Good morning, you are in the PHP conference Asia 2016 on the tutorial day on track 2. Before we start, let's thank the sponsors. Our gold sponsor, Amazon Web Services, they sponsored the food and the venue for today. And the gold sponsor, Pusha. The gold sponsor, Potomacic. Silver sponsors, Microsoft, Dynatrace, AlphaCamp. And support sponsor, Kusunagi, iCommerce, Xenios. We are privileged to have Damian today with us. PHP 7 is the latest and greatest version of PHP. And he will talk about how to keep your code conformant with PHP 7 to get all the benefits of the language. Thank you.
Okay, I think I'll grab the screen. Yeah. Okay, so I'll try again the little stats, the little survey we did before. Who's using PHP 5.6? Or less? Everyone, okay, so almost everyone. And the ones who are not raising their hand, what's left? PHP 7? 7. 7, okay, 7, the second one. 7.1, 7.2. Okay, I'm the only one, right? I'm the only one. Oh, you're 7.2? You compile your own PHP, great. And what else? Who hasn't raised their hand? There's a guy over there who's not raising. You think I don't see you? I'm not PHP 4. Anyway, so good, so if you're on 5 and you're planning to move to 7, that's exactly why you should be listening to this session. And what's wrong here? That should be all, that was automatic. We already have to call the assistants. Anyway, so this is exactly what we're going to do this morning. I'm going to give you the tools and the information to know first, yeah, that looks good. And to know, right, so 7.1. I'm going to give you all the tools you need to know what is new in PHP 7 and 7.1 and 7.2. We're also going to touch 7.2. They haven't done much work, but that's going to be useful. And we are going also to see how to deal with the backward incompatibilities, which is usually the thing that is preventing you from moving, okay? Anything that's going to break your code, you don't want to see that. 
New features, well, if you're trying to move, then of course you want to use the new features, right? That will happen at the end, but basically the process we're going to follow to finding incompatibilities are going to be the same that the one we want to find the places is to apply the new features. So everything, between them, after that, from between the incompatibilities and the new features in between all those weird monsters hiding in the closet one way or another, we'll also try to find and track them down. So this is the work. We're going to follow one synopsis, one cycle, one loop all the time. First, learn what we want to look for because at that point, if you're still in five, you haven't get yourself accustomed to PHP 7, you don't know the monsters you're going to have to fight, right? So we first know what is going to break. Secondly, spot it in the code because that's going to be also the second thing you have to fight with. You don't know. You have a million line of code. You have five sorts to find and to change. Where are they? Okay, there are tools, there are techniques, there are ways to go fast to those spaces. Finally, and then we can start arguing with each other, what are you going to replace them with? Okay, what kind of new code? Once we're done with one feature, then we do it with the next. So we're going to repeat that all the time, all the time. First part, I tell you where to find the information, how to look for it. Then on the second part, we are going to list the features and that's where you're going to play, coming to play. I'm going to ask you how you look for the information in the code and you'll tell me then also how you want to change that. Okay, so that will be the more workshop part of the presentation. So, who doesn't know me yet? Oh, okay, well, I've been already bugging you with the elephant. What else do you want to know? I'm French-Canadian, Canadian-French. I did that yesterday, right? That's a good joke. You got it? 
Yeah, no one understand that. What else? I do live in Netherlands at the moment with the French passport and my Chinese license, so it's kind of difficult to follow, but whatever. And I, on a daily basis, work on static analysis, which we're going to cover during the session, which is a way to look into the code and be able to process millions of lines of code without actually running them. So making some automated code review, if you want. This is exactly the base for learning how to do the migration because, among other things, this is what I do on a regular basis. So, first, what's in the next version? Where in my code can I find those problems or those features? And then, third, how to replace them, right? So where can I find things in the next version? We need to get documentation. And I'm not using the word manual, okay? PHP has a manual. This is documentation because we're going to go way further than just the manual. Then, where do I find the codes? How do I find the issues? What are the different tools needed? And finally, fixed code, right? So migration to PHP 7.1, also just a few details on the session itself. We're going to cover 7.0, 7.1, and 7.2, or 8. I don't know what name they have because that's the problem at that point. They haven't decided the name. So we're maybe doing PHP 8 without knowing it. And we'll be moving from PHP 5.6, as every one of you know, PHP 5.5 is dead. So please don't use it anymore. At least do the migration as soon as possible. What else? I'm not going to cover any specific framework. If you're using it, that's good for you, but it's just, well, you have to ask to see with them with the framework you use if it's already moved to PHP 7.0 or not. Everything here is just bare bone PHP. Nothing more, nothing less. No libraries, no framework like that. And I'm going to mention a number of tools. All of them are open source. All of them can be grabbed online, downloaded, and used right after the session. So please feel free. 
The session, the slides, of course, will be given to my chief. And you can download them. We'll probably have no time to cover everything. I have way too many slides and way too many features. So if you have questions, do not wait for the end. Just raise your hand. That's a workshop. We're not a large crowd. Feel free to ask at the moment. Okay? I will cover that. Or I will tell you to wait because maybe you're ruining my dramatic effects. What else? I think that's good. Everyone's ready. Second brain is ready. Once the first is full, just switch it. And we said no pause, right? Yeah. I'm not keen on pauses. And I have lots of things to do. So if you need, just go away, but come back fast because you're going to miss a lot of things. First, where do we get information? Where do we get information on new PHP 7? The website. Yeah, of course. We start the website. That's going to be the lowest we can do, right? That's the lowest we can do. Of course, there is even a migration page. Okay? If you look for this migration for 7.1, I'm not sure it's already up. I don't think so. But on 7.1, 7 has been there for a long time. So yeah, go there. That's a good start. That's pretty complete. Pretty exhaustive. So that's a good start. Okay? It's probably translated also in different languages. Depends what you're using. So that's also interesting. There's also much better. There are books. Usually, people like to write books. So that's probably the same content as the one online, but with different examples or with some parts that are more inflated than the others. Okay? So that's also an interesting. It's also better organized, usually. I usually like to refer for PHP 7. Just PHP 7.0. There's one written by Davey Shafik, which is already on the conference. He should be here this morning. So we're going to echo him a lot this morning. But he should be here. He's also the release manager for the 7.1. So he's really the guy to know. 
And that's going to be also a really good source. Maybe we'll have some questions along the way. I have one. I actually have to bug him with that. But we may have some questions. He's the one who knows everything. So he's on the conference. Take advantage. Go meet him. Ask him. Bug him. Okay? He's going probably to push some new bugs faster than the others. Of course, there are lots of blogs and articles, which are usually completely inexhaustive, but they may have some focus on things that you don't see anywhere else. So keep an eye on those because they are interesting. But most of the time, they will be reduced to five, eight, 10 different features or incompatibilities. So yeah, that's interesting. That's a short read, but it's not exhaustive. Just the important thing. So that's the H, right? For you, you're on 5.6. That's the H. Go further. Can we go even closer to the development phase? Yeah. We have lots of information. First, you can go on the GitHub source. Inside the source, please don't read it. This is C code. This is difficult to read at best. But there is an UPGRADING file, which is the one that collects all the information that will be the base for the migration to PHP 7.0. So the documentation online is based on the UPGRADING file. So for PHP 7.1, for example, you can go there and get it. Okay? Even worse, even more detailed, there is another one that I use all the time, which is NEWS. There's another file which is called NEWS. And you go on the GitHub, every time there is a commit on the source, every time they fix a bug, every time they do a change, it's referenced here. It's more log, okay? If I'm complaining that the migration is not organized necessarily in, you know, interesting chapters, this is really log. Everything they do, it's one after each other. So it could be something as big as remove an extension, and next, a small bug fix, okay? Or even something that I submitted, like a change of phrasing in an error message. 
You know, really simple. But you get them here. So if you're looking for a specific bug, something that you're craving or you're waiting to be fixed, that will be here. Even worse, even worse, and bleeding even more, the RFC website. Who knows the RFC website? One. Yeah. Two? Two and a half? One and a half, maybe. RFC is the request for comments. So anytime there's a new feature that will be built up into PHP 7, or 8, or whatever the new versions, it will be first presented, documented, exemplified, and put there for vote. I'm going to show you exactly how it works. And finally, the bugs, bugs itself, there's the list of bugs, bugs.php.net. If you reference a bug there, you can follow it, see if it's impacting your code or not. So the RFC is interesting. You can see it this way. This is current leaf of 7.1. This is the list of things that have been implemented. So you can see different names that are interesting. What do you know already about PHP 7.1 that has been done? What's famous? Class constant visibility? Where is it? It's not there because it's actually too low. It's even... There are so many things that it's actually hidden from there. Update and modernization of list, that's there. Oh, yeah. But it doesn't show. No, it's too weak. We're going to see nullable type. What's that? And this exception, too few argument exception, fatal error or things like that. This is everything that has been implemented in terms of features, and that will now be averaged into the documentation itself. So there is the 7.1 list. There is another list which I find amusing, which is things that people have voted for but not yet done. So that's another list of things, especially daylight-saving time transition. Pretty sure that's going to be a lot of work for Derek. Null coalesce equal operator, things like that. Even after that, there is in draft. So those are being talked about but not yet voted. Interesting things, consistent callables, automatic CSRF protection. 
