Gabriele Santini, profile picture
Uploaded byGabriele Santini
PPTX, PDF803 views

Listen afup 2010

The document discusses various static analysis tools for PHP code including PHP_CodeSniffer, PHPDepend, PHPMD, phploc, phpcpd, vld, Bytekit, Padawan, and Phantm. It explains how each tool works at different levels like lexical analysis, syntactic analysis, and bytecode level. The document also presents tools for continuous integration and reporting of analysis results like phpUnderControl, Arbit, and plugins for Sonar to integrate static analysis of PHP code.

Embed presentation

Downloaded 26 times
LISTEN AND LOOK AT YOUR PHP CODE! Gabriele Santini Forum AFUP 2010
Gabriele Santini  Architect/Consultant at SQLI  Contributor to PHP_CodeSniffer  So expect a special focus on this…  Sonar PHP Plugin  I have to show you!  Ex-mathematician :  love business modelling  love architectures  love quality assurance
Static Analysis  All you can say about your program without actually execute the code  The rest is also interesting, let’s talk about it another time !  Examples ?  Syntax check, coding style, anti-patterns, metrics, OO design analysis, …  What PHP does before executing the code ?
Levels of analysis  Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens
Levels of analysis  Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens  Syntactic Analysis  Parse the tokens to find their logical structure
Levels of analysis  Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens  Syntactic Analysis  Parse the tokens to find their logical structure  Opcode (Bytecode) Generation  Generates an intermediary code that the Zend Engine will be able to execute
Lexical Analysis  Tokenizer 1 <?php T_OPEN_TAG 2 if T_IF 2 T_WHITESPACE ( 2 1 T_LNUMBER 2 T_WHITESPACE < 2 T_WHITESPACE 2 2 T_LNUMBER ) 2 T_WHITESPACE { 2 T_WHITESPACE 3 echo T_ECHO 3 T_WHITESPACE 3 "Hello" T_CONSTANT_ENCAPSED_STRING ; 3 T_WHITESPACE } 4 T_WHITESPACE 5 ?> T_CLOSE_TAG <?php if (1 < 2) { echo "Hello"; } ?>
Syntactic Analysis  Produces an AST  Abstract SyntaxTree  Decompose code in a tree-like form  Can be executed once a context is given  Used in compilers
Syntactic Analysis
Opcodes Generation  Mistery tool… line # * op return operands -------------------------------------------------- 2 0 > EXT_STMT 1 IS_SMALLER ~0 1, 2 2 > JMPZ ~0, ->6 3 3 > EXT_STMT 4 ECHO 'Hello' 4 5 > JMP ->6 6 6 > EXT_STMT 7 > RETURN 1 <?php if (1 < 2) { echo "Hello"; } ?>
GIVE US THE TOOLS !
PHP_CodeSniffer  By Greg Sherwood  PEAR library  Venerable project  Code Style  But also a lot more  Works at lexical analysis level  Heavily use the tokenizer extension
PHP_CodeSniffer  Hands on
PHP_CodeSniffer  Sniffs  Classes that detectViolations  One or more type per class  Grouped in folders by subject:  Commenting, Formatting,WhiteSpace  Files, ControlStructures, Strings  Functions, Classes, NamingConventions  CodeAnalysis, Metrics  You can create your own!
PHP_CodeSniffer  Standards  Sets of Sniffs that define your coding style  Installed :  PEAR,  Generic,  Zend*,  Squiz, MySource  PHPCS
PHP_CodeSniffer 1.3  Rulesets XML! <ruleset name="MyPEAR"> <description>A variation of the PEAR coding standard.</description> <!-- Include some additional sniffs from the Generic standard --> <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/> <message>Please review spacing in function ‘%s’</message> </rule> <rule ref="Generic.NamingConventions.UpperCaseConstantName"/> <!-- Lines can be 90 chars long, but never show errors --> <rule ref="Generic.Files.LineLength"> <properties> <property name="lineLimit" value="90"/> <property name="absoluteLineLimit" value="0"/> </properties> </rule> <!– Not so important for us --> <rule ref="Generic.PHP.DisallowShortOpenTag"> <severity>2</severity> </rule> </ruleset>
Inside PHP_CodeSniffer  Sniff class main methods  register()  Make the sniff a listener for the declared tokens  process($phpcsFile, $stackPtr)  Called by the file during parsing when a declared token is found  File  Represents a parsed file  Holds the tokens structure and offers convenience methods
