NoVerify v0.5.3

👋 Small update with improvements and fixes.

Added

• #1177: new SonarQube rules (useExitOrDie, useEval, useSleep)
• #1180: added @filter for dynamic rules

Fixed

• #1173: added lost EmptyTkn in irconv for ExprEmpty
• #1175: added stdout report output
• #1178: fixed inheritDoc comment search

NoVerify v0.5.2

👋 Small update with improvements and fixes.

Changed

• #1149: Now we always parse stubs as PHP 8

Improved

• #1158: Improved UX for autofixes

Added

• #1153: Added @path-exclude restriction (by @ngkoshkin)
• #1155: Added test-rules command for testing dynamic rules
• #1161: Added initial support of literal as types in PHPDocs

Fixed

• #1151: Fixed handling of unused variable in arrow functions

KPHP

• #1148: Added normalization of special KPHP types for PHPDoc
• #1150: Added future_queue to KPHP types

NoVerify v0.5.1

👋 This small release improves PHP 8 support, includes improved deprecated checks, and bug fixes.

Checkers changes

• #1140: The deprecated check has been split into two new deprecated and deprecatedUntagged checks. The second check will give warnings about the use of symbols with empty @deprecated and no @see tags with qualification, or using the Deprecated attribute without text. The deprecated check will give warnings for all other deprecated symbols
• #1143: returnAssign, voidResultUsed, and parentNotFound are disabled by default and will be fixed and improved

Improved

• #1144: Improved support for attributes
• #1144: Improved the deprecated check, now if the @removed attribute is present, then its value will be displayed in the warning
• #1144: Internal stubs have been updated to upstream phpstorm-stubs

Added

• #1143: Added support for property promotion
• #1144: Added support for the Deprecated attribute

Fixed

• #1142: Fixed panic for catch without a variable and using the types.Map.Erase method
• #1144: Fixed undefined method warnings for Reflection classes

Installation via Composer, Playground and anonymous classes

👋 This update aims to correct known bugs as well as complete new documentation. Some of the checks have been modified or divided into several to better match what they are checking.

Finally, NoVerify can be installed via Composer, which will allow a much more convenient for new user to try it in action. Interactive Playground (not support Safari yet) has also been added to this update, in it users can immediately see how NoVerify works and what issues it finds.

We will always be happy to see new people in our telegram chat, come in if you have any questions.

Checkers changes

• #1091: phpdoc renamed to missingPhpdoc

• #1092: undefined is split into the following checkers:

  • maybeUndefined
  • undefinedConstant
  • undefinedFunction
  • undefinedMethod
  • undefinedProperty
  • undefinedType
  • undefinedVariable

• #1096: nestedTernary is enabled by default

• #1105: switchDefault, arrayAccess and complexity are disabled by default

• #1120: undefinedType split into two new checks: undefinedClass and undefinedTrait.

  This checkers checks the following places:

  • Type hints
  • PHPDoc @param, @return, and @var
  • Types inside array, shape (array{}), tuple, union, nullable

• #1121: The checks for undefinedVariable and maybeUndefined are now not given warning to variables if they are inside the expression ?? on the left or inside the isset function call:

  echo $undefinedVar ?? 100;   // ok
  if (isset($undefinedVar)) { ... } // ok

• #1130: phpdocLint renamed to invalidDocblock

• #1130: phpdocType renamed to invalidDocblockType

• #1130: phpdocRef renamed to invalidDocblockRef

• #1131: New parentNotFound checker

  class Foo {
    public function f() {
      parent::b(); // Class Foo has no parent.
    }
  }

Fixed

• #1090: Now if there is an invalid char in the top-level modifier group, then it is not parsed
• #1093: Output now only shows time, date and milliseconds removed
• #1094: Now if the file from the vendor folder cannot be parsed, then an error about this is not displayed
• #1102: Fixed quick fixes that not working properly
• #1094: Now if the vendor folder gets analyzed, then errors in it are not taken into account
• #1108: Now in non-strict mode, undefined method and property error will not be given also on null and stdClass
• #1109: Added @disabled attribute for dynamic rules to disable checking by default
• #1119: All variants of unused check set to Warning level
• #1120: Fixed a bug where self could not be used inside a trait
• #1125: Fixed panic on enum

Added

• #1114: Added installation via Composer

• #1099: Added support for anonymous classes

• #1089: Added Playground, web page where you can try NoVerify

• #1058: Improved type inference for complex expressions with instanceof in if-else

  /**
    * @param mixed $a
    */
  function f1($a) {
    if ($a instanceof Foo || $a instanceof Boo) {
       exprtype($a, "\Boo|\Foo");
    }
  }
  
  /**
    * @param Boo|Foo|Zoo $a
    */
  function f1($a) {
     if ($a instanceof Foo && $a instanceof Boo) {
       exprtype($a, "\Boo|\Foo");
     } else {
       exprtype($a, "\Zoo");
     }
  }

