Taint analysis

• $_REQUEST is now treated as a source, and taints now flow through trim and similar funcs
• @psalm-taint-specialize now works in static methods

Also @TysonAndre added a --debug-emitted-issues command line flag to help debug the route of a Psalm issue.

Bugfixes

• preg_replace_callback now supports arrays properly even when the closure is not well-documented (#3639)

Improved --diff behaviour

@bendavies pointed out an issue (#3367) in Psalm's behaviour when running --diff, where the caching would only take effect the third time you ran Psalm, not the second. This is now fixed.

Pathological-case switch statement speedups

switch statements with 100 case statements in a row like

switch ($i) {
  case 0:
  case 1:
  ...
  case 99:
    return;
}

Used to have polynomial complexity, but now they're evaluated in linear time.

sealAllMethods config

by default, if Psalm sees

/**
 * @method getString():string
 */
class Foo {
  public function __call(string $name, array $args) {}
}

(new Foo)->bar(); // UndefinedMagicMethod

it emits a UndefinedMagicMethod for the call to Foo::bar().

But if no @method annotation is given, nor a @psalm-seal-methods annotation, then the call is allowed:

class Foo {
  public function __call(string $name, array $args) {}
}

(new Foo)->bar(); // no issue

@olleharstedt added a new config option, sealAllMethods, that tells Psalm that this is always bad.

@mixin bugfixes

• @mr-feek fixed a bug in a @mixin annotation used with a final class (#3470)
• fix a crash when encountering a weird @mixin annotation (#3537)
• allow magic method call on @mixin (#3534)
• added back support for static @mixin calls (#3552)

Bugfixes

• @still-dreaming-1 added better type inference for __TRAIT__ and __FILE__ (#3464)

• allow wildcard references to builtin class constants (#3484)

• @orklah added a better return type for DateInterval::$days (#3493)

• @orklah added checks for duplicate @return/@param annotations (#3487)

• @0x450x6c added wildcard support for class constants inside generics (#3489)

• @orklah prevented division by explicit zero in bcdiv (#3494)

• @staabm fixed the type of mysqli_warning::$sqlstate (#3497)

• prevent crash on malformed @throws annotation (#3506)

• prevent incorrect mixed type with Amp when a @psalm-yield annotation is provided (#3418)

• @LeSuisse fixed signatures of stream_filter_append/prepend (#3514)

• prevent crash when a callable string is empty (#3519)

• fix a regression with the memoizeMethodCallResults option (#3522)

• expand @psalm-type aliases recursively (#3532)

• Language Server: @joehoyle added support for globally-defined functions (#3477)

• @andrei-petre fixed some config location resolution issues when setting baselines (#3521)

• @gharlan added PharData::offsetGet/offsetExists to callmap (#3557)

• @enumag improved ext-ds stubs (#3559)

• fix a crash when reconciling strings to template params (#3510)

• @tvdijen improved the return type for preg_grep (#3565)

• support complicated case expressions after switch (true) (#3563)

• make callable():void is valid for callable():?bool (#3571)

• always analyse cast expressions even when used in unknown context (#3577)

• @weirdan marked session_decode as impure (#3572)

• @andrei-petre added a check to prevent users extending final classes (#3037)

• @ostrolucky marked fgetcsv impure (#3582)

• prevent impure use of count (#3551)

• @Daeroni fixed the property type of tidyNode::$child (#3599)

• @jaikdean fixed some Redis:: signatures (#3597)

Features

Import @psalm-type annotations into classes

Added support for importing @psalm-type annotations from one class to another based on a suggestion from @malukenho (in #2924)

Given a class Phone that defines a @psalm-type annotation on a class:

<?php
/**
 * @psalm-type PhoneType = array{phone: string}
 */
class Phone {
    /**
     * @psalm-return PhoneType
     */
    public function toArray(): array {
        return ["phone" => "Nokia"];
    }
}

You can reference that type with the @psalm-import-type annotation:

/**
 * @psalm-import-type PhoneType from Phone
 */
class User {
    /**
     * @psalm-return PhoneType
     */
    function toArray(): array {
        return array_merge([], (new Phone)->toArray());
    }
}   

Other features

• Psalm now detects a number of unused magic methods (e.g. __get, __set) (#3236)
• Psalm now continues its analysis after encountering undefined variables (#3366)
• @dereuromark added a pretty-print option for JSON output
• Language Server: @joehoyle added variable assignment hover information (#3401)

Bugfixes

• Prevent crashes in method type parsing (#3340), when @mixin type can't be found (#3452), when throwing an exception without a known alias (#3465), and when yielded type tokenisation fails (#3430)
• Prevent notice due to empty function id (#3354)
• The Phar now doesn’t prefix any Psalm classes (#3152, #2904, #2652)
• @nobuf added support for inferring that an object can be cast after is_callable([$var, '__isString']) (#3372)
• Psalter: @orklah added a fix that avoids updating docblocks when no changes are made (#3374)
• @ragboyjr fixed return type inference (based on docblock return type) for arrow functions (#3376)
• Eliminate null after > 0 check (#3388)
• @SignpostMarv added numeric-string inference when casting a numeric type to a string (#3390)
• @EvgeniiR helped improve analysis of possibly-correct clone expressions (#3382)
• @orklah improved inference for array_sum (#3395)
• Language Server: @joehoyle fixed bugs around getting symbol information for array shapes (#3400)
• Remove possibly-undefined array keys when merging (#3393)
• Allow conditional return types with func_num_args() in namespaces (#3423)
• Don’t add null to return type as part of reflection when using docblock templates (#3419)
• Allow falsy reconciliation for templated params (#3426)
• Always treat $this as static-y (#3417)
• Flesh out static references in Closure():static return types (#3415)
• Prevent a function param typed with a "0"|"1" from accepting a numeric-string type (#3440)
• Allow isset checks on undefined static properties (#3460)
• Allow conditional return type inference with func_get_args() on instance methods (#3453)
• @still-dreaming-1 improved plugin handling for AfterAnalysisInterface (#3461)
• Improve handling of templated @mixin annotation (#3458)
• Improve handling of array_key_exists checks (#3463)

Use of unset inside a loop on variables initialised before the loop was entered resulted in a crash after a change in 3.11.3

Fixes #3133

A newly-introduced check caused a false-positive with perfectly valid code, so this is a small release to bump (#3007)

• improve handling of templated methods inherited from grandparent interface (#2928)
• @dq5studios fixed JUnit output validation issues
• @smelesh fixed an issue where where chained exception throwing wasn't handled correctly
• added support for bitwise class constant references (#2943)
• improved return type of array_splice to support lists better (#2942)
• allow class-string<self> to be fleshed out when comparing types (#2941)
• DateTimeZone is now treated as immutable (#2930)
• Improve handling of complex templated properties (#2935)
• Don’t crash when attempting to unpack a callable object-like array (#2932)
• Fix array offset assignment when using ??= (#2940)
• @leightonthomas fixed an issue where @return true actually returning false wasn't reported (#2914)
• Allow conditionally-defined traits where more than one is defined in a given file (#2951)

Change in behaviour

• accessing a not-previously-specified key of an object-like array is now a bug (#2787)
• any args passed to an unknown method must now be defined beforehand (#2909)

