = recurseIntoAttrs php80.extensions;
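Review bot: The comment on `withJitSealloc = false;` (the same line in the php82, php81 and php80 hunks) gives two bug links but not the trade-off. Without SEAlloc the PCRE2 JIT falls back to its default executable allocator, which presumably fails again where writable-and-executable memory is forbidden (SELinux, or a systemd unit with `MemoryDenyWriteExecute=`); such deployments would then need `pcre.jit=0`. I would say so in the comment, e.g. `# SEAlloc is not fork()-safe; under W^X policies set pcre.jit=0 instead (bugs.php.net 78927, 78630)`. Defining the `pcre2` override once and reusing it for all three versions would also keep them from drifting apart.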