Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:127894 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id E80611A0112 for ; Fri, 4 Jul 2025 22:58:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1751669785; bh=VwcoJmpN5d1NCRScEbvyHuC1McX9XRf3OnN9UA1itwQ=; h=Date:From:To:In-Reply-To:References:Subject:From; b=QfS8yttfXSD9lHIRhsZYnGR2cGl9z9iVfXWGZEUz7ZBPfDa54lg1MGV8nJS2ibNBU kgXW87cNBaIBdQbzcs+lISaGj2d1qEh3xR9YPwfjhR+CDNhQLBRJLMBBu2kEUunyQX h8FNZgZRahygqF/jwSHYpSUr4KKgrnYXF8Sn/hvXklNvpwlFXiycUA6ckjL18PA7/d UvZ1IJdsNzc+Zhu1GnTTnE4ynEX4Mjf5ayakyabMcyWPJFCbVmZHQdR4p2THMYbE4A +d2PMb1YoGws7uAx5Dd8UZ+PCCe9EuM7AgyCyuRjXTl0/J7QCU20KSJr4x0vwNgkC8 OnZVnuRtUuXsA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id DC88C180879 for ; Fri, 4 Jul 2025 22:56:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_MISSING,HTML_MESSAGE, RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: Error (Cannot connect to unix socket '/var/run/clamav/clamd.ctl': connect: Connection refused) X-Envelope-From: Received: from fhigh-b6-smtp.messagingengine.com (fhigh-b6-smtp.messagingengine.com [202.12.124.157]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Fri, 4 Jul 2025 22:56:19 +0000 (UTC) Received: from phl-compute-05.internal (phl-compute-05.phl.internal [10.202.2.45]) by mailfhigh.stl.internal (Postfix) with ESMTP id 083797A00DF for ; Fri, 4 Jul 2025 18:58:11 -0400 (EDT) Received: from phl-imap-06 ([10.202.2.83]) by phl-compute-05.internal (MEProxy); Fri, 04 Jul 2025 18:58:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bottled.codes; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1751669890; x=1751756290; bh=VwcoJmpN5d 1NCRScEbvyHuC1McX9XRf3OnN9UA1itwQ=; b=ha49BUkX1Dznr4GDGzQ/HDdxVa UCxmdQEnREzOpAitO3aI86jUAkMeCNes2NcAs+3A59Kpc9GnlV2sNJbackklPlzd NATdT/jwa8MQi+wnjyh9siau5+PYB6I8pDA8VqDnatgBppa9EQie+Kfj9fAIn3n8 2V46b/Z1cIFLrftiPzmU/aNbnXI9FYW3quLTFZWx25Xc88UssBOZG7M+56MdyhF+ 5f7V/zdtfrys5hw5BnvaKRw4/0rm2nNrYtauqVhgavrg6DJwjfxD+eDz78a6Oeki QFRWxySY5inCtwBvkNgJIEhSCqXIF7jkrknacqvEeXpsJhf8PSS4HiA/POmQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1751669890; x=1751756290; bh=VwcoJmpN5d1NCRScEbvyHuC1McX9XRf3OnN 9UA1itwQ=; b=KRlxVFqrh9kzOC7ad28pihy9SCuAFDH+rwl6zFsca9yBCpK8F/j thtszEJ5+CY/gFgCQ8B1bS5vlRLKWsD+6ydRlGs/zGntW29xMYfrWWXsiYAPtHNi Uf8ARLJZpFbBP0G2hpcxG7gaSdmsVowFQTPbi2JksXw8W0JX+BJjxrgFK1allwko AIHFWPldWomxMSyUkz5zmtA0V720fRjphymeAerwDnX3U3Ap8geyvK2NON3pAScs nbrXgRAbBthTxA8Y9rUcUYeqiEkHeLlbk2GQkMe1U5J8P5rVeewA/CgJdIULcB+u mk4KdbcLEDSaOcbrPhQvgwxOgY6fbJ/JDKg== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgddvgeegvdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecunecujfgurhepofggfffhvffkjghfufgtsegrtderreertd ejnecuhfhrohhmpedftfhosgcunfgrnhguvghrshdfuceorhhosgessghothhtlhgvugdr tghouggvsheqnecuggftrfgrthhtvghrnhepheeiffekteeljeeufeejffeuffehvedugf etveefieejveffhffhgeeuteetffelnecuffhomhgrihhnpehphhhprdhnvghtpdhgihht hhhusgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh hrohhmpehrohgssegsohhtthhlvggurdgtohguvghspdhnsggprhgtphhtthhopedupdhm ohguvgepshhmthhpohhuthdprhgtphhtthhopehinhhtvghrnhgrlhhssehlihhsthhsrd hphhhprdhnvght X-ME-Proxy: Feedback-ID: ifab94697:Fastmail Received: by mailuser.phl.internal (Postfix, from userid 501) id AB5D42400094; Fri, 4 Jul 2025 18:58:10 -0400 (EDT) X-Mailer: MessagingEngine.com Webmail Interface Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 X-ThreadId: Tdffe2a2312921c9a Date: Sat, 05 Jul 2025 00:57:50 +0200 To: internals@lists.php.net Message-ID: <96e5addb-1570-4b4f-9915-c3fc55988f24@app.fastmail.com> In-Reply-To: References: Subject: Re: [PHP-DEV] Re: [RFC] [Discussion] #[\DelayedTargetValidation] attribute Content-Type: multipart/alternative; boundary=b3ca75ad1104462784f9cf737fd30866 From: rob@bottled.codes ("Rob Landers") --b3ca75ad1104462784f9cf737fd30866 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Sun, Jun 22, 2025, at 22:00, Daniel Scherzer wrote: > On Tue, Jun 17, 2025 at 4:26=E2=80=AFPM Daniel Scherzer wrote: >> Hi internals, >>=20 >> I'd like to start the discussion for a new RFC about adding a `#[\Del= ayedTargetValidation]` attribute. >>=20 >> * RFC: https://wiki.php.net/rfc/delayedtargetvalidation_attribute >> * Implementation: https://github.com/php/php-src/pull/18817 >>=20 >> --Daniel >=20 >=20 > It seems a common point of discussion is the difference in behavior be= tween internal and userland attributes, so I wanted to clarify a few thi= ngs: >=20 > * Userland attributes are always metadata, in part because of the back= wards and forward compatibility that those attributes provide - the attr= ibute does not need to exist in order to be used, it just needs to exist= (and target the location) when you call ReflectionAttribute::newInstanc= e() to instantiate > * Internal attributes are a mix between metadata and a way to plug int= o the engine. There were already existing ways to plug into the engine (= e.g. using magic methods or implementing the Countable or ArrayAccess in= terfaces) but attributes provided a way to plug into the engine when you= don't just want to add a function override, but rather something else (= like indicating a parameter should be redacted in backtraces with `#[\Se= nsitiveParameter]`). It would probably be impossible to do that securely= with a userland attribute and userland error handler that manually reda= cted things... > * Attributes were designed to have good compatibility - the syntax cho= sen for PHP 8.0 was, in prior versions of PHP, used for comments - so an= y code with attributes could also work in PHP 7.4, just without the meta= data. Similarly, by not validating userland attributes until they are ac= cessed with reflection, you can add an attribute that does not exist yet= (e.g. if using different versions of a library) with minimal complicati= ons. > * Internal attributes are validated at compile time - because they can= be. Internal attributes tell the engine to do something, and it makes s= ense (at least to me) that if the engine cannot do that thing, there sho= uld be an error without needing to wait for ReflectionAttribute::newInst= ance() to be called. >=20 > But, the validation of internal attributes at compile time means that = they lose the compatibility features of userland attributes, and that is= what this RFC is trying to address. To be clear, I think the difference= in behavior between userland and internal attributes is a) fundamentall= y based on the difference in capabilities (pure metadata vs engine behav= ior) and b) something that should not be changed without significant fur= ther investigation. I don=E2=80=99t think this is quite right. Because non-existent attribut= es can be used, if you use attributes in your library, you already know = to only ever, and I mean only ever, instantiate your own attributes. Att= empting to instantiate someone else=E2=80=99s attributes can result in c= rashes. This means any delayed attributes will most likely never be vali= dated by anything. >=20 > This new `#[\DelayedTargetValidation]` is meant to simplify things, an= d to partially unify the behavior of the errors - if you are getting any= errors from internal attributes and want to suppress them at compile ti= me, just add the new attribute everywhere. >=20 > -Daniel=20 I don=E2=80=99t think this is =E2=80=9Cforward compatibility=E2=80=9D, t= his is completely disabling the attribute. =E2=80=94 Rob --b3ca75ad1104462784f9cf737fd30866 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable

On Sun, Jun 22, 2025, at 22:00, Daniel Scherzer wrote:
= On Tue, Jun 17, 2025 at 4:26=E2=80=AFPM Daniel Scherzer <daniel.e.scherzer@gmail.com> w= rote:
Hi internals,

I'd like to start= the discussion for a new RFC about adding a `#[\DelayedTargetValidation= ]` attribute.

<= div>
--Daniel

=
It seems a common point of discussion is the difference i= n behavior between internal and userland attributes, so I wanted to clar= ify a few things:

* Userland attributes are alw= ays metadata, in part because of the backwards and forward compatibility=  that those attributes provide - the attribute does not need t= o exist in order to be used, it just needs to exist (and target the loca= tion) when you call ReflectionAttribute::newInstance() to instantiate
* Internal attributes are a mix between metadata and a way to pl= ug into the engine. There were already existing ways to plug into the en= gine (e.g. using magic methods or implementing the Countable or ArrayAcc= ess interfaces) but attributes provided a way to plug into the engine wh= en you don't just want to add a function override, but rather something = else (like indicating a parameter should be redacted in backtraces with = `#[\SensitiveParameter]`). It would probably be impossible to do that se= curely with a userland attribute and userland error handler that manuall= y redacted things...
* Attributes were designed to have good c= ompatibility - the syntax chosen for PHP 8.0 was, in prior versions of P= HP, used for comments - so any code with attributes could also work in P= HP 7.4, just without the metadata. Similarly, by not validating userland= attributes until they are accessed with reflection, you can add an attr= ibute that does not exist yet (e.g. if using different versions of a lib= rary) with minimal complications.
* Internal attributes are va= lidated at compile time - because they can be. Internal attributes tell = the engine to do something, and it makes sense (at least to me) that if = the engine cannot do that thing, there should be an error without needin= g to wait for ReflectionAttribute::newInstance() to be called.

But, the validation of internal attributes at compile ti= me means that they lose the compatibility features of userland attribute= s, and that is what this RFC is trying to address. To be clear, I think = the difference in behavior between userland and internal attributes is a= ) fundamentally based on the difference in capabilities (pure metadata v= s engine behavior) and b) something that should not be changed without s= ignificant further investigation.
I don=E2=80=99t think this is quite right. Because non-exist= ent attributes can be used, if you use attributes in your library, you a= lready know to only ever, and I mean only ever, instantiate your own att= ributes. Attempting to instantiate someone else=E2=80=99s attributes can= result in crashes. This means any delayed attributes will most likely n= ever be validated by anything.


This new `#[\DelayedTarget= Validation]` is meant to simplify things, and to partially unify the beh= avior of the errors - if you are getting any errors from internal attrib= utes and want to suppress them at compile time, just add the new attribu= te everywhere.

-Daniel 
<= /blockquote>

I don=E2=80=99t think this is =E2=80=9Cf= orward compatibility=E2=80=9D, this is completely disabling the attribut= e.

=E2=80=94 Rob
--b3ca75ad1104462784f9cf737fd30866--