Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHP code->rules

5b8d20aa7d63c5d391b1c881e1764460?s=47 Iskander (Alex) Sharipov
October 24, 2020
Programming
1
5

PHP code->rules

5b8d20aa7d63c5d391b1c881e1764460?s=128

Iskander (Alex) Sharipov

October 24, 2020
Tweet

More Decks by Iskander (Alex) Sharipov

See All by Iskander (Alex) Sharipov
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
12
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
50
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
730
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
5
1.5k
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
120
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
100
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
170
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
110
5b8d20aa7d63c5d391b1c881e1764460?s=48 quasilyte
0
130

Other Decks in Programming

See All in Programming
E876ea77f9fb4d686befb6e69eec9a7e?s=48 miyayou
2
320
7fccfb690a818ed2f3a15fc21d426d5a?s=48 texmeijin
1
110
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
3
250
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
PRO
2
2.7k
3cfad86677c5966ecfe9b81955fa3489?s=48 inoue2002
0
720
96466365a9bf7e66990f2b9ba547b02f?s=48 yumu19
1
760
Ae276805027a01983503c3edafbdb6b2?s=48 martysuzuki
5
610
922f51d458d6ffee8578b9d3ab0a52b6?s=48 ug
1
180
33ef4c1ebe619115b552db9a9f9a3509?s=48 sadnessojisan
0
320
9489b8d6f2dbdc3e7d26b8702143b86e?s=48 thirion
1
110
91b03a57e0ef56fee59fbddc66a7f6fd?s=48 takasehideki
0
150
8ad4be5fb42a8fd88d68a9054d9eba8e?s=48 tamai_63
0
1.1k

Featured

See All Featured
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
446
29k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
289
47k
5b6a2bd86ef643786a381a212e0ef2f1?s=48 geoffreycrofte
44
3.7k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
262
37k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.3k
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
118
27k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
800
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.1k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
97
4k

Transcript

  1. Code -> Linter rules Pattern-based static analysis

  2. Right into the action!

  3. $last = $a[count($a)]; Step 1: find the bad code example

    Off-by-one mistake

  4. Step 2: extract it as a pattern $last = $a[count($a)];

    That’s our pattern!

  5. Step 3: apply the pattern

  6. phpgrep by examples

  7. @$_ Find all usages of error suppress operator 4.7s /

    6kk SLOC / 56 Cores

  8. in_array($x, [$y]) Find in_array calls that can be replaced with

    $x == $y 4.6s / 6kk SLOC / 56 Cores

  9. $x ? true : false Find all ternary expressions that

    could be replaced by just $x 4.7s / 6kk SLOC / 56 Cores

  10. $_ == null null == $_ Find all non-strict comparisons

    with null 4.5s / 6kk SLOC / 56 Cores

  11. for ($_ == $_; $_; $_) $_ Find for loops

    where == is used instead of = inside init clause 4.6s / 6kk SLOC / 56 Cores

  12. Just like Semgrep?

  13. None

  14. Semgrep NoVerify+phpgrep

  15. • A brief phpgrep history Main topics for today

  16. • A brief phpgrep history • NoVerify dynamic rules Main

    topics for today

  17. • A brief phpgrep history • NoVerify dynamic rules •

    AST pattern matching Main topics for today

  18. • A brief phpgrep history • NoVerify dynamic rules •

    AST pattern matching • Running rules efficiently Main topics for today

  19. • A brief phpgrep history • NoVerify dynamic rules •

    AST pattern matching • Running rules efficiently • Dynamic rules pros & cons Main topics for today

  20. phpgrep history

  21. gogrep

  22. gogrep gogrep is cool!

