Exakat 1.1.3 review

I always marvel at the power of small upgrades: improve 1% every day, and you’ll be 30 times better at the end of the year. Add a new analysis every week, and you’ll soon face 400 checks on your code. Since the last review, we added the ‘Global Local Variable’ and the ‘Useless Reference Argument’ analyses, which reduce the risk level in the code. Some improvements to the engine are also under way, though they are less visible, unless you are among the 2% using goto. Let’s walk through the Exakat 1.1.3 review.

Global Local Variable

This analysis is a cognitive dissonance: it happens when a variable is global, but is also used as a local variable, without the global keyword. As names are very important for our brain to keep track of things, it is easy to confuse which value that variable really holds.

<?php 
// an implicit global variable 
// with a special name 
$special = 1; 

function foo() { 
   $special = 'abc'; 

   // $special is now confused with its global value. 
   return 3 + $special; 
} 
?>

The situation may also stem from an oversight: a variable is always imported as a global, but the global keyword was forgotten. This is a classic mistake when things get rushed. However, it is often easily detected by a quick manual test, so it mostly happens when the code is updated but not immediately tested.


<?php 
function foo() { 
   // forgotten global 
   // $wpdb is supposed to be imported 

   return $wpdb->query('SELECT col FROM table');
}
?>

The analysis ‘Global Local Variable’ reports local variables that bear the same name as global variables. Such variables are easily mistaken for one another, and that should simply be avoided.

Useless referenced argument

When defining an argument as a reference, this analysis checks if the reference is potentially modified. If the argument is never modified within the method, then there is no need to mark it as a reference.

<?php 
// $b is a reference
function foo($a, &$b) { 
   // $b is read, but not written 
   $a = $b + 3; 
   return $a; 
} 

?>

Removing the useless reference may also prevent later bugs: leaving the reference in place means a later modification of the argument inside the function will impact the calling method.

Missing included files

Exakat now also reports missing included files. Nowadays, inclusions are mostly done with autoload. Inclusions are still in use, though: to load functions and constants, to include views, to load dictionaries or configurations, and to set up autoload itself.

Exakat checks the path for inclusions. Inclusions are detected with include, require, include_once and require_once. Attempts are made to resolve the path: ., .., __DIR__ and __FILE__ are replaced by their own value.

<?php 
   require_once(__DIR__ . '/ConfigHandlerTestBase.php'); 
?>

This analysis omits any path it can’t solve, like concatenations that include variables. Such values are only known at execution time, so they are difficult to resolve. On the other hand, we are working on solving concatenations that include constants.
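
The path check described above, sketched with PHP's tokenizer as an added example (this is not Exakat's own code). missingIncludes() is a hypothetical helper; it assumes POSIX paths and that relative paths resolve against the including file, and the sample source is constructed.

```php
<?php
// Added illustration, not Exakat's code; missingIncludes() is hypothetical.
function missingIncludes(string $code, string $file): array
{
    $kinds   = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $tokens  = token_get_all($code);
    $missing = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], $kinds, true)) {
            continue;
        }
        [$path, $line, $solved] = ['', $tokens[$i][2], true];
        for ($i++; $i < $n && $tokens[$i] !== ';'; $i++) { // rest of the statement
            $t = $tokens[$i];
            if (!is_array($t)) {
                // only concatenation and parentheses are understood here
                $solved = $solved && in_array($t, ['.', '(', ')'], true);
            } elseif ($t[0] === T_DIR || $t[0] === T_FILE) {
                $path .= $t[0] === T_DIR ? dirname($file) : $file;
            } elseif ($t[0] === T_CONSTANT_ENCAPSED_STRING) {
                $path .= substr($t[1], 1, -1);    // strip the quotes
            } elseif ($t[0] !== T_WHITESPACE && $t[0] !== T_COMMENT) {
                $solved = false;                  // variable, constant, call...
            }
        }
        if (!$solved || $path === '') {
            continue;                             // only known at execution time
        }
        if ($path[0] !== '/') {
            $path = dirname($file) . '/' . $path; // assumption: relative to the file
        }
        if (!file_exists($path)) {                // the OS resolves . and ..
            $missing[] = ['line' => $line, 'path' => $path];
        }
    }
    return $missing;
}

// Constructed sample: one existing file, two absent ones, one unsolvable path.
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
@mkdir($dir);
touch($dir . '/present.php');
$sample = <<<'PHP'
<?php
require_once(__DIR__ . '/present.php');
require_once(__DIR__ . '/ConfigHandlerTestBase.php');
include 'views/header.php';
include $base . '/plugin.php';
PHP;
print_r(missingIncludes($sample, $dir . '/index.php'));
```

The inclusion built from $base is skipped rather than reported, which mirrors the analysis leaving out paths it cannot solve.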

The error message inventory

Do you know the error messages that may be displayed by your application? Error messages are often used with exit, die or exceptions. Exakat collects all readable strings from those calls, and gathers them in the ‘error message inventory’.

Error messages are often left in the code, for later processing. They may be triggered by special situations, and escape testing strategies. Yet, when they happen in production, they stop the whole application in its tracks, and display a short message, such as:

  • Here be monsters
  • The impossible has happened
  • The database is dead
  • exception cause must be Exception, array, or PEAR_Error
  • Cannot clone the logger object
  • An error happened

The error inventory is a great place to start when grooming your code: updating the message to a better one, or upgrading the behavior from exit to an exception and its catch() clause makes the application more robust.

Check error messages at PHPMailer.

Of course, error messages also appear with echo or print, but those would yield too many false positives.

Happy PHP code reviews

Exakat 1.1.3 offers the largest library of analyses for PHP. We added some more last week, and also work on various frameworks, like Zend, CakePHP or Slim. If your favorite framework is not here, join us on the slack: we’ll be happy to adapt our tools to it.

All the 320+ analyzers are presented in the docs, including the zealous ‘Crc32() Might Be Negative’: crc32() may return a negative number on 32-bit platforms (rare bug, 2%).

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github: https://github.com/exakat/exakat.