Phan
Phan is a static analyzer for PHP. It apparently originated from Etsy. It will help you write better PHP code. Please note that your source code should follow best practices for directory layout[1]. To use it, you'll need to install the Abstract Syntax Tree PHP extension. See the tutorial for analyzing a large sloppy codebase
The MediaWiki project uses Phan in its Continuous Integration.
Contents
Links[edit | edit source]
- mediawiki-tools-phan on github
- phan/phan on github
- nikic/php-ast on github
- Phan Getting-Started
- Phan CLI-HELP.md
Static Analysis of MediaWiki[edit | edit source]
For some current analysis see https://doc.wikimedia.org/mediawiki-core/master/phpmetrics/complexity.html
- Continuous_integration/Entry_points
- Continuous_integration/Phan
- Continuous_integration/Tutorials/Add_phan_to_a_MediaWiki_extension
- Best_practices_for_extensions#File_structure
The on-wiki documentation (at MediaWiki.org) and even the upstream projects do not exactly provide a usable guide for MediaWiki implementors to use Phan on an extensive codebase (ie. "my whole wiki"). Instead, the documentation describes how MediaWiki extension developers can use Phan by incorporating their code into the larger configuration of MediaWiki Continuous Integration. If you download MediaWiki and composer update (to get dev dependencies) and also install PHP-AST, then you should be able to run composer phan or ./vendor/bin/phan -p . But, that analyzes the entire MediaWiki codebase (using a lot of RAM and time), and does not analyze random extensions (found on client's wiki instance) unless those extensions already have their own ./phan/config.php
The traditional form of that[2], for an extension named "MyExtension", which has dependencies on the Echo and SocialProfile extension, is
$cfg = require __DIR__ . '/../vendor/mediawiki/mediawiki-phan-config/src/config.php';
$cfg['directory_list'] = array_merge(
$cfg['directory_list'],
[
'../../extensions/Echo',
'../../extensions/SocialProfile',
]
);
$cfg['exclude_analysis_directory_list'] = array_merge(
$cfg['exclude_analysis_directory_list'],
[
'../../extensions/Echo',
'../../extensions/SocialProfile',
]
);
return $cfg;
The reason the normal pattern is to include directories and exclude those same directories is that you include 'dependencies' for class definitions etc. (symbol discovery), but do not warn about issues outside the limits of your own MyExtension extension.
 |
If your Extension does have dependencies on other extensions, and you are hosting your code in gerrit for automated CI checks and fixes (you should), you must create an entry in the so-called parameter-functions.py to declare those dependencies. |
MediaWiki Phan Config[edit | edit source]
The bigger (unanswered) question is what does mediawiki-phan-config do? What is the compiled and complete configuration that you are "running" against your codebase?
For example, one basic attribute is the "severity level" or rigor of the analysis. What is that set to for MediaWiki code? Phan has a CLI option named
-y, --minimum-severity <level>
The level can be any digit from 0-10, defaulting to 0. Zero means report every possible problem. Minimum severity of 10 would report only 'critical' problems.
MediaWiki Phan Config has a ConfigBuilder.php class that is used to build up the project's phan config. The main file to see how it's configured is config.php
After reading that and the source of ./phan/config.php, we figured out the full configuration, and that you can create your own overrides/customizations in a file called .phan/local-config.php
Fully parsed configuration[edit | edit source]
Show the full configuration for MediaWiki phan
.phan/config.php I simply added print_r( $cfg ); exit();
composer phan to invoke it from my shell and display the object variable.
