listen and look at your php code

Download Listen and look at your PHP code

Post on 18-Dec-2014

1.416 views

Category:

Documents

3 download

Embed Size (px)

DESCRIPTION

 

TRANSCRIPT

Listen to your PHP CODE!

Listen and lookat your PHP CODE!

Gabriele Santini9/10/2010Gabriele SantiniArchitect/Consultant at SQLI

Contributor to PHP_CodeSnifferSo expect a special focus on this

Sonar PHP PluginI have to show you!

Ex-mathematician :love business modellinglove architectureslove quality assurance not an OS geek

Static AnalysisAll you can say about your program without actually execute the codeThe rest is also interesting, lets talk about it another time !

Examples ?Syntax check, coding style, anti-patterns, metrics, OO design analysis,

What must be done before executing the code ?

Levels of analysisLexical analysisRead sources linearly searching for known patternsConvert them to a sequence of tokens

Levels of analysisLexical analysisRead sources linearly searching for known patternsConvert them to a sequence of tokens

Syntactic AnalysisParse the tokens to find their logical structure

Levels of analysisLexical analysisRead sources linearly searching for known patternsConvert them to a sequence of tokens

Syntactic AnalysisParse the tokens to find their logical structure

Opcode (Bytecode) GenerationGenerates an intermediary code that the Zend Engine will be able to execute

Lexical AnalysisTokenizer

1 T_CLOSE_TAG

Syntactic AnalysisUseful to be seen as an ASTAbstract Syntax TreeDecompose code in a tree-like formCan be executed once a context is givenUsed in compilers

Syntactic Analysis

Opcodes GenerationMistery tool

line # * op return operands-------------------------------------------------- 2 0 > EXT_STMT 1 IS_SMALLER ~0 1, 2 2 > JMPZ ~0, ->6 3 3 > EXT_STMT 4 ECHO 'Hello' 4 5 > JMP ->6 6 6 > EXT_STMT 7 > RETURN 1

GIVE US THE TOOLS !

PHP_CodeSnifferBy Greg SherwoodPEAR libraryVenerable project

Code StyleBut also a lot more

Works at lexical analysis levelHeavily use the tokenizer extension

PHP_CodeSniffer

Hands on

PHP_CodeSnifferSniffsClasses that detect ViolationsOne or more type per class

Grouped in folders by subject:Commenting, Formatting, WhiteSpaceFiles, ControlStructures, Strings Functions, Classes, NamingConventionsCodeAnalysis, Metrics

You can create your own!

PHP_CodeSnifferStandardsSets of Sniffs that define your coding style

Installed : PEAR, Generic, Zend*, Squiz, MySource PHPCS

PHP_CodeSniffer 1.3Rulesets XML!

A variation of the PEAR coding standard. Please review spacing in function %s 2

Inside PHP_CodeSnifferSniff class main methodsregister()Make the sniff a listener for the declared tokensprocess($phpcsFile, $stackPtr)Called by the file during parsing when a declared token is found

FileRepresents a parsed fileHolds the tokens structure and offers convenience methods

Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff

Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff

public function register(){ return array(T_SEMICOLON);}public function process($phpcsFile, $stackPtr){ []Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff

Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff

$stackPtrInside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff

public function register(){ return array(T_SEMICOLON);}public function process($phpcsFile, $stackPtr){ $tokens = $phpcsFile->getTokens(); $previous = $phpcsFile->findPrevious();

if ($previous === false) { return; }// Continue => Inside PHP_CodeSnifferLife of a Sniff (2)

// Ignore multiple statements in a FOR condition. // First some gym for nested parenthesis [] if ($tokens[$owner]['code'] === T_FOR) { return; } [] // If the previous semicolon is on the same line we add an error // to this file if ($tokens[$previous]['line'] === $tokens[$stackPtr]['line']) { $error = 'Each PHP statement must be on a line by itself'; $phpcsFile->addError($error, $stackPtr); return; }}//end process()PHP_CodeSnifferAt SQLI we have some framework standardsZend FrameworkBased on Thomas Weidner workSymfonyIn collaboration with Fabien PotencierWaiting for a serious release after 1.3 release

PHP_CodeSnifferAt SQLI we have some framework standardsZend FrameworkBased on Thomas Weidner workSymfonyIn collaboration with Fabien PotencierWaiting for a serious release after 1.3 releaseThats nice, butWhere are the standards for the other tools ?Ild expect a Drupal, Wordpress, Cake official standard

PHP_CodeSnifferHow far a standard can go in detection ?

PHP_CodeSnifferHow far a standard can go in detection ?

