Newsgroups: php.internals
Date: Sun, 13 Apr 2025 12:53:58 +0100
Subject: Re: [PHP-DEV] [RFC] [Discussion] Change default for zend.exception_ignore_args INI setting
To: internals@lists.php.net
From: imsop.php@rwec.co.uk ("Rowan Tommins [IMSoP]")

On 09/04/2025 03:00, Andrew Lyons wrote:
> Hi everyone,
>
> I've been working on a new RFC which proposes changing the default
> value for the zend.exception_ignore_args INI setting from Off to On.
>
> The intent of this change is to make PHP installations safer by
> default and prevent the accidental release of sensitive information in
> stack traces.
>
> * RFC: https://wiki.php.net/rfc/exception_ignore_args_default_value
> * Implementation: https://github.com/php/php-src/pull/18215

This discussion seems to have overlooked that the setting doesn't just restrict the *display* of arguments, it restricts the *collection* of those arguments into the Exception object, which has visible effects on the behaviour and performance of the program.

Because of PHP's reference counting memory model, programmers can usually rely on memory being freed and destructors being called when a local variable goes out of scope.
Without zend.exception_ignore_args=1, the lifetime of any zval which happened to be involved in a parameter anywhere on the stack, is extended to last until the Exception object is destructed. That can mean holding onto large amounts of memory, holding open file handles and network connections, or firing "RAII" destructors in an unexpected order.

Note that this is tied to the lifetime of the exception object, not when it is thrown and caught; and it is recursive - an array containing an object with a property pointing to another object keeps all those arrays and objects alive, just in case you want to inspect them in the error trace.

Another edge case I encountered a few years ago is when I wrote some code that serialized an exception (to propagate it from a worker process to its parent): the exception itself was serializable, but a completely unrelated change caused an unserialized object to show up as a parameter somewhere on the call stack, causing the whole exception to become unserializable.

On the other side, PHP is not a Functional Programming language, so knowing the arguments that were passed into a function is rarely enough to reconstruct the state that led to the exception. Manual backtraces can also collect a copy of $this for method calls, with the DEBUG_BACKTRACE_PROVIDE_OBJECT option, but the exception constructor never passes that. Nor does it collect a snapshot of static and global variables, or the state of opaque objects and resources like file/stream handles.

Collecting arguments seems like a special case which could be handled by debug or APM extensions, rather than something that most users will ever need.

-- 
Rowan Tommins
[IMSoP]
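
The lifetime effect described in the message above, as an added example that is not part of the original post or of php-src: it records when an argument's destructor fires relative to the exception being caught and released, under both values of zend.exception_ignore_args. The Handle class and the work(), run() and demo() functions are hypothetical names made up for the illustration; it assumes PHP 8.0 or later.

```php
<?php
// Hypothetical stand-in for a resource with an RAII-style destructor.
final class Handle
{
    public static array $log = [];
    public function __construct(private string $name) {}
    public function __destruct() { self::$log[] = "destruct {$this->name}"; }
}

// The Handle exists only as an argument in this frame when the exception is built.
function work(Handle $h): void
{
    throw new RuntimeException('failed');
}

// Returns the caught exception so the caller controls how long it lives.
function run(string $name): Throwable
{
    try {
        work(new Handle($name));
    } catch (Throwable $e) {
        return $e;
    }
}

function demo(bool $ignoreArgs): array
{
    Handle::$log = [];
    // The setting is read when the exception object is created.
    ini_set('zend.exception_ignore_args', $ignoreArgs ? '1' : '0');
    $e = run($ignoreArgs ? 'ignored' : 'collected');
    Handle::$log[] = 'exception caught and still held';
    // Frame 0 is the call to work(); its 'args' entry holds the Handle when collected.
    $hasArgs = isset($e->getTrace()[0]['args']);
    unset($e); // last reference to the exception, so its trace is freed here
    Handle::$log[] = 'exception released';
    return [$hasArgs, Handle::$log];
}

foreach ([false, true] as $ignore) {
    [$hasArgs, $log] = demo($ignore);
    printf("ignore_args=%d trace has args: %s\n  %s\n",
        $ignore, $hasArgs ? 'yes' : 'no', implode("\n  ", $log));
}
```

With argument collection on, the destructor entry lands between the "still held" and "released" lines; with it off, the Handle is destroyed during stack unwinding, before the catch block returns.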