1. Listen and lookatyour PHP CODE! Gabriele Santini9/10/2010
2. Gabriele Santini Architect/Consultant at SQLI Contributor to PHP_CodeSniffer So expect a special focus on this… Sonar PHP Plugin I have to show you! Ex-mathematician : love business modelling love architectures love quality assurance … not an « OS geek »
3. StaticAnalysis All youcansay about your program withoutactuallyexecute the code The restisalsointeresting, let’s talk about itanother time ! Examples ? Syntax check, coding style, anti-patterns, metrics, OO design analysis, … What must bedonebeforeexecuting the code ?
4. Levels of analysis Lexical analysis Read sources linearlysearching for known patterns Convertthem to a sequence of tokens
5. Levels of analysis Lexical analysis Read sources linearlysearching for known patterns Convertthem to a sequence of tokens SyntacticAnalysis Parse the tokens to findtheirlogical structure
6. Levels of analysis Lexical analysis Read sources linearlysearching for known patterns Convertthem to a sequence of tokens SyntacticAnalysis Parse the tokens to findtheirlogical structure Opcode (Bytecode) Generation Generates an intermediary code that the Zend Enginewillbe able to execute
8. SyntacticAnalysis Useful to beseen as an AST Abstract SyntaxTree Decompose code in a tree-likeform Can beexecuted once a contextisgiven Used in compilers
12. PHP_CodeSniffer By Greg Sherwood PEAR library Venerableproject Code Style But also a lot more Works at lexical analysislevel Heavily use the tokenizer extension
16. Inside PHP_CodeSniffer Sniff class main methods register() Make the sniff a listener for the declaredtokens process($phpcsFile, $stackPtr) Called by the file duringparsingwhen a declaredtokenisfound File Represents a parsed file Holds the tokens structure and offersconveniencemethods
23. PHP_CodeSniffer At SQLI we have some framework standards Zend Framework Based on Thomas Weidnerwork Symfony In collaboration with Fabien Potencier Waiting for a serious release after 1.3 release
24. PHP_CodeSniffer At SQLI we have some framework standards Zend Framework Based on Thomas Weidnerwork Symfony In collaboration with Fabien Potencier Waiting for a serious release after 1.3 release That’snice, but… Where are the standards for the othertools ? I’ldexpect a Drupal, Wordpress, Cake official standard
26. PHP_CodeSniffer How far a standard can go in detection ? Interestingly far for generic PHP Code
27. PHP_CodeSniffer How far a standard can go in detection ? Interestingly far for generic PHP Code Very far if you know yourtool’s structure Imagine for example forcing PHP alternative syntax in Symfonyviews… Or checking for escaping in Zend Views !
28. PHP_Depend By Manuel Pichler Functional port of JDepend OO design analysis Metrics visualisation Dependencyanalyzer Works at the syntacticanalysislevel
29. PHP_Depend How itworks PHP_Depend first makes an AST off your code A « personal » one, made by PHP objects ASTComment, ASTClosure, ASTEvalExpression, … This is made by the Builder/Parser component Using PHP Reflection
30. PHP_Depend How itworks (2) ThenPHP_Dependcananswer questions by « visiting » the AST This is the task for example of MetricsAnalyzers, thatextendAbstractVisitor IOC, the visitordecideswhat to do according to AST Class : visitMethod, visitForStatement(), … Analyzer canfirelistenersduringanalyze() call To getongoing informations about the visitprocess
34. PHPMD By Manuel Pichler Detectsrules violations Analog to PHP_Codesniffer Works atsyntaxanalysislevel Actually on the same AST Depends on PHP_Depend Has rulesets !
36. phploc By SebastianBergmann Simple tool to give basic metrics Fast, direct to the goal Works mostly on lexical level But use bytekit for ELOC if itcan
37. phpcpd By SebastianBergmann Simple tool to detectduplicated code Works on syntaxanalysislevel Use the tokenizer to minimizedifferences Comments, whitespaces, … Takes a minimum number of lines and tokens Encodes according to this Uses an hash table to find duplicates
38. vld Vulcan LogicDisassembler By Derick Rethans Works atbytecodelevel Shows generatedbytecodes Calculates possible paths (CFG) Findunreachable code Couldbeused for code coveragepathmetrics
41. Bytekit By Stefan Esser (SektionEins) Works at … bytecodelevel Similar to vld Exposes opcodes to a PHP array bytekit_disassemble_file($filename) Can beuseddirectly for a custom script
43. Bytekit-cli By SebastianBergmann PHP Interface to use bytekit to spot violation rules Initial state Implementedrules : Check for disallowedopcodes (exampleeval, exit) Check for direct output of variables In svn, check for unescapedZendView
44. Padawan By Florian Anderiasch Focus on anti-pattern detection alpha (?) Works on syntaxanalysislevel Based on PHC (PHP compiler) Use an XML dump of the AST PHC generates Makesxpathsearches on it
45. Padawan Interestingapproach Rules are fairly simple to write Alreadymanyinteresting tests : Emptyconstructs (if, else, try,..), unsafetypecasts, looprepeated calls, unusedkeys in foreach, … PHC not easy to install Risk on PHC manteinance
46. Phantm By Etienne Kneuss Highlyexperimental Severe limitation on PHP dynamicfeatures False positives Works on syntaxanalysislevel Based on Java tools (Jflex, CUP, Scala) Reports violations Non top-leveldeclarations, call-time pass-by-ref, nontrivialinclude calls, assign in conditional, … Exploring Type Flow Analysis Tries to infer types and check for type safety
47. Conclusion Use the right tool for the right job Coding style isbetteranalysedat the lexical level OO design isbetterviewedaftersyntactic analyses Unreachable code afterbytecoding Contribute ! Plenty of thingsstill to implement Easy to have new ideas At least use them (youshould!) and give feedback
48. Restitution Once all thisiscollectedwhat to do withit ? At least, show it in a suitableform At best, integratethis in your CI system
49. phpUnderControl By Manuel Pichler CI for PHP Based on CruiseControl Integratesnativelyvarioustools : PHPUnit (+XDebug for code coverage), PHP_CodeSniffer PHPDocumentor PMD via PHPUnit (now PHPMD)
53. Arbit By Qafoo (with Manuel Pichler) Basically a projectmulti-servicestool Ticketing system Repository browser Continuousintegration As Manuel is in it, somegraphicalpresentations are unique for thistool Still alpha
57. Plugins Sonar for PHP By me Really by the Java guysat SQLI Frédéric Leroy, Akram Ben Aissi, Jérôme Tama Sonar is the state of the art for Open Source QA Reporting in Java Thought for multilanguage Can easelyintegrate all PHP reportingsportedfrom Java tools Junit => PHPUnit JDepend => PHPDepend Java PMD => PHPMD
58. Plugins Sonar for PHP Ok, not alwayssoeasely CheckStyleis not PHP_CodeSniffer Formats are not identical Multi-languagedoesn’tmean no work to add one First release on May 2010 0.2 Alpha state, but workable Easy to install : giveit a try ! Last version demo : sonar-php.sqli.com Ok, enough, here are the screenshots
65. Conclusion Sonar reallygoesfurther Best integrateswithHudson Stillis java… But SonarSourcereallywants to cooperate How to interactwithphpUnderControl, Arbit ? (actuallyour solution – PIC PHP SQLI- isbased on phpUC + Sonar) This needs to evolve