nixpkgs/pkgs/development/libraries/pcre2/default.nix
Thomas Gerbet 6dc3ef5e1a php8*: disable PCRE2 JIT SEAlloc to avoid crashes
Using PHP with PCRE2 built with the JIT SEAlloc is known to be
problematic [0], and it may crash apps that use pcntl to process a
workload in parallel, like Psalm or PHPCS.

Another solution would be to disable `pcre.jit` but this is likely to
have a noticeable performance impact.

PCRE2 JIT SEAlloc was enabled in order to make it possible to use
`MemoryDenyWriteExecute=true` in the NixOS Gitea module [1]. Doing
something similar for a PHP module is likely to involve more steps as
you will also need to disable PHP's JIT. Not building PCRE2 with the JIT
SEAlloc is however not really blocking for someone wanting to build a
hardened PHP module, as they will likely disable `pcre.jit` and make sure
`opcache.jit` is disabled.

It should also be noted that OpenSUSE did try to enable PCRE2 JIT
SEAlloc by default in the past but recently reverted the change [2].

[0] https://bugs.php.net/bug.php?id=78630
[1] c990bd6007
[2] https://bugzilla.opensuse.org/show_bug.cgi?id=1182864
2022-08-14 08:46:18 +02:00


# Package expression for the PCRE2 regular-expression library.
#
# Arguments:
#   lib, stdenv, fetchurl - supplied by the package set.
#   withJitSealloc        - defaults to true; when true, configure is also
#                           given --enable-jit-sealloc (see configureFlags).
{ lib
, stdenv
, fetchurl
, withJitSealloc ? true
}:

stdenv.mkDerivation rec {
  pname = "pcre2";
  version = "10.40";

  # Upstream release tarball. `hash` pins the exact archive content, so it
  # has to be refreshed together with `version`.
  src = fetchurl {
    url = "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${version}/pcre2-${version}.tar.bz2";
    hash = "sha256-FOS4PEeDkz3BfpZDGOYyT3yuG8ddjzx5vGlp8AwVnWg=";
  };

  outputs = [ "bin" "dev" "out" "doc" "man" "devdoc" ];

  configureFlags =
    [
      # Build the 16-bit and 32-bit code-unit libraries as well.
      "--enable-pcre2-16"
      "--enable-pcre2-32"
      # JIT only where the platform supports it; this excludes Apple Silicon,
      # see https://github.com/zherczeg/sljit/issues/51
      "--enable-jit=auto"
    ]
    # The sealloc allocator keeps the PCRE2 JIT usable in systemd units that
    # set MemoryDenyWriteExecute=true (gitea is one such unit).
    # It is known to be problematic with PHP
    # (https://bugs.php.net/bug.php?id=78630), where it may crash applications
    # that use pcntl to process work in parallel; such consumers can pass
    # `withJitSealloc = false`. A consumer built that way which still has to
    # run under MemoryDenyWriteExecute=true would presumably need to turn off
    # its own use of the JIT (for PHP: `pcre.jit`) - verify per service.
    ++ lib.optionals withJitSealloc [
      "--enable-jit-sealloc"
    ];

  # Ship pcre2-config in the `dev` output instead of leaving it in bin/.
  postFixup = ''
    moveToOutput bin/pcre2-config "$dev"
  '';

  meta = {
    description = "Perl Compatible Regular Expressions";
    homepage = "https://www.pcre.org/";
    license = lib.licenses.bsd3;
    maintainers = [ lib.maintainers.ttuegel ];
    platforms = lib.platforms.all;
  };
}