SlideShare a Scribd company logo

Static and Dynamic Analysis at Ning

ZendCon
ZendCon

"Ning's ""Your Own Social Network"" application is 160,000 lines of PHP that powers hundreds of thousands of social networks, each different than the others. This talk discusses the static and dynamic analysis techniques that we use at Ning to understand and optimize our platform, including the PHP tokenizer, regular expressions, the vld and xdebug extensions, and the PHP DTrace provider. "

Technology
1 of 28
Download to read offline
Static and Dynamic Analysis at . David Sklar - david@ning.com ZendCon 2008
What? • Static analysis: what can you learn from looking at the source code? • Dynamic analysis: what can you learn from looking at the running code? • Both: understand what your application is doing and can do
Why? • Ning’s “Your Own Social Network” application is ~206kloc and growing • Developers on 4 continents • Enforce code standards, check deprecated usage, monitor performance, evaluate API change impact
Static #1: Text Munching • Regexes or pattern matching to look for good/bad things in code • Works nicely in unit tests
Static #2: Tokenizer • More PHP-aware version of text munching • Also useful in unit tests or standalone code analysis projects
Tokenizer Example • Where does the code write to the filesystem? • Step 1: Find function calls (with tokenizer) • Step 2: Find which ones do writes (with human)
AST Detour • http://pecl.php.net/parse_tree • http://trac2.assembla.com/php-ast • http://www.phpcompiler.org/
Static #3: Opcode Dump • PHP has its own virtual machine • vld extension shows you the opcodes that your PHP code is turned in to • http://www.derickrethans.nl/vld.php • In general fewer opcodes → better performance
Opcode Dump Example • What’s the difference between: isset($fruit['peaches']) and array_key_exists('peaches', $fruit) ?
Dynamic #1: Profiling • Xdebug provides bountiful profiling information • http://www.xdebug.org/
Xdebug Configuration • Enable xdebug • Turn on profiling (or trigger) • Set output directory and filename pattern zend_extension=/full/path/to/xdebug.so xdebug.profiler_enable=0 xdebug.profiler_enable_trigger=1 xdebug.profiler_output_dir=/tmp xdebug.profiler_output_name=prof.%H.%R.%u.out
Files can be large… % ls -l -rw-r--r-- 1 daemon daemon 4746558 May 7 17:52 prof.localhost._index_php_profiles_friend_list_XDEBUG_PR OFILE=1.1210182719_781004.out % wc –l p* 338909 prof.localhost._index_php_profiles_friend_list_XDEBUG_PR OFILE=1.1210182719_781004.out
View with Kcachegrind…
Viewing Tools • Kcachegrind: Linux, OS X, Windows, Cygwin (http://kcachegrind.sourceforge.net/) • WinCacheGrind: Windows (http://sourceforge.net/projects/wincachegrind/) • Webgrind: All (http://code.google.com/p/webgrind/) • ct_annotate: All (@see valgrind)
Dynamic #2: Function Traces • Xdebug again! • Each function entry/exit recorded
Easy to parse/analyze • One line on entering a stack frame, one on leaving. Fields are tab-delimited: Line Field Type 1 2 3 4 5 6 7 8 9 10 0= internal, Included Entry 0 = Entry Function file line 1 = user- file defined Frame Frame Time Memory Level Number Exit 1 = Exit
Function Trace Example • Stack traces wherever a file is included
Dynamic #3: strace/truss • Strace on linux, truss on solaris • (ktrace on os x)
strace example • Parsing entire strace output to get syscall census • Files can (familiar refrain) be large
truss example • Use fancy truss options (library names, function name prefixes) to find when certain PHP functions are invoked.
ltrace • ltrace on linux is a “library call tracer” • Performance overhead significant, hasn’t been as useful
Dynamic #4: DTrace • DTrace’s capabilities are Mighty and Numerous • No special setup (other than installing DTrace + provider) • No* production performance impact • PHP Provider: http://pecl.php.net/dtrace • Solaris, Leopard
DTrace Example #1 • Flow between PHP functions and system functions
DTrace Example #2 • What’s everything* that happens when PHP does something simple? • (*everything = PHP scripts, PHP internals, libc, syscalls, kernel)
systemtap • systemtap is a Linux tool that allows for user-written in-kernel profiling scripts similar to DTrace
Summary • Static: Pattern matching, tokenizer, opcode analysis • Dynamic: Profiling, function traces, strace, truss, dtrace • Slides, etc.: http://www.sklar.com/blog/
Come Work at ! • Build the software that powers > 460,000 social networks • PHP, REST, JSON, XML, APIs, C, Ruby, Python, Apache, and friends • Work in Palo Alto, CA (or not) • Visit us in the Exhibit Hall • http://jobs.ning.com – david@ning.com

