ZendPHP 8.5.0

November 19, 2025

Community Changes

PHP Version PHP 8.5.0 Release

1. Backward Incompatible Changes

Core
- It is no longer possible to use array and callable as class alias names in class_alias().
- Loosely comparing uncomparable objects (e.g. enums, \CurlHandle and other internal classes) to booleans was previously inconsistent. If compared to a boolean literal $object == true, it would behave the same way as (bool) $object. If compared to a statically unknown value $object == $true, it would always return false. This behavior was consolidated to always follow the behavior of (bool) $object.
- The return value of gc_collect_cycles() no longer includes strings and resources that were indirectly collected through cycles.
- It is now allowed to substitute static with self or the concrete class name in final subclasses.
- The tick handlers are now deactivated after all shutdown functions, destructors have run and the output handlers have been cleaned up. This is a consequence of fixing GH-18033.
- Traits are now bound before the parent class. This is a subtle behavioral change, but should more closely match user expectations, demonstrated by GH-15753 and GH-16198.
- Errors emitted during compilation and class linking are now always delayed and handled after compilation or class linking. Fatal errors emitted during compilation or class linking cause any delayed errors to be handled immediately, without calling user-defined error handlers.
- Exceptions thrown by user-defined error handlers when handling class linking errors are not promoted to fatal errors anymore and do not prevent linking.
- Applying #[\Attribute] to an abstract class, enum, interface, or trait triggers an error during compilation. Previously, the attribute could be added, but when ReflectionAttribute::newInstance() was called an error would be thrown. The error can be delayed from compilation to runtime using the new #[\DelayedTargetValidation] attribute.
- The disable_classes INI setting has been removed as it causes various engine assumptions to be broken.
- Destructing non-array values (other than NULL) using [] or list() now emits a warning.
- A warning is now emitted when casting floats (or strings that look like floats) to int if they cannot be represented as one. This affects explicit int casts and implicit int casts.
- A warning is now emitted when casting NAN to other types.
BZ2
- bzcompress() now throws a ValueError when $block_size is not between 1 and 9.
- bzcompress() now throws a ValueError when $work_factor is not between 0 and 250.
DOM
- Cloning a DOMNamedNodeMap, DOMNodeList, Dom\NamedNodeMap, Dom\NodeList, Dom\HTMLCollection, and Dom\DtdNamedNodeMap now fails. This never actually resulted in a working object, so the impact should actually be zero.
FileInfo
- finfo_file() and finfo::file() now throws a ValueError instead of a TypeError when $filename contains nul bytes. This aligns the type of Error thrown to be consistent with the rest of the language.
Intl
- The extension now requires at least ICU 57.1.
- The behaviour of Collator::SORT_REGULAR with respect to handling numeric strings is now aligned with the behaviour of SORT_REGULAR in ext/standard. This is a consequence of fixing bug GH-18566.
LDAP
- ldap_get_option() and ldap_set_option() now throw a ValueError when passing an invalid option.
MBstring
- Unicode data tables have been updated to Unicode 17.0.
MySQLi
- Calling the mysqli constructor on an already-constructed object is now no longer possible and throws an Error.
ODBC
- ODBC now assumes that at least ODBC 3.5 functionality is available. The ODBCVER definition and build system flags to control it have been removed.
- ODBC no longer has build flags to build against specific drivers (except for DB2) and removes special cases for those drivers. It is strongly recommended to use a driver manager like iODBC or unixODBC on non-Windows.
Opcache
- The Opcache extension is now always built into the PHP binary and is always loaded. The INI directives opcache.enable and opcache.enable_cli are still honored. The --enable-opcache/--disable-opcache configure flags have been removed, and the build does not produce opcache.so or php_opcache.dll objects anymore. Using zend_extension=opcache.so or zend_extension=php_opcache.dll INI directives will emit a warning.
PCNTL
- pcntl_exec() now throws ValueErrors when entries of the $args parameter contain null bytes.
- pcntl_exec() now throws ValueErrors when entries or keys of the $env_vars parameter contain null bytes.
PCRE
- The extension is compiled without semi-deprecated PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK compile option.
PDO
- The constructor arguments set in conjunction with PDO::FETCH_CLASS now follow the usual CUFA (call_user_func_array) semantics. This means string keys will act like a named argument. Moreover, automatic wrapping for by-value arguments passed to a by-ref parameter has been removed, and the usual E_WARNING about this is now emitted. To pass a variable by-ref to a constructor argument use the general array value reference assignment: $ctor_args = [&$valByRef].
- Attempting to call PDOStatement::setFetchMode during a call to PDO::fetch(), PDO::fetchObject(), PDO::fetchAll(), for example using tricks such as passing the statement object as a constructor argument when fetching into an object, will now throw an Error.
- The value of the constants PDO::FETCH_GROUP, PDO::FETCH_UNIQUE, PDO::FETCH_CLASSTYPE, PDO::FETCH_PROPS_LATE, and PDO::FETCH_SERIALIZE have changed.
- A ValueError is now thrown if PDO::FETCH_PROPS_LATE is used with a fetch mode different than PDO::FETCH_CLASS, consistent with other fetch flags.
- A ValueError is now thrown if PDO::FETCH_INTO is used as a fetch mode in PDO::fetchAll(), similar to PDO::FETCH_LAZY.
PDO_FIREBIRD
- A ValueError is now thrown when trying to set a cursor name that is too long on a PDOStatement resulting from the Firebird driver.
Session
- Attempting to write session data where $_SESSION has a key containing the pipe character will now emit a warning instead of silently failing.
SimpleXML
- Passing an XPath expression that returns something other than a node set to SimpleXMLElement::xpath() will now emit a warning and return false, instead of silently failing and returning an empty array.
SPL
- ArrayObject no longer accepts enums, as modifying the $name or $value properties can break engine assumptions.
- SplFileObject::fwrite's parameter $length is now nullable. The default value changed from 0 to null.
Standard
- Using a printf-family function with a formatter that did not specify the precision previously incorrectly reset the precision instead of treating it as a precision of 0. See GH-18897.
SOAP
- SoapClient::__doRequest() expects a new, optional $uriParserClass parameter as described in the URL parsing API.

