With some systems going into core including classes implementing ArrayAccess in order to preserve backward compatibility, we will need to bump the minimum version of PHP to 5.3.4 in order to allow offsetGet() to return by reference.
From: http://php.net/manual/en/arrayaccess.offsetset.php
This function is not called in assignments by reference and otherwise indirect changes to array dimensions overloaded with ArrayAccess (indirect in the sense they are made not by changing the dimension directly, but by changing a sub-dimension or sub-property or assigning the array dimension by reference to another variable). Instead, ArrayAccess::offsetGet() is called. The operation will only be successful if that method returns by reference, which is only possible since PHP 5.3.4.
From: http://www.php.net/manual/en/arrayaccess.offsetget.php
Starting with PHP 5.3.4, the prototype checks were relaxed and it's possible for implementations of this method to return by reference. This makes indirect modifications to the overloaded array dimensions of ArrayAccess objects possible.
A direct modification is one that replaces completely the value of the array dimension, as in $obj[6] = 7. An indirect modification, on the other hand, only changes part of the dimension, or attempts to assign the dimension by reference to another variable, as in $obj[6][7] = 7 or $var =& $obj[6]. Increments with ++ and decrements with -- are also implemented in a way that requires indirect modification.
While direct modification triggers a call to ArrayAccess::offsetSet(), indirect modification triggers a call to ArrayAccess::offsetGet(). In that case, the implementation of ArrayAccess::offsetGet() must be able to return by reference, otherwise an E_NOTICE message is raised.
Related issues:
#1717186: Empty class attributes being printed in elements using $attributes, $title_attributes, or $content_attributes
#1742734: [META] Widgets as Plugins
#1744216: Implementation of Number widgets
While 5.3.4 would be enough, it was a shortlived release and we recommend PHP 5.3.5 instead. Here are some operating systems:
- Ubuntu 12.04: 5.3.10
- OSX 10.7: 5.3.10
- OSX Mountain Lion: 5.3.13
- Red Hat Enterprise Linux RHEL-6.3: 5.3.3
- XAMPP for Linux: 5.4.4
- MAMP: 5.4.4 / 5.3.14
- WAMP: 5.3.13
- Fedora: 5.4.6
- Debian 6.0 "squeeze": 5.3.3
- Debian 7.0 "Wheezy" beta: 5.4.4
- Centos: 5.3.3
- FreeBSD 9.0: 5.3.8
- FreeBSD 8.2: 5.3.5
- FreeBSD 7.4: 5.3.5
- OpenBSD 5.0: 5.3.6
- OpenBSD 5.1: 5.3.10
For Red Hat Enterprise Linux and CentOS we recommend http://iuscommunity.org/Repos (maintained by Rackspace staff). For Debian, we hope by the time we release, Wheezy ships, but for people with Squeeze, http://www.dotdeb.org/ (dotdeb shows how shortlived 5.3.4 was, it doesn't even exist for Lenny)
Comment | File | Size | Author |
---|---|---|---|
#22 | 535.patch | 408 bytes | chx |
bump-minimum-version.patch | 408 bytes | jerdavis | |
Comments
Comment #1
jerdavisA quick survey of current OS and *AMP distributions looks like
Red Hat Enterprise Linux and CentOS are the only ones so far that look problematic. @chx suggests pointing RHEL users here:
http://www.webtatic.com/news/2012/07/latest-updates-php-5-4-5-5-3-15/
Comment #3
catchDo we have an idea when the next versions of RHEL and Centos are due out? Presumably they'll update PHP at least one point release.
I'm absolutely fine with upping requirements for 8.x (and the specific ArrayAccess issue will be useful for a few things), the only question is whether we'll break people's development environments now as we did for a while with Ubuntu.
Comment #4
Cameron Tod CreditAttribution: Cameron Tod commented"Sometime in 2013" according to this article http://www.serverwatch.com/server-trends/the-future-of-red-hat-enterpris...
CentOS will follow shortly afterwards. I'm not sure of Red Hat's update cycle within a major version though.
Comment #5
geerlingguy CreditAttribution: geerlingguy commentedbump-minimum-version.patch queued for re-testing.
Comment #7
geerlingguy CreditAttribution: geerlingguy commentedI'd be okay with this; we CentOS users are definitely used to using different repos for things like PHP anyways, lest we be stuck 3 years behind on certain packages (I'm running a few 5.x servers with PHP 5.3.10 and the remi repo).
Comment #8
webchickBased on those testbot results, I don't think this patch will be possible without upgrading all testbots to PHP 5.3.4+
Comment #9
chx CreditAttribution: chx commentedRight but the testbot people #1759340: Roll and deploy 2.13 want committer approval first (obviously).
Edit: #3 seems to be it.
