Review unknown code with static analysis Zend con 2017
1 like177 views
The document discusses a code review session focusing on static analysis for PHP, highlighting the challenges of understanding an unknown codebase and methods for effective review. It emphasizes the importance of tools for analyzing PHP source code, presents automated code review techniques, and outlines performance metrics while analyzing PHP code across different versions. Additionally, it includes specific issues identified in the code as well as recommendations for best practices in PHP development.
![Semantics and definitions
Removes spaces, comments, documentations
Removes delimiters
( ) { } [ ] " ' ` ; :
Good network to link definition with usage](https://image.slidesharecdn.com/reviewunknowncodewithstaticanalysis-zendcon-171102193314/85/Review-unknown-code-with-static-analysis-Zend-con-2017-25-320.jpg)
![Checked 1402 files in 21.3 seconds
Syntax error found in 1 file
-------------------------------------------------
Parse error: melisplatform/melis-installer/etc/
MelisModuleConfig/app.interface.php:59
57| ),
58| ),
> 59| [:environment_configurations]
60| ),
61| ),
Parse error: parse error, expecting `']''
PHP LINT - 5.4 -> 7.3-dev](https://image.slidesharecdn.com/reviewunknowncodewithstaticanalysis-zendcon-171102193314/85/Review-unknown-code-with-static-analysis-Zend-con-2017-33-320.jpg)
![Variables
[$result] => 176
[$postValues] => 178
[$name] => 182
[$parameters] => 183
[$index] => 190
[$status] => 191
[$arrayParameters] => 197
[$melisTool] => 206
[$file] => 211
[$sl] => 214
[$textMessage] => 219
[$config] => 237
[$menu] => 245
[$results] => 247
[$translator] => 260
[$errors] => 261
[$idPage] => 268
[$val] => 288
[$value] => 302
[$melisKey] => 307
[$response] => 308
[$select] => 311
[$form] => 316
[$success] => 341
[$data] => 431
[$container] => 574
[$e] => 582
[$id] => 676
[$view] => 831
[$element] => 1172
Also :
91 used-once variables
40 used-once properties](https://image.slidesharecdn.com/reviewunknowncodewithstaticanalysis-zendcon-171102193314/85/Review-unknown-code-with-static-analysis-Zend-con-2017-38-320.jpg)
Review unknown code with static analysis Zend con 2017
- 1. Zend Con, Las Vegas, 2017 Code review U n k n o w n Code Base
- 2. Agenda Reviewing code Static analysis for PHP A session in which you are the hero
- 3. Review this code We don't know what it does We have never heard about it We don't run it We don't know the authors Can we form an opinion?
- 4. How to review code Reading code is humanly possible : its an art Unit test are not adapted for review Dynamic analysis is not fit for review We need to explore code We cannot only rely on the current state
- 5. Speaker Damien Seguy Exakat CTO Static analysis for PHP PHP doc author Retirement home for elephants
- 6. Source code is structured Source code is a structured database All we need is tools to query it This is static analysis
- 8. Appinfo() List PHP features Focus on PHP's specifics
- 9. PHP Features
- 14. Application favorites Many solutions to the same problem Impact on PHP is minimal Generate never-ending discussions Rule : choose one, stick to it
- 17. Automated code review Analyze code Report PHP related problems
- 19. Clean code for PHP Best practices Security, performance, clean code in-house, PSR, calisthenics, other inspirations Code mantras, code kata PHP Manual Migration guides
- 20. Results by files
- 21. Exakat : 350 analysis Analysis Freq. Here function foo($a, $a, $a) {} 2.0% 0 !!(expression) 2.0% 3 substr($a, 2, 4) == 'abc' 9.0% 0 $a ? $b ? $c : $d : $e 11% 0 foreach($a as &$b) {} 15% 0 $var + 0 31% 46 if (strpos($a, $b)) {} 46% 18 include('file.php') 74% 284
- 22. Zend Framework 3 -/ … /- -/ … /-
- 23. Automated code review Semantic read of the code Reports interesting issues Works with AST
- 24. Automated code review PHP 5 / 7 Calisthenics ClearPHP Performance Framework
- 25. Semantics and definitions Removes spaces, comments, documentations Removes delimiters ( ) { } [ ] " ' ` ; : Good network to link definition with usage
- 27. Flow Control Graph <?php $x = source(); if ($x < 10) { $y = $x + 1; $a = 3; $x = corrige($y); } else { $y = $x; } $x = source; if ($x < 10) $y = $x; $y = $x + 1; $x = corrige($y); end $a = 3; start
- 28. Data Dependency Graph <?php $x = source(); if ($x < 10) { $y = $x + 1; $a = 3; $x = corrige($y); } else { $y = $x; } $x = source; if ($x < 10) $y = $x;$y = $x + 1; $x = corrige($y); fin(); Depends onDepends on Depends on notDepends on Depends on $a = 3; Depends on
