[Owasp-orizon] Php parser and Mirage per language skeleton brainstorm...

Stephen Craig Evans stephencraig.evans at gmail.com
Wed Feb 25 10:46:56 EST 2009


Hi Paolo,

> ... at the same time as you work hard to improve the PHP model...
Yes, this is not a high priority for me; I am going to leave it for
now and revisit it when it's necessary.

> So my opinion is, meanwhile we're working, to describe in pseudocode
> the CIR internals so that we can build the code behind that.
> I hope my English was good enough to make the point clear :)

Yes, I totally agree with everything you say about the CIR format.

I ran OSA on a small Java file that I wrote and managed to edit the
original CirDump file from 2500+ lines down to around 400 lines, and
the source code visualization in O2's CirViewer on the reduced file is
the same for my purposes (please see attached). With the reduced
CirDump file, it's not too difficult to see how it is implemented (the
SSA stuff looks tricky though)... I am trying to take a small PHP
sample program, convert it to CIR format, and view it in the
CirViewer.

Cheers,
Stephen



On Wed, Feb 25, 2009 at 1:05 AM, Paolo Perego <thesp0nge at owasp.org> wrote:
> On Tue, Feb 24, 2009 at 5:43 PM, Stephen Craig Evans
> <stephencraig.evans at gmail.com> wrote:
>> Hi Paolo,
> Hi Stephen..
>
> Thanks for your great feedback...
>> Do with it what you wish; I was playing around.
> These days I'm working on the Mirage classes, defining abstract methods
> in order to have a consistent architecture.
> I defined a Modeler and a Collector class with a bunch of abstract
> methods that the per-language modelers and collectors will be supposed to
> implement.
>
> I'm going to merge your updates with the code base and then I'll
> commit in the repository.
>
>> Out of the PHP book samples from the chapters that I mentioned
>> previously, I inspected them and 20 out of 190 total did not pass; so in
>> my spare time on a rainy day :-) I will soon figure out what is wrong
>> with those.
> Great! :)
>
>> I still think the Ounce CIR XML format is the best to write to since
>> it is already defined and O2 can use it. It includes the AST, symbol
>> table, SSA stuff, call graph, and everything that is necessary (and
> Sure, this is the way. But we have to write down the information contained in the CIR.
> I mean, at the same time as you work hard to improve the PHP model, we must
> build a list of the information a modeler needs to keep track of, for these
> reasons:
> * we need to implement the classes that manage that information (the AST,
> the symbol table, ...)
> * we need to document it
> * we need to make it available for other Collectors.
>
> What do you think?
>
> So my opinion is, while we're working, to describe the CIR internals in
> pseudocode so that we can build the code behind that.
> I hope my English was good enough to make the point clear :)
>
> Cheers
> Paolo
>
> --
> "stay hungry, stay foolish"
>
> OWASP Orizon project, http://orizon.sourceforge.net
> "enjoy your code review experience"
> _______________________________________________
> Owasp-orizon mailing list
> Owasp-orizon at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-orizon
>



-- 
http://www.linkedin.com/in/stephencraigevans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CirDump7_esapi1b-reduced.zip
Type: application/zip
Size: 260231 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-orizon/attachments/20090225/db2a9768/attachment-0001.zip 
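An added illustration, not Orizon, Ounce or O2 code and not written by either author, of the Modeler/Collector split Paolo describes: a PHP collector feeds a modeler that records two of the facts Stephen lists for the CIR, a symbol table with SSA-style version numbers and a call graph. The PHP snippet is constructed; the class and method names only mirror the words used in the thread and are assumptions; the collector handles one-line functions, assignments and calls and nothing else; SSA is reduced to numbering each definition, which is only correct for straight-line code (no branches, so no phi nodes); nothing here reads or writes Ounce's CIR XML.

```python
# Added example (not Orizon, Ounce or O2 code): toy Collector/Modeler split that
# builds the CIR-style facts named in the thread (symbol table with SSA names,
# call graph) from a constructed PHP snippet. Class/method names are assumptions.
from abc import ABC, abstractmethod
import re

# Constructed PHP sample: straight-line statements and one-line functions only.
PHP_SAMPLE = """<?php
function clean($s) { return htmlspecialchars($s); }
function show($s) { echo clean($s); }
$name = $_GET['name'];
$name = clean($name);
show($name);
"""

class Collector(ABC):
    """Per-language front end: source text -> flat list of statement tuples."""
    @abstractmethod
    def collect(self, source): ...

class Modeler(ABC):
    """Language-independent model each per-language modeler must provide."""
    @abstractmethod
    def build(self, statements): ...
    @abstractmethod
    def symbol_table(self): ...
    @abstractmethod
    def call_graph(self): ...

class PhpCollector(Collector):
    FUNC = re.compile(r"function\s+(\w+)\s*\((.*?)\)\s*\{(.*)\}")
    ASSIGN = re.compile(r"\$(\w+)\s*=\s*(.+?);")
    CALL = re.compile(r"(?:echo|return)?\s*(\w+)\s*\((.*)\);")
    def collect(self, source):
        # Emits ("func", name, params), ("assign", scope, var, rhs), ("expr", scope, text).
        stmts = []
        for line in source.splitlines():
            line = line.strip()
            m = self.FUNC.match(line)
            if m:
                name, params, body = m.groups()
                plist = [p.strip().lstrip("$") for p in params.split(",") if p.strip()]
                stmts.append(("func", name, plist))
                stmts.extend(self._stmt(name, body.strip()))
            elif line and not line.startswith("<?"):
                stmts.extend(self._stmt("<main>", line))
        return stmts

    def _stmt(self, scope, text):
        m = self.ASSIGN.match(text)
        if m:
            return [("assign", scope, m.group(1), m.group(2))]
        if self.CALL.match(text):
            return [("expr", scope, text)]
        return []  # outside the toy subset

class PhpModeler(Modeler):
    def __init__(self):
        self._versions = {}  # (scope, var) -> number of SSA definitions so far
        self._symbols = []   # dicts with scope, name, ssa, def
        self._calls = {}     # caller -> set of callees; "<main>" is top-level code
    def build(self, statements):
        for st in statements:
            if st[0] == "func":
                _, name, params = st
                self._calls.setdefault(name, set())
                for p in params:
                    self._define(name, p, "param")
            elif st[0] == "assign":
                _, scope, var, rhs = st
                self._record_calls(scope, rhs)
                # Rename uses to the current version *before* creating the new definition.
                self._define(scope, var, self._rename(scope, rhs))
            else:
                self._record_calls(st[1], st[2])
        return self

    def _define(self, scope, var, rhs):
        n = self._versions[(scope, var)] = self._versions.get((scope, var), 0) + 1
        self._symbols.append({"scope": scope, "name": var, "ssa": f"{var}.{n}", "def": rhs})

    def _rename(self, scope, expr):
        def cur(m):
            n = self._versions.get((scope, m.group(1)))
            return f"{m.group(1)}.{n}" if n else m.group(0)  # undefined ($_GET) stays raw
        return re.sub(r"\$(\w+)", cur, expr)

    def _record_calls(self, scope, expr):
        for callee in re.findall(r"(\w+)\s*\(", expr):
            self._calls.setdefault(scope, set()).add(callee)

    def symbol_table(self):
        return list(self._symbols)
    def call_graph(self):
        return {k: sorted(v) for k, v in self._calls.items()}

def model_php(source=PHP_SAMPLE):
    return PhpModeler().build(PhpCollector().collect(source))
if __name__ == "__main__":
    m = model_php()
    print(m.symbol_table(), m.call_graph())
```

Running it prints the symbol table and the call graph. The main-scope entries show why the SSA part of the CIR matters for this kind of snippet: name.1 holds the raw request input and name.2 the cleaned value, so a later taint query can tell the two apart even though the PHP source uses the same $name for both.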

