Page MenuHomePhabricator
Create Task
Maniphest T298576

Upgrade phan to 5.3.2 or later
Closed, ResolvedPublic
Actions

Description

Currently we're on 5.2.0. As of writing, four newer releases exist

https://github.com/phan/phan/releases/tag/5.2.1
https://github.com/phan/phan/releases/tag/5.3.0
https://github.com/phan/phan/releases/tag/5.3.1
https://github.com/phan/phan/releases/tag/5.3.2

Details

SubjectRepoBranchLines +/-
Bump phan to 5.4.1 and taint-check to 4.0.0mediawiki/tools/phanmaster+2 -2
Bump phan to 5.4.1 and prepare for 4.0.0 releasemediawiki/tools/phan/SecurityCheckPluginmaster+3 -3
Bump phan to 5.3.2mediawiki/tools/phan/SecurityCheckPluginmaster+21 -11
Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Jan 5 2022, 12:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2022, 12:23 AM
Reedy updated the task description. (Show Details)Jan 5 2022, 12:24 AM
Reedy mentioned this in T298571: PhanCommentAbstractOnInheritedMethod false positive.Jan 5 2022, 4:48 PM
Reedy renamed this task from Upgrade phan to 5.3.1 to Upgrade phan to 5.3.1 or later.Jan 5 2022, 4:50 PM
Umherirrender added a project: phan-taint-check-plugin.Jan 7 2022, 9:14 PM
Umherirrender added subscribers: Daimona, Umherirrender.

Updates of phan in mediawiki/mediawiki-phan-config needs also update of phan in taint-plugin

For 5.2.1 there is a bump already - https://gerrit.wikimedia.org/r/c/mediawiki/tools/phan/SecurityCheckPlugin/+/721411, but no release

Reedy renamed this task from Upgrade phan to 5.3.1 or later to Upgrade phan to 5.3.2 or later.Feb 3 2022, 5:36 PM
Reedy updated the task description. (Show Details)
Reedy added a parent task: T298571: PhanCommentAbstractOnInheritedMethod false positive.
Reedy updated the task description. (Show Details)
Daimona mentioned this in T301079: PhanPossiblyUndeclaredVariable false positive.Feb 6 2022, 6:28 PM
Reedy added a parent task: T301079: PhanPossiblyUndeclaredVariable false positive.Feb 6 2022, 6:31 PM
gerritbot added a comment.Feb 7 2022, 1:21 PM

Change 760569 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan to 5.3.2

https://gerrit.wikimedia.org/r/760569

gerritbot added a project: Patch-For-Review.Feb 7 2022, 1:21 PM
Daimona added a comment.Feb 7 2022, 2:57 PM
In T298576#7688759, @gerritbot wrote:

Change 760569 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan to 5.3.2

https://gerrit.wikimedia.org/r/760569

I tried... CI is now failing with a mysterious message when running PHPUnit. It doesn't seem to fail for other patches in the same repo, but there shouldn't be any difference. Also, the disabling of xdebug inevitably clutters the output and it's unclear whether it might be related. The relevant task is T269489, which requires T280170, which iscurrently blocked on T243847 for the 7.2 package.

Daimona added a comment.Feb 10 2022, 10:48 AM

I've confirmed locally that T269489 is indeed the issue -- if I run the taint-check PHPUnit suite with xdebug enabled, it tries to restart itself but for some reason it fails. Likely, the xdebug-checking logic changed in phan > 5.2.1.

For now I'm setting the env var which bypasses the xdebug check, but that's not something I'd like to keep in the long term, since phan is terribly slow if xdebug is enabled (I think the docs used to say 5x slow, I personally saw it run like 20x slower with taint-check enabled). xdebug should really really really not be enabled in the base CI images.

gerritbot added a comment.Mar 5 2022, 5:34 PM

Change 760569 merged by jenkins-bot:

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan to 5.3.2

https://gerrit.wikimedia.org/r/760569

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2022, 6:10 PM
Reedy closed this task as Resolved.Mar 5 2022, 6:14 PM
Reedy assigned this task to Daimona.
Daimona reopened this task as Open.Mar 5 2022, 6:19 PM

I'd rather close this after we tag a new version of taint-check, use it in mw-phan-config and then tag a new version of that. Upgrading phan is a bit annoying, unfortunately...