Other bugfixes

• @Daeroni improved some builtin GD functions (#2851)
• @JaredCDN prevented a TypeError when generating xml reports (#2856)
• Psalter: fix MissingParamType replacement when for parameters passed by-reference (#2857)
• Prevent DuplicateArrayKey warning when unpacking multiple arrays without known key types (#2852)
• Allow comparison between different templated object-like arrays (#2849)
• Allow casting templated types (#2848)
• Allow class constants to contain array offset references for other class constants (#2844)
• Forbid passing in mutatable class to a mutation-free context (#2805)
• Allow "5.0" where numeric is expected (#2827)
• Only warn about deprecated classes where they're used explicitly (#2721)
• Warn when an immutable class depends on a mutable parent (#2242)
• Detect error when asserting on result of function call (#1684)
• Break apart a scalar type into constituent parts where necessary (#1311)
• Treat echo as impure (#2867)
• Prevent use of impure __toString (#2866)
• Prevent keyed arrays from being interpreted as callable (#2871)
• @ArSn fixed setting memory_limit artificially low when running Psalter (#2873)
• Allow @method as(string $s) (#2881)
• Handle templated intersections more equally (#2875)
• @pilif added a config skipChecksOnUnresolvableIncludes that you can disable to make Psalm more strict when it encounters includes for unknown files (#2817)
• @jdreesen improved the return type of range(...)
• Keep track of which argument a given template param was inferred from, to avoid overwriting the inference (#2900)
• Don't care about method case in the PhpStorm meta scanner (#2890)
• Rename stubs to prevent issues in PHPStorm (#2879)
• Trim carriage returns where necessary (#2859)
• Prevent ternaries from being considered a valid reference (#2910)
• @leightonthomas supported trailing commas in type aliases (#1799)
• Prevent contradiction with templated object equality (#2918)
• Don't emit MissingPropertyType where the property is defined in a third-party lib (#2388)

Version 3.9.0 essentially changed the default reporting level for a host of Mixed issues.

In retrospect this was not the best idea – people saw a (non-error-related) number go up (because of all the newly-reported mixed issues), and people don't like numbers going up.

So this reverts that behaviour – any project that had totallyTyped="false" before will show the same errors & info as it did in 3.8.

This also introduces new flag reportMixedIssues (documented here) that allows more fine-grained control than totallyTyped offers.

Turns out Travis has not been building phars since February 1. Now it does, again.

Features

• allow generation of stubs from the analysed files with a --generate-stubs=output.php command (#827)

Bugfixes

• Improve array function types (#2566)
• Improve remapping of template params (#2567. #2569)
• Prevent recursion infinite recursion when analysing @mixin in trait (#2565)
• Remove previous assertions after incrementing variable (#2574, #2591)
• Don't convert scalar terms in @method annotations like boolean (#2583)
• Allow null argument in DateTime when a second argument is passed (#2590)
• Don't crash when @param-out annotation is malformed (#2593)
• Allow list to be cast to array (#2577)
• Remove literal key values for known array shape when array_filter has a single arg (#2576)
• Improve isset checks on null values (#2594)
• Allow multiple inferred closure types (#2611)
• Prevent unnecessary crashes in language server mode
• Emit error on isset($someDefinedString) (#2614)
• numerous bugs around list and non-empty-array annotations

Features

Support for the @mixin docblock annotation, which allows a class to proxy the methods and properties of another.

I also made a slight change in how magic getters & setters are dealt with – Psalm will emit an UndefinedMagicProperty if you define a docblock @property string $foo and then request the unlisted property $bar. If you wanted this behaviour previously you had to also annotate your class with @psalm-seal-properties. This is now assumed if you provide a @mixin or @property annotation for the given class. In the event the property is missing, Psalm now emits an UndefinedMagicProperty issue that you can suppress in a more granular fashion.

Bugfixes

• Fix references to templates in other methods inside templated methods (#2532)
• Add better return types for PDOStatement::fetch - thanks @duskwuff (#2529 and #2553)
• Don't crash when attempting to analyse classes that weren't first scanned (#2505)
• Fix return types when return instances of anonymous classes (#2494)
• Allow unions inside array assertions (#2409)
• Preserve complex intersection templates (#2537)
• Prevent invalid argument issue when inheriting from a class_alias class (#2539)
• Verify variable variable assignment (#2541)
• Documentation updates from @mfn and @LeSuisse - thanks!
• Warn about posix inexistence before using threads (#2335)
• Register uses on variables set inside loops with break and continue (#2546)
• Refine type of (int) (bool) $foo – thanks @SignpostMarv (#2550)
• Improve reconciliation after assertion and function call in conditional (#2558)
• Fix templated class-string as a proper sub-type of class-string (#2554)
• Reconcile callable assertions better

Bugfixes

• resolve static inside trait appropriately (#2521)
• improve handling of generic type resolution from one templated function into another templated function (#2508)
• check for array assignment inside assignment operations (#2526)
• improve array_push handling around known array shapes

Improved type inference

I had a look at Psalm's type inference as part of addressing #2426.

Type inference in non-statically-typed languages is a bit of a beast, and a lot of Psalm‘s development time is devoted to ensuring that Psalm’s type inference is as good as it can possibly be.

This release should hopefully improve the accuracy a notch, with fewer false positives – and fewer false negatives too.

Other improvements

• @erunion improved the --help page (#2417)
• @TysonAndre added a full stack trace when Psalm runs into an error (#2418)
• Psalm now bails out of very long conditionals (#1943)
• Psalm now supports outputting reports in JUnit format, with help from @m50 (#2485)
• Psalm supports @phpstan-var, @phpstan-param etc. annotations (#2488)
• Psalm now supports a class-string-map<T as Foo, T> type which can be used for an array where the keys are class strings and the values are instances of those keys (#1969)

Bugfixes

• allow use of covariant params in templated array return value (#2411)
• fix an issue with class constant resolution (#2413)
• ignore passed-by-reference variables when removing unused code (#2423)
• improve handling of get_class() calls outside assertions (#2438)
• improve callmap for stream_bucket_new and ssh2* functions – thanks @pilif and @Daeroni ! (#2434, #2447)
• fix templating of property types inside those functions where the templates are applicable (#2436)
• properly template the result of calling someMethod on a string of type class-string<T> when someMethod returns static (#2439)
• make sure uasort is templated properly (#2440)
• narrow template types after is_* checks (#2432)
• fix templated static<T> values on already-templated classes (#2445)
• don’t suggest templated values when adding phpdoc types (#2443, #2437)
• find circular references in class constants (#2453)
• allow extending templated classes with nested parameterised types (#2454)
• ignore UnusedFunctionCall issues if the function has custom assertions (#2456)
• allow @psalm-type types to be used above return (#2457)
• memoize immutable calls (#2457)
• null coalesce shouldn't hide undefined var issues (#2464)
• allow inferred templated null in param default (#2431)
• fix inheritance of templated params without rewritten __construct (#2470)
• array_map now remembers array emptiness when passed callable strings (#2472)
• allow array_map to work with callables that return static (#2473)
• allow covariance for iterable (#2475)
• still analyse arguments even when function doesn’t exist (#2479)
• add better inference for array_map(null, $array1, $array2) (#2468)
• allow isset tests on known list offsets (#2408)
• add support for spaces in @psalm-assert-if-true types (#2484)
• add better behaviour when multiple interfaces define a method signature (#2483)
• trait issues are now reported where it makes most sense for the given project (#2491)
• allow overridding renamed trait methods in subclasses (#2490)
• don’t crash when a plugin-provided function doesn’t exist (#2493)
• use correct flag when checking for unused variables (#2506)
• add better return types for array_fill_keys - thanks @vudaltsov! (#2512)
• preserve params when subtracting Traversable from iterable (#2509)
• improve hexdec returned value (#2352)
• remove erroneous messages from Phar installation - thanks @bdsl! (#2514)

This brief release adds a long-requested feature: #701

Psalm will now tell you which issues it can fix automatically.

It also improves the param type additions to add into typehints wherever possible.

This also adds --shepherd support officially.

Features

• Add support for GitHub Actions CI for afterAnalysis hook
• improve templating of core generic classes - thanks @weirdan (#2389 and #2402)

Bugfixes

• allow isset to verify property initialisation (#2382)
• added better typing for array_key_first and array_key_last - thanks @vudaltsov (#2381)
• unalias trait names where necessary - thanks @weirdan (#2392)
• fix RarArchive signatures - thanks @alfredbez (#2385)
• make Generator TSend param invariant (#2386)
• fix some 7.4 signatures - thanks @ShiraNai7 (#2395)
• ensure docblock return types are checked and that covariant template params can’t be substituted for invariant ones (#2387)
• improve handling unions of class-string types (#2400)
• fix resolution of @param-out template types (#2384)
• don’t expect composer-designated class files to contain actual classes (#2368)

Features

PHP 7.4 is now fully supported — property types, arrow functions, return type covariance/param type contravariance, null coalescing assignment, and the array spread operator.