2. New Features

Core
- Closure is now a proper subtype of callable.
- Added support for Closures and first class callables in constant expressions.
- Fatal Errors (such as an exceeded maximum execution time) now include a backtrace.
- Added the #[\NoDiscard] attribute to indicate that a function's return value is important and should be consumed.
- Added the (void) cast to indicate that not using a value is intentional. The (void) cast has no effect on the program's execution by itself, but it can be used to suppress warnings emitted by #[\NoDiscard] and possibly also diagnostics emitted by external IDEs or static analysis tools.
- Added asymmetric visibility support for static properties.
- Added support for casts in constant expressions.
- Added support for attributes on compile-time non-class constants.
- The #[\Deprecated] attribute can now be used on constants.
- Added the pipe (|>) operator.
- Constructor property promotion can now be used for final properties.
- #[\Override] can now be applied to properties.
- The #[\DelayedTargetValidation] attribute can be used to suppress compile-time errors from core (or extension) attributes that are used on invalid targets. These errors are instead reported at runtime if and when ReflectionAttribute::newInstance() is called.
Curl
- Added support for share handles that are persisted across multiple PHP requests, safely allowing for more effective connection reuse.
- Added support for CURLINFO_USED_PROXY (libcurl >= 8.7.0), CURLINFO_HTTPAUTH_USED, and CURLINFO_PROXYAUTH_USED (libcurl >= 8.12.0) to the curl_getinfo() function. When curl_getinfo() returns an array, the same information is available as "used_proxy", "httpauth_used", and "proxyauth_used" keys. CURLINFO_USED_PROXY gets zero set if no proxy was used in the previous transfer or a non-zero value if a proxy was used. CURLINFO_HTTPAUTH_USED and CURLINFO_PROXYAUTH_USED get bitmasks indicating the HTTP and proxy authentication methods that were used in the previous request. See CURLAUTH_* constants for possible values.
- Added CURLOPT_INFILESIZE_LARGE Curl option, which is a safe replacement for CURLOPT_INFILESIZE. On certain systems, CURLOPT_INFILESIZE only accepts a 32-bit signed integer as the file size (2.0 GiB) even on 64-bit systems. CURLOPT_INFILESIZE_LARGE accepts the largest integer value the system can handle.
- Added CURLFOLLOW_OBEYCODE, CURLFOLLOW_FIRSTONLY and CURLFOLLOW_ALL values for CURLOPT_FOLLOWLOCATION curl_easy_setopt option. CURLFOLLOW_OBEYCODE to follow more strictly in regard to redirect if they are allowed. CURLFOLLOW_FIRSTONLY to follow only the first redirect thus if there is any follow up redirect, it won't go any further. CURLFOLLOW_ALL is equivalent to setting CURLOPT_FOLLOWLOCATION to true.
- Added support for CURLINFO_CONN_ID (libcurl >= 8.2.0) to the curl_getinfo() function. This constant allows retrieving the unique ID of the connection used by a cURL transfer. It is primarily useful when connection reuse or connection pooling logic is needed in PHP-level applications. When curl_getinfo() returns an array, this value is available as the "conn_id" key.
- Added support for CURLINFO_QUEUE_TIME_T (libcurl >= 8.6.0) to the curl_getinfo() function. This constant allows retrieving the time (in microseconds) that the request spent in libcurl’s connection queue before it was sent. This value can also be retrieved by passing CURLINFO_QUEUE_TIME_T to the curl_getinfo() $option parameter.
- Added support for CURLOPT_SSL_SIGNATURE_ALGORITHMS to specify the signature algorithms to use for TLS.
DOM
- Added Dom\Element::$outerHTML.
- Added $children property to Dom\ParentNode implementations.
EXIF
- Add OffsetTime* Exif tags.
- Added support for HEIF/HEIC.
Filter
- Add new FILTER_THROW_ON_FAILURE flag which can be passed to the filter functions and will force an exception to be triggered when validation fails. The new flag cannot be combined with FILTER_NULL_ON_FAILURE; trying to do so will result in a ValueError being thrown.
Intl
- Added class constants NumberFormatter::CURRENCY_ISO, NumberFormatter::CURRENCY_PLURAL, NumberFormatter::CASH_CURRENCY, and NumberFormatter::CURRENCY_STANDARD for various currency-related number formats.
- Added Locale::addLikelySubtags and Locale::minimizeSubtags to handle likely tags on a given locale.
- Added IntlListFormatter class to format, order, and punctuate a list of items with a given locale, IntlListFormatter::TYPE_AND, IntlListFormatter::TYPE_OR, IntlListFormatter::TYPE_UNITS operands and IntlListFormatter::WIDTH_WIDE, IntlListFormatter::WIDTH_SHORT and IntlListFormatter::WIDTH_NARROW widths. It is supported from icu 67.
PDO_Sqlite
- Added class constant Pdo_Sqlite::ATTR_BUSY_STATEMENT.
- Added class constants Pdo_Sqlite::ATTR_EXPLAIN_STATEMENT, Pdo_Sqlite::EXPLAIN_MODE_PREPARED, Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN, Pdo_Sqlite::EXPLAIN_MODE_EXPLAIN_QUERY_PLAN.
- Added PDO\Sqlite::ATTR_TRANSACTION_MODE connection attribute with possible values PDO\Sqlite::TRANSACTION_MODE_DEFERRED, PDO\Sqlite::TRANSACTION_MODE_IMMEDIATE, and PDO\Sqlite::TRANSACTION_MODE_EXCLUSIVE, allowing to configure the transaction mode to use when calling beginTransaction().
Session
- session_set_cookie_params(), session_get_cookie_params(), and session_start() now support partitioned cookies via the "partitioned" key.
SOAP
- Enumeration cases are now dumped in __getTypes().
- Implemented request #61105: support for Soap 1.2 Reason Text xml:lang attribute. The signature of SoapFault::__construct() and SoapServer::fault() therefore now have an optional $lang parameter. This support solves compatibility with .NET SOAP clients.
Sqlite
- Added class constants Sqlite3Stmt::EXPLAIN_MODE_PREPARED, Sqlite3Stmt::EXPLAIN_MODE_EXPLAIN and Sqlite3Stmt::EXPLAIN_MODE_EXPLAIN_QUERY_PLAN.
Standard
- mail() now returns the actual sendmail error and detects if the sendmail process was terminated unexpectedly. In such cases, a warning is emitted and the function returns false. Previously, these errors were silently ignored. This change affects only the sendmail transport.
- getimagesize() now supports HEIF/HEIC images.
- getimagesize() now supports SVG images when ext-libxml is also loaded. Similarly, image_type_to_extension() and image_type_to_mime_type() now also handle IMAGETYPE_SVG.
- The array returned by getimagesize() now has two additional entries: "width_unit" and "height_unit" to indicate in which units the dimensions are expressed. These units are px by default. They are not necessarily the same.
- setcookie() and setrawcookie() now support the "partitioned" key.
XSL
- The $namespace argument of XSLTProcessor::getParameter(), XSLTProcessor::setParameter() and XSLTProcessor::removeParameter() now actually works instead of being treated as empty. This only works if the $name argument does not use Clark notation and is not a QName because in those cases the namespace is taken from the namespace href or prefix respectively.
Zlib
- flock() is now supported on zlib streams. Previously, this always failed to perform any locking action.

3. Changes in SAPI modules

CLI
- Trying to set a process title that is too long with cli_set_process_title() will now fail instead of silently truncating the given title.
- Added a new --ini=diff option to print INI settings changed from the builtin default.
FPM
- FPM with httpd ProxyPass optionally decodes the full script path. Added fastcgi.script_path_encoded INI setting to prevent this new behavior.
- FPM access log limit now respects log_limit value.

4. Deprecated Functionality

Core
- Trying to produce output (e.g. with echo) within a user output handler is deprecated. The deprecation warning will bypass the handler producing the output to ensure it is visible; if there are nested output handlers the next one will still be used.
- Non-canonical cast names (boolean), (integer), (double), and (binary) have been deprecated, use (bool), (int), (float), and (string) respectively.
- The $exclude_disabled parameter of the get_defined_functions() function has been deprecated, as it no longer has any effect since PHP 8.0.
- Terminating case statements with a semicolon instead of a colon has been deprecated.
- The backtick operator as an alias for shell_exec() has been deprecated.
- Returning null from __debugInfo() has been deprecated. Return an empty array instead. [cite: 118, 119]
- The report_memleaks INI directive has been deprecated.
- Constant redeclaration has been deprecated.
- Enacted the follow-up phase of the "Path to Saner Increment/Decrement operators" RFC, meaning that incrementing non-numeric strings is now deprecated. Instead the str_increment() function should be used.
- The following closure binding issues, which already emit an E_WARNING, are now deprecated: Binding an instance to a static closure; Binding methods to objects that are not instances of the class (or subclass) that the method is defined; Unbinding $this from a method; Unbinding $this from a closure that uses $this; Binding a closure to the scope of an internal class; Rebinding the scope of a closure created from a function or method.
- Using null as an array offset or when calling array_key_exists() is now deprecated. Instead an empty string should be used.
- Deriving $_SERVER['argc'] and $_SERVER['argv'] from the query string for non-CLI SAPIs has been deprecated. Configure register_argc_argv=0 and switch to either $_GET or $_SERVER['QUERY_STRING'] to access the information, after verifying that the usage is safe.
- The __sleep() and __wakeup() magic methods have been soft-deprecated. The __serialize() and __unserialize() magic methods should be used instead, or at the same time if compatibility with PHP 7 is required.
Curl
- The curl_close() function has been deprecated, as CurlHandle objects are freed automatically.
- The curl_share_close() function has been deprecated, as CurlShareHandle objects are freed automatically.
Date
- The DATE_RFC7231 and DateTimeInterface::RFC7231 constants have been deprecated. This is because the associated timezone is ignored and always uses GMT.
- The __wakeup() magic method of DateTimeInterface, DateTime, DateTimeImmutable, DateTimeZone, DateInterval, and DatePeriod has been deprecated in favour of the __unserialize() magic method.
FileInfo
- The finfo_close() function has been deprecated. As finfo objects are freed automatically.
- The $context parameter of the finfo_buffer() function has been deprecated as it is ignored.
GD
- The imagedestroy() function has been deprecated, as GdImage objects are freed automatically.
Hash
- The MHASH_* constants have been deprecated. These have been overlooked when the mhash*() function family has been deprecated.
Intl
- The intl.error_level INI setting has been deprecated. Errors should either be checked manually or exceptions should be enabled by using the intl.use_exceptions INI setting.
LDAP
- Specific Oracle Instant Client calls and constants have been deprecated. List of affected calls: ldap_connect() with wallet support, ldap_connect_wallet(). List of affected constants: GSLC_SSL_NO_UATH, GSLC_SSL_ONEWAY_UATH, GSLC_SSL_TWOWAY_UATH.
MySQLi
- The mysqli_execute() alias function has been deprecated. Use mysqli_stmt_execute() instead. [cite: 136, 137]
OpenSSL
- The $key_length parameter for openssl_pkey_derive() has been deprecated. This is because it is either ignored, or truncates the key, which can be a vulnerability.
PDO
- The "uri:" DSN scheme has been deprecated due to security concerns with DSNs coming from remote URIs.
- Driver specific constants in the PDO class have been deprecated.
- Driver specific methods in the PDO class have been deprecated.
PDO_PGSQL
- Constants related to transaction states have been deprecated: PDO::PGSQL_TRANSACTION_IDLE, PDO::PGSQL_TRANSACTION_ACTIVE, PDO::PGSQL_TRANSACTION_INTRANS, PDO::PGSQL_TRANSACTION_INERROR, PDO::PGSQL_TRANSACTION_UNKNOWN.
Reflection
- The setAccessible() methods of various Reflection objects have been deprecated, as those no longer have an effect.
- Calling ReflectionClass::getConstant() for constants that do not exist has been deprecated.
- Calling ReflectionProperty::getDefaultValue() for properties without default values has been deprecated.
SPL
- Unregistering all autoloaders by passing the spl_autoload_call() function as a callback argument to spl_autoload_unregister() has been deprecated. Instead if this is needed, one should iterate over the return value of spl_autoload_functions() and call spl_autoload_unregister() on each value.
- The SplObjectStorage::contains(), SplObjectStorage::attach(), and SplObjectStorage::detach() methods have been deprecated in favour of SplObjectStorage::offsetExists(), SplObjectStorage::offsetSet(), and SplObjectStorage::offsetUnset() respectively.
- Using ArrayObject and ArrayIterator with objects has been deprecated.
Standard
- The socket_set_timeout() alias function has been deprecated. Use stream_set_timeout() instead.
- Passing null to readdir(), rewinddir(), and closedir() to use the last opened directory has been deprecated. Provide the last opened directory explicitly instead.
- Passing integers outside the interval [0, 255] to chr() is now deprecated. This is because a byte can only hold a value within this interval.
- Passing a string which is not a single byte to ord() is now deprecated, this is indicative of a bug.
- The locally predefined variable $http_response_header is deprecated. Instead one should call the http_get_last_response_headers() function.
XML
- The xml_parser_free() function has been deprecated, as XMLParser objects are freed automatically.