That sounds nice. That's something we can keep an eye on because hopefully it's going to do something. It was created in May. Probably it's a little early for us to have any implementation, but that's interesting. There is some work on that. Arrow Functions, Immutable Classes and Properties. And after that, you even have under discussion. That's completely science fiction. But you can learn about that. And I will finish with this. This is the beginning of PHP 7.2. This is the news website, the NEWS file I mentioned. So you see it's broken down by extension in core, and this is Exif, and there are already a few of them. It's not a long if you want to take a look at the moment. It's pretty short because on the master, it's currently for 7.2. So if you want to check 7.1, you have to switch the branch and have a much longer file. But everything that is done is already there. You even know who is working. So here, Kalle is apparently working a lot. And that's the only one. That's the only one. But anyway, sometimes some of them are more or less awake. And for example, we're going to see it removes the sql.safe_mode directive. So we already know something that's going to be up in PHP 7. Who's using this Safe Mode? Yeah. Who mentioned you said you don't use PHP 3, right? Okay. Good. Anyway. So here is all the information. This is the information. This is where you first take a look, depending on how much time you want to spend on searching for these features or backward incompatibilities you want to look for in your code. Then you use the first elements I gave you and then you can go down and down and down. Okay? So at that point, you have a documentation. You have a number of features you want to look for. And we now have to review the code to look for those inside. Right? So traditionally, PHP has two phases. The first one is reading the code itself and turning that into opcode. The second phase is starting from this opcode and doing the execution. Okay? 
For the sake of the analysis we're doing, for the migration itself, I actually broken that into three parts. Okay? The first one is linting, which is checking the syntax, and then checking the definitions. Okay? And the third part is execution. So it's still overlapped with the previous model, but there are two phases here which are very different, and I'm going to explain it to you with the example right after there. Here. Here this is a very simple code. The first part of PHP is checking for syntax. Okay? Can anyone spot a syntax problem in this code? A syntax problem. Same variable name, Peter? Yes, same variable name. Is that a problem in PHP 5? Is this a problem in PHP 5? No, it's a feature. You can run that. That works. You can give the same name to 100 different arguments, and that works. We'll see later what it does. Yes, that's a syntax problem that appearing in PHP 7, because PHP 7 do not allow that anymore. So it's going to be really unhappy. Now, you may think it's really weird to have people, I mean, developers who actually give twice the same, or even three times the same name to an argument, right? Given the last survey, I did over 1,400 different open source projects. 2% of them were using this feature. Though you're right. I mean, we're not, we're like 30 of us, so it means that no one is using that at the moment. But maybe if we were like 50 of us, that would be someone who'd use that. So be careful. That happens sometimes to the best of us. So that's a syntax problem. A definition problem. What kind of definition is missing in this code? There's a definition missing. I don't want you to answer now that you've said something. Go ahead, give it a try. Give it a try, give it a try. I would make fun of you. Sorry? Yeah, okay, okay, okay. Yeah, you're right. But it's not a definition problem. This is shitty code. I agree with you. It doesn't do anything useful. I agree with you. But it's not a syntax problem. It's not a definition problem. 
There's a definition missing here. Type int. No, no. I mean, this is a feature of PHP 7, right? So I'm not going to show you that. There's something missing. What's split? Who knows what the hell is a split function? That's explode in PHP 7. That does not exist anymore. Gone. So that's a definition problem. That doesn't look like so. But this is a definition. This function does not exist anymore. We have to know that. But if we lint it, if we pass php -l, as we're going to show, that does not exist. It will say, oh, yeah, it looks good. Why? It's not in the native. It's not a native function anymore. But PHP will say, okay, I'm not going to yell at any missing definition when I lint, because maybe someone included the definition somewhere. So I look at that since, actually, all the words are doing something. Split is the name of a function. I don't know about it yet, but I'm not going to yell. Right? Otherwise, when you include a function that's actually standing in a class, that's extending something else, then you have to include everything at the same time. Okay? That's right for execution, not for definition. Finally, something that will break at execution time would be something you should cover with unit tests. In this side of the world, we all, of course, know that family name should go first and then last name. While, of course, probably some westerners decided to write that code and they have switched that. Right? I've been used to that, I mean, whatever. So that's execution. Execution, we cover that with unit tests. Syntax, we're going to cover that with linting. And in between, we're going to cover that with code review. There's no other way. Okay? So let's start initially. Here are the different tools we're going to use for migration and they will cover those three phases. Well, unit tests, we're not going to dwell on that because it's beyond our scope to deal with that and do PHPUnit on your own side. 
But the first tool I suggest is your own experience. Okay? Usually, you know the code itself, right? Come on. Oh, it's time. It's time. If you want to go into botting, that's good. Yeah. Names and six. So if you know the code, well, use this. Okay? This is going to be the fastest way for you to go inside the code and find something to fix or not, at least to check it. We're not going to be able to cover everything at all. Even with all the information I'm going to give you, you're going to end up with a few monsters you'll forget. Okay? And knowing something just by memory, you're going to miss a lot. So this is not exhaustive. This is probably just what you think about the code at the moment and you're forgetting huge amounts of code somewhere else. So you know that you're going to miss. But you can still be able to spot and zero on a few problems very fast. For example, on 7.1, you cannot give a name of a class that is void. Who has a class whose name is void in his code? I had one. I knew about it. Okay? So the fix was long and difficult. But I knew about it. And even before linting, I knew that every time, as soon as I've seen the feature showing up, I knew I would have something to fix. And that didn't miss. Okay? So use your experience to check, to do the first initial checks. It's faster and you don't even have to load the code to know about it. But do not rely on it 100%. Rely on it on 100%. We're going to use other things. Linting, searching, and the logs. The logs is also like unit tests. For execution time, we can capture a number of information. That would be interesting. And static analysis. So linting, for those of you who are not used, linting is basically php -l. Who's using that? Who's familiar with php -l? One, two, two, three. That's all? That's command line. You go command line, php -l, and you give one name of a file. And it will tell you if it compiles or not. Just linting. 
It will load the code, check if everything is fine, and then it will say, okay, no syntax error found. Simple like that. If you have more than one file in your application, please, hopefully, then you need something that's a little more expensive that will look in the hierarchy and find all the files. Composer has one. You can do your own. You can have a list of things. Do your way. But PHP linting is going to be working this way. So why is it interesting? One thing you have to know about PHP ever since PHP 5 is that the number of error messages inside PHP itself keeps on growing and growing every time. So PHP 5, you can see, basically, we had less than 300 different error messages. And at the current version, we have 2,000 of them. So there's a tremendous growth. And if you just take the distinct numbers, then it's always growing up and always growing up. So it means that PHP is doing more and more checks on your code at running, at linting time, any moment, is doing more checks on your code to make sure that it's going to run fine later. Okay? So that's an interesting thing to do. And that's why linting is more and more interesting. Here is, I don't exactly remember the application I was checking, but here is a summary of an application for which I checked all the different versions. So here you have the version, though the code was checked from 5.2 to 7.1. I didn't try 7.2, but 7.1 and 7.2 get the same results at that point. And you have the number of files, sorry, the list of files that failed and the kind of errors. Now, this is just a summary, so we don't have the exact breakdown of which file failed with which error. But we have the idea of what's wrong. What can we think about that? This looks like code that actually has some backward incompatibilities. Right? It means that probably they were working on 5.4, maybe 5.6, and they checked the linting and then they decided that they would not provide any more backward incompatibilities for 5.3 and 5.2. 
Can we guess why from there? Do you know what's happened to the backward incompatibility here? What is the main feature that appeared between 5.4 and 5.3? Yeah, short syntax array, and we can guess that from the syntax error here. The expected bracket. So at some point the PHP say, okay, I'm trying to understand why is this bracket there, and in 5.4 it's okay, but in 5.3 it's gone. I cannot support that. So it's probably at some point they decided to start using the array short syntax. You tell me where I can stand, but I'm moving a lot. I'm sorry. I thought you should be standing next to the screen. No, I move back a lot. The reason is like it may hide the screen for people sitting. So also, do you see everything or am I masking anything? Okay. Anyway, so here you can see on 5.2 it's probably too much. I mean, PHP doesn't even understand at all, and it's breaking a lot earlier. 5.3 it's a little better. At least we understand why it's breaking, and then after that it's all okay. So we have an application that's obviously an open source project because I got most of them as examples. And we have forward compatibility from 5.4 to 7.1. Everything has been checked. Okay? Another situation we can have once you check only the PHP linting is things like that. Code focused only on the current version. So maybe you end up with this situation for your personal code at that moment, I mean professional code in general. You can see here we still again find the error with the short array syntax. So this is not possible. So probably the version that people are working on at that moment. And then later we'll already see problems with 7, 7.1. Okay? So we have some kind of a slope, right? Problems before, problem after, but on this just specific version, all is fine. Okay? So this means that they are not prepared to move to PHP 7. Okay? At least we know. Another situation we have with linting, things like that. 
This one is especially funny because at some point for some reason PHP 5.4 is not reporting the problem. Obviously there is something that is not working at all. Okay? So it's PHP 7.0 code and PHP 5.4 is not reporting it. So sadly enough PHP linting is not going to be very consistent across the versions. That's all you have to be careful of. The last one I didn't show is sometimes you have the same error ranging from 5.2 to 7.1. When did that happen? The same error on the same file on the same line for every version. This is someone who committed some incompatible file. He didn't check the compilation. Okay? Sadly enough again that happens. That means that no one has that this repository has no systematic checking of compilation. As you can see it's php -l. So it's very short. It's very easy to automate. Be ruthless with that. It's often that especially on professional code there is no check so some of the file hasn't been touched for years. It's still there in the repository. It's degrading because it's not compatible with a version but since no one's using it well it's still there. Remove it or compile it but I don't know but do something. So a few examples. So we already talked about this one. In PHP 5.5 what does that do? What does that print? Anyone guess? Who thinks it prints X? Who thinks it prints Y? Everyone thinks it prints Z? Raise hands please. Okay so we have a few people who are not really... What do you think it is going to show? XYZ on PHP 5.5? Okay it's going to be Z, right? PHP is just going to assign the same values over and over to the same... the different values to the same variable. So it's going to say okay I have three arguments the first one is X, I put it in A, good. The second one is Y, it's going to put to another variable called A and it just overwrites. The last one is Z and then you print it, it goes. PHP 7, not possible anymore. You're going to get a fatal error. That has been upgraded. 