Inside PHP_CodeSniffer  Life of a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?>
Inside PHP_CodeSniffer  Life of a Sniff  DisallowMultipleStatementsSniff public function register() { return array(T_SEMICOLON); } public function process($phpcsFile, $stackPtr) { […]
Inside PHP_CodeSniffer  Life of a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?>
Inside PHP_CodeSniffer  Life of a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?> $stackPtr
Inside PHP_CodeSniffer  Life of a Sniff  DisallowMultipleStatementsSniff public function register() { return array(T_SEMICOLON); } public function process($phpcsFile, $stackPtr) { $tokens = $phpcsFile->getTokens(); $previous = $phpcsFile->findPrevious(…); if ($previous === false) { return; } // Continue =>
Inside PHP_CodeSniffer  Life of a Sniff (2) // Ignore multiple statements in a FOR condition. // First some gym for nested parenthesis […] if ($tokens[$owner]['code'] === T_FOR) { return; } […] // If the previous semicolon is on the same line we add an error // to this file if ($tokens[$previous]['line'] === $tokens[$stackPtr]['line']) { $error = 'Each PHP statement must be on a line by itself'; $phpcsFile->addError($error, $stackPtr); return; } }//end process()
PHP_CodeSniffer  At SQLI we have some framework standards  Zend Framework  Based onThomasWeidner work  Symfony  In collaboration with Fabien Potencier  Waiting for a serious release after 1.3 release
PHP_CodeSniffer  At SQLI we have some framework standards  Zend Framework  Based onThomasWeidner work  Symfony  In collaboration with Fabien Potencier  Waiting for a serious release after 1.3 release  That’s nice, but…  Where are the standards for the other tools ?  I’ld expect a Drupal,Wordpress, Cake official standard
PHP_CodeSniffer  How far a standard can go in detection ?
PHP_CodeSniffer  How far a standard can go in detection ?  Interestingly far for generic PHP Code
PHP_CodeSniffer  How far a standard can go in detection ?  Interestingly far for generic PHP Code  Very far if you know your tool’s structure  Imagine for example forcing PHP alternative syntax in Symfony views…  Or checking for escaping in ZendViews !
PHP_Depend  By Manuel Pichler  Functional port of JDepend  OO design analysis  Metrics visualisation  Dependency analyzer  Works at the syntactic analysis level
PHP_Depend  How it works  PHP_Depend first makes an AST off your code  A « personal » one, made by PHP objects  ASTComment, ASTClosure, ASTEvalExpression, …  This is made by the Builder/Parser component  Using PHP Reflection
PHP_Depend  How it works (2)  Then PHP_Depend can answer questions by « visiting » the AST  Task of Metrics Analyzers, that extend AbstractVisitor  IOC, the visitor decides what to do according to AST Class : visitMethod, visitForStatement(), …  Analyzers can fire listeners during analyze() call  To get ongoing informations about the visit process
PHP_Depend  What it gives:  The Abstraction/Instability graph
PHP_Depend  What it gives:  The Abstraction/Instability graph
PHP_Depend  What it gives:  The Pyramid !!
PHPMD  By Manuel Pichler  Detects rules violations  Analog to PHP_Codesniffer  Works at syntactic analysis level  Actually on the same AST  Depends on PHP_Depend  Has rulesets !
PHPMD  What it gives:  Code Size Rules  complexities, lengths, too many, …  Design Rules  OO, exit, eval  Naming Rules  Too short/long identifiers, old constructors, …  Unused Code Rules  Methods, members, parameters
phploc  By Sebastian Bergmann  Simple tool to give basic metrics  Fast, direct to the goal  Works mostly on lexical level  But use bytekit for ELOC if it can
phpcpd  By Sebastian Bergmann  Simple tool to detect duplicated code  Works at lexical analysis level  Use the tokenizer to minimize differences  Comments, whitespaces, …  Takes a minimum number of lines and tokens  Encodes according to this  Uses an hash table to find duplicates