5. Changed Functions

Intl
- IntlDateFormatter::setTimeZone()/datefmt_set_timezone() throws an IntlException on uninitialised classes/clone failures.
- grapheme_extract() properly assigns $next value when skipping over invalid starting bytes. Previously there were cases where it would point to the start of the grapheme boundary instead of the end.
- Locale:: methods throw a ValueError when locale inputs contain null bytes.
- transliterator_get_error_code(), transliterator_get_error_message() TransLiterator::getErrorCode(), and TransLiterator::getErrorMessage() have dropped the false from the return type union. Returning false was actually never possible.
- grapheme_strpos(), grapheme_stripos(), grapheme_strrpos(), grapheme_strripos(), grapheme_substr(), grapheme_strstr() and grapheme_stristr() functions add $locale parameter.
LDAP
- ldap_get_option() now accepts a NULL connection, like ldap_set_option(), to allow retrieval of global options.
libxml
- libxml_set_external_entity_loader() now has a formal return type of true.
OpenSSL
- openssl_public_encrypt() and openssl_private_decrypt() have a new parameter $digest_algo that allows specifying the hash digest algorithm for OAEP padding.
- openssl_sign() and openssl_verify() have a new parameter $padding to allow using more secure RSA PSS padding.
- openssl_cms_encrypt() $cipher_algo parameter can be a string with the cipher name. That allows to use more algorithms including AES GCM cipher algorithms for auth enveloped data.
PCNTL
- pcntl_exec() now has a formal return type of false.
- pcntl_waitid() takes an additional resource_usage argument to gather various platform specific metrics about the child process.
PDO_PGSQL
- PDO::pgsqlCopyFromArray now supports Iterable inputs.
- Pdo\Pgsql::setAttribute and Pdo\Pgsql::prepare support setting PDO::ATTR_PREFETCH to 0 which enters lazy fetch mode. In this mode, statements cannot be run in parallel.
PDO_SQLITE
- SQLite PDO::quote() will now throw an exception or emit a warning, depending on the error mode, if the string contains a null byte.
- PDO::sqliteCreateCollation will now throw an exception if the callback has the wrong return type, making it more in line with Pdo_Sqlite::createCollation behavior.
PGSQL
- pg_copy_from now supports Iterable inputs.
- pg_connect checks if the connection_string argument contains any null byte.
- pg_close_stmt checks if the statement_name argument contains any null byte.
POSIX
- posix_ttyname sets last_error to EBADF when encountering an invalid file descriptor.
- posix_isatty raises an E_WARNING message when encountering an invalid file descriptor.
- posix_fpathconf checks invalid file descriptors and sets last_error to EBADF and raises an E_WARNING message.
- posix_kill throws a ValueError when the process_id argument is lower or greater than what the platform supports (signed integer or long range).
- posix_setpgid throws a ValueError when the process_id or the process_group_id is lower than zero or greater than what the platform supports.
- posix_setrlimit throws a ValueError when the hard_limit or soft_limit arguments are lower than -1 or if soft_limit is greater than hard_limit.
Reflection
- The output of ReflectionClass::__toString() for enums has changed to better indicate that the class is an enum, and that the enum cases are enum cases rather than normal class constants.
- The output of ReflectionProperty::__toString() for properties with hooks has changed to indicate what hooks the property has, whether those hooks are final, and whether the property is virtual. This also affects the output of ReflectionClass::__toString() when a class contains hooked properties.
- ReflectionAttribute::newInstance() can now throw errors for internal attributes if the attribute was applied on an invalid target and the error was delayed from compile time to runtime via the #[\DelayedTargetValidation] attribute.
Session
- session_start is stricter in regard to the options argument. It throws a ValueError if the array is not a hashmap, or a TypeError if the read_and_close value is not a valid type compatible with int. [cite: 185, 186]
SNMP
- snmpget, snmpset, snmp_get2, snmp_set2, snmp_get3, snmp_set3 and SNMP::__construct() throw a ValueError when the hostname is too large, contains any null byte or if the port is given when negative or greater than 65535, timeout and retries values are lower than -1 or too large.
Sockets
- socket_create_listen, socket_bind and socket_sendto throw a ValueError if the port is lower than 0 or greater than 65535, and also if any of the hints array entries are indexed numerically.
- socket_addrinfo_lookup throws a TypeError if any of the hints values cannot be cast to int and can throw a ValueError if any of these values overflow.
- socket_set_option with MCAST_LEAVE_GROUP/MCAST_LEAVE_SOURCE_GROUP options will throw an exception if the value isn't a valid object or array.
- socket_create/socket_bind can create AF_PACKET family sockets.
- socket_getsockname gets the interface index and its string representation with AF_PACKET socket.
- socket_set_option with multicast context throws a ValueError when the created socket is not of AF_INET/AF_INET6 family.
Tidy
- tidy::__construct/parseFile/parseString now throws a ValueError if the configuration contains an invalid value or attempts to set a read-only internal entry, and a TypeError if a configuration key is not a string.
Zlib
- The "use_include_path" argument for the gzfile, gzopen and readgzfile functions has been changed from int to boolean.
- gzfile, gzopen and readgzfile functions now respect the default stream context.

