PHP code->rules - Speaker Deck

Slide 1

Slide 1 text

Code -> Linter rules Pattern-based static analysis

Slide 2

Slide 2 text

Right into the action!

Slide 3

Slide 3 text

$last = $a[count($a)]; Step 1: ﬁnd the bad code example Off-by-one mistake

Slide 4

Slide 4 text

Step 2: extract it as a pattern $last = $a[count($a)]; That’s our pattern!

Slide 5

Slide 5 text

Step 3: apply the pattern

Slide 6

Slide 6 text

phpgrep by examples

Slide 7

Slide 7 text

@$_ Find all usages of error suppress operator 4.7s / 6kk SLOC / 56 Cores

Slide 8

Slide 8 text

in_array($x, [$y]) Find in_array calls that can be replaced with $x == $y 4.6s / 6kk SLOC / 56 Cores

Slide 9

Slide 9 text

$x ? true : false Find all ternary expressions that could be replaced by just $x 4.7s / 6kk SLOC / 56 Cores

Slide 10

Slide 10 text

$_ == null null == $_ Find all non-strict comparisons with null 4.5s / 6kk SLOC / 56 Cores

Slide 11

Slide 11 text

for ($_ == $_; $_; $_) $_ Find for loops where == is used instead of = inside init clause 4.6s / 6kk SLOC / 56 Cores

Slide 12

Slide 12 text

Just like Semgrep?

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

Semgrep NoVerify+phpgrep

Slide 15

Slide 15 text

● A brief phpgrep history Main topics for today

Slide 16

Slide 16 text

● A brief phpgrep history ● NoVerify dynamic rules Main topics for today

Slide 17

Slide 17 text

● A brief phpgrep history ● NoVerify dynamic rules ● AST pattern matching Main topics for today

Slide 18

Slide 18 text

● A brief phpgrep history ● NoVerify dynamic rules ● AST pattern matching ● Running rules efﬁciently Main topics for today

Slide 19

Slide 19 text

● A brief phpgrep history ● NoVerify dynamic rules ● AST pattern matching ● Running rules efﬁciently ● Dynamic rules pros & cons Main topics for today

Slide 20

Slide 20 text

phpgrep history

Slide 21

Slide 21 text

gogrep

Slide 22

Slide 22 text

gogrep gogrep is cool!

Slide 23

Slide 23 text

gogrep phpgrep

Slide 24

Slide 24 text

phpgrep CLI phpgrep lib php-parser A

Slide 25

Slide 25 text

phpgrep CLI phpgrep lib NoVerify php-parser A php-parser B Incompatible AST types :(

Slide 26

Slide 26 text

phpgrep CLI phpgrep lib NoVerify phpgrep lib fork php-parser A php-parser B

Slide 27

Slide 27 text

phpgrep CLI NoVerify phpgrep lib fork php-parser B

Slide 28

Slide 28 text

NoVerify dynamic rules

Slide 29

Slide 29 text

Concepts overview phpgrep noverify dynamic rules Structural PHP search using AST patterns

Slide 30

Slide 30 text

Concepts overview phpgrep noverify dynamic rules PHP linter capable of running dynamic rules

Slide 31

Slide 31 text

Concepts overview phpgrep noverify dynamic rules NoVerify format for the phpgrep-style rules

Slide 32

Slide 32 text

Concepts overview phpgrep noverify dynamic rules Written in

Slide 33

Slide 33 text

● Types info (NoVerify type inference) Dynamic rules vs phpgrep

Slide 34

Slide 34 text

● Types info (NoVerify type inference) ● Efﬁcient multi-pattern execution Dynamic rules vs phpgrep

Slide 35

Slide 35 text

● Types info (NoVerify type inference) ● Efﬁcient multi-pattern execution ● Logical pattern grouping Dynamic rules vs phpgrep

Slide 36

Slide 36 text

● Types info (NoVerify type inference) ● Efﬁcient multi-pattern execution ● Logical pattern grouping ● Documentation mechanisms Dynamic rules vs phpgrep