Recommended

NLP Project Full Circle
NLP Project Full CircleNLP Project Full Circle
NLP Project Full CircleVsevolod Dyomkin
 
Dynamic PHP web-application analysis
Dynamic PHP web-application analysisDynamic PHP web-application analysis
Dynamic PHP web-application analysisax330d
 
Lisp in a Startup: the Good, the Bad, and the Ugly
Lisp in a Startup: the Good, the Bad, and the UglyLisp in a Startup: the Good, the Bad, and the Ugly
Lisp in a Startup: the Good, the Bad, and the UglyVsevolod Dyomkin
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPSorina Chirilă
 
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Shanmuga KS
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 

Recommended

NLP Project Full Circle
NLP Project Full CircleNLP Project Full Circle
NLP Project Full CircleVsevolod Dyomkin
 
Dynamic PHP web-application analysis
Dynamic PHP web-application analysisDynamic PHP web-application analysis
Dynamic PHP web-application analysisax330d
 
Lisp in a Startup: the Good, the Bad, and the Ugly
Lisp in a Startup: the Good, the Bad, and the UglyLisp in a Startup: the Good, the Bad, and the Ugly
Lisp in a Startup: the Good, the Bad, and the UglyVsevolod Dyomkin
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
RIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPRIPS - static code analyzer for vulnerabilities in PHP
RIPS - static code analyzer for vulnerabilities in PHPSorina Chirilă
 
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Shanmuga KS
 
Preparing code for Php 7 workshop
Preparing code for Php 7 workshopPreparing code for Php 7 workshop
Preparing code for Php 7 workshopDamien Seguy
 
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLintLeander Hasty
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Code samples that actually compile - Clare Macrae
Code samples that actually compile - Clare MacraeCode samples that actually compile - Clare Macrae
Code samples that actually compile - Clare MacraeClare Macrae
 
C 檔案輸入與輸出
C 檔案輸入與輸出C 檔案輸入與輸出
C 檔案輸入與輸出PingLun Liao
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingPositive Hack Days
 
PHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyPHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyDamien Seguy
 
A Tour of Go - Workshop
A Tour of Go - WorkshopA Tour of Go - Workshop
A Tour of Go - WorkshopRodolfo Carvalho
 
Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...RootedCON
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
Vocabulary Types in C++17
Vocabulary Types in C++17Vocabulary Types in C++17
Vocabulary Types in C++17Bartlomiej Filipek
 
PHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated FeaturesPHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated FeaturesMark Niebergall
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundRodolfo Carvalho
 
Perl Intro 8 File Handles
Perl Intro 8 File HandlesPerl Intro 8 File Handles
Perl Intro 8 File HandlesShaun Griffith
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Vim and Python
Vim and PythonVim and Python
Vim and Pythonmajmcdonald
 
The Go features I can't live without
The Go features I can't live withoutThe Go features I can't live without
The Go features I can't live withoutRodolfo Carvalho
 
File management
File managementFile management
File managementMohammed Sikander
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
Performance Profiling in Rust
Performance Profiling in RustPerformance Profiling in Rust
Performance Profiling in RustInfluxData
 

More Related Content

What's hot

Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLintLeander Hasty
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Rouven Weßling
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Code samples that actually compile - Clare Macrae
Code samples that actually compile - Clare MacraeCode samples that actually compile - Clare Macrae
Code samples that actually compile - Clare MacraeClare Macrae
 
C 檔案輸入與輸出
C 檔案輸入與輸出C 檔案輸入與輸出
C 檔案輸入與輸出PingLun Liao
 
Unit 4
Unit 4Unit 4
Unit 4siddr
 
Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingPositive Hack Days
 
PHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyPHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyDamien Seguy
 
Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con polandDamien Seguy
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...RootedCON
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
PHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated FeaturesPHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated FeaturesMark Niebergall
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundRodolfo Carvalho
 
Perl Intro 8 File Handles
Perl Intro 8 File HandlesPerl Intro 8 File Handles
Perl Intro 8 File HandlesShaun Griffith
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
The Go features I can't live without
The Go features I can't live withoutThe Go features I can't live without
The Go features I can't live withoutRodolfo Carvalho
 

What's hot (20)

Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLint
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
 
Code samples that actually compile - Clare Macrae
Code samples that actually compile - Clare MacraeCode samples that actually compile - Clare Macrae
Code samples that actually compile - Clare Macrae
 