Bugfixes

• Add --find-unused-variables option on the command line, to match documentation (#2354)
• Psalter: Don’t remove actually-used variables with the UnusedVariable fixer (#2355)
• Always analyse new XXX declarations, even when method is not known (#2358)
• Always scan classes referenced in shape properties - thanks @weirdan (#2331)
• Catch possible class-not-found errors when fetching method (#2363)
• Add support for single literal in docblocks (#2362)
• Allow installation alongside symfony/console v5 - thanks @LeSuisse (#2366)
• Fix signature of imagepng - thanks @k2rn (#2373)
• Improve output of @list(...) (#2374)
• Allow a more generic iterable when yielding (#2353)
• Allow using a covariant template param in a mutation-free context (#2361)
• Refine list types with object-like array assertions (#2357)
• Fix typo in InfiniteIterator type definition - thanks @lstrojny (#2378)
• Improve return type inference for array_column, array_pad, array_chunk, array_map - thanks @ShiraNai7 (#2377)
• Prevent string docblock param type from matching for a callable signature param type (#2380)

• fix substitution of @return static<Foo, Bar> (#2326)
• ignore unused vars preceded by $_ (#2325)
• don’t crash on if ($foo[$bar[0]->baz]) (#2328)
• detect unused variable when used as offset to nested mixed array (#2336)
• fix handling of covariant template params (#2346)
• don’t stub functions unnecessarily (#2340)
• allow empty checks against numeric (#2330)
• don't create array offsets after empty check (#2333)
• allow InvalidReturnType to suppress no-return issues (#2349)
• make sure all functions and methods declare a mixed return type (#2348)

Bugfixes

• Psalm now treats try {...} catch (...) {...} blocks more accurately (#2204, #2197, #2177)
• Treat class with __invoke as a callable for the purposes of templated return types (#2177)
• Ensure templated spread param is properly bound (#2273)
• Improve templating where there's a class between templated trait and templated interface (#2312)
• Allow templated param capture from Traversable to iterable (#2315)
• Infer key type after array_key_exists check on constant array (#1830)
• detect invalid use of parent - thanks @weirdan (#2320)
• Prevent template coercion (#2321)
• Improve handling of elseif when asserting property values (#2322)
• Prevent fatal error when using self string in a callable that's involved in a templating calculation (#2324)

Features

• Psalm now prevents destructuring of non-arrays (#2220)

Bugfixes

• Prevent fatal error when templated var has static return (#2192)
• Load functions declared in a trait when a class using that trait is used (#2228)
• Refine closure type even when a param type was declared, as long as they're compatible (#2215)
• treat continuous assertions on interfaces as redundant (#2234, #2237)
• Prevent fatal error when yielding from class with too many template params
• Do better inference when yielding from lists (#2251)
• Unused code detection fix false positive when incrementing var inside do-while condition (#2244)
• Add better list type compatibility for array_merge and array_slice (#2235, #2246)

• variadic args are now lists (#2221)
• check for @throws docblock interface inheritance (#2222)
• ensure lists are handled in more places (#2223)
• improve handling of literal templated strings (#2224)
• iterator_to_array can return a list (#2225)

Features

List types

This release introduces a new list type that represents continuous, integer-indexed arrays like ["red", "yellow", "blue"] .

These arrays have the property $arr === array_values($arr), and represent a large percentage of all array usage in PHP applications.

A list type is of the form list<SomeType>, where SomeType is any permitted union type supported by Psalm.

• list is a subtype of array<int, mixed>
• list<Foo> is a subtype of array<int, Foo>.

List types show their value in a few ways:

/**
 * @param array<int, string> $arr
 */
function takesArray(array $arr) : void {
  if ($arr) {
     // this index may not be set
    echo $arr[0];
  }
}

/**
 * @psalm-param list<string> $arr
 */
function takesList(array $arr) : void {
  if ($arr) {
    // list indexes always start from zero,
    // so a non-empty list will have an element here
    echo $arr[0];
  }
}

takesArray(["hello"]); // this is fine
takesArray([1 => "hello"]); // would trigger bug, without warning

takesList(["hello"]); // this is fine
takesList([1 => "hello"]); // triggers warning in Psalm

Bugfixes

Improved array refinement

Fixes #2156 - given a function that takes some user input (e.g. from $_GET) Psalm can now fully typecheck the result

/**
 * @param array<string, scalar> $arr
 * @return array{id: int, name: string}
 */
function refine(array $arr) {
  if (isset($arr['id'])
    && is_int($arr['id'])
    && isset($arr['name'])
    && is_string($arr['name'])
  ) {
    return $arr;
  }
  
  throw new \Exception('Bad format');
}

Previously Psalm would infer the returned array above as array<scalar>. Now it's inferred as a special type (that you cannot currently use in annotations) as array{id: int, name: string}<scalar> - that is, an array where an arbitrary element is typed as scalar, but where the specific offsets id and name have corresponding types.

You can play with the code here: https://psalm.dev/r/444930649e - change any of the strings to see what errors appear.

Other bugfixes

• more impure functions added - thanks @bugreportuser! (#2179, #2203))
• prevent class template types being wiped by creation of anonymous class (#2181)
• improve type handling of __invoke methods (#2184)
• fix handling of do...while(true) with a break inside the do (#2183)
• allow modification of cloned objects inside an immutable class (#2182)
• fix class aliasing bug (#2186)
• fixed argument order of rar_entry_get - thanks @villfa (#2189)
• fixed arguments for mysqli_real_connect - thanks @jaydiablo (#2210)
• fix bugs in templated property type support (#2208)
• Unused code elimination allow UnusedPsalmSuppress to operate on exception issues - thanks @bugreportuser! (#2211)
• allow array_diff etc to have more than five params - thanks @Guuzen (#2201)
• fix handling of callables that return self, static (#2217)

Features

• Psalter you can now automatically remove unnecessary @var annotations with
  vendor/bin/psalter --issues=UnnecessaryVarAnnotation (#2173)

Bugfixes

• Allow @method annotations to override presumed-immutable methods (#2170)
• Always use most immediate function storage when analysing preloaded functions (#2169)
• Only complain about missing array offset if it's properly missing (#2172)
• Support empty arrays in late-resolved constants (#2175)

Features

Allow errors when string offsets may not exist

Given the code

/**
 * @param array<string, Exception> $arr
 */
function shouldTakeArrayOfExceptions(array $arr) : void {
  echo $arr['foo']->getMessage();
}

shouldTakeArrayOfExceptions(
  ["bar" => new Exception('hello')]
);

Psalm by default doesn't see the error, but now with the config flag ensureArrayStringOffsetsExist="true" Psalm will complain when calling $arr['foo']->getMessage();.

It's not on by default because too much existing code would be broken.

