Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:104582 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 42804 invoked from network); 4 Mar 2019 20:12:49 -0000 Received: from unknown (HELO mail-it1-f193.google.com) (209.85.166.193) by pb1.pair.com with SMTP; 4 Mar 2019 20:12:49 -0000 Received: by mail-it1-f193.google.com with SMTP id v2so8255619ith.3 for ; Mon, 04 Mar 2019 09:00:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gSwHHiuttcG/r0P9GKl+m3e/FDlN01FQmvM20rQhq/A=; b=YRJhfz+WpR3mZUy8MIpYGxOUKnZOUETiZvhT55QLgUFBdWfmPt8RQ5XLQ84HuoFZIq wKiDRqylx53HyY0V4zTwrrBI0kuBOpRXvKDqUzunpymdEvS/jVu/tFQyQyzsEZBs8vX4 HgPfCmxXM5YcEuXMXMcmkaESqf87RHCZBb7cP0EmyLWnnharWxqLu1u37ZKiESSclkau s7jA3cMthiTMf3pJV0k9I1dhEVJvq8uoxlK5lKb5j1r0S0ghXTqEoq+vZRIn9hrxsUIZ qx7l8r5NQzmZ6fW+uhFjEK00EpWKGU+lw7zh9V32W72AG23WRmNYruifP68yttQAWu72 RWLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gSwHHiuttcG/r0P9GKl+m3e/FDlN01FQmvM20rQhq/A=; b=aHMaf8B0MPDr0NZN+j7YrXP1JXo/Kf4ub05UjK5xBfAUQcTastZsMAkctkTFAhsBDa +f4YZSn7oQhIqtIrrP0TU8i9ihZw8b4JCvhYswnhmCE7jljs0Ez8a5q8k4xL3ilnxfs4 /XdB6uv1z6F6ZK1X0PTHhesqnnUCIjqFUL0ucaArz7S2X3wEUFHDyOM4Arb6rVjbsklU acfNcm0Ywb1+fyk828kJMOQCtXqyAFCRzLYF3hTJjvGjAHJp6b8HDK+0H0b++wYxymbW eM5V/9adyg2gn1/JuuU3cwdRBqaBBaibSBHQK2GuWlHjYK7FPzJFqOhivKI4eM4TLsNW FvRQ== X-Gm-Message-State: APjAAAUQU+uX6J4KV9XjxeBgIeTQx+SI/Nb1mje6WBxyxR4PwClHz87X yko5XP7ttfLe/dmB9UAs1TxBi1maPWr7+/pwDbxneh7V X-Google-Smtp-Source: APXvYqyOb9YBPJJaBQpJpS3C6zCjlKQuFiJOl7moa8BqqaiyKVIfaYShUyndNzJSOZ1pNfXybXKR1o/GUgW+4uX77lc= X-Received: by 2002:a05:6638:285:: with SMTP id c5mr6384026jaq.36.1551718845234; Mon, 04 Mar 2019 09:00:45 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Mon, 4 Mar 2019 18:00:26 +0100 Message-ID: To: Zeev Suraski Cc: PHP internals Content-Type: multipart/alternative; boundary="0000000000008fc396058347b2e7" Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons From: nikita.ppv@gmail.com (Nikita Popov) --0000000000008fc396058347b2e7 Content-Type: text/plain; charset="UTF-8" On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > > > On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wrote: > >> Hi internals, >> >> I think it is well known that == in PHP is a pretty big footgun. It >> doesn't >> have to be. I think that type juggling comparisons in a language like PHP >> have some merit, it's just that the particular semantics of == in PHP make >> it so dangerous. The biggest WTF factor is probably that 0 == "foobar" >> returns true. >> >> I'd like to bring forward an RFC for PHP 8 to change the semantics of == >> and other non-strict comparisons, when used between a number and a string: >> >> https://wiki.php.net/rfc/string_to_number_comparison >> >> The tl;dr is that if you compare a number and a numeric string, they'll be >> compared as numbers. Otherwise, the number is converted into a string and >> they'll be compared as strings. >> >> This is a very significant change -- not so much because the actual BC >> breakage is expected to be particularly large, but because it is a silent >> change in core language semantics, which makes it hard to determine >> whether >> or not code is affected by the change. There are things we can do about >> this, for example the RFC suggests that we might want to have a transition >> mode where we perform the comparison using both the old and the new >> semantics and warn if the result differs. >> >> I think we should give serious consideration to making such a change. I'd >> be interested to hear whether other people think this is worthwhile, and >> how we could go about doing it, while minimizing breakage. >> > > I generally like the direction and think we should seriously consider it. > > I think that before we make any decisions on this, or even dive too deep > into the discussion - we actually need to implement this behavior, > including the proposed INI setting you mentioned we might add in 7.4 - and > see what happens in some real world apps, at least in terms of potential > danger (as you say, figuring out whether there's actual breakage would > require a full audit of every potentially problematic sample. Ultimately, > I think there's no question that if we were to start from scratch, we'd be > going for something along these lines. But since we're not starting from > scratch - scoping the level of breakage is key here. > > Zeev > Totally agree that assessing the amount of breakage in real code is key here. I have now implemented a warning for PHP 7.4 (for now unconditional, no ini setting) that is thrown whenever the result of a comparison is going to change under the currently proposed rules: https://github.com/php/php-src/pull/3917 I've done a few initial tests by running this against the Laravel, Symfony and pear-core. The warning was thrown 2 times for Laravel, 1 times for Symfony and 2 times for pear-core. (See PR for the results.) Both of the warnings in pear-core pointed to implementation bugs. The Symfony warning was due to trailing whitespace not being allowed in numeric strings (something we should definitely change). One of the Laravel warnings is ultimately a false-positive (does not change behavior), though code could be improved to avoid it. I wasn't able to tell whether the other one is problematic, as it affects sorting order. I have to say that this is a lot less warnings than I expected. Makes me wonder if I didn't make an implementation mistake ^^ Regards, Nikita --0000000000008fc396058347b2e7--