Interestingly far for generic PHP Code

PHP_CodeSnifferHow far a standard can go in detection ?

Interestingly far for generic PHP Code

Very far if you know your tools structureImagine for example forcing PHP alternative syntax in Symfony viewsOr checking for escaping in Zend Views !

PHP_DependBy Manuel Pichler

Functional port of JDependOO design analysisMetrics visualisationDependency analyzer

Works at the syntactic analysis level

PHP_DependHow it works

PHP_Depend first makes an AST off your codeA personal one, made by PHP objectsASTComment, ASTClosure, ASTEvalExpression, This is made by the Builder/Parser component Using PHP Reflection

PHP_DependHow it works (2)

Then PHP_Depend can answer questions by visiting the ASTThis is the task for example of Metrics Analyzers, that extend AbstractVisitor IOC, the visitor decides what to do according to AST Class : visitMethod, visitForStatement(), Analyzer can fire listeners during analyze() callTo get ongoing informations about the visit process

PHP_DependWhat it gives:The Abstraction/Instability graph

PHP_DependWhat it gives:The Abstraction/Instability graph

PHP_DependWhat it gives:The Pyramid !!

PHPMDBy Manuel Pichler

Detects rules violationsAnalog to PHP_Codesniffer

Works at syntax analysis levelActually on the same ASTDepends on PHP_DependHas rulesets !

PHPMDWhat it gives:

Code Size Rulescomplexities, lengths, too many, Design RulesOO, exit, evalNaming RulesToo short/long identifiers, old constructors, Unused Code RulesMethods, members, parameters

phplocBy Sebastian Bergmann

Simple tool to give basic metricsFast, direct to the goal

Works mostly on lexical level But use bytekit for ELOC if it can

phpcpdBy Sebastian Bergmann

Simple tool to detect duplicated code

Works on syntax analysis levelUse the tokenizer to minimize differencesComments, whitespaces, Takes a minimum number of lines and tokensEncodes according to thisUses an hash table to find duplicates

vldVulcan Logic DisassemblerBy Derick Rethans

Works at bytecode levelShows generated bytecodesCalculates possible paths (CFG)Find unreachable codeCould be used for code coverage path metrics

vldOutput

vldOutput

BytekitBy Stefan Esser (SektionEins)

Works at bytecode levelSimilar to vldExposes opcodes to a PHP arraybytekit_disassemble_file($filename)

Can be used directly for a custom script

BytekitCFG visualisation

Bytekit-cliBy Sebastian Bergmann

PHP Interface to use bytekit to spot violation rulesInitial state

Implemented rules :Check for disallowed opcodes (example eval, exit)Check for direct output of variablesIn svn, check for unescaped ZendView

PadawanBy Florian Anderiasch

Focus on anti-pattern detectionalpha (?)

Works on syntax analysis levelBased on PHC (PHP compiler)Use an XML dump of the AST PHC generatesMakes xpath searches on it

PadawanInteresting approachRules are fairly simple to writeAlready many interesting tests :Empty constructs (if, else, try,..), unsafe typecasts, loop repeated calls, unused keys in foreach,

PHC not easy to installRisk on PHC manteinance

PhantmBy Etienne KneussHighly experimentalSevere limitation on PHP dynamic featuresFalse positivesWorks on syntax analysis levelBased on Java tools (Jflex, CUP, Scala)Reports violationsNon top-level declarations, call-time pass-by-ref, nontrivial include calls, assign in conditional, Exploring Type Flow AnalysisTries to infer types and check for type safety

ConclusionUse the right tool for the right job

Coding style is better analysed at the lexical levelOO design is better viewed after syntactic analysesUnreachable code after bytecoding

Contribute !Plenty of things still to implementEasy to have new ideasAt least use them (you should!) and give feedback

RestitutionOnce all this is collected what to do with it ?

At least, show it in a suitable form

At best, integrate this in your CI system

phpUnderControlBy Manuel Pichler

CI for PHP

Based on CruiseControlIntegrates natively various tools :PHPUnit (+XDebug for code coverage), PHP_CodeSniffer PHPDocumentorPMD via PHPUnit (now PHPMD)

phpUnderControlWhat it gives : metrics graphs

phpUnderControlWhat it gives : report lists

phpUnderControlWhat it gives : PHPCodeBrowser

ArbitBy Qafoo (with Manuel Pichler)

Basically a project multi-services toolTicketing systemRepository browserContinuous integrationAs Manuel is in it, some graphical presentations are unique for this toolStill alpha

ArbitWhat it gives : more

Recommended

View more >