Static Analysis for PHP, from PHPDay Italy 2012

Static Analysis
for PHP
PHPDay Verona, Italy 2012
Nick Galbreath @ngalbreath nickg@etsy.com

http://slidesha.re/

KzTfLy
github.com/client9/hphp-tools

Nick Galbreath @ngalbreath PHPDay Verona, Italy 2012

Static Analysis
• Typically analyzes source code “at rest” for
bugs, security problems, leaks, threading
problems.
• We’ll cover simple checks and HpHp
• Some commercial tools exists too.
Veracode runs off of PHP byte code
http://www.veracode.com/products/static


Dynamic Analysis
Analysis of code while running

• valgrind http://valgrind.org/
• xdebug http://xdebug.org/
• xhprof http://pecl.php.net/package/xhprof

Great tools, but not for this talk.

The Littlest Static Analysis
php -l
• Syntax errors should never be committed.
• Syntax errors should never go to prod!
• Make sure dev and prod versions of PHP
are identical


PHP Leading Whitespace

pre-commit check that every ﬁle starts with
either #! or <?php exactly


PHP Trailing Whitespace
Check that ﬁle ends exactly with ?> or make
sure it doesn’t have a closing tag.


Anti-Virus
On Source Code

• It’s static analysis too!
• Not so concerned with PHP but do you
have Javascript, Flash, Word, PowerPoint,
PDFs, ZIPs in your source tree?


ClamAV
• http://www.clamav.net/
• Free anti-virus.
• Available on every OS.

ClamAV Performance

1G of Source Code / Minute
Why not do it?

Why not use... AST?
http://docs.php.net/manual/en/function.token-get-all.php

• token_get_all($file) takes a ﬁle and
returns an Abstract Syntax Tree in php.
• Orders of magnitude slower -- can’t use for
pre-commit check on large code bases
• Too low level -- need to turn it into an
intermediate representation.


Why not use...
CodeSniffer?
http://pear.php.net/package/PHP_CodeSniffer

• Excellent tool, but...
• Based on token_get_all
• SAX-style API
• Too slow for pre/post commit hooks


Why not use...
• php-SAT:Orphaned 2009
• php-AST: Orphaned 2008
• phc: active but doesn’t support... OBJECTS
• Every other PHP to Java translator or
converter is orphaned or has other
problems


Facebook’s HpHp
• A full re-implementation of Apache+PHP
• Compiles PHP to it’s own byte code format
and executes in own runtime.
• May also translate to C++ for other
compilation or use JIT
• Does type-inference for speed-ups
• Also includes a HTTP web server

Bad News #1
No action since
2011-12-06
Facebook appears to use “code drops”
instead of true “streaming” open source
model. BOO.


Bad News #2
Missing Many Common
Modules
• Has: apc, array, bcmath, bzip2, ctype,
curl,iconv, gd, imap, ipc, json, ldap,math,mb,
mcrypt,memcache, mysql, network,
openssl, pdo, posix, preg, process, session,
simplexml, soap, socket, slqite3, stream,
string, thread, thrift, url, xml*, zlib.
• That’s it! (No ﬁlter_var, no ftp, no ..)

Bad News #3
Doesn’t Track PHP 5.3
PHP 5.4? No way!
• Some functions signatures aren’t quite
right. e.g. debug_print_backtrace
• HpHp 2 arguments
• PHP 5.3.6 3 arguments
• PHP 5.4 4 arguments
• (End up needing to whitelist this to ignore
false positives)

Bad News #4
Seriously #*$%&!#
annoying to build
• My crappy CentOS build script
https://github.com/client9/hphp-tools
• Ubuntu users are slightly better off (see
HpHp wiki)
• Takes hours.

Bad News #5
Won’t help with
Dynamic Evaluation
$fn = “foo”;
$fn(1,2,3); // function not found
eval(“foo(1,2,3)”); // no

• This is more for runtime dynamic analysis.
• Try to avoid this anyways.

Conclusion

• You aren’t going to run your application
under HpHp (at least not as is)
• But, it has a great static analyzer that works
and ﬁnds real bugs really fast.
• Scans thousands of ﬁles in a few seconds


Step 1: Make a
constants ﬁle
• HpHp doesn’t know about hardwired constants
• Nifty script generates the constants
• May need to hand edit


Step 2: Make a stubs ﬁle

• HpHp doesn’t have many binary extensions
• But... the analyzer doesn’t care. Just make a
stub function.
// http://php.net/manual/en/function.filter-var.php
function filter_var($var, $filter=0, $options=NULL) {
return $var;
}

You can make stub classes as well.


Step 3: Create the file list
• Create a list of all php files to be analyzed
and include your constants and stubs file.
• Ignore phpunit and other tests
• HpHp implements much of PHP base
functionality as PHP code. (e.g. the
Exception class is written in PHP). You
need to add these system PHP as well


correction:
grep -v helper.idl.php | grep -v constants.php >> $JUNK

Step 4: Do it

Include paths are a bit mysterious.
You’ll have to play around to get it right.