Detecting unnecessary @var annotations

Thanks to an idea from @iluuu1994, Psalm now catches unnecessary @var annotations when unused code detection is turned on (with --find-unused-variables or --find-unused-code).

function getString() : string {
  return "hello";
}

/** @var string */
$a = getString(); // now UnnecessaryVarAnnotation is emitted

echo $a;

Bugfixes

• Allow immutable manipulation inside unserialize methods (#2116)
• Fix some signatures - thanks @villfa and @LeSuisse (#2119, #2122)
• Don’t coerce callmap args to types unless declare(strict_types=1); is used (#2125)
• Allow Xdebug stubs to be used - thanks @SignpostMarv (#2118)
• Do better at inferring class const types (#1551, #2139)
• Fix unused @psalm-suppress discovery in threaded mode (#2127)
• Make byref params passed to closures mixed after the fact (#2145)
• Prevent crash when analysing count call with no args (#2146)
• Coerce false/null to 0 when used as array offset (#2155, #2165)
• Improve handling of elseif reconciliation on object properties (#2159)
• Make builtin constructers mutation-free (#2114)
• Allow @psalm-assert string[] $foo and @psalm-assert array<int, string> $foo syntaxes (#2121, #2148)
• Complain when inheriting from immutable classes/interfaces without also the same annotations (#2138)
• Don’t allow union closure parameter types when combining (#2157)
• Loose equality should not imply type equivalence (#2158)
• Allow docblock inheritance from grandparents (#2166)

• Static methods inside classes marked @psalm-immutable are treated as impure (#2109)
• treat assert() as pure (#2113)
• allow immutable objects to be cloned (#2111)
• allow functions that use callables to be counted as pure (#2112)
• don’t worry if the baseline file cannot be found when updating (#2108)

Features

• Psalm now warns about properties without types that haven't been initialised prior to use in a constructor
• A @readonly annotation is now supported for properties. Psalm will complain when trying to manipulate a property with that annotation from outside the class.
• Psalm now warns if @throws classes are invalid (#2015, #2019)
• Psalm now complains about unused function calls e.g. ; strpos("foo", "o");
• Add support for @psalm-scope-this annotation when analysing view files (#2032)
• Psalm can now detect unused @psalm-suppress annotations with the --find-unused-psalm-suppress flag (#1444)
• Unnecessary use of the null coalesce operator ?? now causes Psalm emit an issue (#2035)

Potential issues

• in anticipation of PHP 7.4's deprecation, Psalm now prevents swapping the arguments of implode
• given $some_array['foo'] of an unknown type, after an isset($some_array['foo']['bar']) check $some_array['foo'] will be typed to array|ArrayAccess. In code that's fully typed this shouldn't be an issue (because $some_array['foo'] will always have a known type) but some code may be newly problematic e.g.

function foo(array $a) : void {
  if (isset($a["b"]["c])) {
 array_pop($a["b"]); // previously MixedArgument, now PossiblyInvalidArgument
 }
}

Bugfixes

• analyse static property variable names (#1996)
• make @psalm-assert-if-true work for properties on $this (#1994)
• fix reconciliation of arrays and traversables (#1997)
• reduce false-positives when parsing of callable strings (#2006)
• properties with defaults should work with the static type annotation (#2010)
• improve unused variable detection in always-entered loops (#2007)
• allow count on an array previously checked to be callable (#2012)
• prevent UnusedVariable complaint when a method using it as a param is not defined (#2023)
• prevent fatal error on class_aliased reference (#2018)
• improve handling of preg_match, thanks @ShiraNai7! (#2022)
• allow static::SOME_CONST to have a non-mixed type in a final class (#2020)
• fix improperly-retained !callable check when modifying (#2027)
• add better understanding of method_exists checks (#2026)
• allow mixed assignment when explicitly annotated - thanks @lhchavez! (#1374)
• prevent defined(...) check from affecting class constant fetching (#2031)

Features

• Psalter: Undefined Variables can now be removed automatically (#1967) - thanks @jeffreyyoo!
• Psalm now warns about missing interface return types (#1846) and bad default types for static properties (#1974)

Bugfixes

• Improve DOM property types (#1951), thanks @ShiraNai7!
• Allow comparisons to templated param classes (#1970)
• Language Server: fix erroneous property not initialised issues (#1973)
• Fix handling of setcookie (#1972)
• Prevent fatal error with empty @template-extends docblock (#1963)
• No false positives about unused variables after continue (#1980)
• Prevent PHP Notice with malformed docblock type (#1563)
• ComplicatedExpressionException should no longer cause a fatal error on elseif (#1985)
• Support fully-qualified param types in @method annotations (#1989)
• Psalter: Allow full replacements to take precedence over minor alterations, avoiding corrupted output (#1991)
• Fix setlocale param types (#1988), thanks @BackEndTea!

Bugfixes

• Improve refinement of templated types (#1886, #1927, #1931, #1932)
• prevent a LogicException when scanning files nested class_exists checks (#1925)
• invalidate cached grandchild of stubbed class (#1935)
• fix evaluation of a/b/c/d/../../../../ (#1940)
• @inheritdoc leads to @throws being inherited - thanks @smelesh (#1945)
• allow assertions on templated values (#1937)
• support use of a third arg in explode that can lead to empty output (#1953)
• Language Server add support for completing built-in class names (#1863)
• Language Server allow signature help to kick in for root functions without proper scope
• Allow templated assertions on already-templated values (#1956)
• Improve detection of unused private properties - thanks @2e3s (#1962)
• Improve file path resolution on Windows

Fixes an issue with negated iterable/array assertions introduced in 3.4.8 (#1922)

Bugfixes

Fixes an issue (#1859) introduced in 3.4.3 where conditional definitions of functions e.g.

if (!function_exists("some_function")) {
  function some_function() {...}
}

would result in a crash some_function does exist in the runtime, and it's internal.

Also fixes a similar issue (#1860) where Psalm could crash while analysing blocks surrounded by a if (class_exists(Foo::class)) if Psalm thinks Foo always exists.

Features

• makes Psalm 20% faster by reducing object cloning
• added a SonarQube report type - thanks @lewinski! (#1808)
• trailing commas are now supported in object-like array docblocks (#1802)
• add documentation for the assertion syntax (#1810)
• Language server: improve autocompletion of methods and properties - thanks @iluuu1994 (#1831, #1834)
• Language server: improve legibility of on-hover definitions - thanks @iluuu1994 (#1833)
• Language server: add jump-to-definition of docblock types (#1832)
• Language server: jump between parentheses having autocompleted method name - thanks @iluuu1994 (#1839)
• warn when running Psalm with pcre.jit=1 on Macs with PHP 7.3

Bugfixes

• improve treatment of if (class_exists(Foo::class)) {...} when the class doesn’t exist in Psalm's world (#1801)
• complain about DeprecatedClass when using a deprecated class's constants (#1803, #1814)
• psalm-refactor: ensure directory exists before moving file (#1802)
• fix expected argument count message when too-few params are provided (#1811)
• object&Foo is converted to Foo when resolving templates (#1813)
• the effect of array_filter($arr, 'is_numeric') (and related is_... functions) is now interpreted correctly (#1816)
• allow comparison to static with instanceof static (#1458)
• handle intersection when expanding template (#1818)
• improve behaviour of callable reconciliation (#1825)
• don’t allow object-like array to be unioned with mixed (#1826)
• resolve docblock self references in the scanning phase (unless inside traits) (#1827)
• Language Server always show references to method, even if arguments are incomplete (#1835)
• prevent invalid templated returns - thanks (#1842, #1845)
• allow static class strings to be compared (#1848)
• improve messaging about invalid types with hyphens in (#1852)
• allow MethodParamsProvider to accept an empty array - thanks @Daeroni (#1854)

Features

• psalm-language-server: --enable-autocompletion is now enabled by default, after a ton of great work by @joshdifabio
• psalm-refactor: allow multiple class renames at once
• psalm-refactor: allow multiple method renames when the methods reference one another
• there's now a non-zero exit code when a config file is not found (#1779)
• PHP 7.4: nullable typed properties e.g. public ?int $foo are now also checked for initialisation (#1787)
• DeprecatedFunction is now emitted when using a deprecated function (#1793)
• slightly improved readability for object-like array output in error messages, thanks @Kocal (#1708)

Bugfixes

• interface @template-extends wasn't being inherited properly (#1766)
• get rid of notice with a by-ref array assignment with an unmet var-id (#1770)
• T<true> or T<false> are now acceptable as standins for of T<bool> (#1775)
• --report-show-info=false now works as advertised (#1773)
• psalm-language-server fixed erroneous behaviour on save seen in Vim and Sublime (#1780)
• allow scalar type in sprintf (#1792)
• missing static class constants are now complained about (#1791)
• allow uksort to accept version_compare (and improve handling of multiple-signature callmap options) (#1781)
• UndefinedFunction no longer causes analysis to stop in the given block (#1790)
• Missing docblock brackets are now detected (#1784)

This minor release adds inference of property types from simple constructors. It can be turned off with inferPropertyTypesFromConstructor="false" in the config.

