Use static analysis to detect new update functions, to reduce false positives in StagedDBUpdateValidator

Created on 10 December 2021, about 3 years ago
Updated 26 June 2023, over 1 year ago

Problem/Motivation

In #3252126: Do not apply updates during cron if there are DB updates in the staging area β†’ , we introduced detection of new or changed update functions in staged modules. Currently, we just use simple hashing of the .install and .post_update.php functions to check for changes, but this can produce incorrect results if comments, whitespace, or runtime code like hook_requirements changes in those files. We figured that's good enough for MVP, but it might be nice to introduce something smarter.

We should solve this for stable in Drupal core.

Proposed resolution

Use low-level built-in PHP parsing (token_get_all()) to detect new update functions in the .install and .post_update.php files.

This will NOT detect removed or changed update functions. That's on purpose. Changed update functions are irrelevant -- updates are only ever run once, so they're not really something you ever change. And removed update functions are also not relevant to our purposes -- they are gone, so they don't affect anything. We only really need to detect new updates.

πŸ“Œ Task
Status

Fixed

Version

3.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Usability

    Makes Drupal easier to use. Preferred over UX, D7UX, etc.

  • needs profiling

    It may affect performance, and thus requires in-depth technical reviews and profiling.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024