vld  Vulcan Logic Disassembler  By Derick Rethans  Works at bytecode level  Shows generated bytecodes  Calculates possible paths (CFG)  Find unreachable code  Could be used for code coverage path metrics
vld  Output
vld  Output
Bytekit  By Stefan Esser (SektionEins)  Works at … bytecode level  Similar to vld  Exposes opcodes to a PHP array  bytekit_disassemble_file($filename)  Can be used directly for a custom script
Bytekit  CFG visualisation
Bytekit-cli  By Sebastian Bergmann  PHP Interface to use bytekit to spot violation rules  Initial state  Implemented rules :  Check for disallowed opcodes (example eval, exit)  Check for direct output of variables  In svn, check for unescaped ZendView
Padawan  By Florian Anderiasch  Focus on anti-pattern detection  alpha (?)  Works on syntactic analysis level  Based on PHC (PHP compiler)  Use an XML dump of the AST PHC generates  Makes xpath searches on it
Padawan  Interesting approach  Rules are fairly simple to write  Already many interesting tests :  Empty constructs (if, else, try,..), unsafe typecasts, loop repeated calls, unused keys in foreach, …  PHC not easy to install  Risk on PHC manteinance
Phantm  By Etienne Kneuss  Highly experimental  Severe limitation on PHP dynamic features  False positives  Works on syntax analysis level  Based on Java tools (Jflex, CUP, Scala)  Reports violations  Non top-level declarations, call-time pass-by-ref, nontrivial include calls, assign in conditional, …  Exploring Type FlowAnalysis  Tries to infer types and check for type safety
Conclusion  Use the right tool for the right job  Coding style is better analysed at the lexical level  OO design is better viewed after syntactic analyses  Unreachable code after bytecoding  Contribute !  Plenty of things still to implement  Easy to have new ideas  At least use them (you should!) and give feedback
Restitution  Once all this is collected what to do with it ?  At least, show it in a suitable form  At best, integrate this in your CI system
phpUnderControl  By Manuel Pichler  CI for PHP  Based on CruiseControl  Integrates natively various tools :  PHPUnit (+XDebug for code coverage),  PHP_CodeSniffer  PHPDocumentor  PMD via PHPUnit (now PHPMD)
phpUnderControl  What it gives : metrics graphs
phpUnderControl  What it gives : report lists
phpUnderControl  What it gives : PHPCodeBrowser
Arbit  By Qafoo (with Manuel Pichler)  Basically a project multi-services tool  Ticketing system  Repository browser  Continuous integration  As Manuel is in it, some graphical presentations are unique for this tool  Still alpha
Arbit  What it gives : more metrics graphs
Arbit  What it gives : PHP_Depend overview
Arbit  What it gives : Annotated sources
Plugins Sonar for PHP  By me   Really by the Java guys at SQLI  Frédéric Leroy, Akram Ben Aissi, JérômeTama  Sonar is the state of the art for Open Source QA Reporting in Java  Thought for multilanguage  Can easely integrate all PHP reportings ported from Java tools  Junit => PHPUnit  JDepend => PHPDepend  Java PMD => PHPMD
Plugins Sonar for PHP  Ok, not always so easely  CheckStyle is not PHP_CodeSniffer  Formats are not identical  Multi-language doesn’t mean no work to add one  First release on May 2010  0.2 Alpha state, but workable  Easy to install : give it a try !  Last version demo : sonar-php.sqli.com  Ok, enough, here are the screenshots
Plugins Sonar for PHP  Dashboard
Plugins Sonar for PHP  Components : treemaps
Plugins Sonar for PHP  Time machine
Plugins Sonar for PHP  Hotspots
Plugins Sonar for PHP  Violations
Plugins Sonar for PHP  Editing Code Profile
Conclusion  Sonar really goes further  Best integrates with Hudson  Still is java…  But SonarSource really cooperates  How to interact with phpUnderControl, Arbit ?  (actually our solution – PIC PHP SQLI- is based on phpUC + Sonar)  This needs to evolve

