Fix phpstan/phpstan#14241: Cannot re-assign auto-global variable in parameters#5153
Open
phpstan-bot wants to merge 2 commits intophpstan:2.1.xfrom
Open
Fix phpstan/phpstan#14241: Cannot re-assign auto-global variable in parameters#5153phpstan-bot wants to merge 2 commits intophpstan:2.1.xfrom
phpstan-bot wants to merge 2 commits intophpstan:2.1.xfrom
Conversation
clxmstaab
force-pushed
the
create-pull-request/patch-lgqy7io
branch
from
a2ae368 to
ba7f36d
Compare
staabm
reviewed
Mar 9, 2026
VincentLanglet
approved these changes
Mar 9, 2026
Contributor
|
(requesting ondrejs review, as we are adding a new rule) |
VincentLanglet
force-pushed
the
create-pull-request/patch-lgqy7io
branch
from
ba7f36d to
e7b86ab
Compare
staabm
approved these changes
Mar 20, 2026
Collaborator
Author
|
Tests pass. The review from staabm is just an approval — no changes were requested. The PR is ready to merge as-is. |
…arameters
- Added SuperGlobalParameterRule to detect superglobal variable names used as function/method/closure parameters
- PHP throws a fatal error for this (e.g. `function doFoo($_FILES): void {}`), but PHPStan was not reporting it
- New regression test in tests/PHPStan/Rules/Functions/data/bug-14241.php
- Excluded test data file from Makefile lint step since PHP cannot parse files with superglobal parameters
staabm
force-pushed
the
create-pull-request/patch-lgqy7io
branch
from
e7b86ab to
dff450d
Compare
staabm
approved these changes
Mar 20, 2026
Contributor
staabm
left a comment
staabm
left a comment
There was a problem hiding this comment.
test bot reaction after rebase to latest action workflows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PHP throws a fatal error when a superglobal variable name (like
$_FILES,$_GET,$_POST, etc.) is used as a function, method, or closure parameter. PHPStan was not detecting this and only reported missing type hints, missing the more fundamental issue.Changes
src/Rules/Functions/SuperGlobalParameterRule.php— a new level-0 rule that checks allFunctionLikenodes for parameters named after superglobal variablestests/PHPStan/Rules/Functions/SuperGlobalParameterRuleTest.phpwith test covering all superglobal variables across functions, methods, closures, and arrow functionstests/PHPStan/Rules/Functions/data/bug-14241.php— test data fileMakefileto exclude the test data file from PHP lint (since PHP itself cannot parse files with superglobal parameters)Root cause
There was no rule checking whether function/method/closure parameters use superglobal variable names. PHP prohibits this at the parser level with "Cannot re-assign auto-global variable" fatal error, but PHPStan's parser (nikic/php-parser) successfully parses the code without error. A dedicated rule was needed to replicate this PHP compile-time check.
Test
The regression test
SuperGlobalParameterRuleTest::testRule()verifies that errors are reported for$_FILES,$_GET,$_POST,$_SERVER,$_SESSION,$_COOKIE,$_REQUEST,$_ENV, and$GLOBALSwhen used as parameters in functions, methods, closures, and arrow functions. Regular parameter names like$okproduce no error.Fixes phpstan/phpstan#14241