Don't silence fatal errors

Hi internals,

When the silencing operator @ is used, the intention is generally to
silence expected warnings or notices. However, it currently also silences
fatal errors. As fatal errors also abort request execution, the result will
often be a hard to debug white screen of death.

The most recent occurrence which motivated me to write this mail is
https://bugs.php.net/bug.php?id=77205, but I've seen this play out multiple
times already.

I would like to propose to change the behavior of @ to only silence
warnings, notices and other low-level diagnostics, but leave fatal errors
intake. In particular, the following should not be silenced:

• E_ERROR
• E_CORE_ERROR
• E_COMPILE_ERROR
• E_USER_ERROR
• E_RECOVERABLE_ERROR
• E_PARSE

This change would have two main implications for backwards compatibility:

1. Code that legitimately wants to silence fatal errors for whatever reason
   should now use error_reporting() (or ini_set()) to do so, instead of @.

2. Error handlers that want to only handle non-silenced errors may have to
   be adjusted. A common pattern I found in our own tests if checks for
   error_reporting() != 0 to detect silencing. This should be changed to
   error_reporting() & $err_no to detect whether the specific error type is
   silenced.

A preliminary patch for this change is available at
https://github.com/php/php-src/pull/3685.

What do you think about this?

Nikita

Hi!

It's always been bizarre to me that @ can silence fatal errors, which
has no practical application and makes using @ to silence a lower-level
error potentially hszardous if its targeted function can also produce a
fatal error.

Yes, silencing something that kills the script is probably not a very
great idea. It can have some BC effects if this is a part of larger
environments where outgoing messages are tracked, but I think it's a
worthy price to pay for making it more sensible.

This won't fix WSOD problem by itself, but probably will make WSODs a
little less annoying to debug. Which is a win in my book.

Stas Malyshev
smalyshev@gmail.com

Hi Nikita,

Nikita Popov wrote:

When the silencing operator @ is used, the intention is generally to
silence expected warnings or notices. However, it currently also silences
fatal errors. As fatal errors also abort request execution, the result
will
often be a hard to debug white screen of death.

The most recent occurrence which motivated me to write this mail is
https://bugs.php.net/bug.php?id=77205, but I've seen this play out
multiple
times already.

I would like to propose to change the behavior of @ to only silence
warnings, notices and other low-level diagnostics, but leave fatal errors
intake.
It's always been bizarre to me that @ can silence fatal errors, which
has no practical application and makes using @ to silence a lower-level
error potentially hszardous if its targeted function can also produce a
fatal error.

Well, it does have one practical application which I think we should pay
attention to if we are to change the behavior - in case of display_errors
being on (yes, nobody should have that in production, but that doesn't
change the fact that many do) - suddenly we would potentially be exposing
sensitive data to remote users - data that was previously explicitly
silenced and with this change we'd be breaking that contract. This is not
an unlikely scenario.

OTOH I do see the value of being able to silence only non-critical
messages. What if we do something along the lines of what somebody
proposed, and introduce another error level E_ERROR_WHILE_SILENCED or
something like that? Folks who would want to will be able to turn it on,
and we can leave it out of E_ALL so that it would require explicit enabling.

Zeev

As long as we have a prominent warning about this in our migration guide
alerting people to the associated risk in setups where display errors is on

• I can live with the change as-is. How do we ensure that it doesn't get
  lost in the clutter given that it has no RFC?

Generally, everything that needs to be mentionend in the migration
guide, should have a respective entry in UPGRADING. That makes creating
the migration guide straight forward for the doc team, and worked quite
well for PHP 7.3 at least.

--
Christoph M. Becker

Good morning Nikita,

Hi internals,

When the silencing operator @ is used, the intention is generally to
silence expected warnings or notices. However, it currently also silences
fatal errors. As fatal errors also abort request execution, the result will
often be a hard to debug white screen of death.

The most recent occurrence which motivated me to write this mail is
https://bugs.php.net/bug.php?id=77205, but I've seen this play out
multiple
times already.

I would like to propose to change the behavior of @ to only silence
warnings, notices and other low-level diagnostics, but leave fatal errors
intake. In particular, the following should not be silenced:

I am surely missing use cases because I wonder why we need @, at all?

Yes there are functions generating extra messages and should not, be fro.
PHP implementation or from external libraries (wrapping stderr to php
errors). All of them could be fixed.