  And also added a narrowing of the type, as in the following example:

  /**
    * @param mixed $a
    */
  function f($a) {
     if (!$a instanceof Foo) {
        return;
     }
  
     exprtype($a, "\Foo");
  }

• #1097: NoVerify now understands union types in typehints

• #1103: Added documentation for diff mode

• #1106: Added CONTRIBUTING.md

• #1118: Updated README, added link to chat in telegram

• #1112: Added quick fix for old array syntax in function arguments

• #1120: Special scalar types from Psalm are now handled and turn into the closest common types

• #1120: Added type never

KPHP

• #1120: Types kmixed and future are now normalized to mixed

PHP 8 and new documentation

A lot of time has passed since the v0.2.0 (v0.3.0 was minor) release, so the list of changes is very long.

The goal of this release is to start a new development phase with scheduled releases and respecting backward compatibility.

Big features

• PHP 8 and PHP 8.1
• 40+ new checkers
• New CLI
• New documentation

Checkers

New checkers

• paramClobber
• printf
• offBy1
• argsOrder
• callSimplify
• discardVar
• strictCmp
• dupCatch
• catchOrder
• indexingSyntax
• trailingComma
• emptyStmt
• stripTags
• nestedTernary
• intNeedle
• angDeprecated
• emptyStringCheck
• oldStyleConstructor
• returnAssign
• strangeCast
• classMembersOrder
• badTraitUse
• varShadow
• invalidNew
• countUse
• unaryRepeat
• forLoop
• alwaysNull
• selfAssign
• errorSilence
• switchDefault
• switchSimplify
• switchEmpty
• implicitModifier
• invalidExtendClass
• methodSignatureMismatch
• argsReverse
• constCase
• reverseAssign
• concatenationPrecedence

Improved checkers

• Improved dupBranchBody checker, added handling switch cases
• Improved message for dupCond checkers for switch cases
• Improved strangeCast checker

New checks in existing checkers

• Added check for nullable syntax
• Added precedence rules for ??
• Added check for incorrect case of class names in type hints
• Added a check for casting to the real type and using the is_real function
• Added a check for calling array_key_exists with an object
• Added check for calls to the random_int function
• Added cases to callSimplify and ternarySimplify checkers
• Added finally return check for unreachable checker
• Added a check for array type hint
• Added check for parent typehint in typeHint checker
• Added check for repeated nullable
• Added a check for using void type in the type union or @param annotation
• Added check for class name case in const fetch
• Added a check that the return type is defined for the callable(...) annotation

Linter

Added

• Added type inferring for callback param type of array_map-like funcs
• Added multi-pattern rules support via "any" blocks
• Added handling of assignment operators (+=, -=, *=, .=)
• Added .= <<= >>=` assignments type inference
• Added type inference for magic constants
• Added name case checking for self, static and parent
• Added type inference for the null coalesce operator
• Added support for magic constants in constant folding
• Added arrow functions processing in linter
• Added support for @mixin annotation
• Added support for use [function] namespace\{A, B} syntax
• Added check for deprecated for static methods
• Added the ability to define a checker both in the code and in dynamic rules
• Added detection of suspicious PHPDoc comments
• Added support for @noinspection PhpUnreachableStatementInspection
• Added behavior when vendor folder is added to indexing list by default
• Added display of the number of non-critical errors
• Added check that null is assigned to not nullable property
• Added type inference for callable from PHPDoc
• Added handling of unknown types-with-dashes annotations in PHPDoc
• For iterable<T> now will be assume type array<T>
• Added handling of the case when a static method was called through a variable
• Added support for mixing key and non-key types in array{}
• Added initial support of complex instanceof for if/else and ternary operator
• Added support when no variable is specified for @var
• Added --strict-mixed flag

Changed

• Assume int|string array key types in foreach stmt
• Treat trigger_error($msg, E_USER_ERROR) as exit()
• Renamed nameCase to nameMismatch
• --rules flag can now accept folders, in which case all files from it will be added to the rules
• For embedded dynamic rules, all messages are capitalized
• For messages with variables, added $ before the variable name
• For messages related to an unused variable added mention of the --unused-var-regex flag
• Custom types are now taken into account when getting closures