6. New Functions

Core
- get_error_handler() allows retrieving the current user-defined error handler function.
- get_exception_handler() allows retrieving the current user-defined exception handler function.
- The clone language construct is now a function and supports reassigning (readonly) properties during cloning via the new $withProperties parameter.
- Added Closure::getCurrent() to receive currently executing closure.
Curl
- curl_multi_get_handles() allows retrieving all CurlHandles currently attached to a CurlMultiHandle. This includes both handles added using curl_multi_add_handle() and handles accepted by CURLMOPT_PUSHFUNCTION.
- curl_share_init_persistent() allows creating a share handle that is persisted across multiple PHP requests.
DOM
- Added Dom\Element::getElementsByClassName().
- Added Dom\Element::insertAdjacentHTML().
Enchant
- Added enchant_dict_remove_from_session() to remove a word added to the spellcheck session via enchant_dict_add_to_session().
- Added enchant_dict_remove() to put a word on the exclusion list and remove it from the session dictionary.
Intl
- Added locale_is_right_to_left/Locale::isRightToLeft, returns true if the locale is written right to left (after its enrichment with likely subtags).
- Added grapheme_levenshtein() function.
Opcache
- Added opcache_is_script_cached_in_file_cache().
Pdo\Sqlite
- Added support for Pdo\Sqlite::setAuthorizer(), which is the equivalent of SQLite3::setAuthorizer(). The only interface difference is that the pdo version returns void.
PGSQL
- pg_close_stmt offers an alternative way to close a prepared statement from the DEALLOCATE sql command in that we can reuse its name afterwards.
- pg_service returns the ongoing service name of the connection.
Reflection
- ReflectionConstant::getFileName() was introduced.
- ReflectionConstant::getExtension() and ReflectionConstant::getExtensionName() were introduced.
- ReflectionConstant::getAttributes() was introduced.
- ReflectionProperty::getMangledName() was introduced.
Sqlite
- Sqlite3Stmt::busy to check if a statement had been fetched but not completely.
Standard
- Added array_first() and array_last().

7. New Classes and Interfaces

Core
- NoDiscard attribute was added.
- DelayedTargetValidation attribute was added.
Curl
- CurlSharePersistentHandle representing a share handle that is persisted across multiple PHP requests.
Filter
- Filter\FilterException and Filter\FilterFailedException for use when FILTER_THROW_ON_FAILURE has been enabled.
URI
- Uri\UriException, Uri\InvalidUriException, Uri\UriComparisonMode, Uri\Rfc3986\Uri, Uri\WhatWg\InvalidUrlException, Uri\WhatWg\UrlValidationErrorType, Uri\WhatWg\UrlValidationError, and Uri\WhatWg\Url are added.

9. Other Changes to Extensions

Curl
- curl_easy_setopt with CURLOPT_FOLLOWLOCATION option's value no longer is treated as boolean but integer to handle CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY.
Fileinfo
- Upgraded file from 5.45 to 5.46.
- The return type of finfo_close() has been changed to true, rather than bool.
Intl
- Intl's internal error mechanism has been modernized so that it indicates more accurately which call site caused what error. Moreover, some ext/date exceptions have been wrapped inside a IntlException now.
Lexbor
- An always enabled lexbor extension is added. It contains the lexbor library that was separated from ext/dom for being reused among other extensions. The new extension is not directly exposed to userland.
Opcache
- The Opcache extension is now always built into the PHP binary and is always loaded. The INI directives opcache.enable and opcache.enable_cli are still honored.
URI
- An always enabled uri extension is added that can be used for handling URIs and URLs according to RFC 3986 and WHATWG URL.
PDO_Sqlite
- Increased minimum release version support from 3.7.7 to 3.7.17.
Readline
- The return types of readline_add_history(), readline_clear_history(), and readline_callback_handler_install() have been changed to true, rather than bool.
Reflection
- ReflectionConstant is no longer final.

10. New Global Constants

Core
- PHP_BUILD_DATE.
- PHP_BUILD_PROVIDER.
Curl
- CURLINFO_USED_PROXY.
- CURLINFO_HTTPAUTH_USED.
- CURLINFO_PROXYAUTH_USED.
- CURLINFO_CONN_ID.
- CURLINFO_QUEUE_TIME_T.
- CURLOPT_INFILESIZE_LARGE.
- CURLFOLLOW_ALL.
- CURLFOLLOW_OBEYCODE.
- CURLFOLLOW_FIRSTONLY.
Filter
- FILTER_THROW_ON_FAILURE.
Intl
- DECIMAL_COMPACT_SHORT.
- DECIMAL_COMPACT_LONG.
OpenSSL
- OPENSSL_PKCS1_PSS_PADDING.
- PKCS7_NOSMIMECAP.
- PKCS7_CRLFEOL.
- PKCS7_NOCRL.
- PKCS7_NO_DUAL_CONTENT.
POSIX
- POSIX_SC_OPEN_MAX.
Sockets
- IPPROTO_ICMP/IPPROTO_ICMPV6.
- TCP_FUNCTION_BLK (FreeBSD only).
- TCP_FUNCTION_ALIAS (FreeBSD only).
- TCP_REUSPORT_LB_NUMA (FreeBSD only).
- TCP_REUSPORT_LB_NUMA_NODOM (FreeBSD only).
- TCP_REUSPORT_LB_NUMA_CURDOM (FreeBSD only).
- TCP_BBR_ALGORITHM (FreeBSD only).
- AF_PACKET (Linux only).
- ETH_P_IP (Linux only).
- ETH_P_IPV6 (Linux only).
- ETH_P_LOOP (Linux only).
- ETH_P_ALL (Linux only).
- IP_BINDANY (FreeBSD/NetBSD/OpenBSD only).
- SO_BUSY_POLL (Linux only).
- UDP_SEGMENT (Linux only).
- SHUT_RD.
- SHUT_WR.
- SHUT_RDWR.
Tokenizer
- T_VOID_CAST.
- T_PIPE.
Standard
- IMAGETYPE_SVG when libxml is loaded.

11. Changes to INI File Handling

Core
- Added fatal_error_backtraces to control whether fatal errors should include a backtrace.
- Added startup-only max_memory_limit INI setting to control the maximum memory_limit that may be configured at startup or runtime. Exceeding this value emits a warning, unless set to -1, and sets memory_limit to the current max_memory_limit instead.
Opcache
- Added opcache.file_cache_read_only to support a read-only opcache.file_cache directory, for use with read-only file systems (e.g. read-only Docker containers). Best used with opcache.validate_timestamps=0, opcache.enable_file_override=1, and opcache.file_cache_consistency_checks=0.
- The default value of opcache.jit_hot_loop is now 61 (a prime) to prevent it from being a multiple of loop iteration counts. It is recommended that this parameter is set to a prime number.
- Changing opcache.memory_consumption when OPcache SHM is already set up will now correctly report a failure instead of silently doing nothing and showing misleading values in PHPInfo.
OpenSSL
- Added openssl.libctx to select the OpenSSL library context type. Either custom libctx for each thread can be used or a single global (default) libctx is used.

12. Windows Support

Core
- The configuration variables PHP_VERSION, PHP_MINOR_VERSION, and PHP_RELEASE_VERSION are now always numbers. Previously, they have been strings for buildconf builds.
- phpize builds now reflect the source tree in the build dir (as it already worked for in-tree builds); some extension builds (especially when using Makefile.frag.w32) may need adjustments.
- --enable-sanitizer is now supported for MSVC builds. This enables ASan and debug assertions, and is supported as of MSVC 16.10 and Windows 10.
- The --with-uncritical-warn-choke configuration option for clang builds is no longer supported. Select warnings to suppress via CFLAGS instead.
COM
- The extension is now build shared by default; previously it defaulted to a static extension, although the official Windows binaries built a shared extension.
FFI
- It is no longer necessary to specify the library when using FFI::cdef() and FFI::load(). However, this convenience feature should not be used in production.
Streams
- If only pipe streams are contained in the $read array, and the $write and $except arrays are empty, stream_select() now behaves similar to POSIX systems, i.e. the function only returns if at least one pipe is ready to be read, or after the timeout expires. Previously, stream_select() returned immediately, reporting all streams as ready to read.

13. Other Changes

Core
- The high resolution timer (hrtime()) on macOS now uses the recommended clock_gettime_nsec_np(CLOCK_UPTIME_RAW) API instead of mach_absolute_time().
CLI/CGI
- The -z or --zend-extension option has been removed as it was non-functional. Use -d zend_extension= instead.
PDO_ODBC
- The fetch behaviour for larger columns has been changed. Rather than fetching 256 byte blocks, PDO_ODBC will try to fetch a larger block size; currently, this is the page size minus string overhead. Drivers that return SQL_NO_TOTAL in SQLGetData are also better handled as well. This should improve compatibility and performance. See GH-10809, GH-10733.