  23. gogrep phpgrep

  24. phpgrep CLI phpgrep lib php-parser A

  25. phpgrep CLI phpgrep lib NoVerify php-parser A php-parser B Incompatible

    AST types :(

  26. phpgrep CLI phpgrep lib NoVerify phpgrep lib fork php-parser A

    php-parser B

  27. phpgrep CLI NoVerify phpgrep lib fork php-parser B

  28. NoVerify dynamic rules

  29. Concepts overview phpgrep noverify dynamic rules Structural PHP search using

    AST patterns

  30. Concepts overview phpgrep noverify dynamic rules PHP linter capable of

    running dynamic rules

  31. Concepts overview phpgrep noverify dynamic rules NoVerify format for the

    phpgrep-style rules

  32. Concepts overview phpgrep noverify dynamic rules Written in

  33. • Types info (NoVerify type inference) Dynamic rules vs phpgrep

  34. • Types info (NoVerify type inference) • Efficient multi-pattern execution

    Dynamic rules vs phpgrep

  35. • Types info (NoVerify type inference) • Efficient multi-pattern execution

    • Logical pattern grouping Dynamic rules vs phpgrep

  36. • Types info (NoVerify type inference) • Efficient multi-pattern execution

    • Logical pattern grouping • Documentation mechanisms Dynamic rules vs phpgrep

  37. noverify PHP file PHP file PHP file rules1 rules2

  38. rules2 noverify PHP file PHP file PHP file Dynamic rules

    are loaded rules1

  39. noverify PHP file PHP file PHP file Then files are

    analyzed rules2 rules1

  40. Dynamic rule example function ternarySimplify() { /** @warning rewrite as

    $x ?: $y */ $x ? $x : $y; }

  41. Dynamic rule example function ternarySimplify() { /** @warning rewrite as

    $x ?: $y */ $x ? $x : $y; } Dynamic rules group name

  42. Dynamic rule example function ternarySimplify() { /** @warning rewrite as

    $x ?: $y */ $x ? $x : $y; } Warning message

  43. Dynamic rule example function ternarySimplify() { /** @warning rewrite as

    $x ?: $y */ $x ? $x : $y; } phpgrep pattern

  44. Is this transformation safe? f() ? f() : 0 =>

    f() ?: 0

  45. Is this transformation safe? f() ? f() : 0 =>

    f() ?: 0 Only if f() is free of side effects

  46. Dynamic rule example (extended) function ternarySimplify() { /** * @warning

    rewrite as $x ?: $y * @pure $x */ $x ? $x : $y; }

  47. Dynamic rule example (extended) function ternarySimplify() { /** * @warning

    rewrite as $x ?: $y * @pure $x */ $x ? $x : $y; } $x should be side effect free

  48. Dynamic rule example (extended) function ternarySimplify() { /** * @warning

    rewrite as $x ?: $y * @pure $x * @fix $x ?: $y */ $x ? $x : $y; } auto fix action for NoVerify

  49. Dynamic rule example (@comment) /** * @comment Find ternary expr

    that can be simplified * @before $x ? $x : $y * @after $x ?: $y */ function ternarySimplify() { // ...as before } Dynamic rule documentation

  50. function argsOrder() { /** @warning suspicious args order */ any:

    { str_replace($_, $_, ${"char"}, ${"*"}); str_replace($_, $_, "", ${"*"}); } }

  51. function argsOrder() { /** @warning suspicious args order */ any:

    { str_replace($_, $_, ${"char"}, ${"*"}); str_replace($_, $_, "", ${"*"}); } } “any” pattern grouping

  52. function bitwiseOps() { /** * @warning maybe && is intended?

    * @fix $x && $y * @type bool $x * @type bool $y */ $x & $y; }

  53. function bitwiseOps() { /** * @warning maybe && is intended?

    * @fix $x && $y * @type bool $x * @type bool $y */ $x & $y; } Type filters

  54. T T typed expression object Arbitrary object type T[] Array

    of T-typed elements !T Any type except T !(A|B) Any type except A and B ?T Same as (T|null) Type matching examples

  55. function stringCmp() { /** * @warning compare strings with ===

    * @fix $x === $y * @type string $x * @or * @type string $y */ $x == $y; }

  56. function stringCmp() { /** * @warning compare strings with ===

    * @fix $x === $y * @type string $x * @or * @type string $y */ $x == $y; } Or-connected constraints

  57. 1. Create a rules file 2. Run NoVerify with -rules

    flag How to run custom rules $ noverify -rules rules.php target

  58. AST pattern matching

  59. “$x = $x” pattern string

  60. “$x = $x” pattern string Parsed AST

  61. “$x = $x” pattern string Parsed AST Modified AST (with

    meta nodes)

  62. function match(Node $pat, Node $n) $pat is a compiled pattern

    $n is a node being matched Matching AST

  63. • Both $pat and $n are traversed • Non-meta nodes

    are compared normally • $pat meta nodes are separate cases • Named matches are collected (capture) Algorithm

  64. • $x is a simple “match any” named match •

    $_ is a “match any” unnamed match • ${"str"} matches string literals • ${"str:x"} is a capturing form of ${"str"} • ${"*"} matches zero or more nodes Valid PHP Syntax! Meta node examples

  65. $_ = ${"str"} matches $foo->x = "abc"; $x = '';

  66. $_ = ${"str"} rejects $foo->x = f(); $x = $y;

