Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:104610 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 86342 invoked from network); 6 Mar 2019 23:29:41 -0000 Received: from unknown (HELO mo4-p00-ob.smtp.rzone.de) (85.215.255.25) by pb1.pair.com with SMTP; 6 Mar 2019 23:29:41 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1551903488; s=strato-dkim-0002; d=kelunik.com; h=Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=bZoFXFhEB1/MRxUBI25G43fG83fq/bI6a0CyRsRii9Y=; b=GXLvXWvcS5ETnU9/CE42MBQkZU5/tYW2Y9tlxdbH7aNaEifhfT8qXU6n+LUqjMjmbf X5SmB0mQs/yJ5R5FJ+7V8d7vC4mCs6glWC0Dqh2KkNYSszQ10my8tUO2w3TDIB9KF332 UEKKDQA1gJ+uDVnt2vGYDwZksbVjNmlI3aY5Y/T2q1TI/JALq6vcPxUBqduARkWCjjkb 1EAqFfbt3kk2xjv/qdygI215M2ybDhtM9oYl+N3vFpsuOtg18uf0UFjbyLbjnZ2Cpald VLTEdR0pV4m+kHRGusXtoIuUDE23UEvqR+RvOvHzYaScV4Ls2ccPMHxbAhHlkudBEbWB edWQ== X-RZG-AUTH: ":IWkkfkWkbvHsXQGmRYmUo9mlsGbEv0XHBzMIJSS+jKTzde5mDb8AaBYcZiAkcA==" X-RZG-CLASS-ID: mo00 Received: from mail-pf1-f178.google.com by smtp.strato.de (RZmta 44.13 AUTH) with ESMTPSA id h072d0v26KI8iUM (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Wed, 6 Mar 2019 21:18:08 +0100 (CET) Received: by mail-pf1-f178.google.com with SMTP id q17so9491346pfh.10 for ; Wed, 06 Mar 2019 12:18:08 -0800 (PST) X-Gm-Message-State: APjAAAWZx810gTdWK+xJzMbeB92K7OX1P+kYJF2VB23uBaJtpIpRcLiY c05Lfc8oPBsjiMjM75KMFpLWdcjB4vbbZZ+F+qY= X-Google-Smtp-Source: APXvYqx+0/aQtwwMIFCEUmRu/2kIcK8j44uM0wfPr8Evt5Gr4q3wTL8ivJaJhGicpp0OjK9Z1reT7IOnRmmYowHc1cA= X-Received: by 2002:aa7:80c8:: with SMTP id a8mr9210911pfn.193.1551903487173; Wed, 06 Mar 2019 12:18:07 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: Date: Wed, 6 Mar 2019 21:17:56 +0100 X-Gmail-Original-Message-ID: Message-ID: To: Nikita Popov Cc: Zeev Suraski , PHP internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons From: me@kelunik.com (Niklas Keller) Am Mo., 4. M=C3=A4rz 2019 um 18:00 Uhr schrieb Nikita Popov : > > On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > > > > > > > On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov wro= te: > > > >> Hi internals, > >> > >> I think it is well known that =3D=3D in PHP is a pretty big footgun. I= t > >> doesn't > >> have to be. I think that type juggling comparisons in a language like = PHP > >> have some merit, it's just that the particular semantics of =3D=3D in = PHP make > >> it so dangerous. The biggest WTF factor is probably that 0 =3D=3D "foo= bar" > >> returns true. > >> > >> I'd like to bring forward an RFC for PHP 8 to change the semantics of = =3D=3D > >> and other non-strict comparisons, when used between a number and a str= ing: > >> > >> https://wiki.php.net/rfc/string_to_number_comparison > >> > >> The tl;dr is that if you compare a number and a numeric string, they'l= l be > >> compared as numbers. Otherwise, the number is converted into a string = and > >> they'll be compared as strings. > >> > >> This is a very significant change -- not so much because the actual BC > >> breakage is expected to be particularly large, but because it is a sil= ent > >> change in core language semantics, which makes it hard to determine > >> whether > >> or not code is affected by the change. There are things we can do abou= t > >> this, for example the RFC suggests that we might want to have a transi= tion > >> mode where we perform the comparison using both the old and the new > >> semantics and warn if the result differs. > >> > >> I think we should give serious consideration to making such a change. = I'd > >> be interested to hear whether other people think this is worthwhile, a= nd > >> how we could go about doing it, while minimizing breakage. > >> > > > > I generally like the direction and think we should seriously consider i= t. > > > > I think that before we make any decisions on this, or even dive too dee= p > > into the discussion - we actually need to implement this behavior, > > including the proposed INI setting you mentioned we might add in 7.4 - = and > > see what happens in some real world apps, at least in terms of potentia= l > > danger (as you say, figuring out whether there's actual breakage would > > require a full audit of every potentially problematic sample. Ultimate= ly, > > I think there's no question that if we were to start from scratch, we'd= be > > going for something along these lines. But since we're not starting fr= om > > scratch - scoping the level of breakage is key here. > > > > Zeev > > > > Totally agree that assessing the amount of breakage in real code is key > here. I have now implemented a warning for PHP 7.4 (for now unconditional= , > no ini setting) that is thrown whenever the result of a comparison is goi= ng > to change under the currently proposed rules: > https://github.com/php/php-src/pull/3917 > > I've done a few initial tests by running this against the Laravel, Symfon= y > and pear-core. The warning was thrown 2 times for Laravel, 1 times for > Symfony and 2 times for pear-core. (See PR for the results.) > > Both of the warnings in pear-core pointed to implementation bugs. The > Symfony warning was due to trailing whitespace not being allowed in numer= ic > strings (something we should definitely change). One of the Laravel > warnings is ultimately a false-positive (does not change behavior), thoug= h > code could be improved to avoid it. I wasn't able to tell whether the oth= er > one is problematic, as it affects sorting order. > > I have to say that this is a lot less warnings than I expected. Makes me > wonder if I didn't make an implementation mistake ^^ > > Regards, > Nikita Most warnings will not come from framework code, but code interfacing with browsers, I guess. Regards, Niklas