Do not use RTLD_DEEPBIND if dlmopen is available

[danog]

This pull request disables usage of RTLD_DEEPBIND if dlmopen is available.

Context:

• Php8.1 with alternative malloc allocators #10670 - The issue this PR fixes, using RTLD_DEEPBIND with custom allocators preloaded via LD_PRELOAD causes segfaults as the main binary is using the custom malloc, while shared libs use the global malloc due to RTLD_DEEPBIND
• Add --enable-rtld-deepbind configure flag, disable it by default except for apache #16779 - My previous PR which disables RTLD_DEEPBIND only on non-apache SAPIs via autoconf at buildtime, which raised some questions when building multiple SAPIs
• Php8.1 with alternative malloc allocators #10670 (comment) - Context as to why RTLD_DEEPBIND was initially added, to avoid symbol conflicts with already loaded libraries when using the embed SAPI for example via apache.

After careful consideration, I believe this is the best approach, after considering the following alternatives:

• Making a PR based on Add zend.dlopen_deepbind php.ini directive #11094, disabling deepbind by default via an ini default except when using the embed SAPI, changing the ini value in php_embed_init; this is still SAPI-dependent behavior, which will still cause the same segfaults if jemalloc is used with the embed SAPI.
• Writing a wrapper for the embed SAPI which dlmopens the real libphp.so within a new namespace (essentially what @dstogov intended with his suggestion, except with RTLD_DEEPBIND the isolation is not propagated, with dlmopen namespaces it is)

I opted for the much cleaner approach of completely disabling RTLD_DEEPBIND if dlmopen with LM_ID_NEWLM is available, leaving to users the resposibility of isolating libphp.so when including it by using dlmopen(LM_ID_NEWLM, "libphp.so", RTLD_LAZY); instead of dlopen("libphp.so", RTLD_LAZY|RTLD_DEEPBIND);.

dlmopen provides full recursive isolation for all symbols both in the opened library, and in libraries opened by that library, avoiding symbol conflict issues even more effectively than RTLD_DEEPBIND, which is not recursive.

On platforms where GNU extensions aren't available (and dlmopen thus isn't available), RTLD_DEEPBIND is left enabled; if equivalent namespace isolation methods are available on other platforms, they can be added with later pull requests if needed.

[danog]

Ping? :)

[danog]

After some more testing, noticed that since full isolation via dlmopen of libphp.so with LM_ID_NEWLM can completely replace DEEPBIND in the sense that it avoids conflicts even better than DEEPBIND does, it has the side effect that isolation can't be enabled on the user side with the apache sapi, as it explicitly requires apache symbols from the parent scope of the executable (I initially assumed this wasn't the case).

Fixed this by re-enabling deepbind only when the apache SAPI is enabled, checking via a SAPI module property instead of at compile-time, to avoid issues when building multiple SAPIs at the same time (this is not the case in most distros, but is still supported by the build system, so leaving it like this).

Ping @iluuu1994 for a review :)

[bukka]

I wonder if it should be also enabled for embed and possibly lightspeed as well.

[danog]

Re: embed, no, deepbind does not need to be enabled for it to be usabile via dlmopen, as the embed SAPI alone only exports symbols, and only when the apache SAPI is enabled some symbols are imported.

Re: litespeed, its SAPI is built as a standalone executable so it shouldn't need deepbind.

[dstogov]

See my comments. I think, they should help making the patch more consistent and simple.

[nielsdos]

In general, I think this is a neat approach. Please see my questions/comments

[nielsdos]

You still have this include, but I don't understand why you still need this?

[nielsdos]

Why did you add this include? I removed it and it still compiles. Same question for the other SAPI files.

[danog]

It still fails here and elsewhere if removed (though not locally on my glibc linux machine either): https://github.com/php/php-src/actions/runs/15554443234/job/43791709784?pr=18612

[nielsdos]

I understand. That's unfortunate.
The portability include should not require the SAPI header.
Going via CG() globals (or alike) is better but I see this had issues on ZTS. Not sure how to fix this at this moment. I may be able to take a look later this week.

[danog]

Hmm, I don't quite see why is requiring the SAPI header such a dealbreaker; granted, it should probably be included by zend_portability.h directly (though that's a bit trickier to do), but even if included separately it shouldn't be an issue IMO

[danog]

Ping for tomorrow :)

[bwoebi]

If it depends on the SAPI header (and only that one really), maybe ... it should be defined in the SAPI header instead now?

[nielsdos]

If it depends on the SAPI header (and only that one really), maybe ... it should be defined in the SAPI header instead now?

I think that's wrong too. The macro abstracts away loading the library on different plaforms, so clearly it belongs to zend_portability.h

I wonder if it isn't even better to have a true process-wide global variable instead? No more trouble with CG(...) in ZTS and no dependency on the SAPI level...

[bwoebi]

Agree, a new static variable is better than making this part of sapi_module.

[bwoebi]

This must be ZEND_API to use the symbol within DL_LOAD() from extensions.

[nielsdos]

I'd call it also zend_dl_use_deepbind. The reason being that public symbols normally need to be prefixed by zend_ or php_ (depending on where it is) and the "dl" in the prefix makes it clear it's about dynamic loading.

[danog]

Not sure about the causes of the windows failure, the UNIX build seems to use the same inputs to the linker...

[bwoebi]

@danog Not sure, but I believe these extern declarations also need ZEND_API.

[bukka]

Wouldn't work if this was wrapped to some functio (e.g. zend_use_deepbind() that would set such variable in zend code). I don't mind the Zend part but it's not exactly nice API for SAPI...