PHPackages phan/phan - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Testing & Quality](/categories/testing) 4. / 5. phan/phan ActiveProject[Testing & Quality](/categories/testing) phan/phan ========= A static analyzer for PHP 6.0.5(1mo ago)5.6k11.2M—3.4%370[759 issues](https://github.com/phan/phan/issues)[10 PRs](https://github.com/phan/phan/pulls)20MITPHPPHP ^8.1.0CI passing Since Jan 11Pushed 2mo ago98 watchersCompare [ Source](https://github.com/phan/phan)[ Packagist](https://packagist.org/packages/phan/phan)[ RSS](/packages/phan-phan/feed)WikiDiscussions v6 Synced 1mo ago READMEChangelog (10)Dependencies (33)Versions (528)Used By (20) Phan is a static analyzer for PHP that prefers to minimize false-positives. Phan attempts to prove incorrectness rather than correctness. Phan looks for common issues and will verify type compatibility on various operations when type information is available or can be deduced. Phan has a good (but not comprehensive) understanding of flow control and can track values in a few use cases (e.g. arrays, integers, and strings). [![Build Status](https://github.com/phan/phan/actions/workflows/main.yml/badge.svg?branch=v6)](https://github.com/phan/phan/actions/workflows/main.yml?query=branch%3Av6)[![Build Status (Windows)](https://camo.githubusercontent.com/58284f21e58200416abbcc83e725f1963d2a56eae77675b2c03680df0cb31554/68747470733a2f2f63692e6170707665796f722e636f6d2f6170692f70726f6a656374732f7374617475732f6769746875622f7068616e2f7068616e3f6272616e63683d7636267376673d74727565)](https://ci.appveyor.com/project/TysonAndre/phan/branch/v6)[![Gitter](https://camo.githubusercontent.com/19c7489a206355906070a06002f6d9cd755e8a827487404e810cc72f0062d05a/68747470733a2f2f6261646765732e6769747465722e696d2f7068616e2f7068616e2e737667)](https://gitter.im/phan/phan?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)[![Latest Stable Version](https://camo.githubusercontent.com/7a97caa2b57fe2d87b9a33b0f7a463ebfdfb8ee8407f962a00785355fa2d33ab/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7068616e2f7068616e2e737667)](https://packagist.org/packages/phan/phan)[![License](https://camo.githubusercontent.com/571803933ac2cc939e5df8d9993b9603f8aa8a0f361d057a41ae3f9e6c6ea115/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f7068616e2f7068616e2e737667)](https://github.com/phan/phan/blob/v6/LICENSE) Getting Started =============== [](#getting-started) The easiest way to use Phan is via Composer. ``` composer require phan/phan ``` With Phan installed, you can start analyzing your code immediately! Phan includes built-in stubs for enhanced type checking of PHP extensions. For new projects, use `phan --init` to create a `.phan/config.php` file with recommended settings and bundled stubs. You can also [manually create a config file](https://github.com/phan/phan/wiki/Getting-Started#creating-a-config-file) if you prefer. Once configured, you can run it via `./vendor/bin/phan`. Phan 6 requires PHP 8.1+ with the [php-ast](https://github.com/nikic/php-ast) extension (1.1.3+ is required for PHP 8.4+ support) and supports analyzing PHP version 8.1-8.5 syntax. Installation instructions for php-ast can be found [here](https://github.com/nikic/php-ast#installation). (Phan can be used without php-ast by using the CLI option `--allow-polyfill-parser`, but there are slight differences in the parsing of doc comments) - **Alternative Installation Methods** See [Getting Started](https://github.com/phan/phan/wiki/Getting-Started) for alternative methods of using Phan and details on how to configure Phan for your project. - **Incrementally Strengthening Analysis** Take a look at [Incrementally Strengthening Analysis](https://github.com/phan/phan/wiki/Incrementally-Strengthening-Analysis) for some tips on how to slowly ramp up the strictness of the analysis as your code becomes better equipped to be analyzed. - **Installing Dependencies** Take a look at [Installing Phan Dependencies](https://github.com/phan/phan/wiki/Getting-Started#installing-phan-dependencies) for help getting Phan's dependencies installed on your system. The [Wiki has more information about using