C 檔案輸入與輸出
C 檔案輸入與輸出C 檔案輸入與輸出
C 檔案輸入與輸出
 
Unit 4
Unit 4Unit 4
Unit 4
 
Specialized Compiler for Hash Cracking
Specialized Compiler for Hash CrackingSpecialized Compiler for Hash Cracking
Specialized Compiler for Hash Cracking
 
PHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyPHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacy
 
A Tour of Go - Workshop
A Tour of Go - WorkshopA Tour of Go - Workshop
A Tour of Go - Workshop
 
Machine learning in php php con poland
Machine learning in php php con polandMachine learning in php php con poland
Machine learning in php php con poland
 
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files ...
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
 
Vocabulary Types in C++17
Vocabulary Types in C++17Vocabulary Types in C++17
Vocabulary Types in C++17
 
PHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated FeaturesPHP 5.6 New and Deprecated Features
PHP 5.6 New and Deprecated Features
 
The Go features I can't live without, 2nd round
The Go features I can't live without, 2nd roundThe Go features I can't live without, 2nd round
The Go features I can't live without, 2nd round
 
Perl Intro 8 File Handles
Perl Intro 8 File HandlesPerl Intro 8 File Handles
Perl Intro 8 File Handles
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
Vim and Python
Vim and PythonVim and Python
Vim and Python
 
The Go features I can't live without
The Go features I can't live withoutThe Go features I can't live without
The Go features I can't live without
 
File management
File managementFile management
File management
 

Similar to Static and Dynamic Analysis at Ning

Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
Performance Profiling in Rust
Performance Profiling in RustPerformance Profiling in Rust
Performance Profiling in RustInfluxData
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Amin Astaneh
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
DTrace Topics: Introduction
DTrace Topics: IntroductionDTrace Topics: Introduction
DTrace Topics: IntroductionBrendan Gregg
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
the productive programer: mechanics
the productive programer: mechanicsthe productive programer: mechanics
the productive programer: mechanicselliando dias
 
Pylons + Tokyo Cabinet
Pylons + Tokyo CabinetPylons + Tokyo Cabinet
Pylons + Tokyo CabinetBen Cheng
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Greg Bailey
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debuggingchrisortman
 
Performance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTracePerformance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTraceGraeme Jenkinson
 
Multiprocessing with python
Multiprocessing with pythonMultiprocessing with python
Multiprocessing with pythonPatrick Vergain
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 

Similar to Static and Dynamic Analysis at Ning (20)

Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)
 
Performance Profiling in Rust
Performance Profiling in RustPerformance Profiling in Rust
Performance Profiling in Rust
 
.NET Debugging Workshop
.NET Debugging Workshop.NET Debugging Workshop
.NET Debugging Workshop
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)
 
Kommons
KommonsKommons
Kommons
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
DTrace Topics: Introduction
DTrace Topics: IntroductionDTrace Topics: Introduction
DTrace Topics: Introduction
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
the productive programer: mechanics
the productive programer: mechanicsthe productive programer: mechanics
the productive programer: mechanics
 
Pylons + Tokyo Cabinet
Pylons + Tokyo CabinetPylons + Tokyo Cabinet
Pylons + Tokyo Cabinet
 
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
Fun with Macros & Other Sneaky Tricks to Avoid Detection - SANS Manchester 2020
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introduction
 
Advanced windows debugging
Advanced windows debuggingAdvanced windows debugging
Advanced windows debugging
 
Debug generic process
Debug generic processDebug generic process
Debug generic process
 
Performance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTracePerformance analysis and troubleshooting using DTrace
Performance analysis and troubleshooting using DTrace
 
Multiprocessing with python
Multiprocessing with pythonMultiprocessing with python
Multiprocessing with python
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Advances in Open Source Password Cracking
Advances in Open Source Password CrackingAdvances in Open Source Password Cracking
Advances in Open Source Password Cracking
 
Ext 0523
Ext 0523Ext 0523
Ext 0523
 
Flink internals web
Flink internals web Flink internals web
Flink internals web
 

More from ZendCon

Framework Shootout
Framework ShootoutFramework Shootout
Framework ShootoutZendCon
 
Zend_Tool: Practical use and Extending
Zend_Tool: Practical use and ExtendingZend_Tool: Practical use and Extending
Zend_Tool: Practical use and ExtendingZendCon
 
PHP on IBM i Tutorial
PHP on IBM i TutorialPHP on IBM i Tutorial
PHP on IBM i TutorialZendCon
 
PHP on Windows - What's New
PHP on Windows - What's NewPHP on Windows - What's New
PHP on Windows - What's NewZendCon
 
