|T319596 Upgrade, release, and use new PHP 7.4+ versions of all our home-grown CI libraries
|T319538 Release new version of mediawiki-phan-config with phan 5.4.1 and taint-check 4.0.0 and tell LibUp about it
|T298571 PhanCommentAbstractOnInheritedMethod false positive
|T301079 PhanPossiblyUndeclaredVariable false positive
|T298576 Upgrade phan to 5.3.2 or later
|T311452 Taint Check Plugin release
Updates of phan in mediawiki/mediawiki-phan-config also need an update of phan in taint-plugin
For 5.2.1 there is a bump already - https://gerrit.wikimedia.org/r/c/mediawiki/tools/phan/SecurityCheckPlugin/+/721411, but no release
I tried... CI is now failing with a mysterious message when running PHPUnit. It doesn't seem to fail for other patches in the same repo, but there shouldn't be any difference. Also, the disabling of xdebug inevitably clutters the output and it's unclear whether it might be related. The relevant task is T269489, which requires T280170, which is currently blocked on T243847 for the 7.2 package.
I've confirmed locally that T269489 is indeed the issue -- if I run the taint-check PHPUnit suite with xdebug enabled, it tries to restart itself but for some reason it fails. Likely, the xdebug-checking logic changed in phan > 5.2.1.
For now I'm setting the env var which bypasses the xdebug check, but that's not something I'd like to keep in the long term, since phan is terribly slow if xdebug is enabled (I think the docs used to say 5x slow, I personally saw it run like 20x slower with taint-check enabled). xdebug should really really really not be enabled in the base CI images.
Just as a note:
When using the new version (5.3.2), one of the most frequently showing up (new) issues is PhanParamTooFewUnpack/PhanParamTooFewInternalUnpack, which warns when ... is used to unpack arguments to a function and that array may be empty.
Possibly some false positives as well.
includes\api\ApiBase.php:1227 PhanParamTooFewUnpack Call with 0 or more arg(s) to \wfMessage($key, ...$params) which requires 1 arg(s) defined at includes\GlobalFunctions.php:1180. This may throw an ArgumentCountError if there are too few args at runtime.
$msg = wfMessage( ...$msg );
Phan sees a possibly empty $msg array
This one (and possibly others) could also be fixed by annotating the parameter as non-empty-array. I'm not sure how "official" that is, and whether it's fine to have it in the standard @param annotation or whether it should be in @phan-param.
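The runtime failure behind PhanParamTooFewUnpack, as an added example that is not part of the original comments or of MediaWiki's code. `format_message`, `from_spec_unchecked`, `from_spec_annotated` and the sample inputs are hypothetical; the `non-empty-array` annotation is the one proposed in the last comment, paired here with a runtime guard because doc comments are not enforced by PHP.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a function with one required parameter
// followed by variadic ones, like wfMessage( $key, ...$params ).
function format_message(string $key, ...$params): string
{
    return $key . '(' . implode(', ', array_map('strval', $params)) . ')';
}

/**
 * Unannotated form: $spec is a plain array, so it may be empty and the
 * unpack may pass zero arguments to a function that requires one.
 *
 * @param array $spec Message key followed by its parameters
 */
function from_spec_unchecked(array $spec): string
{
    return format_message(...$spec);
}

/**
 * Same call with the contract stated in the annotation and enforced at
 * runtime, so an empty spec fails with a clear error at the boundary.
 *
 * @param non-empty-array $spec Message key followed by its parameters
 */
function from_spec_annotated(array $spec): string
{
    if ($spec === []) {
        throw new InvalidArgumentException('message spec must contain a key');
    }
    return format_message(...$spec);
}

// Constructed sample inputs.
echo from_spec_annotated(['example-key', 'param1']), "\n";

try {
    // Empty spec: the unpack supplies no arguments at all.
    from_spec_unchecked([]);
} catch (ArgumentCountError $e) {
    echo 'ArgumentCountError: ', $e->getMessage(), "\n";
}
```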