Code Robustness with Phan

Patrick Allaert (26.Jan.2019 at 11:40, 1 hr)
Talk at PHPBenelux Conference 2019 (English - US)

Rating: 4 of 5

Some languages (C, C++, Go, Java, C#, …) require compiling your whole code base before it can be executed. This could be seen as a counter-productive required step that takes time and must be performed for every single code change.
It has, however, the benefit of analyzing the whole code base, and compilation may fail because of many different kinds of errors: insufficient number of arguments, wrong types, unknown methods/classes/constants/…, undefined variables, … In PHP, you may have the bad surprise of discovering those at runtime.

Phan is a static analyzer for PHP that can bridge that gap by analyzing the complete abstract syntax tree (AST) generated from your code, without having to execute any parts of it.

In this session, we will see the kind of errors that Phan can detect, and how Phan could be extended with plugins.


Rating: 4 of 5

27.Jan.2019 at 14:48 by Koen Cornelis (41 comments) via Web2 LIVE

Very informative talk from Patrick, even though he didn't have a lot of time to prepare it.

My only point of criticism here is that the examples at the start of the different programming languages seemed like overkill. One example other than PHP seemed to be sufficient. Thankfully I had a chance to talk this over with him, and there was a good reason for it, which sadly wasn't in the talk yet. Hopefully in future iterations it will be there as it was a valid point.

Speaker comment:

28.Jan.2019 at 07:51 by Patrick Allaert (40 comments)

Thanks for your feedback Koen.

Indeed, I had the intention to compare what you can natively expect from gcc, javac, rust... and how it compares to PHP+Phan. Basically, rust and gcc do a great job while javac will only provide the most highly critical errors (classes, methods that do not exist, ...).

Will improve that part or simply remove it in the future.


Rating: 4 of 5

28.Jan.2019 at 20:11 by Bert Van de Casteele (56 comments) via Web2 LIVE

Very interesting talk and well presented. Am likely to try it out in the near future. If I have to say one 'bad' thing about the talk: sometimes the comparison between PHP and other languages was taken too far to be really relevant anymore. Not to say it wasn't interesting, but it was perhaps too much. But for the rest a very good talk (and now I've read you didn't have much time in preparing it).

Rating: 3 of 5

28.Jan.2019 at 21:40 by Sietze van den Bergh (28 comments) via Web2 LIVE

A good talk on an important subject. I think Phan is an amazing tool but I'm not sure you convinced people in the audience (if I hadn't known about it I wouldn't have been).

My main problem was that you were showing all kinds of errors Phan detected but almost all of them are already detected by most IDEs (and I think most of the audience uses PhpStorm). I think you would've made a bigger impression if you showed the more advanced checks Phan does on your code.

Still a solid talk with good info and an important subject. Thanks for giving it.

Speaker comment:

29.Jan.2019 at 19:07 by Patrick Allaert (40 comments) via Web2 LIVE

Thanks Bert and Sietze for your feedback.

@Sietze: Indeed, moreover, IDEs mostly show possible issues in the current/opened file while Phan will analyze the whole project. IDEs aren't that good for finding unused code (except for protected/private methods) and all of them *try* to understand PHP's syntax without using PHP, which always leads to some inconsistencies. IDEs know the basic built-in functions, classes & methods, but not about the ones provided by less common extensions and will automatically lead to false-positives.
I also mentioned Continuous Integration: running Phan as part of your CI process is a must. PhpStorm isn't designed to be used in a headless mode.

Cheers and thanks!