PHP and Platform Independance in the Cloud
PHP and Platform Independance in the CloudPHP and Platform Independance in the Cloud
PHP and Platform Independance in the CloudZendCon
 
I18n with PHP 5.3
I18n with PHP 5.3I18n with PHP 5.3
I18n with PHP 5.3ZendCon
 
Cloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go AwayCloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go AwayZendCon
 
Planning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local DatabasesPlanning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local DatabasesZendCon
 
Magento - a Zend Framework Application
Magento - a Zend Framework ApplicationMagento - a Zend Framework Application
Magento - a Zend Framework ApplicationZendCon
 
Enterprise-Class PHP Security
Enterprise-Class PHP SecurityEnterprise-Class PHP Security
Enterprise-Class PHP SecurityZendCon
 
PHP and IBM i - Database Alternatives
PHP and IBM i - Database AlternativesPHP and IBM i - Database Alternatives
PHP and IBM i - Database AlternativesZendCon
 
Zend Core on IBM i - Security Considerations
Zend Core on IBM i - Security ConsiderationsZend Core on IBM i - Security Considerations
Zend Core on IBM i - Security ConsiderationsZendCon
 
Application Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server TracingApplication Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server TracingZendCon
 
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...ZendCon
 
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and ScalabilitySolving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and ScalabilityZendCon
 
Joe Staner Zend Con 2008
Joe Staner Zend Con 2008Joe Staner Zend Con 2008
Joe Staner Zend Con 2008ZendCon
 
Tiery Eyed
Tiery EyedTiery Eyed
Tiery EyedZendCon
 
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...ZendCon
 
DB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications SessionDB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications SessionZendCon
 
Digital Identity
Digital IdentityDigital Identity
Digital IdentityZendCon
 

More from ZendCon (20)

Framework Shootout
Framework ShootoutFramework Shootout
Framework Shootout
 
Zend_Tool: Practical use and Extending
Zend_Tool: Practical use and ExtendingZend_Tool: Practical use and Extending
Zend_Tool: Practical use and Extending
 
PHP on IBM i Tutorial
PHP on IBM i TutorialPHP on IBM i Tutorial
PHP on IBM i Tutorial
 
PHP on Windows - What's New
PHP on Windows - What's NewPHP on Windows - What's New
PHP on Windows - What's New
 
PHP and Platform Independance in the Cloud
PHP and Platform Independance in the CloudPHP and Platform Independance in the Cloud
PHP and Platform Independance in the Cloud
 
I18n with PHP 5.3
I18n with PHP 5.3I18n with PHP 5.3
I18n with PHP 5.3
 
Cloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go AwayCloud Computing: The Hard Problems Never Go Away
Cloud Computing: The Hard Problems Never Go Away
 
Planning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local DatabasesPlanning for Synchronization with Browser-Local Databases
Planning for Synchronization with Browser-Local Databases
 
Magento - a Zend Framework Application
Magento - a Zend Framework ApplicationMagento - a Zend Framework Application
Magento - a Zend Framework Application
 
Enterprise-Class PHP Security
Enterprise-Class PHP SecurityEnterprise-Class PHP Security
Enterprise-Class PHP Security
 
PHP and IBM i - Database Alternatives
PHP and IBM i - Database AlternativesPHP and IBM i - Database Alternatives
PHP and IBM i - Database Alternatives
 
Zend Core on IBM i - Security Considerations
Zend Core on IBM i - Security ConsiderationsZend Core on IBM i - Security Considerations
Zend Core on IBM i - Security Considerations
 
Application Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server TracingApplication Diagnosis with Zend Server Tracing
Application Diagnosis with Zend Server Tracing
 
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
Insights from the Experts: How PHP Leaders Are Transforming High-Impact PHP A...
 
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and ScalabilitySolving the C20K problem: Raising the bar in PHP Performance and Scalability
Solving the C20K problem: Raising the bar in PHP Performance and Scalability
 
Joe Staner Zend Con 2008
Joe Staner Zend Con 2008Joe Staner Zend Con 2008
Joe Staner Zend Con 2008
 
Tiery Eyed
Tiery EyedTiery Eyed
Tiery Eyed
 
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
Make your PHP Application Software-as-a-Service (SaaS) Ready with the Paralle...
 
