PHP 8.3 UPGRADE NOTES 1. Backward Incompatible Changes 2. New Features 3. Changes in SAPI modules 4. Deprecated Functionality 5. Changed Functions 6. New Functions 7. New Classes and Interfaces 8. Removed Extensions and SAPIs 9. Other Changes to Extensions 10. New Global Constants 11. Changes to INI File Handling 12. Windows Support 13. Other Changes 14. Performance Improvements ======================================== 1. Backward Incompatible Changes ======================================== - Core: . Programs that were very close to overflowing the call stack may now throw an Error when using more than `zend.max_allowed_stack_size-zend.reserved_stack_size` bytes of stack (`fiber.stack_size-zend.reserved_stack_size` for fibers). . Class constants can now be accessed dynamically using the C::{$name} syntax. RFC: https://wiki.php.net/rfc/dynamic_class_constant_fetch . Executing proc_get_status() multiple times will now always return the right value on posix systems. Previously, only the first call of the function returned the right value. Executing proc_close() after proc_get_status() will now also return the right exit code. Previously this would return -1. Internally, this works by caching the result on posix systems. If you want the old behaviour, you can check the "cached" key in the array returned by proc_get_status() to check whether the result was cached. . Zend Max Execution Timers is now enabled by default for ZTS builds on Linux. . Uses of traits with static properties will now redeclare static properties inherited from the parent class. This will create a separate static property storage for the current class. This is analogous to adding the static property to the class directly without traits. . Assigning a negative index n to an empty array will now make sure that the next index is n+1 instead of 0. . Static variable initializers can now contain arbitrary expressions. RFC: https://wiki.php.net/rfc/arbitrary_static_variable_initializers . Class constant visibility variance is now correctly checked when inherited from interfaces. . WeakMaps entries whose key maps to itself (possibly transitively) may now be removed during cycle collection if the key is not reachable except by iterating over the WeakMap (reachability via iteration is considered weak). Previously, such entries would never be automatically removed. - FFI: . C functions that have a return type of void now return null instead of returning the following object object(FFI\CData:void) { } - Standard: . The range() function has had various changes: * A TypeError is now thrown when passing objects, resources, or arrays as the boundary inputs * A more descriptive ValueError is thrown when passing 0 for $step * A ValueError is now thrown when using a negative $step for increasing ranges * If $step is a float that can be interpreted as an int, it is now done so * A ValueError is now thrown if any argument is infinity or NAN * An E_WARNING is now emitted if $start or $end is the empty string. The value continues to be cast to the value 0. * An E_WARNING is now emitted if $start or $end has more than one byte, only if it is a non-numeric string. * An E_WARNING is now emitted if $start or $end is cast to an integer because the other boundary input is a number. (e.g. range(5, 'z');) * An E_WARNING is now emitted if $step is a float when trying to generate a range of characters, except if both boundary inputs are numeric strings (e.g. range('5', '9', 0.5); does not produce a warning) * range() now produce a list of characters if one of the boundary inputs is a string digit instead of casting the other input to int (e.g. range('5', 'z');) . The file() flags error check now catches all invalid flags. Notably FILE_APPEND was previously silently accepted. ======================================== 2. New Features ======================================== - Core . Anonymous classes may now be marked as readonly. . Readonly properties can now be reinitialized during cloning. RFC: https://wiki.php.net/rfc/readonly_amendments . Class, interface, trait, and enum constants now support type declarations. RFC: https://wiki.php.net/rfc/typed_class_constants . Closures created from magic methods can now accept named arguments. . The