PHP validity checker



  • Greetings,
    There seem to be a "never-ending" trickle of bugs that are found that are simply typos of function or variable names. The latest is https://github.com/pfsense/pfsense/commit/7fd38f44ba327ab1cd1cad3ac76ebb169ccb12e0
    Somehow when a module is loaded, the PHP parser does not go through the whole thing and find any function calls that are to unknown function names. So it waits until the particular code path is traversed before the error appears.
    Also there is the problem that in PHP a var does not have to be declared before being used, so a typo in a var name just results in the data being blank, and the code barrels on until something bad happens or the system does something, but not quite what was wanted.
    It would be good to find all these "dumb" errors and fix them.

    Are there some tools somewhere that can parse the whole system and report references to unknown function names, and suspect vars?



  • Some of the css files can also use some tidy-ing.
    I  put the pfsense_ng theme "all.css" and "login.css" through csstidy1.3 using a site called http://devilo.us/ and save them back in to my pfsense.
    advanced options:

    • Compression = Medium (balanced)

    • Optimise shorthand = Yes, common+fonts

    • Discard invalid properties = CSS 3 compatible

    • Preserve comments = On

    Not only are they smaller, but the browsers complain less.

    Some of the links to javascript and theme-files could use a fixed location instead of relative.
    In "system.inc" I change "./themes/" to "/themes/" for 3 instances.
    In "fbegin.inc" I change "javascript/domTT/" to "**/**javascript/domTT/" for 4 instances @ line 348.

    For the status page in unbound I change the status width to 88 from 101 to fit the pfsense_ng theme better.

    Alas I don't know of any tools to help with php development other than being carefull and maybe create a list of all the reused variable names so you use the correct naming convention.



  • Could move to a higher error reporting level and clean it up and leave that as the norm maybe

    http://php.net/manual/en/function.error-reporting.php

    A quick look around:

    http://phpcodechecker.com/

    http://www.icosaedro.it/phplint/phplint-on-line.html

    http://www.meandeviation.com/tutorials/learnphp/php-syntax-check/v5-3/syntax-check.php

    http://www.piliapp.com/php-syntax-check/

    
    Depends on error_reporting level
    
    php -l <filename></filename>
    

    Using an IDE that is aware of what you are doing would certainly make it harder to type in something wrong.



  • @Tikimotel:

    …the browsers complain less.

    How do you mean that? I didn't see any complain so far from my Firefox, however, I'm still interested of what I don't notice…



  • Unfortunatley, no.

    The only validator is php -l but it does not go through the code path.

    The alternative is to use unit testing but with php that is such a big mess.



  • @robi:

    @Tikimotel:

    …the browsers complain less.

    How do you mean that? I didn't see any complain so far from my Firefox, however, I'm still interested of what I don't notice…

    Chrome : Left mouse button "inspect element".
    Firefox: Left mouse button "Inspect element (Q)".

    Example of Devilo.us Parser log:

    
    99
    Removed invalid property: filter
    100
    Removed invalid property: -moz-opacity
    119
    Removed invalid property: -moz-opacity
    125
    Removed invalid property: filter
    126
    Removed invalid property: -moz-opacity
    140
    Removed invalid property: -moz-opacity
    146
    Removed invalid property: align
    459
    Removed invalid property: filter
    460
    Removed invalid property: -moz-opacity
    472
    Added semicolon to the end of declaration
    533
    Added semicolon to the end of declaration
    547
    Removed invalid property: filter
    548
    Removed invalid property: -moz-opacity
    1247
    Added semicolon to the end of declaration
    1368
    Removed invalid property: <--background-color
    1369
    Removed invalid property: thiscausinglightgrayrectanglestotherightofmanytablesingui--padding-right
    Optimised color: Changed '#990000' to '#900'
    Optimised color: Changed 'white' to '#fff'
    Optimised color: Changed '#FFD9D1' to '#ffd9d1'
    Optimised color: Changed '#000000' to '#000'
    Optimised color: Changed '#333333' to '#333'
    Optimised color: Changed '#FFFFFF' to '#fff'
    Optimised number: Removed unit 'px' from '0px'
    Optimised color: Changed '#550000' to '#500'
    Optimised color: Changed '#666666' to '#666'
    Optimised color: Changed '#eeeeee' to '#eee'
    Optimised color: Changed '#ffffff' to '#fff'
    Optimised color: Changed 'black' to '#000'
    Optimised color: Changed '#777777' to '#777'
    Optimised color: Changed '#DDDDDD' to '#ddd'
    Optimised color: Changed '#999999' to '#999'
    Optimised color: Changed '#FFFFC6' to '#ffffc6'
    Optimised color: Changed '#CC0000' to '#c00'
    Optimised color: Changed '#A0A0A0' to '#a0a0a0'
    Optimised color: Changed '#BBBBBB' to '#bbb'
    Optimised color: Changed '#D9DEE8' to '#d9dee8'
    Optimised color: Changed '#EEEEEE' to '#eee'
    Optimised color: Changed '#3366cc' to '#36c'
    Optimised color: Changed '#cccccc' to '#ccc'
    Optimised number: Removed unit 'em' from '0em'
    Optimised color: Changed '#B1B1B1' to '#b1b1b1'
    Optimised color: Changed '#CCCCCC' to '#ccc'
    Optimised number: Removed unit '%' from '0%'
    Fixed invalid color name: Changed 'LimeGreen' to '#32cd32'
    Optimised color: Changed 'LimeGreen' to '#32cd32'
    


  • I suspect if you cranked up PHP's logging you'd possibly find some such issues, but you'd have to parse through so much noise I'm not sure that would be effective.

    One would think there are static analysis tools that would find things along those lines, and there probably are. I haven't had a chance to look for that specifically. The static analysis I do on our code base is security-focused.


  • Rebel Alliance Developer Netgate

    At one time we talked about a git hook that would reject a push if it failed a simple "php -l" validation. It's not perfect, but it would catch common mistakes/obvious typos.