XDebug Your Code
Tips and Tricks for Writing Bug-Free High Impact Code
Brandon Savage, Applied Security, Inc
Thursday, July 23, 2009
Who Am I?
• PHP Developer for Applied Security in Reston, VA
• Former lead developer for The Pickens Plan
• Very involved local community member.
What We’ll Discuss
• What is Xdebug?
• Stack Traces
• Cool variable output
• Superglobal display
• Function traces
• Profiling your code
What Is Xdebug?
Xdebug is an extension for PHP that helps improve your applications by providing lots of valuable debugging information.
Xdebug offers three core components:
1. Stack and function traces in error messages.
2. Profiling information about the execution of PHP scripts.
3. Advanced variable output options.
Xdebug For Debugging
Xdebug provides lots of great tools for debugging your scripts.
• Built-in stack traces with lots of information.
• Improved var_dump() function.
Typical PHP Stack Trace
Xdebug Enhanced Stack Trace
Xdebug offers lots of configuration options.
• xdebug.collect_includes (on) - Collect and write the name of include files to the trace log.
• xdebug.collect_params (off) - Collect the parameters passed to functions and write them to the logs.
Xdebug offers lots of configuration options.
• xdebug.collect_vars (off) - Collect the variables in various scopes and write them to the logs.
• xdebug.dump_globals (off) - Dump the superglobal arrays into the stack trace logs.
• 15 total options for configuration. (http://xdebug.com/docs/stack_trace)
Typical PHP var_dump()
var_dump() Viewing Source
Xdebug-enhanced var_dump()
var_dump Configuration Options
• Xdebug’s var_dump() overloads the built-in var_dump() function in PHP. This can be disabled with xdebug.overload_var_dump=0.
var_dump Configuration Options
• xdebug.var_display_max_children (128) Number of children var_dump will display (keys, properties, etc.)
• xdebug.var_display_max_depth (3) How many levels deep Xdebug will display. You should always make this larger.
3 Children vs 25 Children
Viewing Superglobals
• Xdebug contains a built-in superglobal output function.
• If you specify the superglobal using xdebug.dump.* (POST, GET, SESSION, etc.) this feature will output that information.
Viewing Superglobals
• The feature is called by executing xdebug_dump_superglobals().
• It can also be set to be output by default during a stack trace.
Superglobal Output
Viewing ZVals
• XDebug offers the ability to view the zval.
• This is better than the debug_zval_dump() function in PHP.
• xdebug_debug_zval([string varname])
• xdebug_debug_zval_stdout([string varname])
Displaying Zvals
Xdebug For Profiling
I don’t need to profile!
Everyone Should Profile!
Profiling Made Easy: Function Traces
• Function traces are easy to set up and run, and they create plain-text, human-readable files you can review.
• Easy to see the path a script takes to completion.
• Can be done in less than five minutes.
Function Trace
Lots of configuration choices
• Can be configured to run at script execution time through php.ini or .htaccess.
• Can be run for a period of time by calling xdebug_start_trace() and stopped with xdebug_stop_trace().
Function Trace Settings
• xdebug.auto_trace (0) Traces the file automatically on startup. Useful if you use auto_prepend.
• xdebug.collect_includes (1) Collect the names of the files that are included and include them in the trace.
Function Trace Settings
• xdebug.collect_params (0) Collect the values passed (the function trace I showed had this set to 1).
• xdebug.collect_return (0) Collect the returns of various functions. Useful for debugging.
Function Trace Settings
• Twelve total configuration settings.
• Three execution functions.
• More information: http://xdebug.org/docs/execution_trace
Why Use Function Traces?
• Faster to set up than traditional profiling (personal opinion).
• Gives you an immediate outline of an application’s logic.
• See how a variable passes through an application.
True Profiling: Xdebug Profiler
• Xdebug comes with a built-in profiling tool that creates a true profile output that can be visualized in CacheGrind.
• The profiler must be started with an INI setting (either in php.ini or .htaccess).
Execution Visualized
Execution Visualized
Xdebug profiler Options
• xdebug.profiler_enable (0) Enables the profiler. Must be done as an INI setting.
• xdebug.profiler_append (0) Append the file, rather than overwrite it when profiling.
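One way to see which of the data-collecting settings named on these slides are switched on in a given php.ini, shown as an added example that is not part of the original slides or of Xdebug itself. The names `WATCHED`, `parse_ini`, `audit` and the sample ini text are constructed for illustration; the check reads only explicit assignments, so a directive missing from the file keeps Xdebug's built-in default.

```python
import re

# Switches named on the slides that make Xdebug record request data
# (arguments, variables, return values, superglobals) or profile every request.
WATCHED = (
    "xdebug.collect_params", "xdebug.collect_vars", "xdebug.collect_return",
    "xdebug.dump_globals", "xdebug.auto_trace", "xdebug.profiler_enable",
)
OFF_VALUES = {"", "0", "off", "false", "no", "none"}
LINE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {directive: value} from php.ini-style text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop ';' comments (simplification)
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def audit(text):
    """List (directive, value) pairs that switch on data collection."""
    findings = []
    for name, value in parse_ini(text).items():
        enabled = value.lower() not in OFF_VALUES
        if name in WATCHED and enabled:
            findings.append((name, value))
        elif name.startswith("xdebug.dump.") and value:
            findings.append((name, value))   # superglobal keys chosen for dumping
    return findings


SAMPLE_INI = """\
; constructed sample, not taken from the slides
[xdebug]
zend_extension = /usr/lib/php/xdebug.so
xdebug.collect_params = 1      ; function arguments go into traces
xdebug.collect_return = Off
xdebug.dump_globals = On
xdebug.dump.POST = *
xdebug.profiler_enable = 0
xdebug.var_display_max_depth = 10
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE_INI):
        print(f"{name} = {value}")
```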
Other Xdebug Tools
• Code Coverage - Determine how much of your code is actually executed. Useful for unit testing.
• Remote Debugging - Debug scripts remotely. Check with your IDE maker for more.
XDebug Code Coverage
Code Coverage
• Code coverage report shows what lines were executed.
• For better (and graphical) code coverage with your unit tests, try PHPUnit.
How To Reach Me
• Website: www.brandonsavage.net
• Twitter: brandonsavage
• Email: brandon@brandonsavage.net
By the way,
We’re Hiring!
Questions?