Stanislav Malyshev wrote:
>> * the code gets smaller because not so many typechecks in every function
> What do you mean "not so many"? You need one per checked parameter.

There is a difference in complexity between a user-level type check and a low-level type check.

>> * with type hints byte code optimizer can optimize the code far better
> Do you have any optimizer that can do that? Any plans to make one? Any
> tests showing you can optimize real-life application this way?

How should one have an optimizer for that as long as PHP does not have this feature? No one would implement one that is capable of doing this without knowing if the feature ever makes it into PHP.

> That is true, type hints do make static analysis easier - strict
> typing is created exactly for that purpose. However, it only helps if
> all the code is strictly typed - otherwise you just move the point of
> failure around. And in any case, type won't help you much for most
> real static analysis purposes, such as security - "string" can hold
> anything.

That is not completely true. If for example 10 functions use type hinting and the other functions do not, then you have at least 10 functions where you can analyse better.
A "simple" example is:

    // SOME_RUNTIME_CONSTANT is only known at runtime; the analyser cannot
    // see its value or even its type (int or string).
    function decryptID($id) {
        return $id ^ SOME_RUNTIME_CONSTANT;
    }

    function getUserFromId($id) {
        $sql = "select * from user where id=".decryptID($id);
        ...
    }

To analyse this construct a static code analyser has a lot to do, and it still needs to check every call to getUserFromId() to verify whether this is an actual security hole, because it doesn't know the content of SOME_RUNTIME_CONSTANT and therefore the return value of decryptID() could be a binary XORed string. However, a type hint of int in the decryptID() function would allow the analyser to know that decryptID() always returns int, and this would tell it that this is not a security hole. You see in this example that just partial usage of type hinting can mean the difference between a false positive and definitive unexploitability.

Greetings,
Stefan Esser

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
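The point Stefan makes above rests on a PHP semantic: `^` on two strings is a byte-wise XOR that returns a string, while `^` on two ints is an integer XOR that returns an int. The following is an added example, not code from the mail or from PHP itself, that shows both versions of decryptID() side by side. SOME_RUNTIME_CONSTANT, the key values, the query-building helpers and the attacker payload are all constructed for the illustration; the typed version uses the scalar type declarations that landed in PHP 7.0, which did not exist when the mail was written.

```php
<?php
declare(strict_types=1);

// Constructed placeholder for the runtime-only value the analyser cannot see.
// The analyser does not know whether it is a string (as here) or an int.
const SOME_RUNTIME_CONSTANT = "\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a\x5a";

// Untyped, as in the mail. With string operands, ^ is a byte-wise XOR over
// the shorter operand's length and returns a string, so the return value
// can be any byte sequence at all, including SQL text.
function decryptIDUntyped($id)
{
    return $id ^ SOME_RUNTIME_CONSTANT;
}

// Typed: int ^ int is integer XOR, so this function can only ever return an
// int, whatever the key holds. That is the fact a static analyser can use
// without knowing the key. (0x5a5a5a5a is a constructed integer key.)
function decryptIDTyped(int $id): int
{
    return $id ^ 0x5a5a5a5a;
}

// The getUserFromId() pattern from the mail, reduced to building the string.
function buildQueryUntyped($id): string
{
    return "select * from user where id=" . decryptIDUntyped($id);
}

function buildQueryTyped(int $id): string
{
    return "select * from user where id=" . decryptIDTyped($id);
}

// An attacker who knows or recovers the key pre-XORs the payload, so that
// decryptIDUntyped() undoes the XOR and yields attacker-chosen SQL.
$payload = "1 OR 1=1" ^ SOME_RUNTIME_CONSTANT;   // 8 bytes, key is longer

echo buildQueryUntyped($payload), "\n";
// select * from user where id=1 OR 1=1

// The same payload against the typed version: under strict_types a string
// is never coerced to int, so the call is rejected before any XOR happens.
try {
    echo buildQueryTyped($payload), "\n";
} catch (TypeError $e) {
    echo "rejected: ", get_class($e), "\n";   // rejected: TypeError
}

// A legitimate encrypted integer id round-trips and stays an int.
$cipher = 42 ^ 0x5a5a5a5a;
echo buildQueryTyped($cipher), "\n";          // select * from user where id=42
var_dump(is_int(decryptIDTyped($cipher)));    // bool(true)
```

Run with `php example.php`. Without `declare(strict_types=1)` the typed call would still refuse a non-numeric string (PHP 7+ throws a TypeError for it), but leading-numeric strings would be coerced with a warning, so strict mode is what makes the "always int" guarantee unconditional for the analyser.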