Partials v2 gen

.github/matrix.php

@@ -61,7 +61,6 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
     $test_macos = in_array('CI: macOS', $labels, true);
     $test_msan = in_array('CI: MSAN', $labels, true);
     $test_opcache_variation = in_array('CI: Opcache Variation', $labels, true);
-    $test_pecl = in_array('CI: PECL', $labels, true);
     $test_solaris = in_array('CI: Solaris', $labels, true);
     $test_windows = in_array('CI: Windows', $labels, true);
 
@@ -137,9 +136,6 @@ function select_jobs($repository, $trigger, $nightly, $labels, $php_version, $re
     if ($all_jobs || $test_opcache_variation) {
         $jobs['OPCACHE_VARIATION'] = true;
     }
-    if (($all_jobs && $ref === 'master') || $test_pecl) {
-        $jobs['PECL'] = true;
-    }
     if (version_compare($php_version, '8.6', '>=') && ($all_jobs || $test_solaris)) {
         $jobs['SOLARIS'] = true;
     }

.github/workflows/test-suite.yml

@@ -827,114 +827,6 @@ jobs:
         uses: ./.github/actions/test-libmysqlclient
       - name: Verify generated files are up to date
         uses: ./.github/actions/verify-generated-files
-  PECL:
-    if: ${{ fromJson(inputs.branch).jobs.PECL }}
-    runs-on: ubuntu-24.04
-    steps:
-      - name: git checkout PHP
-        uses: actions/checkout@v6
-        with:
-          path: php
-          ref: ${{ fromJson(inputs.branch).ref }}
-      # Used for ccache action
-      - name: Move .github
-        run: mv php/.github .
-      - name: git checkout apcu
-        uses: actions/checkout@v6
-        with:
-          repository: krakjoe/apcu
-          path: apcu
-      - name: git checkout imagick
-        uses: actions/checkout@v6
-        with:
-          repository: Imagick/imagick
-          path: imagick
-      - name: git checkout memcached
-        uses: actions/checkout@v6
-        with:
-          repository: php-memcached-dev/php-memcached
-          path: memcached
-      - name: git checkout redis
-        if: ${{ false }}
-        uses: actions/checkout@v6
-        with:
-          repository: phpredis/phpredis
-          path: redis
-      - name: git checkout xdebug
-        uses: actions/checkout@v6
-        with:
-          repository: xdebug/xdebug
-          path: xdebug
-      - name: git checkout yaml
-        uses: actions/checkout@v6
-        with:
-          repository: php/pecl-file_formats-yaml
-          path: yaml
-      - name: apt
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-            ccache \
-            libmemcached-dev \
-            imagemagick \
-            libmagickwand-dev \
-            bison \
-            re2c
-      - name: ccache
-        uses: ./.github/actions/ccache
-        with:
-          name: "${{ github.job }}"
-          php_directory: php
-      - name: build PHP
-        run: |
-          cd php
-          ./buildconf --force
-          ./configure \
-            --enable-option-checking=fatal \
-            --prefix=/opt/php \
-            --enable-cli \
-            --disable-all \
-            --enable-session \
-            --enable-werror
-          make -j$(/usr/bin/nproc)
-          sudo make install
-      - name: build apcu
-        run: |
-          cd apcu
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build imagick
-        run: |
-          cd imagick
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build memcached
-        run: |
-          cd memcached
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build redis
-        if: ${{ false }}
-        run: |
-          cd redis
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build xdebug
-        run: |
-          cd xdebug
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
-      - name: build yaml
-        run: |
-          cd yaml
-          /opt/php/bin/phpize
-          ./configure --prefix=/opt/php --with-php-config=/opt/php/bin/php-config
-          make -j$(/usr/bin/nproc)
   WINDOWS:
     if: ${{ fromJson(inputs.branch).jobs.WINDOWS }}
     strategy:

NEWS

@@ -19,6 +19,8 @@ PHP                                                                        NEWS
   . Enabled the TAILCALL VM on Windows when compiling with Clang >= 19 x86_64.
     (henderkes)
   . Deprecate specifying a nullable return type for __debugInfo(). (timwolla)
+  . Fixed bug GH-22142 (Assertion failure in zendi_try_get_long() on IS_UNDEF).
+    (David Carlier)
 