Bugfixes

• adds psalm-refactor binary to composer so vendor/bin/psalm-refactor actually works...

This bumps requirements so Psalm can be installed in Symfony 4.3

The support for enum-like constructs with key-of and value-of in 3.3.1 was undercut by the fact that Psalm's string comparison checks were case-insensitive.

This fixes that issue.

Thanks to @bdsl for pointing it out!

Features

• Psalter: Backwards-incompatible changes in Psalter can now be prevented with a --allow-backwards-incompatible-changes=false - thanks @iluuu1994 for suggesting and implementing! (#1622)
• Language Server: Completion (which you can enable with --enable-autocomplete) reliability has been improved, thanks to input from @joshdifabio (#1653, #1654, #1655, #1656)
• Covariant templated params are now prevented from being used as input to a function (#1609, #1610)
• You can use @psalm-internal Some\Namespace to specify a specific nested namespace that functions using this feature must be in. Existing @internal annotations are equivalent to @psalm-internal <CurrentNamespaceRoot>. Thanks @bdsl for suggesting and implementing! (#1623)
• Previously a misspelled/missing class in a docblock would result in a UndefinedClass issue emitted, as would a missing class in PHP code. Now anything stemming from a docblock is an UndefinedDocblockClass issue.

Bugfixes

• Psalter won't add phpdoc-incompatible @return empty[] annotations anymore (#1636)
• Unused code: fixed some false positives around try/catch statements (#1464, #1128)
• A more specific error ImplementedParamTypeMismatch is emitted when a docblock param type deviates from a parent's docblock (previously MoreSpecificImplementedParamType was emitted (#1633)
• no-return-returning functions inside try/catch blocks are now treated properly (#1580)
• Checkstyle format no longer over-escapes characters (#1639)
• Fix caching issue with autoloaded functions (#1646)
• Totally-templated intersections are now allowed (#1652)
• interface_exists now generates a class-string type (#1657)

Changes

This release also bumps the minimum PHP version to PHP 7.1, and updates a number of packages accordingly.

This release also removes a recently-added TSqlSelectString type that was being used for an internal Vimeo plugin. I deemed the type unnecessary, especially as it added an extra 1.4MB in dependencies to Psalm's core. I've added a plugin hook for you to make your own, if you find that functionality useful.

Features

• if psalm --init doesn't see a folder labeled src, it now looks at your composer.json to see what autoloaded directories you've configured in Composer, and adds them to Psalm's config
• unused variable detection improved (#1626, #1391)

Bugfixes

• escape characters in checkstyle.xml output (#1620)
• return type fixes from @voku
• prevent an autoloaded function from overriding a function that's already been autoloaded (#1627)
• prevent Psalter updating return types overridden elsewhere (#1622)
• improve behaviour of unset on arrays with known keys

Features

• Psalm now prevents users from using --threads=X on Macs with PHP ini setting pcre.jit=1, due to widely-known crash on PHP > 7.3 (#1601)
• psalm --find-unused-code can now be used as an alternative to psalm --find-dead-code (#1586)
• checkstyle format can now be used for reports (#1616)

Bugfixes

• Psalm can now infer param types from array_map and array_filter closures where none were provided, preventing an unnecessary MissingClosureParamType issue (#664)
• Psalm can also now infer param types for templated callables (#1600)
• it now inherits docblock signature when child has a PHP return type and the parent does not (#1593)
• methods that just exit are now treated the same, type-system-wise, as methods that throw an exception (#1592)
• some previously-broken yoda conditional comparisons now work (#1591)
• ternary else statements now only know about the first condition expression's evaluation (#1597)
• prevent UnusedVariable issues from being caught by a try statement inside a loop (#1598)
• fix a crash when calling is_subclass_of with a possibly-undefined variable
• prevent invalid covariant template classes from being passed (#1603)

This adds slightly better support for dead code detection when running with --diff.

Also splits TypeCoercion into three new issues - ArgumentTypeCoercion, PropertyTypeCoercion and ReturnTypeCoercion, with similar treatment for MixedTypeCoercion. Existing config suppressions for TypeCoercion and MixedTypeCoercion should still work.

Bugfixes

• Allows --shepherd to be used with the Phar
• Detect changes to the first statement's docblock in a given method when using --diff-methods (#1574)
• Prevent fatal error with templates and complicated inheritance (#1578)

The previous code coverage removal didn't adequately check that a method or property hadn't been called in a variable manner on a parent class or implemented interface. This fixes that.

Features

• using --shepherd is supported for public GitHub projects using https://shepherd.dev
• function map updates from @voku, pulling in changes from JetBrains/PHPstorm-stubs

Bugfixes

• improve handling of negated binary ops (#1545)
• catch more impossible comparison to true and false (#1546)
• use correct comparison for callable param types (#1540)

Features

This release allows you to run Psalm's language server from a phar with the --language-server command.

It also allows you to annotated static variables with their expected types, thus discovering bugs e.g.

function foo() : void {
  /** @var int */
  static $a = 0;

  if (++$a === 3) {
    echo '3 times';
  }

  $a = "hello"; // this is now a bug
}

The release also contains fixes from @SignpostMarv allowing tests to be run under Windows without errors.

Bugfixes

• calls to static interface methods are now prevented (#1514)
• process inheritance properly in builtin classes (#1515)
• improve comparison of templated trait parameters (#1513)
• make return type of mktime conditional on its arguments (#1512)
• make expected params of PDOStatement::setFetchMode conditional on its first argument (#1496)
• introduce TraitMethodSignatureMismatch issue that can be suppressed (#1499)
• analyse array offsets on mixed values (#1510)

3.2.1 (released 15 minutes ago) introduced a bug because I didn't read the documentation for array_reverse carefully enough. Oh well.

Includes those bugfixes:

• Preserve count with array_reverse (#1470)
• Improve null checks (#1459, #1451)
• Fix regression added in 3.1.0 when analysing negated assertions (#1460)
• Prevent traits from being treated like valid classes (#1453), though they could be sort of added back in #1478
• Always inherit docs from parents (#1447)
• Support templated union types (#1418)
• Fix mixed message formatting (#1368)
• Allow class-string<T> types to be interpreted correctly (#1457)
• Allow self-named params in traits (#1475)
• Fix internal errors caused by bad generic param counts (#1474)
• Exclude tests dir from packagist (#1477)
• @weirdan fixed #1387, preventing API use of Codebase::classExists before everything has been populated
• Allow interface method calls in abstract class methods (#1461)
• Update callmap to include some false returns (#1448, #1469)
• Use relative path for config xsd (#1472)
• Combine closure types in union (#1462)
• Prevent invalid casts inside string (#1471)

This fixes templated param inheritance so that no @param T $t is needed on functions that extend/implement classes or interfaces that already defined that templated param type.

This fixes a slight showstopper which prevented the Phar from working properly with SQL-like strings.

