Hi internals,
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.
Regards,
Calvin
On Wednesday, 11 March 2026 at 15:58, Calvin Buckley <calvin@cmpct.info> wrote:
Hi internals,
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.PHP: rfc:display_error_function_args
Regards,
Calvin
I'm looking forward to this RFC, as normalizing the behaviour of diagnostics by removing the various docref functions is something I proposed back in 2019. [1]
And I do think that we should remove the parameter versions of the docref functions as the behaviour of them if this is accepted seems hard to determine.
Best regards,
Gina P. Banyard
[1] Standardize PHP's docref errors by Girgias · Pull Request #4254 · php/php-src · GitHub
Hi
On 3/11/26 16:55, Calvin Buckley wrote:
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.
Thank you for the RFC. I have the following comments:
1.
I believe there is almost never “No Impact” to the ecosystem. In fact the RFC partly acknowledges it in the “Backward Incompatible Changes” section. Even if the corresponding sub-vote to default to 1 doesn't pass, code needs to be prepared for someone to set it to 1 themselves. This includes off-the-shelf software (such as WordPress, or Drupal, or whatever).
I have the following two suggestions (that follow pretty naturally, but are nevertheless an impact that should be spelled out):
a) Custom error handlers (set_error_handlers()) need to be prepared for the error message format to change. Even though we don't make any guarantees about error messages themselves, the existing format with “function name first” is reasonably structured for automated parsing (e.g. using a regular expression). This also includes error tracking tools that try to group error messages by function or similar.
b) System administrators have one more INI setting to deal with and need to make a decision. Previous versions of the RFC template had an explicit “INI setting” section, but given it's so rare we add new INI settings these days, it has been removed from the template. For the few that still add one, properly discussing the consequences still is valuable.
2.
As for the naming of the bikeshed, I suggest `error_ignore_args` for consistency with `zend.exception_ignore_args`.
3.
For the voting options: You need to define a tie-breaker for the secondary votes.
Best regards
Tim Düsterhus
Hi,
On Wed, Mar 11, 2026 at 8:38 PM Tim Düsterhus <tim@bastelstu.be> wrote:
I believe there is almost never “No Impact” to the ecosystem. In fact
the RFC partly acknowledges it in the “Backward Incompatible Changes”
section. Even if the corresponding sub-vote to default to 1 doesn’t
pass, code needs to be prepared for someone to set it to 1 themselves.
This includes off-the-shelf software (such as WordPress, or Drupal, or
whatever).I have the following two suggestions (that follow pretty naturally, but
are nevertheless an impact that should be spelled out):a) Custom error handlers (set_error_handlers()) need to be prepared for
the error message format to change. Even though we don’t make any
guarantees about error messages themselves, the existing format with
“function name first” is reasonably structured for automated parsing
(e.g. using a regular expression). This also includes error tracking
tools that try to group error messages by function or similar.b) System administrators have one more INI setting to deal with and need
to make a decision. Previous versions of the RFC template had an
explicit “INI setting” section, but given it’s so rare we add new INI
settings these days, it has been removed from the template. For the few
that still add one, properly discussing the consequences still is valuable.
These are all excellent points.
I want to add one more side-effect that feels discounted: PII and other sensitive data leaking through logs. Partly what the INI setting is supposed to address, but IMO it only does so on paper.
I have dealt with that issue many times, and developers tend to either not take it seriously or propose naive patchwork solutions such as blacklisting patterns in already produced logs. Plus, there’s an inherent temptation to temporarily enable such settings for debugging purposes, not realizing the act itself represents a data leak and it is permanent. If this is a serious problem without args values being present today, imagine the amplification effect from this addition.
With that being said, I also know the pain of having to deal with borderline useless error messages. The proposal isn’t without merit, but I’d look for alternative approaches that don’t create security headaches.
Cheers,
Andrey.
On Mar 11, 2026, at 3:35 PM, Tim Düsterhus <tim@bastelstu.be> wrote:
Hi
On 3/11/26 16:55, Calvin Buckley wrote:
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.
PHP: rfc:display_error_function_argsThank you for the RFC. I have the following comments:
1.
I believe there is almost never “No Impact” to the ecosystem. In fact the RFC partly acknowledges it in the “Backward Incompatible Changes” section. Even if the corresponding sub-vote to default to 1 doesn't pass, code needs to be prepared for someone to set it to 1 themselves. This includes off-the-shelf software (such as WordPress, or Drupal, or whatever).
I'm adding this to the ecosystem impact section.
