Fix phpstan/phpstan#6799: Invalidate variables passed by reference in array arguments

VincentLanglet · phpstan-bot · commit 6f4fcd14a055 · 2026-03-23T14:39:41.000Z
- Variables referenced via &amp; in array literals passed as function arguments
  (e.g. call_user_func_array($cb, [&amp;$var, ...])) are now invalidated after
  the function call, since the callee can modify them through the reference
- Added invalidateByRefVariablesInArrayArg() to NodeScopeResolver::processArgs()
- New regression test in tests/PHPStan/Analyser/nsrt/bug-6799.php
diff --git a/src/Analyser/NodeScopeResolver.php b/src/Analyser/NodeScopeResolver.php
@@ -3535,10 +3535,41 @@ public function processArgs(
 			}
 		}
 
+		// Invalidate variables passed by reference inside array arguments
+		// e.g. call_user_func_array($callback, [&$var, ...]) - $var might be modified
+		foreach ($args as $arg) {
+			$scope = $this->invalidateByRefVariablesInArrayArg($scope, $arg->value);
+		}
+
 		// not storing this, it's scope after processing all args
 		return new ExpressionResult($scope, $hasYield, $isAlwaysTerminating, $throwPoints, $impurePoints);
 	}
 
+	private function invalidateByRefVariablesInArrayArg(MutatingScope $scope, Expr $expr): MutatingScope
+	{
+		if (!$expr instanceof Array_) {
+			return $scope;
+		}
+
+		foreach ($expr->items as $arrayItem) {
+			if ($arrayItem->value instanceof Array_) {
+				$scope = $this->invalidateByRefVariablesInArrayArg($scope, $arrayItem->value);
+			}
+
+			if (!$arrayItem->byRef) {
+				continue;
+			}
+
+			if (!$arrayItem->value instanceof Variable || !is_string($arrayItem->value->name)) {
+				continue;
+			}
+
+			$scope = $scope->assignVariable($arrayItem->value->name, new MixedType(), new MixedType(), TrinaryLogic::createYes());
+		}
+
+		return $scope;
+	}
+
 	/**
 	 * @param MethodReflection|FunctionReflection|null $calleeReflection
 	 */
diff --git a/tests/PHPStan/Analyser/nsrt/bug-6799.php b/tests/PHPStan/Analyser/nsrt/bug-6799.php
@@ -0,0 +1,48 @@
+<?php declare(strict_types = 1);
+
+namespace Bug6799;
+
+use function PHPStan\Testing\assertType;
+
+class HelloWorld
+{
+	/**
+	 * @param string[] $where
+	 * @param mixed[] $filter
+	 */
+	protected function addFilter(array &$where, array $filter, string $value): void
+	{
+		if ($value != "" && !empty($filter) && !empty($filter['sql']) && is_string($filter['sql'])) {
+			$where[] = (string)$filter['sql'] . " = '" . $value . "'";
+		}
+	}
+
+	/**
+	 * @param string[] $filterValues
+	 * @param mixed[] $filters
+	 */
+	protected function test(array $filterValues, array $filters): void
+	{
+		if (!empty($filterValues) && !empty($filters)) {
+			$whereFilter = array();
+			foreach ($filterValues as $type => $value) {
+				call_user_func_array(array($this, 'addFilter'), array(&$whereFilter, $filters[$type], $value));
+			}
+			assertType('mixed', $whereFilter);
+		}
+	}
+}
+
+function testSimple(): void
+{
+	$arr = [];
+	some_function(1, [&$arr, 'foo']);
+	assertType('mixed', $arr);
+}
+
+/**
+ * @param mixed $x
+ */
+function some_function(int $a, $x): void
+{
+}
