Static analysis for PHP Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow diagram, abstract syntactic trees, acyclic dependency graph. If all this seems far and remote from PHP, come and learn how they apply to your favorite language! We'll see how to combine all those aspects to build a useful auditing engine.

1. Understanding static
analysis
AmsterdamPHP 2018, The Netherlands

2. Agenda
What is static analysis
How does it work
How can you take advantage of it

3. Damien Seguy
CTO at Exakat
Static analysis engine for PHP
Ik ben een boterham

4. Code review
Reading on the IDE
Automated code
review
L'analyse statique, c'est quoi?
Manual
code review
Higher
abstraction
Simple review
Systématic

5. Synopsis
Convert PHP code into data
Add more knowledge
Query the internal database

6. Static analysis
Performences
Hosting
Sécurity
Migration 7.3
 
 

Tokenization
Memory
Source
Audits

7. An extra step
Opcode cache
Optimization
Text file
Tokens / syntax
Static analysis
Execution

8. PHP Tokens
token_get_all()
Comments, phpDoc, spaces
Delimiters : ' " () {} [] `
2 tokens out of 3 are ignored
[248] => Array
(
[0] => 382
[1] =>
[2] => 167
)
[249] => Array
(
[0] => 319
[1] => define
[2] => 167
)
[250] => (
[251] => Array
(
[0] => 323
[1] => 'EXT'
[2] => 167
)
[252] => ,
[253] => Array
(
[0] => 382
[1] =>
[2] => 167
)
<?php
//....
define('EXT', '.php');

9. AST
<?php
$a = 1;
echo foo($a);
function foo($b) {
if ($b % 2) {
return $b / 2;
} else {
return $b * 3 + 1;
}
}
Abstract
syntactic
tree

10. Playing in the tree
Spot PHP features
Variable, Function,
Addition, Multiplication,
Ifthen, Return

11. Jouons dans l'arbre
Parameters, Variables
Properties, array variable,
object variable, static
property name, global
variable, static variable
Everything is a T_VARIABLE

12. Parameter counts

13. Local variable counts
0,00
25,00
50,00
75,00
100,00
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

14. Play in the tree
Local patterns
$a = 1 + $b;
$a = $a + 1;
$z = $a + $b + $d - $b + $e;
Assignat
ion
$a Addition
LEFT RIGHT
$b
RIGHT
1
LEFT
Motif
Analyse
Analyse

15. PHP is not a tree
Link definitions with usage

16. Definitions and usage
Function and functioncalls
class X and instantiations
define('A') or const A and A or A
$variable and their hidden definition

17. AST
<?php
$a = 1;
echo foo($a);
function foo($b) {
if ($b % 2) {
return $b / 2;
} else {
return $b * 3 + 1;
}
}

18. Définitions et usages

19. Definitions and usage
Function definition
Parameters
Functioncall
Arguments
Context
foo($a)
DEFINITION
function
foo($b)
$a = 2 NEXT echo $a
Sequence
NEXT
BLOCK

20. Definitions and usage
Function definition
Parameters
Functioncall
Arguments
Context
foo($a[1])
DEFINITION
function
foo($b)
foo($b)
foo($a)
foo($a)
DEFINITION
DEFINITION
DEFINITION

21. Definitions and usage
Function definition
Parameters
Functioncall
Arguments
Context
foo($a[1])
DEFINITION
function
foo($b)

22. What is that?
One function call,
Multiple definition?
function
foo($b)
DEFINITION
foo($a)
function
foo($b)
function
foo($b)
function
foo($b)
DEFINITION
DEFINITION
DEFINITION

23. Dead Function
<?php
function morte($z) { }

24. Dead Function
A function without
outgoing DEFINITION
function
foo($b)

25. Dead Function
<?php
function morte($z) { }

26. Dead Function (hard)
<?php
function morte($z) { }

27. Dead Function (Hard)
The linear propagation of
death
function
foob($b)
function
fooa($b)
DEFINITION

28. Dead Function (very hard)
<?php
function morte($z) { }

29. Dead Function (very hard)
Fonctions récursives
function
foo($b)
foo($a)
BLOCK
DEFINITION
EXPRESSION
Sequence

30. Dead Function (hardest)
<?php
function morte($z) { }

31. Dead Function (hardest)
Recursive, level 2
Recursive, level 3
Recursive, level 4…
DEFINITION
function
foob($b)
function
fooa($b)
DEFINITION

32. Dead Function (hardest)
Recursive, level 2
Recursive, level 3
Recursive, level 4…
DEFINITION
function
foob($b)
function
fooa($b)
DEFINITION
function
fooc($b)
DEFINITION

33. Dead functions
No call to the function
Function called by dead functions
Recursive functions
Level 2+ recursive functions

34. What fresh hell is that?
Call to function without
definition ?
bar($a)

35. Functions without definition
PHP extensions
Components
Higher level of abstraction
Components
PHP Extensions
Code PHP

36. Identifying extensions
API
Functions, constants
Classes, interfaces, traits, namespaces
Configuration directives
Natives extensions, PECL, independent

37. Extension usage
Removed extensions
APC, posix
Added extensions
AST, libsodium
Extension evolution
Nouvelle classe, fonctions obsolètes, corrections…
APIExt
PHP
code

38. Recognizing extensions

39. Recognizing frameworks

40. Identify a component
Component
Versions
Classes
Méthods
Arguments

41. Identify a component
Code
repository
Versions
Static
analysis
Compatibility
phpJuicer

42. Compatibility
Check the API version
Check the correct usage of the API
Validate contextual usage :
error_reporting(E_ERROR | E_WARNING | E_PARSE)

44. Creating an analysis

45. Beyond the docs
Coach your users
Usage stats
Compatibility usage
Suggestions

46. Bedankt
@exakat / https://www.exakat.io/