More Related Content

PPT
Surprise! It's PHP :) (unabridged)
bySharon Levy
 
PPT
C Tutorials
bySudharsan S
 
PDF
Ida python intro
by小静 安
 
PPTX
Clean Code Principles
byYeurDreamin'
 
PPTX
Applying Compiler Techniques to Iterate At Blazing Speed
byPascal-Louis Perez
 
PDF
A few words about OpenSSL
byPVS-Studio
 
PDF
Ejemplo completo de integración JLex y CUP
byEgdares Futch H.
 
PDF
Machine learning in php php con poland
byDamien Seguy
 
Surprise! It's PHP :) (unabridged)
bySharon Levy
 
C Tutorials
bySudharsan S
 
Ida python intro
by小静 安
 
Clean Code Principles
byYeurDreamin'
 
Applying Compiler Techniques to Iterate At Blazing Speed
byPascal-Louis Perez
 
A few words about OpenSSL
byPVS-Studio
 
Ejemplo completo de integración JLex y CUP
byEgdares Futch H.
 
Machine learning in php php con poland
byDamien Seguy
 

What's hot

PDF
More about PHP
byJonathan Francis Roscoe
 
PPTX
CodeChecker summary 21062021
byOlivera Milenkovic
 
PDF
C++ idioms by example (Nov 2008)
byOlve Maudal
 
ODP
Clean code
byKnoldus Inc.
 
PDF
Wtf per lineofcode
byDavid Gómez García
 
ODP
PHP Tips for certification - OdW13
byjulien pauli
 
PDF
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
PPTX
Clean code
byifnu bima
 
PDF
Anti Debugging
byn|u - The Open Security Community
 
PDF
Insecure coding in C (and C++)
byOlve Maudal
 
PDF
PerlScripting
byAureliano Bombarely
 
PDF
RAII and ScopeGuard
byAndrey Dankevich
 
PDF
Anti-Debugging - A Developers View
byTyler Shields
 
PPT
Handling Exceptions In C &amp; C++[Part A]
byppd1961
 
PPTX
C#.net evolution part 2
byVahid Farahmandian
 
PDF
Testing untestable code - IPC12
byStephan Hochdörfer
 
PDF
Solid C++ by Example
byOlve Maudal
 
PPT
Handling Exceptions In C &amp; C++ [Part B] Ver 2
byppd1961
 
PDF
Compiler Construction | Lecture 3 | Syntactic Editor Services
byEelco Visser
 
PDF
Php 7 compliance workshop singapore
byDamien Seguy
 
More about PHP
byJonathan Francis Roscoe
 
CodeChecker summary 21062021
byOlivera Milenkovic
 
C++ idioms by example (Nov 2008)
byOlve Maudal
 
Clean code
byKnoldus Inc.
 
Wtf per lineofcode
byDavid Gómez García
 
PHP Tips for certification - OdW13
byjulien pauli
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
Clean code
byifnu bima
 
Anti Debugging
byn|u - The Open Security Community
 
Insecure coding in C (and C++)
byOlve Maudal
 
PerlScripting
byAureliano Bombarely
 
RAII and ScopeGuard
byAndrey Dankevich
 
Anti-Debugging - A Developers View
byTyler Shields
 
Handling Exceptions In C &amp; C++[Part A]
byppd1961
 
C#.net evolution part 2
byVahid Farahmandian
 
Testing untestable code - IPC12
byStephan Hochdörfer
 
Solid C++ by Example
byOlve Maudal
 
Handling Exceptions In C &amp; C++ [Part B] Ver 2
byppd1961
 
Compiler Construction | Lecture 3 | Syntactic Editor Services
byEelco Visser
 
Php 7 compliance workshop singapore
byDamien Seguy
 

Viewers also liked

PDF
Steer and/or sink the supertanker by Andrew Rendell
byValtech UK
 
PPT
CiklumJavaSat15112011:Alexey Trusov-Code quality management
byCiklum Ukraine
 
PPTX
Dev ecosystem v1.1
byAndrii Khaisin
 
PPT
Part5 - enforcing coding standard and best practices with jas forge v1.0
byJasmine Conseil
 