final modifier may now be used when using a method from a trait. . Added the #[\Override] attribute to check that a method exists in a parent class or implemented interface. RFC: https://wiki.php.net/rfc/marking_overriden_methods - CLI . It is now possible to lint multiple files. - Posix . posix_getrlimit() now takes an optional $res parameter to allow fetching a single resource limit. . posix_isatty() now raises type warnings for integers following the usual ZPP semantics . posix_ttyname() now raises type warnings for integers following the usual ZPP semantics and value warnings for invalid file descriptor integers. - Streams . Streams can now emit the STREAM_NOTIFY_COMPLETED notification. This was previously not implemented. ======================================== 3. Changes in SAPI modules ======================================== - $_SERVER['SERVER_SOFTWARE'] value from the built-in CLI server changed to make it compliant with RFC3875. ======================================== 4. Deprecated Functionality ======================================== - Core . Using the ++ operator on empty, non-numeric, or non-alphanumeric strings is now deprecated. Moreover, incrementing non-numeric strings is soft deprecated and the new str_increment() function should be used instead. RFC: https://wiki.php.net/rfc/saner-inc-dec-operators . Using the -- operator on empty or non-numeric strings is now deprecated. RFC: https://wiki.php.net/rfc/saner-inc-dec-operators - Intl . The U_MULTIPLE_DECIMAL_SEP*E*RATORS constant had been deprecated, using the U_MULTIPLE_DECIMAL_SEP*A*RATORS instead is recommended. - LDAP . Calling ldap_connect() with separate hostname and port is deprecated. RFC: https://wiki.php.net/rfc/deprecations_php_8_3#deprecate_calling_ldap_connect_with_2_parameters - Random . The MT_RAND_PHP Mt19937 variant is deprecated. RFC: https://wiki.php.net/rfc/deprecations_php_8_3#mt_rand_php - Standard: . The assert_option() function is now deprecated. . The ASSERT_ACTIVE, ASSERT_BAIL,ASSERT_CALLBACK, ASSERT_EXCEPTION, and ASSERT_WARNING constants have been deprecated. RFC: https://wiki.php.net/rfc/assert-string-eval-cleanup - SQLite3 . Using exceptions is now preferred, warnings will be removed in the future. Calling SQLite3::enableExceptions(false) will trigger a depreciation warning in this version. - Zip: . The ZipArchive::FL_RECOMPRESS constant is deprecated and will be removed in a future version of libzip ======================================== 5. Changed Functions ======================================== - Core: . gc_status() has added the following 8 fields: "running" => bool "protected" => bool "full" => bool "buffer_size" => int "application_time" => float: Total application time, in seconds (including collector_time) "collector_time" => float: Time spent collecting cycles, in seconds (including destructor_time and free_time) "destructor_time" => float: Time spent executing destructors during cycle collection, in seconds "free_time" => float: Time spent freeing values during cycle collection, in seconds See GH-9336, GH-11523 . class_alias() now supports creating an alias of an internal class. . Setting `open_basedir` at runtime using `ini_set('open_basedir', ...);` no longer accepts paths containing the parent directory (`..`). Previously, only paths starting with `..` were disallowed. This could easily be circumvented by prepending `./` to the path. . User exception handlers now catch exceptions during shutdown. - Dom: . Changed DOMCharacterData::appendData() tentative return type to true. - Gd: . Changed imagerotate signature, removed the `ignore_transparent` argument as it was not used internally anyway from PHP 7.x. - Intl: . datefmt_set_timezone (and its alias IntlDateformatter::setTimeZone) now returns true on success, previously null was returned. . IntlBreakiterator::setText() now returns false on failure, previously null was returned. now returns true on sucess, previously null was returned. . IntlChar::enumCharNames is now returning a boolean. Previously it returned null on success and false on failure. - Curl: . curl_getinfo() now supports two new constants: CURLINFO_CAPATH and CURLINFO_CAINFO. If option is null, the following two additional keys are present: "capath" and "cainfo". - MBString: . mb_strtolower, mb_strtotitle, and mb_convert_case implement conditional casing rules for the Greek letter sigma. For mb_convert_case, conditional casing only applies to MB_CASE_LOWER and MB_CASE_TITLE modes, not to MB_CASE_LOWER_SIMPLE and MB_CASE_TITLE_SIMPLE. . mb_decode_mimeheader interprets underscores in QPrint-encoded MIME encoded words as required by RFC 2047; they are converted to spaces. Underscores must be encoded as "=5F" in such MIME encoded words. . In rare cases, mb_encode_mimeheader will transfer-encode its input string where it would pass it through as raw ASCII in PHP 8.2. . mb_encode_mimeheader no longer drops NUL (zero) bytes when QPrint-encoding the input string. This previously caused strings in certain text encodings, especially UTF-16 and UTF-32, to be corrupted by mb_encode_mimeheader. . mb_detect_encoding's "non-strict" mode now behaves as described in the documentation. Previously, it would return false if the same byte (for example, the first byte) of the input string was invalid in all candidate encodings. More generally, it would eliminate candidate encodings from consideration when an invalid byte was seen, and if the same input byte eliminated all remaining encodings still under consideration, it would return false. On the other hand, if all candidate encodings but one were eliminated from consideration, it would return the last remaining one without regard for how many encoding errors might be encountered later in the string. This is different from the behavior described in the documentation, which says: "If strict is set to false, the closest matching encoding will be returned." - mysqli: . mysqli_fetch_object now raises a ValueError instead of an Exception when the constructor_args argument is non empty with the class not having constructor. . mysqli_poll now raises a ValueError when the read nor error arguments are passed. - PGSQL: . pg_fetch_object now raises a ValueError instead of an Exception when the constructor_args argument is non empty with the class not having constructor. . pg_insert now raises a ValueError instead of a WARNING when the table specified is invalid. . pg_insert and pg_convert raises a ValueError or a TypeError instead of a WARNING when the value/type of a field does not match properly with a PostGreSQL's type. - Random: . Changed mt_srand() and srand() to not check the number of arguments to determine whether a random seed should be used. Passing null will generate a random seed, 0 will use zero as the seed. The functions are now consistent with Mt19937::__construct(). - Standard: . E_NOTICEs emitted by unserialize() have been promoted to E_WARNING. RFC: https://wiki.php.net/rfc/improve_unserialize_error_handling . unserialize() now emits a new E_WARNING if the input contains unconsumed bytes. RFC: https://wiki.php.net/rfc/unserialize_warn_on_trailing_data . array_pad() is now only limited by the maximum number of elements an array can have. Before, it was only possible to add at most 1048576 elements at a time. . strtok() raises a warning in the case token is not provided when starting tokenization. . password_hash() will now chain the underlying Random\RandomException as the ValueError’s $previous Exception when salt generation fails. . proc_open() $command array must now have at least one non empty element. . array_sum() and array_product() now warn when values in the array cannot be converted to int/float. Previously arrays and objects where ignored whilst every other value was cast to int. Moreover, objects that define a numeric cast (e.g. GMP) are now casted instead of ignored. RFC: https://wiki.php.net/rfc/saner-array-sum-product . number_format() $decimal parameter handles rounding to negative places. It means that when $decimals is negative, $num is rounded to $decimals significant digits before the decimal point. Previously negative $decimals got silently ignored and the number got rounded to zero decimal places. ======================================== 6. New Functions ======================================== - DOM: . Added DOMNode::contains() and DOMNameSpaceNode::contains(). . Added DOMElement::getAttributeNames(). . Added DOMNode::getRootNode(). The $options argument does