Welcome to the official channel for Psalm, a PHP static analysis tool for finding errors and security vulnerabilities in PHP applications!
This channel will be used to post news regarding Psalm and other projects maintained by Daniil Gentili.
Feel free to join my other channels as well!
- @MadelineProto - Official channel for MadelineProto, an async PHP client API for the Telegram MTProto protocol
- @daniilgentili - Personal blog
Psalm discussion group: @psalmphp_community
Documentation: psalm.dev
Github: https://github.com/vimeo/psalm
Psalm 6.10.0 is out!
This is a smaller release, in preparation for some bigger feature releases, both on the v6 and v7 branches.
Features:
- Added rank to SARIF report
- Added forceJit and noCache configuration keys
7.0.0-beta4 was also released from the v7 branch with the same additions.
Psalm 7.0.0-beta5 is out!
This beta release adds a major new feature to Psalm v7: combined analysis!
Combined analysis allows running normal analysis, security analysis and dead code analysis all at the same time, within a single run, greatly reducing overall runtimes!
Future beta releases will also enable taint analysis by default, given that now it can be run alongside normal analysis.
Forwarded from Daniil Gentili's blog
Happy to announce I've launched a blog, where I'll be posting news about all my different projects, MadelineProto, Psalm, and much more: blog.daniil.it!
I now also have a newsletter, feel free to subscribe to receive all the latest news: blog.daniil.it/newsletter ❤️
All posts posted to my blog and newsletter will also be posted here (replacing the old @daniilgentili blog for technical reasons, as I do not have access to the owner account anymore).
You can now discuss posts and news about *all* my projects in the linked discussion group: here!
Forwarded from Daniil Gentili's blog
The first series of posts I'll be adding here will be some technical deep dives into the performance improvements I've made in Psalm v6, can't wait to share them all with you!
And then, a long overdue post about my Autonomous System (AS198747), and an even more overdue MadelineProto v9 :D
Forwarded from Daniil Gentili's blog
Psalm v6 Deep Dive: Copy-on-Write + dynamic task dispatching
Psalm is one of the biggest and most powerful PHP Static analysis tools, featuring exclusive features like security analysis.
In Psalm 6.1, I implemented a major refactoring of multithreaded mode (automatically enabled on Linux/Mac OS) based on amphp/parallel, which greatly reduced analysis speeds!
But why was it so effective? To understand, one must first understand that in the vast majority of PHP multithreaded analysis tools, jobs are distributed statically between threads on startup, which means that towards the end of the analysis, a lot of workers just sit there doing nothing, just waiting for the other workers processing bigger and heavier files to finish.
However, the new multithreaded mode now allows Psalm to dynamically distribute jobs to workers immediately, as soon as they finish processing their current task, reducing idle worker time and maximizing CPU usage, thus reducing the overall runtime!
Implementation wasn't as easy as just plugging in amphp/parallel, because Psalm relies heavily on the copy-on-write semantics of fork(): indeed, Psalm's multithreaded mode was quite fast even before the refactoring because it doesn't have to copy all type information to all workers when spawning them, as when workers are spawned using the fork() syscall, the entire memory is not copied to the forked process.
Instead, it is copied only when a memory page is modified by the forked process, which means that unless workers start modifying large amounts of type information (which usually happens pretty rarely, as most of that data is immutable after Psalm's scan phase), most of the memory is not copied, leading to large performance improvements.
amphp/parallel does not support using fork() to spawn workers out of the box, however I managed to add support using a custom context class (taking care to avoid some edge cases around reused file descriptors, which can cause issues with the event loop).
The maintainer of amphp was kind enough to begin integration of Psalm's fork context inside of parallel itself after I pinged him, which means amphp users will soon be able to make use of Psalm's fork context to improve worker spawning performance with copy-on-write fork() semantics.
This release also adds an additional check to ensure VM overcommitting (the feature which allows copy-on-write optimizations) is enabled in the OS when running Psalm, by ensuring that the vm.overcommit_memory kernel setting is always set to 1.
~~~
This post is the first of a series of technical deep dives into Psalm v6's performance improvements, which will be released over the next weeks, subscribe to @danog_blog to always stay up to date on the latest Psalm news and developments!
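A constructed scheduling simulation, added here as an illustration and not code from Psalm or amphp/parallel, that makes the argument of the post above concrete: the same set of per-file analysis costs is dispatched once at startup (round-robin, as in static distribution) and dynamically (a shared queue pulled by whichever worker is free first), and the resulting wall-clock makespan and idle worker time are compared. The file costs and worker count are made-up values.

```python
"""Static vs dynamic job dispatch: a scheduling simulation.

Constructed example, not Psalm's or amphp/parallel's code. Each job is
a file to analyse; its cost is the (made-up) time one worker needs.
"""
import heapq

# Constructed workload: mostly small files plus two heavy ones that a
# round-robin split happens to land on the same worker.
SAMPLE_COSTS = [1, 1, 1, 1, 9, 1, 1, 1, 9, 1, 1, 1]
WORKERS = 4


def static_dispatch(costs, workers):
    """Jobs are split between workers once, at startup (round-robin).

    Returns (makespan, total_idle): the wall-clock time until the last
    worker finishes, and the summed time the others spend waiting for it.
    """
    loads = [0] * workers
    for i, cost in enumerate(costs):
        loads[i % workers] += cost
    makespan = max(loads)
    idle = sum(makespan - load for load in loads)
    return makespan, idle


def dynamic_dispatch(costs, workers):
    """Jobs sit in a shared queue; whichever worker becomes free first
    takes the next one, so no worker idles while work remains.
    """
    finish = [0] * workers          # min-heap of each worker's finish time
    heapq.heapify(finish)
    for cost in costs:
        earliest = heapq.heappop(finish)
        heapq.heappush(finish, earliest + cost)
    makespan = max(finish)
    idle = sum(makespan - t for t in finish)
    return makespan, idle


def compare(costs=SAMPLE_COSTS, workers=WORKERS):
    """Return both strategies' (makespan, idle) for the same workload."""
    return {"static": static_dispatch(costs, workers),
            "dynamic": dynamic_dispatch(costs, workers)}


if __name__ == "__main__":
    for name, (makespan, idle) in compare().items():
        print(f"{name:8s} makespan={makespan:2d} idle_worker_time={idle}")
```

Dynamic dispatch cannot push the makespan below the cost of the single heaviest file, so a few very large files still bound the overall runtime.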
Small overview of the new psalm-review tool I added in Psalm 6.3: https://blog.daniil.it/2025/05/18/psalm-review-tool-in-psalm-6-3/
Forwarded from Daniil Gentili's blog
Psalm is one of the biggest and most powerful PHP Static analysis tools, featuring exclusive features like security analysis, and in Psalm 6.9, an official, hyperoptimized Docker image was introduced.
Psalm's docker image uses a custom build of PHP built from scratch with a custom deepbind patch and the jemalloc allocator, running Psalm +30% faster on average than normal PHP (+50% faster if comparing to PHP without opcache installed).
Recently, my deepbind patch was also merged into PHP and will be available to all users (even those not using the Docker image) in PHP 8.5!
To use it right now, on PHP 8.4, simply run:
docker run -v $PWD:/app --rm -it ghcr.io/danog/psalm:latest /composer/vendor/bin/psalm --no-cache
Issues due to missing extensions can be fixed by enabling them in psalm.xml and/or requiring them in composer.json, see here for more info.
Extensions not stubbed by Psalm itself (and thus not available as a psalm config option) may be stubbed using traditional PHP stubs.
Also posted on the blog: https://blog.daniil.it/2025/07/10/official-psalm-docker-image/
Do not use RTLD_DEEPBIND if dlmopen is available by danog Β· Pull Request #18612 Β· php/php-src
This pull request disables usage of RTLD_DEEPBIND if dlmopen is available.
Context:
Php8.1 with alternative malloc allocators #10670 - The issue this PR fixes, using RTLD_DEEPBIND with custom allo...
Forwarded from Daniil Gentili's blog
Also announcing the public beta of Psalm v7!
Psalm v7 brings huge performance improvements to security analysis, up to 10x thanks to a full refactoring of both the internal representation of taints, and optimization of the graph resolution logic.
A major new feature was also added: combined analysis!
Combined analysis, enabled by default in Psalm v7, allows running normal analysis, security analysis and dead code analysis all at the same time, within a single run, greatly reducing overall runtimes!
Future beta releases will also enable taint analysis by default, given that now it can be run alongside normal analysis.
Psalm v7 also brings performance improvements to dead code analysis, and fixes for list types.
Even more performance improvements and new features will be released soon!