build: update and shrink build images, migrate to clang 19#3771
Merged
morrisonlevi merged 31 commits intomasterfrom Apr 9, 2026
Merged
build: update and shrink build images, migrate to clang 19#3771morrisonlevi merged 31 commits intomasterfrom
morrisonlevi merged 31 commits intomasterfrom
Conversation
|
✅ Tests 🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: f7dc60b | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback! |
This matches Rust 1.84, but libdatadog recently introduced a flag which was introduced in this version. Although this should not cause a hard failure and libdatadog should be patched, it's also a good idea to upgrade.
morrisonlevi
force-pushed
the
levi/clang-17-to-19
branch
from
9171217 to
eb6cef6
Compare
- Exclude kernel-core, kernel-modules, linux-firmware globally via yum.conf (~183 MB; these are useless in containers) - Move devtoolset-9 into the LLVM RUN layer and remove it afterward (~196 MB) - Build LLVM with CLANG_BUILD_TOOLS=OFF and LLVM_INSTALL_TOOLCHAIN_ONLY=ON to skip building unused tools (~1.3 GB) - Remove LLVM internal C++ headers and cmake config dirs post-install (~54 MB) - Add --disable-static to libxml2, libffi, oniguruma, curl, sqlite3 configure - Remove .a static archives from openssl and zlib after install - Fix catch2 build/source cleanup (cd - && rm -fr build was a no-op) - Remove cmake Help docs and man pages post-install (~10 MB) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- PHP 8.5: RC3 -> 8.5.4 (stable) across centos-7, bookworm - PHP 8.4: 8.4.1/8.4.16 -> 8.4.19 across centos-7, bookworm - PHP 8.3: 8.3.14/8.3.29 -> 8.3.30 across centos-7, bookworm - PHP 8.2: 8.2.26/8.2.28 -> 8.2.30 across centos-7, bookworm - PHP 8.1: 8.1.8/8.1.31 -> 8.1.32 across centos-6, centos-7 - PHP 8.0: 8.0.15/8.0.21/8.0.27 -> 8.0.30 across centos-6, centos-7, alpine - PHP 7.4: 7.4.30 -> 7.4.33 on centos-6 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
morrisonlevi
changed the title
morrisonlevi
changed the title
- sqlsrv 5.13.0 raised minimum to PHP 8.3; pin PHP 8.1-8.2 to 5.12.0 - grpc 1.80.0 uses EG(max_allowed_stack_size) gated on PHP_VERSION_ID>=80300 but the field is absent in ASan builds because the ZEND_CHECK_STACK_LIMIT autoconf test cannot execute sanitized binaries during configure; pin to 1.78.0 which predates that change Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
preserve_none + -fsanitize=address crashes clang 19+ on x86-64 (llvm/llvm-project#95928). Apply a patch at source-tree build time that guards ZEND_PRESERVE_NONE with __has_feature(address_sanitizer), following the fix pattern from llvm-project commit 996157c. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds -s (silent) to all make invocations in build-php.sh and to MAKEFLAGS in build-extensions.sh (which covers pecl installs too). Compiler errors still print via stderr; only the cc/ld recipe lines are suppressed. Reduces log volume significantly given parallel stages. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
morrisonlevi
force-pushed
the
levi/clang-17-to-19
branch
from
2d15ef6 to
7da2707
Compare
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
danielsn
reviewed
Apr 7, 2026
| script: | ||
| - cd dockerfiles/ci/alpine_compile_extension | ||
| - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_TOKEN" $CI_REGISTRY | ||
| - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY" |
There was a problem hiding this comment.
Is this to prevent tokens from leaking into the logs?
Collaborator
Author
There was a problem hiding this comment.
Something like that, something complained here, claude recommended this as more secure anyway and it seemed plausible enough while being harmless if wrong.
| sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \ | ||
| echo 'ip_resolve = IPv4' >>/etc/yum.conf; \ | ||
| # kernel and linux-firmware are useless in containers (host kernel is used); | ||
| # excluding them globally prevents ~183 MB of waste from being pulled in as side-effects. |
| @@ -0,0 +1,32 @@ | |||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | |||
There was a problem hiding this comment.
Is there a test for this patch, and a test to see when this patch is no longer necessary?
Collaborator
Author
There was a problem hiding this comment.