PPTX
Suivi de qualité PIC afup2010
byGabriele Santini
 
PPTX
Suivi qualité avec sonar pour php
byGabriele Santini
 
Steer and/or sink the supertanker by Andrew Rendell
byValtech UK
 
CiklumJavaSat15112011:Alexey Trusov-Code quality management
byCiklum Ukraine
 
Dev ecosystem v1.1
byAndrii Khaisin
 
Part5 - enforcing coding standard and best practices with jas forge v1.0
byJasmine Conseil
 
Suivi de qualité PIC afup2010
byGabriele Santini
 
Suivi qualité avec sonar pour php
byGabriele Santini
 

Similar to Listen afup 2010

PPTX
Listen and look at your PHP code
byGabriele Santini
 
PDF
PHP Internals and Virtual Machine
byjulien pauli
 
KEY
Php|tek '12 It's More Than Just Style
byLB Denker
 
PDF
Review unknown code with static analysis Zend con 2017
byDamien Seguy
 
PDF
Preparing code for Php 7 workshop
byDamien Seguy
 
PDF
Preparing for the next PHP version (5.6)
byDamien Seguy
 
PDF
Joomla Code Quality Control and Automation Testing
byShyam Sunder Verma
 
PDF
20 PHP Static Analysis and Documentation Generators #burningkeyboards
byDenis Ristic
 
PDF
PHP QA Tools
byrjsmelo
 
PDF
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
byRouven Weßling
 
PDF
Review unknown code with static analysis
byDamien Seguy
 
PDF
Dynamic PHP web-application analysis
byax330d
 
PPTX
Code analysis tools (for PHP)
byKarlen Kishmiryan
 
PDF
Dutch PHP Conference 2013: Distilled
byZumba Fitness - Technology Team
 
PDF
Code review workshop
byDamien Seguy
 
PDF
Php engine
byjulien pauli
 
PDF
PHP Static Code Review
byDamien Seguy
 
PPTX
Php Extensions for Dummies
byElizabeth Smith
 
ODP
PHP Code Quality
byUsman Zafar
 
PDF
Continuous Quality Assurance
byMichelangelo van Dam
 
Listen and look at your PHP code
byGabriele Santini
 
PHP Internals and Virtual Machine
byjulien pauli
 
Php|tek '12 It's More Than Just Style
byLB Denker
 
Review unknown code with static analysis Zend con 2017
byDamien Seguy
 
Preparing code for Php 7 workshop
byDamien Seguy
 
Preparing for the next PHP version (5.6)
byDamien Seguy
 
Joomla Code Quality Control and Automation Testing
byShyam Sunder Verma
 
20 PHP Static Analysis and Documentation Generators #burningkeyboards
byDenis Ristic
 
PHP QA Tools
byrjsmelo
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
byRouven Weßling
 
Review unknown code with static analysis
byDamien Seguy
 
Dynamic PHP web-application analysis
byax330d
 
Code analysis tools (for PHP)
byKarlen Kishmiryan
 
Dutch PHP Conference 2013: Distilled
byZumba Fitness - Technology Team
 
Code review workshop
byDamien Seguy
 
Php engine
byjulien pauli
 
PHP Static Code Review
byDamien Seguy
 
Php Extensions for Dummies
byElizabeth Smith
 
PHP Code Quality
byUsman Zafar
 
Continuous Quality Assurance
byMichelangelo van Dam
 

Recently uploaded

PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
How to Evaluate a High Performance Database
byScyllaDB
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 