14. Performance Improvements

Core
- Remove OPcodes for identity comparisons against booleans, particularly for the match(true) pattern.
- Add OPcode specialization for === [] and !== [] comparisons.
- Creating exception objects is now much faster.
- The parts of the code that used SSE2 have been adapted to use SIMD with ARM NEON as well.
- Introduced the TAILCALL VM, enabled by default when compiling with Clang>=19 on x86_64 or aarch64. The TAILCALL VM is as fast as the HYBRID VM used when compiling with GCC. This makes PHP binaries built with Clang>=19 as fast as binaries built with GCC. The performance of the CALL VM, used with other compilers, has also improved considerably.
Intl
- Now avoids creating extra string copies when converting strings for use in the collator.
MBString
- The parts of the code that used SSE2 have been adapted to use SIMD with ARM NEON as well.
Opcache
- Improved performance of fetching TLS variables in JIT'ed code in non-Glibc builds.
ReflectionProperty
- Improved performance of the following methods: getValue(), getRawValue(), isInitialized(), setValue(), setRawValue().
SPL
- Improved performance of dimension accessors and methods of SplFixedArray.
Standard
- Improved performance of array functions with callbacks (array_find, array_filter, array_map, usort, ...).
- Improved performance of urlencode() and rawurlencode().
- Improved unpack() performance with nameless repetitions by avoiding creating temporary strings and reparsing them.
- Improved pack() performance.
- Minor improvements in array_chunk() performance.
XMLReader
- Improved property access performance.
XMLWriter
- Improved performance and reduced memory consumption.

