HipHop Virtual Machine for PHP

HHVM 4.104 is released! This release marks the end of support for 4.56 (LTS) and 4.98; HHVM 4.99–4.103 remain supported, as does the 4.80 LTS release. Note that HHVM 4.104 is not a long-term support (LTS) release as originally scheduled. Instead ... [More] , HHVM 4.102 was promoted to a LTS release. Highlights Various IDE integration improvements (autocomplete, go-to-definition, tooltips). Breaking Changes We no longer build packages for MacOS 10.14 (Mojave). [Less]

HHVM 4.103 is released! This release marks the end of support for 4.97; HHVM 4.98–4.101 remain supported, as do the 4.56, 4.80, and 4.102 LTS releases. Highlights Functions with implicit/no return are now considered a subtype of functions that ... [More] return mixed or dynamic; for example, it is now possible to pass () ==> { echo "hello"; } as a (function(): mixed) Improved autocomplete support for enum classes Reduced typechecker memory usage for large classes (including small classes with many inherited members). Enum classes are now enabled by default. Added HH\EnumClassAttribute interface, allowing definition of user attributes for enum classes. Many builtins are now marked as pure. Breaking Changes Hack arrays and legacy arrays are unified; due to the potential scope of this change, 4.102 has been made an additional out-of-schedule LTS release to allow more time to determine migration paths. varray is now an alias for vec darray is now an alias for dict Shapes are now backed by dicts at runtime; this generally remains considered an implementation detail, but will be helpful when handling untyped data such as decoded JSON. Tuples are now backed by vecs at runtime; this is also an considered an implementation detail. Removed runtime support for PHP-style static anonymous functions; these have been disabled by default since May 2020, and were not correctly handled by the typechecker. Typechecker errors are now raised for some circular definitions of class constants; this is ongoing work, and we expect more circular definitions to be detected in future versions. apc_prime.so support has been removed; this was an undocumented feature that would allow providing a C++ library to pre-fill APC on HHVM startup. A typechecker error is now raised if an XHP class declares two attributes with the same name. PowerPC64 support has been removed; it has been unusable for some time, and we do not have the CI infrastructure necessary to support it. Future Changes HHVM still uses hh_single_compile, however the parser and emitter are also embedded, and we expect to remove the dependency on hh_single_compile and potentially remove the executable in the future. The embedded compiler can be tested with the hhvm.hack_compiler_use_compiler_pool=false INI setting. We expect to remove support for MacOS 10.14 (Mojave) in the near future. [Less]

HHVM 4.102 is the last release where varray and darray are treated as distinct types from vec and dict. From HHVM 4.103 on, varray becomes an alias for vec, and darray an alias for dict (in HHVM 4.101 and 4.102, the INI option hhvm.hack_arr_dv_arrs=1 ... [More] can be used to enable the new behavior). To give users more time to migrate, we are promoting HHVM 4.102 to a long-term support (LTS) release. Similarly to other LTS releases, it will be supported until superseded by two regularly scheduled LTS releases. We expect these releases to be HHVM 4.128 and 4.152, in which case, 4.102 will be supported for ~ 50 weeks. This replaces the regularly scheduled LTS release, HHVM 4.104, which will likely be a standard release (supported for 6 weeks). However, we might add one more unscheduled LTS release between HHVM 4.102 and 4.128 if it makes the migration from varray/darray to vec/dict easier. [Less]

HHVM 4.102 is the last release where varray and darray are treated as distinct types from vec and dict. From HHVM 4.103 on, varray becomes an alias for vec, and darray an alias for dict (in HHVM 4.101 and 4.102, the INI option hhvm.hack_arr_dv_arrs=1 ... [More] can be used to enable the new behavior). To give users more time to migrate, we are promoting HHVM 4.102 to a long-term support (LTS) release. Similarly to other LTS releases, it will be supported for approximately 48 weeks—until superseded by two regularly scheduled LTS releases, expected to be HHVM 4.128 and 4.152. This replaces the regularly scheduled LTS release, HHVM 4.104, which will likely be a standard release (supported for 6 weeks). However, we might add one more unscheduled LTS release between HHVM 4.102 and 4.128 if it makes the migration from varray/darray to vec/dict easier. [Less]

HHVM 4.102 is released! This release marks the end of support for 4.96; HHVM 4.97–4.101 remain supported, as do the 4.56 and 4.80 LTS releases. Breaking Changes Usage of <<__Override>> is now correctly enforced on methods declared on ... [More] interfaces (previously it was only enforced on methods declared in classes and traits). The typechecker will raise an error if the attribute is used on an interface method that was not declared on any of your interface’s parent interfaces. The typechecker now correctly raises an error if a protected method declared in a trait is called from an invalid context. Previously, there was a bug where the typechecker would allow calling the protected method from any class that used the same trait, even if it wasn’t a child or parent of the target class. Such calls would cause a runtime error but previously wouldn’t be caught by the typechecker. Future Changes In the future, using any of the arithmetic operators (+, -, *, /, %, **) with values of non-numeric types (all types except int and float) will cause an exception to be thrown at runtime. All of these cases already raise typechecker errors. Same rules apply to the respective assignment operators (+=, **=, etc.). The INI option hhvm.notice_on_coerce_for_math=2 can be used to enable the future behavior now (set to 1 to raise a notice instead of throwing an exception). Similar restrictions also apply to the increment and decrement operators ($i++, --$i). The INI option hhvm.notice_on_coerce_for_inc_dec can be used to enable the future behavior for these (set to 1 for notice, 2 for exception). [Less]