nothing at the moment because it only influences the shadow DOM, which we do not support yet. . Added DOMElement::className and DOMElement::id. This is not binary-safe at the moment because of underlying limitations of libxml2. . Added DOMParentNode::replaceChildren(). . Added DOMNode::isConnected and DOMNameSpaceNode::isConnected. . Added DOMNode::parentElement and DOMNameSpaceNode::parentElement. . Added DOMNode::isEqualNode(). . Added DOMElement::insertAdjacentElement() and DOMElement::insertAdjacentText(). . Added DOMElement::toggleAttribute(). - JSON: . Added json_validate(), which returns whether the json is valid for the given $depth and $options. RFC: https://wiki.php.net/rfc/json_validate - MBString: . Added mb_str_pad(), which is the mbstring equivalent of str_pad(). RFC: https://wiki.php.net/rfc/mb_str_pad - Posix: . Added posix_sysconf call to get runtime informations. . Added posix_pathconf call to get configuration value from a directory/file. . Added posix_fpathconf call to get configuration value from a file descriptor. . Added posix_eaccess call to check the effective user id's permission for a path. - PGSQL: . Added pg_set_error_context_visilibity to set the visibility of the context in error messages (with libpq >= 9.6). - Random: . Added Randomizer::getBytesFromString(). RFC: https://wiki.php.net/rfc/randomizer_additions . Added Randomizer::nextFloat(), ::getFloat(), and IntervalBoundary. RFC: https://wiki.php.net/rfc/randomizer_additions - Reflection: . Return type of ReflectionClass::getStaticProperties() is no longer nullable. - Sockets: . Added socket_atmark to checks if the socket is OOB marked. - Standard: . Added the str_increment() and str_decrement() functions. RFC: https://wiki.php.net/rfc/saner-inc-dec-operators - Zip: . Added ZipArchive::setArchiveFlag and ZipArchive::getArchiveFlag methods. ======================================== 7. New Classes and Interfaces ======================================== ======================================== 8. Removed Extensions and SAPIs ======================================== ======================================== 9. Other Changes to Extensions ======================================== - Core: . WeakMaps now have ephemeron-like behavior: Entries whose key maps to itself (possibly transitively) may be removed during cycle collection if the key is not reachable except by iterating over the WeakMap (reachability via iteration is considered weak). Previously, such entries would never be automatically removed. (See GH-10932.) . The ++ and -- operators now emit warnings when attempting to increment values of type bool as this will change in the next major version. A warning is emitted when trying to decrement values of type null, as this will change in the next major version. Internal objects that implement an _IS_NUMBER cast but not a do_operator handler that overrides addition and substraction now can be incremented and decrement as if one would do $o += 1 or $o -= 1 - DOM: . The DOM lifetime mechanism has been reworked such that implicitly removed nodes can still be fetched. Previously this resulted in an exception. - SQLite3 . The SQLite3 class now throws \SQLite3Exception (extends \Exception) instead of \Exception. . The SQLite error code is now passed in the exception error code instead of being included in the error message. ======================================== 10. New Global Constants ======================================== - Curl: . CURLINFO_CAPATH . CURLINFO_CAINFO . CURLOPT_MIME_OPTIONS . CURLMIMEOPT_FORMESCAPE . CURLOPT_WS_OPTIONS . CURLWS_RAW_MODE . CURLOPT_SSH_HOSTKEYFUNCTION . CURLOPT_PROTOCOLS_STR . CURLOPT_REDIR_PROTOCOLS_STR . CURLOPT_CA_CACHE_TIMEOUT . CURLOPT_QUICK_EXIT . CURLKHMATCH_OK . CURLKHMATCH_MISMATCH . CURLKHMATCH_MISSING . CURLKHMATCH_LAST - Intl: . MIXED_NUMBERS (Spoofchecker). . HIDDEN_OVERLAY (Spoofchecker). - OpenSSL: . OPENSSL_CMS_OLDMIMETYPE . PKCS7_NOOLDMIMETYPE - PCNTL: . SIGINFO - PGSQL: . PGSQL_TRACE_SUPPRESS_TIMESTAMPS. . PGSQL_TRACE_REGRESS_MODE. . PGSQL_ERRORS_SQLSTATE. - Posix: . POSIX_SC_ARG_MAX. . POSIX_SC_PAGESIZE. . POSIX_SC_NPROCESSORS_CONF. . POSIX_SC_NPROCESSORS_ONLN. - Sockets: . SO_ATTACH_REUSEPORT_CBPF (Linux only). . TCP_QUICKACK (Linux only). . IP_DONTFRAG (FreeBSD only). . IP_MTU_DISCOVER (Linux only). . IP_PMTUDISC_DO (Linux only). . IP_PMTUDISC_DONT (Linux only). . IP_PMTUDISC_WANT (Linux only). . IP_PMTUDISC_PROBE (Linux only). . IP_PMTUDISC_INTERFACE (Linux only). . IP_PMTUDISC_OMIT (Linux only). . AF_DIVERT (FreeBSD only). . SOL_UDPLITE. . UDPLITE_RECV_CSCOV. . UDPLITE_SEND_CSCOV. . SO_RERROR (NetBSD only). . SO_ZEROIZE (OpenBSD only). . SO_SPLICE (OpenBSD only). . TCP_REPAIR (Linux only). . SO_REUSEPORT_LB (FreeBSD only). . IP_BIND_ADDRESS_NO_PORT (Linux only). - Zip: . ZipArchive::ER_DATA_LENGTH (libzip >= 1.10) . ZipArchive::ER_NOT_ALLOWED (libzip >= 1.10) . ZipArchive::AFL_RDONLY (libzip >= 1.10) . ZipArchive::AFL_IS_TORRENTZIP (libzip >= 1.10) . ZipArchive::AFL_WANT_TORRENTZIP (libzip >= 1.10) . ZipArchive::AFL_CREATE_OR_KEEP_FILE_FOR_EMPTY_ARCHIVE (libzip >= 1.10) . ZipArchive::FL_OPEN_FILE_NOW ======================================== 11. Changes to INI File Handling ======================================== - assert.* . The assert.* INI settings have been deprecated. This comprises the following INI settings: - assert.active - assert.bail - assert.callback - assert.exception - assert.warning If the value of the setting is equal to the default value, no deprecation notice is emitted. The zend.assertions INI setting should be used instead. - zend.max_allowed_stack_size . New INI directive to set the maximum allowed stack size. Possible values are `0` (detect the process or thread maximum stack size), `-1` (no limit), or a positive number of bytes. The default is `0`. When it is not possible to detect the the process or thread maximum stack size, a known system default is used. Setting this value too high has the same effect as disabling the stack size limit. Fibers use fiber.stack_size as maximum allowed stack size. An Error is thrown when the process call stack exceeds `zend.max_allowed_stack_size-zend.reserved_stack_size` bytes, to prevent stack-overflow-induced segmentation faults, with the goal of making debugging easier. The stack size increases during uncontrolled recursions involving internal functions or the magic methods __toString, __clone, __sleep, __destruct. This is not related to stack buffer overflows, and is not a security feature. - zend.reserved_stack_size . New INI directive to set the reserved stack size, in bytes. This is subtracted from the max allowed stack size, as a buffer, when checking the stack size. ======================================== 12. Windows Support ======================================== - Minimum supported Windows version has been bumped to Windows 8 or Windows Server 2012 ======================================== 13. Other Changes ======================================== - Core: . An Error is now thrown when the process call stack exceeds a certain size, to prevent stack-overflow-induced segmentation faults, with the goal of making debugging easier. The maximum allowed stack size is controlled by the INI directives zend.max_allowed_stack_size, zend.reserved_stack_size, and fiber.stack_size. - FFI: . FFI::load() is now allowed during preloading when opcache.preload_user is the current system user. Previously, calling FFI::load() was not possible during preloading if the opcache.preload_user directive was set. - FPM: . FPM CLI test now fails if the socket path is longer than supported by OS. - Opcache: . In the cli and phpdbg SAPIs, preloading does not require the opcache.preload_user directive to be set anymore when running as root. In other SAPIs, this directive is required when running as root because preloading is done before the SAPI switches to an unprivileged user. - Streams: . Blocking fread() on socket connection returns immediately if there are any buffered data instead of waiting for more data. ======================================== 14. Performance Improvements ======================================== - DOM: . Looping over a DOMNodeList now uses caching. Therefore requesting items no longer takes quadratic time by default. . Getting text content from nodes now avoids an allocation, resulting in a performance gain. - Standard: . The file() flags error check is now about 7% faster. - SPL: . RecursiveDirectoryIterator now performs less I/O when looping over a directory.