Invalidate maybe-impure function return values after impure method/static calls

[phpstan-bot]

Summary

• After assert(count(MyRecord::find()) === 1), calling an impure method like $msg2->insert() now correctly invalidates the narrowed count, so count(MyRecord::find()) returns int<0, max> instead of staying narrowed to 1
• Added MutatingScope::invalidateAllMaybeImpureFunctionReturnValues() which removes stored expression types that contain maybe-impure function/method/static calls
• Hooked invalidation into MethodCallHandler and StaticCallHandler for calls with hasSideEffects()->yes(), skipping $this-> calls to avoid over-invalidation

Details

The root cause was that specifyTypesForCountFuncCall() narrows the argument expression (e.g., MyRecord::find() -> array{0: MyRecord}) and stores it in scope. Since find() has hasSideEffects()->maybe() and rememberPossiblyImpureFunctionValues is enabled, the narrowing persists. When $msg2->insert() runs, invalidateExpression() only invalidates expressions containing $msg2, so MyRecord::find() was never cleared.

The fix adds a new method that walks all stored expression types with NodeFinder, checking each for function calls, method calls, or static calls that are not proven pure (hasSideEffects()->no()). Any expression containing such a call is removed from the scope.

Test plan

• Added tests/PHPStan/Analyser/nsrt/bug-13416.php with test cases covering:
  • Static call invalidated by method call
  • Method call invalidated by method call
  • strlen() of impure call invalidated by method call
  • Count NOT invalidated by pure function (rand)
  • Same scenarios inside a class context
• Full test suite passes (12071 tests, 79697 assertions)
• PHPStan self-analysis introduces no new errors
• CS-fix reports no violations

Closes phpstan/phpstan#13416
Closes phpstan/phpstan#12734

[VincentLanglet]

find is marked as impure

/**
     * @return array<int, self>
     * @phpstan-impure
     */
    public static function find(): array {
		return self::$storage;
    }

So this fix is wrong ; the real issue is the fact that

count(MyRecord::find())

is a memoized expression even if it contains an impure call.

count($expr) can only be memorize if it does not contains impure $expr.
Maybe the same issue exist for other rememberedExpr ?

[phpstan-bot]

Pushed. Here's a summary of the changes:

Root cause identified: The previous approach (post-hoc invalidation via invalidateAllMaybeImpureFunctionReturnValues) was wrong as the reviewer pointed out. The real issue was that TypeSpecifier::createForExpr() only checked the top-level expression for impurity, missing impure sub-expressions. For example, strlen(impure_func()) === 3 passed the check because strlen is pure, even though the argument impure_func() is impure.

Fix: Added expressionContainsNonPureCall() in TypeSpecifier that walks the expression tree via NodeFinder and checks all sub-expressions for impurity. This is called in createForExpr() after the existing top-level checks, preventing expressions with impure sub-calls from being stored in scope in the first place.

Key behaviors:

• @phpstan-impure calls: narrowing not applied (both direct and wrapped in pure functions)
• Maybe-impure calls with rememberPossiblyImpureFunctionValues=true: narrowing still applied (by design)
• Maybe-impure calls with rememberPossiblyImpureFunctionValues=false: narrowing not applied
• AlwaysRememberedExpr: excluded from the check (bypass by design)
• Variable callables: purity checked via callable parameter acceptors (matching existing createForExpr logic)

Removed: invalidateAllMaybeImpureFunctionReturnValues() and expressionContainsMaybeImpureCall() from MutatingScope, along with their call sites in MethodCallHandler and StaticCallHandler.

[VincentLanglet]

This produce a regression on phpstan-beberlei-assert tests which does not report the second call

		Assert::uuid($a);
		Assert::uuid($a);

anymore ; any idea why ?

[staabm]

do we have the same bug on impure ArrowFunctions and impure Closures?
if so, add tests and expand the callable to cover it

[phpstan-bot]

Pushed. Here's a summary of the changes:

Investigation: The reviewer asked whether impure ArrowFunctions and Closures are handled by expressionContainsNonPureCall. The answer is yes, the current code handles them correctly through two mechanisms:

1. NodeFinder descends into closure/arrow function bodies — impure FuncCall/MethodCall/StaticCall nodes inside closure bodies are found and flagged (e.g., (fn() => MyRecord::find())())
2. The FuncCall dynamic callable path checks ClosureType::isPure() via getCallableParametersAcceptors(), which catches impurity from non-call sources like echo

Tests added (7 new test cases):

• Arrow function IIFE with impure static call in body
• Closure IIFE with impure static call in body
• strlen wrapping impure arrow function IIFE
• Impure closure called via variable
• Closure IIFE with echo + impure calls in body
• Pure closure IIFE stays narrowed (positive case)
• Pure function wrapping impure function with coalesce (covers #12734 pattern)

All 12071 tests pass and PHPStan self-analysis reports no errors.

[phpstan-bot]

Pushed successfully. Here's a summary of what I did:

Root cause: The expressionContainsNonPureCall() method used NodeFinder to walk all sub-expressions looking for impure calls. Unknown functions (not found in the reflection provider) were treated as non-pure (return true), which broke third-party extensions that use FAUX_FUNCTION_ markers in their rootExpr expressions (e.g., phpstan-beberlei-assert's isJsonString assertion). The old code only checked the top-level expression, so unknown functions in sub-expressions were never flagged.

Fix (two changes):

1. In expressionContainsNonPureCall(): changed return true to return false for unknown functions in the sub-expression tree walk. We can't determine purity of unknown functions, and being overly conservative blocks legitimate patterns.
2. In createForExpr(): added a separate early-return guard for top-level unknown FuncCall expressions (restoring the backwards-compatibility behavior that was in the old code before the refactor).

Verified: All 12071 tests pass (79697 assertions), PHPStan self-analysis clean, original bug-13416 fix still works, and the beberlei-assert regression (string, integer, uuid, isJsonString double-call detection) is fixed.

[VincentLanglet]

Add non regression test for the fix made about FAUX_FUNCTION_ markers

[phpstan-bot]

Pushed. Added a non-regression test in TypeSpecifierTest::testUnknownFunctionSubExpressionDoesNotPreventNarrowing() that verifies the FAUX_FUNCTION fix. The test calls TypeSpecifier::create() with count(FAUX_FUNCTION($foo)) — a known pure function wrapping an unknown function — and asserts that type narrowing succeeds. I verified the test fails when the fix is reverted (unknown functions treated as non-pure), all 12072 tests pass, and PHPStan self-analysis reports no errors.