I have the following two suggestions (that follow pretty naturally, but are nevertheless an impact that should be spelled out):
a) Custom error handlers (set_error_handlers()) need to be prepared for the error message format to change. Even though we don't make any guarantees about error messages themselves, the existing format with “function name first” is reasonably structured for automated parsing (e.g. using a regular expression). This also includes error tracking tools that try to group error messages by function or similar.
b) System administrators have one more INI setting to deal with and need to make a decision. Previous versions of the RFC template had an explicit “INI setting” section, but given it's so rare we add new INI settings these days, it has been removed from the template. For the few that still add one, properly discussing the consequences still is valuable.
I do recognize that PHP has been trending towards fewer knobs;
unfortunately, I don't see a better way other than adding a new
knob.
2.
As for the naming of the bikeshed, I suggest `error_ignore_args` for consistency with `zend.exception_ignore_args`.
I'm not attached to the name; if others think this sounds good, I'll
adjust the RFC and PR.
3.
For the voting options: You need to define a tie-breaker for the secondary votes.
I might be a little dense here; I see tie-breakers mentioned in
feature-proposals, but I don't see any guidance on how to include them
in an RFC. The other RFCs I've been skimming don't seem to mention them
either.
Best regards
Tim Düsterhus
On Mar 11, 2026, at 7:06 PM, Andrey Andreev <narf@devilix.net> wrote:
Hi,
On Wed, Mar 11, 2026 at 8:38 PM Tim Düsterhus <tim@bastelstu.be> wrote:
I believe there is almost never “No Impact” to the ecosystem. In fact
the RFC partly acknowledges it in the “Backward Incompatible Changes”
section. Even if the corresponding sub-vote to default to 1 doesn't
pass, code needs to be prepared for someone to set it to 1 themselves.
This includes off-the-shelf software (such as WordPress, or Drupal, or
whatever).I have the following two suggestions (that follow pretty naturally, but
are nevertheless an impact that should be spelled out):a) Custom error handlers (set_error_handlers()) need to be prepared for
the error message format to change. Even though we don't make any
guarantees about error messages themselves, the existing format with
“function name first” is reasonably structured for automated parsing
(e.g. using a regular expression). This also includes error tracking
tools that try to group error messages by function or similar.b) System administrators have one more INI setting to deal with and need
to make a decision. Previous versions of the RFC template had an
explicit “INI setting” section, but given it's so rare we add new INI
settings these days, it has been removed from the template. For the few
that still add one, properly discussing the consequences still is valuable.These are all excellent points.
I want to add one more side-effect that feels discounted: PII and other sensitive data leaking through logs. Partly what the INI setting is supposed to address, but IMO it only does so on paper.
I have dealt with that issue many times, and developers tend to either not take it seriously or propose naive patchwork solutions such as blacklisting patterns in already produced logs. Plus, there's an inherent temptation to temporarily enable such settings for debugging purposes, not realizing the act itself represents a data leak and it is permanent. If this is a serious problem without args values being present today, imagine the amplification effect from this addition.With that being said, I also know the pain of having to deal with borderline useless error messages. The proposal isn't without merit, but I'd look for alternative approaches that don't create security headaches.
Cheers,
Andrey.
This is something I'm also concerned about, but I feel the cat is
already out of the bag with backtraces in exceptions providing the same
parameter information. PHP and the library ecosystem seem to be adopting
the sensitive parameter attribute, so my hope is that applications also
start adopting it.
On Thu, Mar 12, 2026, at 10:53 AM, Calvin Buckley wrote:
On Mar 11, 2026, at 3:35 PM, Tim Düsterhus <tim@bastelstu.be> wrote:
3.
For the voting options: You need to define a tie-breaker for the secondary votes.
I might be a little dense here; I see tie-breakers mentioned in
feature-proposals, but I don't see any guidance on how to include them
in an RFC. The other RFCs I've been skimming don't seem to mention them
either.
Just put something like "in case of a tie, the default will be 1" above that voting widget. (Or 0 if you want to go that way.) Same for the other one.
Few RFCs have secondary votes, so you won't see it very often. And they don't always mention a tie breaker, even though they arguably should.
--Larry Garfield
On Mar 12, 2026, at 2:54 PM, Larry Garfield <larry@garfieldtech.com> wrote:
On Thu, Mar 12, 2026, at 10:53 AM, Calvin Buckley wrote:
On Mar 11, 2026, at 3:35 PM, Tim Düsterhus <tim@bastelstu.be> wrote:
3.
For the voting options: You need to define a tie-breaker for the secondary votes.
I might be a little dense here; I see tie-breakers mentioned in
feature-proposals, but I don't see any guidance on how to include them
in an RFC. The other RFCs I've been skimming don't seem to mention them
either.Just put something like "in case of a tie, the default will be 1" above that voting widget. (Or 0 if you want to go that way.) Same for the other one.