Another one that has been upgraded is this one. Those are really classic ones. What is the problem here before I actually run a linting on this one? Multiple defaults. Yeah, you're talking too much, right? That's why you say default. Yeah, yeah, yeah. But you can talk also, right? You're in front now. Okay so there are two different defaults. In PHP 5 this is... Okay, that works. The first one will be used, the second one will be ignored. Again, about 5% of open source project have several defaults by switch. That happens. I mean when you have a long list of them, that's very fast that at some point the default has been put somewhere in between and there's another one at the end and that's it, it's forgotten. Okay, so now it's checked by PHP. So that's nice, right? Do you think we can have the same for cases? If we have several cases that have the same value, then maybe PHP can yell and tell us that we have doubles and one of them is useless? No. He has no solution for that. What is the problem with the case? Sorry? E? It's a human problem. Well, PHP could help, I think. Okay, but the problem here is all the cases here are all the same and except the last one, which is pretty obviously the execution problem, I mean it depends on the actual value of y, then all of them has to be executed. PHP has to do the linting, check the values and then run it, 0 plus 1, it has to be running, it has to execute it later. So it will only know the exact value for which it's going to compare the x. It will know that at execution time and it doesn't want to solve that at linting time. So all of them, even though they are all the same, it will only do the comparison at execution time way too late. So either we help PHP by trying to understand if all those values can be solved earlier and mention that all of them are identical or we wait for execution and then that will be too late. Okay, but case is not going to be solved here. 
On the previous example, there was a case below the default. Yes, PHP doesn't care about that, about the order itself. The cases will be, it's not executed like in C where once you go the default, it's over. Okay, it will actually check all the cases and once all the cases have been checked, then it will stop. I think the cases itself are in the order. So if there is like two case one, for example, or two case gif that happens, then it will do the first one and not the second one. But otherwise, break wherever it is, it's really the last one. At least PHP is clever for that. Okay, so this one probably will need something a little more clever. Other things that we can detect easily with PHP linting, deprecated features. Okay, and that will yell at you a lot. I think we have already talked about that this morning with who. I already talked about that. This is the most classic one. If you're using an external open source library and you've been using that since PHP 4 or early PHP 5, you probably end up with still this kind of syntax and PHP will be unhappy with that. Okay, so as you know, we've been using __construct since PHP 5 and not the name of the class as the constructor, right? And now in PHP 7 that's going to be deprecated totally, so PHP is not going to look for the name of the class as a method first. There are still a number of situations where it's being used as a fallback so it's still compatible with all the code but it's really high time for you to clean that, okay? PHP linting is going to give you that very fast. I also like to remember that most of the time, as I say, PHP has more and more error messages so you get more and more interesting feedback on your PHP code when you lint it. There are also situations where an old message has been downgraded to a fatal error. That's exactly the case of this one, okay? So if running your PHP 5 code through PHP 7 helps you get it cleaner this is just going to be a fatal error. 
So in 5.6 you have this nice message and in 5.7 you just get a syntax error. I mean in 7, in PHP 7 this one has been a warning so depending on your error level you're probably not aware of it. Okay? When you go to PHP 7 that's going to be directly an error. Again, that's a very common mistake. Okay? Finally, my recommendation for that when you do the linting or if you want to organize your linting, maybe for migration or in general do the linting first by middle version. There's no really need to do to minor version. Okay? There's like 38 PHP 5.5 there's 25 PHP 5.6 one of them is sufficient. There's no need to lint by every middle version. It may happen once in a while that there is some regression that has been introduced that's really rare enough that you don't want to lint a thousand files with another thousand PHP versions. Okay? Middle version is completely sufficient. Use it, of course, on your current version. Use it on every subsequent version. So if we think we are on 5.6 try 7. 7.1, 7.2. They have different meanings. Okay? 7.2 is mostly the master version the current version whatever it means. Okay? So compile it on your own or download it somewhere and give it a try. Of course, you will know about things. You don't have to fix them right away, right? It depends on how fast you want to move but at least you'll know about that and maybe the newer version are going to give you some interesting advice on how to make your current code better. Okay? As we mentioned removing all those functions with several times the same argument that applies to PHP 5 and 7. Okay? You just know it in 7 but back port it in 5 and maybe you're going to understand 7 well, you're going to fix bugs without knowing them. Okay? Try also to check on older versions. Sometimes the research are a little better. 
That's very low level but also if you have an open source project or you have published the code then you have to make sure that it's also interesting before or if you want to fall back. Okay? Imagine the situation you prepare your code in PHP 5 you start moving to 7 but if you have a major problem you want to be back to PHP 5, right? So then keep making sure that the code is compilable then it could run and later when you're completely moved then you can drop it. 5.3, 5.2 is probably really overkill 5.4 and 5.5 while they're dead but if you really need it then maybe support it. And last one I will mention is be really ruthless with files that are completely incompatible across different versions. As I mentioned earlier there are sometimes code that is committed to the repository that stays there but is not used because of course it doesn't compile but it stays there. Just be ruthless remove those, okay? Fix it or remove but do something. Don't leave code that is not compilable in your current version on your repository. Good with that? Easy part? Good. That's already a lot of information automated that's very easy to grab. Next, so we said syntax definition, execution lint, that's what we did test, we won't cover and now we have to start with code review. Do we really want to review a million lines of code? No. We need tools. So we're going to use static analysis. The prehistoric version of static analysis is going to be grep. Okay, let's move that so we're fast enough. The old version is grep or if you want any search facility anything that can allow you to search for a keyword inside the code is going to be good for it. So your IDE is good for that any tool you want is interesting. Usually it's really high speed and if you can search by keyword that's going to be the fastest you get. So start with that it's always available. The inconvenience is usually it doesn't really rely on PHP semantics. 
So you may get a lot of things that are not interesting, and it's also difficult at some point when you have lots of false positives, that's kind of boring. Here is for an example if we want to check split. Remember, split is a function that has no meaning anymore. So I passed a grep on phpMyAdmin, which is a fairly large code base, and I got 1300 reports. The first interesting thing is the three ones. Well, I made a small selection, I don't want you to read all of them, right. The first selection is that we get split in JavaScript code. We get split also in PO. So you know, this is for translation; the only thing I don't understand is that's supposed to be Chinese. Although I do read that as English, but maybe I'm wrong. And there's also Python code. Why the hell does MyAdmin include Python code, I don't know. I should ask Mark. At least I got all that dust that I have to sort and remove first. Secondly, when I look into PHP code itself I got a number of other problems. I run into preg_split, which is another PHP native function which is completely valid and stays in PHP 7. There are functions that phpMyAdmin itself created that are bearing the split name, and there are comments, because actually they were using, they were using split but they moved everything to explode and now they're PHP 7 free. I mean there's PHP, they're split free. In the end I got a lot of features, I mean lots of fluff and nothing interesting. They also have done the job before, so that gives you an idea of things that a search is going to find and that you don't really want to find. So we move to PHP static analysis, and PHP static analysis is when you review the code or test it without executing it. So that's basically the old cousin or remote cousin from a unit test. Unit test is black box: here is the situation initially, here is what I expect, and if I run, whatever happens in there, I expect the results to be fitting.
Here we're going to review that just like you and I are going to be able to read the code. So we have the code itself, we try to understand what it does, where the data is going, what is the control flow of the game, how it's organized, but we don't run it. That's going to give us a lot more abstraction; we can solve problems that unit testing will actually have to build. That's a good thing, but also we have to do a lot of thinking when we review it. How does static analysis start or work? It usually starts with the code itself, so it just gathers the whole code base, analyzes that based on the tokenizer. What was about the tokenizer extension? You don't speak much but you raise your head a lot, right? So tokenizer, who's using the tokenizer here? One, two, three, that's all. Who's using PHP? Well, ok, you've been using the tokenizer. Ok, tokenizer is the first part of the engine that reads your code and then turns that into opcode, or it can do that in a huge array. I've got arrays of a million tokens. But we just get, it's actually an extension that's by default, you just have to enable it in your PHP code and your PHP is executable, and from there you have two extra functions: one is token getName and token_get_all. token_get_all, you give it a huge string, piece of code, it will just break that into lots of things.