Step 5: Analyze it

• /tmp/hphp/Stats.js contains some...
statistics in JSON format.
• /tmp/hphp/CodeError.js is were the
good stuff is.
• JSON format, includes:
Error type, ﬁle, line number, code snippet


UseUndeclaredVariable

• #1 bug.
• Typically typos, scoping or cut-n-paste
errors
• Found frequently in error handling cases
if (!$ok) {
error_log(“$user_id has a problem”);


TooManyArgument
TooFewArgument
Too Many Arguments typically indicates the
caller is confused and has logic errors (bug).
Too Few Arguments is frequently a serious
bug as PHP silently fails and defaults to null.

hash_hmac(‘sha1’, ‘foo’); // ooops no key


BadDefine
UsesEvaluation
define($k, $v);
eval(“1+1”);

• “Bad” since HpHp can’t compile it, but likely
legal PHP.
• Avoid using dynamic constant generation.
Use conﬁguration ﬁle instead.


UseUndeclaredGlobalVariable

• HpHp only deﬁnes certain globals.
• Used only by Smarty?
• $GLOBALS['HTTP_SERVER_VARS']

• $GLOBALS['HTTP_SESSION_VARS']

• $GLOBALS['HTTP_COOKIE_VARS']


UseVoidReturn
Some function returns “nothing” but the
value is used
function foo() {
if (time() % 60 == 0) { return true; }
// oops void
}

$now = foo(); // error


RequiredAfterOptionalParam
function foo($first, $second=2, $third) {

• IMHO should be a PHP syntax error
• Confusing
• (Oops, I haven’t investigated behavior)


DeclaredConstantTwice

• Probably not invalid PHP, but HpHp
analyzes all files at once.
• Best to have one file that defines constants
or just not use them.


UnknownFunction
UnknownObjectMethod
UnknownClass
UnknownBaseClass

• Is your ﬁle list complete?
• Do you need to make stubs?


BadPHPIncludeFile

Likely a PHP ﬁle trying to include/require
itself or invalid ﬁle name or your autoloader
is ambiguous.


PHPIncludeFileNotFound

• Really common
• Probably unique to your autoloader.
• Not sure I quite understand how HpHp
computes ﬁle names and loads includes,
requires, require_once... yet


Every Commit
• Every commit gets checked in real-time
• “try-server” also allows developers to test
before committing.
• Finds and prevents bugs before
they go live every day.
• Almost no false positives (!!)
• Developers love it (especially the Java
groups)

Analysis
• CodeError.js is processed through a
custom script.
• Has a large blacklist of checks or ﬁles we
don’t care about (3rd party, known bad,
etc).
• File and line info pass through to git blame
to ﬁnd author and date/time.


hphp-try runs in Jenkins

oops

Console Output
gives details


Work in Progress
• It took a lot of work to get the code base in
shape so we could add pre-commit hook.
• Over 200 real problems first identified.
• We still have blacklisted some checks since
we are still cleaning up legacy code (and
figuring out how HpHp works)


Checks aren’t that
complicated
• HpHp’s runtime type-inference isn’t used for
static analysis (good since type-inference is
hard)
• All checks are fairly simple book-keeping.
• All could be done in CodeSniffer/AST but
too slow


Slice off HpHp?

• The HpHp Runtime is nice, but really
complicated and a moving target.
• Can we slice out the analysis part of HpHp?
• Much simpler to build, easier to hack on.


Or Build New?

• Can this run off “byte code” or hook into
the parsing step of PHP?
• Exec a snippet of PHP for the loading script
ﬁles ?
• Seems feasible


Acknowledgments
and References

Thanks
• The Facebook Team!
• Sebastian Bergman who ﬁrst blogged about
using HpHp for static analysis
• Rasmus who ﬁrst hacked up a version of
HpHp in house at Etsy
• The QA and DevTools teams at Etsy
• All the Etsy developers who had some
painful weeks getting the code in shape!

Facebook References
• https://github.com/facebook/hiphop-php
Main source repo + wiki
• http://developers.facebook.com/blog/post/
2010/02/02/hiphop-for-php--move-fast/
Main announcement, 2010-02-02
• https://www.facebook.com/note.php?
note_id=416880943919
Update 2012-08-13


Notes from
Sebastian Bergman
• http://sebastian-bergmann.de/archives/894-
Using-HipHop-for-Static-Analysis.html
Static Analysis Intro, 2010-07-27
• http://sebastian-bergmann.de/archives/918-
Static-Analysis-with-HipHop-for-PHP.html
Tool to help process output, 2012-01-27


Misc References
• http://arstechnica.com/business/2011/12/
facebook-looks-to-ﬁx-php-performance-
with-hiphop-virtual-machine/
ArsTechnica overview, 2011-12-13
• http://www.serversidemagazine.com/news/
10-questions-with-facebook-research-
engineer-andrei-alexandrescu/
Lots of good stuff in here, 2012-01-29


This Talk
• These slides are posted at
http://slidesha.re/KzTfLy
• Tools for building on CentOS
https://github.com/client9/hphp-tools
• More about Nick Galbreath
http://client9.com/


Nick Galbreath nickg@etsy.com @ngalbreath
PHPDay Verona Italy May 19, 2012
http://2012.phpday.it/

Static Analysis for PHP, from PHPDay Italy 2012

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (6)

Plus de Nick Galbreath

Plus de Nick Galbreath (15)

Dernier

Dernier (20)

Static Analysis for PHP, from PHPDay Italy 2012

Notes de l'éditeur