To compare the hashed password with the one provided by the user, there is the StringUtils utility provided by Symfony.
The documentation speaks about "timing attacks": an attacker may obtain useful information about the complexity of the password by observing the time a website needs to compare the provided password with the one it stores.
The documentation also says that "To avoid timing attacks, the known string must be the first argument and the user-entered string the second."
Why does the order matter?
Based on the current version of StringUtils, it actually doesn't matter. What does matter is the correct order of, e.g., password_verify().
The documentation is likely referring to the 2014 and earlier version of StringUtils, which tried to avoid leaking the string length. During the discussion to harden this class against the mbstring.func_overload configuration, it was decided that leaking the length was unavoidable, that the string length is usually public (e.g. for a MAC), and that it's generally better to focus on stopping the leak of useful information.
In that case, the order used to matter, but now it really doesn't.
I'd call it an outdated documentation issue. I opened a ticket in symfony-docs to correct it.
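The difference the answer describes, shown as an added example that is neither Symfony's code nor the answerer's. The three routines below are instrumented with an iteration counter instead of a stopwatch, so the amount of work each call does, which is what a timing attacker measures, is printed directly. The legacy-style routine is my reconstruction of the idea behind the old StringUtils::equals (loop over the length of the second argument), not a copy of it; the function names and the sample secret are mine.

```php
<?php
// Added example (not Symfony's own code): three comparison routines instrumented
// with an iteration counter in place of a stopwatch, so the work each one does
// per call, and therefore what a timing attacker could observe, is visible.

// 1. Naive comparison: exits at the first differing byte, so the amount of work
//    reveals how many leading bytes of the secret the guess got right.
function naiveEquals(string $known, string $user, int &$iterations): bool
{
    $iterations = 0;
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $iterations++;
        if ($known[$i] !== $user[$i]) {
            return false;
        }
    }
    return true;
}

// 2. Legacy-style comparison (my reconstruction of the pre-2015 StringUtils idea,
//    an assumption, not a copy): always loop over the length of the SECOND
//    argument. The work depends only on what the caller puts second, so with the
//    known string first the attacker learns nothing about the secret's length.
//    Put the arguments the other way round and the work tracks the secret.
function legacyEquals(string $known, string $user, int &$iterations): bool
{
    $iterations = 0;
    $knownLen = strlen($known);
    $userLen  = strlen($user);
    $known   .= $user;                     // make $known[$i] defined for every $i below
    $result   = $knownLen ^ $userLen;      // non-zero if the lengths differ
    for ($i = 0; $i < $userLen; $i++) {
        $iterations++;
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return 0 === $result;
}

// 3. hash_equals()-style comparison (what current StringUtils delegates to):
//    a length mismatch is rejected at once, accepting that the length leaks, and
//    otherwise every byte is visited with no early exit. It is symmetric, so the
//    argument order has no effect on timing.
function modernEquals(string $known, string $user, int &$iterations): bool
{
    $iterations = 0;
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $result = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $iterations++;
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return 0 === $result;
}

$secret  = 'correct-horse-battery-staple';  // constructed sample secret, 28 bytes
$guesses = [
    'xorrect-horse-battery-staple',         // same length, wrong from byte 0
    'correct-xorse-battery-staple',         // same length, wrong from byte 8
    'correct-horse-battery-staple',         // exact match
    'c',                                    // short guesses: a length probe
    'correct-h',
];

$n1 = $n2 = $n2swap = $n3 = 0;
printf("%-30s %6s %7s %15s %7s\n", 'guess', 'naive', 'legacy', 'legacy(swapped)', 'modern');
foreach ($guesses as $guess) {
    naiveEquals($secret, $guess, $n1);
    legacyEquals($secret, $guess, $n2);      // documented order: known string first
    legacyEquals($guess, $secret, $n2swap);  // reversed: loop length now equals strlen($secret)
    modernEquals($secret, $guess, $n3);
    printf("%-30s %6d %7d %15d %7d\n", $guess, $n1, $n2, $n2swap, $n3);
}

// password_verify() is a different case: its argument order is part of the API
// contract, not a timing precaution. Swapping the arguments leaks nothing; the
// call simply verifies the wrong thing, because $secret is not a valid hash.
$hash = password_hash($secret, PASSWORD_DEFAULT);
var_dump(password_verify($secret, $hash));   // correct order
var_dump(password_verify($hash, $secret));   // wrong order
```

Run it with `php compare.php`. In the table, only the naive column changes with how many leading bytes a same-length guess gets right, and only the legacy column changes with the length of the guess; the legacy(swapped) column is pinned at the secret's length regardless of the guess, which is exactly the leak the old documentation note was guarding against. The modern column is identical whichever argument comes first.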