You will get all the white spaces, so everything that's separating all the extension, all instructions, you get all of them. You get all the comments. That's already two thirds of the value of a PHP code script. And then you start having the actual tokens. The tokens from there are not organized; you have to organize them yourself, and you end up with an AST, abstract syntax tree. There are other representations of the code that can be done; here I just have one of them. There is a data flow, there are other representations that are needed for static analysis, but it is one of them. At least the tokens are read from the code and put somewhere in the database. The database is just semantic code stored in a nice organized way. From there, just as we started with this session, we need to find what we are looking for, what I call a code reference: what you want to be able to look and ask the database about. So there are a lot of them: migration is one of the subjects, security, performance, code quality. There is Kali, I don't know how to pronounce that, but the second one is supposed to be a reference to build good PHP code. There is a number of speakers who are using that, and they have a recommendation like do not use else. I don't remember all of them; there is a short list of 10 recommendations to do some good code. It is a choice like another, it is a set of rules, that is another reference, so we could get them, understand the rules and look for that into the code. So we need a kind of reference, then we have the database, and we get the report. Does that happen? As I said, it is a new field for PHP in general, but there are already a number of them. I have sourced 5 of them together so you have an idea of how it works, and maybe a number of others will show up; I know that it is not the only available. php7mar, php7cc are both focused on migration to PHP 7, that is going to help us right now. Phan and Exakat are the two most general current ones and they are doing lots of different things, and PHP
inspection is the one that is integrated in PhpStorm IDE. So let's start with this one. The two first ones are actually not updated too much; I am not sure they are going to follow up into PHP 7.1, but if you are still in PHP 5 then that is going to be a good base for you to start with. They are going to report things. So php7mar, PHP 7 Migration Assistant Report, that is why there is "mar". It is on GitHub, it works with regex. So I mentioned earlier that using the tokenizer I passed to have the semantic value of different tokens inside the code; this one works with regex, so that would be PHP 3 old style: just get the code, regex everything and find things. That is interesting: lots of keywords. It produces an MD file and it looks like that. So I passed all the tools on the same code, on myself actually, and here is a list of things that were found. You can see processing time for about 25 of PHP codes, 25 seconds; you have 25 seconds to run the tool, right, and you get not so many of them. 12 results, that is way too low, even though my code already works on PHP 7. I expect them to bring back lots of false positives, things that are not a problem because I checked them. But probably, looks like, especially at the bottom, you can see the regex are failing because all of those are comments. Ok, the only one that is really a problem is func_get_arg, that should be checked. But it is fast, it actually found a number of results, so it is interesting. Second one, php7cc. It was even faster, it was started before. This one is based on a parser. As I mentioned, from the tokens, which are like basically Lego bricks that have been smashed down on the floor, PHP 5, PHP-Parser from Nikic, who is one of the main authors of PHP 7, so it is already rebuilt into an AST, so you don't have to build that, you just have to query the AST. This AST is only in memory, so if you want to do a big file or big code base that is going to be a lot of memory. That works, but lots of memory. Anyway, that works on PHP 5 and the result is also
very fast, actually it is faster. We don't get any more MD file but we still get them online, and I just got even a shorter number of results. I counted about 27 analyses for migration. func_get_arg was consistent with the previous one and it found some other things. So as usual with static analysis at that point, all of the different projects are usually either for queuing or have a very specific set of rules that do not overlap with the others. It is always interesting to mix and match: feel free to use one, but maybe add the others as a complement. Good enough? You tell me again if I am blocking the view. Any questions at that point? Am I boring you or no? Ok, so let's add an extra one. Phan is the brainchild of Rasmus, so as usual it carries a lot of credibility, and it has been taken over by someone at Etsy. Contrary to the previous ones it is being worked on on a very regular basis, I think a lot of things every day, so that is interesting. It is working only on PHP 7 with an extension called AST, that is very convenient because it builds, yeah, good, but it means that you can only run it on PHP 7. It works on PHP 5 code, it only runs on PHP 7, and you need the AST itself. The advantage is that it is really fast and it is obviously open source, so you can see a number of things. It is kind of opinionated. Yeah, I got, I got a lot of feedback, more than I expected. Let me give you a few details. So if the first ones were nice and we had some MD3, MD file and colors, this one is just raw PHP power, so it is like file of text, and it doesn't actually do any effort to find the code. The two first ones, you point them a folder and then they will find code inside. Phan says no, you give me a file, and if you don't give me a file you give me a list of files, but you find them yourself. Anyway, here is a number of things that have been found along the way. As I said, it is not specific on PHP migration, so it will teach you about things that are not only on migration, and it is most of the time looking for things that you can
find inside a file. Ok, so there are a few features now more on a project approach, but it will find inconsistencies inside a file, like a local variable that has been used and not defined. That's good, but if it is a global one and the global is spread across several files then it is probably not going to find it. Here, what happens: for example there are class and I think the object of the class is initially with null, so it can find this and then it is: ok, this is the object is null and then you are trying to call a method on that null. Of course in between there is an instantiation which has not been spotted. What else? Undeclared variable is really nice, and that works for property too. And what else? It is also using heavily the new return type, so if you type in everything in your application, so type in the argument type, then you will do an extremely good job as checking: oh, you are using this variable, you are calling this function which returns that type and then you try to put it here, that doesn't work. Ok, so that is the place that is interesting, and it kind of defeats the fact that PHP initially was something that is completely typeless, because at that point we are doing type checking, but it also helps a lot. As you see it is the one that is the most complete, it is still very fast, and 300 results, so I have a lot of things to check when I read this. The last one is my own tool. At that point Exakat is using yet another system for its own AST, because we read the tokens and we rebuild everything into the database, which means that we can contribute to the three first. We can actually handle that PHP from 5.2 to 7.2 or the new ones. There is no dependency on executing PHP, specific version of PHP, to be able to understand it. It is able to run everything and it got a very nice HTML version, so you can have, you can have some good feedback. It is also on text if you really want to see text or MDs. It is doing the compatibility things; again, I say this is the base for this presentation. It is doing a
lot of other things. So for example whenever there is a new PHP version, like we got the 0, 7 or 10 last week, right, I get all the lists, all the different bugs that are being fixed, I check which function they affect, the impact, and there is a list of the different bugs that are actually impacting your code, which means that every single version you can check: is this, may have an impact on my code or not? You get a list of needed extensions, so if you want to push that to DevOps that is an interesting inventory, because the machine will see: oh, you are using those functions and those classes, this means that these extensions are needed, and the corresponding directive. So it is doing a lot more than just compatibility. It is also the slowest. Finally, finally, PHP inspection. It is all the same as the previous ones. All the previous ones work on a repository; even if you just give it file names it works on a repository. This one works inside an IDE. That is yet another solution for you within the AST, because PhpStorm actually has its own representation in Java of the PHP code, and from there the advantage is that you can directly do the fix inside the code. So that looks like that, and if you want to do it you download it directly from PhpStorm, it is automated. Then the first time it is a little slow, and then you get all those feedbacks. There is one part of the panel which has all the feedback with, I would say, a recipe, a kind of category of analysis, then you have the name of the file, and you have the actual presentation on the other side, explanation. Things that are obviously easy to fix, you just say quick fix and it will fix everything for you. It does not happen all the time. So fixing pre-increment versus post-increment, that is a no brainer, it is easy. If it is removing a die and replacing that with an exception throwing, that is another problem, it does not have a quick fix there. Finally, if whatever I have listed here is not interesting or you have a bright idea, you want to check coupling, you
want to check your MVC, your MVC concepts in the code, all the templates have no access to the database, things like that, if you want to watch your own, there are different tools. I have a list of them online, this is just a list of different tools. If you are using PHP 7, go directly to AST, that is probably the fastest for everyone. If you are on 5.5 there is the parser. Avoid regex in general, but it works, so I have to admit that it is a bad idea but it still works. Ok, from there you probably just need an idea in your code, what do you want to check in an automated way, and that would be a good base. Then probably push it online to see what happens. There is a lot of creativity at that moment, people checking different coupling inside the application. That is always an interesting thing to know, and you don't want to spend too much time checking for that manually; automating it is really important there. Now that is going to be for you to work, that is the second part. Now that I have shown you where to find more information, so when I am gone you can still go online, you can learn about PHP 7.2, 7.3, whatever it is going to be up in, I have told you how to look for that in the code, I expect you now, we are going to cover now all the features, not all of them but a good number of features and backward incompatibilities from 5.6 to 7.1 to and things like that. I will tell you about the feature and you are going to tell me how you find that in the code and what you are going to replace it with. I will allow you to talk once, and then after that you let the other guys talk. Everyone is awake? I will point fingers, be careful, and the elephant is there with me to check every one of you. So I have different categories of things we would like to find: incompatible change, we are going to treat new features in the same way, and there is everything in between. So lots of things to check, and we are going to cover features from 5.6 to 7.2. A few of them will be tricky. So what kind of answer I expect from you: code
knowledge. We have already said code knowledge, so your own knowledge of the code, that could be an answer. If it is not sufficient I will tell you. Linting, grepping, static analysis, log or error reporting: this one is when you run it and PHP tells you about it, you can check in the logs and make sure that this error appears on art. And unit test: sometimes the problem will just appear in unit test. So those are the different answers that I can expect. Of course you can elaborate; just don't mention the third answer and expect me to believe that, but elaborate the tools you can use. Everyone is fine with that? Good, let's start with incompatibilities. Incompatibilities itself could be, could be sub-categorized again in three categories. Removed features: so we mentioned split already, that's a good candidate for a removed feature, that's going to be a problem. Added features: oh, how come added features are going to be a problem? Adding a feature should have a problem? We're talking about incompatibilities. That would be a new feature; a new feature is something nice that doesn't have an impact yet on your code. Okay, we'll see later. Things that I call collateral damages: things that change but you don't know about it and it still impacts your code. Removed features: let's start with extensions. There's a good list of extensions that have been removed from 5.6 to 7.1: ereg, mssql, mysql, sybase and mycrypt. No, it's mcrypt, that's mcrypt, not mycrypt, that does not exist. Who's using mssql? Good, so you're not impacted. Who's using mysql? Anyone still using mysql extension? WordPress. It's, it's using mysql? It's using mysql. So okay, yeah, that's legacy code, right, okay, so yeah, maybe. What else, who's using mysql still? Again, for what, WordPress? No, it's a legacy system, it's also using PHP 5.3. Okay, so that's still compatible. sybase, no one is using that anymore. mcrypt, ooh, mcrypt is going to be more difficult, right?
No? So let's go. How do you remove, how do you check your code has to be updated on, for example, mysql? Grepping? Yeah, how come, what do you grep for? understar. Yeah, easy enough, easy enough. Extension ereg: how do you remove that, how do you check your code is not impacted by ereg? Someone else; once you've talked, you're free for 10 minutes. Someone else, how do you remove ereg? You know what's ereg, right? It's an old regular expression in PHP. We have two of them: PCRE, which is the Perl regular expressions, and the old ereg, which is based on system 5, I think it's a system call or something like that. The old one is not updated anymore, while the Perl ones are being upgraded and we have lots of new features and it's updated and secure. So usually, whatever you can do with ereg, you can do it with ereg, you can do it with preg, so usually you drop that. So how do you check if your code is ereg? Come on, that's an easy one, right? Search, I think most of the ereg functions start with ereg. So yeah, or that's a good idea, so you try to get the same. Okay, you write that; I'm sure you feel the trap. Here is the list of things that you should look for. So modern functions, usually modern extensions, usually have a prefix. So MySQL is one of them on the previous one; mcrypt, every function is prefixed with mcrypt. So we can use this strategy of looking for the prefix, okay? We may end up with a few extra ones but that's not good, except that ereg is probably a PHP/FI extension or whatever that means at that point, right? Which means that they have no consistency over naming, meaning that you have to rely on the full list of functions to check. Now, luckily enough, except for split, most of the others you don't know about because no one is using them at all, okay?
