The new release candidate for PHP 8.4.19 is now available, bringing several bug fixes to address issues with stability, crashes, and memory leaks across various components including core, Curl, Date, DOM, MBString, Opcache, OpenSSL, PCNTL, PCRE, PDO_PGSQL, PGSQL, Sockets, and Windows compilation. The patches resolve problems such as assertion failures, null callbacks, handling of null start dates in DatePeriod, and memory overflows that could cause scripts to crash or consume excessive resources. Developers are advised to test the release candidate on their servers or local environments before upgrading to PHP 8.4.19, particularly for applications that rely on lazy objects, database connections, or socket handling. To obtain the release candidate, download the source tarball from the official PHP site and follow the instructions provided in the text to compile and install it.

PHP 8.4.19 Release Candidate Out—What You Need to Know Before Testing

The new release candidate for PHP 8.4.19 is now available, bringing a bundle of bug fixes that touch everything from the core engine to Windows compilation quirks. If you’re planning to try it on your servers or in local dev environments, read on.

Core: Stability Gains for Aarch64 and LTO Builds

A recent crash on ARM servers—where a corrupted memory heap caused scripts to die mid‑execution—has been squashed. The fix is especially relevant if you’re building PHP with link‑time optimisation (LTO) or running on an Aarch64 machine. Without the patch, simple include statements could bring down your worker pool.

The other core updates address a handful of assertion failures that surfaced during heavy use of lazy objects and reflection proxies. Those bugs were silent until you tried to inspect properties with isset(), so if you’ve been experimenting with lazy loading in your ORM, this patch should keep the debug output sane.

Curl: Preventing Crashes on Null Callbacks

When PHP’s cURL wrapper receives a null callback for CURLOPT_XFERINFOFUNCTION, older versions would crash immediately. That behaviour was reported by a user running a long‑running file transfer that never called the progress hook. The new patch simply checks the function pointer before invoking it, turning a hard failure into a harmless no‑op.

If you rely on custom progress functions in background jobs, make sure the callback is defined or allow PHP to skip it safely now.

Date: Handling Null Starts in DatePeriod

A bug that caused DatePeriod::__set_state() to choke when given a null start date was found during automated tests of calendar generation. The patch guarantees that even an empty start value yields a predictable period object, which is handy for scripts that build ranges from user input that may be missing.

DOM: Avoiding Unexpected TypeErrors

Previously, accessing Dom\Node::baseURI or other properties could throw a TypeError if the node was not fully initialised. That subtle issue showed up in an application that dynamically created nodes for XSLT transformations and then queried their URI. The new code now performs a safer type check before returning values.

If your app manipulates XML on the fly, you’ll notice fewer sporadic exceptions when debugging large documents.

MBString: Resilient Encoding Guessing

When mb_guess_encoding() was fed a massive list of candidate encodings (over 200 000 entries), it would crash. The change prevents that by limiting the recursion depth and guarding against stack overflows. If you’re processing text from external sources with an exhaustive encoding list, this ensures your script continues to run instead of aborting.

Opcache: Fixes for JIT on Solaris and Shared Memory Issues

Users running PHP‑JIT on Solaris previously hit “Insufficient shared memory” errors after a few hours of execution. The patch resolves the underlying allocation bug, allowing longer sessions without manual sysctl tweaks. Additionally, an array containing partially initialised objects no longer triggers a super‑optimisation crash in the SCCP pass.

If you’re using Opcache on a production Solaris box, this update should eliminate those mysterious “shared memory” failures.

OpenSSL: Leak and Error Propagation Corrections

A handful of memory leaks involving SSL context teardown have been eliminated, along with better error propagation when handshake failures occur. If you run HTTPS servers or use cURL with SSL verification, the changes reduce the risk of leaking sensitive key material into the heap.

PCNTL: Safer Signal Handling on NetBSD/Solaris

Signal‑related bugs that caused crashes on out‑of‑range CPU IDs during set‑affinity calls have been patched. Moreover, pcntl_signal() now registers callbacks in the order expected by the operating system rather than PHP’s internal list first, which improves reliability when multiple signals are queued.

PCRE: Memory Leak in preg_match for Invalid Regexes

If a script passes an invalid regular expression to preg_match, older versions leaked memory. The new implementation checks the compiled pattern before allocation, so scripts that validate user input won’t gradually consume RAM and eventually exhaust the process.

PDO_PGSQL: GSS Negotiation Status Fix

A typo in the connection attribute status for GSS authentication caused a misleading “connection failed” message. The fix corrects the flag name, which should make troubleshooting PostgreSQL connections on Kerberos‑enabled hosts smoother.

PGSQL: pg_connect() Memory Leak on Error

When pg_connect() encounters an error (e.g., wrong credentials), it would leak a small buffer that grew with each retry. The patch cleans up the buffer, preventing long‑running scripts from slowly increasing their memory footprint.

Sockets: Null Address Handling and Length Overflow Fixes

Two separate socket bugs were addressed:

• socket_set_option() no longer crashes when an address entry is null.
• A potential overflow in the length field of AF_UNIX sockets during socket_connect() has been mitigated, stopping malformed requests from causing undefined behaviour.

If your application creates Unix domain sockets or passes optional parameters to socket_set_option(), you’ll see more stable behaviour.

Windows: Clang Build Compatibility

A missing header prevented PHP from compiling on Windows with clang. The update includes the required intrin.h reference, allowing developers who use Visual Studio’s newer compiler to build the core without tweaking their project files.

How to Get the RC

1. Download the source tarball from the official PHP site:
   wget https://www.php.net/distributions/php-8.4.19RC.tar.gz
   Why? Pulling directly from php.net guarantees you’re getting the exact release candidate, not a mirror that may be out of sync.

2. Extract and navigate into the directory:

   tar -xf php-8.4.19RC.tar.gz
   cd php-8.4.19RC

3. Configure with your preferred options; for most users a quick run is enough:<

   ./configure --enable-mbstring --with-openssl

   The configure script validates that all optional extensions are present and will warn you if any critical dependency is missing.

4. Compile and install (use -j$(nproc) to parallelise):

   make -j$(nproc)
   sudo make install

5. Verify the version:

   php -v

   The output will now show “PHP 8.4.19RC” confirming you’re on the right build.

If your server runs critical workloads, run a smoke test with a subset of your codebase to surface any regressions introduced by these fixes. For developers working locally, simply swap the binary in /usr/local/bin/php or adjust your php.ini path and watch for changes in behaviour—especially around lazy objects, database connections, and socket handling.

Release php-8.4.19RC1

Tag for php-8.4.19RC1

Release php-8.4.19RC1 · php/php-src