Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:117784 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 80743 invoked from network); 24 May 2022 12:23:31 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 24 May 2022 12:23:31 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id D504C180084 for ; Tue, 24 May 2022 07:05:46 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,NICE_REPLY_A, RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS8560 212.227.0.0/16 X-Spam-Virus: No X-Envelope-From: Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Tue, 24 May 2022 07:05:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1653401143; bh=0TehU/ad2TIA3VpgEKuhw4ZrD1qB/nBP+EGIKtT98Uw=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From:In-Reply-To; b=i4vKfp1VnRSgVlIHuAZr74UCf/ns70vaiIxCjfqsyNuY2d05l4Ae/GS5SGQmhA/dl p0+2JQxINFkNsgv6QDm4bYqx2/Fclmffp1KLUdfawoV8t2XX/H53ce+3njrXSZc+Ot WyvntSt1qdQf4uLSve1DMmEQiv746w4I0QZd8XUc= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from [192.168.178.120] ([24.134.51.41]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MQe5k-1oEtOb1LGg-00NevB; Tue, 24 May 2022 16:05:43 +0200 Message-ID: Date: Tue, 24 May 2022 16:05:42 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0 Content-Language: en-US To: Dan Ackroyd Cc: internals@lists.php.net References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:mWWinZ1IAwqkqgC2SWbqA/OkF+y7HHGCBHAVr7dEcfiDvNSUJ28 H8Xn73JIjD48q6nsdislMCVLpi4eooSconoO9sF/UmVGpb4gxAYxQgOPv2laSFx2dvXHLOZ AVlLNUWCDVuD6ea9BqtoobPeFIo7ycC52B0sceZjvLkPw04qUVUuhkUIhjs6M2qjKAvo8NG 1Ez2RdbZpo3ZB7DD6WsxA== X-UI-Out-Filterresults: notjunk:1;V03:K0:MqsnuiTDgLs=:X6nX7hNa3uspp++CSO5MI+ HWerQI2b59/NYNjfZ9eIIbNfgKg2Q4nWJPYT/YE+NXnlNj7d3I5b/CQHU1gQwiDzw/X/AAHQ0 mGP+i/B3kh3ZDJftjBw/FlvuorRBVe37rCaAH9UGBK8lw92RO634r1CVIV2idUFEwRsBvWQSB JYQivCUyXULd+ks966V03kkoXn7BEfFPLaq2Rz0z1Ce/QYJuohhesWvezpPhuBGIbDCp+Fhat NGj6FptkJj9dlAx+0+0frjzlFBKkGKoTCPiyhVfPvwXjrv63Ktx6eEFiCZWbiLRj9p2/Ny54e BBgKUKLAxUPBYPJ8GsYzfWyUr9rL7A/obn5vL5flMZVuJOt1SsBL8Wc/wzxcAtmc2lf8Iqrnl iXw1AGh4QwI1lBqvvghZY5McAONDMS2qH98VON0QJqGzr48c0feup93rz5pToJB843nXZWVRv k7JYJlOQTPdJfJpUKMBW/u7KHG1HI0rdrP4qegmXUbG8Mb+ytltHhsSLNHXyNH/FFgLARbAOh zu3n+8oRdQ/W7xbbfD0Bdxo+lb0caJUT+HdPH7ZWW2nMnCP1ZFnyOv+UgRk1XWHMVVOda9Gqk tCbQAUhwFc2Xgb6wBRWn3P0sBgOLZ9IS9p9I+Hf9AdujUOjUjKBz/9pV+HyNAZM7/Kf2RwfyC xqF0WNkMHd7sN1zJyh6QrTQXdqMLSjzWANiIRNeNyMOA22kfEKz0JjpG2aHsgX4o/8/zQUEQC AbUp89MCUCAVPJDVE2y6O0Cje4cOecKvJuF5NVuLQqNwVdVOADDHwKyaG2KPWaJE/t4kLDZKg Vlod/Lnk4IY23B/H4pOaKay8q18/naPyuK9la1Te2LXfR27XgKTfVlBppyWccjvCRIOUtvENj nTX7E6q8QsldEUq+B6Ld0H5H95vnL1wybhMqE8UvVqKI4taFUdJu5l5gJl9shHXtgrs7QOiwG 6xOqN1/sVfCIY+rBEr7QMJOqGSmKEAzTjSAfACR8UIWc/x6kw41C1IAbO2yuGTun4rwuDeodL va+mRbytvIt0NAQwWtrF4nffpnzDI9g+nLhDjRbfLI5dP9wvYA4C31twmCMwk2NXgcIigw6wo S3vXKG8y73XzsXmOdkbZ5uZ3I7SQxVsaHen54Jr5/Ls1gtDaw5GH9F7Pw== Subject: Re: [PHP-DEV] [Discussion] Stricter implicit boolean coercions From: a.leathley@gmx.net (Andreas Leathley) On 24.05.22 15:33, Dan Ackroyd wrote: > "When discussion ends, and a minimum period of two weeks has passed" > Fyi, the two weeks is a minimum, and almost certainly not enough time > for subtle BC breaking RFCs like this. I explicitely stated that to make it clear that this should be considered a discussion period. I am not trying to circumvent anything, just make it clear that now is the time to discuss this. And I am ready to fully discuss this, as hopefully I have shown so far. I am also not sure what you mean with "subtle BC breaking RFCs". How is this RFC subtly BC breaking? It introduces a deprecation notice, that is it - for one that is not subtle, it is explicit, and it does not break BC except for introducing said notice. Is