So it's not so bad, but it's worth checking if you have other extensions, and not rely only on the prefix, especially on the old ones. As far as I remember, for example, it's not gone, but LDAP extension, which is also full of security problems, LDAP extension has, I don't know, like 90 different functions and two of them do not have the prefix, because it's encoding changing functions and they didn't want to link that to LDAP, so they decided that those two would have, I don't know, unicode, decode or something like that, and then you can get struck by that. Okay, so removing full extensions: yeah, the underscore, the prefix is interesting, but, but do not rely only on that. Second one, remove extension, remove functions. Now this is a short list of functions that have been removed by PHP 7, that you cannot use anymore. How do you look for? I will search for them. Yeah, again, grep, easy. So what is the challenge here? The grep is easy on obvious keywords, usually grep search, but where is the challenge? Yeah, you need a list of functions, you need to find the list of functions that have been disappearing to make sure you don't have any of them. For that, usually the manual is pretty consistent, so go there and you find a list of removed functions and then you can grep all of them one after each other. What has been gone here: call_user_method and call_user_method_array. Who's using that? That's PHP 4 code at least. It has been renamed recently by call_user_func, to make it really short, I don't know, but it used to be function method and now it's func. But the two of them have just been renamed. You can also directly use them by putting the name of the function you want to call into a variable and call it with the parentheses after, so it's easy, it's an easy one. There were removed extensions, there were removed functions; what else can PHP remove from one version to the other? They remove functions, they remove extensions, they can remove syntax? Ooh, like short array is an extension; they do not remove
the old version, the longer array call. I'm interested, actually I don't think I have any example in mind. Syntax could be dropped but most of the time it does not. No, they can remove variables. Well, there's only one example, ok, but in PHP 5.5 HTTP_RAW_POST_DATA has been completely removed. Ok, this is, usually you don't use that. This looks like the old, who's been using PHP 4? One, you're really good at raising your head, this is the only one. Every time I ask a question I'll try to find something. In PHP 4 we didn't use underscore GET, underscore POST, we used HTTP_POST_VARS, it was like huge name, and then we got the same syntax, and in 5 they decided to drop that and we just say underscore GET, underscore POST. And then they were kept because they were under the radar, and that's one of the old dinosaurs that are still here. Raw post data is actually the amount of information that the PHP script receives before it actually parses them and puts them for your convenient use into those dollar underscore globals and cookies and environment. If there are a few applications, apparently PDF forms and I think ActionScript also, that rely on the actual input, they get a huge blob of XML, I'm not exactly sure about that, if any one of you is a pro of those you can tell me, but sometimes they do not want PHP to actually parse all of that and put that into the dollar underscore GET and things like that, but they want to get the blob of it and analyze. That's what people used to have, so they use this variable to access the incoming information and they will parse it on their own, and now it's gone. It's rebuilt and replaced with php://input, so you open it like a file, fopen, and then you can read it. It used to be more inconvenient to use but now it's really a file, so you can open it, go inside, just move the cursor inside, go back and rewrite again, things like that, but not rewrite but re-read it again, things like that. So just be careful, it's unusual, this is the only example I have, and as far as we're moving
toward PHP 7.2 and 3 I don't have that example anymore, but it happens that sometimes a whole variable disappears. Another one, another thing that disappears on a more regular basis is INI directives, things you've been using, but when that's configuring your PHP, maybe you rely on it because you're checking that this option or not has been activated, and now it's gone. And especially in PHP 5.6 or 5.5 maybe, we got 6 of them that disappeared, that went into only one, ok, so everything, and for mbstring and iconv were turned into default_charset. Now our question is: how do you look for impacted code, code that is impacted by a directive that disappears? To just, no, no, no idea? No, no, no, I was looking someone behind. I know you're talking also a lot, you're going to move so I can keep you checked. Anything else, how do you check for those? This is directive, right, it's going to change the way your PHP behaves. Something like that in string, and you don't default the charset in the function call; if you change from Latin to UTF you just have to go manually all functions and either remove if there's the wrong charset and add it to the default charset, I mean it's, it's a lot of work. Oh, it's a lot of work, that's for sure, I understand. I'm not exactly sure to flow the process you mentioned. Well, our million code line code base, okay, yeah, classic on this, okay. So, so what is your suggestion for checking the impact of those directives? Okay, the first step you can go is: what kind of functions or different structure is impacted by those directives? The first one you can check is functions that do manipulate them, which are what? What are the functions that allow you to manipulate, which means reads, right, I mean read or check, check the value of directive? ini_set and ini_get. And the others, what are the others? That's going to end up in your plate again. We can go with all those ini, right? I'm going to cheat a little bit. You have all those ini, right: ini_set and ini_get and ini_get_all, right, and there's
another one along the way. Along the problems we met with ereg, there's also config CFG get all, which is the original configuration. We also look for all the functions that are directly impacted by them, which are the functions that are impacted by the charset. We have a short list. Ah, not sure; iconv for example, you give it, you give it the explicitly the, the, so they're not impacted. There will be, you have to explicitly set them inside the code, so those are not impacted. That's actually very funny, because those two directives here have no impact on the functions that are linked to it. There are others, there are others that are a lot more hidden. Yeah, are you looking at my screen? I start to understand now why. Ok, htmlentities has been the worst but it's not the only one, you're right: html_entity_decode, html entity encode. The worst we've seen is this one. Up to PHP 5.3 htmlentities has been using by default ISO; again, those are the westerners doing the PHP code, so of course everyone is impacted. In 5.4 they decided that UTF-8 was a much better idea, so they switched it, and all the German people came back complaining that all the code was now broken, because some of the translation, some of the characters they have in German language, are not, just a few of them, are not compatible between ISO and UTF. And then, probably a little more stealthily, in 5.6 they switched again the default value to default_charset, which was by default itself UTF-8, so this change has actually pretty much unseen. Ok, but it means in PHP 5.6 the value is not always the same, the default value for charset is not always the same. Ok, there are lots of problems for everyone handling with the encoding. So where do we look for? Good for photo. So for charset in general we look for all the functions that are dealing with the ini: ini_set, ini_get, ini_get_all, ini_restore, which won't get any argument but is going to put back everything as normal, and there is this one which does not start with ini but is still in the list of them. Ok, then
you can search in your php.ini and .htaccess if they have an impact, and there are 3 other ones that are impacted: htmlentities, decode and htmlspecialchars. So you start from the directive, you try to understand where it has impact, which are the different functions that may change their behavior depending on the directive, and then you have to look for them. From there we can start again with a keyword search, so that's a grep, that's sufficient, especially with names long like that; it does not happen too often that you have it as a variable name or a class name. Fair enough. I think I'm going to put the next question on that side, I see people nodding but not answering much. Good, next one. Oh, that's going to be an interesting challenge. In this case, preg_replace with the infamous e option. Everyone knows about it? So the slash e option means that when you do a replace, the pattern matching will be done as usual but the replacement will be done with code that is actually provided as a second argument, and it will be treated as PHP code, compiled and run, and the results, it's supposed to return at least a string, and this string will be the replacement. Which allows you to look for something, do some calculation on it and then replace it in the initial string. Inconveniently, it's also a place where people like to put superglobals and values coming from the outside, so at that point it means that basically you can run any PHP code from incoming, from the incoming variable. So to avoid those security problems the data has been completely shut down and removed and replaced by two functions here. preg_replace_callback: well, the callback is some PHP code that is also compiled and can include variables at execution time, but it's less prone to errors. And the other one, when you have too many of them and you want to run several of them at the same time, you can use preg_replace_callback. That's a really nice feature to speed up your code: if you have even just two preg_replace_callback one after each other
and you want to speed up your code, just move that and turn that into a preg_replace_callback_array. Yeah, they're not easy on speakers I guess. And that will be fast. Good, so now we have a good challenge, that side of the room now. How do we look for, how do we look for this problem? Remember you have good answers, which are your knowledge, PHP linting, static analysis, error logs, unit testing, and the sixth one is grep. Who wants to try? I'll do the last row after that. Okay, come on, someone, how do you look for that problem? Easy one. Search for the, search for the, search for the, the preg_replace itself. That's going to be, at least turn your million lines of code into maybe a few thousand regex. That's a good start. That's probably not sufficient and it's going to bring you a lot of false positives. Can you go further than that? Can we grep on top of that on e? No, that's not going to, because first preg_replace has 3 e itself, so probably you're going to end up with something with the same names. The other thing is the delimiter here. You know, looking for something like slash e, which could be a good idea, you have to know that any non-alphanumeric character can be used as a delimiter, and if you take a look even just like WordPress, they are using probably 8 to 10 different delimiters into the regex. So unless you have a good reference that says we need to do slash or we need to do pound, or, you're probably going to end up missing a lot of them. So you cannot really go further than that, you have to deal with a lot of false positives. And match it against the second hyphen: if you are good with regex and grep you can search for the first hyphen and then anything and then any alpha characters, modifiers; if there's e you can look for the string here. Try to guess the first slash? You don't need to know the delimiters, you just have to find e in the last alphabetic characters before the second hyphen. You can try. Ok, so you look for the e at the last, knowing that there are about 15 different options that can be
