The PHP 8.5.6 release candidate shifts focus from new features to critical stability patches that target memory leaks, JIT assertion failures, and garbage collection crashes. Core engine updates resolve reference counting issues while bundled extensions like Phar, OpenSSL, Curl, and SPL get fixed for null dereferences, concurrency bugs, and missing Windows compression support. Security hardening also rounds out the release by locking down predictable random state generation and fixing use-after-free errors in iterator handling. Developers should test this build against their production workloads to catch segfaults before the final stable version ships.

PHP 8.5.6 Release Candidate Fixes Memory Leaks and JIT Crashes Before Final Launch

The latest batch of PHP 8.5.6 release candidate fixes targets the kind of crashes that keep server admins up at night. Instead of adding flashy new features, the focus lands squarely on memory leaks, JIT assertion failures, and segfaults that have been quietly breaking production environments. Anyone running PHP in a live setup should pay attention to what got patched before the final build ships.

Core Engine and PHP 8.5.6 Release Candidate Fixes

The core engine updates tackle some nasty edge cases that usually only show up under heavy load or during garbage collection sweeps. Developers have been hitting assertion failures when fibers, generators, and destructors interact with the reference counting system, which basically means scripts would just vanish without a trace. The JIT compiler also gets a serious tune up after recent commits introduced faulty returns out of try blocks and broke smart branch optimization for JMPNZ instructions. These kinds of low level fixes matter because they stop random segfaults that look like hardware failures but are actually just the engine tripping over its own feet. Lazy proxies finally get forwarded property operations to the real instance, which clears up confusion when code expects an object to behave normally instead of returning ghost references.

Extension Specific Patches

Several bundled extensions needed attention after developers noticed memory leaks and null pointer dereferences creeping into production logs. The Phar extension alone had multiple issues fixed, including a NULL dereference when SCRIPT_NAME disappears from the SAPI environment and several memory leaks in file verification routines. Curl finally gets brotli and zstd compression support on Windows, which means less CPU overhead when fetching compressed payloads without needing external libraries. OpenSSL saw its openssl_pbkdf2 function patched to stop leaking memory during key derivation, while PDO_PGSQL stops throwing errors when prefetching returns an empty result set. These are the quiet fixes that prevent slow server degradation over weeks of uptime.

Security and Edge Case Hardening

The Random extension got a lock on Xoshiro256StarState after it accepted all zero states, which basically meant predictable output in security sensitive contexts. SPL iterators finally stop triggering use after free errors when RecursiveArrayIterator children get freed prematurely, and concurrent iteration issues in SplObjectStorage get sorted out so scripts do not crash during mass deletions. Streams also gets a fix for file_get_contents segfaults that happen when an HTTPS proxy is configured but the connection drops unexpectedly. The DOM extension stops spitting out duplicate xmlns declarations after setting namespaced attributes, which keeps XML parsing from choking on malformed output.

Release php-8.5.6RC1

Tag for php-8.5.6RC1

Release php-8.5.6RC1 · php/php-src

Grab the release candidate if you want to test your stack before the final build hits stable channels. The patch list reads like a cleanup crew sweeping up loose ends, and that is exactly what you want right now. Keep an eye on the official changelog when the stable version drops, and run your integration tests against this RC if your app touches JIT compiled code or heavy file operations.