Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:130280
Precedence: list
MIME-Version: 1.0
References: <Sm1GZb5hgsnp0GsxSRFcsRA5FiZoHJMi9368TSt4Qb8Qr61aFDSGxQMP9fpj58uMVwPgynuve8bplPhSZhR4HSnfHUCpoBqInTHWjd-uUyA=@gpb.moe>
 <FAEFF35B-D1DB-4C1C-8F92-213EECDD6230@cschneid.com> <b431a150-a4d2-42ee-b918-d9ad38fa7719@bastelstu.be>
 <650FCF24-CDBD-4F37-BA50-6D691EE3E3E1@cschneid.com> <gpSgetGUf_ezKIy9oE-9KdL2GvX21uWTZBl2LnVI7a0LXjBLONNcEk1dCNoMoPBXPx_FO00cITiqQ9yqoc0AVQg6i-de1PwZbNvwLUEUals=@gpb.moe>
 <CAGBsUrd=GDPznp2fqM6=Rb3GbhDh8apmSSa-s3NooOaJ=NG+kA@mail.gmail.com>
In-Reply-To: <CAGBsUrd=GDPznp2fqM6=Rb3GbhDh8apmSSa-s3NooOaJ=NG+kA@mail.gmail.com>
Date: Mon, 9 Mar 2026 17:28:04 +0100
Message-ID: <CAEKnhAHQ3JuYOVAxbm9yVURsGsSgibzJP2WMK9Pctg2fqAwxvQ@mail.gmail.com>
Subject: Re: [PHP-DEV] [RFC] Exempt input type and value validation from BC
 Break policy
To: Kamil Tekiela <tekiela246@gmail.com>
Cc: "Gina P. Banyard" <internals@gpb.moe>, Christian Schneider <cschneid@cschneid.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000c752a1064c99e39e"
From: bukka@php.net (Jakub Zelenka)

--000000000000c752a1064c99e39e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Mon, Mar 9, 2026 at 2:55=E2=80=AFPM Kamil Tekiela <tekiela246@gmail.com>=
 wrote:

