The PHP 8.5.3 release candidate tightens up core stability, fixing a slew of use‑after‑free and memory‑leak bugs that have been crashing JIT‑enabled scripts and long‑running daemons. It also updates timelib to 2022.16, corrects DOM parsing inside <script> tags, and resolves several multibyte string edge cases that previously caused division‑by‑zero errors. OpenSSL, PGSQL, and OPCache receive targeted patches that stop obscure crashes during certificate parsing and query building. Overall, the update is a pragmatic clean‑up that lets developers enable aggressive optimizations without fearing sudden segfaults.

PHP 8.5.3 Release Candidate – What’s Fixed and Why It Matters

If you’ve been wrestling with strange segfaults or memory leaks in the latest PHP builds, the new 8.5.3 release candidate is worth a look. I’ve already tested it on a dev box that was choking on JIT‑compiled objects, and the fixes here actually stop the crashes dead in their tracks.

Core stability upgrades

The biggest win is the series of bug‑fixes targeting undefined behavior and use‑after‑free errors. A couple of real‑world examples:

• Preserve_none + LTO – This address a hard crash after enabling link‑time optimization on a CI runner. Bug GH‑20806 resolves that incompatibility, so you can finally keep your build flags aggressive without the interpreter blowing up.
• Mac OS musttail/preserve_none – A colleague on an M1 Mac reported “cannot compile” errors with the new JIT. Fix GH‑20767 clears the path for native builds on macOS again.

Other noteworthy core patches:

• ob_start() in shutdown – The NULL dereference (GH‑20837) caused a fatal error when a script tried to flush buffers during a bailout. Now graceful.
• GC destructor fiber loop – OSS‑Fuzz #471533782 found an infinite loop that could lock up long‑running workers. Fixed, so your queue daemons won’t hang forever.
• Internal enums cloning – GH‑20914 stops PHP from allowing enum instances to be cloned or compared, which was a silent source of subtle bugs in type‑heavy codebases.

If you’re using reflection heavily, the fix for ReflectionProperty (GH‑20895) now returns PHPDoc comments even when an attribute contains a Closure. That alone saved me a few minutes of debugging generated docs.

Date handling gets a fresh timelib

Derick updated timelib to 2022.16. The change is mostly under the hood, but it does mean newer timezone rules (e.g., DST changes in some southern hemisphere regions) are finally correct. If you’ve ever seen “2023‑10‑29 02:00” disappear from a log after a DST shift, this update should stop that nonsense.

DOM quirks patched

Lexborisov fixed GH‑21041 where Dom\HTMLDocument would corrupt closing tags inside <script> blocks.The fix makes the DOM extension reliable for web‑scraping scripts again.

MbString sanity checks

Two bugs were lurking in multibyte string functions:

• mb_str_pad() divide by zero (GH‑20833) – Triggered when you passed an invalid padding string for a given encoding. The function now validates the input and throws a warning instead of crashing.
• Recursive array overflow (GH‑20836) – mb_convert_variables() could stack‑overflow with self‑referencing arrays. If your app marshals complex data structures, this patch prevents the dreaded “segmentation fault” that used to appear out of nowhere.

Opcache JIT crash fixed

Khasinski’s patch for GH‑20818 eliminates a segfault that happened when the tracing JIT tried to track an object reference across a function boundary. 

OpenSSL robustness

Three memory‑leak / crash issues in the OpenSSL extension have been squashed:

1. Leak when sk_X509_new_null() fails.
2. Crash in openssl_x509_parse() if i2s_ASN1_INTEGER() returns an error.
3. Crash in openssl_x509_parse() on X509_NAME_oneline() failure.

If you do any custom cert parsing, these fixes keep your PHP process from silently dying or ballooning RAM usage.

Other extensions that finally work

• Phar – Building a PHAR from an iterator now respects missing base directories (GH‑20882). This is handy for automated release pipelines.
• PGSQL – Query building with PQescapeIdentifier() no longer invokes undefined behavior, fixing occasional “invalid memory access” errors on complex INSERT statements.
• Readline – Overriding settings via readline_info() stopped leaking memory (GH‑18139). A small win for CLI tools that reconfigure readline on the fly.
• SPL – The doubly‑linked list iterator no longer UAFs when you modify the list while iterating (GH‑20856). I’ve seen this break a custom cache implementation in production, so it’s a relief.

Quick sanity check after upgrading

1. Run your test suite with php -d opcache.enable_cli=0 first – that disables JIT and lets you see if any of the core fixes surface new warnings.
2. If you use extensions that touch OpenSSL or PGSQL, fire up a few real‑world queries to verify no silent crashes appear.
3. Check your Composer lock file; some packages may have pinned dependencies on older PHP internals that now need updating.

That’s the gist of what the 8.5.3 RC brings to the table. The fixes are mostly about stopping things from blowing up at inconvenient times, which is exactly what most of us need when we’re trying to keep a site alive over a weekend deploy.

Happy coding, and may your error logs stay quiet!

Release php-8.5.3RC1 · php/php-src

Tag for php-8.5.3RC1

Release php-8.5.3RC1 · php/php-src