On 29/01/2022 16:33, Christian Schneider wrote:
> If a static analyzer manages to catch it at development time then that is a lot
> better.
Of course it's better, but you wouldn't argue that a car doesn't need
airbags because you've tested that the brakes work.
Defense in depth.
Our ecosystem of static analysers is fantastic, but they're standalone
tools outside the remit of internals. Maybe that software has a bug,
maybe it hasn't yet been programmed to recognise the side effects of a
new feature that was added, maybe the user has not updated the library
in a while.
With runtime checking, the engine should always try to protect against
the unexpected, irrespective of if other checking has already been
performed by outside sources.
--
PHP Internals - PHP Runtime Development Mailing List