DB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications SessionDB2 Storage Engine for MySQL and Open Source Applications Session
DB2 Storage Engine for MySQL and Open Source Applications Session
 
Digital Identity
Digital IdentityDigital Identity
Digital Identity
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Static and Dynamic Analysis at Ning

  • 1. Static and Dynamic Analysis at . David Sklar - david@ning.com ZendCon 2008
  • 2. What? • Static analysis: what can you learn from looking at the source code? • Dynamic analysis: what can you learn from looking at the running code? • Both: understand what your application is doing and can do
  • 3. Why? • Ning’s “Your Own Social Network” application is ~206kloc and growing • Developers on 4 continents • Enforce code standards, check deprecated usage, monitor performance, evaluate API change impact
  • 4. Static #1: Text Munching • Regexes or pattern matching to look for good/bad things in code • Works nicely in unit tests
  • 5. Static #2: Tokenizer • More PHP-aware version of text munching • Also useful in unit tests or standalone code analysis projects
  • 6. Tokenizer Example • Where does the code write to the filesystem? • Step 1: Find function calls (with tokenizer) • Step 2: Find which ones do writes (with human)
  • 7. AST Detour • http://pecl.php.net/parse_tree • http://trac2.assembla.com/php-ast • http://www.phpcompiler.org/
  • 8. Static #3: Opcode Dump • PHP has its own virtual machine • vld extension shows you the opcodes that your PHP code is turned in to • http://www.derickrethans.nl/vld.php • In general fewer opcodes → better performance
  • 9. Opcode Dump Example • What’s the difference between: isset($fruit['peaches']) and array_key_exists('peaches', $fruit) ?
  • 10. Dynamic #1: Profiling • Xdebug provides bountiful profiling information • http://www.xdebug.org/
  • 11. Xdebug Configuration • Enable xdebug • Turn on profiling (or trigger) • Set output directory and filename pattern zend_extension=/full/path/to/xdebug.so xdebug.profiler_enable=0 xdebug.profiler_enable_trigger=1 xdebug.profiler_output_dir=/tmp xdebug.profiler_output_name=prof.%H.%R.%u.out
  • 12. Files can be large… % ls -l -rw-r--r-- 1 daemon daemon 4746558 May 7 17:52 prof.localhost._index_php_profiles_friend_list_XDEBUG_PR OFILE=1.1210182719_781004.out % wc –l p* 338909 prof.localhost._index_php_profiles_friend_list_XDEBUG_PR OFILE=1.1210182719_781004.out
  • 14.
  • 15. Viewing Tools • Kcachegrind: Linux, OS X, Windows, Cygwin (http://kcachegrind.sourceforge.net/) • WinCacheGrind: Windows (http://sourceforge.net/projects/wincachegrind/) • Webgrind: All (http://code.google.com/p/webgrind/) • ct_annotate: All (@see valgrind)
  • 16. Dynamic #2: Function Traces • Xdebug again! • Each function entry/exit recorded
  • 17. Easy to parse/analyze • One line on entering a stack frame, one on leaving. Fields are tab-delimited: Line Field Type 1 2 3 4 5 6 7 8 9 10 0= internal, Included Entry 0 = Entry Function file line 1 = user- file defined Frame Frame Time Memory Level Number Exit 1 = Exit
  • 18. Function Trace Example • Stack traces wherever a file is included
  • 19. Dynamic #3: strace/truss • Strace on linux, truss on solaris • (ktrace on os x)
  • 20. strace example • Parsing entire strace output to get syscall census • Files can (familiar refrain) be large
  • 21. truss example • Use fancy truss options (library names, function name prefixes) to find when certain PHP functions are invoked.
  • 22. ltrace • ltrace on linux is a “library call tracer” • Performance overhead significant, hasn’t been as useful
  • 23. Dynamic #4: DTrace • DTrace’s capabilities are Mighty and Numerous • No special setup (other than installing DTrace + provider) • No* production performance impact • PHP Provider: http://pecl.php.net/dtrace • Solaris, Leopard
  • 24. DTrace Example #1 • Flow between PHP functions and system functions
  • 25. DTrace Example #2 • What’s everything* that happens when PHP does something simple? • (*everything = PHP scripts, PHP internals, libc, syscalls, kernel)
  • 26. systemtap • systemtap is a Linux tool that allows for user-written in-kernel profiling scripts similar to DTrace
  • 27. Summary • Static: Pattern matching, tokenizer, opcode analysis • Dynamic: Profiling, function traces, strace, truss, dtrace • Slides, etc.: http://www.sklar.com/blog/
  • 28. Come Work at ! • Build the software that powers > 460,000 social networks • PHP, REST, JSON, XML, APIs, C, Ruby, Python, Apache, and friends • Work in Palo Alto, CA (or not) • Visit us in the Exhibit Hall • http://jobs.ning.com – david@ning.com