Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:127734
Precedence: bulk
MIME-Version: 1.0
References: <CALaXqqRKy4_y3HkO6dVhVcOjoHOp=HYdsU7v3SVZQ8kr1EfgLA@mail.gmail.com>
In-Reply-To: <CALaXqqRKy4_y3HkO6dVhVcOjoHOp=HYdsU7v3SVZQ8kr1EfgLA@mail.gmail.com>
Date: Sun, 22 Jun 2025 13:00:57 -0700
Message-ID: <CALaXqqSPwzfvnNs=xyenP9+KJ9wC5p4nBXdmzjCezpMpzoFCYg@mail.gmail.com>
Subject: [PHP-DEV] Re: [RFC] [Discussion] #[\DelayedTargetValidation] attribute
To: php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000385edb06382e8f99"
From: daniel.e.scherzer@gmail.com (Daniel Scherzer)

--000000000000385edb06382e8f99
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Jun 17, 2025 at 4:26=E2=80=AFPM Daniel Scherzer <daniel.e.scherzer@=
gmail.com>
wrote:

> Hi internals,
>
> I'd like to start the discussion for a new RFC about adding a
> `#[\DelayedTargetValidation]` attribute.
>
> * RFC: https://wiki.php.net/rfc/delayedtargetvalidation_attribute
> * Implementation: https://github.com/php/php-src/pull/18817
>
> --Daniel
>


It seems a common point of discussion is the difference in behavior between
internal and userland attributes, so I wanted to clarify a few things:

* Userland attributes are always metadata, in part because of the backwards
and forward compatibility that those attributes provide - the
attribute does not need to exist in order to be used, it just needs to
exist (and target the location) when you call
ReflectionAttribute::newInstance() to instantiate
* Internal attributes are a mix between metadata and a way to plug into the
engine. There were already existing ways to plug into the engine (e.g.
using magic methods or implementing the Countable or ArrayAccess
interfaces) but attributes provided a way to plug into the engine when you
don't just want to add a function override, but rather something else (like
indicating a parameter should be redacted in backtraces with
`#[\SensitiveParameter]`). It would probably be impossible to do that
securely with a userland attribute and userland error handler that manually
redacted things...
* Attributes were designed to have good compatibility - the syntax chosen
for PHP 8.0 was, in prior versions of PHP, used for comments - so any code
with attributes could also work in PHP 7.4, just without the metadata.
Similarly, by not validating userland attributes until they are accessed
with reflection, you can add an attribute that does not exist yet (e.g. if
using different versions of a library) with minimal complications.
* Internal attributes are validated at compile time - because they can be.
Internal attributes tell the engine to do something, and it makes sense (at
least to me) that if the engine cannot do that thing, there should be an
error without needing to wait for ReflectionAttribute::newInstance() to be
called.

But, the validation of internal attributes at compile time means that they
lose the compatibility features of userland attributes, and that is what
this RFC is trying to address. To be clear, I think the difference in
behavior between userland and internal attributes is a) fundamentally based
on the difference in capabilities (pure metadata vs engine behavior) and b)
something that should not be changed without significant further
investigation.

This new `#[\DelayedTargetValidation]` is meant to simplify things, and to
partially unify the behavior of the errors - if you are getting any errors
from internal attributes and want to suppress them at compile time, just
add the new attribute everywhere.

-Daniel

--000000000000385edb06382e8f99
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Tue, Jun 17, 2025 at 4:26=E2=80=AFPM D=
aniel Scherzer &lt;<a href=3D"mailto:daniel.e.scherzer@gmail.com">daniel.e.=
scherzer@gmail.com</a>&gt; wrote:</div><div class=3D"gmail_quote gmail_quot=
e_container"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"=
ltr">Hi internals,<div><br></div><div>I&#39;d like to start the discussion =
for a new RFC about adding a `#[\DelayedTargetValidation]` attribute.</div>=
<div><br></div><div>* RFC:=C2=A0<a href=3D"https://wiki.php.net/rfc/delayed=
targetvalidation_attribute" target=3D"_blank">https://wiki.php.net/rfc/dela=
yedtargetvalidation_attribute</a></div><div>* Implementation:=C2=A0<a href=
=3D"https://github.com/php/php-src/pull/18817" target=3D"_blank">https://gi=
thub.com/php/php-src/pull/18817</a></div><div><br></div><div>--Daniel</div>=
</div></blockquote><div><br></div><div><br></div><div>It seems a common poi=
nt of discussion is the difference in behavior between internal and userlan=
d attributes, so I wanted to clarify a few things:</div><div><br></div><div=
>* Userland attributes are always metadata, in part because of the backward=
s and forward compatibility=C2=A0that those attributes provide - the attrib=
ute=C2=A0does not need to exist in order to be used, it just needs to exist=
 (and target the location) when you call ReflectionAttribute::newInstance()=
 to instantiate</div><div>* Internal attributes are a mix between metadata =
and a way to plug into the engine. There were already existing ways to plug=
 into the engine (e.g. using magic methods or implementing the Countable or=
 ArrayAccess interfaces) but attributes provided a way to plug into the eng=
ine when you don&#39;t just want to add a function override, but rather som=
ething else (like indicating a parameter should be redacted in backtraces w=
ith `#[\SensitiveParameter]`). It would probably be impossible to do that s=
ecurely with a userland attribute and userland error handler that manually =
redacted things...</div><div>* Attributes were designed to have good compat=
ibility - the syntax chosen for PHP 8.0 was, in prior versions of PHP, used=
 for comments - so any code with attributes could also work in PHP 7.4, jus=
t without the metadata. Similarly, by not validating userland attributes un=
til they are accessed with reflection, you can add an attribute that does n=
ot exist yet (e.g. if using different versions of a library) with minimal c=
omplications.</div><div>* Internal attributes are validated at compile time=
 - because they can be. Internal attributes tell the engine to do something=
, and it makes sense (at least to me) that if the engine cannot do that thi=
ng, there should be an error without needing to wait for ReflectionAttribut=
e::newInstance() to be called.</div><div><br></div><div>But, the validation=
 of internal attributes at compile time means that they lose the compatibil=
ity features of userland attributes, and that is what this RFC is trying to=
 address. To be clear, I think the difference in behavior between userland =
and internal attributes is a) fundamentally based on the difference in capa=
bilities (pure metadata vs engine behavior) and b) something that should no=
t be changed without significant further investigation.</div><div><br></div=
><div>This new `#[\DelayedTargetValidation]` is meant to simplify things, a=
nd to partially unify the behavior of the errors - if you are getting any e=
rrors from internal attributes and want to suppress them at compile time, j=
ust add the new attribute everywhere.</div><div><br></div><div>-Daniel=C2=
=A0</div></div></div>

--000000000000385edb06382e8f99--