Phan](https://github.com/phan/phan/wiki#using-phan). Tolerant parser dependency ========================== [](#tolerant-parser-dependency) Phan relies on [`phan/phan-tolerant`](https://github.com/phan/phan-tolerant) for the fallback parser and language-server mapping. The project is now consumed as a Composer dependency (`microsoft/tolerant-php-parser`, overridden to our fork via the repository entry in `composer.json`) rather than via a vendored subtree. To run the tolerant parser’s own PHPUnit suites, install its dev dependencies and invoke PHPUnit from the dependency directory: ``` composer install cd vendor/microsoft/tolerant-php-parser composer install php -d zend.assertions=1 -d assert.exception=1 vendor/bin/phpunit --testsuite invariants,api ``` When you need to refresh the parser to a newer commit, adjust the constraint in `composer.json` (or run `composer update microsoft/tolerant-php-parser`) and commit the resulting lockfile change. Features ======== [](#features) Phan is able to perform the following kinds of analysis: - Check that all methods, functions, classes, traits, interfaces, constants, properties and variables are defined and accessible. - Check for type safety and arity issues on method/function/closure calls. - Check for PHP 8.5/8.4/8.3/8.2/8.1 backward compatibility. - Check for features that weren't supported in older PHP 8.x minor releases (E.g. property hooks, `readonly` classes, enums, union types, match expressions, etc.) - Check for sanity with array accesses. - Check for type safety on binary operations. - Check for valid and type safe return values on methods, functions, and closures. - Check for No-Ops on arrays, closures, constants, properties, variables, unary operators, and binary operators. - Check for unused/dead/[unreachable](https://github.com/phan/phan/tree/v6/.phan/plugins#unreachablecodepluginphp) code. (Pass in `--dead-code-detection`) - Check for unused variables and parameters. (Pass in `--unused-variable-detection`) - Check for redundant or impossible conditions and pointless casts. (Pass in `--redundant-condition-detection`) - Check for unused `use` statements. These and a few other issue types can be automatically fixed with `--automatic-fix`. - Check for classes, functions and methods being redefined. - Check for sanity with class inheritance (e.g. checks method signature compatibility). Phan also checks for final classes/methods being overridden, that abstract methods are implemented, and that the implemented interface is really an interface (and so on). - Supports namespaces, traits and variadics. - Supports [Union Types](https://github.com/phan/phan/wiki/About-Union-Types). - Supports [Generic Types (i.e. `@template`)](https://github.com/phan/phan/wiki/Generic-Types). - Supports generic arrays such as `int[]`, `UserObject[]`, `array`, etc.. - Supports array shapes such as `array{key:string,otherKey:?stdClass}`, etc. (internally and in PHPDoc tags) This also supports indicating that fields of an array shape are optional via `array{requiredKey:string,optionalKey?:string}` (useful for `@param`). Multi-line forms of `@param`, `@var`, and `@return` annotations are normalized before being parsed, so docblocks can format nested arrays/generics over several lines. - Supports phpdoc [type annotations](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code). - Supports inheriting phpdoc type annotations. - Supports checking that phpdoc type annotations are a narrowed form (E.g. subclasses/subtypes) of the real type signatures - Supports inferring types from [assert() statements](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code) and conditionals in if elements/loops. - Supports [`@deprecated` annotation](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code#deprecated) for deprecating classes, methods and functions - Supports [`@internal` annotation](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code#internal) for elements (such as a constant, function, class, class constant, property or method) as internal to the package in which it's defined. - Supports `@suppress ` annotations for [suppressing