Incorporate an SCCP check

[rlerdorf]

Phan's -x (dead code detection) mode is quite simplistic and basically only looks for functions and methods that are never called. Starting with PHP 7.2, but much more so in PHP 7.3 the opcache optimizer does pretty advanced DCE & SCCP. Take this example:

<?php
class C { 
	public $i;
}

function fn(int $x) {
	$c = new C;
	$c->i = 1;
	if($x) {
		$a = [1, 2, 3];
	} else {
		$a = [3, 2, 1];
	}
	return $a[$c->i];
	$c->i++;
	return $x;
}
fn(1);

This is obviously horrible code, but phan -x has no complaints. Not even for the 2nd return in the function. If we run it through the optimizer like this:
php -d opcache.optimization_level=-1 -d opcache.opt_debug_level=0x20020000 -l script.php (using PHP 7.3) we get:

SCCP Values for "fn":
    #4.X3 = {}
    #5.CV1($c) = {}
    #6.CV1($c) = {"i" => int(1)}
    #7.CV2($a) = array(...)
    #8.CV2($a) = array(...)
    #9.CV2($a) = [1 => int(2)]
    #10.X4 = int(1)
    #11.X3 = int(2)

$_main: ; (lines=4, args=0, vars=0, tmps=0)
    ; (after optimizer)
    ; script.php:1-19
L0:     INIT_FCALL 1 96 string("fn")
L1:     SEND_VAL int(1) 1
L2:     DO_UCALL
L3:     RETURN int(1)

fn: ; (lines=2, args=1, vars=1, tmps=0)
    ; (after optimizer)
    ; script.php:6-17
L0:     CV0($x) = RECV 1
L1:     RETURN int(2)
No syntax errors detected in d6

The big block of SCCP values for the fn function tells us that the Sparse Conditional Constant Propogation pass kicked in big time on this code and we see from the final opcodes that the entire fn function was reduced to the equivalent of:

function fn($x) {
    return 2;
}

We should figure out some way to surface this from Phan. The opcache debug output has a range of line numbers on each block of opcodes, but it isn't showing it on a per-opcode basis even though each opcode does have a line number internally. We might need to change that debug output, or at least add an option to make it more verbose so we can provide more specific warnings from Phan on code like this. But since it also rewrites the code (replacing $c->i with 1 in the return call in this case) we can't easily exactly describe what the code was reduced to unless we write some translator to go from opcodes back to PHP code. The easiest is to just indicate that the block of code indicated by the script.php:6-17 range contains dead/redundant code.

[TysonAndre]

This is obviously horrible code, but phan -x has no complaints. Not even for the 2nd return in the function. If we run it through the optimizer like this:

UnreachableCodePlugin can be used to detect this, but plugins aren't advertised well.

Maybe -x should enable https://github.com/phan/phan/blob/master/.phan/plugins/UnreachableCodePlugin.php and suggest downloading https://github.com/TysonAndre/PhanUnusedVariable / https://github.com/mattriverm/PhanUnusedVariable

The easiest is to just indicate that the block of code indicated by the script.php:6-17 range contains dead/redundant code.

That might run into a lot of false positives. The variables are used, and constant expressions may have been written verbosely for code style, or to organize thoughts.

E.g. the below is redundant code, but not dead code

$secondsPerHour = 60 * 60;
$secondsPerDay = $secondsPerHour * 24;
return $secondsPerDay;

as well as

function foo(array $args, bool $enableFoo) { /* implementation */ }
$enableFoo = false;
foo($args, $enableFoo);

Maybe some special cases, such constructing objects when those objects are determined to have no side effects (e.g. __destruct() for RAII), are worth warning about (or unused array elements)

[TysonAndre]

Functions that boil down to a return constant ((receive args, return value unrelated to args) might be a special case. (PhanComplexFunctionReturnsConstant)

• That might be a false positive when running 64-bit phan on code that can also be 32-bit.
• That might also be a false positive depending on constants (e.g. if (PHP_VERSION_ID > 70103) { return null; } /* ...statements */ could be reduced? (Not sure which constants PHP 7.3 will optimize out)

[TysonAndre]

https://gist.github.com/TysonAndre/9690564a8f9f6a98102f35b1e689103e is a prototype checker (standalone CLI script). It works with php 7.3 alphas

Things which could be done to improve on that:

• Will using the "SCCP Values" section given by the high bit of opcache.opt_debug_level=0x20020000 help when checking for dynamic behavior (can't link them to a line number right now)

• If opcache dumped a machine readable format such as JSON instead of a text format, that'd make extraction of opcodes more reliable.

• It should handle the ASSIGN opcode as well. $x = null; return $x; isn't worth warning about.

• Check if ranges of line numbers get simplified from conditionals, object creation, function calls, etc. into nothing or a simple assignment. This would roughly correspond to blocks of code, e.g. within a loop or if statement.

  I'm not how well that that strategy will work.

---

I expect that things that would pass Phan's --unused-variable-detection but fail SCCP would be fairly rare in practice (Again, checking for blocks of code instead of the whole function may help there)

[TysonAndre]

The SCCP plugin from that gist was added to https://github.com/phan/PhanPrototypes as a more permanent location