Slide 37

Slide 37 text

noverify PHP file PHP file PHP file rules1 rules2

Slide 38

Slide 38 text

rules2 noverify PHP file PHP file PHP file Dynamic rules are loaded rules1

Slide 39

Slide 39 text

noverify PHP file PHP file PHP file Then ﬁles are analyzed rules2 rules1

Slide 40

Slide 40 text

Dynamic rule example function ternarySimplify() { /** @warning rewrite as $x ?: $y */ $x ? $x : $y; }

Slide 41

Slide 41 text

Dynamic rule example function ternarySimplify() { /** @warning rewrite as $x ?: $y */ $x ? $x : $y; } Dynamic rules group name

Slide 42

Slide 42 text

Dynamic rule example function ternarySimplify() { /** @warning rewrite as $x ?: $y */ $x ? $x : $y; } Warning message

Slide 43

Slide 43 text

Dynamic rule example function ternarySimplify() { /** @warning rewrite as $x ?: $y */ $x ? $x : $y; } phpgrep pattern

Slide 44

Slide 44 text

Is this transformation safe? f() ? f() : 0 => f() ?: 0

Slide 45

Slide 45 text

Is this transformation safe? f() ? f() : 0 => f() ?: 0 Only if f() is free of side effects

Slide 46

Slide 46 text

Dynamic rule example (extended) function ternarySimplify() { /** * @warning rewrite as $x ?: $y * @pure $x */ $x ? $x : $y; }

Slide 47

Slide 47 text

Dynamic rule example (extended) function ternarySimplify() { /** * @warning rewrite as $x ?: $y * @pure $x */ $x ? $x : $y; } $x should be side effect free

Slide 48

Slide 48 text

Dynamic rule example (extended) function ternarySimplify() { /** * @warning rewrite as $x ?: $y * @pure $x * @fix $x ?: $y */ $x ? $x : $y; } auto ﬁx action for NoVerify

Slide 49

Slide 49 text

Dynamic rule example (@comment) /** * @comment Find ternary expr that can be simplified * @before $x ? $x : $y * @after $x ?: $y */ function ternarySimplify() { // ...as before } Dynamic rule documentation

Slide 50

Slide 50 text

function argsOrder() { /** @warning suspicious args order */ any: { str_replace($_, $_, ${"char"}, ${"*"}); str_replace($_, $_, "", ${"*"}); } }

Slide 51

Slide 51 text

function argsOrder() { /** @warning suspicious args order */ any: { str_replace($_, $_, ${"char"}, ${"*"}); str_replace($_, $_, "", ${"*"}); } } “any” pattern grouping

Slide 52

Slide 52 text

function bitwiseOps() { /** * @warning maybe && is intended? * @fix $x && $y * @type bool $x * @type bool $y */ $x & $y; }

Slide 53

Slide 53 text

function bitwiseOps() { /** * @warning maybe && is intended? * @fix $x && $y * @type bool $x * @type bool $y */ $x & $y; } Type ﬁlters

Slide 54

Slide 54 text

T T typed expression object Arbitrary object type T[] Array of T-typed elements !T Any type except T !(A|B) Any type except A and B ?T Same as (T|null) Type matching examples

Slide 55

Slide 55 text

function stringCmp() { /** * @warning compare strings with === * @fix $x === $y * @type string $x * @or * @type string $y */ $x == $y; }

Slide 56

Slide 56 text

function stringCmp() { /** * @warning compare strings with === * @fix $x === $y * @type string $x * @or * @type string $y */ $x == $y; } Or-connected constraints

Slide 57

Slide 57 text

1. Create a rules ﬁle 2. Run NoVerify with -rules ﬂag How to run custom rules $ noverify -rules rules.php target

Slide 58

Slide 58 text

AST pattern matching

Slide 59

Slide 59 text

“$x = $x” pattern string

Slide 60

Slide 60 text

“$x = $x” pattern string Parsed AST

Slide 61

Slide 61 text

“$x = $x” pattern string Parsed AST Modified AST (with meta nodes)