If you use the Phar, you can now use Psalter too - run psalm.phar --alter followed by Psalter args (e.g. --issues=MissingReturnType)

Bugfixes

• Fix tracking dead code when aliasing trait methods (#1412)
• Allow non-empty-array in namespaces (#1416)
• Prevent false positive error comparing covariant trait abstract method return types (#1414)
• Allow property constructor checks across file inclusion boundaries (#1417)
• Allow comparison to empty arrays to inform emptiness (#1419)
• Fix variadic param counts (#1421, #1422)
• Allow templated covariance checks (#1411)
• Fix get_class return types when called on new (#1397)
• @param-out now allows types to be changed (#1379)
• Complain about implementing static interface methods with non-static (#1383)

Features

This release adds plugin hooks that allow you to have more control over how Psalm treats functions, properties and methods:

• Psalm\Plugin\Hook\PropertyExistenceProviderInterface
  allows you to control whether a property exists or not
• Psalm\Plugin\Hook\PropertyVisibilityProviderInterface
  allows you to control whether a property is visible in a given Context
• Psalm\Plugin\Hook\PropertyTypeProviderInterface
  allows you to control a property's type
• Psalm\Plugin\Hook\MethodExistenceProviderInterface
  allows you to control whether a method exists or not
• Psalm\Plugin\Hook\MethodVisibilityProviderInterface
  allows you to control whether a method is visible in a given Context
• Psalm\Plugin\Hook\MethodParamsProviderInterface
  allows you to control a method's parameters
• Psalm\Plugin\Hook\MethodReturnTypeProviderInterface
  allows you to control a method's return type
• Psalm\Plugin\Hook\FunctionExistenceProviderInterface
  allows you to control whether a function exists or not
• Psalm\Plugin\Hook\FunctionParamsProviderInterface
  allows you to control a function's parameters
• Psalm\Plugin\Hook\FunctionReturnTypeProviderInterface
  allows you to control a function's return type

Much of this functionality is already possible using stub files and Psalm's existing plugin architecture, but this gives you more fine-grained control over the process.

Additional features

• Psalm now detects when you pass undefined variables to a function that expects a typed by-reference param
• Better checks for invalid template param names (#1288, #1403)
• Docblock params that don't match an actual param variable name are now flagged if you have a param that's missing some type information (#1382)
• You can now add docblocks for non-empty-array<int, string> and get warnings when the passed argument is empty, or might be empty (#1393)

Bugfixes

• Remove self/static from array_map return type (#1361)
• Improve handling of array offset checks (#1366, #1356)
• Improve treatment of namespaced functions in define - thanks @bugreportuser (#1375)
• Allow stdClass[]|Generator in PhpStorm-compat mode (#1370)
• Extended getIterator calls now use proper types (#1364)
• Always evaluate array offsets when passed as arguments (#1382)
• Fixed a crash on ""[0] (thanks @bugreportuser)
• Callable param and return types should now be treated as docblock types (#1395)
• Allow scalar to be compared to literal values, then negated (#1399)
• Continue analysis after undefined static call (#1402)
• Improve string casting rules for union of resource|array (#1398)
• Fix parsing of @template of type with spaces (#1406)
• Fix return type of apc_add - thanks @weirdan (#1409)

Features

• Types can now be compared in plugins - thanks @weirdan (#1357)

Bugfixes

• Allow restricted string keys to be compared to object-like arrays (#1329)
• Allow $_SESSION to be checked in isset (#1335)
• Don't check for redundant conditions when checking property initialisation (#1338)
• Don't crash when encountering method that uses __call during property initialisation checks (#1337)
• Prevent crash for callable(static|self|parent) type (#1339)
• Fix array_unique return type - thanks @bugreportuser! (#1347)
• Allow UnusedClass to be suppressed via docblocks - thanks @weirdan! (#1353)
• Fix notice when combining some traversables and iterables and arrays together (#1350)
• Check for bad iterable arg params (#1359)
• Allow MissingThrowsDocblock to be suppressed (#1325)
• Allow in-trait static property comparison (#1332)

Features

• Switched to using https://github.com/amphp/amp for the Language server - thanks @trowski and @kelunik for your contributions!
• Psalm can now check specific versions of PHP if you pass it a --php-version=7.x argument in the command line (#1191)
• @SignpostMarv and @weirdan helped improve docs around templates
• Thanks to @maludecks, running --update-baseline will tell you how many errors were removed
• Add MixedFunctionCall issue, emitted when totallyTyped="true" in the config and Psalm cannot infer what's being called (#1313)
• Improve strictness of ReflectionClass (thanks @SignpostMarv)

Bugfixes

• fix handling of templated intersection (#1287)
• only match the most specific template param in a union (#1290)
• fix issue reconciling an isset command that includes a class constant array key (#1297)
• load functions defined in a class's PSR-4-compatible file whenever that class is used (#1300)
• vars defined in catches that end in a throw/return should be conditionally available in finally (#1299)
• yield from $myArray should infer types properly (#1307)
• Prevent same-named template params in extended classes from confusing inheritance (#1310)
• No PropertyNotSetInConstructor false positive warnings for grandchild classes without constructors (#1309)
• Improve behaviour of is_iterable and is_callable (#1316)
• Always preload reflection data for Callable if we're using a closure somewhere in the codebase (#1314)

Features

Missing param types can now be added with Psalter by using the --issues=MissingParamType option (#204)

Also:

• Support wildcards e.g. <referencedClass name="*Foo" /> - thanks @andrew-demb for additional help (#1225)
• detects illegal closure param use (#1256)
• improve analysis of automatically-invoked ArrayAccess methods offsetGet and offsetSet
• analysis of large arrays is now much faster - thanks @TysonAndre for the suggestion (#1279)

Bugfixes

• add template params for SplObjectStorage (#1259)
• support $this and static returns in @method annotations (#1196, #1257, #1258)
• fix redundant conditions when eliminating object after assertion (#1262)
• fix malformed class-string after certain assertions (#1263)
• allow <referencedMethod> issue suppression to be a warning (#1265)
• fix handling of @var self on static properties (#1267)
• fix handling of second variadic arg when used with explicit param types (#1273)
• improve combination of types resulting from get_class call and class-string (#1275)
• fix calls to a templated parent method when using @template-extends (#1274)
• fix handling of generic self and static return objects (#1282)

Features

Solidifies support for @template with support for @template-use for traits, and numerous extra checks for bad usage (#1232, #1234, #1236, #1238, #1240, #1243, #1244, #1245, #1248, #1250, #1072). Thanks @sserbin, @weirdan and @SignpostMarv for pointing out errors and omissions in my implementation!

Other features:

• Invalid @var annotations are now checked (#1246)
• Class-specific issues (e.g. UndefinedClass) can now be suppressed with wildcard class names (#1225)
• Generic params are now allowed in @psalm-assert calls (#1227)
• Add support for floats in enums e.g. @var 0.1|0.2 (#1099 and #1253)

Bugfixes

• Fix config value for allowStringToStandInForClass - thanks @andrew-demb (#1222)
• MissingClosureParamType can now be suppressed from a parent function @psalm-suppress (#1223)
• Classes with __invoke can be transformed via Closure::fromCallable to appropriate closure (#760)
• Improve error message when a type cannot be inferred for a packed arg (#1110)
• Fix confusion when namespaced function shared name with namespaced class in same scope (#1235)
• Check for undefined class before comparing to class/interface (#1229)
• Allow negative offsets on strings (#1241)
• Iterable should subsume array|Traversable (#1242)
• Allow instanceof comparisons to class strings (#1251)
• iterator_to_array now understands objects with getIterator() methods (#1249)
• Union of literal string and class-string now treated as string (#1254)

Features

• Improved handling of template constraints so that more errors are found (#1068, #1207)

• Adds support for object{foo:string, bar:int} annotation to describe runtime-generated objects like stdClass (#390)

• Initial support for @param-out, though the @param-out values are currently not verified (#1088)

• @property can now override parent param types, though that use case is not massively encouraged (#1214)

• Added @extends and @inherits as alternate syntax for @template-extends

• Catch invalid string/array parameters passed to functions expecting a typed callable (#1109 and #1218) so Psalm can see the bug in this:

  $a = [["hello"], ["goodbye"]];
  usort($a, 'strcmp');

  Thanks @weirdan for the issues and suggestions to help make this happen!

Bugfixes

• Disallow undefined class constants in enums (#1202)
• Prevent fatal error with array_map checks after unresolvable file include (#1200)
• Allow traits to override inheritance checks (#1205)
• Inheritance is now always respected when combining object types (#1208)
• Allow $_SERVER type to be set in a docblock. Foreach @var annotations are also now applied before evaluation of the iterable (#1211)
• Prevent type contradiction errors in catch and finally blocks (#1221)
• Allow namespaced constant refs everywhere (#1220)
• Allow class-string<Foo&Bar> (and Psalm to be able to infer that type) (#1219)
• Allow a protected property to be set by its parent constructor (#1217)

This release brings support for the @template-extends annotation.

