Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:110999 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 95377 invoked from network); 14 Jul 2020 14:56:26 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 14 Jul 2020 14:56:26 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 6C24F18050A for ; Tue, 14 Jul 2020 06:48:51 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_20,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, MISSING_HEADERS,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f173.google.com (mail-lj1-f173.google.com [209.85.208.173]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 14 Jul 2020 06:48:50 -0700 (PDT) Received: by mail-lj1-f173.google.com with SMTP id b25so22749827ljp.6 for ; Tue, 14 Jul 2020 06:48:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:cc; bh=HQ/RGPa2qtGRKkgE6x3Ww4NPoaJ0gFUAfWTuv7CaUtA=; b=hXlfIF0p9jfG9dfyjJIYOmCBuLhDClaT8p2iisPoh6q6vv9SOL6R3SX+h4SO0h96v5 HueebFoRLIjiPcz4avWar5eqvECYAPRd6lIEBzu8wvz9np6p+0omkzMvt3omRL5wfnUC fDHX8nosODyMe1TmtOs+aZHgr/0ZRj/kkGgpJrFQtcrxYGWmecJQP81lLuqVsUluF1rz 20LfpadkU+0i2WFNXyL+cuDGmmW/QnHErvsA8+M3Vl+9h0aJmNeOpfAH5jGo0VLeZqRg 8vY0XGIfFd2fYYGHUSg0qwsnKQq69JZ/RRlXB4IeCtWHqNi+RY7EbIpazeJHYzDmaY9Y 7URw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:cc; bh=HQ/RGPa2qtGRKkgE6x3Ww4NPoaJ0gFUAfWTuv7CaUtA=; b=cAdlb2jETGZwh66igdggPvWnr+b0w/U+C2bXN0iMhAfd5YEbH7poUWMygspPEndOoB neXqVrpqxZc7rEU5WmMVq0SEPviOGcM2NCisprBnmbGMm+/J1j4FKbCg07aZ9icUPI17 CHU+0iU2E+G2R1Onl/uLdZoMK3s4L1kYRVJfD9mZEzXCw+aeJvSEm312rTsie7ha0Kkx b0tSxav+/M67IC+H7c1dAJa7onNuaPDIUvHyVTKx8S0Q62uviF54ffKYyZ7ZxhjnOLbB qzJLb8ulGjx+FCKTAS2UpId8ChT+7LPRw3yKwA5ZNbkeVdpeOMjXTLGZr2w6DFDLmXBp Lffw== X-Gm-Message-State: AOAM5315foO53qmn8rklPIp29eEbpvFLU1ZDlvgkN0TNC0xhURD58w6X oxlreZjNGQBZ+pRZkgyVOsiyNveBXzGO6DKGzl0/c/KNYvE= X-Google-Smtp-Source: ABdhPJxN57AxhKwjbyQSVkMDHscv288ijlPvAEPkoWyADKihh8ZaOt5my/ZwTXT5AnlN62v+EKU77TlV3+iJxjdTXws= X-Received: by 2002:a2e:8199:: with SMTP id e25mr2180901ljg.307.1594734526095; Tue, 14 Jul 2020 06:48:46 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 14 Jul 2020 15:48:30 +0200 Message-ID: Cc: PHP internals Content-Type: multipart/alternative; boundary="000000000000f0657605aa671082" Subject: Re: [PHP-DEV] [RFC] Saner string to number comparisons From: nikita.ppv@gmail.com (Nikita Popov) --000000000000f0657605aa671082 Content-Type: text/plain; charset="UTF-8" On Thu, Jul 2, 2020 at 10:09 AM Nikita Popov wrote: > On Mon, Mar 4, 2019 at 6:00 PM Nikita Popov wrote: > >> On Wed, Feb 27, 2019 at 10:23 AM Zeev Suraski wrote: >> >>> >>> >>> On Tue, Feb 26, 2019 at 2:27 PM Nikita Popov >>> wrote: >>> >>>> Hi internals, >>>> >>>> I think it is well known that == in PHP is a pretty big footgun. It >>>> doesn't >>>> have to be. I think that type juggling comparisons in a language like >>>> PHP >>>> have some merit, it's just that the particular semantics of == in PHP >>>> make >>>> it so dangerous. The biggest WTF factor is probably that 0 == "foobar" >>>> returns true. >>>> >>>> I'd like to bring forward an RFC for PHP 8 to change the semantics of == >>>> and other non-strict comparisons, when used between a number and a >>>> string: >>>> >>>> https://wiki.php.net/rfc/string_to_number_comparison >>>> >>>> The tl;dr is that if you compare a number and a numeric string, they'll >>>> be >>>> compared as numbers. Otherwise, the number is converted into a string >>>> and >>>> they'll be compared as strings. >>>> >>>> This is a very significant change -- not so much because the actual BC >>>> breakage is expected to be particularly large, but because it is a >>>> silent >>>> change in core language semantics, which makes it hard to determine >>>> whether >>>> or not code is affected by the change. There are things we can do about >>>> this, for example the RFC suggests that we might want to have a >>>> transition >>>> mode where we perform the comparison using both the old and the new >>>> semantics and warn if the result differs. >>>> >>>> I think we should give serious consideration to making such a change. >>>> I'd >>>> be interested to hear whether other people think this is worthwhile, and >>>> how we could go about doing it, while minimizing breakage. >>>> >>> >>> I generally like the direction and think we should seriously consider it. >>> >>> I think that before we make any decisions on this, or even dive too deep >>> into the discussion - we actually need to implement this behavior, >>> including the proposed INI setting you mentioned we might add in 7.4 - and >>> see what happens in some real world apps, at least in terms of potential >>> danger (as you say, figuring out whether there's actual breakage would >>> require a full audit of every potentially problematic sample. Ultimately, >>> I think there's no question that if we were to start from scratch, we'd be >>> going for something along these lines. But since we're not starting from >>> scratch - scoping the level of breakage is key here. >>> >>> Zeev >>> >> >> Totally agree that assessing the amount of breakage in real code is key >> here. I have now implemented a warning for PHP 7.4 (for now unconditional, >> no ini setting) that is thrown whenever the result of a comparison is going >> to change under the currently proposed rules: >> https://github.com/php/php-src/pull/3917 >> >> I've done a few initial tests by running this against the Laravel, >> Symfony and pear-core. The warning was thrown 2 times for Laravel, 1 times >> for Symfony and 2 times for pear-core. (See PR for the results.) >> >> Both of the warnings in pear-core pointed to implementation bugs. The >> Symfony warning was due to trailing whitespace not being allowed in numeric >> strings (something we should definitely change). One of the Laravel >> warnings is ultimately a false-positive (does not change behavior), though >> code could be improved to avoid it. I wasn't able to tell whether the other >> one is problematic, as it affects sorting order. >> >> I have to say that this is a lot less warnings than I expected. Makes me >> wonder if I didn't make an implementation mistake ^^ >> >> Regards, >> Nikita >> > > As we're moving closer to PHP 8 feature freeze, I want to give this RFC a > bump. I've updated the text to account for some changes that have happened > in the meantime, such as the removal of locale-sensitivity for float to > string conversions. > > It's been quite a while since we discussed this last, and back then the > discussion was fairly positive. Some experiments with a warning mode also > showed that the impact, at least in framework/library code, appears to be > fairly low in practice, contrary to what one might intuitively expect. > > Now would be the time to decide whether or not we want to pursue this > change for PHP 8. > And then there was silence... I think I'll just put this up for vote on Friday, and we'll see what people think :) Nikita --000000000000f0657605aa671082--