Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:110811 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 76403 invoked from network); 2 Jul 2020 09:20:29 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 2 Jul 2020 09:20:29 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 5CAA51804E2 for ; Thu, 2 Jul 2020 01:09:53 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_40,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 2 Jul 2020 01:09:52 -0700 (PDT) Received: by mail-lf1-f48.google.com with SMTP id o4so15470412lfi.7 for ; Thu, 02 Jul 2020 01:09:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bbQHtgXogSuLwemNOkEZwrZFJCJ4UNXEeIfbFVC52zw=; b=lMCRmYc+p87C5h+/R8bWYthFOk1xHY0g5F8svBrx4bZSgdP8jpAqhExaqAvAy9iSlv C/TVNNMJrYJpbG5Ym9hHAL+qLfPzCeX+n5Ks4ZiZ9xqdyqQwPPJ2s1vIjiEz8kcVDBXQ MmzbIfi5XBBO9b+FsmMrufGhRLn3ZWT612ybTdgFhgferUtrQi5ON7xYkgrMkfaBOZ2X T0QjPi1li83Ny71hv3O/DR/8yeSmfOVc/gyLG/OUAyaTKG87s34CiuQtEz5BXbubaCz1 2lTwPkV2jusU0+sSbXmxHsEg459FXtfUVN3jJs4HfnCnozwbxPe8nrPzd3Rtgwol5RDU hL0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bbQHtgXogSuLwemNOkEZwrZFJCJ4UNXEeIfbFVC52zw=; b=OD5JDycFtQDwKbILeGjNnpWrFo1sGSHXLcQCMqIzuFjXIx4RStm7UqOgFDHpZ4YRd2 SkWw3vzjV7mFiJKmqOUhiB1sZJSqLzKmOWCY5A5me7vmLDAxk4RD0ily7B/M11wyjTTp j5U9ivYC5et43PqloUPaD3cbwY4DDiLSZWk5Hln467JayyI69NaSQfpV1WDxLxGKD/ub jxTV5uiTnlgvh7/fugbtvscbT22boQTQgu8/DNIF8O6YJZ2omNTkGXAjhyVbeIWbKqTW BGlDnLpyso8oQi52fYubijKtCysaD1Qw6MEgATJR/eJRtmQUQ26x/eOaq3oFhR02i00D IVKA== X-Gm-Message-State: AOAM53238WlzrCpZvYmhepmG6mwdSDMVWjGqHBgiNbTCwWy2ErkMIWkW 9GcOXRRi2D1pEDwVNeVgcSHWXT9svVxWS6Qofzs= X-Google-Smtp-Source: ABdhPJzg0AzulO+DcNqaSa8eSjMDF5hLqqjuLLBl/5jmvCo6UX5rJS7GdVtZjbbWipTxBIT5mOYFsDhueIDmXaNONKc= X-Received: by 2002:a19:ad41:: with SMTP id s1mr1335411lfd.191.1593677391266; Thu, 02 Jul 2020 01:09:51 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 2 Jul 2020 10:09:35 +0200 Message-ID: To: Zeev Suraski Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000cb078705a970ee5a" Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons From: nikita.ppv@gmail.com (Nikita Popov) --000000000000cb078705a970ee5a Content-Type: text/plain; charset="UTF-8" On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: > On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: > >> >> >> On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov >> wrote: >> >>> Hi internals, >>> >>> I think it is well known that == in PHP is a pretty big footgun. It >>> doesn't >>> have to be. I think that type juggling comparisons in a language like PHP >>> have some merit, it's just that the particular semantics of == in PHP >>> make >>> it so dangerous. The biggest WTF factor is probably that 0 == "foobar" >>> returns true. >>> >>> I'd like to bring forward an RFC for PHP 8 to change the semantics of == >>> and other non-strict comparisons, when used between a number and a >>> string: >>> >>> https://wiki.php.net/rfc/string_to_number_comparison >>> >>> The tl;dr is that if you compare a number and a numeric string, they'll >>> be >>> compared as numbers. Otherwise, the number is converted into a string and >>> they'll be compared as strings. >>> >>> This is a very significant change -- not so much because the actual BC >>> breakage is expected to be particularly large, but because it is a silent >>> change in core language semantics, which makes it hard to determine >>> whether >>> or not code is affected by the change. There are things we can do about >>> this, for example the RFC suggests that we might want to have a >>> transition >>> mode where we perform the comparison using both the old and the new >>> semantics and warn if the result differs. >>> >>> I think we should give serious consideration to making such a change. I'd >>> be interested to hear whether other people think this is worthwhile, and >>> how we could go about doing it, while minimizing breakage. >>> >> >> I generally like the direction and think we should seriously consider it. >> >> I think that before we make any decisions on this, or even dive too deep >> into the discussion - we actually need to implement this behavior, >> including the proposed INI setting you mentioned we might add in 7.4 - and >> see what happens in some real world apps, at least in terms of potential >> danger (as you say, figuring out whether there's actual breakage would >> require a full audit of every potentially problematic sample. Ultimately, >> I think there's no question that if we were to start from scratch, we'd be >> going for something along these lines. But since we're not starting from >> scratch - scoping the level of breakage is key here. >> >> Zeev >> > > Totally agree that assessing the amount of breakage in real code is key > here. I have now implemented a warning for PHP 7.4 (for now unconditional, > no ini setting) that is thrown whenever the result of a comparison is going > to change under the currently proposed rules: > https://github.com/php/php-src/pull/3917 > > I've done a few initial tests by running this against the Laravel, Symfony > and pear-core. The warning was thrown 2 times for Laravel, 1 times for > Symfony and 2 times for pear-core. (See PR for the results.) > > Both of the warnings in pear-core pointed to implementation bugs. The > Symfony warning was due to trailing whitespace not being allowed in numeric > strings (something we should definitely change). One of the Laravel > warnings is ultimately a false-positive (does not change behavior), though > code could be improved to avoid it. I wasn't able to tell whether the other > one is problematic, as it affects sorting order. > > I have to say that this is a lot less warnings than I expected. Makes me > wonder if I didn't make an implementation mistake ^^ > > Regards, > Nikita > As we're moving closer to PHP 8 feature freeze, I want to give this RFC a bump. I've updated the text to account for some changes that have happened in the meantime, such as the removal of locale-sensitivity for float to string conversions. It's been quite a while since we discussed this last, and back then the discussion was fairly positive. Some experiments with a warning mode also showed that the impact, at least in framework/library code, appears to be fairly low in practice, contrary to what one might intuitively expect. Now would be the time to decide whether or not we want to pursue this change for PHP 8. Regards, Nikita --000000000000cb078705a970ee5a--