Exakat 1.1.7 review

Exakat 1.1.7 and 1.1.6 are reviewed together this week. Two new reports are introduced: Stats and Fitting PHP version. Several new analyses are added: a suggestion to use array_fill_keys(), 4 new PHP extensions, and a classic TOCTOU problem. It is time to walk through the Exakat 1.1.7 review.

New Stats and Fitting PHP report

Exakat 1.1.7 features two new reports: stats and fitting PHP report.

Fitting PHP report

This report displays features with their compatibility across versions. For example, anonymous classes are valid since PHP 7.0, and defining multiple parameters with the same name in a method is not valid since PHP 7.0.

Exakat finds the incompatibilities in the audited code, and collects them in a single report. It gives a great overview of the code’s compatibility state: both what lies ahead and what is not possible to do anymore.

It was interesting to see that detecting the fitting PHP version is sometimes not possible: when the code checks the PHP version and decides to include adapted code, the source ends up with files that are compatible with one version, and others that are compatible with another. The final result is an apparent paradox: code that, taken as a whole, fits no single PHP version.

The Stats report is a spin-off from the Ambassador report. It lists a number of elements from the code, along with their number of occurrences. For example, we can see here that kliqqi includes 20 classes and 272 functions, but no namespaces.

{
    "Summary": {
        "Namespaces": 0,
        "Classes": 20,
        "Interfaces": 0,
        "Trait": 0,
        "Functions": 272,
        "Variables": 25979,
        "Constants": 288
    },
    "Structures": {
        "Ifthen": 3354,
        "Else": 724,
        "Switch": 31,
        "Case": 181,
        "Default": 18,
        "Fallthrough": 0,
        "For": 62,
        "Foreach": 267,
        "While": 52,
        "Do..while": 0,
        "New": 270,
        "Clone": 0,
        "Class constant call": 0,
        "Method call": 3936,
        "Static method call": 6,
        "Properties usage": 0,
        "Static property": 0,
        "Throw": 3,
        "Try": 1,
        "Catch": 1,
        "Finally": 0,
        "Yield": 0,
        "Yield From": 0,
        "?  :": 156,
        "?: ": 4,
        "Variables constants": 0,
        "Variables variables": 15,
        "Variables functions": 7,
        "Variables classes": 0
    }
    ....

Stats also includes counts for structures and classes. Stats gives information about the code structure and features usage. It is also great to store, commit after commit, to see the evolution of the code.

The Stats report was introduced in 1.1.6 and the Fitting PHP report was introduced in 1.1.7.

Finally, we added an ‘All’ format, which produces every format available in the current Exakat version. That makes quite a lot of reports, so be cautious when asking for this speciality. On the other hand, it is a great way to browse all the reports, and find the one you like.

TOCTOU in PHP

TOCTOU stands for Time Of Check, Time Of Use. Here it applies to the silent cast that PHP may apply to values at various points in the code. For example, this code:

<?php
  // the check is made on the original value of $a ...
  if ($a != 0) {
    // ... but the division uses the value after the cast to int
    echo 4 / (int) $a;
  }
?>

Although the variable $a is checked as non-zero, the following cast to integer may very well yield 0, and lead to a DivisionByZero error. Try it with $a = 0.2; to understand the problem.

Exakat now reports those situations with the Test Then Cast report.
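The same division written both ways, as an added example (not code from the Exakat project): the shape that Test Then Cast reports, beside a version that tests the very value it uses. The function names are ours; intdiv() is used instead of the / operator so that the failure is a DivisionByZeroError exception on every PHP 7 version, whereas / only throws from PHP 8.0.

```php
<?php
// Added example, not Exakat's own code.

// Flagged shape: the test sees 0.2, the division sees (int) 0.2, which is 0.
function divideTestThenCast($a)
{
    if ($a != 0) {                      // time of check: 0.2 passes
        try {
            return intdiv(4, (int) $a); // time of use: divisor is 0
        } catch (DivisionByZeroError $e) {
            return null;                // reached for $a = 0.2, despite the check
        }
    }
    return null;
}

// Hardened shape: cast once, keep the result, test and use the same value.
function divideCastThenTest($a)
{
    $divisor = (int) $a;
    if ($divisor === 0) {
        return null;                    // rejected up front, no error path needed
    }
    return intdiv(4, $divisor);
}

var_dump(divideTestThenCast(0.2));  // NULL, but only via the caught exception
var_dump(divideCastThenTest(0.2));  // NULL, rejected by the post-cast test
var_dump(divideCastThenTest(2));    // int(2)
```

The general rule behind the hardened version: any value that is cast, rounded or otherwise normalised before use must be tested after that normalisation, not before it.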

Support 4 new extensions

Exakat includes support for 4 new extensions: uopz, opencensus, varnish, xxtea.

ext/uopz stands for “User Operations for Zend”. It exposes Zend Engine functionality used at compilation and execution time, allowing modification of the internal structures.

For example, it allows deletion of constants, copying, backup and renaming of functions and methods, and alteration of classes. This extension is particularly useful for testing frameworks, which may have to break some rules to make testing easier.

<?php
  // a constant defined normally ...
  define("MY", true);
  // ... and removed again at runtime by uopz
  uopz_undefine("MY");
  var_dump(defined("MY")); // false
?>

ext/opencensus is a stats collection and distributed tracing framework. It works with the opencensus.io library, which collects and traces metrics in the application, and sends them to an analysis tool. It also has integration libraries for Laravel, Symfony, WordPress, etc.

<?php
// load composer dependencies
require_once('/path/to/vendor/autoload.php');

use OpenCensus\Trace\Exporter\StackdriverExporter;
use OpenCensus\Trace\Tracer;

// hook the WordPress integration, then start tracing with a Stackdriver exporter
OpenCensus\Trace\Integrations\Wordpress::load();
$exporter = new StackdriverExporter();
Tracer::start($exporter);
?>

ext/xxtea is a PECL extension that implements the XXTEA encryption algorithm. It is a simple algorithm, with a low footprint.

<?php
    require_once("xxtea.php");
    $str = "Hello World! 你好,中国!";
    $key = "1234567890";
    // round-trip the string through the extension with the same key
    $encrypt_data = xxtea_encrypt($str, $key);
    $decrypt_data = xxtea_decrypt($encrypt_data, $key);
    if ($str == $decrypt_data) {
        echo "success!";
    } else {
        echo "fail!";
    }
?>

The array_fill_keys() suggestion

The Ambassador report, the default report from Exakat, includes a ‘Suggestions’ section. Those suggestions upgrade the code with native PHP functions or better techniques.

For example, it is classic to set up an array with a list of keys.

<?php

$keys = range('a', 'z');

// Fast way to build the array: every key gets the value 0 in one call
$b = array_fill_keys($keys, 0);

// Slow way to build the array: one assignment per key
$b = array();
foreach($keys as $a) {
    $b[$a] = 0;
}

?>

The suggestions section has a lot of those improvements: Substring First, which suggests shortening a string before manipulating its content; Never Used Parameter, which reports parameters in function definitions that are never used; or Should Use array_column(), to extract efficiently indices and properties from arrays of values.
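Two of those suggestions carried through, as an added example (not code from the Exakat project): the slow shape beside the native one for Should Use array_column(), then Substring First. The rows and the text are constructed for the demonstration.

```php
<?php
// Added example, not Exakat's own code. Sample rows are constructed.
$users = [
    ['id' => 7,  'name' => 'alice', 'role' => 'admin'],
    ['id' => 12, 'name' => 'bob',   'role' => 'user'],
];

// Should Use array_column(): extract one field from a list of rows,
// optionally indexed by another field.
$names = [];
foreach ($users as $user) {
    $names[$user['id']] = $user['name'];
}
$namesNative = array_column($users, 'name', 'id');
var_dump($names === $namesNative);   // bool(true): [7 => 'alice', 12 => 'bob']

// Substring First: cut the string down, then transform only what is kept.
$text = str_repeat('lorem ipsum ', 10000);      // 120 000 bytes
$slow = substr(strtoupper($text), 0, 20);       // upper-cases all 120 000 bytes
$fast = strtoupper(substr($text, 0, 20));       // upper-cases 20 bytes
var_dump($slow === $fast);           // bool(true), same result at a fraction of the work
```

Substring First only holds when the transformation is byte-local, as strtoupper() is on single-byte text; a function whose output length depends on the whole input cannot be reordered this way.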

Happy PHP code reviews

With Exakat 1.1.7, audit and improve your PHP code. Exakat helps both to remove bugs and to use efficient native PHP functions. You may use it to learn new tricks for your code.

All the 344 analyzers are presented in the docs, including the delightful preg_match_all() Flag: preg_match_all() has an option to configure the structure of the results; it is either by capturing parenthesis (by default), or by result sets. It’s a rare bug, rated at 5%, but it makes the code really cleaner.
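The two result layouts of preg_match_all() side by side, as an added example (not from the Exakat docs): the default PREG_PATTERN_ORDER groups results by capturing parenthesis, PREG_SET_ORDER groups them by match. The log line is constructed for the demonstration.

```php
<?php
// Added example, not Exakat's own code. The log line is constructed.
$log = "user=alice ip=10.0.0.1 user=bob ip=10.0.0.2";
$pattern = '/user=(\w+) ip=([\d.]+)/';

// Default (PREG_PATTERN_ORDER): one sub-array per capturing group.
// $byGroup[1] = ['alice', 'bob'], $byGroup[2] = ['10.0.0.1', '10.0.0.2']
preg_match_all($pattern, $log, $byGroup);
// Re-associating a user with its ip needs a parallel index walk.
$pairs = [];
foreach ($byGroup[1] as $i => $user) {
    $pairs[$user] = $byGroup[2][$i];
}

// PREG_SET_ORDER: one sub-array per match, holding the full match and its groups.
// $bySet[0] = ['user=alice ip=10.0.0.1', 'alice', '10.0.0.1']
preg_match_all($pattern, $log, $bySet, PREG_SET_ORDER);
$pairsBySet = [];
foreach ($bySet as [, $user, $ip]) {   // slot 0 (the full match) is skipped
    $pairsBySet[$user] = $ip;
}

var_dump($pairs === $pairsBySet);   // bool(true): ['alice' => '10.0.0.1', 'bob' => '10.0.0.2']
```

When the code needs every group of one match together, as in the loop above, PREG_SET_ORDER removes the index bookkeeping, which is the cleanup this analyzer suggests.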

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on GitHub: https://github.com/exakat/exakat.