- 29. Various AST PHP7mar : nikic/php5-ast PHAN : ext/ast (PHP 7 only) Exakat : AST in a graph database SonarQube : Java-build AST PHPstorm : internal IDE AST Better Reflection
- 30. PHAN .../src/Module.php:26 PhanUndeclaredClassMethod Call to method getApplication from undeclared class ZendMvcMvcEvent Total : 7137 results / 41 types 4682 issues .../melis-cms-page-historic/src/Module.php:131 PhanUndeclaredVariable Variable $sm is undeclared 475 issues src/Controller/MelisCmsNewsController.php:940 PhanCommentParamWithoutRealParam Saw an @param annotation for folderId, but it was not found in the param list of function createFolder($id) : bool 31 issues ...src/Controller/FrontPluginsController.php:246 PhanTypeMismatchForeach null passed to foreach instead of array ...include/FtpClient.php:450 PhanParamTooMany Call with 1 arg(s) to FtpClient FtpWrapper::delete() which only takes 0 arg(s) defined at 10 issues 39 issues
- 31. PHP 7 helps static analysis Type hint, return type hint, scalar typehint Usage of PHPDOC Consistent behavior of PHP operators Dynamic code is very difficult to analyze
- 32. PHP LINT php -l <fichier.php> Paralell executions jakub-onderka/php-paralell-lint Various versions of PHP : 7.0, 7.1, 7.2, 7.3, 5.6, 5.5
- 33. Checked 1402 files in 21.3 seconds Syntax error found in 1 file ------------------------------------------------- Parse error: melisplatform/melis-installer/etc/ MelisModuleConfig/app.interface.php:59 57| ), 58| ), > 59| [:environment_configurations] 60| ), 61| ), Parse error: parse error, expecting `']'' PHP LINT - 5.4 -> 7.3-dev
- 34. 0 1.25 2.5 3.75 5 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 7.3 0 1.25 2.5 3.75 5 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 7.3 0 0.75 1.5 2.25 3 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 7.3 0 1.75 3.5 5.25 7 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 7.3 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2
- 35. What does this app do? Inventories of the application Names for classes, methods, traits, variables, interfaces… List of literal in the code Integers, real, arrays, strings
- 36. Errors messages
- 37. Classes UserController => 1 UserProfileController => 1 Utf8 => 1 Utf8Num => 1 WidgetsController => 1 Wildcard => 1 Writer => 1 Xlsx => 1 imageLib => 1 Boolean => 2 CalendarController => 2 Filesystem => 2 Fuzzy => 2 InvalidArgumentException => 2 LanguageController => 2 MelisCmsSlider => 2 MelisCoreConfigServiceInterface => 2 MelisFieldCollection => 2 MelisFieldRow => 2 MelisLog => 2 MelisPasswordValidator => 2 MelisPlatform => 2 MelisPlatformTable => 2 MelisSelectFactory => 2 MelisTextFactory => 2 MultiTerm => 2 IndexController => 3 MelisGenericTable => 3 CaseInsensitive => 4 ExceptionInterface => 4 Phrase => 4 Term => 5 DashboardController => 6 Module => 18
- 38. Variables [$result] => 176 [$postValues] => 178 [$name] => 182 [$parameters] => 183 [$index] => 190 [$status] => 191 [$arrayParameters] => 197 [$melisTool] => 206 [$file] => 211 [$sl] => 214 [$textMessage] => 219 [$config] => 237 [$menu] => 245 [$results] => 247 [$translator] => 260 [$errors] => 261 [$idPage] => 268 [$val] => 288 [$value] => 302 [$melisKey] => 307 [$response] => 308 [$select] => 311 [$form] => 316 [$success] => 341 [$data] => 431 [$container] => 574 [$e] => 582 [$id] => 676 [$view] => 831 [$element] => 1172 Also : 91 used-once variables 40 used-once properties
- 39. Metrics Provides measures values about the code Cyclomatic complexity, LOC, Maintenance index
- 40. Directories 1010 Files 5167 Size Lines of Code (LOC) 675844 Comment Lines of Code (CLOC) 197531 (29.23%) Non-Comment Lines of Code (NCLOC) 478313 (70.77%) Logical Lines of Code (LLOC) 136607 (20.21%) Classes 120494 (88.20%) Average Class Length 25 Minimum Class Length 0 Maximum Class Length 1380 Average Method Length 4 Minimum Method Length 0 Maximum Method Length 211 Functions 718 (0.53%) Average Function Length 0 Not in classes or functions 15395 (11.27%) Cyclomatic Complexity Average Complexity per LLOC 0.31 Average Complexity per Class 9.50 Minimum Class Complexity 1.00 Maximum Class Complexity 292.00 Average Complexity per Method 2.57 Minimum Method Complexity 1.00 Maximum Method Complexity 165.00 PHPLOC
- 41. PHPMetrics
- 43. List of PHP analyzers Exakat Phan Phploc PHPmetrics https://github.com/exakat/ php-static-analysis-tools
- 44. Large application Main framework : Zend Framework 3 other component : imageLib, ZF2.. Low level of issues, up to date Generic platform
- 46. Thanks http://exakat.io/ - @exakat