Best,
Pierre

Good morning Nikita,

Hi internals,

When the silencing operator @ is used, the intention is generally to
silence expected warnings or notices. However, it currently also silences
fatal errors. As fatal errors also abort request execution, the result
will
often be a hard to debug white screen of death.

The most recent occurrence which motivated me to write this mail is
https://bugs.php.net/bug.php?id=77205, but I've seen this play out
multiple
times already.

I would like to propose to change the behavior of @ to only silence
warnings, notices and other low-level diagnostics, but leave fatal errors
intake. In particular, the following should not be silenced:

I am surely missing use cases because I wonder why we need @, at all?

Yes there are functions generating extra messages and should not, be fro.
PHP implementation or from external libraries (wrapping stderr to php
errors). All of them could be fixed.

Best,
Pierre

The most common case which comes to mind is to suppress erros while file
reading.
Because even if you check a file exists it could be deleted inbetween the
check and the
read command. As you can see this is even written in the documentation [1]

Best regards

George Peter Banyard

[1] https://secure.php.net/manual/en/function.fopen.php

Good morning Nikita,

Hi internals,

When the silencing operator @ is used, the intention is generally to
silence expected warnings or notices. However, it currently also
silences
fatal errors. As fatal errors also abort request execution, the result
will
often be a hard to debug white screen of death.

The most recent occurrence which motivated me to write this mail is
https://bugs.php.net/bug.php?id=77205, but I've seen this play out
multiple
times already.

I would like to propose to change the behavior of @ to only silence
warnings, notices and other low-level diagnostics, but leave fatal
errors
intake. In particular, the following should not be silenced:

I am surely missing use cases because I wonder why we need @, at all?

Yes there are functions generating extra messages and should not, be fro.
PHP implementation or from external libraries (wrapping stderr to php
errors). All of them could be fixed.

Best,
Pierre

The most common case which comes to mind is to suppress erros while file
reading.
Because even if you check a file exists it could be deleted inbetween the
check and the
read command. As you can see this is even written in the documentation [1]

Best regards

George Peter Banyard

[1] https://secure.php.net/manual/en/function.fopen.php

If a developer decides to write sloppy code, then @ may be acceptable.
I wouldn't use @, though.

IMO, there should be INI switch that kills @ operator.
There is extension module for this purpose, but PHP itself should have it.
@ operator is convenient, but @ is evil and make debugging a lot harder.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

The most common case which comes to mind is to suppress erros while file
reading.
Because even if you check a file exists it could be deleted inbetween the
check and the
read command. As you can see this is even written in the documentation [1]

Best regards

George Peter Banyard

[1] https://secure.php.net/manual/en/function.fopen.php

That is one the cases I meant. Also this is a bug in the user code. I can
imagine doing it on purpose for performance reasons (if the file is
created/deleted by other apps) tho'.
flock is what should be used here.

best,
Pierre

On Thu, Feb 7, 2019 at 3:14 PM Christian Schneider
cschneid@cschneid.com wrote:

Am 07.02.2019 um 02:32 schrieb Pierre Joye pierre.php@gmail.com:

The most common case which comes to mind is to suppress erros while file reading.
Because even if you check a file exists it could be deleted inbetween the check and the
read command. As you can see this is even written in the documentation [1]

[1] https://secure.php.net/manual/en/function.fopen.php

That is one the cases I meant. Also this is a bug in the user code. I can
imagine doing it on purpose for performance reasons (if the file is created/deleted by other apps) tho'.
flock is what should be used here.

Sorry if I'm missing something but would flock() help with file_get_contents() and an external program deleting a file?

We have the following fields where we sometimes use @ to suppress error_log entries so they do not hide real problems not handled by our code already:

• filesystem operations like file_get_contents() or mkdir() which can have (benevolent) races
• json_decode() of external data (we check the validity of the data afterwards anyway)
• DB connections which we log more detailed separately where the generic error is not interesting

In general I agree with the notion of using @ as little as possible but I think it will has use cases where using error_reporting() instead would decrease code readability.

Please do not remove @ ;-)

My thought that @ mainly relates to another RFC where errors/warning
are very inconsistently reported or designed (like forcing one to use
@). 8 would be a good candidate to clean that up, like the TypeError
RFC.

best,
Pierre

Am 07.02.2019 um 02:32 schrieb Pierre Joye pierre.php@gmail.com:

The most common case which comes to mind is to suppress erros while file reading.
Because even if you check a file exists it could be deleted inbetween the check and the
read command. As you can see this is even written in the documentation [1]

[1] https://secure.php.net/manual/en/function.fopen.php

That is one the cases I meant. Also this is a bug in the user code. I can
imagine doing it on purpose for performance reasons (if the file is created/deleted by other apps) tho'.
flock is what should be used here.