 - BCMath:
   . Added NUL-byte validation to BCMath functions. (jorgsowa)
@@ -69,6 +71,8 @@ PHP                                                                        NEWS
     argument handling now raises TypeError instead of Error. (Weilin Du)
   . IntlBreakIterator::getLocale() now raises ValueError for invalid locale
     types. (Weilin Du)
+  . Fixed MessageFormatter::parse() and parseMessage() returning PHP_INT_MIN
+    as float rather than int on 64-bit platforms. (Weilin Du)
 
 - JSON:
   . Enriched JSON last error / exception message with error location.
@@ -105,6 +109,8 @@ PHP                                                                        NEWS
     openssl_x509_parse() output). (StephenWall)
   . Added TLS session resumption support for streams with new context options
     and Openssl\Session class. (Jakub Zelenka)
+  . Added TLS external PSK support for streams with new context options and
+    Openssl\Psk class. (Jakub Zelenka)
 
 - PCNTL:
   . pcntl_exec() now throws a ValueError if the $args array is not a list
@@ -156,6 +162,12 @@ PHP                                                                        NEWS
     (Girgias)
   . Null bytes in session.cookie_path, session.cookie_domain, and
     session.cache_limiter are now rejected with a warning. (jorgsowa)
+  . session.cookie_samesite now rejects invalid values with a warning; only
+    "Strict", "Lax", "None", or "" are accepted. (jorgsowa)
+  . session.cookie_lifetime now rejects non-integer and out-of-range values
+    with a warning. (jorgsowa)
+  . Session file GC now recursively cleans nested subdirectories when
+    session.save_path uses the dirdepth prefix. (jorgsowa)
   . Changed defaults of session.use_strict_mode (now 1), session.cookie_httponly
     (now 1) and session.cookie_samesite (now "Lax"). (jorgsowa)
 
@@ -216,12 +228,21 @@ PHP                                                                        NEWS
     null bytes. (Weilin Du)
   . proc_open() now raises a ValueError when the $cwd argument contains
     null bytes. (Weilin Du)
+  . ini_get_all() now includes the built-in default value in the details.
+    (sebastian)
+  . Fixed bug GH-22171 (Invalid auth header generation in
+    http(s) stream wrapper). (David Carlier)
 
 - Streams:
+  . Added new stream errors API including new StreamException, StreamError
+    classes, StreamErrorStore, StreamErrorMode, StreamErrorCode enums,
+    stream_last_errors() and stream_clear_errors() functions, error_mode,
+    error_store and error_handler stream context options and extending some
+    stream functions with context param. (Jakub Zelenka)
   . Added so_keepalive, tcp_keepidle, tcp_keepintvl and tcp_keepcnt stream
-    socket context options.
+    socket context options. (Jakub Zelenka)
   . Added so_reuseaddr streams context socket option that allows disabling
-    address reuse.
+    address reuse. (Jakub Zelenka)
   . Fixed bug GH-20370 (User stream filters could violate typed property
     constraints). (alexandre-daubois)
   . Allowed filtered streams to be casted as fd for select. (Jakub Zelenka)
@@ -231,6 +252,12 @@ PHP                                                                        NEWS
   . Fixed bug #49874 (ftell() and fseek() inconsistency when using stream
     filters). (Jakub Zelenka)
 
+- URI:
+  . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().
+    (kocsismate)
+  . Added Uri\Rfc3986\Uri:getHostType() and Uri\WhatWg\Url:getHostType().
+    (kocsismate)
+
 - Zip:
   . Fixed ZipArchive callback being called after executor has shut down.
     (ilutov)

SECURITY.md

@@ -11,6 +11,31 @@ Vulnerability reports remain private until published. When published, you will
 be credited as a contributor, and your contribution will reflect the MITRE
 Credit System.
 