  67. f() matches f() F() Unless explicitly marked as case-sensitive

  68. new T() matches new T() new t() Unless explicitly marked

    as case-sensitive

  69. Pattern matching = $x $x += $a 10 Pattern $x=$x

    Target $a+=10

  70. Pattern matching = $x $x += $a 10 Pattern $x=$x

    Target $a+=10

  71. Pattern matching = $x $x = $a 10 Pattern $x=$x

    Target $a=10

  72. Pattern matching = $x $x = $a 10 Pattern $x=$x

    Target $a=10

  73. Pattern matching = $x $x = $a 10 Pattern $x=$x

    Target $a=10 $x is bound to $a

  74. Pattern matching = $x $x = $a 10 Pattern $x=$x

    Target $a=10 $a != 10

  75. Pattern matching = $x $x = $a $a Pattern $x=$x

    Target $a=$a

  76. Pattern matching = $x $x = $a $a Pattern $x=$x

    Target $a=$a

  77. Pattern matching = $x $x = $a $a Pattern $x=$x

    Target $a=$a $x is bound to $a

  78. Pattern matching = $x $x = $a $a Pattern $x=$x

    Target $a=$a $a = $a, pattern matched

  79. Trying to make pattern matching work faster...

  80. “$x = $x” pattern string Parsed AST Modified AST

  81. “$x = $x” pattern string Parsed AST Polish notation +

    stack

  82. Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions

    Stack <Assign> = <NamedAny x> <NamedAny x>

  83. Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions

    Stack <Assign> $a <NamedAny x> $a <NamedAny x>

  84. Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions

    Stack <Assign> $a <NamedAny x> <NamedAny x>

  85. Stack-based matching = $a $a Pattern $x=$x Target $a=$a Instructions

    Stack <Assign> <NamedAny x> <NamedAny x>

  86. • 2-4 times faster matching • No AST types dependency

    • More optimization opportunities Stack-based matching

  87. Running rules efficiently

  88. Imagine that we have a lot of rules... rule-1 ...

    rule-N PHP file PHP file

  89. Imagine that we have a lot of rules... rule-1 ...

    rule-N PHP file PHP file

  90. Imagine that we have a lot of rules... rule-1 ...

    rule-N PHP file PHP file

  91. Imagine that we have a lot of rules... rule-1 ...

    rule-N PHP file PHP file N * M problem

  92. • AST is traversed only once • For every node,

    run only relevant rules We can tune the matching engine to work very fast N*M cure: categorized rules

  93. rule PHP file ... Assign rule ... TernaryExpr

  94. rule PHP file ... Assign rule ... TernaryExpr Node categories

  95. rule PHP file ... Assign rule ... TernaryExpr Categorized rules

  96. • Local: run rules only inside functions • Root: run

    rules only inside global scope • Universal: run rules everywhere Extra registry layer: scopes

  97. rule PHP file ... Assign rule ... TernaryExpr Global scope

    rule ... Assign rule ... TernaryExpr Local scope

  98. rule PHP file ... Assign rule ... TernaryExpr Global scope

    rule ... Assign rule ... TernaryExpr Local scope Scoped group

  99. • Expression can’t contain a statement • Some statements are

    top-level only We don’t use this knowledge right now. Extra registry layer: expr vs stmt

  100. If any rule from a group matched, all other rules

    inside the group are skipped for the current node. • Helps to avoid matching conflicts • Improves performance Group cutoff

  101. // input: $a[0] = $a[0] + 1 function assignOp() {

    /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; }

  102. // input: $a[0] = $a[0] + 1 function assignOp() {

    /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; } Matched, ++$a[0] suggested

  103. // input: $a[0] = $a[0] + 1 function assignOp() {

    /** @fix ++$x */ $x = $x + 1; /** @fix $x += $y */ $x = $x + $y; } Skipped

  104. Dynamic rules pros & cons

  105. • No need to re-compile NoVerify Dynamic rules advantages

  106. • No need to re-compile NoVerify • Simple things are

    simple Dynamic rules advantages

  107. • No need to re-compile NoVerify • Simple things are

    simple • No Go coding required Dynamic rules advantages

  108. • No need to re-compile NoVerify • Simple things are

    simple • No Go coding required • Rules are declarative Dynamic rules advantages

  109. • No need to re-compile NoVerify • Simple things are

    simple • No Go coding required • Rules are declarative • No need to know linter internals Dynamic rules advantages

  110. • Not very composable • Too verbose for non-trivial cases

    • Hard to get the autocompletion working PHPDoc-based attributes

  111. • Hard to express flow-based rules • PHP syntax limitations

    • Recursive block search is problematic AST pattern limitations

  112. Comparison with Ruleguard

  113. None

  114. Rule group name

  115. gogrep pattern

  116. Type filter

  117. Auto fix action

  118. None

  119. Target language go-ruleguard Go NoVerify rules PHP NoVerify vs Ruleguard

  120. DSL core go-ruleguard Fluent API DSL NoVerify rules Top-level patterns

    + PHPDoc NoVerify vs Ruleguard

  121. Filtering mechanism go-ruleguard Go expressions NoVerify rules PHPDoc annotations NoVerify

    vs Ruleguard

  122. Type filters go-ruleguard Type matching patterns NoVerify rules Simple type

    expressions NoVerify vs Ruleguard

  123. • NoVerify - static analyzer (linter) • phpgrep - structural

    PHP search • phpgrep VS Code extension • Dynamic rules example • Dynamic rules for static analysis article • Ruleguard - dynamic rules for Go Links

  124. Code -> Linter rules Pattern-based static analysis