Sorry if I'm missing something but would flock() help with file_get_contents() and an external program deleting a file?

We have the following fields where we sometimes use @ to suppress error_log entries so they do not hide real problems not handled by our code already:

• filesystem operations like file_get_contents() or mkdir() which can have (benevolent) races
• json_decode() of external data (we check the validity of the data afterwards anyway)
• DB connections which we log more detailed separately where the generic error is not interesting

In general I agree with the notion of using @ as little as possible but I think it will has use cases where using error_reporting() instead would decrease code readability.

Please do not remove @ ;-)

• Chris

That is one the cases I meant. Also this is a bug in the user code. I can
imagine doing it on purpose for performance reasons (if the file is
created/deleted by other apps) tho'.
flock is what should be used here.

flock doesn't protect from other failures, such as a fread()ing a file
located on NFS. As it stands now, @ may still useful to mute warnings and
throw exceptions instead. The other solution today is to set up a temporary
error handler before calling the native function, and restore the previous
error handler right after, such as here
https://github.com/brick/std/blob/master/src/Internal/ErrorCatcher.php.
This allows to get the error message, but might incur a small performance
penalty.

IMO, @ can be safely removed the day PHP converts current warnings to
exceptions.

The most common case which comes to mind is to suppress erros while file
reading.
Because even if you check a file exists it could be deleted inbetween the
check and the
read command. As you can see this is even written in the documentation
[1]

Best regards

George Peter Banyard

[1] https://secure.php.net/manual/en/function.fopen.php

That is one the cases I meant. Also this is a bug in the user code. I can
imagine doing it on purpose for performance reasons (if the file is
created/deleted by other apps) tho'.
flock is what should be used here.

best,
Pierre

Am 07.02.2019 um 10:01 schrieb Benjamin Morel benjamin.morel@gmail.com:

IMO, @ can be safely removed the day PHP converts current warnings to exceptions.

Please don't do that either, I don't want to convert
@mkdir("foo");
to
try { mkdir("foo"); } catch (Exception $e) {}
just to stop my script from exiting if the directory already exists.

• Chris

Please don't do that either, I don't want to convert
@mkdir("foo");
to
try { mkdir("foo"); } catch (Exception $e) {}
just to stop my script from exiting if the directory already exists.

What you really want is either another function that does not throw an
exception in the specific case of "the directory already exists", or a
switch to not throw an exception in this specific case: there might be
other reasons that make mkdir() fail, such as a permission error. By
blindly silencing mkdir(), you have no guarantee that the directory will
exist after this call is executed. When mkdir() fails for another reason,
I can tell you that you do want an exception.

Also, some applications might assume that the directory does not already
exist, and want to fail if it does. So both use cases must be available in
the API.

On Thu, 7 Feb 2019 at 10:17, Christian Schneider cschneid@cschneid.com
wrote:

Am 07.02.2019 um 10:01 schrieb Benjamin Morel benjamin.morel@gmail.com:

IMO, @ can be safely removed the day PHP converts current warnings to
exceptions.

Please don't do that either, I don't want to convert
@mkdir("foo");
to
try { mkdir("foo"); } catch (Exception $e) {}
just to stop my script from exiting if the directory already exists.

• Chris

Also, some applications might assume that the directory does not
already
exist, and want to fail if it does. So both use cases must be available
in
the API.

I absolutely agree, but I also agree that the task here is not "convert warnings to exceptions", it's "design a new I/O API".

It's a subtle difference in framing: the warnings are just a symptom, and we need to address the cause.

Regards,

--
Rowan Collins
[IMSoP]

Am 07.02.2019 um 14:28 schrieb Rowan Collins rowan.collins@gmail.com:

Also, some applications might assume that the directory does not already
exist, and want to fail if it does. So both use cases must be available in the API.

mkdir("foo") or fail();

I absolutely agree, but I also agree that the task here is not "convert warnings to exceptions", it's "design a new I/O API".

Agreed.

Please don't try to mutate an existing API into something it is not designed for while introducing BC headaches in the process.

• Chris

Hi!

I am surely missing use cases because I wonder why we need @, at all?