CE changes

Core
- Added the #[\NoDiscard] attribute to indicate that a function's return value is important and should be consumed. (timwolla, edorian) [cite: 272, 273]
- Added the (void) cast to indicate that not using a value is intentional. (timwolla, edorian)
- Added get_error_handler(), get_exception_handler() functions. (Arnaud)
- Added support for casts in constant expressions. (nielsdos)
- Added the pipe (|>) operator. (crell)
- Added support for final with constructor property promotion. (DanielEScherzer)
- Added support for configuring the URI parser for the FTP/FTPS as well as the SSL/TLS stream wrappers as described in the URL parsing API plugability RFC. (kocsismate)
- Added PHP_BUILD_PROVIDER constant. (timwolla)
- Added PHP_BUILD_DATE constant. (cmb)
- Added support for Closures and first class callables in constant expressions. (timwolla, edorian) [cite: 276, 277]
- Add support for backtraces for fatal errors. (enorris)
- Add clone-with support to the clone() function. (timwolla, edorian)
- Add RFC 3986 and WHATWG URL compliant APIs for URL parsing and manipulation (kocsismate, timwolla)
- Fixed AST printing for immediately invoked Closure. (Dmitrii Derepko)
- Properly handle __debugInfo() returning an array reference. (nielsdos)
- Properly handle reference return value from __toString(). (nielsdos)
- Improved error message of UnhandledMatchError for zend.exception_string_param_max_len=0. (timwolla)
- Fixed bug GH-15753 and GH-16198 (Bind traits before parent class). (ilutov)
- Fixed bug GH-17951 (memory_limit is not always limited by max_memory_limit). (manuelm)
- Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). (ilutov)
- Fixed bug GH-20113 (Missing new Foo(...) error in constant expressions). (ilutov)
- Fixed bug GH-19844 (Don't bail when closing resources on shutdown). (ilutov)
- Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). (ilutov)
- Fix OSS-Fuzz #447521098 (Fatal error during sccp shift eval). (ilutov)
- Fixed bug GH-20002 (Broken build on *BSD with MSAN). (outtersg)
- Fixed bug GH-19352 (Cross-compilation with musl C library). (henderkes, Peter Kokot)
- Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks). (timwolla)
- Fixed hard_timeout with --enable-zend-max-execution-timers. (Appla)
- Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array). (ilutov)
- Fixed bug GH-19823 (register_argc_argv deprecation emitted twice when using OPcache). (timwolla)
- Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured). (nielsdos)
- Fixed bug GH-19719 (Allow empty statements before declare(strict_types)). (nielsdos) [cite: 290, 291]
- Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). (ilutov)
- Fixed bug GH-19613 (Stale array iterator pointer). (ilutov)
- Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge). (Arnaud)
- Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0). (Remi)
- Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning). (ilutov)
- Fixed bug GH-19476 (pipe operator fails to correctly handle returning by reference). (alexandre-daubois)
- Fixed bug GH-19081 (Wrong lineno in property error with constructor property promotion). (ilutov)
- Fixed bug GH-17959 (Relax missing trait fatal error to error exception). (ilutov)
- Fixed bug GH-18033 (NULL-ptr dereference when using register_tick_function in destructor). (nielsdos)
- Fixed bug GH-18026 (Improve "expecting token" error for ampersand). (ilutov)
- The report_memleaks INI directive has been deprecated. (alexandre-daubois)
- Fixed OSS-Fuzz #439125710 (Pipe cannot be used in write context). (nielsdos)
- Fixed bug GH-19548 (Shared memory violation on property inheritance). (alexandre-daubois)
- Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references). (Arnaud, timwolla) [cite: 299, 300]
- Fixed bug GH-18373 (Don't substitute self/parent with anonymous class). (ilutov)
- Fix support for non-userland stream notifiers. (timwolla)
- Fixed bug GH-19305 (Operands may be being released during comparison). (Arnaud)
- Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator). (Arnaud)
- Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes). (Arnaud)
- Fix OSS-Fuzz #427814452 (pipe compilation fails with assert). (nielsdos, ilutov)
- Fixed bug GH-16665 (\array and \callable should not be usable in class_alias). (nielsdos)
- Use clock_gettime_nsec_np() for high resolution timer on macOS if available. (timwolla)
- Make clone() a function. (timwolla, edorian)
- Introduced the TAILCALL VM, enabled by default when compiling with Clang>=19 on x86_64 or aarch64. (Arnaud)
- Enacted the follow-up phase of the "Path to Saner Increment/Decrement operators" RFC, meaning that incrementing non-numeric strings is now deprecated. (Girgias).
- Various closure binding issues are now deprecated. (alexandre-daubois)
- Constant redeclaration has been deprecated. (alexandre-daubois)
- Marks the stack as non-executable on Haiku. (David Carlier)
- Deriving $_SERVER['argc'] and $_SERVER['argv'] from the query string is now deprecated. (timwolla, nicolasgrekas) [cite: 310, 311]
- Using null as an array offset or when calling array_key_exists() is now deprecated. (alexandre-daubois)
- The disable_classes INI directive has been removed. (Girgias)
- The locally predefined variable $http_response_header is deprecated. (Girgias)
- Non-canonical cast names (boolean), (integer), (double), and (binary) have been deprecated. (Girgias)
- The $exclude_disabled parameter of the get_defined_functions() function has been deprecated, as it no longer has any effect since PHP 8.0. (Girgias)
- Terminating case statements with a semicolon instead of a colon has been deprecated. (theodorejb)
- The backtick operator as an alias for shell_exec() has been deprecated. (timwolla)
- Returning null from __debugInfo() has been deprecated. (DanielEScherzer)
- Support #[\Override] on properties. (Jiří Pudil)
- Destructing non-array values (other than NULL) using [] or list() now emits a warning. (Girgias)
- Casting floats that are not representable as ints now emits a warning. (Girgias)
- Casting NAN to other types now emits a warning. (Girgias)
- Implement GH-15680 (Enhance zend_dump_op_array to properly represent non-printable characters in string literals). (nielsdos, WangYihang)
- Fixed bug GH-17442 (Engine UAF with reference assign and dtor). (nielsdos)
- Do not use RTLD_DEEPBIND if dlmopen is available. (Daniil Gentili) [cite: 321, 322]
BCMath
- Simplify bc_divide() code. (SakiTakamachi)
- If the result is 0, n_scale is set to 0. (SakiTakamachi)
- If size of BC_VECTOR array is within 64 bytes, stack area is now used. (SakiTakamachi)
- Fixed bug GH-20006 (Power of 0 of BcMath number causes UB). (nielsdos)
Bz2
- Fixed bug GH-19810 (Broken bzopen() stream mode validation). (ilutov)
CLI
- Add --ini=diff to print INI settings changed from the builtin default. (timwolla)
- Drop support for -z CLI/CGI flag. (nielsdos)
- Fixed GH-17956 - development server 404 page does not adapt to mobiles. (pascalchevrel)
- Fix useless "Failed to poll event" error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS. (leotaku)
- Fixed bug GH-19461 (Improve error message on listening error with IPv6 address). (alexandre-daubois)
COM
- Fixed property access of PHP objects wrapped in variant. (cmb)
- Fixed method calls for PHP objects wrapped in variant. (cmb) [cite: 330, 331]
Curl
- Added CURLFOLLOW_ALL, CURLFOLLOW_OBEYCODE and CURLFOLLOW_FIRSTONLY values for CURLOPT_FOLLOWLOCATION curl_easy_setopt option. (David Carlier)
- Added curl_multi_get_handles(). (timwolla)
- Added curl_share_init_persistent(). (enorris)
- Added CURLINFO_USED_PROXY, CURLINFO_HTTPAUTH_USED, and CURLINFO_PROXYAUTH_USED support to curl_getinfo. (Ayesh Karunaratne)
- Add support for CURLINFO_CONN_ID in curl_getinfo() (thecaliskan)
- Add support for CURLINFO_QUEUE_TIME_T in curl_getinfo() (thecaliskan)
- Add support for CURLOPT_SSL_SIGNATURE_ALGORITHMS. (Ayesh Karunaratne)
- The curl_close() function has been deprecated. (DanielEScherzer)
- The curl_share_close() function has been deprecated. (DanielEScherzer)
- Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle. (timwolla) [cite: 334, 335]
Date
- Fix undefined behaviour problems regarding integer overflow in extreme edge cases. (nielsdos, cmb, ilutov)
- The DATE_RFC7231 and DateTimeInterface::RFC7231 constants have been deprecated. (jorgsowa)
- Fixed date_sunrise() and date_sunset() with partial-hour UTC offset. (ilutov)
- Fixed GH-17159: "P" format for ::createFromFormat swallows string literals. (nielsdos)
- The __wakeup() magic method of DateTimeInterface, DateTime, DateTimeImmutable, DateTimeZone, DateInterval, and DatePeriod has been deprecated in favour of the __unserialize() magic method. (Girgias) [cite: 338, 339]
DOM
- Added Dom\Element::$outerHTML. (nielsdos)
- Added Dom\Element::insertAdjacentHTML(). (nielsdos)
- Added $children property to ParentNode implementations. (nielsdos)
- Make cloning DOM node lists, maps, and collections fail. (nielsdos)
- Added Dom\Element::getElementsByClassName(). (nielsdos)
- Fixed bug GH-18877 (\Dom\HTMLDocument querySelectorAll selecting only the first when using ~ and :has). (nielsdos, lexborisov)
- Fix getNamedItemNS() incorrect namespace check. (nielsdos) [cite: 341, 342]
Enchant
- Added enchant_dict_remove_from_session(). (nielsdos)
- Added enchant_dict_remove(). (nielsdos)
- Fix missing empty string checks. (nielsdos)
EXIF
- Add OffsetTime* Exif tags. (acc987)
- Added support to retrieve Exif from HEIF file. (Benstone Zhang)
- Fix OSS-Fuzz #442954659 (zero-size box in HEIF file causes infinite loop). (nielsdos)
- Fix OSS-Fuzz #442954659 (Crash in exif_scan_HEIF_header). (nielsdos)
- Various hardening fixes to HEIF parsing. (nielsdos)
FileInfo
- The finfo_close() function has been deprecated. (timwolla)