HHVM 4.101 is released! This release marks the end of support for 4.95; HHVM 4.96–4.100 remain supported, as do the 4.56 and 4.80 LTS releases. Highlights ‘Variable $x is undefined, or not always defined’ errors will no longer suggest ... [More] non-denotable internal variable names, such as $0splice0 Breaking Changes The typechecker now checks that switch($x) is exhaustive for enum classes, not just for normal enums; the runtime continues to require that either a case matches, or there is a default case. array_slice() no longer converts int-like string keys to ints hhbbc now always runs in repo-authoritative mode Future Changes Hack arrays: in the next 2-8 weeks, we expect to make varray an alias for vec, and darray an alias for dict; varray and darray will no longer be distinct types to Hack arrays. This will also affect the runtime implementation of shapes and tuples, which are currently implemented with darrays and varrays respectively. You can test this behavior now with the hhvm.hack_arr_dv_arrs=1 ini setting. [Less]

HHVM 4.100 is released! This release marks the end of support for 4.94; HHVM 4.95–4.99 remain supported, as do the 4.56 and 4.80 LTS releases. Highlights The typechecker now takes advantage of the guarantee that switch statements are exhaustive ... [More] (this has been enforced at runtime since HHVM 4.80), i.e. that at least one branch of the switch statement is guaranteed to be executed (or an exception is thrown). This allows the typechecker to e.g. correctly infer the type of any variable that is set in all branches of the switch statement, allowing some previously rejected programs to pass. Breaking Changes The built-in attribute <<__Pure>> and all related attributes (__AtMostRxAsArgs, __AtMostRxAsFunc, __Cipp, __CippGlobal, __CippLocal, __MaybeMutable, __Mutable, __MutableReturn, __NonRx, __OnlyRxIfImpl, __OwnedMutable, __ReturnsVoidToRx) were removed. They have been replaced by contexts and capabilities. The typechecker now raises an error if the is and as operators are used with the type nothing ($x is nothing, $x as nothing). Future Changes In the future, using any of the bitwise operators with values of incompatible types will cause an exception to be thrown at runtime (all of these cases already raise typechecker errors). Affected operators: &, |, ^: both operands must be int or both string ~ (unary): operand must not be double <<, >>: both operands must be int Same rules apply to the respective assignment operators (&=, <<=, etc.). The INI option hhvm.notice_on_coerce_for_bit_op=2 can be used to enable the future behavior now (set to 1 to raise a notice instead of throwing an exception). [Less]

HHVM 4.99 is released! This release marks the end of support for 4.93; HHVM 4.94–4.98 remain supported, as do the 4.56 and 4.80 LTS releases. Highlights IDE support (LSP) now recognizes XHP attributes, enabling features like go-to-definition and ... [More] hover to peek definition. Breaking Changes The typechecker now raises an error in some previously undetected cases where a class inherits multiple conflicting definitions of the same type constant. These had already been runtime errors, but previously some cases wouldn’t be caught by the typechecker. See updated documentation for more details about how naming conflicts are resolved. The built-in classes Exception, Error, Throwable no longer have their methods marked as <<__Pure>>. This means that exceptions can no longer be thrown from other <<__Pure>> functions. The affected methods are annotated with the “pure” (empty) context list, so exceptions can still be thrown from similarly annotated pure functions. Future Changes In the future, we expect the return type of meth_caller to change from __SystemLib\MethCallerHelper to a native function reference type. This shouldn’t affect normal usage, but may affect edge cases like serialization. Notably, the new values cannot be stored in APC. The INI option hhvm.emit_meth_caller_func_pointers=true can be used to switch to the new format now. Separately, the INI option hhvm.forbid_meth_caller_apc_serialize=1 can be used to raise a warning when values in the old format are stored in APC, without switching to the new format. Setting it to 2 will throw an exception instead of the warning. The built-in attribute <<__Pure>> will be removed in a future release. It has been replaced by contexts and capabilities. [Less]

A security update has been released for all supported HHVM versions. Please update to one of the following versions to make sure you’re secure: 4.56.3 (release 4.56.4 is identical but fixes Ubuntu 16.04 and Debian 8 support) 4.80.2 (release ... [More] 4.80.3 is identical but fixes Ubuntu 20.10 support) 4.93.2 4.94.1 4.95.1 4.96.1 4.97.1 4.98.1 This security update addresses the following vulnerabilities: CVE-2020-1917: out-of-bounds write (1 byte) in exif_read_data() CVE-2020-1918: memory disclosure vulnerability using “data:” URLs CVE-2020-1919: out-of-bounds heap read in substr_compare() CVE-2020-1921: out-of-bounds write (1 byte) in crypt() CVE-2021-24025: integer overflow causing out-of-bounds heap write in preg_quote() out-of-bounds heap read (2 bytes) in exif_read_data() [Less]

HHVM 4.98 is released! This release marks the end of support for 4.92; HHVM 4.93–4.97 remain supported, as do the 4.56 and 4.80 LTS releases. Highlights Minor improvements to various typechecker error messages. Breaking Changes The ... [More] typechecker now correctly reports errors when a class inherits multiple conflicting definitions of the same non-abstract constant from its parent class/interfaces/traits. These had already been runtime errors, but previously wouldn’t be caught by the typechecker. Future Changes We expect the built-in function inst_meth to be removed in a future release (anonymous functions or meth_caller can be used instead). The .hhconfig flag disallow_inst_meth=true and the INI option hhvm.hack.lang.disallow_inst_meth=true can be used to enforce the future behavior now. As mentioned last week, we expect string concatenation ('hello '.$name) and interpolation ("hello $name") to become restricted to string and int values in the future. This release adds the runtime (INI) option hhvm.notice_on_coerce_for_str_concat which can be used to raise a notice (if set to 1) or throw an InvalidOperationException (if set to 2) when concatenating/interpolating other types, in addition to the typechecker flag added in last week’s release. [Less]