Code auditing

6 new PHP analyzers in Exakat 0.10.3

Posted on by dams

marble.3206 new PHP analyzers in Exakat 0.10.3

Exakat 0.10.3 shipped with 6 new PHP analyzers : see the changelog. Here is a short presentation of them :

Use array_column()

array_column() is a little known PHP native function. Read about the story : Ben Rasmey tells it himself : https://benramsey.com/projects/array-column/. When you plan to contribute to the PHP code with a new feature, that article is a must to interesting to read.

array_column() extracts one index in an array of array. You may recognize the pattern from the code :

<?php
$column = array() ;
foreach($array as $key => $array2) {
  $column[] = $array2['index'] ;
}

?>

This works on arrays of arrays, or arrays of objects. It also ignores any missing property, so if some of the elements are missing the requested ‘index’, you won’t see any error display.

Exakat reports code that may benefit from using array_column(). Go, use it, it’s faster as it is native.

__DIR__ must be concatenated with a directory separator

The magic constant __DIR__, and the dirname() function, provides a path without a final ‘/’. So, when prepending __DIR__ to a relative path, make sure that this path starts with a directory separator.

<?php
// Probably OK
$fullpath = __DIR__.'/relative/path.php' ;

// Probably Wrong : /a/b/crelative/path.php' ;
$fullpath = __DIR__.'relative/path.php' ;
?>

This analysis shall not yield many results, but will catch a bug. It will find errors in blindly modified code, or less tested part of it.

Parent, self or static outside a class

Parent, self and static may be used to reference the current class. They may be also mentioned outside a class, and PHP lint it without error. At execution time, unless the code is included in the class, the call fails. Strangely enough, PHP detects a wrong usage of self in a typehint, with an error message : Cannot use “self” when no class scope is active 

<?php

//No such class. as self ;
echo self::CONSTANT ;

// PHP lint detects this :
function foo(self $x) {}

?>

multiple aliases per class

This analysis reports when various aliases are used for the same namespace, in a use expression.

File1.php
<?php

use A\B\C as D ;

?>

File2.php
<?php

use A\B\C as E ;

?>

The use expressions are compared across the whole code source. This means that A\B\C is called D in a file, and E in another file. This is perfectly legal, and even, having several times the same namespace, aliased with different names in the same file is legal and useful (imagine upgrading code from an old class to a new one).

However, giving different aliases to the same class may complicate code maintenance, and lead to omissions when reviewing the code. This is a case where consistence is important.

Property used once

This is the ‘property’ version of the infamous ‘variable used once’ syndrom. The property is used once in a class : either for reading or for writing. But not twice, which could lead to one write and one read.

Now, properties may be used once is some situations : for example, to avoid littering the code with a literal (that should be a constant then), or to provide a value to a parent class. It is probably worth checking why a property is used only once in its class.

Property used only in one method

This analysis is a variation on the previous one. When a property is used only in one method, shouldn’t it be a local variable ? Note that the property may be used several times in one method, both for reading and writing : it is reported here because it is only used in this method.

The property may be turned into a static variable, so as to keep the code using only local variable.

<?php

class foo{
  private $count = 0 ;
  public function count() {
    return ++$this->count;
  }

  public function countWithoutProperty() {
    static $count = 0 ;
    return ++$count;
  }
}
?>

Download exakat now

Exakat 0.10.3 has a wide range of new analysis : some are guarding your back against overlooked errors, (see __DIR__ analysis) ; other may drag your attention to part of the code that look suspicious, (see the properties used in one method only). Exakat report files and line numbers, so all the hard work of searching is already done : happy code cleaning.