Listen afup 2010

  • 1.
    LISTEN AND LOOK ATYOUR PHP CODE! Gabriele Santini Forum AFUP 2010
  • 2.
    Gabriele Santini  Architect/Consultantat SQLI  Contributor to PHP_CodeSniffer  So expect a special focus on this…  Sonar PHP Plugin  I have to show you!  Ex-mathematician :  love business modelling  love architectures  love quality assurance
  • 3.
    Static Analysis  Allyou can say about your program without actually execute the code  The rest is also interesting, let’s talk about it another time !  Examples ?  Syntax check, coding style, anti-patterns, metrics, OO design analysis, …  What PHP does before executing the code ?
  • 4.
    Levels of analysis Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens
  • 5.
    Levels of analysis Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens  Syntactic Analysis  Parse the tokens to find their logical structure
  • 6.
    Levels of analysis Lexical analysis  Read sources linearly searching for known patterns  Convert them to a sequence of tokens  Syntactic Analysis  Parse the tokens to find their logical structure  Opcode (Bytecode) Generation  Generates an intermediary code that the Zend Engine will be able to execute
  • 7.
    Lexical Analysis  Tokenizer1 <?php T_OPEN_TAG 2 if T_IF 2 T_WHITESPACE ( 2 1 T_LNUMBER 2 T_WHITESPACE < 2 T_WHITESPACE 2 2 T_LNUMBER ) 2 T_WHITESPACE { 2 T_WHITESPACE 3 echo T_ECHO 3 T_WHITESPACE 3 "Hello" T_CONSTANT_ENCAPSED_STRING ; 3 T_WHITESPACE } 4 T_WHITESPACE 5 ?> T_CLOSE_TAG <?php if (1 < 2) { echo "Hello"; } ?>
  • 8.
    Syntactic Analysis  Producesan AST  Abstract SyntaxTree  Decompose code in a tree-like form  Can be executed once a context is given  Used in compilers
  • 9.
  • 10.
    Opcodes Generation  Misterytool… line # * op return operands -------------------------------------------------- 2 0 > EXT_STMT 1 IS_SMALLER ~0 1, 2 2 > JMPZ ~0, ->6 3 3 > EXT_STMT 4 ECHO 'Hello' 4 5 > JMP ->6 6 6 > EXT_STMT 7 > RETURN 1 <?php if (1 < 2) { echo "Hello"; } ?>
  • 11.
    GIVE US THETOOLS !
  • 12.
    PHP_CodeSniffer  By GregSherwood  PEAR library  Venerable project  Code Style  But also a lot more  Works at lexical analysis level  Heavily use the tokenizer extension
  • 13.
  • 14.
    PHP_CodeSniffer  Sniffs  Classesthat detectViolations  One or more type per class  Grouped in folders by subject:  Commenting, Formatting,WhiteSpace  Files, ControlStructures, Strings  Functions, Classes, NamingConventions  CodeAnalysis, Metrics  You can create your own!
  • 15.
    PHP_CodeSniffer  Standards  Setsof Sniffs that define your coding style  Installed :  PEAR,  Generic,  Zend*,  Squiz, MySource  PHPCS
  • 16.
    PHP_CodeSniffer 1.3  RulesetsXML! <ruleset name="MyPEAR"> <description>A variation of the PEAR coding standard.</description> <!-- Include some additional sniffs from the Generic standard --> <rule ref="Generic.Functions.FunctionCallArgumentSpacing"/> <message>Please review spacing in function ‘%s’</message> </rule> <rule ref="Generic.NamingConventions.UpperCaseConstantName"/> <!-- Lines can be 90 chars long, but never show errors --> <rule ref="Generic.Files.LineLength"> <properties> <property name="lineLimit" value="90"/> <property name="absoluteLineLimit" value="0"/> </properties> </rule> <!– Not so important for us --> <rule ref="Generic.PHP.DisallowShortOpenTag"> <severity>2</severity> </rule> </ruleset>
  • 17.
    Inside PHP_CodeSniffer  Sniffclass main methods  register()  Make the sniff a listener for the declared tokens  process($phpcsFile, $stackPtr)  Called by the file during parsing when a declared token is found  File  Represents a parsed file  Holds the tokens structure and offers convenience methods
  • 18.
    Inside PHP_CodeSniffer  Lifeof a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?>
  • 19.
    Inside PHP_CodeSniffer  Lifeof a Sniff  DisallowMultipleStatementsSniff public function register() { return array(T_SEMICOLON); } public function process($phpcsFile, $stackPtr) { […]
  • 20.