You can use this when you have a templated class/interface that extends another templated class/interface.

Bugfixes

• Fix password_hash signature - thanks @weirdan (#1188)
• Fix issues with baseline file paths when generated on Windows (#1192)
• Evaluate assignment arguments when parameters are passed by reference (#1195)
• Treat all class_alias commands as acting globally to the project (#1113)
• Namespace classes in @psalm-assert docblock (#987)
• Evaluate phantom/mock-class method params (#1129)
• Warn for more invalid operands (#833)
• Support private trait method aliasing (#909)
• Allow constant arrays to be refined with isset (#813)

Release 3.0.9 contained a fix for #1141 that erroneously highlighted symlinked files as being analyzable. That's fixed in this release.

Features

• Added is a plugin hook that's called when Psalm has analysed a class, AfterClassLikeAnalysisInterface (#1183)
• Improved callmap from PHPStan's changes (thanks @voku)
• Made the language server more robust (fixed a bunch of potential crashes)

Other bugfixes

• Also fixed a potential OOM error with large conditionals in #1181 and some bad maths in #1180
• Allowed scalar to be coerced to numeric (#1178)
• Allow assignments in mixed method calls (#1176)
• Take note of trait method visibility overrides (#1175)
• Prevent RedundantCondition issues bleeding to unrelated callsites (#1177)

Features

As explained here, I've changed how class strings are typed, so as to discriminate between literal string values (e.g. Foo::class) and strings which we know to contain either Foo::class or SomeChildOfFoo::class which, in Psalm's type system, I'm calling class-string<Foo>.

Bugfixes

• Exception::getCode()/ Throwable::getCode() can return a string (#1148)
• IntlDateFormatter::format() can return false (#1147)
• Allow empty check on iterable (#1149)
• Don’t crash when calling parent::bar() with undefined parent class (#1154)
• Don't complain about self::class comparisons inside traits (#1152)
• Add better checks for new $foo() and $foo::bar() (#1143 and #1142)
• Prevent language server crashes when copying methods and classes (#1150)
• Fix handling of filter_var (#1163, thanks @andrew-demb)
• Fix inheritance of hard-to-resolve constants (#1165)

Fixes #1135, where a user had problems with a Laravel-based project that made heavy use of class_alias. Also fixed an issue (in the same ticket) reasoning about arrays that had been passed by reference to a function. Thanks to @josephzidell for his enormous patience as I tracked down the various Psalm bugs he stumbled upon.

Also fixed an issue where Psalm would not properly inherit a param type if a signature type was also given, e.g. here:

interface I {
  /** @param string[] $f */
  function foo(array $f) : void {}
}

class C implements I {
  /** @var string[] */
  private $f = [];
  
  /**
 * {@inheritdoc}
 */
  public function foo(array $f) : void {
    $this->f = $f; // Psalm thought $f was array<mixed, mixed>
  }
}

Psalm will now bypass the signature check if @inheritdoc is present in the docblock.

Features

Better analysis of when dealing with unknown types

Prior to this release, Psalm wouldn't see any problems with the following:

class A {}

function foo($bar) : void {
    if (rand(0, 1)) {
        $bar = new A();
    }
  
    $bar->bat();
}

That's because $bar would always be treated as mixed. mixed is a special type that basically says "we don't know anything", but if we look at the code above it's clear that it might fail.

I changed Psalm's type system so that mixed no longer subsumes any other possible type, and now the above reports a PossiblyUndefinedMethod issue.

New compact output

@erunion resolved #967, which asked for a more concise output format.

Use --output-format=compact to see the new format.

class_alias support

It used not to be supported. Now it is (as long as the class_alias calls are in your bootstrap file). Fixes #1102.

@method improvements

As per #999, @method annotations can now override parent method return/param types.

@psalm-misspelled-annotation warnings

If you use an annotation beginning with @psalm- that's not recognised, Psalm will now warn you (#490).

@Internal warnings

Psalm will now emit issues if you're using code marked @internal in a different namespace (#689).

Bugfixes

• Improved handling of long switch statements (#1103)
• Add support for referencedFunction in UndefinedFunction config issue suppression blocks (#1108)
• Fixed automatic inference of assert*-named function for complicated logic (#1095)
• Emit PossiblyUndefinedArrayOffset in more places (#1107)
• Many method trait method aliases can now map to the same method (#1104)
• Allow function docblocks with ...$some_var to imply variadic input (#945)
• Allow @throws annotation to capture subclasses of the given Exception class (#1115)
• Improve handling of callables with generic-param intersection return types (#1119)

Changes

• Psalm will now emit a TypeDoesNotContainType issue when comparing get_class($foo) to a string. Use class constants instead!

Features

Improves handling of intersection types somewhat so that docblocks can add intersections to an existing type e.g. @return SomeInterface&static will evaluate to SomeInterface&SomeOtherInterface&Foo when $this is typed to SomeOtherInterface&Foo.

If none of that makes any sense, basically I had to add improve some stuff so that Psalm could support a new Mockery plugin.

Bugfixes

• Phars work on Windows, and cache is not shared between non-Phar Psalm runs (#1074, #1094)
• Scan @throw classes in case they're not used elsewhere (#1093, thanks @aidantwoods for identifying)
• Improve typing of iterators and getIterator calls (#1036)
• Re-fix support for magic properties (#1074, thanks @TysonAndre for finding the regression)

The VS Code Language Server plugin was not tested on Windows, and therefore had a couple of bugs. With this update, and an accompanying one in VS Code plugin land, the plugin is Windows-safe.

Features

Baseline creation/updating

Thanks to @ErikBooijCB, the Psalm's config file is now updated automatically when using --set-baseline. The baseline XML file now includes snippets of the bad code, where possible, to reduce false positives when Psalm finds more errors in that file (because you can sometimes be directed to the wrong error site).

Non-empty array type inference

Psalm has improved slightly better understanding of when an array is non-empty.

Bugfixes

• improved treatment of the special class-string type (#1055)
• fix issue some were running into processing include paths (#1059)
• fix parsing of nested callables (#1063)
• fix return results of modulo arithmetic (PHP always returns ints, unlike JS) (#1069)

New features

Error Baselines

#1049 introduced support for creating baselines - thanks @ErikBooijCB!

If you have a big project and want to use Psalm, but don't want to fix all the possible errors right away, you previously had one option - adopt an incredibly lenient config and incrementally make it more strict.

Now there's another way - you can create a stricter config and generate a baseline with --set-baseline=[path/to/baseline.xml]. Psalm will scan your codebase and create a file with the current number of errors of each type in each file, so developers cannot add more issues of that given type in those files.

You currently have to then add errorLevel="path/to/baseline.xml" in your Psalm config for Psalm to use that baseline file, but that step will be automated in a future release.

Over time, as issues are fixed, you can call --update-baseline and Psalm will trim the baseline to represent the current error counts in your codebase.

LSP onChange support

Psalm now has support for onChange events in Language Server mode (previously only onOpen and onSave events were supported).

This allows for more seamless editing in IDEs that support LSP, and also means Psalm now supports hover events and go-to-definition.

Bugs fixed

• improved handling of malformed docblock @property types (#1026)
• fix fatal errors when dealing with inexistent intersection types exist (#1045, #1044)
• fix fatal errors when dealing with extension methods that aren't in the callmap (#1035)
• fix LSP mode method invalidation when adding/removing use statements (#1039)
• understand a lot of filter_var arguments (#1024)
• handling of -i (#1047) - thanks @DaveLiddament!

The banner feature is support for Language Server Protocol (using the vendor/bin/language-server-protocol binary).

It's still awaiting documentation for every single IDE, but if you use VS Code and want to hack around, I've included a VS Code plugin below.