We cannot build the PHP 8.5 CI image without this patch, the build will fail. I'll need to make an upstream PR, I have not done this yet, just discovered this edge late last night or this morning (can't quite remember which).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ctest is required by the appsec C components ASAN job (make test calls ctest internally). cpack remains removed as it is genuinely unused. Also updates clang-tidy, llvm-cov, llvm-profdata, clang-format, and libc++ references from version 17 to 19 in appsec CI and cmake config. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Alpine compile extension image: llvm17-libs/clang17-dev/llvm17 → 19 - build-profiler.sh, generate-profiler.php, build-debug-artifact: Alpine aarch64 clang symlink llvm17 → llvm19 - appsec/cmake/clang-format.cmake: llvm@17 → llvm@19 - centos-7 base.Dockerfile: remove -DCLANG_BUILD_TOOLS=OFF which prevented the clang binary itself from being built/installed, leaving broken symlinks and breaking bindgen Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Newer clang versions return a per-target path from -print-runtime-dir (e.g. .../lib/x86_64-pc-linux-gnu) but Debian/Ubuntu packages install compiler-rt runtime libs in a sibling "linux/" directory. Add that as a fallback search path for both find_library and target_link_directories. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… variadic clang 19 with -Werror,-Wc23-extensions rejects calling a variadic macro with no argument for '...'. CONFIG's body called SYSCFG(type, name) with only 2 args. Pass CONFIG's own __VA_ARGS__ through instead — CONFIG is always called with at least a default value, so the variadic arg is never empty. SYSCFG ignores the extra args in this context anyway. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
morrisonlevi
force-pushed
the
levi/clang-17-to-19
branch
from
5a57599 to
3ee2336
Compare
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
morrisonlevi
force-pushed
the
levi/clang-17-to-19
branch
from
8e5bfc7 to
dc150da
Compare
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Benchmarks [ appsec ]Benchmark execution time: 2026-04-08 20:00:02 Comparing candidate commit dc150da in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics. |
- acceptor.cpp: use designated initializer for timeval (layout is system-dependent, so positional init is unsafe) - extension/.clang-tidy: suppress checks new in clang-tidy 19 that fire on pre-existing C code (math-missing-parentheses, macro-to-enum, multi-level-implicit-pointer-conversion, redundant-casting) - helper/.clang-tidy: suppress modernize-use-designated-initializers for internal structs where positional init is unambiguous Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
clang-tidy 19 readability-avoid-return-with-void-value rejects returning the result of a void function call. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reverts all appsec source/config changes that were made to accommodate clang-19 warnings and formatting. Appsec jobs stay on clang-17 for now. Bumps appsec CI image from bookworm-6 to bookworm-7. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bookworm-7 only ships clang-19 in its apt repo; appsec jobs still need clang-17 so stay on bookworm-6 for now. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The test lacks a SKIPIF guard for IPv6 availability. In CI (Kubernetes pods), IPv6 is unavailable so socket_create() returns false, causing a TypeError instead of the expected warnings. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
zai_reset_observed_frame_post_bailout (PHP 8.0/8.1) calls zend_observer_fcall_end_all after a sandbox bailout. At that point current_observed_frame may point to a dummy_execute_data that was stack-allocated inside zend_call_function and already freed by the unwind. PHP 8.2+ is safe via zai_set_observed_frame(NULL). Suppress for the "multiple observers" ASAN job while Bob investigates a proper fix in zai_reset_observed_frame_post_bailout. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Same stack-use-after-return in zai_reset_observed_frame_post_bailout seen in Zend Abstract Interface Tests with debug-zts-asan. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ASAN error ASAN suppression files don't support fun: entries; that's TSan/LSan format. Use detect_stack_use_after_return=0 in the affected jobs instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bwoebi
reviewed
Apr 9, 2026
| -# define ZEND_PRESERVE_NONE __attribute__((preserve_none)) | ||
| +# if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__) | ||
| +/* preserve_none + ASan crashes clang 19+ on x86-64, see llvm/llvm-project#95928 */ | ||
| +# define ZEND_PRESERVE_NONE |
Collaborator
There was a problem hiding this comment.
Bummer, that's what enables the tail call VM. Which is something probably worth testing under asan for interceptors.
Maybe we should go straight for newer clang versions where that's fixed.
Collaborator
Author
There was a problem hiding this comment.
See my upstream PHP PR: php/php-src#21676 because LLVM itself disabled it in main just 1 week ago: llvm/llvm-project#190001.
bwoebi
approved these changes
Apr 9, 2026
Collaborator
bwoebi
left a comment
bwoebi
left a comment
There was a problem hiding this comment.
Overall looks great, thanks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
A few key changes:
Reviewer checklist