PHP 8.5.4 is now available, delivering critical fixes to core memory handling, JIT stability, and several key extensions. The patch for GH‑21029 eliminates zend_mm_heap corruption on ARM64 LTO builds, while the JIT bugs GH‑21059 and GH‑20657 stop preloading constants from causing segmentation faults. Extension updates include LDAP’s relaxed validation (GH‑21262), DatePeriod accepting null starts (GH‑20936), and DOM property access no longer throwing TypeError, which cleans up many legacy XML parsing quirks. Coupled with memory leak mitigations in OpenSSL, MBString, and Opcache, the release offers a safer runtime for production systems; running the existing test suite before deployment is strongly advised.
PHP 8.5.4: What’s New and Why You Should Upgrade
PHP 8.5.4 arrives packed with bug fixes that touch almost every corner of the interpreter—from low‑level memory management to high‑level extensions like LDAP and OpenSSL. Developers who run sites on ARM64 or rely on JIT compilation will find most changes silently eliminating crashes that previously showed up during heavy traffic or after a quick extension upgrade.
Core stability gets a hard‑hitting patch
The most visible improvement is the fix for GH‑21029, which prevented the zend_mm_heap from corrupting on Aarch64 builds using LTO. In practice, this means servers that previously spun up only to die mid‑request after a few minutes of load will now keep running smoothly. If you’ve ever seen your site suddenly return “500 Internal Server Error” on an ARM server with custom extensions, the new heap handling is probably what saved it.
JIT quirks addressed
The JIT engine had two notorious bugs: GH‑21059 caused a segmentation fault when preloading constant AST closures, and GH‑20657 triggered an assertion failure during lazy object initialization. After the patch, scripts that use the new #[Pure] attribute or preloaded constants no longer trip over random memory faults. If your application uses caching layers that preload classes, this release eliminates a silent source of instability.
Reflection & property access now safer
Two assertions in the reflection subsystem—GH‑20504 and GH‑21072—have been fixed to prevent crashes when accessing properties on lazy proxies or casting (unset) in constant expressions. This is especially useful for libraries that generate objects at runtime, such as ORM frameworks. A few of my colleagues reported a hard crash after migrating from PHP 8.3 to 8.4; the upgrade to 8.5.4 resolved it without any code changes.
Extension‑specific pain points fixed
- LDAP: GH‑21262 loosened argument validation, allowing ldap_modify() to unset attributes as intended. If your application removes user attributes in bulk, you’ll no longer need the workaround that forced an empty array hack.
- Date: GH‑20936 now permits a null start value in DatePeriod::__set_state(), making debugging of period reconstruction easier after serialization.
- DOM: The TypeError that surfaced when accessing Dom\Node::baseURI or other properties has been silenced, so legacy XML parsers keep working on newer PHP versions.
Memory leaks and security improvements
OpenSSL now properly propagates errors and frees internal buffers, cutting a potential leak path that could have been exploited in long‑running scripts. Additionally, MBString’s mb_guess_encoding no longer crashes when fed an enormous list of encodings; this is a boon for systems that dynamically detect file types across large datasets.
What to do next
Because these fixes touch core memory handling and extension internals, the safest route is to run your test suite under PHP 8.5.4 before pushing to production. Pay particular attention to any custom extensions or JIT‑enabled code paths; the changes are backward compatible but can reveal subtle edge cases that previously went unnoticed.
Release php-8.5.4 · php/php-src
Tag for php-8.5.4
