an empirical study of php feature usage a static analysis
play

An Empirical Study of PHP Feature Usage: A Static Analysis - PowerPoint PPT Presentation

Oct 02, 2023 •382 likes •857 views

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint, and Jurgen J. Vinju CWI, Software Analysis and Transformation (SWAT) ISSTA 2013 Lugano, Switzerland July 16-18, 2013 http://www.rascal-mpl.org

  1. An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint, and Jurgen J. Vinju CWI, Software Analysis and Transformation (SWAT) ISSTA 2013 Lugano, Switzerland July 16-18, 2013 http://www.rascal-mpl.org Thursday, July 18, 13

  2. PHP Thursday, July 18, 13

  3. PHP Analysis in Rascal (PHP AiR) • Big picture: develop a framework for PHP source code analysis • Domains: • Program analysis (static/dynamic) • Software metrics • Empirical software engineering • Developer tool support 3 Thursday, July 18, 13

  4. Why look at PHP applications? Thursday, July 18, 13

  5. Why look at PHP applications? Thursday, July 18, 13

  6. Why look at PHP applications? Thursday, July 18, 13

  7. Why look at PHP applications? Thursday, July 18, 13

  8. PHP applications are everywhere! 5 Thursday, July 18, 13

  9. Open Source Commits by Language (Ohloh.net) http://www.ohloh.net/languages/compare?measure=commits&percent=true 6 Thursday, July 18, 13

  10. Challenges in Tool Development Thursday, July 18, 13

  11. Example: Building a type inferencer 8 Thursday, July 18, 13

  12. Example: Building a type inferencer • Lots of di ff erent statements and expressions, are they all used? What do we need to implement first to get up and going? 8 Thursday, July 18, 13

  13. Example: Building a type inferencer • Lots of di ff erent statements and expressions, are they all used? What do we need to implement first to get up and going? • What if the code has evals? This could add new types. 8 Thursday, July 18, 13

  14. Example: Building a type inferencer • Lots of di ff erent statements and expressions, are they all used? What do we need to implement first to get up and going? • What if the code has evals? This could add new types. • What if the code has invocation functions? Can we tell what functions are called? 8 Thursday, July 18, 13

  15. Example: Building a type inferencer • Lots of di ff erent statements and expressions, are they all used? What do we need to implement first to get up and going? • What if the code has evals? This could add new types. • What if the code has invocation functions? Can we tell what functions are called? • What if the code contains variable variables? Can we tell which variables they refer to? 8 Thursday, July 18, 13

  16. Example: Building a type inferencer • Lots of di ff erent statements and expressions, are they all used? What do we need to implement first to get up and going? • What if the code has evals? This could add new types. • What if the code has invocation functions? Can we tell what functions are called? • What if the code contains variable variables? Can we tell which variables they refer to? • What if... 8 Thursday, July 18, 13

  17. Looking more generally • PHP is big, which language features should we focus on first? • PHP is dynamic, how much impact do these features have on real programs? • What kinds of assumptions (e.g., no evals, no writes through variable variables) can we safely make about code and still have good precision? • How can we build prototypes that work with real PHP code? 9 Thursday, July 18, 13

  18. Empirical studies have a long history... Thursday, July 18, 13

  19. Solution: Study PHP feature usage empirically • What does a typical PHP program (level of focus: individual pages) look like? • What features of PHP do people really use? • How often are dynamic features, which are hard for static analysis to handle, used in real programs? • When dynamic features appear, are they really dynamic? Or are they used in static ways? 11 Thursday, July 18, 13

  20. Which dynamic features? • Dynamic includes • Variable Constructs • Overloading • eval • Variadic Functions • Dynamic Invocation 12 Thursday, July 18, 13

  21. Setting Up the Experiment: Tools & Methods http://cache.boston.com/universal/site_graphics/blogs/bigpicture/lhc_08_01/lhc11.jpg 13 Thursday, July 18, 13

  22. Building an open-source PHP corpus • Well-known systems and frameworks: WordPress, Joomla, MediaWiki, Moodle, Symfony, Zend • Multiple domains: app frameworks, CMS, blogging, wikis, eCommerce, webmail, and others • Selected based on Ohloh rankings, based on popularity and desire for domain diversity • Totals: 19 open-source PHP systems, 3.37 million lines of PHP code, 19,816 files 14 Thursday, July 18, 13

  23. Methodology • Corpus parsed with an open-source PHP parser • Feature usage extracted directly from ASTs • Dynamic features identified using pattern matching • More in-depth explorations performed manually or using custom- written analysis routines • All computation scripted, resulting figures and tables generated • http://www.rascal-mpl.org/ 15 Thursday, July 18, 13

  24. Threats to validity • Results could be very corpus-specific • Large, well-known open-source PHP systems may not be representative of typical PHP code • Dynamic includes could skew results 16 Thursday, July 18, 13

