Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:130149
Precedence: list
MIME-Version: 1.0
References: <CAEPPVa312d1LTNjvNTQdcZzue+BU2PV=BgLt7s-AQ2BFn6P13g@mail.gmail.com>
In-Reply-To: <CAEPPVa312d1LTNjvNTQdcZzue+BU2PV=BgLt7s-AQ2BFn6P13g@mail.gmail.com>
Date: Tue, 24 Feb 2026 10:57:00 +0900
Message-ID: <CAON3zHCodb4pi+J15uGuKMytV5Tup=mmQa6_FNnWt+F5po51gw@mail.gmail.com>
Subject: Re: [PHP-DEV][DISCUSSION] Limit of code point for grapheme cluster in
 programming languages
To: php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000a74fe4064b88341b"
From: takeda@youmind.jp (Kentaro Takeda)

--000000000000a74fe4064b88341b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Yuya,

I think this is a good idea. While spec compliance is generally desirable,
DoS via unbounded grapheme clusters is a real threat, and it's reasonable
for a language-level implementation to impose practical limits that the
Unicode spec itself doesn't define. This kind of gap between a
general-purpose spec and a concrete implementation is not unusual.

The default of 32 code points sounds sensible given that natural language
grapheme clusters top out well below that.

One minor note: it might help to clarify the intended behavior of
`grapheme_limit_codepoints` a bit more =E2=80=94 for instance, whether it i=
s meant
as a validation check (returning false when a cluster exceeds the limit) or
something else.

Regards,
Kentaro Takeda


2026=E5=B9=B42=E6=9C=8823=E6=97=A5(=E6=9C=88) 20:28 youkidearitai <youkidea=
ritai@gmail.com>:

> Hi, Internals
>
> I noticed grapheme cluster is not limit code points in UAX#29.
> https://www.unicode.org/reports/tr29/
>
> And there is no limit code point in Unicode that confirmed in issue of IC=
U.
> https://unicode-org.atlassian.net/browse/ICU-23302
>
> So that means create many code points in 1 grapheme cluster,
> That is crash for program because computer resource is limited.
>
> For example, this code is 200MB but 1 grapheme cluster in emoji_bomb.txt
> ```
> php -r 'echo(mb_trim(str_repeat("\u{200d}\u{1f468}\u{200d}\u{1f466}\u
> {200d}\u{1f466}", 10000000), "\u{200d}"));' -d memory_limit=3D600M >
> emoji_bomb.txt
> ```
> (PLEASE BE CAREFUL OPEN IN emoji_bomb.txt BECAUSE MAYBE CRASH)
>
> So, I think we(php-src, programming language level) need to create new
> custom limit function.
> My idea is below:
>
> ```
> grapheme_limit_codepoints(string $str, integer $max_codepoints =3D 32): b=
ool
> ```
>
> I don't have heavy opinion that $max_codepoints is 32.
> However, 32 code points is enough of grapheme cluster because
> human language max code points is maybe Hak=E1=B9=A3hmalawaraya=E1=B9=81(=
=E0=BD=A7) in
> 9 code points.
>
> If need more than code points in grapheme cluster,
> Userland can to increase $max_codepoints.
>
> Please see also my speakerdeck.
>
> https://speakerdeck.com/youkidearitai/limit-of-code-point-for-grapheme-cl=
uster
>
> What do you think about this idea?
>
> Regards
> Yuya
>
> --
> ---------------------------
> Yuya Hamada (tekimen)
> - https://tekitoh-memdhoi.info
> - https://github.com/youkidearitai
> -----------------------------
>

--000000000000a74fe4064b88341b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div>Hi Yuya,<br><br>I think this is a go=
od idea. While spec compliance is generally desirable, DoS via unbounded gr=
apheme clusters is a real threat, and it&#39;s reasonable for a language-le=
vel implementation to impose practical limits that the Unicode spec itself =
doesn&#39;t define. This kind of gap between a general-purpose spec and a c=
oncrete implementation is not unusual.<br><br>The default of 32 code points=
 sounds sensible given that natural language grapheme clusters top out well=
 below that.<br><br>One minor note: it might help to clarify the intended b=
ehavior of `grapheme_limit_codepoints` a bit more =E2=80=94 for instance, w=
hether it is meant as a validation check (returning false when a cluster ex=
ceeds the limit) or something else.<br><br>Regards,<br>Kentaro Takeda</div>=
<div><div dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr"><div style=
=3D"color:rgb(34,34,34)"><br></div></div></div></div></div><br><div class=
=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr=
">2026=E5=B9=B42=E6=9C=8823=E6=97=A5(=E6=9C=88) 20:28 youkidearitai &lt;<a =
href=3D"mailto:youkidearitai@gmail.com">youkidearitai@gmail.com</a>&gt;:<br=
></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;=
border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi, Internals<br>
<br>
I noticed grapheme cluster is not limit code points in UAX#29.<br>
<a href=3D"https://www.unicode.org/reports/tr29/" rel=3D"noreferrer" target=
=3D"_blank">https://www.unicode.org/reports/tr29/</a><br>
<br>
And there is no limit code point in Unicode that confirmed in issue of ICU.=
<br>
<a href=3D"https://unicode-org.atlassian.net/browse/ICU-23302" rel=3D"noref=
errer" target=3D"_blank">https://unicode-org.atlassian.net/browse/ICU-23302=
</a><br>
<br>
So that means create many code points in 1 grapheme cluster,<br>
That is crash for program because computer resource is limited.<br>
<br>
For example, this code is 200MB but 1 grapheme cluster in emoji_bomb.txt<br=
>
```<br>
php -r &#39;echo(mb_trim(str_repeat(&quot;\u{200d}\u{1f468}\u{200d}\u{1f466=
}\u<br>
{200d}\u{1f466}&quot;, 10000000), &quot;\u{200d}&quot;));&#39; -d memory_li=
mit=3D600M &gt;<br>
emoji_bomb.txt<br>
```<br>
(PLEASE BE CAREFUL OPEN IN emoji_bomb.txt BECAUSE MAYBE CRASH)<br>
<br>
So, I think we(php-src, programming language level) need to create new<br>
custom limit function.<br>
My idea is below:<br>
<br>
```<br>
grapheme_limit_codepoints(string $str, integer $max_codepoints =3D 32): boo=
l<br>
```<br>
<br>
I don&#39;t have heavy opinion that $max_codepoints is 32.<br>
However, 32 code points is enough of grapheme cluster because<br>
human language max code points is maybe Hak=E1=B9=A3hmalawaraya=E1=B9=81(=
=E0=BD=A7) in<br>
9 code points.<br>
<br>
If need more than code points in grapheme cluster,<br>
Userland can to increase $max_codepoints.<br>
<br>
Please see also my speakerdeck.<br>
<a href=3D"https://speakerdeck.com/youkidearitai/limit-of-code-point-for-gr=
apheme-cluster" rel=3D"noreferrer" target=3D"_blank">https://speakerdeck.co=
m/youkidearitai/limit-of-code-point-for-grapheme-cluster</a><br>
<br>
What do you think about this idea?<br>
<br>
Regards<br>
Yuya<br>
<br>
-- <br>
---------------------------<br>
Yuya Hamada (tekimen)<br>
- <a href=3D"https://tekitoh-memdhoi.info" rel=3D"noreferrer" target=3D"_bl=
ank">https://tekitoh-memdhoi.info</a><br>
- <a href=3D"https://github.com/youkidearitai" rel=3D"noreferrer" target=3D=
"_blank">https://github.com/youkidearitai</a><br>
-----------------------------<br>
</blockquote></div></div>

--000000000000a74fe4064b88341b--