put there, but it doesn't matter because you have something as the delimiter, and the thing is the delimiter here is not really known and there may be a lot of letters here. So if you're good with regex, yeah, you can reduce; regex is going to work but it's just going to reduce the load. So probably the best is just look for preg_replace, which is the only easy keyword; going further is probably a lot of work. Static analysis may help. Static analysis here may be a little more clever, because detecting the, the delimiter is something possible. You can understand that here it's just a literal, but if it's a concatenation already by itself you can still spot it, but even though it's also a lot of, a lot of work just for that. So the easy one: just function name, that's sufficient, and after that your knowledge of the code will just clean that pretty fast. As we are here you can use the pipe, so double grep, so first you grep replace and then grep it and go a little further. Refining is a little, yeah, that will filter a little bit, but it's difficult to go beyond that. The first one, so what we hear here is the way you call preg_replace_callback. preg_replace_callback: you put, you put the list of patterns, the patterns are the key, and then on the other side you put the callback. It works with function names, so if you just put a string with the function name then it will call the function itself, and the function is supposed to return the values that will do the replacements. What I don't like in this structure: we can go into a huge piece of code, ok, that's what I don't like too much, but on the other hand it's really convenient. As you can see, we try to replace abbbb by something else, so we spot the a's and we return all the a's in uppercase, so that's a very simple and compact way. The other one here, we actually use a static here, and every time we return the b itself made into a per value and we add some extra static, so we count the number of times we've been there, and the spec is a value
that is actually extracted from the context. So it's still a very complex way of coding things: we can grab information, we can cycle on itself, and that will be done in one call. This is faster than just calling several times in a row the same preg_replace_callback one after each other, so whenever you can, this one is a good idea. And I don't know why I have that. The other one I want to remind you: if you have simple replacements, preg_replace accepts arrays as syntax. Again, it's better to use only one preg_replace rather than several calls. The only thing I don't understand is that on this one it's an array of patterns and the matching array of replacements, and if you remember what I just showed you on the other one, this one is an array where the keys are the pattern and the replacement is the value. No comment. Yes, but otherwise that won't fit on the slide. You're right, for something that simple please don't use that. Maybe I should have done that. I just tried to have code that is compact and readable on the slide, so that's probably a problem for me here. What's next? One problem for 7.1. I wish Davy was here, I need more explanation on that. In PHP 7.1, we've mentioned that call_user_func is the way to go now: if you want to dynamically call a function, you use that. And here is a list of functions that in PHP 7.1 cannot be called dynamically. Let me try again: you cannot put extract into a string and into a variable and call a name to make it a function call. You can put strtolower into a string and then call it as a callable, a rework, array_filter or preg_replace_callback, that works, but nowadays it is not possible to call directly those functions here dynamically. You cannot put them in a string and then call that. Again, I think I haven't enough information about this one. That's new in PHP 7.1, so in 7.1 that will happen. I don't think it's very useful to put those into variables to call them, but it's more a security feature because those are exactly the tool
that viruses, whenever your website is infected by people trying to inject code, they try to use those to get information. Okay, extract and compact especially, to overwrite variables, is very convenient, so that would be a good way to search for information. parse_str with one argument, that's also a security feature. If you just, parse_str is going to break down and parse a URL, a query string, and return that as an array, but it will only return that as an array, and that would fill the array with the value it finds. If you just put one argument, that's a security problem because it will actually directly put that into globals. So always, always use parse_str with two arguments, so the values are stored somewhere you control, while on the other hand, if you just put that on the other one, with only one argument, it will just put that in the global scope and overwrite everything else. All of them, I think, are for security reasons. Now the question: how do you spot that you're using dynamical calls on those functions? Okay, let's do the last row, because I haven't seen any answers from there, then we'll be back to the table. Suggestions? Static analysis. Yeah, that's probably the answer for everything, right? But what do you spot, what do you try to look for? So static analysis, we're not grepping, we can do things like, oh, this is a concatenation that will end up being extract or something like that. But how do we know what is going to be our focus with static analysis? Looking for them inside a string. And probably looking for them inside a string or a concatenation, no? Because usually those viruses, they try to hide the actual values by breaking the full keyword into smaller pieces that they rebuild. Okay, so different strategies: instead of putting extract, if we want to get this example, they would say $s is ex . tract, and then of course that will rebuild the full name, but most of the grep will fail because it cannot find extract as one word. Other strategies is using all those sequence
characters, we're going to see a few of them later, but for example if you use slash zero and then the octal representation of a character, PHP will actually replace that into the string. So let me think, just from the top of my head, but if you write something like EX slash zero and I think it's like 72 or something like that, that's a t, and then that again will defeat any preg system, but it will still write extract inside your string, which at execution time will be extract and then you can call it. So looking for the words here, and static analysis here can take the literals and say, okay, there is something that could be actually preprocessed even before running the other code, and I can decide that this extract or this complex sequence is actually extract and I will warn people. So I think, yeah, static analysis can go further than just a preg_replace, I mean regex searching. Anyway, I don't think that those functions are very classically used inside callables, so I really want some more information on that. So we're back to a problem that we had before: added features. PHP is adding features and they have backward incompatibilities with our code. How come? Yes, that's a good one. Here is the evolution, the table evolution of definitions, and those are just core. PHP is adding roughly a few functions every version, okay, that's a rough mean, another 10 classes, and around 30, I would say, as a mean 30 new constants, which means that if by bad luck you have the same name defined in your code then you're probably going to have a conflict and that will be wrong. Okay, so here are a few examples: get_resources, is_iterable, mb_scrub. That's going to be interesting. I'm not sure you have a chance, if anyone tries to have a name of a constant like PREG_JIT_STACKLIMIT_ERROR, this one we're pretty safe. On the other hand, for the old guys like me, we had the famous fiasco of the Date class. Someone in PHP 5.1.1 decided that it was interesting to have a Date class. Who has a Date
class in their own code? No? Someone is lying here. Everyone had a Date class at that time. Okay, results: well, which led to a lot of, you know, backward incompatibilities, everyone had to change many things, so they actually removed it, and the 5.1.2 they fold back and get some extra new classes name. They're not going to do that because, for example, PHP 7 was tested against a number of frameworks and classic applications, so they checked that everything was okay. On the other hand, we haven't seen that yet, but there's a new class called Error, which is kind of a classic name for a class, right? So that may have an impact on your code. It's on the global space; if you're inside your namespace that's probably going to be safe, but you have to know about it. So let's see a few functions that are new. intdiv, integer division, that's the contrary for the modulo. We know the percentage, we do for example 7 % 3 and we get 1, okay, that's the remainder from an integer division of 7 by 3. intdiv is going to give you the number, it's... 
I don't remember what's his name, the numerator. So again, if we start 7 intdiv 3 we'll end up with 2, because we do 2 multiply 3 plus the remainder 1 and we got the 7. We didn't have any ways to do that until we got actually intdiv. Okay, get_resources is the list of resources you have open, so resources being a resource in terms of PHP: files, database connections, PDF files, document things like that. If you want to know how many files you have open then you can go there; the ones that are being open at that moment will be listed here, if you have closed it, it's gone. error_clear_last removes the last error. Garbage collector clean caches. We mentioned mb_scrub, multibyte scrub, it's an mbstring function that will clean a string and remove everything that is not compatible with whatever encoding you are asking. What else? And the preg_replace_callback_array we have seen. Okay, next: collateral things that have changed that will have impact on the code, features but just changed. Here is one we got that made an update. Up to now invalid octal are just silently updated and turned into whatever PHP can do with them. So here in PHP 5 this is 0, it's a complex way to write 0, there are shorter ways, but if you really want to write it this way, that's 0. PHP 5 will say, okay, that's a 0, so I start with an octal, I know that everything later will be from 0 to 7 and that's all, and then you end up starting with the 8, and 8 is not an octal, that's too large, that should be 10, so it's 0, I stop, I cannot understand that, I stop, and then I got up to now 0, so that's a 0. It will analyze and parse the integer until, so either at the end, either something is wrong. So that used to be completely silent, and now that has been upgraded to a fatal error, meaning that if you have any incompatible or invalid octal in your code you're going to know that very fast. Question: how do you spot them in the code? Testing? No, no testing, come on, that's an easy one there. How do you spot errors with octals?
Linting. Linting, it's a fatal error: you lint with PHP 7, that will tell you the problem of octals you have. Okay, that's an easy one. So another invalid octal, that will be for 7.1, and that's the same kind or the same problem as the previous one but inside strings. We mentioned the sequence, okay, everything that's inside a sequence that PHP will actually turn into something else. So here slash 0 and then the next character will be octally defined a character. Thing is, PHP does not make any check of the first one, okay, so you can end up with the same, because it will just say, oh, slash, an integer, let's start comparing the two and then the next ones, and then we end up with two characters that are supposed to be different but are not the same, which are actually the same. The thing is, yeah, how do we spot that? And now it's not written on the screen so it's a little harder. How are we warned that this is an invalid string? Previously I mentioned it was a fatal error or on the screen, so if it's not a fatal error because it's too harsh, it's going to be, yeah, probably, then if it's a runtime error it's a, yeah, we check in the log, it's a warning. So we'll get a warning telling us that something is wrong. And, oh no, we get a warning on the previous one. Next one, still with numbers, yeah, in PHP 7.1. PHP 7.1 is going to raise a warning whenever it cannot perform an arithmetic operation and I've actually valid numbers. So those are not valid numbers. In PHP 5 it works, why?