> On Mon, 9 Mar 2026 at 13:37, Gina P. Banyard <internals@gpb.moe> wrote:
> >
> > On Monday, 2 March 2026 at 19:54, Christian Schneider <
> cschneid@cschneid.com> wrote:
> >
> > > Am 02.03.2026 um 20:12 schrieb Tim D=C3=BCsterhus <tim@bastelstu.be>:
> > > > On 3/2/26 14:49, Christian Schneider wrote:
> > > >> Playing my favourite broken record:
> > > >> Can we please state that additions of Exceptions should (in most
> cases) go through an E_WARNING phase to allow a time window to fix code
> before changing the behaviour?
> > > >
> > > > =E2=80=9CNot passing invalid values=E2=80=9D is perfectly backwards=
 compatible.
> Folks can just fix their code before upgrading their production deploymen=
t
> to the new PHP version, e.g. by trying out the new PHP version in a stagi=
ng
> system or running CI for both the old and new PHP version.
> > >
> > > - Not everybody has access to a staging system, e.g. people running
> stuff on hosting services.
> > > - As a hoster I'd rather have a phase where my customers get warnings
> instead of errors, creates less emergency support load.
> > >
> > > > In practice an E_WARNING is no less breaking than going straight to
> an Error, because:
> > > > 1. The common frameworks include error handlers that just convert
> any warning and notice to an Exception.
> > >
> > > So in that sense there is also no advantage to NOT having a warning
> phase for those people.
> > > But people treating E_WARNING different from Exceptions (which is
> probably the exact people whose code breaks with an immediate Exception) =
do
> have a time window to fix things.
> > >
> > > > 2. The code is already broken, because it relies on unspecified
> behavior. The error would just making the user aware that the code is ver=
y
> likely not doing what it appears to be doing based on the input values
> passed to a function.
> > >
> > > It can easily do something valid and ignore the extra bits (pun kind
> of intended), see
> > >       mkdir("foo", 070777);
> > > which passes extra bits with are ignored but the application was
> behaving in a completely deterministic and valid way.
> > >
> > > > Going through an E_WARNING would add maintainer busywork and
> complicate the php-src codebase for no real gain.
> > >
> > > We've been over this before:
> > > If people *really* feel that the additional burden to change the code
> twice then I'd be happy to volunteer providing a small helper
> function/macro to generate an E_WARNING and either (the more aggressive
> approach) switch to an exception once a certain PHP version is reached or
> (probably the more flexible way) issue a compile time warning/error
> informing the maintainer to switch the warning to an Exception.
> > > The most simplistic version of this is a FIXME comment annotated with
> a version number. Easy to grep, easy to trigger automatic alerts about on=
ce
> the specified version is reached, but it can also be something more
> sophisticated..
> > > One way or the other could also be integrated into the CI/CD system.
> > >
> > > Our main disagreement is about the "no real gain" part as it IMHO
> targets the long tail of PHP code / developers out there not using
> full-fledged frameworks and dev environments or running legacy software o=
n
> hosting services.
> > >
> > > I am very much in favor of making things easy for the code developers
> but I am of the strong believe that it can be done in a good way for
> developers.
> >
> > I don't see how going through an E_WARNING phase is helpful, rather I
> see it as detrimental.
> > Foremost, what is the behaviour of introducing a warning?
> > Do we exit early and return false?
> > Or do we just warn and continue to use a possible default or nonsensica=
l
> value?
> > AFAIK every time a warning got introduced it followed the first
> approach, so this doesn't seem to address the concern of giving developer=
s
> more time.
> > However, if we do continue using the prior behaviour then we haven't
> solved the concern in the slightest.
> > As it may be a warning for one PHP version and in the next PHP version
> the extension supports a new flag which removes the warning for that valu=
e,
> leading back to a silent BC break if the warning wasn't addressed.
> >
> > Another technical aspect is that warnings allows userland code to run
> and change the state of the VM and extension in unexpected way (we have
> countless fuzzying reports about this) an issue that does not exist with
> Exceptions.
> >
> > Then comes the topic about how long should it be a warning? Until the
> next major? A single release cycle? I don't want warning promotion to
> become the same exhausting discussion that deprecation duration already i=
s.
> >
> > I have no idea how you handle hosting, but when I used shared hosting i=
n
> the past I would never have anyone tell me that my code was producing
> warnings or notices.
> > And even the one website I manage for someone which is on OVH shared
> hosting I can still select a PHP version (heck even downgrading to 5.4 fo=
r
> some reason).
> > So I'm struggling to see how for the average end user this is impacting
> them?
> > And if you do just bump the PHP version for them, I'm not sure what's
> the difference between having an Error immediately or producing warnings
> for X years before throwing an Error and breaking
> >
> > Best regards,
> >
> > Gina P. Banyard
>
> I am in favour of exempting the validation errors from requiring RFCs,
> and as Gina, I do not believe that warnings are useful. I don't like
> that warnings even exist in the PHP language. I can see the case that
> you don't want to break a running application by upgrading the PHP
> version, but it can happen regardless. Minor PHP releases can contain
> minor breaking changes and each time someone upgrades PHP, they should
> run their test suite and verify that the application still works the
> same as before. Whether we introduce a Warning or ValueError, it will
> be caught during the upgrade process and fixed. It may even help avoid
> nasty bugs if the application stops on invalid input; something which
> could go unnoticed if it were only a warning.
>
>
Well the mentioned breaking changes must all go through RFC - that's our
policy. The reason is that breaking changes should get always a bit more
consideration. It doesn't mean that they cannot be done. If this RFC
passes, then the ValueError conversion can be done without RFC unless there
is an objection - it means any core developer can still require RFC if they
wish.


> I am, however, concerned about one thing. If we don't require RFCs
> there may be situations when a contentious validation is introduced.
> For example, many validations can be implemented in such a way that
> they don't cause additional performance loss, but let's say someone
> decides that validating the value provides more benefit than the
> performance cost. Without RFC, the community cannot share their
> feedback, and one person's opinion wins. But if the function is used
> with the correct values 99.99% of the time and it's used in the hot
> code, the performance cost isn't worth catching the accidental invalid
> value.
>

We could probably relay on some developers noticing such changes and
calling for RFC which can be done for any feature. But my worry is that
some of the cases that could be problematic just slip in and they might
cause problems for users later. So my preference is to require RFC for all
which should make sure that there is a good visibility for any such change.
Those changes are usually trivial so grouping them to a single RFC should
not be that much work.