Few RFCs have secondary votes, so you won't see it very often. And they don't always mention a tie breaker, even though they arguably should.
--Larry Garfield
Sorry for the late response, I've added tiebreakers to the vote section.
Hi
On 3/16/26 20:04, Calvin Buckley wrote:
Sorry for the late response, I've added tiebreakers to the vote section.
Thank you, that looks good to me.
With the latest changes for the tie-breakers and the impact section I don't have any other comment.
Naming of the INI (i.e. my suggestion for "error_ignore_args") still is open. Does anyone except me have opinion there?
Best regards
Tim Düsterhus
On Thu, Mar 12, 2026 at 5:59 PM Calvin Buckley <calvin@cmpct.info> wrote:
On Mar 11, 2026, at 7:06 PM, Andrey Andreev <narf@devilix.net> wrote:
I want to add one more side-effect that feels discounted: PII and other sensitive data leaking through logs. Partly what the INI setting is supposed to address, but IMO it only does so on paper.
I have dealt with that issue many times, and developers tend to either not take it seriously or propose naive patchwork solutions such as blacklisting patterns in already produced logs. Plus, there’s an inherent temptation to temporarily enable such settings for debugging purposes, not realizing the act itself represents a data leak and it is permanent. If this is a serious problem without args values being present today, imagine the amplification effect from this addition.With that being said, I also know the pain of having to deal with borderline useless error messages. The proposal isn’t without merit, but I’d look for alternative approaches that don’t create security headaches.
This is something I’m also concerned about, but I feel the cat is
already out of the bag with backtraces in exceptions providing the same
parameter information. PHP and the library ecosystem seem to be adopting
the sensitive parameter attribute, so my hope is that applications also
start adopting it.
On one hand, it’s true that the cat is already out of the bag. On the other, that’s been the case since at least the days of PHP 4 and related effort since has been to limit the danger. This would be a first in the other direction.
Semi-random idea: what if it was a declare statement instead of an INI? That would have multiple benefits:
- Can limit the exposure to particular scripts rather than globally
- Easy to spot during code reviews and therefore little danger of negligent leaks
- Potential to consolidate backtraces under the same umbrella and eventually retire zend.exception_ignore_args
Cheers,
Andrey.
On Mar 11, 2026, at 12:55 PM, Calvin Buckley <calvin@cmpct.info> wrote:
Hi internals,
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.PHP: rfc:display_error_function_args
Regards,
Calvin
If I don't hear any additional feedback, I think I'll open this for
voting at the end of the week.
Hi
Am 2026-03-30 16:40, schrieb Calvin Buckley:
If I don't hear any additional feedback, I think I'll open this for
voting at the end of the week.
I've looked once more into my “naming remark” and realized that the `display_` prefix might actually be misleading (instead of “just” inconsistent) when compared to `display_errors` or `display_startup_errors`, because `display_error_function_args` does not control whether the arguments are *displayed*. It also controls whether or not the arguments are visible to a registered error_handler, which is quite different from just suppressing them from public display as done by `display_errors`.
My suggestion of `error_ignore_args` thus still stands and I would likely vote against the RFC with the current naming (despite being in favor of the feature itself).
Best regards
Tim Düsterhus
On Mar 30, 2026, at 12:24 PM, Tim Düsterhus <tim@bastelstu.be> wrote:
Hi
Am 2026-03-30 16:40, schrieb Calvin Buckley:
If I don't hear any additional feedback, I think I'll open this for
voting at the end of the week.I've looked once more into my “naming remark” and realized that the `display_` prefix might actually be misleading (instead of “just” inconsistent) when compared to `display_errors` or `display_startup_errors`, because `display_error_function_args` does not control whether the arguments are *displayed*. It also controls whether or not the arguments are visible to a registered error_handler, which is quite different from just suppressing them from public display as done by `display_errors`.
My suggestion of `error_ignore_args` thus still stands and I would likely vote against the RFC with the current naming (despite being in favor of the feature itself).
Best regards
Tim Düsterhus
I can rename this in the RFC since no one else had any other suggestions.
I'm not attached to any name for the INI option myself.
On Mar 30, 2026, at 12:24 PM, Tim Düsterhus <tim@bastelstu.be> wrote:
Hi
Am 2026-03-30 16:40, schrieb Calvin Buckley:
If I don't hear any additional feedback, I think I'll open this for
voting at the end of the week.I've looked once more into my “naming remark” and realized that the `display_` prefix might actually be misleading (instead of “just” inconsistent) when compared to `display_errors` or `display_startup_errors`, because `display_error_function_args` does not control whether the arguments are *displayed*. It also controls whether or not the arguments are visible to a registered error_handler, which is quite different from just suppressing them from public display as done by `display_errors`.
