Listen and look at your PHP code
Download as PPTX, PDF0 likes1,142 views
This document discusses various static analysis tools for PHP code including PHP_CodeSniffer, PHPDepend, PHPMD, phploc, phpcpd, vld, Bytekit, Padawan, Phantm, phpUnderControl, Arbit, and plugins for Sonar. It provides descriptions of what each tool analyzes and outputs including code style checks, complexity metrics, dependency graphs, duplication detection, bytecode analysis, and continuous integration reporting. Screenshots are included showing output and integrations from Sonar, phpUnderControl, and Arbit. The document argues that Sonar is the state of the art but still has room for improvement in supporting PHP-specific needs and integrating with other tools.
Listen and look at your PHP code
- 1. Listen and lookatyour PHP CODE!Gabriele Santini9/10/2010
- 2. Gabriele SantiniArchitect/Consultant at SQLIContributor to PHP_CodeSnifferSo expect a special focus on this…Sonar PHP PluginI have to show you!Ex-mathematician :love business modellinglove architectureslove quality assurance… not an « OS geek »
- 3. StaticAnalysisAll youcansay about your program withoutactuallyexecute the codeThe restisalsointeresting, let’s talk about itanother time !Examples ?Syntax check, coding style, anti-patterns, metrics, OO design analysis, …What must bedonebeforeexecuting the code ?
- 4. Levels of analysisLexical analysisRead sources linearlysearching for known patternsConvertthem to a sequence of tokens
- 5. Levels of analysisLexical analysisRead sources linearlysearching for known patternsConvertthem to a sequence of tokensSyntacticAnalysisParse the tokens to findtheirlogical structure
- 6. Levels of analysisLexical analysisRead sources linearlysearching for known patternsConvertthem to a sequence of tokensSyntacticAnalysisParse the tokens to findtheirlogical structureOpcode (Bytecode) GenerationGenerates an intermediary code that the Zend Enginewillbe able to execute
- 8. SyntacticAnalysisUseful to beseen as an ASTAbstract SyntaxTreeDecompose code in a tree-likeformCan beexecuted once a contextisgivenUsed in compilers
- 11. GIVE US THE TOOLS !
- 12. PHP_CodeSnifferBy Greg SherwoodPEAR libraryVenerableprojectCode StyleBut also a lot moreWorks at lexical analysislevelHeavily use the tokenizer extension
- 13. PHP_CodeSnifferHands onPHP_CodeSnifferSniffsClasses thatdetect ViolationsOne or more type per classGrouped in folders by subject:Commenting, Formatting, WhiteSpaceFiles, ControlStructures, Strings Functions, Classes, NamingConventionsCodeAnalysis, MetricsYou cancreateyourown!
- 14. PHP_CodeSnifferStandardsSets of Sniffsthatdefineyourcoding styleInstalled : PEAR, Generic, Zend*, Squiz, MySourcePHPCS
- 16. Inside PHP_CodeSnifferSniff class main methodsregister()Make the sniff a listener for the declaredtokensprocess($phpcsFile, $stackPtr)Called by the file duringparsingwhen a declaredtokenisfoundFileRepresents a parsed fileHolds the tokens structure and offersconveniencemethods
- 17. Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff
- 18. Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff
- 19. Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff
- 20. Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff$stackPtr
- 21. Inside PHP_CodeSnifferLife of a SniffDisallowMultipleStatementsSniff
- 22. Inside PHP_CodeSnifferLife of a Sniff (2)
- 23. PHP_CodeSnifferAt SQLI we have some framework standardsZend FrameworkBased on Thomas WeidnerworkSymfonyIn collaboration with Fabien PotencierWaiting for a serious release after 1.3 release
- 24. PHP_CodeSnifferAt SQLI we have some framework standardsZend FrameworkBased on Thomas WeidnerworkSymfonyIn collaboration with Fabien PotencierWaiting for a serious release after 1.3 releaseThat’snice, but…Where are the standards for the othertools ?I’ldexpect a Drupal, Wordpress, Cake official standard
- 25. PHP_CodeSnifferHow far a standard can go in detection ?
- 26. PHP_CodeSnifferHow far a standard can go in detection ? Interestingly far for generic PHP Code
- 27. PHP_CodeSnifferHow far a standard can go in detection ? Interestingly far for generic PHP CodeVery far if you know yourtool’s structureImagine for example forcing PHP alternative syntax in Symfonyviews…Or checking for escaping in Zend Views !
- 28. PHP_DependBy Manuel PichlerFunctional port of JDependOO design analysisMetrics visualisationDependencyanalyzerWorks at the syntacticanalysislevel
- 29. PHP_DependHow itworksPHP_Depend first makes an AST off your codeA « personal » one, made by PHP objectsASTComment, ASTClosure, ASTEvalExpression, …This is made by the Builder/Parser componentUsing PHP Reflection
- 30. PHP_DependHow itworks (2)ThenPHP_Dependcananswer questions by « visiting » the ASTThis is the task for example of MetricsAnalyzers, thatextendAbstractVisitor IOC, the visitordecideswhat to do according to AST Class : visitMethod, visitForStatement(), …Analyzer canfirelistenersduringanalyze() callTo getongoing informations about the visitprocess
- 34. PHPMDBy Manuel PichlerDetectsrules violationsAnalog to PHP_CodesnifferWorks atsyntaxanalysislevelActually on the same ASTDepends on PHP_DependHas rulesets !
