The next version of HHVM is out (well it came out 6 days ago, I’ve just been at OSCON all week and haven’t had a chance to do this post).

Some of the highlights:

The other 100 bugfixes from our last lockdown.

hh_client and hh_server now build on OSX and don’t need .hhi files.

fastcgi params are now in $_SERVER .

$php_errormsg works.

PHP_VERSION now is 5.6.

Security Fixes:

CVE-2010-3065: PHP Session Serializer Session Data Injection Vulnerability

CVE-2013-3735: Segfault on memory exhaustion within function definition

CVE-2006-7243: NULL byte poisoning fix

Full HHVM Changelog:

“Outkast” 17-July 2014

PHP_VERSION is now 5.6

Introduce Dbl specific relational IR opcodes

Expose APC info to admin port

Improve Zend compatibility in the reflection API

Implement xdebug_call_class

Hack: first version of formatter

Convert ext/xsl to HNI

Hack: improve init time

Remove JIT::RuntimeType

Fix floating-point overflow for binary, octal and hex literals

Collections: Vector::addAllKeysOf

Hack can build on OSX now

Fix await/yield operator precedence

Fix various xcontroller issues

Enable HHIRBytecodeControlFlow by default

Various changes/fixes to WholeCFG region selector

Introduce async generators

Kill clock_settime

Fix Memcache::get($keys) when $keys is an array

Implement xdebug_call_function

Change order of wait handle processing from FIFO to LIFO

Add Redis::_serialize()

“Notorious B.I.G.” 25-Jun-2014

Remove Translator::analyze (replaced by tracelet region selector)

Allow empty keys in hash_hmac() and hash_hmac_file()

Interface requirements supported in parser

Implement xdebug_{peak_,}memory_usage

Inline singleton-pattern functions

Cleanup in PhpFile and FileRepository

Fix mysqli_query return value for query without result

Implement xdebug_call_file

Add fastlz support to memcached extension

Fix ini_get to return false for non-supported settings

Fix PHP version constants

All numeric comparisons involving NAN, except != and !==, are now false.

Implement xdebug_call_line

Optimize ini_get

Remove dump-file-repo admin command

Fix stdclass promotion of static private properties

Remove unused locals in global dce (HHBBC)

Get mockery at 100%

Fix casting resource to object

Relocate code to arbitrary alignment

Always let the first character through for camelcase searching

Implement xdebug configuration options

Convert ext/memcache to HNI

Match php5’s memcache getoption

./configure –help now has all the options

mysqli: return false on non-selects

Don’t include bt_handler or killpg in backtraces

Don’t buffer overrun on bad DNS TXT records

Fixed property access to DOM and XMLReader classes

Add support for ParamCoerceModeFalse

“Mos Def” 11-Jun-2014

Turn on new tracelet region selector by default; analyze() is deprecated

Fix a bug in debugBacktrace with NativeImpl methods

Request local allocator now uses logarithmically spaced size classes

Improvements to JIT’d FCallBuiltin to cause fewer spills

Enable vtable-style dispatch on methods marked “abstract”

JIT several instructions that were being punted: Unbox, File, Dir

Increase “hinted drop” time on write lease, improving JIT’d code layout

Implemented __toString functions in reflection classes

functions in reflection classes Several tc-print bug fixes

Some improvements in hhbbc arithmetic type inference

More service requests are “ephemeral”, reducing wasted stubs space

HH\Vector now has a packed array internally, for O(1) conversions to array

current() and key() now support expressions that can’t be taken by reference

Fix a long-standing but very rare race condition with Closure class names

gcc 4.8 is the new minimum to build

Various bug/compat fixes in Soap, SimpleXML, ArrayObject, DOMNode, mysqli

Add a scheme to extend support for efficient packed arrays w/ cap up to 2^32

Move vmfp, vmsp, and vmpc into RDS

Fix some hard-to-hit bugs in inlining relating to stack overflow checks

Faster int to double conversion when calling builtins from the JIT

Fix ReflectionParameter::getClass for scalar typehints

better tuning of the PGO ‘hot function’ threshold

performance improvements to calling native class methods

improve performance of async functions that exit via exception

several bug fixes in refcount optimization pass relating to async functions

More hhir-related docs in the hackers-guide

Initial support for relocating generated machine code

JIT optimizations for count()

Corrected the result of var_dump and print_r for ArrayObject

fix HH\autoload_set_paths with nested maps

make ReflectionClass serializable

ext/standard/output HNI conversion

allow usage of zend-qsort in user sorts with a runtime option

“LL Cool J” 28-May-2014

Over 200 other bug fixes (go lockdown!)

Every HDF setting is now available as INI

Cut session_id() size by 1/2

Added ‘Z’ format string for pack/unpack

We now build on clang

Fix pcre cache to not fatal when full

Implement $php_errormsg

Adding -n CLI option to hhvm php mode

Fix substitution of invalid UTF8 sequences in htmlspecialchars

FastCGI: Use SCRIPT_FILENAME as the PHP script to run

Can create DateTimeZone’s from abbreviations

Put all fastcgi params into $_SERVER

Many DOM classes are now serializable

Define the xhp tokens

Many reflection changes for perf and compatibility

Default fastcgi to listen on 127.0.0.1

remove register_cleanup_function

Map: reserve()

Set: retain(), reserve(), addAllKeysOf()

{Set|ImmSet|Vector|ImmVector}::fromKeysOf()

Comments