My suggestion of `error_ignore_args` thus still stands and I would likely vote against the RFC with the current naming (despite being in favor of the feature itself).
Best regards
Tim Düsterhus
I've renamed the INI option per your suggestion. This does invert the
semantics (matching the one for exceptions), so I took some care when
editing. I'll update the PR accordingly soon.
Hi
Am 2026-03-30 21:00, schrieb Calvin Buckley:
I've renamed the INI option per your suggestion. This does invert the
semantics (matching the one for exceptions), so I took some care when
editing. I'll update the PR accordingly soon.
I've checked the diff and noticed that you did not adjust the tie breaker for the “Default value for error_ignore_args” vote (it still favors `1`). Was this intentional or an oversight?
Other than that the RFC looks good to me. Thank you!
Best regards
Tim Düsterhus
On Wed, 11 Mar 2026, Calvin Buckley wrote:
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.
| Add a error_ignore_args, which potentially defaults to “0”. This is
| made an INI option, as some users may want to disable the feature by
| enabling this option, at least for production (e.g. risks of untagged
| PII in logs, size of logs, format compatibility with older versions of
| PHP).
I'm generally not in favour of new ini settings. I also don't think this
is going to help a lot, as many people will likely not change the
default.
But, I am especially not keen on "negative names". Names that include
"ignore" or "disable" for example. If you must have an ini setting, it
ought to be something like "include_error_args" (defaulting to "0", I
suspect).
The confusion in
also explains why I feel this.
cheers,
Derick
--
https://derickrethans.nl | https://xdebug.org | https://dram.io
Author of Xdebug. Like it? Consider supporting me: Xdebug: Support
mastodon: @derickr@phpc.social @xdebug@phpc.social
On Mar 31, 2026, at 6:04 AM, Tim Düsterhus <tim@bastelstu.be> wrote:
Hi
Am 2026-03-30 21:00, schrieb Calvin Buckley:
I've renamed the INI option per your suggestion. This does invert the
semantics (matching the one for exceptions), so I took some care when
editing. I'll update the PR accordingly soon.I've checked the diff and noticed that you did not adjust the tie breaker for the “Default value for error_ignore_args” vote (it still favors `1`). Was this intentional or an oversight?
Other than that the RFC looks good to me. Thank you!
Best regards
Tim Düsterhus
I've corrected this.
On Mar 31, 2026, at 6:53 AM, Derick Rethans <derick@php.net> wrote:
On Wed, 11 Mar 2026, Calvin Buckley wrote:
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.| Add a error_ignore_args, which potentially defaults to “0”. This is
| made an INI option, as some users may want to disable the feature by
| enabling this option, at least for production (e.g. risks of untagged
| PII in logs, size of logs, format compatibility with older versions of
| PHP).I'm generally not in favour of new ini settings. I also don't think this
is going to help a lot, as many people will likely not change the
default.But, I am especially not keen on "negative names". Names that include
"ignore" or "disable" for example. If you must have an ini setting, it
ought to be something like "include_error_args" (defaulting to "0", I
suspect).The confusion in
https://github.com/php/php-src/pull/12276#pullrequestreview-4035216287
also explains why I feel this.cheers,
Derick--
https://derickrethans.nl | https://xdebug.org | https://dram.ioAuthor of Xdebug. Like it? Consider supporting me: Xdebug: Support
mastodon: @derickr@phpc.social @xdebug@phpc.social
Tim, would this name be OK? I also have a preference towards a non-inverted name (it was more overhead to keep track of it), but I do see wanting it consistent.
Have you done any benchmarking on this? What is the performance impact when it is enabled versus disabled? That information will be useful if this passes so that users can understand not just the security impact of having this information reported in logs, but the performance impact.
···
Matthew Weier O’Phinney
mweierophinney@gmail.com
https://mwop.net/
he/him
On Apr 2, 2026, at 11:25 AM, Matthew Weier O'Phinney <mweierophinney@gmail.com> wrote:
On Wed, Mar 11, 2026 at 10:56 AM Calvin Buckley <calvin@cmpct.info> wrote:
Based on the feedback I had from my proposal for function arguments in
errors last week, I'd like to introduce an RFC for it. Please let me
know what you think and please raise any possible issues.PHP: rfc:display_error_function_args
Have you done any benchmarking on this? What is the performance impact when it is enabled versus disabled? That information will be useful if this passes so that users can understand not just the security impact of having this information reported in logs, but the performance impact.
--
Matthew Weier O'Phinney
mweierophinney@gmail.com
https://mwop.net/
he/him
I haven't yet. I suppose the usual benchmark suite PHP runs might not be interesting for this seeing as they probably shouldn't be writing to the error log...