Slide 62

Slide 62 text

function match(Node $pat, Node $n) $pat is a compiled pattern $n is a node being matched Matching AST

Slide 63

Slide 63 text

● Both $pat and $n are traversed ● Non-meta nodes are compared normally ● $pat meta nodes are separate cases ● Named matches are collected (capture) Algorithm

Slide 64

Slide 64 text

● $x is a simple “match any” named match ● $_ is a “match any” unnamed match ● ${"str"} matches string literals ● ${"str:x"} is a capturing form of ${"str"} ● ${"*"} matches zero or more nodes Valid PHP Syntax! Meta node examples

Slide 65

Slide 65 text

$_ = ${"str"} matches $foo->x = "abc"; $x = '';

Slide 66

Slide 66 text

$_ = ${"str"} rejects $foo->x = f(); $x = $y;

Slide 67

Slide 67 text

f() matches f() F() Unless explicitly marked as case-sensitive

Slide 68

Slide 68 text

new T() matches new T() new t() Unless explicitly marked as case-sensitive

Slide 69

Slide 69 text

Pattern matching = $x $x += $a 10 Pattern $x=$x Target $a+=10

Slide 70

Slide 70 text

Pattern matching = $x $x += $a 10 Pattern $x=$x Target $a+=10

Slide 71

Slide 71 text

Pattern matching = $x $x = $a 10 Pattern $x=$x Target $a=10

Slide 72

Slide 72 text

Pattern matching = $x $x = $a 10 Pattern $x=$x Target $a=10

Slide 73

Slide 73 text

Pattern matching = $x $x = $a 10 Pattern $x=$x Target $a=10 $x is bound to $a

Slide 74

Slide 74 text

Pattern matching = $x $x = $a 10 Pattern $x=$x Target $a=10 $a != 10

Slide 75

Slide 75 text

Pattern matching = $x $x = $a $a Pattern $x=$x Target $a=$a

Slide 76

Slide 76 text

Pattern matching = $x $x = $a $a Pattern $x=$x Target $a=$a

Slide 77

Slide 77 text

Pattern matching = $x $x = $a $a Pattern $x=$x Target $a=$a $x is bound to $a

Slide 78

Slide 78 text

Pattern matching = $x $x = $a $a Pattern $x=$x Target $a=$a $a = $a, pattern matched

Slide 79

Slide 79 text

Trying to make pattern matching work faster...

Slide 80

Slide 80 text

“$x = $x” pattern string Parsed AST Modified AST

Slide 81

Slide 81 text

“$x = $x” pattern string Parsed AST Polish notation + stack

Slide 82

Slide 82 text

Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions Stack =

Slide 83

Slide 83 text

Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions Stack $a $a

Slide 84

Slide 84 text

Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions Stack $a

Slide 85

Slide 85 text

Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions Stack

Slide 86

Slide 86 text

● 2-4 times faster matching ● No AST types dependency ● More optimization opportunities Stack-based matching

Slide 87

Slide 87 text

Running rules efﬁciently

Slide 88

Slide 88 text

Imagine that we have a lot of rules... rule-1 ... rule-N PHP file PHP file

Slide 89

Slide 89 text

Imagine that we have a lot of rules... rule-1 ... rule-N PHP file PHP file

Slide 90

Slide 90 text

Imagine that we have a lot of rules... rule-1 ... rule-N PHP file PHP file

Slide 91

Slide 91 text

Imagine that we have a lot of rules... rule-1 ... rule-N PHP file PHP file N * M problem

Slide 92

Slide 92 text

● AST is traversed only once ● For every node, run only relevant rules We can tune the matching engine to work very fast N*M cure: categorized rules