Kind regards,

Jakub

--000000000000c752a1064c99e39e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><br><div class=3D"gmail_quote gmail_quote_co=
ntainer"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Mar 9, 2026 at 2:55=
=E2=80=AFPM Kamil Tekiela &lt;<a href=3D"mailto:tekiela246@gmail.com">tekie=
la246@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pad=
ding-left:1ex">On Mon, 9 Mar 2026 at 13:37, Gina P. Banyard &lt;internals@g=
pb.moe&gt; wrote:<br>
&gt;<br>
&gt; On Monday, 2 March 2026 at 19:54, Christian Schneider &lt;<a href=3D"m=
ailto:cschneid@cschneid.com" target=3D"_blank">cschneid@cschneid.com</a>&gt=
; wrote:<br>
&gt;<br>
&gt; &gt; Am 02.03.2026 um 20:12 schrieb Tim D=C3=BCsterhus &lt;<a href=3D"=
mailto:tim@bastelstu.be" target=3D"_blank">tim@bastelstu.be</a>&gt;:<br>
&gt; &gt; &gt; On 3/2/26 14:49, Christian Schneider wrote:<br>
&gt; &gt; &gt;&gt; Playing my favourite broken record:<br>
&gt; &gt; &gt;&gt; Can we please state that additions of Exceptions should =
(in most cases) go through an E_WARNING phase to allow a time window to fix=
 code before changing the behaviour?<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; =E2=80=9CNot passing invalid values=E2=80=9D is perfectly ba=
ckwards compatible. Folks can just fix their code before upgrading their pr=
oduction deployment to the new PHP version, e.g. by trying out the new PHP =
version in a staging system or running CI for both the old and new PHP vers=
ion.<br>
&gt; &gt;<br>
&gt; &gt; - Not everybody has access to a staging system, e.g. people runni=
ng stuff on hosting services.<br>
&gt; &gt; - As a hoster I&#39;d rather have a phase where my customers get =
warnings instead of errors, creates less emergency support load.<br>
&gt; &gt;<br>
&gt; &gt; &gt; In practice an E_WARNING is no less breaking than going stra=
ight to an Error, because:<br>
&gt; &gt; &gt; 1. The common frameworks include error handlers that just co=
nvert any warning and notice to an Exception.<br>
&gt; &gt;<br>
&gt; &gt; So in that sense there is also no advantage to NOT having a warni=
ng phase for those people.<br>
&gt; &gt; But people treating E_WARNING different from Exceptions (which is=
 probably the exact people whose code breaks with an immediate Exception) d=
o have a time window to fix things.<br>
&gt; &gt;<br>
&gt; &gt; &gt; 2. The code is already broken, because it relies on unspecif=
ied behavior. The error would just making the user aware that the code is v=
ery likely not doing what it appears to be doing based on the input values =
passed to a function.<br>
&gt; &gt;<br>
&gt; &gt; It can easily do something valid and ignore the extra bits (pun k=
ind of intended), see<br>
&gt; &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0mkdir(&quot;foo&quot;, 070777);<br>
&gt; &gt; which passes extra bits with are ignored but the application was =
behaving in a completely deterministic and valid way.<br>
&gt; &gt;<br>
&gt; &gt; &gt; Going through an E_WARNING would add maintainer busywork and=
 complicate the php-src codebase for no real gain.<br>
&gt; &gt;<br>
&gt; &gt; We&#39;ve been over this before:<br>
&gt; &gt; If people *really* feel that the additional burden to change the =
code twice then I&#39;d be happy to volunteer providing a small helper func=
tion/macro to generate an E_WARNING and either (the more aggressive approac=
h) switch to an exception once a certain PHP version is reached or=C2=A0 (p=
robably the more flexible way) issue a compile time warning/error informing=
 the maintainer to switch the warning to an Exception.<br>
&gt; &gt; The most simplistic version of this is a FIXME comment annotated =
with a version number. Easy to grep, easy to trigger automatic alerts about=
 once the specified version is reached, but it can also be something more s=
ophisticated..<br>
&gt; &gt; One way or the other could also be integrated into the CI/CD syst=
em.<br>
&gt; &gt;<br>
&gt; &gt; Our main disagreement is about the &quot;no real gain&quot; part =
as it IMHO targets the long tail of PHP code / developers out there not usi=
ng full-fledged frameworks and dev environments or running legacy software =
on hosting services.<br>
&gt; &gt;<br>
&gt; &gt; I am very much in favor of making things easy for the code develo=
pers but I am of the strong believe that it can be done in a good way for d=
evelopers.<br>
&gt;<br>
&gt; I don&#39;t see how going through an E_WARNING phase is helpful, rathe=
r I see it as detrimental.<br>
&gt; Foremost, what is the behaviour of introducing a warning?<br>