Umherirrender mentioned this in T304906: Update mediawiki/mediawiki-phan-config to latest (0.11.1) in Wikibase extension.Mar 28 2022, 9:23 PM
Umherirrender mentioned this in T259172: Remove suppression of PhanPossiblyUndeclaredVariable issue in core.Mar 31 2022, 5:31 PM
Umherirrender added a comment.Mar 31 2022, 7:45 PM

Just as note:
When using the new version (5.3.2) one of the most (new) showing up issue is PhanParamTooFewUnpack/PhanParamTooFewInternalUnpack which warns when ... is used to unpack arguments to a function and that array may is empty.

Possible some false positives as well.

Example:

includes\api\ApiBase.php:1227 PhanParamTooFewUnpack Call with 0 or more arg(s) to \wfMessage($key, ...$params) which requires 1 arg(s) defined at includes\GlobalFunctions.php:1180. This may throw an ArgumentCountError if there are too few args at runtime.

for

$msg = wfMessage( ...$msg );

Phan sees a possible empty $msg array

Seb35 subscribed.Apr 18 2022, 5:27 PM
Daimona added a comment.May 8 2022, 2:39 PM
In T298576#7822975, @Umherirrender wrote:

Example:

includes\api\ApiBase.php:1227 PhanParamTooFewUnpack Call with 0 or more arg(s) to \wfMessage($key, ...$params) which requires 1 arg(s) defined at includes\GlobalFunctions.php:1180. This may throw an ArgumentCountError if there are too few args at runtime.

for

$msg = wfMessage( ...$msg );

Phan sees a possible empty $msg array

This one (and possibly others) could also be fixed by annotating the parameter as non-empty-array. I'm not sure how "official" that is, and whether it's fine to have it in the standard @param annotation or whether it should be in @phan-param.

Umherirrender unsubscribed.Jun 19 2022, 7:30 PM
Reedy added a subtask: T311452: Taint Check Plugin release.Jun 27 2022, 7:43 PM
Jdforrester-WMF subscribed.Sep 29 2022, 2:50 PM
gerritbot added a comment.Oct 4 2022, 12:05 PM

Change 838128 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan/SecurityCheckPlugin@master] BUmp phan to 5.4.1 and prepare for 4.0.0 release

https://gerrit.wikimedia.org/r/838128

gerritbot added a project: Patch-For-Review.Oct 4 2022, 12:05 PM
gerritbot added a comment.Oct 5 2022, 10:24 PM

Change 838128 merged by jenkins-bot:

[mediawiki/tools/phan/SecurityCheckPlugin@master] Bump phan to 5.4.1 and prepare for 4.0.0 release

https://gerrit.wikimedia.org/r/838128

Maintenance_bot removed a project: Patch-For-Review.Oct 5 2022, 10:30 PM
Daimona closed subtask T311452: Taint Check Plugin release as Resolved.Oct 6 2022, 12:18 PM
gerritbot added a comment.Oct 6 2022, 12:22 PM

Change 839508 had a related patch set uploaded (by Daimona Eaytoy; author: Daimona Eaytoy):

[mediawiki/tools/phan@master] Bump phan to 5.4.1 and taint-check to 4.0.0

https://gerrit.wikimedia.org/r/839508

gerritbot added a project: Patch-For-Review.Oct 6 2022, 12:22 PM
Daimona added a parent task: T319538: Release new version of mediawiki-phan-config with phan 5.4.1 and taint-check 4.0.0 and tell LibUp about it.Oct 6 2022, 12:23 PM
gerritbot added a comment.Oct 6 2022, 12:49 PM

Change 839508 merged by jenkins-bot:

[mediawiki/tools/phan@master] Bump phan to 5.4.1 and taint-check to 4.0.0

https://gerrit.wikimedia.org/r/839508

Daimona closed this task as Resolved.Oct 6 2022, 12:53 PM
Daimona removed a project: Patch-For-Review.

Calling this done now, and tracking the release in T319538.

sbassett awarded a token.Oct 6 2022, 2:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL