Slack Open Sources Hakana, a Type Checker for Hack Language

Aditya Kulkarni

Article originally posted on InfoQ.

Slack has recently open-sourced its type checker, Hakana. Based on Psalm and written in Rust, Hakana’s main objective is to enforce good code quality. Hakana can also perform security analysis.

Matt Brown, Senior Staff Engineer at Slack, made the announcement in a blog post. Type safety refers to the extent to which language tools can help prevent type errors when code executes in a production environment. Following Slack’s migration from PHP to Hack, it became necessary to use a more rigorous type checker than the default PHP type checkers. To address this need, Slack started developing Hakana internally last year.

Hakana, currently used in Slack, helps to prevent unused functions and private methods, and also prevents unused assignments within closures. It can detect both impossible and redundant type checks, warn the team about potential SQL injection attacks and cross-site scripting vulnerabilities, and prevent misuse of internal Slack APIs.

Using the security analysis provided by Psalm as a foundation, Hakana analyzes how data moves between functions in a codebase and verifies whether attacker-controlled data can appear in undesired places. Hakana’s security analysis uses interprocedural analysis, which enables detecting SQL injection by examining types at function boundaries.
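The idea of following attacker-controlled data across function boundaries can be sketched as reachability over a data-flow graph. The Rust code below is an added example, not Hakana's or Psalm's implementation; the node names, the sample graph and the functions sample_edges and find_taint_path are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

type Node = &'static str;

// Constructed data-flow graph for a hypothetical program (all names are assumptions).
// Edge (a, b): data flows from a to b; argument -> parameter and return -> caller
// edges cross function boundaries, which is what makes the analysis interprocedural.
pub fn sample_edges() -> Vec<(Node, Node)> {
    vec![
        ("request_param", "get_name#return"),
        ("get_name#return", "handler:$name"),
        ("handler:$name", "find_user#param1"),
        ("find_user#param1", "db_query#param1"), // SQL sink
        ("handler:$name", "escape_html#param1"),
        ("escape_html#param1", "escape_html#return"), // sanitizer output
        ("escape_html#return", "echo#param1"), // HTML sink
    ]
}

// Breadth-first search from `source`. Returns the shortest path to a sink that
// does not pass through a sanitizer node, or None when no such path exists.
pub fn find_taint_path(
    edges: &[(Node, Node)], source: Node, sinks: &HashSet<Node>, sanitizers: &HashSet<Node>,
) -> Option<Vec<Node>> {
    let mut adj: HashMap<Node, Vec<Node>> = HashMap::new();
    for (from, to) in edges { adj.entry(*from).or_default().push(*to); }
    let mut parent: HashMap<Node, Node> = HashMap::new();
    let mut seen: HashSet<Node> = HashSet::from([source]);
    let mut queue = VecDeque::from([source]);
    while let Some(node) = queue.pop_front() {
        if sinks.contains(node) {
            // Walk the parent links back to the source to report the full flow.
            let mut path = vec![node];
            while let Some(prev) = parent.get(path[path.len() - 1]) { path.push(*prev); }
            path.reverse();
            return Some(path);
        }
        if sanitizers.contains(node) { continue; } // taint stops here
        for next in adj.get(node).into_iter().flatten() {
            if seen.insert(*next) { parent.insert(*next, node); queue.push_back(*next); }
        }
    }
    None
}

fn main() {
    let sinks = HashSet::from(["db_query#param1", "echo#param1"]);
    let sanitizers = HashSet::from(["escape_html#return"]);
    println!("{:?}", find_taint_path(&sample_edges(), "request_param", &sinks, &sanitizers));
}
```

The reported path is what a reviewer needs to fix the finding: it names every function boundary the untrusted value crossed on its way to the query.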

The tech community on Reddit took notice of this announcement. Brown interacted with Reddit users through this post (Reddit user muglug in the comments), shedding some light on the decision to continue with Hack and answering some questions related to the pace of development.

As an aside, the Zend 2023 PHP Landscape Report highlighted that 46% of respondents deployed their PHP applications on AWS, with on-premises deployments dipping by over 10% year-on-year. The survey also showed that during the survey period (October to December 2022), PHP 7.4 was the most used PHP version. PHP 7.4 reached end-of-life in November 2022.

In terms of performance, Hakana runs five times faster than Psalm. Such performance is desirable at Slack, where the codebase size is about 5 million lines of code. Brown also mentioned that Hakana can be extended with plugins. As an example, Slack employs a customized plugin to inform Hakana that a method invocation on their internal Result object, $some_result->is_ok(), is similar to the more elaborate $some_result is ResultSuccess type check.

Brown acknowledged that while very few organizations use the Hack language, open-sourcing Hakana may prove valuable to the broader programming language community. Since Hakana was built on the foundation of Psalm, making it open source can be considered a way of returning the favor to the community.