because just like we did for the octals it will say, ok, this is a first string, good, I need a plus, ok, backtrack, one, fine, I know what that's, the number, space, I don't understand that, I stop, I just get the one, and then I do the same for bananas: two, I understand, space, I don't understand, I keep the one and two and that's three, and I end up with the result of three. Now in PHP 7.1 it's going to yell at us anytime you're using numbers that have, you know, you need like currency, you need, after, Singapore, I like the fact you have to think about it. I've been in four different countries so I know that the chance, but when it's your own country usually you know, right? Who's from Singapore here? One. Ok, that good, I have that next time before we start, whatever. Ok, so if you're doing e-commerce and you used to first put the unit, currency unit, after, and then you think, oh, I have to do the grand total, and then you do the update of that and the sum of all of them, that will be good, but PHP will yell. If you manipulate physics units, I mean every scientific unit, usually the unit is after, and you manipulate that after doing the formatting, that will be too bad. How can we spot those problems? This is definitely an execution problem. PHP is not going to yell at that. It's a notice, so just like you mentioned, it's execution. PHP will probably not, well, will not yell at that, it's not a fatal error, it's not going to compile that. How do we spot this problem? Search for strings with a concatenation with a plus. Ok, concatenation with a plus. I mentioned it's, ok, I've corrected myself and said it's every arithmetic operation, so plus, minus, modulo and all of them, and that also includes logical combinations, and, or, XOR or things like that. So that's a lot, that's a lot, but that's still possible. What else? The other things we have is, currently I've given you two literals, but everything is dynamical. If you're kind of solving, who said that, saving on filtering and get a value and add it with a zero, then it's going to yell. Ok, here
we cannot, well, this is an execution problem, so we'll probably start with the logs, that's probably the first good source. In terms of static analysis, besides literals we probably cannot do anything more than that. We can spot if a variable is directly used in an addition, but we need also to understand where it's coming from before deciding that it could raise an error or not, and that's going to be completely dynamical. Ok, on the other hand we can check most of the code, all the literals, and say, ok, this is with a number, then we can mention at least it's going to be invalid and maybe raise an error at some point, but there is nothing more than that. Yes, it's very data centric, so I don't think we can go further than checking the logs in terms of production. Fair enough. Do we need to clean all those notices and warnings? As long as not, so that's an error, well, currently it's a warning, we can shove it, we can shove it under the rock, but we've seen already other things that have been upgraded from a warning to a fatal error, so it's probably better to get the good habits of cleaning that and then not be stuck because on PHP 8 it's going to be a backward incompatible challenge. But you're right, there is no rush for that, and again if you're in 5.6 at the moment, as long as you're not moving to 7.1 you're fine, but it's part of the migration, and you can still shove it under the rock. This one is particular, but I'm pretty sure this is going to raise a lot of hail. I expect a number, a lot of feedback, and it may be just a hail that will start with, oh, we switched to 7.1 and now the logs are filling up, and I think that we're going to start with that. From there people will go in the logs, but this one is coming a lot, a lot, a lot, a lot, we have to fix that first, and that's going to be a lot of searching. Some more. I told you you need a second brain, right? If you want to switch, that's the time. Reserved words, that's incompatible, we cannot use the old words, and there's more and more of them that are
uprooted: boolean, integer, floats, string, null, true, false are not available anymore, we can use the old class constants, interface, traits. I was using straight. Yeah, welcome to the club, I got that, I have a very funny one later, we'll see that. mixed, numeric, object, resources are not used yet, they don't know really what they want to do with that, but it's already reserved so you cannot use it also. And in 7.1 void is also reserved, so you cannot as a void. I actually learned that even before they documented it because I checked on master, so in one morning I just upgraded, re-compiled my PHP, checked my linting, and I got a lot of void. So all of them are reserved. On the other hand it's more a feature that you have to know. You have to know though that, on the other hand, new keywords have been reserved but keywords have been relaxed inside a class. That's a feature because you can still live without that, but inside a class you can have a constant called instanceof and use it, that's nice. instanceof is not the best example, but in my API I have a lot of usage of as, and as is not, it's a keyword from PHP, and inside a class it can be used as a method, that's nice, I mean at least it makes my own API more fluent, but you can end up with a really nice sentence like that. The only exception is class itself: you cannot use class as a constant name because we already have the special syntax where you can get the name of the class by calling this special class constant, that makes it difficult to explain otherwise. Well, properties we don't care, it's already relaxed, and constants and methods you can use most of the keywords, which in terms of static analysis is really painful. This is a feature, but how can you apply this new feature in your code? Unless you are rating it. Unless you are rating it new. Previously it never worked. Yeah, it worked, but how do you know, how do you search for places in your code where you can use this new relaxed code? That's probably new development, it
probably means that you have to rename a number of methods and constants, so don't mess with that, new development, good the way it is at the moment. Ok, we are in invalid stuff, even more invalid stuff, that's collateral damage. In PHP 7 we can have this new sequence, slash u, u for unicode, and then after that we have a unicode code point. I don't know if you're used to that, but this is something that I've heard about. The unicode code point is basically the sequence here that represents a special character. That means that here in PHP 6 this old sequence doesn't work, it just outputs it just normally, and in PHP 7 it will actually display an element. We are trying to force the unicode consortium to add the PHP logo on the element, they have been reluctant up to now. Anyway, why is it interesting? Why is it interesting? You can now have strings that will be compatible with every encoding and that will still be able to output some Chinese, for example, or emoticons or things like that. Why is it collateral damage? This is going to impact your code. How come? Previously, if you are using such a string as plain text, now they will replace it, that's the idea. Part of your previous strings may be invalid. What happens is PHP will be very picky in PHP 7, and internally between the parentheses, well, the curly braces actually, between the curly braces, if it's not a valid code point it will be unhappy and it will make a parse error. Ok, so the thing is the parts that PHP uses to start understanding the code point is just the two characters, the two first characters, this will be exactly this. If in your code you have inside literals, which means double quote strings, this sequence slash u and opening curly, it will try to understand the code point after and it will yell. Is that often that we have such a structure? It does not apply, it only applies to literals, does not apply to execution code, so meaning if you read a bunch of garbage code or maybe this old format, not rfc, rtf, rtf is using a lot of those structures I think,
but if you open it and use it, PHP is not going to manipulate that, it's only literals, so it's at the parse level that it will try to understand the literal and turn the sequence into something else. How do you check for that? Again with the linting, it's a parse error, so linting will tell you at once that you have literals that are not compatible. Easy one. Ok, next. How long do we have again? 20, 19 minutes. You hungry? I have another 50 slides. Ok, so you tell me if you know it and then we just switch to the next one, but I have some more. Ok, hexadecimal strings, also that may be a problem. PHP 5 used to interpret strings as soon as it could, it would try to interpret strings that look like hexadecimal characters. So here you can see PHP 5, it will just say this is a number, and this is a number inside a string, I will deal the same. Ok, on the other hand PHP 7 will say, oh, this is a string, I'm not going to try to understand what's inside, that's a string, that's a 0, and I use that as a 0. So if you're used to put your numbers or your md5 or things like that inside a string then it's going to be a problem because the comparison is not going to be the same. It's actually coming from security problems, and that's a very classic one, because comparing two different md5 may end up being two different 0s even if the md5 have a string is different. Ok, so this is exactly the security problem that's being solved here. Again this is for literals. How do you spot for this problem? Someone who hasn't talked yet. What's the best tool to find those problems? We need literals. Literals are easily adapted, I mean found, by static analysis. This one can understand the semantic and understand exactly which string starts actually with this kind of structure or not. grep is going to be too wide a net for enough. Another warning for strings, oh no, this one we can skip, this was the previous examples. Exceptions. Exceptions has been a problem, has been an evolution also. Up to now exceptions has been very flat. We used to have
Exception as the top level exception in PHP 5.6; in 7 it's not anymore the case. First, Exception itself implements Throwable, which is the most general common denominator for all the exceptions, and there is a new exception type which appears, which is Error. Error is for everything linked to parse error. We can actually, you can see ParseError, which will be raised anytime you run an eval with code which is invalid, but this is a reason why we can catch ParseError inside PHP code, which sounds weird because parse error is actually happening before the code is run, right? Anyway, so Exception now is not at the top, and there is Exception itself, RuntimeException, LogicException, there are I don't know 70 of them at the moment, so there's way too many of them to fit on such a screen. But anytime you have a catch that is trying to catch all the exceptions by catching slash Exception, now you're going to miss a number of them. That's exactly the kind of evolution that has an impact: your code hasn't changed, the way PHP deals with it has changed, so your code is decaying because the platform has a new way of handling things. Okay, so since exceptions before, yeah, it would, yeah, it would just stop, but now, yeah, we couldn't get it before, that's right. So Exception is not the top, the top catch. You have to review all your catch clauses. Anytime you have slash Exception by itself you have to understand and review it to see if it's really the top exception you want, maybe replace it with Throwable. And the problem is especially on the exception handler, because the exception handler will be fed by every error, exception that is being raised, including the post errors. If you set a type hinting on the exception handler of Exception, then a part of them will not be filtered, and it will actually be in a very strange place, because this is a function, the exception handler is called as a, you know, usual cleaning of PHP itself, and it will suddenly be an exception, and having another exception
raised because it's trying to match the Exception as an argument with the Throwable inside, so that's really weird. Okay, so those are the two different impacts it has on the code: check all your catch, that's probably the easy one, and the error handler is the second thing you have to check. Everything around exception usually revolves around the two of them. And, yeah, I have to keep my code compatible between PHP 7 and the previous versions, how do I do it? You have the two of them. You put Throwable, because in PHP 5 Throwable is not defined, and you can actually, and that's dead code in PHP 5, you can make a catch on an exception that does not exist, okay, which means that PHP will just compare and say, okay, it's, so I just skip it, and the second one will be caught by the Exception. So Throwable first, so PHP 7 code will have priority and you catch it, and if it's PHP 5 then Throwable will be ignored, not defined, and then it will go to the second one and then that will be caught by Exception. Yeah, that's weird. Yeah, this works, but for exception handler no type hinting until you have made the move, that's the safest for you. Second one, eval. We already mentioned the problem. Well, besides the security problem and performance problems and every other problem we have, eval has now to be made through exceptions. Anytime you have eval you should be putting that into a try catch clause. Okay, so that's PHP 5 code, PHP 7 code. Every eval has been upgraded and now is able to pass errors and you try to attempt the fix. So anytime, if you're still using eval, which, god forbid, you try to use as little as possible, then at least put the try catch around, that's going to help you code. Okay, more evolution in terms of exceptions. This one: there are a few classes that in case it would fail, so if the constructor fails, actually this new would not raise any parse exception, it will just return null. Okay, there is file info, and there are a few others which I cannot remember at the moment,