Comment #10
boombatower CreditAttribution: boombatower commentedphp version increase is something we are tracking #1759340: Roll and deploy 2.13 along with other changes to be rolled out soon.
Comment #11
chx CreditAttribution: chx commentedSorry guys for the disruption but 5.3.4 is almost nonexistent. There are no distros shipping it, there was only one change between 5.3.4 and 5.3.5 in the changelog (the famous big number crash), dotdeb only has http://archives.dotdeb.org/dists/lenny/php5/ http://archives.dotdeb.org/dists/squeeze/php5/ 5.3.5 too. So I strongly recommend going to 5.3.5 otherwise we need to roll our own deb package for the testbot.
Comment #12
chx CreditAttribution: chx commentedOr perhaps go straight to 5.3.8 as the lowest common denominator? Reviewing the changelog there are quite a few useful fixes and I remember someone wanting 5.3.6 for something (perhaps the argumentless debug_backtrace?)
Comment #13
rfayPer #1 Current Debian (squeeze) is 5.3.3, not 5.4. So it goes on the problem list as well.
This actually comes up because the testbots run Debian squeeze, so we'll have to use dotdeb packages or something when 5.3.4 is required.
Comment #14
rfayCollision; restoring title and status
Comment #15
chx CreditAttribution: chx commentedNote that by the time we ship, Debian will be at Wheezy (it's beta already) so that will cease to be a problem (it ships 5.4.4).sarge, etch, lenny and squeeze both came at roughly two year intervals, by that count wheezy should be released 2013 spring (and it's beta already).
Comment #16
Crell CreditAttribution: Crell commentedCurrent Debian stable is 5.3.3 (that's what our Dev system at work has), which is my only concern. The next stable will be 5.4, which should be fine. So +1 in general, cautious on timing.
Comment #17
sunComment #18
chx CreditAttribution: chx commentedI withdraw #12 and stick with the title: FreeBSD 7.4 and 8.2 both shipped with 5.3.5. Let's go 5.3.5.
Comment #19
chx CreditAttribution: chx commentedOpenBSD 5.0 was 5.3.6 and 5.1 is 5.3.10. That's fine too.
Comment #20
yched CreditAttribution: yched commented[edit: crosspost]
Not sure what is needed to move forward here, but we'd really need this to move forward on a couple topics.
"widgets as Plugins" & "move Field config to CMI / ConfigEntities" require turning $field and $instance into classed objects, and using ArrayAccess is the only way for both issues to not start with a 500k patch upfront.
And being able to use d.o testbots would also be a significant help.
[edit: and, as noted above Field API is not the only subsystem involved. ArrayAccess will be an instrumental kickstart tool for many "X as plugins" or "Y as ConfigEntity"]
Comment #21
rfayI will take a look at building a testbot with higher php 5.3. If it works, we can see how we do.
Comment #21.0
chx CreditAttribution: chx commentedAdded OS to summary
Comment #22
chx CreditAttribution: chx commentedComment #24
rfayOK, testing on testbot 953, which is a 5.3.5 testbot it works :-) (I forced it to retry there.)
Comment #25
rfayOK, seems that everybody is in favor. The testbots are all upgraded to php 5.3.5.
Comment #26
catchAre there any current patches blocked on this?
I'd like to schedule this and announce it in g.d.o/core so that anyone on an older version of PHP has time to update, but how long it's scheduled in advance depends on the answer to the first question :p
Comment #27
Crell CreditAttribution: Crell commentedAs above I think the Field API as Plugins code is going to require either this patch or a 1MB patch file. :-) I don't know how close that is to caring though, now that testbots are upgraded.
Comment #28
yched CreditAttribution: yched commentedWe're good as long as the test bots run 5.3.4+. No hurry for the actual requirement bump.
Comment #28.0
yched CreditAttribution: yched commentedadded a note on 5.3.4
Comment #29
webchickLooks like catch has got this one.
Comment #30
chx CreditAttribution: chx commentedyched, if you start using 5.3.4 features -- that's IMO fine -- we already need to announce in case some developers use Squeeze / CentOS and we do not want them to file bug reports.
Comment #31
webchickOver at #1201444: Strenghten password hashing mechanism they are suggesting PHP 5.3.7 as the minimum version. Cross-posting.
Comment #32
chx CreditAttribution: chx commentedGoing 5.3.10 would only burn a few *BSD systems -- and FreeBSD has their 'ports' repository which is source code based so available on every release if I understand this correctly and that is latest PHP (5.4.x). Also, FreeBSD 9.1 is already RC. OpenBSD 5.0, well, it's already not the latest OpenBSD. So, Ubuntu LTS and OS X lets us go with 5.3.10. That's the bold question: do we skip those too and go 5.4 immediately? Traits. $this binding closures. That'd be very yummy.
So, 5.4.0 or 5.3.10?
