Exakat 1.2.1 review : Fu Yi

Exakat 1.2.1 review

Exakat 1.2.1 brings several new analysis, and a boost of speed with improved concurrency. Analysis now suggest simplifying chr() calls, mistaking increment operator and reducing complexity of expressions. The Favorites report displays properties declarations style. So, without transition, here is the Exakat 1.2.1 review.

Fastest Exakat version ever

At the heart of Exakat is the Gremlin Server, a graph database running with the Gremlin traversal language. This is the database that has to be installed when downloading Exakat. The database handles all the queries, and exakat made progress to handle multiple queries at the same time. This means taking full advantage of modern architecture, and reporting results faster.

Now, the code has been stabilized, and we are monitoring it in production. We are now satisfied with the situation, and are finishing the last bugs, before moving to the next architecture change.

Mistaking the incremental operator

Here is one pattern that is hard to detect with a proof-read : $a = +$b;. The second + has been forgotten. It turns the increment operator into a simple + operator, which has no impact here.

This is the youngest brother of a growing family of typo that tends to cost a lot of time and frustration. They are very rare, hitting us often at less than 1% rate, but when they do, you can be sure to learn new abuses. Here is a short presentation of the whole family :

  • foreach($a as $b) ; ++$c; : Note the extra ;
  • foreach($a as $b->b) ++$c; : Note the -> instead of => ;
  • $array = ['a', 'b'. 'c', 'd', ]; : Note the . inside
  • if ($a = 1) { ... : Although, iffectations are valid and mostly well used
  • include 'a' or die(); : that won’t include a boolean
  • $a = $b and $c : $a is $b, not $b and $c;

All of those typos have been found in real code (although, names have been changed to protect the culprits). Do you know other frustrating code typos ? Drop us a note on twitter or github and we’ll add it to the exakat coding reference! This is where static analysis shines : capitalizing experience, and relentlessly checking the code even when it is rare.

Too many Native calls

The longer they are, the harder the expression are to read. While we strive to keep our methods short, it happens that some expression get wild and grow tremendously.

Think about concatenations, for example. Up to seven variables, they may be still readable. You may even find ways to keep them readable even past that number, though it may not be for everyone.

On the other hand, when the same-sized concatenation includes as many PHP native calls, that makes a really difficult to read expression. Take this

@unlink(getcwd( ) . substr($fileFrom, strlen($unzip_dir), strlen($fileFrom)))

It only includes 5 PHP native calls : unlink, substr, getcwd and strlen (twice). Although, the accumulation of those makes the whole expression difficult to read, and very little errors are handled.

After a first check, it appears that most expressions include up to 4 PHP native function calls. Expressions using more than 5 native functions calls are getting very rare, and may be reported safely. It also appears that a lot of them are printing data, like this code :

@print (preg_replace('#/\*\s*\*/\s*#', '', str_replace('url(\'\')', 'none', str_replace('url("")', 'none', preg_replace('#\{\$[^\}]*\}#', '', file_get_contents($FILE_BASE . '/themes/default/css/global.css'))))))

Exakat is now reporting those expressions, in order to help with readability.

Simplifying chr() calls

It has came to our attention that many applications are using chr(123) calls to create special characters while keeping the code compatible with varying encoding. This is the case, for example, for tabulation chr(9). They often appear in filtering functions to remove them.

Now, PHP has lots of methods to specify characters directly inside a string, with character sequences. Those are compiled into opcodes. Their usage prevents the calling of the chr() function. chr() is only executed at call time, and should be reserved for dynamic character generation, with variables or other kind of containers.

Here is a short remainder of character sequences in PHP, applied to ‘horizontal tabulation’.

  • “\t” : special sequence
  • “\011” : in octal
  • “\u{9}” : in Unicode codepoint
  • “\x9”; in hexadecimal

Happy PHP code reviews

All the 344 analyzers are presented in the docs, including the agreeable Failed Substr Comparison: always check that extracted string must be of the size of the compared string. It’s a general PHP bug, rating at 11% : it actually leads to dead code.

You can check all of the exakat reports at the gallery : exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github.