1 Array
2 (
3 [backward_compatibility_checks] =>
4 [parent_constructor_required] => Array
5 (
6 )
7
8 [quick_mode] =>
9 [analyze_signature_compatibility] => 1
10 [ignore_undeclared_variables_in_global_scope] => 1
11 [read_type_annotations] => 1
12 [disable_suppression] =>
13 [dump_ast] =>
14 [dump_signatures_file] =>
15 [processes] => 1
16 [whitelist_issue_types] => Array
17 (
18 )
19
20 [markdown_issue_messages] =>
21 [generic_types_enabled] => 1
22 [plugins] => Array
23 (
24 [0] => PregRegexCheckerPlugin
25 [1] => UnusedSuppressionPlugin
26 [2] => DuplicateExpressionPlugin
27 [3] => LoopVariableReusePlugin
28 [4] => RedundantAssignmentPlugin
29 [5] => UnreachableCodePlugin
30 [6] => SimplifyExpressionPlugin
31 [7] => DuplicateArrayKeyPlugin
32 [8] => UseReturnValuePlugin
33 [9] => AddNeverReturnTypePlugin
34 [10] => /opt/htdocs/mediawiki/vendor/mediawiki/mediawiki-phan-config/src/../../phan-taint-check-plugin/MediaWikiSecurityCheckPlugin.php
35 )
36
37 [plugin_config] => Array
38 (
39 )
40
41 [file_list] => Array
42 (
43 [0] => .phan/stubs/password.php
44 [1] => .phan/stubs/Socket.php
45 [2] => .phan/stubs/WeakMap.php
46 [3] => includes/Defines.php
47 [4] => tests/phpunit/MediaWikiIntegrationTestCase.php
48 [5] => tests/phpunit/includes/TestUser.php
49 )
50
51 [exclude_file_list] => Array
52 (
53 [0] => vendor/squizlabs/php_codesniffer/src/Standards/PSR2/Tests/Methods/MethodDeclarationUnitTest.inc
54 [1] => vendor/php-parallel-lint/php-parallel-lint/src/polyfill.php
55 )
56
57 [exclude_analysis_directory_list] => Array
58 (
59 [0] => vendor/
60 [1] => .phan/
61 [2] => tests/phpunit/
62 [3] => includes/config-vars.php
63 [4] => includes/composer/
64 [5] => maintenance/language/
65 [6] => includes/libs/jsminplus.php
66 [7] => includes/libs/objectcache/utils/MemcachedClient.php
67 [8] => includes/PHPVersionCheck.php
68 )
69
70 [exclude_file_regex] => @vendor/((composer/installers|php-parallel-lint/php-console-color|php-parallel-lint/php-console-highlighter|php-parallel-lint/php-parallel-lint|mediawiki/mediawiki-codesniffer|microsoft/tolerant-php-parser|phan/phan|phpunit/php-code-coverage|squizlabs/php_codesniffer|[^/]+/[^/]+/\.phan)|.*/[Tt]ests?)/@
71 [minimum_severity] => 0
72 [allow_missing_properties] =>
73 [null_casts_as_any_type] =>
74 [scalar_implicit_cast] =>
75 [dead_code_detection] =>
76 [dead_code_detection_prefer_false_negative] => 1
77 [progress_bar] =>
78 [enable_class_alias_support] =>
79 [redundant_condition_detection] => 1
80 [minimum_target_php_version] => 7.4.3
81 [target_php_version] => 8.1
82 [directory_list] => Array
83 (
84 [0] => includes/
85 [1] => languages/
86 [2] => maintenance/
87 [3] => mw-config/
88 [4] => resources/
89 [5] => vendor/
90 [6] => tests/common/
91 [7] => tests/parser/
92 [8] => tests/phpunit/mocks/
93 )
94
95 [suppress_issue_types] => Array
96 (
97 [0] => PhanDeprecatedFunction
98 [1] => PhanDeprecatedClass
99 [2] => PhanDeprecatedClassConstant
100 [3] => PhanDeprecatedFunctionInternal
101 [4] => PhanDeprecatedInterface
102 [5] => PhanDeprecatedProperty
103 [6] => PhanDeprecatedTrait
104 [7] => PhanUnreferencedUseNormal
105 [8] => PhanUnreferencedUseFunction
106 [9] => PhanUnreferencedUseConstant
107 [10] => PhanDuplicateUseNormal
108 [11] => PhanDuplicateUseFunction
109 [12] => PhanDuplicateUseConstant
110 [13] => PhanUseNormalNoEffect
111 [14] => PhanUseNormalNamespacedNoEffect
112 [15] => PhanUseFunctionNoEffect
113 [16] => PhanUseConstantNoEffect
114 [17] => PhanDeprecatedCaseInsensitiveDefine
115 [18] => PhanAccessClassConstantInternal
116 [19] => PhanAccessClassInternal
117 [20] => PhanAccessConstantInternal
118 [21] => PhanAccessMethodInternal
119 [22] => PhanAccessPropertyInternal
120 [23] => PhanParamNameIndicatingUnused
121 [24] => PhanParamNameIndicatingUnusedInClosure
122 [25] => PhanProvidingUnusedParameter
123 [26] => PhanPluginMixedKeyNoKey
124 [27] => SecurityCheck-LikelyFalsePositive