Bugfixes

The last release prevented last-ditch scanning of files in the analysis phase, once scanning is assumed to be done. This introduced a couple of bugs (or rather, it highlighted them):

• Fix scanning of object casts (#1016)
• Fixed scanning of non-docblock return types (#1017)

For more information: https://github.com/vimeo/psalm/releases/tag/2.0.9

Fixes bugs:

• improves filtering of subclasses based on parent clauses (#856)
• improves handling of nested clauses based on same object (#857)
• fixed analysis of polyfilled classes (#862)
• downgraded issue type from LessSpecificReturnStatement to MixedTypeCoercion when returning an array of mixed where a typed array is expected (#863)
• Fixed handling of constants with different values across different operating systems (#867)
• Improved return types of version_compare, gettimeofday and parse_url (#868, #871 and #875)
• Improved handling of complex param types for @magic methods (#870)
• Issues in vendor are now suppressed by default for newly-created configs (#872)
• Allow is_iterable to filter out non-iterable types (#874)
• Allow any iterable to be unpacked when calling functions (#873)

This updates the PHP 5.6-compatible branch with all the new features & bugfixes in the 2.x branch, minus the API changes in 2.x.

See the Releases page for details of the 2.x additions/fixes.

This release improves handling of stubbed files, allowing you to override methods of a class without including the whole class. It's in anticipation of a library of stubs and plugins for different 3rd-party packages.

Other changes

• Improved handling of class constants (#837 and #840)
• Issues are now triggered when impossible assertions made outside of a conditional (#838)
• Improved dead code detection after method_exists call (#836)
• Unresolvable method args are now checked where possible (#839)
• Remove hard memory limit when calling with --use-ini-defaults (#842)
• Fix callmap issues (#843 and #835, thanks @fkooman)
• Fix division-by-zero issue (#844)
• Improve array_reduce return type (#846)
• Improved handling of autoloaded files with function definitions (#848)
• Fixed handling of null|object|T when simplifying types (#851)
• Allow is_numeric check to refine scalar types (#850)
• Fix handling of variables set in do {} while($a = rand(0, 1)) conditionals (#852)

New feature

Finally added support for detecting missing @throws annotations: #15

You have to explicitly enable this feature in your psalm.xml by adding a config flag checkForThrowsDocblock="true". You can also choose which exceptions to ignore with <ignoreExceptions>. Missing @throws docblocks emit a MissingThrowsDocblock issue.

Bugfixes

• Improve handling of array_filter and array_map (#811 and #810)
• Improve bad docblock handling (#808, #812, #816 and #818, #826)
• Improve literal type handling (#814)
• Allow some more @method names (#820)
• Improve dead code detection (#822, #475 and #805)
• Fix bug where erroneous !== false checks were ignored (#823, #825)
• Improve handling of self in is_a checks (#819)
• Improve selection of callmap args when function is overloaded (#831)
• Fixed bug with erroneous inference of splatted input (#830)

2.0.2 introduced a bug where it would complain about missing function storage in some cases. This is now fixed.

Other issues:

• Fix issues analysing anonymous classes without constructors (#795)
• Psalm now understands assignments in if statements that also have repeated falsy assertions (#801)
• Psalm allows (by ignoring for the moment) union types in @method params (#802)
• Better treatment of isset for ArrayAccess offsets (#800)
• Magic methods are now correctly invoked within classes when properties are missing (#798)
• Invalid selectively-overloaded trait methods are now understood better (#803)
• Type ...$var can now be documented with @param Type[] $var without complaint (#792)
• Improved docblock handling for nullable closure return types in (#791)
• Templated parameter types on class methods where the templated type has already been set are now bound to that set type so that arguments can be checked against those types (#794)
• Improved handling of $this outside of a class (#378)
• Improved dead code detection in traits (#416)

• Added wildcard pattern matching for files in the config e.g. <file name="src/Project/*Bar.php" />
• Fixed treatment of union types in @method docblock params
• Improved analysis of XML classes

• Adds support for three new docblock annotations
• Fixed treatment of xor when passed boolean operands
• Psalm now adopts the nullability of the return typehint, if present
• Prevent a situation where InvalidDocblock only appeared on first run in some situations
• Fixed a false positive when analysing array keys with occasional explicit offsets
• Improved Psalm's handling of dependent files - when analysing a file, Psalm will also now report errors in traits that file uses. The same goes for errors found in parent classes and require'd files.
• Fixed handling of self::instanceMethod() calls when performed from a non-static context
• @weirdan added support for array_columns inference - #719

The big feature in this release is support of string & int enumerations in @param and @return statements.

Enumeration types allow you to specify a range of possible values for a given input or output, and allow you to write a little less code while still satisfying the type-checker.

For example, in the following Psalm understands that the function foo always returns a string, and only the last call, foo('bad'), is forbidden.

class A {
  const FOO = 'foo';
  const BAR = 'bar';
}

/**
 * @psalm-param A::FOO|A::BAR|'bat' $s
 */
function foo(string $s) : string {
  switch ($s) {
    case A::FOO:
      return 'hello';

    case A::BAR:
      return 'goodbye';
      
    case 'bat':
      return 'hello again';
  }
}

foo('foo');
foo(A::BAR);
foo('bat');
foo('bad');

Also included in this release are improvements to the templating engine, and fixes to how Psalm stores string values.

Includes support for value types (also in 1.x). Impetus comes from PHPStan, which has added this in dev-master.

This allows Psalm to find bugs in code like this (coincidentally the lone bug this new analysis found in Vimeo's codebase).

Also includes various fixes, including better analysis of expressions in disjunctive normal form

($a && $b) || ($c && $d) || ($e && $f)

Small bugfixes

Breaking changes:

• Uses PHP Parser 4 (and thus requires PHP 7)
• Issue type MoreSpecifcImplementedReturnType has been renamed LessSpecificImplementedReturnType
• Issue type PossiblyUndefinedArrayOffset is triggered for possibly undefined array keys (previously bucketed into PossiblyUndefinedVariable)

  $foo = rand(0, 1) ? ['a' => 1, 'b' => 2] : ['a' => 3];
  echo $foo['b'];

• removed stopOnFirstError <psalm /> config attribute, which hasn't been used in ages
• removed UntypedParam issue type, which also hasn't been used (MissingParamType is the replacement)

Fixed issues comparing variables - #677 for get_class vs ::class, and $a !== $b now fails if $a can never equal $b.

Fixed #676 - bit manipulations were getting typed to mixed, now string or int depending.

Fixed #673 where cached class names could pollute class lookups on case-sensitive OSes like Linux

@srsbiz fixed Windows directory handling in #655 and changed Psalm to use .dist files by default in #644

Bugfix release:

• Fixed bugs parsing docblock types in #614, #617, #630, #619, #629 and #560
• Improved type handling for #615, #626, #631, #635 and #637
• Improve handling of var_export and implode for #636 and #610 respectively

Fixes a couple of bugs with intersection types and nested trait resolution.

Thanks to the great work of @weirdan, this release has a Phar that you can use on any existing Psalm project.

Other changes:

• fixes #569 where trait function name maps got corrupted
• improves analysis of error-suppressed functions (#570)
• improves analysis of array_merge where ... is used (#571)
• improves analysis of strpos and abs calls (#576 and #577)
• improves handling of iterable types when negated (#574 and #579)
• added better checks to compare trait abstract methods to classes that use the traits

You can now specify that parameters that take fully-qualified class names must be passed a ::class constant. The docs have more info.

This release also brings more robustness to class-filename resolution, relying on composer's autoloader class where available to get the class name without using reflection. Thanks @weirdan for the ticket that led to this improvement.

This release also removes a dependency on composer/composer, using the much smaller composer/xdebug-handler instead. Thanks to @felixfbecker for the idea, and @johnstevenson for the legwork on the composer side, and @weirdan for integrating it with Psalm.

I introduced a new issue type of OverriddenPropertyAccess to fix #547. While this is technically a change in the API, it's also an issue that is very unlikely to occur in your codebase, so I felt it was acceptable to violate SemVer.