Test your PHP code and Find bugs with Static Analysis Tool for PHP - PHPStan


What’s static code analysis?

Static code analyzers simply read code and try to find errors. They are able to perform both very simple and straightforward tests (for example, for the existence of classes, methods, and functions), as well as ‘smarter’ tests (such as finding non-matching types, race conditions, or vulnerabilities in the code). The key is that analyzers do not run the code; rather, they analyze the program text and test it for typical (or not-so-typical) errors.

What is PHPStan?

PHPStan focuses on finding errors in your code without actually running it. It catches whole classes of bugs even before you write tests for the code. It moves PHP closer to compiled languages in the sense that the correctness of each line of the code can be checked before you run the actual line.

How to use it?

After you install it via Composer, you can run it with $ ./vendor/bin/phpstan analyse src index.php. You will then get a report on the analysed paths, in this example the src directory and the index.php file.


How to install it?

You can install it in your project with Composer. Just run this command from your project root.

$ composer require --dev phpstan/phpstan

After installing, you can use it by running

$ ./vendor/bin/phpstan analyse src

This command will analyse every PHP file in the src directory (as an example). If there are any issues in your code, it will show them in the output.

Note

When you run the command above, PHPStan does not execute your PHP scripts. It only reads them as files and analyses their contents.


Levels

There are various levels of analysis, from level 0 to level 8. Here is a list of all levels and their descriptions.

Level 0 - basic checks, unknown classes, unknown functions, unknown methods called on $this, wrong number of arguments passed to those methods and functions, always undefined variables.

Level 1 - possibly undefined variables, unknown magic methods, and properties on classes with __call and __get.

Level 2 - unknown methods checked on all expressions (not just $this), validating PHPDocs.

Level 3 - return types, types assigned to properties.

Level 4 - basic dead code checking - always false instanceof and other type checks, dead else branches, unreachable code after return; etc.

Level 5 - checking types of arguments passed to methods and functions.

Level 6 - report missing typehints.

Level 7 - report partially wrong union types - if you call a method that only exists on some types in a union type, level 7 starts to report that; other possibly incorrect situations.

Level 8 - report calling methods and accessing properties on nullable types.

How to use levels?

It's very easy. Let's say you want to run the analysis at level 4.
Just add --level 4 or -l 4 to the command and go.

Example:

$ ./vendor/bin/phpstan analyse src -l 4
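To make the levels concrete, here is an added example that is not from the article: a constructed PHP file in which greet() is reported already at level 0 and nameOf() only from level 8, while nameOfSafe() passes at every level. The file name levels.php and the class names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed example, not from the article: each function has one defect that
// PHPStan starts to report at the level named in its comment (PHP 8.0+).
// Run:  ./vendor/bin/phpstan analyse levels.php -l 8

final class User
{
    public function __construct(public string $name) {}
}

final class Repository
{
    /** @var array<int, User> */
    private array $users = [];

    public function add(int $id, User $user): void
    {
        $this->users[$id] = $user;
    }

    /** Returns null when the id is unknown. */
    public function find(int $id): ?User
    {
        return $this->users[$id] ?? null;
    }
}

// Level 0: a call to a function that does not exist.
function greet(string $name): string
{
    return strtoupperr($name); // typo for strtoupper()
}

// Level 8: property access on a nullable type without a null check.
function nameOf(Repository $repo, int $id): string
{
    return $repo->find($id)->name; // find() may return null
}

// Same lookup with the null case handled; PHPStan reports nothing here.
function nameOfSafe(Repository $repo, int $id): string
{
    return $repo->find($id)?->name ?? 'unknown';
}
```

Running the command at -l 0 reports only the unknown function; raising it to -l 8 adds the nullable access in nameOf(), which is exactly the kind of latent null-dereference that reaches production when a lookup silently fails.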


Output format

There are various kinds of output formats in PHPStan. By default, output formatting is set to table.

Here's a list of output formats available:

table - Default. Grouped errors by file, colorized. For human consumption.

raw - Contains one error per line, with path to file, line number, and error description.

checkstyle - Creates a checkstyle.xml compatible output. Note that you’d have to redirect output into a file in order to capture the results for later processing.

json - Creates minified .json output without whitespaces. Note that you’d have to redirect output into a file in order to capture the results for later processing.

prettyJson - Creates human readable .json output with whitespaces and indentations. Note that you’d have to redirect output into a file in order to capture the results for later processing.

junit - Creates JUnit compatible output. Note that you’d have to redirect output into a file in order to capture the results for later processing.

github - Creates GitHub Actions compatible output.

gitlab - Creates the format used by the Code Quality widget on a GitLab Merge Request.

teamcity - Creates TeamCity compatible output.

How to use an output format?

Just add --error-format= followed by the format value to your command. Example:

$ ./vendor/bin/phpstan analyse src --error-format=json

Conclusion

PHPStan is a great tool for finding bugs in your codebase. It focuses on finding errors in your code without actually running it. PHPStan delivers better performance than Psalm and Phan.

I hope this article has helped you to get insights on PHPStan. Follow me and stay tuned for future updates. Have a great day!