125 [28] => SecurityCheck-PHPSerializeInjection
126 [29] => PhanPluginDuplicateExpressionAssignmentOperation
127 [30] => PhanPluginDuplicateExpressionAssignmentOperation
128 )
129
130 [globals_type_map] => Array
131 (
132 [wgContLang] => \Language
133 [wgParser] => \Parser
134 [wgTitle] => \Title
135 [wgMemc] => \BagOStuff
136 [wgUser] => \User
137 [wgConf] => \SiteConfiguration
138 [wgLang] => \Language
139 [wgOut] => OutputPage
140 [wgRequest] => \WebRequest
141 [IP] => string
142 [wgGalleryOptions] => array
143 [wgDummyLanguageCodes] => string[]
144 [wgNamespaceProtection] => array<int,string|string[]>
145 [wgNamespaceAliases] => array<string,int>
146 [wgLockManagers] => array[]
147 [wgForeignFileRepos] => array[]
148 [wgDefaultUserOptions] => array
149 [wgSkipSkins] => string[]
150 [wgLogTypes] => string[]
151 [wgLogNames] => array<string,string>
152 [wgLogHeaders] => array<string,string>
153 [wgLogActionsHandlers] => array<string,class-string>
154 [wgPasswordPolicy] => array<string,array<string,string|array>>
155 [wgVirtualRestConfig] => array<string,array>
156 [wgWANObjectCaches] => array[]
157 [wgLocalInterwikis] => string[]
158 [wgDebugLogGroups] => string|false|array{destination:string,sample?:int,level:int}
159 [wgCookiePrefix] => string|false
160 [wgExtraNamespaces] => string[]
161 )
162
163 [analyzed_file_extensions] => Array
164 (
165 [0] => php
166 [1] => inc
167 )
168
169 [autoload_internal_extension_signatures] => Array
170 (
171 [dom] => .phan/internal_stubs/dom.phan_php
172 [excimer] => .phan/internal_stubs/excimer.php
173 [imagick] => .phan/internal_stubs/imagick.phan_php
174 [memcached] => .phan/internal_stubs/memcached.phan_php
175 [oci8] => .phan/internal_stubs/oci8.phan_php
176 [pcntl] => .phan/internal_stubs/pcntl.phan_php
177 [pgsql] => .phan/internal_stubs/pgsql.phan_php
178 [redis] => .phan/internal_stubs/redis.phan_php
179 [sockets] => .phan/internal_stubs/sockets.phan_php
180 [sqlsrv] => .phan/internal_stubs/sqlsrv.phan_php
181 [tideways] => .phan/internal_stubs/tideways.phan_php
182 [wikidiff2] => .phan/internal_stubs/wikidiff.php
183 )
184
185 )
Phan has a ton of plugins - but their usage in the MediaWiki configuration is not mentioned or described anywhere (that I could find). I found a list in 'base-config-functions' mediawiki-tools-phan/blob/master/src/base-config-functions.php#L68, but why you need to read the entire source code to "reverse engineer" what is happening? It's not fun. So, again, refer to the fully parsed configuration in the collapsed section above.
Phan Plugins[edit | edit source]
https://github.com/phan/phan/tree/v5/.phan/plugins#2-general-use-plugins
The writing plugins guide also describes how they work.
Check code for compatibility with a particular PHP version[edit | edit source]
One major reason I wanted to use phan was to upgrade a whole codebase, and check its compatibility with an upgraded PHP (moving from 7.4 to 8.1). There is at least one caveat to doing this: You should be running php 8.1 in order to check code for compatibility with 8.1 You can use phan with the config setting of target_php_version[3]
Phan with VSCode[edit | edit source]
https://github.com/phan/phan/wiki/Editor-Support supposed to just work (with the plugin). But after I installed the plugin, it was not producing any hint of working or any errors.
Phan checks[edit | edit source]
There are over 1,000 things that phan tests its own code against
https://github.com/phan/phan/tree/v5/tests
https://github.com/phan/phan/tree/v5/tests/files/src
References[edit source]
- ↑ Essentially, code should live in a 'src' or 'includes' directory; tests go in 'tests' etc. https://www.mediawiki.org/wiki/Best_practices_for_extensions#File_structure
- ↑ https://codesearch.wmcloud.org/things/?q=exclude_analysis_directory_list&files=.phan%2Fconfig.php&excludeFiles=&repos=
- ↑ https://github.com/phan/phan/wiki/Phan-Config-Settings#analysis-of-a-php-version