Many functions have to deal with "dirty" data - e.g. loading a file that
is supposed to be JSON but may be in fact be invalid in any of the
hundreds ways. In some cases, we want full diagnostics, in other cases,
just knowing it's a bad file is enough, and any messages are a waste of
time in the best case, and invitation to DoS in the worst. If it'd
invalid, we drop it and ignore it and don't want to hear anymore about it.

Of course, it's possible to make special validation function to be run
before actual parsing, but the obvious performance and stability issues
with this make it far inferior solution to just use actual parser and
suppress all diagnostics that could possibly come from it.

Yes there are functions generating extra messages and should not, be fro.
PHP implementation or from external libraries (wrapping stderr to php
errors). All of them could be fixed.

In theory, yes. In practice, no, it's not happening anytime soon - we
won't get rid of all warnings in all extensions that may not be needed.
Thus, right now and in foreseeable future, using @ in this cases would
be the easiest method.

--
Stas Malyshev
smalyshev@gmail.com

Hi!

My thought that @ mainly relates to another RFC where errors/warning
are very inconsistently reported or designed (like forcing one to use
@). 8 would be a good candidate to clean that up, like the TypeError
RFC.

Cleaning up how PHP does errors would be awesome. After 20+ years of
organic growth without clear standards in this area, we've got a lot of
messy stuff happening there. But I don't think it can solve any
immediate issues - it's not likely that we'll replace every warning in
every extension overnight. It'd be nice if we found some model that
miraculously plugs into existing one and allows to improve things while
keeping everything working. If we get good new APIs - fine, but we'll
need @ to work with old APIs for a while.

Stas Malyshev
smalyshev@gmail.com

HI Stas,

Hi!

My thought that @ mainly relates to another RFC where errors/warning
are very inconsistently reported or designed (like forcing one to use
@). 8 would be a good candidate to clean that up, like the TypeError
RFC.

Cleaning up how PHP does errors would be awesome. After 20+ years of
organic growth without clear standards in this area, we've got a lot of
messy stuff happening there. But I don't think it can solve any
immediate issues

• it's not likely that we'll replace every warning in

every extension overnight.

You are right, long due. Also 8 is not immediate or overnight.

However I think you are right as well in your other replies. While I wrote
@ free code since years and I rarely see some in modern code, removing it
may bring some BC issues that could delay 8 adoptions.

It'd be nice if we found some model that

miraculously plugs into existing one and allows to improve things while
keeping everything working. If we get good new APIs - fine, but we'll
need @ to work with old APIs for a while.

New APis would be amazing. We need a kind of miracle to agree on these new
APIs but it will be really amazing to have new clear APIs. As far as I
remember we have been there for 6/7 and failed to find a consensus.
Resources and procedural APIs behaviors have survived a few attempts to
kill them. I wish we could introduce some key ones with 8 and not barely
focused in JIT and some basics cleanup :)

By procedural behaviors, I mean all these functions based on the 90s
designed C-like behaviors which are not fit anymore for today needs.

best,
Pierre

Le dimanche 10 février 2019, 09:34:16 CET Pierre Joye a écrit :

However I think you are right as well in your other replies. While I wrote
@ free code since years and I rarely see some in modern code, removing it
may bring some BC issues that could delay 8 adoptions.

Not sure where in this thread is the right place to answer, but I felt like I had to report that the php-ldap module triggers warning for about all errors and is almost impossible to use without @ because of this.
I did not attempt at fixing this for now since it would be huge BC breaks and if we’re going for BC breaks a lot of the ldap module API could be redesigned.

The other case where error handling through warning is a big problem is fopen, for which I usually use the same kind of wrapper (setting error handler) as posted by someone else.

Côme

On Wed, Feb 6, 2019 at 10:45 PM Christoph M. Becker cmbecker69@gmx.de
wrote:

As long as we have a prominent warning about this in our migration guide
alerting people to the associated risk in setups where display errors is
on

• I can live with the change as-is. How do we ensure that it doesn't get
  lost in the clutter given that it has no RFC?

Generally, everything that needs to be mentionend in the migration
guide, should have a respective entry in UPGRADING. That makes creating
the migration guide straight forward for the doc team, and worked quite
well for PHP 7.3 at least.

As the discussion here has drifted off towards error handling in general
and there hasn't been any further input on the change itself, I've gone
ahead and committed this:
https://github.com/php/php-src/commit/a302d1161036988fe220ecd8ecd73e6af1a116fc
I've also included a few UPGRADING notes.

Nikita