The following patch https://gerrit.wikimedia.org/r/c/mediawiki/core/+/657900 fails phan taint check and produces very obscure errors in seemingly entirely unrelated codepaths - https://integration.wikimedia.org/ci/job/mediawiki-core-php72-phan-docker/40225/console for example.
At first I have wrote the new code using SelectQueryBuilder, so thought it was due to T253380 but then I've rolled back the SelectQueryBuilder changes with no effect.
Needs investigation.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T272689 Investigate design of UserStore or UserAccountStore | |||
| Resolved | • Pchelolo | T273932 Obscure phan taint-check failures for ActorStore patches |
in seemingly entirely unrelated codepaths
This is a direct consequence of how taint-check tracks method dependencies. It builts a partial graph along the way, rather than a full (or at least full-ish) graph, and this is affected by several factors. For instance, the order in which methods are analyzed, and what path it takes from a taint source to a sink (if the maximum depth limit kicks in for one path but not another).
ActorMigration is widely used and it does stuff with the Database, so it's a relatively hot file for taint-check, and I'm not very surprised by the new issues.
I think the most sensible approach would be to determine which issues are real, fix them, and then reapply your patch, adding/removing suppressions where needed.
The issue in UploadFromFile is still a false positive, the suppression should be updated to suppress SecurityCheck-Multi, not just PathTraversal. The issues in DefaultPreferencesFactory are caused by T183174. Unused suppressions can be removed. I haven't checked the 2 installer-related issues.