  25. Interpreting the Results 17 Thursday, July 18, 13

  26. Zooming in • Feature usage and coverage • Dynamic includes • Variable variables • eval 18 Thursday, July 18, 13

  27. Feature usage and coverage • Goal: analysis prototypes should cover actual programs • Solution: compute which sets of features cover the most files • 109 features total • 7 never used (including goto), mainly newer features • casts, predicates, unary operations used rarely • 74 features cover 80% of all files, over 90% for some systems (CakePHP: 95.3%, Zend: 93.2%) 19 Thursday, July 18, 13

  28. Dynamic includes require_once( ¡ dirname ( ¡ __FILE__ ¡) ¡. ¡ '/Maintenance.php' ¡); $maintananceDir ¡ = ¡ dirname ( ¡ dirname ( ¡ dirname ( ¡ dirname ( ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ dirname ( ¡ __FILE__ ¡) ¡) ¡) ¡) ¡) ¡. ¡ '/maintenance' ; require( ¡ “$maintananceDir/Maintenance.php” ¡); • In PHP , may not know code that will run until runtime • Q1: How often are dynamic includes used? • Q2: How often can we resolve them to a specific file up front? 20 Thursday, July 18, 13

  29. Usage of dynamic includes • 19,816 files in corpus: 3,184 contain dynamic includes (16.1%) • 25,637 includes in corpus: 7,962 are dynamic (31.1%) • Some systems worse than others: CakePHP (120 of 124 includes are dynamic), CodeIgniter (69 of 69), Drupal (171 of 172), Moodle (4291 of 7744) • Some only use in limited way: Zend only 350 of 12,829 are dynamic, PEAR only 11 of 211 21 Thursday, July 18, 13

  30. Resolution of dynamic includes • After resolution, 864 files contain dynamic includes (27.1% of files with dynamic includes still contain them, 4.4% of total files) • After resolution, 1,439 dynamic includes remain (18.2% of original) • Based on current resolution analysis, dynamic includes usually not brought in through other includes • Results on major systems: Drupal (130 of 171 resolved), Joomla (200 of 352 resolved), MediaWiki (425 of 493), Moodle (3350 of 4291), WordPress (332 of 360), Zend (285 of 350) • Not always so good: 4 of 48 in Kohana resolved, 41 of 95 in Symfony, 0 of 11 in PEAR 22 Thursday, July 18, 13

  31. Variable variables $x ¡ = ¡3; $y ¡ = ¡ 'x' ; echo ¡ $x ; ¡ // ¡3 echo ¡ $y ; ¡ // ¡x echo ¡ $$y ; ¡ // ¡3 $$y ¡ = ¡4; echo ¡ $x ; ¡ // ¡4 • Reflective ability to refer to variables using strings • Often used as a code saving device • Problem: creates aliases using string operations 23 Thursday, July 18, 13

  32. Variable variables: findings • Question: How often can we statically determine to which names a variable variable can refer? • Method: use Rascal to find all locations of variable variables, manually inspect code • Restrictions: names statically determinable, no aliases, no other declarations • General: 61% of uses resolvable, 75% in newer systems • Best: 100% in Drupal & PEAR, 95% in CodeIgniter & Smarty • Worst: 0% in Joomla & osCommerce 24 Thursday, July 18, 13

  33. The eval expression (and create_function) eval( str_replace (array( '<?php', ¡'?>' ), ¡'' , ¡$result [ 'code' ])); create_function ( '$v', ¡ ¡ ¡'$v[\'title\'] ¡= ¡$v[\'title\'] ¡. ¡\'-­‑transformed\'; ¡return ¡$v;' ) • eval and create_function provide for runtime evaluation of arbitrary code • Used rarely in corpus: 148 occurrences of eval, 72 of create_function, many uses in testing and maintenance code • Uses truly dynamic, need string analysis and (in the general case) dynamic analysis to determine actually invoked code 25 Thursday, July 18, 13

  34. Occurrences of all dynamic features • 19,816 files in corpus: 3,386 contain dynamic features (17.1%) • Dynamic feature usage varies greatly over systems • PEAR: 50% of files have at least 1 dynamic feature • WordPress: 30.7% • MediaWiki: 14.6% • Symfony: 9.4% 26 Thursday, July 18, 13

  35. Summary 27 Thursday, July 18, 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Variable Feature Usage Patterns in PHP Mark Hills 30th IEEE/ACM International Conference on

Variable Feature Usage Patterns in PHP Mark Hills 30th IEEE/ACM International Conference on

Variable Feature Usage Patterns in PHP Mark Hills 30th IEEE/ACM International Conference on Automated Software Engineering November 9-13, 2015 Lincoln, Nebraska, USA http://www.rascal-mpl.org 1 Background &amp; Motivation 2 An Empirical Study

544 views • 30 slides
Benefit-cost analysis of phasing out coal in power and for household usage: An empirical analysis

Benefit-cost analysis of phasing out coal in power and for household usage: An empirical analysis

Comments on: Benefit-cost analysis of phasing out coal in power and for household usage: An empirical analysis of the Chinese Action Plan applied to Beijing (BCABC for short) Jin, Y., H. Andersson and S. Zhang Conference on The Economics of