Slide 93

Slide 93 text

rule PHP file ... Assign rule ... TernaryExpr

Slide 94

Slide 94 text

rule PHP file ... Assign rule ... TernaryExpr Node categories

Slide 95

Slide 95 text

rule PHP file ... Assign rule ... TernaryExpr Categorized rules

Slide 96

Slide 96 text

● Local: run rules only inside functions ● Root: run rules only inside global scope ● Universal: run rules everywhere Extra registry layer: scopes

Slide 97

Slide 97 text

rule PHP ﬁle ... Assign rule ... TernaryExpr Global scope rule ... Assign rule ... TernaryExpr Local scope

Slide 98

Slide 98 text

rule PHP ﬁle ... Assign rule ... TernaryExpr Global scope rule ... Assign rule ... TernaryExpr Local scope Scoped group

Slide 99

Slide 99 text

● Expression can’t contain a statement ● Some statements are top-level only We don’t use this knowledge right now. Extra registry layer: expr vs stmt

Slide 100

Slide 100 text

If any rule from a group matched, all other rules inside the group are skipped for the current node. ● Helps to avoid matching conﬂicts ● Improves performance Group cutoff

Slide 101

Slide 101 text

// input: $a[0] = $a[0] + 1 function assignOp() { /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; }

Slide 102

Slide 102 text

// input: $a[0] = $a[0] + 1 function assignOp() { /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; } Matched, ++$a[0] suggested

Slide 103

Slide 103 text

// input: $a[0] = $a[0] + 1 function assignOp() { /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; } Skipped

Slide 104

Slide 104 text

Dynamic rules pros & cons

Slide 105

Slide 105 text

● No need to re-compile NoVerify Dynamic rules advantages

Slide 106

Slide 106 text

● No need to re-compile NoVerify ● Simple things are simple Dynamic rules advantages

Slide 107

Slide 107 text

● No need to re-compile NoVerify ● Simple things are simple ● No Go coding required Dynamic rules advantages

Slide 108

Slide 108 text

● No need to re-compile NoVerify ● Simple things are simple ● No Go coding required ● Rules are declarative Dynamic rules advantages

Slide 109

Slide 109 text

● No need to re-compile NoVerify ● Simple things are simple ● No Go coding required ● Rules are declarative ● No need to know linter internals Dynamic rules advantages

Slide 110

Slide 110 text

● Not very composable ● Too verbose for non-trivial cases ● Hard to get the autocompletion working PHPDoc-based attributes

Slide 111

Slide 111 text

● Hard to express ﬂow-based rules ● PHP syntax limitations ● Recursive block search is problematic AST pattern limitations

Slide 112

Slide 112 text

Comparison with Ruleguard

Slide 113

Slide 113 text

No content

Slide 114

Slide 114 text

Rule group name

Slide 115

Slide 115 text

gogrep pattern

Slide 116

Slide 116 text

Type ﬁlter

Slide 117

Slide 117 text

Auto ﬁx action

Slide 118

Slide 118 text

No content

Slide 119

Slide 119 text

Target language go-ruleguard Go NoVerify rules PHP NoVerify vs Ruleguard

Slide 120

Slide 120 text

DSL core go-ruleguard Fluent API DSL NoVerify rules Top-level patterns + PHPDoc NoVerify vs Ruleguard

Slide 121

Slide 121 text

Filtering mechanism go-ruleguard Go expressions NoVerify rules PHPDoc annotations NoVerify vs Ruleguard

Slide 122

Slide 122 text

Type ﬁlters go-ruleguard Type matching patterns NoVerify rules Simple type expressions NoVerify vs Ruleguard

Slide 123

Slide 123 text

● NoVerify - static analyzer (linter) ● phpgrep - structural PHP search ● phpgrep VS Code extension ● Dynamic rules example ● Dynamic rules for static analysis article ● Ruleguard - dynamic rules for Go Links

Slide 124

Slide 124 text

Code -> Linter rules Pattern-based static analysis