Comment #33
geerlingguy CreditAttribution: geerlingguy commentedLets not forget the thousands of shared hosts out there who are only just now getting around to 5.3.x... I think 5.4.x would be too ambitious for D8 :(
Comment #34
gddThere is an existing discussion around 5.4 here for reference #1498574: [policy, no patch] Require PHP 5.4
Comment #35
chx CreditAttribution: chx commentedYeah. Likely 5.4 is too ambitious. Sad. Should I bump the title to 5.3.10?
Comment #36
catchMoving back to CNW. I'm personally happing bumping 5.3.x requirements as high as is remotely reasonable as long as we give people some warning to upgrade their dev environments etc. There's still nearly a year before the earliest likely release date so actual sites and hosting companies have ages to catch up.
We should keep 5.4 in a separate issue since that seems unlikely at the moment.
Comment #37
Owen Barton CreditAttribution: Owen Barton commentedI would favor 5.3.7 or higher since that will enable us to switch to bcrypt/blowfish for password hashing, which is stronger than what we have now (a major reason is that the password stretching would be in a C loop rather than a php loop, so harder for an attacker to exploit through optimization), as well as being more standard.
5.3.10 would be fine as well, although unless we have a known requirement or bug it is perhaps unnecessary to push it higher than necessary. It's a long way off though, so we can fine tune as we go.
Comment #38
tim.plunkettAlso, AnnotatedClassDiscovery has a workaround for not having 5.3.6.
Comment #39
yched CreditAttribution: yched commented#1785256: Widgets as Plugins is now RTBC, and currently blocked on this.
On IRC, catch said that we could consider moving to 5.3.5 as an immediate step to make ArrayAccess uses possible, and see about larger bumps later.
So tentatively pushing back to RTBC ?
Comment #40
Dries CreditAttribution: Dries commentedI'll let catch make this decision.
Comment #41
catchI confirmed with yched on #1785256: Widgets as Plugins that the ArrayAccess usage is primarily for backwards compatibility at the moment until all widgets are converted. That means it's at least possible for us to roll this back later if we absolutely had to for some reason - assuming we're not relying on the ArrayAccess bug fix elsewhere by that point.
So, I'm going to commit this in two weeks, then we can move this issue back to active for the 5.3.10 bump (which I'd definitely want to schedule further in advance than two weeks), and tag with revisit before release so we check the distro status closer to the time.
Comment #41.0
catchfix links
Comment #42
tstoecklerCool stuff! Should we post a notice to the Core group to give devs running a D8 site a heads-up?
Comment #43
Owen Barton CreditAttribution: Owen Barton commentedcatch already did (see link in his post), I think.
Comment #44
tstoecklerAhh, that was too nifty for me to catch (no pun intended). Sorry for the noise and thanks @Owen Barton.
Comment #45
chx CreditAttribution: chx commentedI recommend December 1 as the 5.3.10 date.
Comment #46
catchI keep forgetting which day I said I'd commit this. It's October 1st :)
Comment #47
webchickThis is catch's.
Comment #48
catchAlright. Committed/pushed to 8.x.
Comment #49
Owen Barton CreditAttribution: Owen Barton commentedOpened #1800122: Bump minimum version of php required to 5.3.10 to track a second bump.
Comment #50
chx CreditAttribution: chx commentedI have adjusted the change notice at http://drupal.org/node/1600010 accordingly.
Comment #51
pbz1912 CreditAttribution: pbz1912 commentedPosted a patch for INSTALL.txt at http://drupal.org/node/1801032
Comment #52
jhodgdonIt looks like some updates to http://drupal.org/requirements are needed -- and is there any core README or other text file that needs an update besides INSTALL.txt? If so, should we set this to "needs work / needs documentation (tag)" ?
Whoever updates the Reqirements page should probably incorporate the other stuff from http://drupal.org/node/1600010 (change notice) besides just that 5.3.5 is required.
Comment #53
podarok#52 thanks for pointing to docs
updated from change notice for D8
Comment #55
sunIt looks like we have to bump to 5.3.6 due to:
#1333730: [Meta] PHP DOM (libxml2) misinterprets HTML5
The
$node
parameter for DOMDocument::saveHTML() was added in PHP 5.3.6.Since there is #1800122: Bump minimum version of php required to 5.3.10 as separate issue and that one wants to bump even higher, I don't know whether it makes sense to re-open this issue or continue over there.
Comment #55.0
sunWebtatic is a guy in his basement; IUS repo is supported, widely-used, and well-maintained. Let's recommend IUS.
Comment #56
David_Rothstein CreditAttribution: David_Rothstein commentedAt the moment Drupal 8 requires PHP 5.4 (and we are months past whatever release date was originally assumed in these discussions) so I guess the "revisit before beta" tag here should just be removed.