&gt; Do we exit early and return false?<br>
&gt; Or do we just warn and continue to use a possible default or nonsensic=
al value?<br>
&gt; AFAIK every time a warning got introduced it followed the first approa=
ch, so this doesn&#39;t seem to address the concern of giving developers mo=
re time.<br>
&gt; However, if we do continue using the prior behaviour then we haven&#39=
;t solved the concern in the slightest.<br>
&gt; As it may be a warning for one PHP version and in the next PHP version=
 the extension supports a new flag which removes the warning for that value=
, leading back to a silent BC break if the warning wasn&#39;t addressed.<br=
>
&gt;<br>
&gt; Another technical aspect is that warnings allows userland code to run =
and change the state of the VM and extension in unexpected way (we have cou=
ntless fuzzying reports about this) an issue that does not exist with Excep=
tions.<br>
&gt;<br>
&gt; Then comes the topic about how long should it be a warning? Until the =
next major? A single release cycle? I don&#39;t want warning promotion to b=
ecome the same exhausting discussion that deprecation duration already is.<=
br>
&gt;<br>
&gt; I have no idea how you handle hosting, but when I used shared hosting =
in the past I would never have anyone tell me that my code was producing wa=
rnings or notices.<br>
&gt; And even the one website I manage for someone which is on OVH shared h=
osting I can still select a PHP version (heck even downgrading to 5.4 for s=
ome reason).<br>
&gt; So I&#39;m struggling to see how for the average end user this is impa=
cting them?<br>
&gt; And if you do just bump the PHP version for them, I&#39;m not sure wha=
t&#39;s the difference between having an Error immediately or producing war=
nings for X years before throwing an Error and breaking<br>
&gt;<br>
&gt; Best regards,<br>
&gt;<br>
&gt; Gina P. Banyard<br>
<br>
I am in favour of exempting the validation errors from requiring RFCs,<br>
and as Gina, I do not believe that warnings are useful. I don&#39;t like<br=
>
that warnings even exist in the PHP language. I can see the case that<br>
you don&#39;t want to break a running application by upgrading the PHP<br>
version, but it can happen regardless. Minor PHP releases can contain<br>
minor breaking changes and each time someone upgrades PHP, they should<br>
run their test suite and verify that the application still works the<br>
same as before. Whether we introduce a Warning or ValueError, it will<br>
be caught during the upgrade process and fixed. It may even help avoid<br>
nasty bugs if the application stops on invalid input; something which<br>
could go unnoticed if it were only a warning.<br>
<br></blockquote><div><br></div><div>Well the mentioned breaking changes mu=
st all go through RFC - that&#39;s our policy. The reason is that breaking =
changes should get always a bit more consideration. It doesn&#39;t mean tha=
t they cannot be done. If this RFC passes, then the ValueError conversion c=
an be done without RFC unless there is an objection - it means any core dev=
eloper can still require RFC if they wish.</div><div>=C2=A0</div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex">
I am, however, concerned about one thing. If we don&#39;t require RFCs<br>
there may be situations when a contentious validation is introduced.<br>
For example, many validations can be implemented in such a way that<br>
they don&#39;t cause additional performance loss, but let&#39;s say someone=
<br>
decides that validating the value provides more benefit than the<br>
performance cost. Without RFC, the community cannot share their<br>
feedback, and one person&#39;s opinion wins. But if the function is used<br=
>
with the correct values 99.99% of the time and it&#39;s used in the hot<br>
code, the performance cost isn&#39;t worth catching the accidental invalid<=
br>
value.<br></blockquote><div><br></div><div>We could probably relay on some =
developers noticing such changes and calling for RFC which can be done for =
any feature. But my worry is that some of the cases that could be problemat=
ic just slip in and they might cause problems for users later. So my prefer=
ence is to require RFC for all which should make sure that there is a good =
visibility for any such change. Those changes are usually trivial so groupi=
ng them to a single RFC should not be that much work.</div><div><br></div><=
div>Kind regards,</div><div><br></div><div>Jakub</div></div></div>

--000000000000c752a1064c99e39e--