+# Classification
+
+Issues commonly reported that are _not_ considered security issues include (but
+are not limited to):
+
+- Invocation of specially crafted, malicious code intended to cause memory
+  violations. This commonly includes malicious error handlers, destructors or
+  `__toString()` functions. PHP does not offer sandboxing, and the execution of
+  untrusted code is always considered unsafe. Such issues are bugs, but not
+  security issues. They may still be reported, though please avoid reporting
+  the known issues.
+
+- Passing malicious arguments to functions clearly not intended to receive
+  unsanitized values, e.g. `mysqli_query()`. `escapeshellarg()` on the other
+  hand should clearly be hardened against unsafe inputs.
+
+- The use of legacy APIs or settings known to be insecure, particularly those
+  documented as such, or those with a secure alternative.
+
+- The use of FFI.
+
+- `open_basedir` or `disable_functions` bypasses.
+
+- Malicious `unserialize()` inputs.
+
 # Vulnerability Policy
 
 Our full policy is described at

UPGRADING

@@ -40,6 +40,10 @@ PHP 8.6 UPGRADE NOTES
   . IntlBreakIterator::getLocale() now raises a ValueError when the type is
     neither Locale::ACTUAL_LOCALE nor Locale::VALID_LOCALE instead of
     returning false.
+  . MessageFormatter::parse() and parseMessage() now return PHP_INT_MIN as
+    int, rather than float, on 64-bit platforms when parsing integer values.
+  . The $type parameter of IntlBreakIterator::getPartsIterator() has been
+    changed from string to int to match the underlying implementation.
 
 - PCNTL:
   . pcntl_alarm() now raises a ValueError if the seconds argument is
@@ -194,13 +198,19 @@ PHP 8.6 UPGRADE NOTES
     requests, implementing custom server-side session storage, and controlling
     session cache behavior.
     RFC: https://wiki.php.net/rfc/tls_session_resumption
+  . Added TLS external PSK support for streams with new strem context options:
+    psk_client_cb and psk_server_cb. This allows setting and receiving PSK.
 
 - Phar:
   . Overriding the getMTime() and getPathname() methods of SplFileInfo now
     influences the result of the phar buildFrom family of functions.
     This makes it possible to override the timestamp and names of files.
 
 - Streams:
+  . Added new stream errors API including new classes, enums, functions and
+    internal API. It is controlled using error_mode, error_store and
+    error_handler stream context options.
+    RFC: https://wiki.php.net/rfc/stream_errors
   . Added stream socket context option so_reuseaddr that allows disabling
     address reuse (SO_REUSEADDR) and explicitly uses SO_EXCLUSIVEADDRUSE on
     Windows.
@@ -209,6 +219,12 @@ PHP 8.6 UPGRADE NOTES
     options.
   . Allowed casting casting filtered streams as file descriptor for select.
 
+- URI:
+  . Added Uri\Rfc3986\Uri:getUriType() and Uri\WhatWg\Url:isSpecialScheme().
+    RFC: https://wiki.php.net/rfc/uri_followup#uri_type_detection
+  . Added Uri\Rfc3986\Uri:getHostType() and Uri\WhatWg\Url:getHostType().
+    RFC: https://wiki.php.net/rfc/uri_followup#host_type_detection
+
 ========================================
 3. Changes in SAPI modules
 ========================================
@@ -268,6 +284,12 @@ PHP 8.6 UPGRADE NOTES
     when not null, and on failure, gives the error code (one of the EAI_*
     constants).
 
+- Standard:
+  . ini_get_all() now includes a "builtin_default_value" element for each
+    directive when $details is true. It holds the built-in default value of
+    the directive (or null if it has none), independent of values set in
+    php.ini, on the command line, or at runtime.
+
 ========================================
 6. New Functions
 ========================================
@@ -291,9 +313,12 @@ PHP 8.6 UPGRADE NOTES
   . `clamp()` returns the given value if in range, else return the nearest
     bound.
     RFC: https://wiki.php.net/rfc/clamp_v2
+  . `stream_last_errors()` and `stream_clear_errors()`.
+    RFC: https://wiki.php.net/rfc/stream_errors
 
 - Zip:
   . Added ZipArchive::openString() method.
+  . Added ZipArchive::closeString() method.
 