issues](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code#suppress). - Supports [magic @property annotations](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code#property) (`@property `) - Supports [magic @method annotations](https://github.com/phan/phan/wiki/Annotating-Your-Source-Code#method) (`@method ( )`) - Supports [`class_alias` annotations (experimental, off by default)](https://github.com/phan/phan/pull/586) - Supports indicating the class to which a closure will be bound, via `@phan-closure-scope` ([example](tests/files/src/0264_closure_override_context.php)) - Supports analysis of closures and return types passed to `array_map`, `array_filter`, and other internal array functions. - Offers extensive configuration for weakening the analysis to make it useful on large sloppy code bases - Can be run on many cores. (requires `pcntl`) - Output is emitted in text, checkstyle, json, pylint, csv, codeclimate, html, or github formats. - Can run [user plugins on source for checks specific to your code](https://github.com/phan/phan/wiki/Writing-Plugins-for-Phan). [Phan includes various plugins you may wish to enable for your project](https://github.com/phan/phan/tree/v6/.phan/plugins#2-general-use-plugins). See [Phan Issue Types](https://github.com/phan/phan/wiki/Issue-Types-Caught-by-Phan) for descriptions and examples of all issues that can be detected by Phan. Take a look at the [\\Phan\\Issue](https://github.com/phan/phan/blob/v6/src/Phan/Issue.php) to see the definition of each error type. Take a look at the [Tutorial for Analyzing a Large Sloppy Code Base](https://github.com/phan/phan/wiki/Tutorial-for-Analyzing-a-Large-Sloppy-Code-Base) to get a sense of what the process of doing ongoing analysis might look like for you. Phan can be used from [various editors and IDEs](https://github.com/phan/phan/wiki/Editor-Support) for its error checking, "go to definition" support, etc. via the [Language Server Protocol](https://github.com/Microsoft/language-server-protocol). Editors and tools can also request analysis of individual files in a project using the simpler [Daemon Mode](https://github.com/phan/phan/wiki/Using-Phan-Daemon-Mode). See the [tests](https://github.com/phan/phan/blob/v6/tests/files) directory for some examples of the various checks. Phan is imperfect and shouldn't be used to prove that your PHP-based rocket guidance system is free of defects. Features provided by plugins ---------------------------- [](#features-provided-by-plugins) Additional analysis features have been provided by [plugins](https://github.com/phan/phan/tree/v6/.phan/plugins#plugins). - [Checking for syntactically unreachable statements](https://github.com/phan/phan/tree/v6/.phan/plugins#unreachablecodepluginphp) (E.g. `{ throw new Exception("Message"); return $value; }`) - [Checking `*printf()` format strings against the provided arguments](https://github.com/phan/phan/tree/v6/.phan/plugins#printfcheckerplugin) (as well as checking for common errors) - [Checking that PCRE regexes passed to `preg_*()` are valid](https://github.com/phan/phan/tree/v6/.phan/plugins#pregregexcheckerplugin) - [Checking for `@suppress` annotations that are no longer needed.](https://github.com/phan/phan/tree/v6/.phan/plugins#unusedsuppressionpluginphp) - [Checking for duplicate or missing array keys.](https://github.com/phan/phan/tree/v6/.phan/plugins#duplicatearraykeypluginphp) - [Checking coding style conventions](https://github.com/phan/phan/tree/v6/.phan/plugins#3-plugins-specific-to-code-styles) - [Others](https://github.com/phan/phan/tree/v6/.phan/plugins#plugins) Example: [Phan's plugins for self-analysis.](https://github.com/phan/phan/blob/3.2.8/.phan/config.php#L601-L674) Usage ===== [](#usage) After [installing Phan](#getting-started), Phan needs to be configured with details on where to find code to analyze and how to analyze it. The easiest way to tell Phan where to find source code is to [create a `.phan/config.php` file](https://github.com/phan/phan/wiki/Getting-Started#creating-a-config-file). A simple `.phan/config.php` file might look something like the following. ```