272 views • 10 slides
Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript

Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript

Browser Feature Usage on the Modern Web Summary Analysis of how frequently javascript features are used Feature defined as browser capability accessed through JavaScript function or property. Considers only sites in Alexa

523 views • 11 slides
Usage Scenarios for a Common Feature Modeling Language Thorsten Berger and Philippe Collet

Usage Scenarios for a Common Feature Modeling Language Thorsten Berger and Philippe Collet

Usage Scenarios for a Common Feature Modeling Language Thorsten Berger and Philippe Collet feature modeling Feature Oriented Domain Analysis (FODA) by Kang et al. 1990 FODA succeeded for its simplicity searching for feature modeling alone

478 views • 13 slides
Outline Introduction M ulti-Channel Reliability and Spectrum Usage Experimental

Outline Introduction M ulti-Channel Reliability and Spectrum Usage Experimental

Outline Introduction M ulti-Channel Reliability and Spectrum Usage Experimental methodology Empirical study in homes in Real Homes Spectrum study of existing wireless signals Empirical Studies for Home-Area Sensor Networks

570 views • 7 slides
Using Data Fusion and Web Mining to Support Feature Location in Software SEMERU Feature: a

Using Data Fusion and Web Mining to Support Feature Location in Software SEMERU Feature: a

Using Data Fusion and Web Mining to Support Feature Location in Software SEMERU Feature: a requirement that user can invoke and that has an observable behavior. Feature Location Impact Analysis Existing Feature Location Work Static

881 views • 47 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
Evolution of Dynamic Feature Usage in PHP Mark Hills 22nd IEEE International Conference on

Evolution of Dynamic Feature Usage in PHP Mark Hills 22nd IEEE International Conference on

Evolution of Dynamic Feature Usage in PHP Mark Hills 22nd IEEE International Conference on Software Analysis, Evolution, and Reengineering (SANER 2015), ERA Track March 2-4, 2015 Montreal, Canada http://www.rascal-mpl.org 1 PHP Analysis in

516 views • 24 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static Analysis of Embedded Systems Xavier R IVAL rival@di.ens.fr Outline Case study

Static Analysis of Embedded Systems Xavier R IVAL rival@di.ens.fr Outline Case study

Static Analysis of Embedded Systems Xavier R IVAL rival@di.ens.fr Outline Case study Certification of embedded softwares Demo Static Analysisof Embedded Systems p.2/12 Ariane 5 Flight 501 Ariane 5: sattelite launcher

825 views • 12 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical studies of how developer decisions Irene Manotas, * Christian Bird, impact energy consumption (design patterns, web Lori Pollock, * and James

354 views • 32 slides
Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk

ITU Workshop Smart Sustainable Cities (Samarqand - Uzbekistan 1- 2 June 2017) Trustworthy ICT: The notion of Trust, Security, and Privacy Ramy Ahmed Fathy, PhD Vice Chairman of ITU-T SG20 Director, Digital Services Planning and Risk Assessment

758 views • 52 slides
Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing

Segurana em APIs REST Heitor Vital reas de Atuao o Cloud Computing twitter.com/heitorvital o Segurana Informao o Jogos slideshare.net/HeitorVital o Dispositivos Mveis o labs.siteblindado.com

412 views • 22 slides
Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM

Monthly Security Bulletin Briefing (July 2013) Teresa Ghiorzoe Security Program Manager LATAM Blog de Seguridad: http://blogs.technet.com/b/seguridad/ Twitter: LATAMSRC GBS Security Worldwide Programs 1 Security Advisories July 2013 New

413 views • 27 slides
DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor

DC GIS Steering Committee November 2014 10:00 AM 12:00 PM 200 I Street SE, 5 th Floor Washington, DC 20003 Conference Room: 5009 Agenda Introductions and Establish Quorum Approve Minutes 8/21/2014 DC GIS News OCTO GIS News

1.1k views • 93 slides
Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah

Securing Digital Fintech Platform Value Proposition and Security Challenges Agus F. Abdillah Jakarta - 28 th Nov, 2018 1 Securing Fintech 1 Introduction 2 What Being Platform Means? AGENDA What is Value Proposition for Digital 3

353 views • 18 slides
Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk

Crosstalk - How can we avoid it - Herv Grabas Mutual Inductance and Capacitance Crosstalk is the coupling of energy from one line to another via: Mutual capacitance (electric field) Mutual inductance (magnetic field) Mutual Inductance, L

967 views • 29 slides
CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon

CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon

CRediT Taxonomy of Contributor Roles: Early implementation at Cell Press Patrick Hannon Editorial Operations Manager, Cell Press EMUG, June 2016 CRediT: Background CRediT: Background The traditional author list CRediT: Background 2012 :

437 views • 19 slides
CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image

CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image

CMOS Image Sensor Simulation 2D and 3D Simulation Basic Structure and operation of CMOS Image Sensor CMOS Image Sensor CMOS Image Sensor cross section of (PD/TG_2/FD): equivalent circuit TG_1 TG FD PD TG_2 FD PD TG_3 TG_3 - 2 - CMOS

572 views • 17 slides

More recommend