    Inside PHP_CodeSniffer  Lifeof a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?>
  • 21.
    Inside PHP_CodeSniffer  Lifeof a Sniff  DisallowMultipleStatementsSniff <?php echo $y; $x = 10; echo $y; for ($i = 1; $i < $length; $i++) { echo 'x'; } echo $x; $y = 2;; $this->wizardid = 10; $this->paint(); echo 'x'; ?> $stackPtr
  • 22.
    Inside PHP_CodeSniffer  Lifeof a Sniff  DisallowMultipleStatementsSniff public function register() { return array(T_SEMICOLON); } public function process($phpcsFile, $stackPtr) { $tokens = $phpcsFile->getTokens(); $previous = $phpcsFile->findPrevious(…); if ($previous === false) { return; } // Continue =>
  • 23.
    Inside PHP_CodeSniffer  Lifeof a Sniff (2) // Ignore multiple statements in a FOR condition. // First some gym for nested parenthesis […] if ($tokens[$owner]['code'] === T_FOR) { return; } […] // If the previous semicolon is on the same line we add an error // to this file if ($tokens[$previous]['line'] === $tokens[$stackPtr]['line']) { $error = 'Each PHP statement must be on a line by itself'; $phpcsFile->addError($error, $stackPtr); return; } }//end process()
  • 24.
    PHP_CodeSniffer  At SQLIwe have some framework standards  Zend Framework  Based onThomasWeidner work  Symfony  In collaboration with Fabien Potencier  Waiting for a serious release after 1.3 release
  • 25.
    PHP_CodeSniffer  At SQLIwe have some framework standards  Zend Framework  Based onThomasWeidner work  Symfony  In collaboration with Fabien Potencier  Waiting for a serious release after 1.3 release  That’s nice, but…  Where are the standards for the other tools ?  I’ld expect a Drupal,Wordpress, Cake official standard
  • 26.
    PHP_CodeSniffer  How fara standard can go in detection ?
  • 27.
    PHP_CodeSniffer  How fara standard can go in detection ?  Interestingly far for generic PHP Code
  • 28.
    PHP_CodeSniffer  How fara standard can go in detection ?  Interestingly far for generic PHP Code  Very far if you know your tool’s structure  Imagine for example forcing PHP alternative syntax in Symfony views…  Or checking for escaping in ZendViews !
  • 29.
    PHP_Depend  By ManuelPichler  Functional port of JDepend  OO design analysis  Metrics visualisation  Dependency analyzer  Works at the syntactic analysis level
  • 30.
    PHP_Depend  How itworks  PHP_Depend first makes an AST off your code  A « personal » one, made by PHP objects  ASTComment, ASTClosure, ASTEvalExpression, …  This is made by the Builder/Parser component  Using PHP Reflection
  • 31.
    PHP_Depend  How itworks (2)  Then PHP_Depend can answer questions by « visiting » the AST  Task of Metrics Analyzers, that extend AbstractVisitor  IOC, the visitor decides what to do according to AST Class : visitMethod, visitForStatement(), …  Analyzers can fire listeners during analyze() call  To get ongoing informations about the visit process
  • 32.
    PHP_Depend  What itgives:  The Abstraction/Instability graph
  • 33.
    PHP_Depend  What itgives:  The Abstraction/Instability graph
  • 34.
    PHP_Depend  What itgives:  The Pyramid !!
  • 35.
    PHPMD  By ManuelPichler  Detects rules violations  Analog to PHP_Codesniffer  Works at syntactic analysis level  Actually on the same AST  Depends on PHP_Depend  Has rulesets !
  • 36.
    PHPMD  What itgives:  Code Size Rules  complexities, lengths, too many, …  Design Rules  OO, exit, eval  Naming Rules  Too short/long identifiers, old constructors, …  Unused Code Rules  Methods, members, parameters
  • 37.
    phploc  By SebastianBergmann  Simple tool to give basic metrics  Fast, direct to the goal  Works mostly on lexical level  But use bytekit for ELOC if it can
  • 38.
    phpcpd  By SebastianBergmann  Simple tool to detect duplicated code  Works at lexical analysis level  Use the tokenizer to minimize differences  Comments, whitespaces, …  Takes a minimum number of lines and tokens  Encodes according to this  Uses an hash table to find duplicates
  • 39.