Fixed

• Fixed --allow-checks filtering of rules
• Fixed bug where assign null coalesce gave discardExpr warning
• Fixed type inference for callback arguments if they have type hint
• Fixed a panic in git mode for binary files
• Fixed incorrect type inference for a tuple containing static, self or $this
• Fixed false positive of parentConstructor
• Fixed processing of variables in try-catch
• Fixed a bug with a tuple containing an array
• Fixed collisions for the late static binding
• Fixed panic when used parent typehint in class without parents
• Fixed suggest of --fix flag when the flag is already provided
• Fixed panic if file cannot be parsed
• Fixed a bug with @see CONSTANT_NAME
• Fixed error when calling the define function with a slash at the beginning
• Fixed bug in array quick fix
• Fixed bug with quick fix, now if the check is not enabled, quickfixes will not be applied for it
• Fixed bug with quick fix for autogenerated files, now for autogen files, quick fixes will not be applied if the flag --check-auto-generated is not provided
• Fixed bug, when typecast to an array does overwrite existing types
• Fixed autofix for langDeprecated.define rule
• Fixed PHPDoc for class with modifiers
• Fixed a bug, if the function starts with a backslash, then the type was incorrectly inferred based on meta information from phpstorm-stubs
• Fixed arrow function handling in custom walkers

Improved

• Improved assignOp tests
• Improved list(...) = $a type inference for arrays
• Improved checking for duplicate cases
• Improved type inference for multidimensional arrays when adding elements to them
• Improved closure and shape handling
• Improved context line in PHPDoc warnings
• Improved message for argCount checker

Removed

• Removed the deprecated way to run NoVerify, now, when run without commands, help will be displayed
• Removed langserver

Documentation

• Added a page with all checks
• Added Getting started document
• Added Configuration document
• Updated Install document
• Updated README
• Added documentation for baseline mode
• Added missing information to dynamic rules documentation

Improves in CLI

• Added the version command to replace the --version flag for the check command
• Added a new field for version, now the version command will also show the NoVerify version number
• Build time will now be shown with delimiters
• Added groups for flags
• Improved checkers command
• Fixed output if the flag is not found

Build from source

• Added build command to Makefile
• Splited the check command into test and lint commands
• Renamed build-release command with release

KPHP

• Interpret any type as mixed
• Added itype inferring for instance_deserialize
• Added type inferring for instance_cast
• Replaced array_first_element with array_first_value
• Added type inferring for array_filter_by_key and instance_cache_fetch
• Added type inferring for not_null, not_false and create_vector

The last release with good ol lang server

The master branch will lack lang server for some time.

When we'll refactor the code to use less global state, it should be easier to write a better language server that is more modular and does not go into the linter internals.

Right now it makes it very hard to change the code.

If you need a language server, this release is for you.
When it will be a time for the next release, maybe we'll get an alternative ready.

Better PHP7 support, more diagnostics, less false positives

The PHP7 support is still incomplete, but we're getting closer to fix that.

NoVerify works well in self-contained codebases that have all dependencies under their source root. It also requires all types to be resolvable and reports most usages of mixed-typed values as errors. We aware that it could be too strict for many users, perhaps there will be a flag that makes NoVerify more tolerant of untyped code in the future.

Feedback is appreciated.

How to get started

1. Download a binary for your platform.
2. Run NoVerify over your PHP project with noverify ./src/.

Try to avoid running NoVerify over a code that can include definition duplicates. It complicates running analysis over tests, but we're working on making this limitation go away.

More usage info: docs/linter-usage.md.

To list supported diagnostics run noverify --help. Example output:

Diagnostics (checks):
  accessLevel
    	Report erroneous member access.
  argCount
    	Report mismatching args count inside call expressions.
  arrayAccess
    	Report array access to non-array objects.
(+ more lines)

Recent changes

New checkers:

• regexpSimplify tells how to simplify patterns
• regexpVet finds suspicious pattern parts
• regexpSyntax reports syntax errors in patterns
• newAbstract forbids using abstract classes in new expressions
• nameCase requires the same spelling of classes and functions at definitions and usages
• unimplemented reports unimplemented interface/abstract methods
• misspell finds common misspellings in comments and some identifiers
• discardExpr reports "evaluated but not used" expressions
• voidResultUsed reports usage of void-typed expressions

Improvements:

• For simple use cases there is no need to set -cache now
• Linter now understand traits better
• isset/instanceof inside ternary expression condition is now respected (#288)
• Linter now collects info from @method and @property annotations
• Nullable types ?T are now supported
• function_exists() and method_exists() permit calling tested symbol inside if body
• Several improvements to a types inference
• UNUSED severity level is not used in non-LSP mode (#397)
• Case-insensitive symbols handling is improved

Performance:

• Directory traversal speed is increased significantly (#333)
• Lexing became 5-10% faster due to golex -> Ragel switch (#381)

Bug fixes:

• PHP7 style nowdoc/heredoc are now parsed correctly (#327)

Documentation:

• Added Finding the false-positive document

First stable release

Tested on a big PHP corpus, this NoVerify version can run on most code bases without major problems.

Support for modern PHP7 features is still incomplete and there can be issues with false positives for that code.

By the defailt, linter is very strict when it comes down to types, so it might be required to add more type hints/annotations to make it run properly.

In case if you have a lot of warnings in your code, consider switching to diff mode, where warnings are produces only for a new code (lines that were changed or added). It works only for git-versioned code though.

If you have any issues with this release, please file an issue and let us know!