there are a few classes, few core classes, that were behaving like that. Now in PHP 7 all of them will emit a parse error, whatever type you get, so if you have new info then you can also put it in a try catch and catch something along the way. Okay, so again your old code, or if the old code file has been compared to null, that was wrong, you have to remove that. Last one, it's a new function, random_bytes, and there is random_bytes, there is random_int, that will provide you cryptographically to make your random values. Anytime you have to use random values for security reasons, that may be session IDs, that may be one time usage tokens, things like that, use random_bytes. And there is random_int, will provide you an int; random_bytes will just give you a string of garbage that you can use. So that's really nice, but this is cryptography and you want to keep that safe. So the usual behavior of a function that fails in PHP is to return null or zero. That could not happen here. Why? Because then you do not get a string, it's not safe. It means that if for some reason random_bytes fails, it will return zero and you start using zero as an identifier for session, that's a recipe for disaster. So we need a special behavior for secure functions that will tell you that something is really wrong and you have to handle the behavior, and so we got errors, type errors. So basically this single function can return through three different exceptions. TypeError, that's for you, we probably shouldn't catch it, but TypeError means you try to do random_bytes on a letter and random_bytes says, okay, I cannot understand what you're telling me, I expect you to push a number of characters, you're telling me A, that's probably a development problem. The second one is invalid length, so you ask for a random_bytes of minus 10, again it makes sense, but not so much. The last one is weird: it's when random_bytes couldn't find enough random values, things from odd drive, from microseconds in the clock, from lots of different things, but sometimes
it just cannot get enough information from the physical hardware and it will decide it's not sufficient to be randomly secure and it will just emit an exception saying cannot get enough random values. This is the one you want to catch, to think maybe try it again or mention an error and say, okay, I'm sorry, I cannot stop the session because there is not enough random data for that. The important part here is, when it's really important, this function will emit an exception that you should read, catch, and then behave accordingly. This is security. Here I can't expect this to be a precedent, I'm thinking that the number of other functions will evolve and to be more secure, more parser, to avoid you, to prevent you from using default behavior or default return value as a null and pushing that into places where it's not safe. Okay, random_bytes is a new function, so it's more a new feature. Do I have to stop now? No, 8 minutes. Oh, catching exceptions. Okay, that's a standard one. This is custom code doing something and then there are several catches. The only thing that's repeated here is that, whatever, we get two different exceptions, we do the same call. So in PHP 7.1 you can actually have multiple catching exceptions. It's not exactly a preceding code, right? Anyway, you can stack all the different exceptions you want to process the same way with a pipe, so all those three exceptions will be caught by the e and then you can call the same one instead of making one class, one catch for each of them, okay, which will prevent you from fixing one of them and not the other. PHP 7.1. And what else? Yeah, yeah, whatever, that's a joke. Negative offset also. We can start generally, we can start using negative offsets like that, so if you want to access, you know, when you use substring you can mention that you want the offset of the substring to start from the beginning at the end of the string and use a negative number. Usually on string itself we cannot use negative number, straight numbers, and on 7.1 you can
use both of them. So here we have a string, a short string: minus three will look for the C and minus plus three will look for the D, no, that should be C also, 0, 1, 2, 3, no, that's D, that's D. The thing is, this is still not compatible, and I have to bug Davy again, this is not compatible with this one: negative numbers inside the string, that will give us a parse error. Actually those are two different tokens inside the string when they're doing interpolation. This should be one, and this should be only one token, and this is actually two. Any negative number, it's actually two different values, it's minus and two, and PHP then at execution together. So most of negative numbers, and you will be able to use that most of the situations where you want to use 7.1. Another interesting evolution: list now accepts keys. list accepts keys, though. list, when you want to unpack an array, it used to rely only on numeric integers 0, 1, 2, 3, and it will assign the first one to the first of the list and so on. Now it is possible, this is the old way, now we can mention that this index A will go in variable A, the index C will go on C and the index B will go in variable B, meaning that the order on the list is not important anymore. All the three lines here are the same, and everything that is in the array, let's say we have an index D here and not assigned by the list, I just forgot it. If it's required but it's not existing in the array, that will assign null, no error, don't put me on this one, but I think so. So that's nice. The other thing also for syntax: list itself has been upgraded for short syntax, so we can now use the short syntax array on the left side, and instead of calling list just call the array itself without the upgraded version, so the old version with just ABC between brackets, again another array, that will work as previously expected. What I like also, that's going to be really crazy, is that you can nest the list now, so imagine here we have an array, another sub-array, then you can build the array via
the list itself in the right order and get nested values, extract everything in the same time. I'm probably sure that's crazy, at least one level is good, but I think it's nice anyway. Now this one is easy. What else incompatible? Oh, I like this one, I like this one. In PHP 5 you can call any method in a class statically even if you didn't decide that it was a static class. So here it's an example: class is defined here, function f is not static, but I can call it statically. In PHP 5 it's going to tell me the name of the class, fine. In PHP 7 it will be unhappy and tell me that I cannot call a class that has not been defined statically. That is also a source of, how to say that, tears and lamentations. I never thought about that, I mean it took me a long time when I realized that, I didn't realize that, but most of the projects are using that. Anytime people don't know exactly how to grab the object to actually call their referencing before reaching whatever they want, they usually rely on static and go directly there. As long as the method is not using this, it's fine, it should actually be called static because it's not using this, but as soon as it's using this, the call will make it that this is now a lot of trouble behind. That's a warning, so you have to check with the logs, execution time only, that's the notice you also get, oh yeah, that's in the log. Changed behavior. I want to mention this one: anytime you have complex variable calls, beware, that's going to be difficult for you. PHP has changed its interpretation, but it's a lot more consistent: everything is read from left to right in that order. In PHP 7 it was depending on the situation, sometimes it would read one, sometimes it would read from right to left, it would be different ways. Basically the rule of thumb is, anytime you have at least three of these operators in one call, review it. Well, first review the rest of the architecture also, but if it's too complex, at least three of them, so you see here two indexes and two variables, here there's also a
property. Review it, because the behavior may have changed. That will be the real for unit test, because suddenly it's going to yell and not have the good values. Okay, if you use only small arrays or small calls, that should be fine enough.

func_get_arg. How long do we have again? Yeah, it's 12. I'm going to do this one and the next and we stop. func_get_arg as well: if you don't use it, it's okay. What changed between PHP 5 and 7 is that func_get_arg now always returns the current values of the arguments that have been provided. So look at this function: we get three arguments and we print them. In PHP 5, that will always be the same, okay, one, two, three. That's always the same; it doesn't change. Even if we change the argument, func_get_arg will still be focused on this incoming argument. In PHP 7, this will be the current values that are reported. So depending, if you... usually there's only one call to func_get_arg and that's sufficient. But if you're using that later, not at the beginning of the function but later, and you expect to have the original values, you're going to be in for a surprise, and a difficult to understand surprise.

Okay, I'll finish with usort, because this one is interesting. usort behavior has been changed. Well, not the definition itself, one specific situation, which is whenever there are ex aequo, values that compare the same, compare with the custom value, then PHP, the previous behavior was to reverse the order, while in PHP 7 it's actually the same order that is kept. This is undefined behavior. So if you go in there, if you go in bugs, there's a lot of people complaining that the order is not the same between PHP 5 and 7. This is because the values they have at that point are not differentiated. So if user, if the comparison function always differentiates the values and makes sure that one is above the other, whatever it is, that will be fine. If two of them are the same, inside those two ex aequo, they will be ordered in a different way. This is not a bug, because the PHP manual
mentioned that it's undefined behavior. What it does is whatever PHP wants; it's not specified, and it should behave this way because the values are the same, they compare the same. But if you rely on that, and I think Piwik, one of those big projects, relied on that, whenever it was comparing values the same and you had the wrong order, it lost something. So this is exactly the kind of things that you have to learn, maybe going to bugs. Other people will get bitten by that kind of bugs, and it will not be accepted as a bug by the PHP group itself: undefined behavior. But maybe you have to draw an experience from other people. If you're not using usort or uksort, it's fine with you.

So I'm going to let you go for lunch and just finish as a summary. So check the manuals, and PHP lint is your first friend. If you're not using it at the moment on a regular basis on your code, for just cleaning purposes, start with that. That's easy, that's very fast to set up, that's going to help you prepare your migration a lot. That's probably going to help you clean your code, because PHP in newer versions is usually helping you clean code of the previous version. Okay, the other one is: start using static analysis. It goes way further than that, than just searching and grepping the code, and it's going to bring us a lot more goodness in terms of clean code and maintainable code in the coming years. I'll be here for the next day, so if you want to ask me things specifically, or things on the slides that I have not mentioned... I will push that online, I guess, and I don't know where if you put that, but on my Twitter account I will mention where it's there. Bon appétit.

Before I end it, thanks a lot, Damian, it was a pretty interesting session. Actually there are two things, the tutorial day and the conference. How many of you are attending just the tutorial day? Okay, so please go to the reception. For others, you can contact at the conference. All the sessions are recorded, so go to the one that is interesting to you. So you
can switch between the sessions anytime. You want to take a target take, and I'll get you to the scope, so you can watch those missing pieces. You can proceed for that. Thank you.