    vld  Vulcan LogicDisassembler  By Derick Rethans  Works at bytecode level  Shows generated bytecodes  Calculates possible paths (CFG)  Find unreachable code  Could be used for code coverage path metrics
  • 40.
  • 41.
  • 42.
    Bytekit  By StefanEsser (SektionEins)  Works at … bytecode level  Similar to vld  Exposes opcodes to a PHP array  bytekit_disassemble_file($filename)  Can be used directly for a custom script
  • 43.
  • 44.
    Bytekit-cli  By SebastianBergmann  PHP Interface to use bytekit to spot violation rules  Initial state  Implemented rules :  Check for disallowed opcodes (example eval, exit)  Check for direct output of variables  In svn, check for unescaped ZendView
  • 45.
    Padawan  By FlorianAnderiasch  Focus on anti-pattern detection  alpha (?)  Works on syntactic analysis level  Based on PHC (PHP compiler)  Use an XML dump of the AST PHC generates  Makes xpath searches on it
  • 46.
    Padawan  Interesting approach Rules are fairly simple to write  Already many interesting tests :  Empty constructs (if, else, try,..), unsafe typecasts, loop repeated calls, unused keys in foreach, …  PHC not easy to install  Risk on PHC manteinance
  • 47.
    Phantm  By EtienneKneuss  Highly experimental  Severe limitation on PHP dynamic features  False positives  Works on syntax analysis level  Based on Java tools (Jflex, CUP, Scala)  Reports violations  Non top-level declarations, call-time pass-by-ref, nontrivial include calls, assign in conditional, …  Exploring Type FlowAnalysis  Tries to infer types and check for type safety
  • 48.
    Conclusion  Use theright tool for the right job  Coding style is better analysed at the lexical level  OO design is better viewed after syntactic analyses  Unreachable code after bytecoding  Contribute !  Plenty of things still to implement  Easy to have new ideas  At least use them (you should!) and give feedback
  • 49.
    Restitution  Once allthis is collected what to do with it ?  At least, show it in a suitable form  At best, integrate this in your CI system
  • 50.
    phpUnderControl  By ManuelPichler  CI for PHP  Based on CruiseControl  Integrates natively various tools :  PHPUnit (+XDebug for code coverage),  PHP_CodeSniffer  PHPDocumentor  PMD via PHPUnit (now PHPMD)
  • 51.
    phpUnderControl  What itgives : metrics graphs
  • 52.
    phpUnderControl  What itgives : report lists
  • 53.
    phpUnderControl  What itgives : PHPCodeBrowser
  • 54.
    Arbit  By Qafoo(with Manuel Pichler)  Basically a project multi-services tool  Ticketing system  Repository browser  Continuous integration  As Manuel is in it, some graphical presentations are unique for this tool  Still alpha
  • 55.
    Arbit  What itgives : more metrics graphs
  • 56.
    Arbit  What itgives : PHP_Depend overview
  • 57.
    Arbit  What itgives : Annotated sources
  • 58.
    Plugins Sonar forPHP  By me   Really by the Java guys at SQLI  Frédéric Leroy, Akram Ben Aissi, JérômeTama  Sonar is the state of the art for Open Source QA Reporting in Java  Thought for multilanguage  Can easely integrate all PHP reportings ported from Java tools  Junit => PHPUnit  JDepend => PHPDepend  Java PMD => PHPMD
  • 59.
    Plugins Sonar forPHP  Ok, not always so easely  CheckStyle is not PHP_CodeSniffer  Formats are not identical  Multi-language doesn’t mean no work to add one  First release on May 2010  0.2 Alpha state, but workable  Easy to install : give it a try !  Last version demo : sonar-php.sqli.com  Ok, enough, here are the screenshots
  • 60.
    Plugins Sonar forPHP  Dashboard
  • 61.
    Plugins Sonar forPHP  Components : treemaps
  • 62.
    Plugins Sonar forPHP  Time machine
  • 63.
    Plugins Sonar forPHP  Hotspots
  • 64.
    Plugins Sonar forPHP  Violations
  • 65.
    Plugins Sonar forPHP  Editing Code Profile
  • 66.
    Conclusion  Sonar reallygoes further  Best integrates with Hudson  Still is java…  But SonarSource really cooperates  How to interact with phpUnderControl, Arbit ?  (actually our solution – PIC PHP SQLI- is based on phpUC + Sonar)  This needs to evolve