 ========================================
 7. New Classes and Interfaces
@@ -303,10 +328,17 @@ PHP 8.6 UPGRADE NOTES
   . Openssl\OpensslException
   . Openssl\Session
     RFC: https://wiki.php.net/rfc/tls_session_resumption
+  . Openssl\Psk
 
 - Standard:
   . enum SortDirection
     RFC: https://wiki.php.net/rfc/sort_direction_enum
+  . StreamError
+  . StreamException
+  . enum StreamErrorStore
+  . enum StreamErrorMode
+  . enum StreamErrorCode
+    RFC: https://wiki.php.net/rfc/stream_errors
 
 ========================================
 8. Removed Extensions and SAPIs
@@ -416,7 +448,10 @@ PHP 8.6 UPGRADE NOTES
   . Improved performance of str_split().
 
 - URI:
-  . Reduced allocations when reading RFC3986 IPv6/IPFuture hosts and paths.
+  . Reduced allocations when reading IPv6/IPFuture hosts and paths with
+    Uri\Rfc3986\Uri.
+  . Improved performance and memory consumption when using normalizing
+    (non-raw) getters on already-normalized URIs with Uri\Rfc3986\Uri.
 
 - Zip:
   . Avoid string copies in ZipArchive::addFromString().

UPGRADING.INTERNALS

@@ -108,6 +108,8 @@ PHP 8.6 INTERNALS UPGRADE NOTES
     instead of copying it in zend_call_function(). Currently only a single
     consumed argument is supported.
   . Added ZEND_CONTAINER_OF().
+  . The OPENBASEDIR_CHECKPATH() compatibility macro has been removed, instead
+    use php_check_open_basedir() directly.
 
 ========================
 2. Build system changes

Zend/Optimizer/compact_literals.c

@@ -733,6 +733,7 @@ void zend_optimizer_compact_literals(zend_op_array *op_array, zend_optimizer_ctx
 				case ZEND_SEND_VAR_NO_REF_EX:
 				case ZEND_SEND_REF:
 				case ZEND_SEND_FUNC_ARG:
+				case ZEND_SEND_PLACEHOLDER:
 				case ZEND_CHECK_FUNC_ARG:
 					if (opline->op2_type == IS_CONST) {
 						opline->result.num = cache_size;
@@ -745,6 +746,10 @@ void zend_optimizer_compact_literals(zend_op_array *op_array, zend_optimizer_ctx
 						cache_size += sizeof(void *);
 					}
 					break;
+				case ZEND_CALLABLE_CONVERT_PARTIAL:
+					opline->op1.num = cache_size;
+					cache_size += 2 * sizeof(void *);
+					break;
 			}
 			opline++;
 		}

Zend/Optimizer/optimize_func_calls.c

@@ -191,6 +191,7 @@ void zend_optimize_func_calls(zend_op_array *op_array, zend_optimizer_ctx *ctx)
 			case ZEND_DO_UCALL:
 			case ZEND_DO_FCALL_BY_NAME:
 			case ZEND_CALLABLE_CONVERT:
+			case ZEND_CALLABLE_CONVERT_PARTIAL:
 				call--;
 				if (call_stack[call].func && call_stack[call].opline) {
 					zend_op *fcall = call_stack[call].opline;
@@ -223,13 +224,14 @@ void zend_optimize_func_calls(zend_op_array *op_array, zend_optimizer_ctx *ctx)
 					 * At this point we also know whether or not the result of
 					 * the DO opcode is used, allowing to optimize calls to
 					 * ZEND_ACC_NODISCARD functions. */
-					if (opline->opcode != ZEND_CALLABLE_CONVERT) {
+					if (opline->opcode != ZEND_CALLABLE_CONVERT && opline->opcode != ZEND_CALLABLE_CONVERT_PARTIAL) {
 						opline->opcode = zend_get_call_op(fcall, call_stack[call].func, !RESULT_UNUSED(opline));
 					}
 
 					if ((ZEND_OPTIMIZER_PASS_16 & ctx->optimization_level)
 							&& call_stack[call].try_inline
-							&& opline->opcode != ZEND_CALLABLE_CONVERT) {
+							&& opline->opcode != ZEND_CALLABLE_CONVERT
+							&& opline->opcode != ZEND_CALLABLE_CONVERT_PARTIAL) {
 						zend_try_inline_call(op_array, fcall, opline, call_stack[call].func);
 					}
 				}