PHP validity checker

phil.davis

Greetings,
There seem to be a "never-ending" trickle of bugs that are found that are simply typos of function or variable names. The latest is https://github.com/pfsense/pfsense/commit/7fd38f44ba327ab1cd1cad3ac76ebb169ccb12e0
Somehow when a module is loaded, the PHP parser does not go through the whole thing and find any function calls that are to unknown function names. So it waits until the particular code path is traversed before the error appears.
Also there is the problem that in PHP a var does not have to be declared before being used, so a typo in a var name just results in the data being blank, and the code barrels on until something bad happens or the system does something, but not quite what was wanted.
It would be good to find all these "dumb" errors and fix them.

Are there some tools somewhere that can parse the whole system and report references to unknown function names, and suspect vars?

Tikimotel

Some of the css files can also use some tidy-ing.
I  put the pfsense_ng theme "all.css" and "login.css" through csstidy1.3 using a site called http://devilo.us/ and save them back in to my pfsense.
advanced options:

• Compression = Medium (balanced)

• Optimise shorthand = Yes, common+fonts

• Discard invalid properties = CSS 3 compatible

• Preserve comments = On

Not only are they smaller, but the browsers complain less.

Some of the links to javascript and theme-files could use a fixed location instead of relative.
In "system.inc" I change "./themes/" to "/themes/" for 3 instances.
In "fbegin.inc" I change "javascript/domTT/" to "**/**javascript/domTT/" for 4 instances @ line 348.

For the status page in unbound I change the status width to 88 from 101 to fit the pfsense_ng theme better.

Alas I don't know of any tools to help with php development other than being carefull and maybe create a list of all the reused variable names so you use the correct naming convention.

bryan.paradis

Could move to a higher error reporting level and clean it up and leave that as the norm maybe

http://php.net/manual/en/function.error-reporting.php

A quick look around:

http://phpcodechecker.com/

http://www.icosaedro.it/phplint/phplint-on-line.html

http://www.meandeviation.com/tutorials/learnphp/php-syntax-check/v5-3/syntax-check.php

http://www.piliapp.com/php-syntax-check/

Depends on error_reporting level

php -l <filename></filename>

Using an IDE that is aware of what you are doing would certainly make it harder to type in something wrong.

robi

@Tikimotel:

…the browsers complain less.

How do you mean that? I didn't see any complain so far from my Firefox, however, I'm still interested of what I don't notice…

eri--

Unfortunatley, no.

The only validator is php -l but it does not go through the code path.

The alternative is to use unit testing but with php that is such a big mess.

Tikimotel

@robi:

@Tikimotel:

…the browsers complain less.

How do you mean that? I didn't see any complain so far from my Firefox, however, I'm still interested of what I don't notice…

Chrome : Left mouse button "inspect element".
Firefox: Left mouse button "Inspect element (Q)".

Example of Devilo.us Parser log:

99
Removed invalid property: filter
100
Removed invalid property: -moz-opacity
119
Removed invalid property: -moz-opacity
125
Removed invalid property: filter
126
Removed invalid property: -moz-opacity
140
Removed invalid property: -moz-opacity
146
Removed invalid property: align
459
Removed invalid property: filter
460
Removed invalid property: -moz-opacity
472
Added semicolon to the end of declaration
533
Added semicolon to the end of declaration
547
Removed invalid property: filter
548
Removed invalid property: -moz-opacity
1247
Added semicolon to the end of declaration
1368
Removed invalid property: <--background-color
1369
Removed invalid property: thiscausinglightgrayrectanglestotherightofmanytablesingui--padding-right
Optimised color: Changed '#990000' to '#900'
Optimised color: Changed 'white' to '#fff'
Optimised color: Changed '#FFD9D1' to '#ffd9d1'
Optimised color: Changed '#000000' to '#000'
Optimised color: Changed '#333333' to '#333'
Optimised color: Changed '#FFFFFF' to '#fff'
Optimised number: Removed unit 'px' from '0px'
Optimised color: Changed '#550000' to '#500'
Optimised color: Changed '#666666' to '#666'
Optimised color: Changed '#eeeeee' to '#eee'
Optimised color: Changed '#ffffff' to '#fff'
Optimised color: Changed 'black' to '#000'
Optimised color: Changed '#777777' to '#777'
Optimised color: Changed '#DDDDDD' to '#ddd'
Optimised color: Changed '#999999' to '#999'
Optimised color: Changed '#FFFFC6' to '#ffffc6'
Optimised color: Changed '#CC0000' to '#c00'
Optimised color: Changed '#A0A0A0' to '#a0a0a0'
Optimised color: Changed '#BBBBBB' to '#bbb'
Optimised color: Changed '#D9DEE8' to '#d9dee8'
Optimised color: Changed '#EEEEEE' to '#eee'
Optimised color: Changed '#3366cc' to '#36c'
Optimised color: Changed '#cccccc' to '#ccc'
Optimised number: Removed unit 'em' from '0em'
Optimised color: Changed '#B1B1B1' to '#b1b1b1'
Optimised color: Changed '#CCCCCC' to '#ccc'
Optimised number: Removed unit '%' from '0%'
Fixed invalid color name: Changed 'LimeGreen' to '#32cd32'
Optimised color: Changed 'LimeGreen' to '#32cd32'

cmb

I suspect if you cranked up PHP's logging you'd possibly find some such issues, but you'd have to parse through so much noise I'm not sure that would be effective.

One would think there are static analysis tools that would find things along those lines, and there probably are. I haven't had a chance to look for that specifically. The static analysis I do on our code base is security-focused.

jimp

At one time we talked about a git hook that would reject a push if it failed a simple "php -l" validation. It's not perfect, but it would catch common mistakes/obvious typos.