Nullsafe operator ?-> incorrectly short-circuits subsequent array access [] (Precedence Violation)

[azjezz]

Description

The nullsafe operator (?->) short-circuits execution of subsequent array access operations ([]) if the base object is null. This behavior violates operator precedence rules.

The array subscript [] applies to the result of the method call/property access.

Expression: $nullable?->meth()[0]

• Since $nullable is null, $nullable?->meth() evaluates to null.
• The remaining expression is effectively (null)[0].
• This should trigger a Warning, but currently returns null silently.

The compiler generates a JMP_NULL that skips the FETCH_DIM_R opcode entirely. This is incorrect because the array access is outside the scope of the nullsafe interaction. The issue is even more evident when parentheses are used to strictly contain the nullsafe expression, yet the compiler still jumps over the array access.

Test:

<?php

function example(): void {
    $nullable = null;
    
    // Case 1: Standard Chain
    // Precedence dictates this is ($nullable?->meth())[0]
    // Expected: Warning (accessing offset 0 on null)
    // Actual: Silent null
    $nullable?->meth()[0]; 

    // Case 2: Parenthesized
    // The grouping explicitly separates the operations.
    // Expected: Warning
    // Actual: Silent null
    ($nullable?->meth())[0]; 

    // Case 3: Control
    // Demonstrates that accessing an offset on null throws a warning.
    (null)[0]; 
}

example();

Expected Result:

Warning: Trying to access array offset on value of type null in %s on line %d
Warning: Trying to access array offset on value of type null in %s on line %d
Warning: Trying to access array offset on value of type null in %s on line %d

Actual Result:

Warning: Trying to access array offset on value of type null in %s on line %d

(Only the control case emits the warning)

The issue is confirmed by the generated opcodes. The JMP_NULL instruction (generated by ?->) targets the instruction after the FETCH_DIM_R (array access).

In the dump below (for ($nullable?->meth())[0]), JMP_NULL at line #6 jumps to ~5. The FETCH_DIM_R at #9 writes to ~5. The jump skips the fetch, improperly treating the array access as part of the nullsafe short-circuit.

filename:       /in/n6rgk
function name:  example
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    6     1        JMP_NULL                                         ~3      !0
          2        INIT_METHOD_CALL                                         !0, 'meth'
          3        DO_FCALL                                      0  $2      
          4        FETCH_DIM_R                                      ~3      $2, 0
          5        FREE                                                     ~3
    7     6        JMP_NULL                                         ~5      !0   <-- Jumps to result of FETCH_DIM_R
          7        INIT_METHOD_CALL                                         !0, 'meth'
          8        DO_FCALL                                      0  $4      
          9        FETCH_DIM_R                                      ~5      $4, 0
         10        FREE                                                     ~5

PHP Version

All supported versions

Operating System

N/A

[iluuu1994]

See https://wiki.php.net/rfc/nullsafe_operator#proposal1

The following elements are considered part of the chain.

• Array access ([])

[azjezz]

In that case, $foo?->bar()[0] makes sense to short circut, but not ($foo?->bar())[0]

[iluuu1994]

In PHP, parentheses don't really have an effect after the parsing stage, they're fully elided in the AST. This has some other, similar effects. E.g.:

function takesRef(&$x) {
    $x = 42;
}
takesRef(($x));
var_dump($x); // 42

In most other languages, the extra parentheses in takesRef(($x)); would disqualify the variable from being used as an l-value, but not in PHP. Given this isn't limited to nullsafe I wouldn't qualify this as a bug. I suppose it could be a feature request, but then it'll need an RFC due to breaking changes, or at the very least an ML discussion.

[azjezz]

Okay, so my understand is that this is parsed as ArrayAccess(Parenthesis(NullSafeCall), 0), which is made into ArrayAccess(NullSafeCall, 0), and since the "array" being access contains ?->, it will short-circuit regardless?

[azjezz]

actually, this seems to also effect other currently short circuited operations, e.g ((($foo?->bar)))->baz still results in null if $foo is null with no error.

[iluuu1994]

Okay, so my understand is that this is parsed as ArrayAccess(Parenthesis(NullSafeCall), 0), which is made into ArrayAccess(NullSafeCall, 0), and since the "array" being access contains ?->, it will short-circuit regardless?

Right, in terms of compilation, ($x?->y)['z'] and $x?->y['z'] are fully equivalent. It's as if the parentheses weren't there.

actually, this seems to also effect other currently short circuited operations, e.g ((($foo?->bar)))->baz still results in null if $foo is null with no error.

Right, the same applies here.

php-src/Zend/zend_language_parser.y

Lines 1348 to 1352 in c27368c

	| '(' expr ')' {
	$$ = $2;
	if ($$->kind == ZEND_AST_CONDITIONAL) $$->attr = ZEND_PARENTHESIZED_CONDITIONAL;
	if ($$->kind == ZEND_AST_ARROW_FUNC) $$->attr = ZEND_PARENTHESIZED_ARROW_FUNC;
	}

Only ZEND_AST_CONDITIONAL and ZEND_AST_ARROW_FUNC expressions remember whether they were parenthesized, which is used for some compilation errors.

[azjezz]

I have made an implementation for it here: #20685

do you think this requires an RFC?

[iluuu1994]

do you think this requires an RFC?

Yeah, I think so. This is a breaking change, and while I can see why you expect an error, I don't think that interpretation is super useful, as it would always just errors.

[azjezz]

as it would always just error.

I dont understand what this means? previously this would "fail" silently, while now it is emitting a warning. neither cases are erroring?

[iluuu1994]

We sometimes use the terms error and warning interchangibly, I should have been more explicit. The point is that ($x?->y)[0] terminating the chain is doesn't seem to ever be a useful interpretation, because why would you want to access an array offset on something you know could be null (which results in null anyway)? Nullsafe intentionally skips the entire chain to avoid having to ?-> to ever point of the chain because a previous fetch in the chain failed (which isn't currently possible for [], as we'd need a ?[] operator).

I think the question is why you would ever not want [] to be skipped.

[azjezz]

For the sake of consistency and having a well defined behavior.

Given null[0] gives a warning, so should (<any expression that results in null>)[0].