PHP 8.4.19 Release – What’s New and Fixed
The newest point release of PHP, 8.4.19, arrives with a tidy list of bug fixes that touch almost every core component, from the Zend engine to OpenSSL and even Windows builds. If an app has been stuttering after a recent upgrade or you’ve been hunting down a mysterious assertion failure, this update is worth pulling in.
Core Fixes in PHP 8.4.19
The heart of the language received several important patches. One that stood out was the resolution of GH‑21029, which fixed a heap corruption bug on Aarch64 when compiling with LTO. Developers who had reported crashes during heavy memory allocation now see stable builds. Another tweak addressed an assertion failure in zend_lazy_object_get_info, triggered by the newer lazy ghost mechanism; this means that modules using lazy properties no longer hit unexpected termination.
The change list also includes a fix for GH‑20657, which prevented setRawValueWithoutLazyInitialization() from causing a hard stop when called on uninitialized objects. The overall effect is smoother handling of dynamic property access across the board. A side note: the build system now correctly installs libtool wrappers when slibtool is used (GH‑13674), so automake projects that depend on PHP’s shared libraries should no longer be surprised by missing symbols.
cURL Improvements in PHP 8.4.19
cURL users will notice two straightforward but useful changes. First, GH‑21023 now protects against a crash that occurred when CURLOPT_XFERINFOFUNCTION was set to a null callback; the function guard has been tightened so that an empty handler no longer explodes the interpreter. Second, a length truncation bug identified by ndossche in various transfer scenarios is fixed, ensuring accurate data sizes are reported during large downloads.
Date Module Updates
The Date library had a couple of quirks that were finally squashed. GH‑20936 corrected DatePeriod::__set_state() so it can gracefully handle a null start date—a common source of failure when serializing period objects for caching. Additionally, the timezone offset logic was revised to maintain second‑level precision, preventing subtle drift in schedules calculated across daylight saving transitions.
DOM Adjustments
DOM users often run into type errors when accessing node properties, and PHP 8.4.19 has tightened those checks. The update addresses GH‑21077, which caused Dom\Node::baseURI to throw a TypeError under certain conditions, and GH‑21097, where arbitrary property access could trigger the same issue. After the patch, scripts that traverse or manipulate the DOM no longer need defensive type handling for these properties.
MBString Stability
A performance regression in mb_guess_encoding()—when fed an enormous list of candidate encodings—has been resolved (GH‑21223). The function now returns safely even with more than 200,000 entries, which is handy for applications that scan large text corpora and need to guess the encoding on the fly.
Opcache Enhancements
Opcache has seen a couple of important adjustments. GH‑20718, which previously reported an “Insufficient shared memory” error when JIT was enabled on Solaris, has been fixed, making JIT more reliable across Unix flavors. Two additional bug fixes (GH‑21227 and GH‑21052) improved handling of partial objects in SCCP optimizations and prevented preloaded constants from leaking into file‑cached scripts.
OpenSSL Fixes
The OpenSSL extension now includes a set of memory leak fixes and better error propagation, courtesy of ndossche. These changes reduce the likelihood that a misbehaving TLS connection will leave dangling resources behind, which is particularly valuable for long‑running daemons or web servers that open many short connections.
PCNTL and PCRE Tweaks
The process control API has received several stability patches: pcntl_setns() now handles errno correctly, and cpuset leaks in pcntl_setcpuaffinity have been eliminated on NetBSD/Solaris. The signal registration logic was reordered to prioritize OS‑level callbacks, while stale pointers in pcntl_signal_dispatch() are now properly cleared.
PCRE’s preg_match function no longer leaks memory when encountering invalid regular expressions, thanks to a fix applied by David Carlier. This means scripts that validate user input with regexes can now run without fear of gradual degradation.
PDO_PGSQL and PGSQL Corrections
In the PostgreSQL data access layer, GH‑21055 corrected a typo in connection attribute status for GSS negotiation, ensuring proper authentication reporting. The core PGSQL driver now also avoids memory leaks on pg_connect() errors (GH‑21162), so failed connection attempts will not bloat process memory.
Sockets Security
Socket handling has been tightened: passing a null address entry to socket_set_option() no longer crashes the interpreter (GH‑21161). An overflow bug involving AF_UNIX family sockets was also addressed, preventing accidental buffer overreads during connection setup.
Windows Build Fixes
Finally, PHP 8.4.19 now compiles cleanly with Clang on Windows, thanks to a missing intrin.h inclusion that had caused build failures for developers targeting the newer compiler toolchains.
Release php-8.4.19 · php/php-src
Tag for php-8.4.19