- The $context parameter of the finfo_buffer() function has been deprecated as it is ignored. (Girgias)
- Upgrade to file 5.46. (nielsdos)
- Change return type of finfo_close() to true. (timwolla)
Filter
- Added support for configuring the URI parser for FILTER_VALIDATE_URL as described in the URL parsing API plugability RFC. (kocsismate) [cite: 347, 348]
- Fixed bug GH-16993 (filter_var_array with FILTER_VALIDATE_INT|FILTER_NULL_ON_FAILURE should emit warning for invalid filter usage). (alexandre-daubois)
FPM
- Fixed bug GH-19817 (Decode SCRIPT_FILENAME issue in php 8.5). (Jakub Zelenka)
- Fixed bug GH-19989 (PHP 8.5 FPM access log lines also go to STDERR). (Jakub Zelenka)
- Fixed GH-17645 (FPM with httpd ProxyPass does not decode script path). (Jakub Zelenka)
- Make FPM access log limit configurable using log_limit. (Jakub Zelenka)
- Fixed failed debug assertion when php_admin_value setting fails. (ilutov)
- Fixed GH-8157 (post_max_size evaluates .user.ini too late in php-fpm). (Jakub Zelenka)
GD
- Fixed bug #68629 (Transparent artifacts when using imagerotate). (pierre, cmb) [cite: 353, 354]
- Fixed bug #64823 (ZTS GD fails to find system TrueType font). (cmb)
- Fix incorrect comparison with result of php_stream_can_cast(). (Girgias) [cite: 354, 355]
- The imagedestroy() function has been deprecated. (DanielEScherzer)
Iconv
- Extends the ICONV_CONST preprocessor for illumos/solaris. (jMichaelA)
Intl
- Bumped ICU requirement to ICU >= 57.1. (cmb)
- IntlDateFormatter::setTimeZone()/datefmt_set_timezone() throws an exception with uninitialised classes or clone failure. (David Carlier)
- Added DECIMAL_COMPACT_SHORT/DECIMAL_COMPACT_LONG for NumberFormatter class. (BogdanUngureanu)
- Added Locale::isRightToLeft to check if a locale is written right to left. (David Carlier)
- Added null bytes presence in locale inputs for Locale class. (David Carlier)
- Added grapheme_levenshtein() function. (Yuya Hamada)
- Added Locale::addLikelySubtags/Locale::minimizeSubtags to handle adding/removing likely subtags to a locale. (David Carlier)
- Added IntlListFormatter class to format a list of items with a locale, operands types and units. (BogdanUngureanu)
- Added grapheme_strpos(), grapheme_stripos(), grapheme_strrpos(), grapheme_strripos(), grapheme_substr(), grapheme_strstr(), grapheme_stristr() and grapheme_levenshtein() functions add $locale parameter (Yuya Hamada).
- Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter). (alexandre-daubois)
- Fixed bug GH-18566 ([intl] Weird numeric sort in Collator). (nielsdos) [cite: 362, 363]
- Fix return value on failure for resourcebundle count handler. (Girgias)
- Fixed bug GH-19307 (PGO builds of shared ext-intl are broken). (cmb)
- Intl's internal error mechanism has been modernized so that it indicates more accurately which call site caused what error. Moreover, some ext/date exceptions have been wrapped inside a IntlException now. (Girgias)
- The intl.error_level INI setting has been deprecated. (Girgias)
LDAP
- Allow ldap_get_option to retrieve global option by allowing NULL for connection instance ($ldap). (Remi)
MBstring
- Updated Unicode data tables to Unicode 17.0. (Yuya Hamada)
MySQLi
- Fixed bugs GH-17900 and GH-8084 (calling mysqli::__construct twice). (nielsdos)
- The mysqli_execute() alias function has been deprecated. (timwolla)
MySQLnd
- Added mysqlnd.collect_memory_statistics to ini quick reference. (hauk92)
ODBC
- Removed driver-specific build flags and support. (Calvin Buckley)
- Remove ODBCVER and assume ODBC 3.5. (Calvin Buckley)
Opcache
- Make OPcache non-optional (Arnaud, timwolla)
- Added opcache.file_cache_read_only. (Samuel Melrose)
- Updated default value of opcache.jit_hot_loop. (Arnaud)
- Log a warning when opcache lock file permissions could not be changed. (Taavi Eomäe)
- Fixed bug GH-20012 (heap buffer overflow in jit). (Arnaud)
- Partially fixed bug GH-17733 (Avoid calling wrong function when reusing file caches across differing environments). (ilutov) [cite: 373, 374]
- Disallow changing opcache.memory_consumption when SHM is already set up. (timwolla)
- Fixed bug GH-15074 (Compiling opcache statically into ZTS PHP fails). (Arnaud)
- Fixed bug GH-17422 (OPcache bypasses the user-defined error handler for deprecations). (Arnaud, timwolla)
- Fixed bug GH-19301 (opcache build failure). (Remi)
- Fixed bug GH-20081 (access to uninitialized vars in preload_load()). (Arnaud)
- Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15). (Arnaud, Shivam Mathur)
- Fixed bug GH-19875 (JIT 1205 segfault on large file compiled in subprocess). (Arnaud)
- Fixed segfault in function JIT due to NAN to bool warning. (Girgias)
- Fixed bug GH-19984 (Double-free of EG(errors)/persistent_script->warnings on persist of already persisted file). (ilutov, Arnaud)
- Fixed bug GH-19889 (race condition in zend_runtime_jit(), zend_jit_hot_func()). (Arnaud) [cite: 381, 382]
- Fixed bug GH-19669 (assertion failure in zend_jit_trace_type_to_info_ex). (Arnaud)
- Fixed bug GH-19831 (function JIT may not deref property value). (Arnaud)
- Fixed bug GH-19486 (Incorrect opline after deoptimization). (Arnaud)
- Fixed bug GH-19601 (Wrong JIT stack setup on aarch64/clang). (Arnaud)
- Fixed bug GH-19388 (Broken opcache.huge_code_pages). (Arnaud)
- Fixed bug GH-19657 (Build fails on non-glibc/musl/freebsd/macos/win platforms). (Arnaud)
- Fixed ZTS OPcache build on Cygwin. (cmb) [cite: 384, 385]
- Fixed bug GH-19493 (JIT variable not stored before YIELD). (Arnaud)
OpenSSL
- Added openssl.libctx INI that allows to select the OpenSSL library context type and convert various parts of the extension to use the custom libctx. (Jakub Zelenka) [cite: 386, 387]
- Add $digest_algo parameter to openssl_public_encrypt() and openssl_private_decrypt() functions. (Jakub Zelenka)
- Implement #81724 (openssl_cms_encrypt only allows specific ciphers). (Jakub Zelenka)
- Implement #80495 (Enable to set padding in openssl_(sign|verify)). (Jakub Zelenka)
- Implement #47728 (openssl_pkcs7_sign ignores new openssl flags). (Jakub Zelenka)
- Fixed bug GH-19994 (openssl_get_cipher_methods inconsistent with fetching). (Jakub Zelenka)
- Fixed build when --with-openssl-legacy-provider set. (Jakub Zelenka)
- Fixed bug GH-19369 (8.5 | Regression in openssl_sign() - support for alias algorithms appears to be broken). (Jakub Zelenka)
- The $key_length parameter for openssl_pkey_derive() has been deprecated. (Girgias)
Output
- Fixed calculation of aligned buffer size. (cmb)
PCNTL
- Extend pcntl_waitid with rusage parameter. (vrza)
PCRE
- Remove PCRE2_EXTRA_ALLOW_LOOKAROUND_BSK from pcre compile options. (mvorisek)
PDO
- Fixed bug GH-20095 (Incorrect class name in deprecation message for PDO mixins). (timwolla)
- Driver specific methods and constants in the PDO class are now deprecated. (Arnaud) [cite: 388, 389]
- The "uri:" DSN scheme has been deprecated due to security concerns with DSNs coming from remote URIs. (timwolla) [cite: 389, 390]
PDO_ODBC
- Fetch larger block sizes and better handle SQL_NO_TOTAL when calling SQLGetData. (Calvin Buckley, Saki Takamachi)
PDO_PGSQL
- Added Iterable support for PDO::pgsqlCopyFromArray. (KentarouTakeda)
- Implement GH-15387 Pdo\Pgsql::setAttribute(PDO::ATTR_PREFETCH, 0) or Pdo\Pgsql::prepare(…, [ PDO::ATTR_PREFETCH => 0 ]) make fetch() lazy instead of storing the whole result set in memory (Guillaume Outters)
PDO_SQLITE
- Add PDO\Sqlite::ATTR_TRANSACTION_MODE connection attribute. (Samuel Štancl)
- Implement GH-17321: Add setAuthorizer to Pdo\Sqlite. (nielsdos)
- PDO::sqliteCreateCollation now throws a TypeError if the callback has a wrong return type. (David Carlier)
- Added Pdo_Sqlite::ATTR_BUSY_STATEMENT constant to check if a statement is currently executing. (David Carlier)
- Added Pdo_Sqlite::ATTR_EXPLAIN_STATEMENT constant to set a statement in either EXPLAIN_MODE_PREPARED, EXPLAIN_MODE_EXPLAIN, EXPLAIN_MODE_EXPLAIN_QUERY_PLAN modes. (David Carlier)
- Fix bug GH-13952 (sqlite PDO::quote silently corrupts strings with null bytes) by throwing on null bytes. (divinity76)
PGSQL
- Added pg_close_stmt to close a prepared statement while allowing its name to be reused. (David Carlier)
- Added Iterable support for pgsql_copy_from. (David Carlier) [cite: 397, 398]
- pg_connect checks if connection_string contains any null byte, pg_close_stmt check if the statement contains any null byte. (David Carlier)
- Added pg_service to get the connection current service identifier. (David Carlier)
- Fix segfaults when attempting to fetch row into a non-instantiable class name. (Girgias, nielsdos)
Phar
- Fix potential buffer length truncation due to usage of type int instead of type size_t. (Girgias)
- Fixed memory leaks when verifying OpenSSL signature. (Girgias)
POSIX
- Added POSIX_SC_OPEN_MAX constant to get the number of file descriptors a process can handle. (David Carlier) [cite: 402, 403]
- posix_ttyname() sets last_error to EBADF on invalid file descriptors, posix_isatty() raises E_WARNING on invalid file descriptors, posix_fpathconf checks invalid file descriptors. (David Carlier) [cite: 403, 404]
- posix_kill and posix_setpgid throws a ValueError on invalid process_id. (David Carlier)
- posix_setpgid throws a ValueError on invalid process_group_id, posix_setrlimit throws a ValueError on invalid soft_limit and hard_limit arguments. (David Carlier)
Random
- Moves from /dev/urandom usage to arc4random_buf on Haiku. (David Carlier)
Reflection
- Added ReflectionConstant::getExtension() and ::getExtensionName(). (DanielEScherzer)
- Added ReflectionProperty::getMangledName() method. (alexandre-daubois)
- ReflectionConstant is no longer final. (sasezaki)
- The setAccessible() methods of various Reflection objects have been deprecated, as those no longer have an effect. (timwolla) [cite: 407, 408]