- 35. PHPMDWhatitgives:Code Size Rulescomplexities, lengths, toomany, … Design RulesOO, exit, evalNamingRulesToo short/long identifiers, oldconstructors, …Unused Code RulesMethods, members, parameters
- 36. phplocBy SebastianBergmannSimple tool to give basic metricsFast, direct to the goalWorks mostly on lexical levelBut use bytekit for ELOC if itcan
- 37. phpcpdBy SebastianBergmannSimple tool to detectduplicated codeWorks on syntaxanalysislevelUse the tokenizer to minimizedifferencesComments, whitespaces, …Takes a minimum number of lines and tokensEncodes according to thisUses an hash table to find duplicates
- 38. vldVulcan LogicDisassemblerBy Derick RethansWorks atbytecodelevelShows generatedbytecodesCalculates possible paths (CFG)Findunreachable codeCouldbeused for code coveragepathmetrics
- 39. vldOutput
- 40. vldOutput
- 41. BytekitBy Stefan Esser (SektionEins)Works at … bytecodelevelSimilar to vldExposes opcodes to a PHP arraybytekit_disassemble_file($filename)Can beuseddirectly for a custom script
- 43. Bytekit-cliBy SebastianBergmannPHP Interface to use bytekit to spot violation rulesInitial stateImplementedrules :Check for disallowedopcodes (exampleeval, exit)Check for direct output of variablesIn svn, check for unescapedZendView
- 44. PadawanBy Florian AnderiaschFocus on anti-pattern detectionalpha (?)Works on syntaxanalysislevelBased on PHC (PHP compiler)Use an XML dump of the AST PHC generatesMakesxpathsearches on it
- 45. PadawanInterestingapproachRules are fairly simple to writeAlreadymanyinteresting tests :Emptyconstructs (if, else, try,..), unsafetypecasts, looprepeated calls, unusedkeys in foreach, …PHC not easy to installRisk on PHC manteinance
- 46. PhantmBy Etienne KneussHighlyexperimentalSevere limitation on PHP dynamicfeaturesFalse positivesWorks on syntaxanalysislevelBased on Java tools (Jflex, CUP, Scala)Reports violationsNon top-leveldeclarations, call-time pass-by-ref, nontrivialinclude calls, assign in conditional, …Exploring Type Flow AnalysisTries to infer types and check for type safety
- 47. ConclusionUse the right tool for the right jobCoding style isbetteranalysedat the lexical levelOO design isbetterviewedaftersyntactic analysesUnreachable code afterbytecodingContribute !Plenty of thingsstill to implementEasy to have new ideasAt least use them (youshould!) and give feedback
- 48. RestitutionOnce all thisiscollectedwhat to do withit ?At least, show it in a suitableformAt best, integratethis in your CI system
- 49. phpUnderControlBy Manuel PichlerCI for PHPBased on CruiseControlIntegratesnativelyvarioustools :PHPUnit (+XDebug for code coverage), PHP_CodeSnifferPHPDocumentorPMD via PHPUnit (now PHPMD)
- 50. phpUnderControlWhatitgives : metrics graphs
- 51. phpUnderControlWhatitgives : report lists
- 53. ArbitBy Qafoo (with Manuel Pichler)Basically a projectmulti-servicestoolTicketing systemRepository browserContinuousintegrationAs Manuel is in it, somegraphicalpresentations are unique for thistoolStill alpha
- 54. ArbitWhatitgives : more metrics graphs
- 56. ArbitWhatitgives : Annotated sources
- 57. Plugins Sonar for PHPBy me Really by the Java guysat SQLIFrédéric Leroy, Akram Ben Aissi, Jérôme Tama Sonar is the state of the art for Open Source QA Reporting in JavaThought for multilanguageCan easelyintegrate all PHP reportingsportedfrom Java toolsJunit => PHPUnitJDepend => PHPDependJava PMD => PHPMD
- 58. Plugins Sonar for PHPOk, not alwayssoeaselyCheckStyleis not PHP_CodeSnifferFormats are not identicalMulti-languagedoesn’tmean no work to add one First release on May 20100.2 Alpha state, but workableEasy to install : giveit a try !Last version demo : sonar-php.sqli.comOk, enough, here are the screenshots
- 59. Plugins Sonar for PHPDashboard
- 60. Plugins Sonar for PHPComponents : treemaps
- 61. Plugins Sonar for PHPTime machine
- 62. Plugins Sonar for PHPHotspots
- 63. Plugins Sonar for PHPViolations
- 64. Plugins Sonar for PHPEditing Code Profile
- 65. ConclusionSonar reallygoesfurtherBest integrateswithHudsonStillis java…But SonarSourcereallywants to cooperateHow to interactwithphpUnderControl, Arbit ?(actuallyour solution – PIC PHP SQLI- isbased on phpUC + Sonar)This needs to evolve