Some languages (C, C++, Go, Java, C#, …) require compiling your whole code base before it can be executed. This can be seen as a counter-productive step: it takes time and must be performed for every single code change.
It has, however, the benefit of analyzing the whole code, and compilation may fail because of many different kinds of errors: insufficient number of arguments, wrong types, unknown methods/classes/constants/…, undefined variables, … In PHP, you may have the unpleasant surprise of discovering those at runtime.

Phan is a static analyzer for PHP that can bridge that gap by analyzing the complete abstract syntax tree (AST) generated from your code, without having to execute any part of it.

In this session, we will see the kind of errors that Phan can detect, and how Phan could be extended with plugins.

Comments

Rated 4

Koen Cornelis at 14:48 on 27 Jan 2019

Very informative talk from Patrick, even though he didn't have a lot of time to prepare it.

My only point of criticism here is that the examples at the start of the different programming languages seemed like overkill. One example other than PHP seemed to be sufficient. Thankfully I had a chance to talk this over with him, and there was a good reason for it, which sadly wasn't in the talk yet. Hopefully in future iterations it will be there as it was a valid point.

Thanks for your feedback Koen.

Indeed, I had the intention to compare what you can natively expect from gcc, javac, rust... and how it compares to PHP+Phan. Basically, rust and gcc do a great job while javac will only provide the most highly critical errors (classes, methods that do not exist, ...).

Will improve that part or simply remove it in the future.

Thanks!

Very interesting talk and well presented. Am likely to try it out in the near future. If I have to say one 'bad' thing about the talk: sometimes the comparison between PHP and other languages was taken too far to be really relevant anymore. Not to say it wasn't interesting, but it was perhaps too much. But for the rest a very good talk (and now I've read you didn't have much time in preparing it).

A good talk on an important subject. I think Phan is an amazing tool but I'm not sure you convinced people in the audience (if I hadn't known about it I wouldn't have been).

My main problem was that you were showing all kinds of errors Phan detected but almost all of them are already detected by most IDEs (and I think most of the audience uses PhpStorm). I think you would've made a bigger impression if you showed the more advanced checks Phan does on your code.

Still a solid talk with good info and an important subject. Thanks for giving it.

Patrick Allaert (Speaker) at 19:07 on 29 Jan 2019

Thanks Bert and Sietze for your feedback.

@Sietze: Indeed, moreover, IDEs mostly show possible issues in the current/opened file while Phan will analyze the whole project. IDEs aren't that good for finding unused code (except for protected/private methods) and all of them *try* to understand PHP's syntax without using PHP, which always leads to some inconsistencies. IDEs know the basic built-in functions, classes & methods, but not about the ones provided by less common extensions and will automatically lead to false-positives.
I also mentioned Continuous Integration: running Phan as part of your CI process is a must. PhpStorm isn't designed to be used in a head-less mode.

Cheers and thanks!