- ReflectionClass::getConstant() for constants that do not exist has been deprecated. (DanielEScherzer)
- ReflectionProperty::getDefaultValue() for properties without default values has been deprecated. (DanielEScherzer)
- Fixed bug GH-12856 (ReflectionClass::getStaticPropertyValue() returns UNDEF zval for uninitialized typed properties). (nielsdos)
- Fixed bug GH-15766 (ReflectionClass::__toString() should have better output for enums). (DanielEScherzer) [cite: 409, 410]
- Fix GH-19691 (getModifierNames() not reporting asymmetric visibility). (DanielEScherzer)
- Fixed bug GH-17927 (Reflection: have some indication of property hooks in _property_string()). (DanielEScherzer) [cite: 410, 411]
- Fixed bug GH-19187 (ReflectionNamedType::getName() prints nullable type when retrieved from ReflectionProperty::getSettableType()). (ilutov)
- Fixed bug GH-20217 (ReflectionClass::isIterable() incorrectly returns true for classes with property hooks). (alexandre-daubois)
SAPI
- Fixed bug GH-18582 and #81451: http_response_code() does not override the status code generated by header(). (ilutov, Jakub Zelenka)
Session
- session_start() throws a ValueError on option argument if not a hashmap or a TypeError if read_and_close value is not compatible with int. (David Carlier) [cite: 414, 415]
- Added support for partitioned cookies. (nielsdos)
- Fix RC violation of session SID constant deprecation attribute. (ilutov)
- Fixed GH-19197: build broken with ZEND_STRL usage with memcpy when implemented as macro. (David Carlier)
SimpleXML
- Fixed bug GH-12231 (SimpleXML xpath should warn when returning other return types than node lists). (nielsdos)
SNMP
- snmpget, snmpset, snmp_get2, snmp_set2, snmp_get3, snmp_set3 and SNMP::__construct() throw an exception on invalid hostname, community timeout and retries arguments. (David Carlier)
SOAP
- Added support for configuring the URI parser for SoapClient::__doRequest() as described in the URL parsing API plugability RFC. (kocsismate)
- Implement request #55503 (Extend __getTypes to support enumerations). (nielsdos, datibbaw)
- Implement request #61105 (Support Soap 1.2 SoapFault Reason Text lang attribute). (nielsdos) [cite: 420, 421]
- Fixed bug #49169 (SoapServer calls wrong function, although "SOAP action" header is correct). (nielsdos)
- Fix namespace handling of WSDL and XML schema in SOAP, fixing at least GH-16320 and bug #68576. (nielsdos)
- Fixed bug #70951 (Segmentation fault on invalid WSDL cache). (nielsdos)
- Fixed bug GH-19773 (SIGSEGV due to uninitialized soap_globals->lang_en). (nielsdos, KaseyJenkins)
- Fixed bug GH-19226 (Segfault when spawning new thread in soap extension). (Florian Engelhardt)
Sockets
- Added IPPROTO_ICMP/IPPROTO_ICMPV6 to create raw socket for ICMP usage. (David Carlier)
- Added TCP_FUNCTION_BLK to change the TCP stack algorithm on FreeBSD. (David Carlier)
- Added IP_BINDANY for a socket to bind to any address. (David Carlier)
- Added SO_BUSY_POOL to reduce packets poll latency. (David Carlier) [cite: 427, 428]
- Added UDP_SEGMENT support to optimise multiple large datagrams over UDP if the kernel and hardware supports it. (David Carlier)
- Added SHUT_RD, SHUT_WR and SHUT_RDWR constants for socket_shutdown(). (David Carlier)
- Added TCP_FUNCTION_ALIAS, TCP_REUSPORT_LB_NUMA, TCP_REUSPORT_LB_NUMA_NODOM, TCP_REUSPORT_LB_CURDOM, TCP_BBR_ALGORITHM constants.
- socket_set_option() catches possible overflow with SO_RCVTIMEO/SO_SNDTIMEO with timeout setting on windows. (David Carlier)
- socket_create_listen() throws an exception on invalid port value. (David Carlier) [cite: 430, 431]
- socket_bind() throws an exception on invalid port value. (David Carlier)
- socket_sendto() throws an exception on invalid port value. (David Carlier) [cite: 431, 432]
- socket_addrinfo_lookup throws an exception on invalid hints value types. (David Carlier)
- socket_addrinfo_lookup throws an exception if any of the hints value overflows. (David Carlier)
- socket_addrinfo_lookup throws an exception if one or more hints entries has an index as numeric. (David Carlier)
- socket_set_option with the options MCAST_LEAVE_GROUP/MCAST_LEAVE_SOURCE_GROUP will throw an exception if its value is not a valid array/object. (David Carlier)
- socket_getsockname/socket_create/socket_bind handled AF_PACKET family socket. (David Carlier)
- socket_set_option for multicast context throws a ValueError when the socket family is not of AF_INET/AF_INET6 family. (David Carlier) [cite: 436, 437]
Sodium
- Fix overall theoretical overflows on zend_string buffer allocations. (David Carlier/nielsdos)
SPL
- Fixed bug GH-20101 (SplHeap/SplPriorityQueue serialization exposes INDIRECTs). (nielsdos) [cite: 437, 438]
- Improve __unserialize() hardening for SplHeap/SplPriorityQueue. (nielsdos)
- Deprecate ArrayObject and ArrayIterator with objects. (Girgias)
- Unregistering all autoloaders by passing the spl_autoload_call() function as a callback argument to spl_autoload_unregister() has been deprecated. (Girgias)
- The SplObjectStorage::contains(), SplObjectStorage::attach(), and SplObjectStorage::detach() methods have been deprecated in favour of SplObjectStorage::offsetExists(), SplObjectStorage::offsetSet(), and SplObjectStorage::offsetUnset() respectively. (Girgias)
Sqlite
- Added Sqlite3Stmt::busy to check if a statement is still being executed. (David Carlier)
- Added Sqlite3Stmt::explain to produce an explain query plan from the statement. (David Carlier)
- Added Sqlite3Result::fetchAll to return all results at once from a query. (David Carlier)
Standard
- Add HEIF/HEIC support to getimagesize. (Benstone Zhang) [cite: 444, 445]
- Added support for partitioned cookies. (nielsdos)
- Implement #71517 (Implement SVG support for getimagesize() and friends). (nielsdos)
- Implement GH-19188: Add support for new INI mail.cr_lf_mode. (alexandre-daubois)
- Optimized PHP html_entity_decode function. (Artem Ukrainskiy)
- Minor optimization to array_chunk(). (nielsdos)
- Optimized pack(). (nielsdos, divinity76)
- Fixed crypt() tests on musl when using --with-external-libcrypt (Michael Orlitzky).
- Fixed bug GH-18062 (is_callable(func(...), callable_name: $name) for first class callables returns wrong name). (timwolla)
- Added array_first() and array_last(). (nielsdos)
- Fixed bug GH-18823 (setlocale's 2nd and 3rd argument ignores strict_types). (nielsdos)
- Fixed exit code handling of sendmail cmd and added warnings. (Jesse Hathaway)
- Fixed bug GH-18897 (printf: empty precision is interpreted as precision 6, not as precision 0). (nielsdos)
- Fixed bug GH-20257 (mail() heap overflow with an empty message in lf mode). (David Carlier)
- Fixed bug GH-20201 (AVIF images misdetected as HEIF after introducing HEIF support in getimagesize()). (nielsdos)
- Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set). (alexandre-daubois)
- Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()). (alexandre-daubois)
- Fixed GH-14402 (SplPriorityQueue, SplMinHeap, and SplMaxHeap lost their data on serialize()). (alexandre-daubois)
- Fixed GH-19610 (Deprecation warnings in functions taking as argument). (Girgias)
- Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator). (alexandre-daubois)
- Fixed bug GH-19153 (#[\Attribute] validation should error on trait/interface/enum/abstract class). (DanielEScherzer)
- Fixed bug GH-19070 (setlocale($type, NULL) should not be deprecated). (nielsdos)
- Fixed bug GH-16649 (UAF during array_splice). (alexandre-daubois)
- Passing strings which are not one byte long to ord() is now deprecated. (Girgias) [cite: 459, 460]
- Passing integers outside the interval [0, 255] to chr() is now deprecated. (Girgias)
- The socket_set_timeout() alias function has been deprecated. (timwolla)
- Passing null to readdir(), rewinddir(), and closedir() to use the last opened directory has been deprecated. (Girgias) [cite: 461, 462]
Streams
- Fixed bug GH-16889 (stream_select() timeout useless for pipes on Windows). (cmb)
- Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64. (Jakub Zelenka)
- Fixed bug GH-14506 (Closing a userspace stream inside a userspace handler causes heap corruption). (nielsdos)
- Avoid double conversion to string in php_userstreamop_readdir(). (nielsdos)
Tests
- Allow to shuffle tests even in non-parallel mode. (dhuang00)
Tidy
- tidy::__construct/parseFile/parseString methods throw an exception if the configuration argument is invalid. (David Carlier)
- Fixed GH-19021 (improved tidyOptGetCategory detection). (arjendekorte, David Carlier, Peter Kokot) [cite: 466, 467]
Tokenizer
- Fixed bug GH-19507 (Corrupted result after recursive tokenization during token_get_all()). (kubawerlos, nielsdos, Arnaud)
Windows
- Fixed bug GH-10992 (Improper long path support for relative paths). (cmb, nielsdos)
- Fixed bug GH-16843 (Windows phpize builds ignore source subfolders). (cmb) [cite: 468, 469]
- Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket). (dktapps)
XML
- The xml_parser_free() function has been deprecated. (DanielEScherzer) [cite: 469, 470]
XMLWriter
- Improved performance and reduce memory consumption. (nielsdos)
XSL
- Implement request #30622 (make $namespace parameter functional). (nielsdos)
Zlib
- gzfile, gzopen and readgzfile, their "use_include_path" argument is now a boolean. (David Carlier)
- Fixed bug GH-16883 (gzopen() does not use the default stream context when opening HTTP URLs). (nielsdos)
- Implemented GH-17668 (zlib streams should support locking). (nielsdos)
Zip
- Fixed missing zend_release_fcall_info_cache on the following methods ZipArchive::registerProgressCallback() and ZipArchive::registerCancelCallback() on failure. (David Carlier) [cite: 473, 474]

Check out more at

Featured Product

ZendPHP

2025 PHP Landscape Report

ZendPHP 8.5.0

Community Changes