Continuous integration/Phan


 * For the security plugin built on top of phan, see phan-taint-check-plugin.

MediaWiki's PHP code base is statically analyzed with Phan. The Phan configuration for MediaWiki core lives in the  directory of the core repository. Every MediaWiki core patch is analyzed by Phan as part of the CI infrastructure, as are patches to many extensions.

Installing Phan
Phan requires PHP >= 7.0 to run, because it works on the abstract syntax tree (AST) that PHP 7 introduced. It fully supports analyzing PHP 5 code bases, but the analysis itself must be run under PHP 7. The php-ast extension is also strongly recommended: Phan can run without it (as long as you pass the  option), but it will be far slower.

Getting Phan
From composer

From docker
TODO: Document the docker method

From git
The exact version of Phan you need is given by the "extra.phan" key in the repository's composer.json. If that key is absent, look at vendor/mediawiki/mediawiki-phan-config/composer.json instead.

From git

 * tells it to analyze the current directory
 * tells it to output a progress bar

Upstream Documentation

 * Annotating Your Source Code
 * About Union Types
 * Issue Types Caught by Phan
 * Typing Parameters

Interpreting Results
Results are printed one per line, in the following structure.
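A small report parser, added here as an example (it is not part of the MediaWiki page or of Phan). It assumes Phan's default plain-text output, one issue per line in the form "path:line IssueType message"; the report it reads is constructed sample input, not real output for any MediaWiki file. In CI the useful step is the last one: exit non-zero when a disallowed issue type appears, so the job fails on it.

```php
<?php
// Added example, not code from the MediaWiki page or from Phan. Parses Phan's
// default text report ("path:line IssueType message", assumed format) and fails
// on a chosen set of issue types. The report below is constructed sample input.

$report = <<<'TXT'
includes/Foo.php:12 PhanUndeclaredVariable Variable $bar is undeclared
includes/Foo.php:40 PhanTypeMismatchArgument Argument 1 ($title) is string but \Baz::run() takes \PageTitle
includes/Bar.php:7 PhanUndeclaredVariable Variable $out is undeclared
TXT;

/**
 * Split one output line into file, line, issue type and message.
 * Returns null for lines that do not match (blank lines, progress output).
 */
function parsePhanLine( string $line ): ?array {
    // Paths on MediaWiki CI never contain ':', so the first ':' followed by
    // digits and a space ends the file name.
    if ( !preg_match( '/^(?<file>[^:]+):(?<line>\d+) (?<type>\S+) (?<message>.*)$/', $line, $m ) ) {
        return null;
    }
    return [
        'file' => $m['file'],
        'line' => (int)$m['line'],
        'type' => $m['type'],
        'message' => $m['message'],
    ];
}

/**
 * Count issues by type and collect every issue whose type is in $failOn.
 * Returns [ counts keyed by issue type, list of offending issues ].
 */
function summarisePhanReport( string $report, array $failOn ): array {
    $counts = [];
    $offending = [];
    foreach ( explode( "\n", $report ) as $rawLine ) {
        $issue = parsePhanLine( trim( $rawLine ) );
        if ( $issue === null ) {
            continue;
        }
        $counts[$issue['type']] = ( $counts[$issue['type']] ?? 0 ) + 1;
        if ( in_array( $issue['type'], $failOn, true ) ) {
            $offending[] = $issue;
        }
    }
    ksort( $counts );
    return [ $counts, $offending ];
}

[ $counts, $offending ] = summarisePhanReport( $report, [ 'PhanUndeclaredVariable' ] );
foreach ( $counts as $type => $n ) {
    echo "$type: $n\n";
}
foreach ( $offending as $issue ) {
    echo "FAIL {$issue['file']}:{$issue['line']} {$issue['type']}\n";
}
// Non-zero exit status makes a CI job fail when a disallowed issue type is present.
exit( $offending === [] ? 0 : 1 );
```

The regex keys off the default output format; if the job runs Phan with a different output mode (for example checkstyle or JSON), parse that instead of this text form.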

Suppressing Issues
Sometimes phan gets it wrong, or the code is so hopeless that a large refactor would be needed before the analysis lines up. In these cases errors from individual lines can be suppressed with the following format:

See the upstream documentation.
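The three places a suppression can live, as an added example that is not code from this page or from Phan. The issue type PhanTypeMismatchArgument is one of Phan's own issue names; PageTitle, takesTitle() and the other names are hypothetical. The practical caveat: always name the exact issue type, and copy it from Phan's own report for the version in use, so that a different issue later found on the same line is still reported.

```php
<?php
// Added example, not code from the MediaWiki page or from Phan. It shows
// doc-block, next-line and current-line suppressions. PhanTypeMismatchArgument is
// a real Phan issue type; PageTitle, takesTitle() and the functions are hypothetical.
// Take the issue name from Phan's report: the exact name depends on the Phan version.

class PageTitle {
    public static function newFromText( string $text ): ?PageTitle {
        return $text === '' ? null : new self();
    }
}

/**
 * Typed only through the doc block, so a bad call is a Phan issue rather than a
 * runtime TypeError; that keeps this file runnable as a demonstration.
 * @param PageTitle $t
 */
function takesTitle( $t ): void {
}

/**
 * Function-level suppression via the doc block. It hides *every*
 * PhanTypeMismatchArgument inside this function, so reserve it for code that
 * cannot be fixed without a large refactor.
 * @suppress PhanTypeMismatchArgument
 * @param string $raw
 */
function legacyCaller( $raw ): void {
    takesTitle( $raw );
    takesTitle( strtoupper( $raw ) );
}

/**
 * @param string $raw
 */
function buildPage( $raw ): void {
    // Line-level suppression. Naming the exact issue type means a later,
    // different issue on the same line is still reported.
    // @phan-suppress-next-line PhanTypeMismatchArgument
    takesTitle( $raw );

    // The same suppression written on the offending line itself.
    takesTitle( $raw ); // @phan-suppress-current-line PhanTypeMismatchArgument

    // Preferred over either suppression: fix the code. The real defect is a
    // string being passed where a PageTitle is required.
    $title = PageTitle::newFromText( $raw );
    if ( $title !== null ) {
        takesTitle( $title );
    }
}

buildPage( 'Main Page' );
legacyCaller( 'Main Page' );
```

A suppression without an issue name, or a function-wide @suppress added to make a patch pass CI, removes exactly the check that would catch the next regression in that spot; the line-level, named form is the one to reach for first.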

Known Problems

 * Phan cannot read @var annotations in the middle of functions. This is a limitation of the PHP AST, and it is unlikely to change in the near future. The closest workaround currently is to specify the @var annotation in the method's doc block.
 * You can also use the ugly-but-it-works string literal form: see line 302 in this commit for an example.
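The limitation and both workarounds side by side, as an added example that is not code from this page or from Phan. Registry, Limiter and the three functions are hypothetical. The method doc-block form is the workaround this page states; the string-literal form is Phan's @phan-var annotation, which is a no-op at runtime.

```php
<?php
// Added example, not code from the MediaWiki page. Registry, Limiter and the
// functions below are hypothetical. rateA() shows the Known Problem (an inline
// @var doc comment in a function body), rateB() and rateC() the two workarounds.

class Limiter {
    public function limit(): int {
        return 5;
    }
}

class Registry {
    /**
     * Loosely typed lookup, as in a lot of legacy service-locator code:
     * Phan learns nothing about the returned value beyond "mixed".
     * @return mixed
     */
    public static function get( string $name ) {
        return $name === 'limiter' ? new Limiter() : null;
    }
}

/**
 * Not read by Phan: a doc comment in the middle of the function body. Phan still
 * treats $limiter as mixed, so it cannot verify that limit() exists or that the
 * return type matches int.
 */
function rateA(): int {
    /** @var Limiter $limiter */
    $limiter = Registry::get( 'limiter' );
    return $limiter->limit();
}

/**
 * Workaround 1: declare the local's type in the method's own doc block.
 * @var Limiter $limiter
 */
function rateB(): int {
    $limiter = Registry::get( 'limiter' );
    return $limiter->limit();
}

/**
 * Workaround 2: the string-literal form. Phan parses the literal as an annotation
 * for $limiter from this statement onward; at runtime it is a discarded expression.
 */
function rateC(): int {
    $limiter = Registry::get( 'limiter' );
    '@phan-var Limiter $limiter';
    return $limiter->limit();
}

echo rateA() + rateB() + rateC(), "\n";
```

Whichever form is used, narrowing the type is what lets Phan check the method call and the int return type at all; with the value left as mixed those checks are silently skipped.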