God of heat protection : exakat 1.0.8 review

exakat 1.0.8 review

Exakat 1.0.8 review

Exakat 1.0.8 is published during the #phpadvent 2017 event on twitter. Every day, get a new tip on how to make your PHP code better. For that, Exakat keeps improving, and we have a wealth of new analysis and bug fixes for this new version. Exakat doctor reports JAVA_HOME and JAVA_OPTIONS for tuning the installation. Analysis now have you covered for Symfony and WordPress undefined classes by version, for potential mistake concatenations and for identical variables on both sides of an operator. Time to detail the exakat 1.0.8 review.

Exakat doctor reports JAVA_HOME and JAVA_OPTIONS

Exakat is build with gremlin-server as a backend. Tokens are loaded in the graph database, and the various trees and diagrams are queries with the Gremlin traversal language. Gremlin server is build with Java. There are two important environment variables to know.

JAVA_HOME is the path to the java installation. By default it may be empty, and it should work fine. However, since Java is used by other tools, or with the version 9 coming up, another version may be referenced. So, just use this environment variable to configure the right java to use. Exakat is tested on Java 8. It may work on Java 7, but it is not monitored anymore.

JAVA_OPTIONS is the environment variable to use to allocate memory to Gremlin. Gremlin likes memory, and it is recommended to give it some room.

<?php
export JAVA_OPTION="-Xms32m -Xmx6512m"
?>

Xmx set the maximum amount of RAM that java may use. Xms is the starting amount of RAM. By default, java uses 32Mb to start, and 512Mb as a limit. This is already sufficient for the vast majority of audits.

When your code base reaches beyond 500 files, it is safe to upgrade Xmx to a few Gb.

Finally, as a remind, don’t forget to set the memory_limit of your cli PHP to -1, so it won’t be interrupted while building the database.

Symfony and WordPress version compatibility

Exakat already has version compatibility for Zend Framework and CakePHP. We extended the support of those analysis to Symfony and WordPress. For each middle version, ranging from Symfony 2.8 to 4.0, and WordPress 4.0 to 4.9, exakat reports the classes, traits and interfaces from the same framework, that don’t belong the mentioned version.

For example, you may recognize the two classes below. Both are from Symfony, but the first one is an old builder, while the Exception is valid in Symfony 4.

<?php
new Symfony\Component\Validator\Violation\\LegacyConstraintViolationBuilder( );

throw new Symfony\Component\Filesystem\Exception\InvalidArgumentException( );

?>

Symfony ships with around 1800 classes, traits or interfaces, and it may difficult to keep up. With exakat, it is now possible to spot every structures that goes extinct, and help at migration.

This is already the case for Zend Framework, Cake and several other frameworks are coming up, like Slim, Yii and Drupal. If you want your favorite framework listed here, just ping us.

Report mistaken scalar type

This week, Benoit Viguier reported this funny PHP error message :

PHP Fatal error: Uncaught TypeError: Return value of foo() must be an instance of integer, integer returned

This is due to an interesting difference between the error message and the typehint : the right PHP scalar type hint is int, not integer. You may very well name a class ‘integer’ and then, use it as return type.

You may also just make a mistake, and confuse integer and int.

Exakat has now a new analysis that report int and integer confusion. String is pretty safe, but real/float/double is and bool/boolean are both at risk.

This error will be easy to detect during execution : a fatal error kills the execution. Exakat tries harder to detect error even before the script is executed.

Besides, this kind of error is a classic human mistake : it may be fixed and committed before the unit tests are executed, because such a simple fix should pass without problems. We can find that kind of error in legacy code, with files that never compiled for the last few years.

Merci à Benoit!

Suspicious Concatenation in Array

Arrays are often used to build list of data. This is where a concatenation suddenly seems suspicious.

<?php
// This concatenation is suspicious
$letters = array('a', 'b', 'c'. 'd', 'e');

// This real number is suspicious
$letters = array(1, 2, 3.4, 5);

?>

Here, the dot is easily mistaken with the comma (. and ,). PHP and IDE won’t take notice of the problem, as both are valid syntax. 3.4 and ‘c’.’d’ are valid : actually, they may even be wanted. There is just no way to make the difference, while reading the code.

To reduce the amount of possible false positive, we focused on literal arrays : arrays that only include literal values, with a high level of consistency in the type being used.

This looks like a rare mistake : I don’t expect more than a couple of errors. We have already started running this error over our 1700 projects corpus, and it will be interesting to see the actual level of error for this analysis in the next EPIC report (Exakat PHP Index of Coding).

Indeed, knowing that PHP is the most efficient way to store and load data in an application, faster than reading and decoding JSON or INI, it is quite common for applications to have characters fonts, Chinese pinyin or country databases, including manually edited parts. We’ll see how this unfolds in the coming months.

Happy PHP code reviews

Exakat 1.0.8 received the contributions of several people, including Benoit Viguier, Philippe Gamache, Frédéric Magery. Many thanks to all of them for their insights. We are always looking for new ways to review PHP code and report code smells, so feel free to ping us on Twitter, or join the slack channel to send us a challenge.

All the 320+ analyzers are presented in the docs, including the permanent ‘For Using Functioncall‘, which slows any code by calling a function each loop. Download Exakat on exakat.io, upgrade it with ‘exakat.phar upgrade -u’ and like us on github: https://github.com/exakat/exakat.