that not the very minimal BC break you can achieve to highlight a possible problem in code? > I think you should really explicitly list what the changes are in a > single table rather than in sentences. What do you think is unclear, and what would you include in such a table? In the Proposal section I listed all values which are considered allowed, and I tried to include more examples there too to highlight the outcome. The behavior is not changed by this RFC. > >> Would you want to know when a value like -375, =E2=80=9Cfalse=E2=80=9D = or NaN >> is given to a typed boolean (and coerced to true) in a codebase? > Yes. > > Which is why I always use both PHPStan and Psalm to detect those types > of things where those types of bugs are important. > > Also, strict mode is great. Even when using PHPStan and Psalm you can encounter such a value, for example coming from a form, or an API. Using strict mode is a possibility, but also a big hammer - so how do you coerce a value coming from a form in strict mode? With an explicit coercion like (bool) or boolval()? Because there you might also be losing information unexpectedly - I do have some ideas to enable implicit coercions in strict mode, because you might not want to convert "failed" from an API to true by using explicit coercions, in my applications I would prefer to at least notice or even throw an exception in such cases, and the programming language streamlining this could be helpful. > >> In one application recently I actually had the string "false" (coming >> from a form transmission) being passed to a boolean argument and leadin= g >> to true, which definitely was unintended. > But "false" is a perfectly sensible thing to pass as a string in an > API (as HTTP is a string based protocol). As is 'faux' if your API is > used by French speaking programmers. > > You need an layer of code that converts from strings to the precise > types your API needs, rather than just passing values straight > through. That sounds good in theory, but it is the exact thing that is so hard in practice, when dealing with forms, APIs, different programming languages, different human languages, different input formats, changing code, etc. I am not against writing great code and checking all values all the time, but I do think this is not the reality. > Although this change would probably detect some bugs, it's not at all > obvious that the amount of pain would be worth it. > > A lot of applications out there aren't being constantly developed. > Instead they are in maintenance mode, where there isn't a programmer > dedicated to constantly work on it. There would be lots of function > calls to check, and some of them would need code to be modified to > maintain the existing behaviour. And all of that would seem to be > subtle work, prone to mistakes. Earlier you argued that there is no need to detect -375, "false" or NaN being coerced to a boolean type, because one can use strict mode and static analyzers, now you argue that legacy applications would have too much work generated by this RFC. But I don't quite understand why: This RFC introduces deprecation notices, not TypeErrors. It does not force legacy applications to change anything, it just points out boolean coercions that seem dodgy. If these deprecation notices provide little value in the upcoming years, there is no need to promote them to a TypeError, they could even be removed again - but I do think they will provide value and often point out bugs, so much so that a TypeError will seem reasonable at some point in the future, but there really is no hurry in escalating it. For now just being able to notice these boolean coercions would make a huge difference.