I'm here to talk about static analysis and how you would use it in your Drupal code. So thank you for coming. I barely made it here; I'm sorry I'm a little late, but I think we are all good to start, just give me a minute here. It's post-lunch, and the session gods have decided that I always have to get a post-lunch session. Well, I'm up for the challenge; let's see if they're right today.

Let me introduce myself. I'm Hussain Abbas, like I've said once already. I work at Axelerant as an engineering manager. I have been involved in the community for a few years now, I have met a lot of amazing people and learnt a lot of awesome stuff, and I hope you learn something useful here today. You can find me later at Axelerant's booth in the exhibit hall; I think it's booth 603 or 613, I'm forgetting a little bit. I commonly go on Twitter as hussainweb, so if you feel that you have to make fun of me on Twitter, do it properly: mention me.

So let's talk about static analysis, and, contrary to what the image says, no, we're not going to analyze that image. Let's look at a few code examples to understand what it means. Can anyone notice anything wrong with this code sample? Yes, essentially yes. What about this one? Translation, you're right. Okay, so a Drupal 8 example now. What do you think? I'm sorry? Yes, exactly. What about this? Any ideas? I'm sorry? Yes, this? An easy one? Yes, you're right: the title, the key defined again. What about this? Sure, that's one thing. No, I'm sorry, who said that? The passing-by-reference thing. So you're passing by reference, and now I'm confused: should this return or not? Well, this is the general feeling you get; there are so many, even in this one. Actually, you guys defeated me over here.
I was thinking that you would take more time on that, but these were all simple examples. When it comes to actual code, like the huge diffs that you usually review in your pull requests, and especially in code reviews when you need to get something merged quickly, it's difficult to keep track of what's wrong or what could go wrong. All of the different things that we discussed just now, this and more (there are many more kinds of logical errors in code that we need to catch), could slip by, so we shouldn't be doing this at all; we should let the computer do this.

Before we start talking about various tools and how we actually do this with a computer, let's broadly classify the various kinds of issues that we usually see in code. Code style issues are one of them, and I consider this one of the more important ones: even in a team of two people, you would have to work harmoniously together, and code styles are one of the ways to do that. There is a variety of code formatting guidelines, and I don't really care which one you use as long as you use one of them consistently. When it comes to Drupal, if you're building a Drupal site or writing Drupal modules, just make it simple and use the Drupal code formatting style; that would be my suggestion. Then there are of course things like PSR-2; each framework has its own. I think Zend has its own formatting guideline, and Symfony just uses PSR-2, I think. It's completely up to you, but as long as you're consistent, you're fine. I would definitely count it as an issue if a piece of code is not following a particular formatting guideline, because it's going to create confusion later on when somebody maintains that code, and that somebody could be you. Then there are
logical issues with the code. Some of these could be directly associated with the code, like the few examples that we saw just now, and some of them could have to do with the business logic of what your code is doing; those are of course not our forte here, but we'll talk about it. Finally, we have runtime issues: things like your database server going away, or the API that you rely on going away. Again, it's not a strict classification, but very broadly, for the purposes of our discussion today, let's say that these are the kinds of issues.

For the style issues and the code formatting issues, you just use static analysis. In code reviews you should not really spend your time debating whether the formatting is correct or not; just let the tool do its job. Logical issues related to code, like all six examples we saw, can all be caught by those tools. The other issues, the logical issues related to the domain (does the code fulfil your business objective?) and runtime issues, are the forte of automated testing, and this is really out of the scope of today's talk; there are other talks related to automated testing. It doesn't make it any less important; in my opinion both of them are equally important. Usually the issues covered by static analysis and automated testing form a Venn diagram something like this, and you would notice that there is a kind of overlap, which is fine, I guess. I don't get very pedantic about it; it's fine if there's an overlap, but ideally you would aim to reduce the overlap, and the reason is simple: you
could say that the number of bugs in your code is directly proportional to the number of lines of code you write, anyone writes; not you, anyone. There is always a chance of more and more bugs, so just reduce the chances of bugs. Here I feel I should include the argument for things like type hinting. I am in favour of type hinting; I don't intend to start any flame wars here, and I know they're not as passionate as Vim versus Emacs, but anyway. Type hinting, in my opinion, catches a lot. First of all, it assists the tools that we're going to talk about, so the tools have more information to go on when they analyze the code, but it also improves readability too.

Can I get a quick show of hands: how many of you have not worked with Drupal 8 yet? Okay. One of the things that you will see when you start working with Drupal 8 is that the whole object-oriented nature of the code might seem intimidating to you right now, and I agree with you; it's always difficult to learn something new, but the benefits here are immense. You should make that journey and think about all the code that you write in terms of objects passing around messages. I think I'm digressing a bit too much here, but I just want to bring it back to the type hinting topic. If all of your code can be represented as objects, and your business flow can flow through as communication between various objects, then there is very little that can go wrong from the business logic point of view; all of those cases can be covered by automated
testing and static analysis. So yeah, I won't stress too much on it, but the objective is to make this overlap as small as possible. One thing is again the type-hinting argument from earlier: if you type-hint your code, that's that many fewer tests you have to write. You don't have to write unit tests checking whether this function works with different types of input or not if you have type-hinted it, and if you're using PHP 7, which enforces these type hints, the code won't even run; the equivalent of the code won't even compile. So if your code works, you can be sure it will work fine.

Moving on, let's talk about some of these tools. Anyone familiar with any of these tools here? All of them? Okay, a good number. Again, I have a kind of demonstration planned, but there's not enough time to go in depth into it; my intention is to cover all of these tools on a very broad level. We'll actually start with PHP_CodeSniffer, and this is one of the staples; you have probably used this already. I think Drupal installs it by default anyway, but I could be wrong. PHP_CodeSniffer uses something called sniffs, which is basically just a collection of rules. So you define your code formatting guideline as a collection of rules, and you can do much more than that: as we'll see, pareview can catch a lot of different kinds of issues, so you can define all of these as sniffs and just have to run phpcs along with that sniff against your code. You typically won't really need to write a sniff; there are a lot of sniffs available, and once you install phpcs you get a good bunch of them already, things like PSR-2 and PSR-1 and Zend Framework and all that. The Drupal sniff is available as part of Coder, the Coder
module that includes the Drupal sniff, and there are two more sniffs which are available as projects on drupal.org. phpcs is quite simple; you probably can't read that, but we'll see a demo, so that's fine.

Then pareview. pareview just uses phpcs and the three sniffs I mentioned earlier; it just runs them one after another, the Drupal sniff, DrupalSecure and DrupalPractice, and it also does a few other checks which are really relevant to contributed modules. The background is that this was written as a bot to check the quality of modules you're contributing. Do you remember, at least a year back, you would have to go through a vetting procedure before you could create full projects on drupal.org? Anyone remember that? Yeah. So this was a script that assisted in automated reviews: as soon as you create a project application on drupal.org, a bot will run your module code against this tool and it'll give a report of what's missing. It actually checks a lot more things, like whether a README file is there, or if you have included a LICENSE.txt by mistake, things like that. Now, since this is a scripted tool which runs phpcs three times with different sniffs and everything, it's not really that easy to use in CI. The reason is simple: it swallows the return code, so if one of the runs fails you won't know it; the CI build won't stop. That basically makes it useless in CI runs, but it's still very useful if you're running it locally when you're developing; just run it, it's a shortcut. There is a project page on drupal.org which explains how to install this, drupal.org/project/pareviewsh. So you have to install the pareview tool, and then you have to install phpcs
of course, because it uses phpcs, and then you have to install these sniffs. One of the sniffs is from the Coder module, and the other two, we'll again come back to in a demo for this.

Then there is PHP Mess Detector. It's not very commonly used, and it's typically used for projects which have a high degree of object-oriented code, typically not something that you'd see in Drupal; now, yes, you do, but most of the modules are still hooks and everything, so it's not really that widely used. Some of the cool features of this are that it can calculate things like code complexity, cyclomatic complexity and NPath and things like that. Anyone familiar with those terms? Okay, a few people. I think it's a little out of scope to go in depth into those, but these are just numbers that tell you how maintainable your code is; for example, if NPath is too high, you might want to refactor your code. Of course, you can't really figure these out by looking at the code; you can do it on paper if you want, but nobody does that. You would just use PHPMD, and if, let's say, the cyclomatic complexity is too great, you don't allow commits; the CI pipeline fails.

Then this is one of the newer ones, PHP Static Analyzer, PHPStan. Anyone use PHPStan? Okay. With Drupal? With Drupal, okay. So now this gets a little tricky to use with Drupal. This does not, as far as I know, check for things like code complexity, but it checks a lot of other things, like are variables of the right type, is this class actually present, and it checks for best practices, things like did you really mean to use an identical operator instead of an equal operator, stuff like that. But because of how Drupal works, particularly the module system and everything, it's not very easy to use PHPStan; you just have to write a simple config file, but it's not
a drop-in thing; you need to write a simple config file, which we'll see again. Okay, yeah, sorry about that. So it just needs a simple config file, and again the benefits are the same: it just gives you an idea of the different issues that might be in the code that you're committing.

Then stylelint. All the tools that we saw so far were for PHP; stylelint does the similar job for CSS. It checks for things like are you using invalid properties, or as a developer or team lead you can say that I don't want to allow certain units in my CSS files, and you can stop that from happening; things like the specificity of selectors, where you don't want to allow highly specific selectors. For example, if you're using SMACSS, you don't want to increase the specificity beyond a certain limit, so you can let stylelint do all of those things. I think something happened and I lost ESLint here, but ESLint is something similar which checks JavaScript, the same kind of logical checks, static checks, but for JavaScript. So those are really the tools. I have found that these tools are more than sufficient in regular Drupal work and even regular PHP work building web applications.

I'd like to share a few tips on using them before we actually see the demo. It's highly trivial to run these locally; for example, if you have pareview installed, you just have to type pareview in your path and it checks for that. But it's even more convenient if you're putting it in a pre-commit hook, and I think there are tools like BLT which directly install this hook, so if you're using a project based on BLT, BLT automatically creates those pre-commit hooks. You can do them manually; there's no reason why you can't. So when you create a pre-commit hook, git
before it actually does the commit, will run these tests on all the files in the code base, and if the files are not of sufficient quality, the commit won't happen. And then finally, run it in a continuous integration pipeline, because, no surprise, you can always override pre-commit hooks, right? So always run it in a CI pipeline as well. Again, there are no absolutes here; what works for you may not work for somebody else, and what works for somebody else may not work for you. As a team lead, as a developer, you have to take a conscious decision on what works for you.

One theoretical note: with static analysis, the chances of a false negative are virtually nonexistent; you don't have false negatives, but you will have false positives; it's quite common. By false positives I mean that the code is actually correct, it follows the coding standard, but for some trivial reason one of these tools will flag it as an error. There are different things you can do, like ignore a particular line or ignore a particular class, but you really don't want to go there. Again, you may decide that what this tool by default considers an issue is fine for you, it works for you, so feel free to adapt these configuration files. For things like code formatting I don't really see a reason why you would, but that's completely up to you; I can't imagine a reason why you would override a code formatting rule. But things like type checks, for example, there could be a lot of false positives there; the way you work might just bring up a lot of false positives, so feel free to customize them. All the tools I mentioned are highly customizable. It takes a little bit of effort, but the benefits pay off in the long term, and you
may say that the project is small and it's not worth it. You may be right on that, but you can always use it for the next project. It's a little initial investment, the same thing as automated testing: you invest a little now and you reap the benefits practically forever.

I'm just trying to get my screen up, maybe mirror it. Okay. So we'll just see a couple of tools; I know that we are a little behind on time, but very quickly, what the output looks like. I didn't really find a Drupal project I could use in a demo here, so I'm just going to use one of my PHP components. Okay, good enough. This is a PHP component I wrote some time ago called date converter. All I'm going to do is run phpcs; you can install it as a Composer dependency, which puts it in vendor/bin for me. If you have any doubts about installation you can always reach out to me on Twitter, but it's fairly simple; you just have to search for phpcs, it's fairly straightforward. And this is how you use it. The Drupal standard, I'm not sure if it's installed; yeah, it's not installed, so I'm just going to use something like PSR-2. Like I said, it's a PHP component, I'm not following Drupal coding standards here, I follow PSR-2. I run it... oh, it's taking... oops, yeah, that's my fault; and give the name of the directory of your code. And nothing happens, which means that your code is fine. This is what all the tools that are meant for a CI pipeline look like: if there is no output, things are good. But just to show how it would look if it was not working, I'm just going to use a different standard, like Zend; the code of course does not follow Zend Framework standards, and I would get a list of these errors. If I look at the status
code, it's one, which means it would stop the CI build pipeline. I realize that some of you might not really understand the CI pipeline reference; there are sessions after this that will probably explain it better to you. I'll just stick to the static analysis, and hopefully by the end of this you'll get a complete picture. So phpcs is straightforward: it gives you the file name, the line number, and whether it's an error or a warning. A warning won't give that exit code of one; it basically lets the CI pipeline go, but it'll still show the warning. The others are errors; you have to fix them before you can go further.

PHPMD. Okay, this is how you use PHPMD: you pass in the directory of your code and the format of the output, so you can output it in XML format if you want; in a CI pipeline, if you want to read the XML later on, you can do that, but we'll just use text here. Just for the demo I'm showing all of these different rules: there is a rule set called clean code, and code size, and design, and unused, and if I run it, it shows these various rules. Like I was saying earlier, all of these may not really apply to you, so be judicious in applying them; it's fine if you find that you don't want to use all of these, just remove them. For example, I don't really need the controversial rule set, so I've removed that from my check; I don't use them. By the way, this project is continuously tested on Travis, and I don't use that. Well, I think I'm very close to the end of time, but there is another project I would like to mention before going, and just a few next steps. These are a few sessions that are going to follow which talk about continuous integration, and
one of them is right after me; I guess he's probably waiting for me to get off the stage. The benefits of continuous integration: he'll talk about continuous integration in depth. Today evening there is a session on automation at 5 p.m., and the other two sessions are tomorrow, one at 10:45 and the other one at 2:50. I don't remember the room numbers; you can always find them on the schedule. These are a few links, but I think Google is your friend here; you can find all of these links there. And I'm done. Please join us for contribution sprints on Friday. If you have not contributed before, that's completely fine; there is a mentored code sprint and a first-time sprinter workshop that will get you going, and I hear there are a lot of tools that will make it even easier for you. And yeah, please do.
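The pre-commit hook and the exit-code point from the talk (a wrapper that chains several tool runs and swallows their return codes is useless in CI), as an added example that is not part of the original transcript and is not code from pareview, Coder, BLT or any other project mentioned: a POSIX sh hook that runs phpcs, and PHPMD if it is installed, on the staged PHP files and blocks the commit if any tool reports a failure. It assumes Composer-installed tools under vendor/bin and that the Drupal standard has been registered with phpcs; those paths, the standard and the PHPMD rule sets are hypothetical defaults that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not from the talk or any project it mentions: a git
# pre-commit hook that runs phpcs (and PHPMD when present) on staged PHP
# files and blocks the commit on failure. Assumed defaults: tools installed
# through Composer under vendor/bin, Drupal standard registered with phpcs.

PHPCS="${PHPCS:-vendor/bin/phpcs}"
PHPMD="${PHPMD:-vendor/bin/phpmd}"
PHPCS_STANDARD="${PHPCS_STANDARD:-Drupal}"
# The rule sets shown in the demo; "controversial" deliberately left out.
PHPMD_RULESETS="${PHPMD_RULESETS:-cleancode,codesize,design,unusedcode}"

FAILED=0

# Run one tool and remember its failure. Chaining tools as "a; b; c" only
# reports the LAST command's status, which is exactly how a wrapper that
# runs phpcs several times can let a broken build through: every earlier
# non-zero exit code is overwritten. Whether phpcs warnings count towards
# its exit status is phpcs's own setting (ignore_warnings_on_exit), not
# something this hook decides; it treats any non-zero exit as a failure.
run_check() {
  if "$@"; then
    return 0
  fi
  FAILED=1
  return 1
}

# Staged files worth scanning: added, copied or modified, never deleted.
# Drupal code lives in .module/.inc/.install/.theme files as well as .php.
staged_php_files() {
  git diff --cached --name-only --diff-filter=ACM -- \
    '*.php' '*.module' '*.inc' '*.install' '*.theme'
}

# Check the given files; returns 0 only when no tool flagged anything.
# With no files (a commit that only touches CSS, say) there is nothing to
# scan, so it succeeds instead of running the tools with no arguments.
check_files() {
  FAILED=0
  [ "$#" -eq 0 ] && return 0

  run_check "$PHPCS" --standard="$PHPCS_STANDARD" "$@"

  # PHPMD is optional here; it takes one comma-separated list of paths,
  # then the report format, then the rule sets.
  if [ -x "$PHPMD" ]; then
    list=$(printf '%s,' "$@")
    run_check "$PHPMD" "${list%,}" text "$PHPMD_RULESETS"
  fi

  return "$FAILED"
}

# Entry point used by git: scan what is staged, block the commit if needed.
# Paths are split on newlines only, so names with spaces survive.
main() {
  files=$(staged_php_files) || exit 1
  IFS='
'
  set -- $files
  unset IFS
  if ! check_files "$@"; then
    echo "pre-commit: static analysis failed; fix the issues above" >&2
    exit 1
  fi
}

# Only run automatically when git invokes the file as the hook itself, so
# the functions can also be sourced and exercised on their own.
case "$0" in
  */pre-commit|pre-commit) main ;;
esac
```

Save it as .git/hooks/pre-commit and make it executable. Since a developer can always commit with --no-verify, run the same check_files function over the whole code base in the CI pipeline too; its non-zero return is what stops the build.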