Hello,

An update on the various static analyzers that we are running on the Firefox, Fennec, NSS, NSPR and Thunderbird code.

Warning: these tools are not silver bullets. Due to their nature, they are going to generate false positives. However, they do find some important and critical issues early in the cycle.

= Static analyzers =

For now, we are running:

* Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service is provided for free but with a restriction in terms of number of builds. Now, the analysis is launched once a week on Monday. Supports C, C++ & Java. A few improvements will be made to silence some of the defects.

* scan-build (aka clang-analyzer), a static analyzer integrated into Clang. This tool is executed every day. Supports C & C++. The main issue with scan-build is that there is no history management and it is not really possible to ignore false positives. Ericsson started to work on a new (Python) tool based on clang-analyzer called Code Checker - https://github.com/Ericsson/codechecker to address that.

* infer, the brand new OCaml-based and Clang static analyzer developed by Facebook. Run every day. For now, supports C, Java and Objective-C. Mostly developed for their needs for mobile apps. I have been discussing with the developers on this.

= About the reports =

== Coverity ==

To see the Coverity reports, an account is needed and a Coverity admin (Dan Veditz or I) will have to approve the application. Only @mozilla.{com,org} email addresses will be accepted.

https://scan.coverity.com/projects/firefox
https://scan.coverity.com/projects/firefox-mobile - I don't trust the Coverity results for Fennec yet. I think many Java files have not been processed. I asked for help from the editor of this software and on their forum ( https://communities.coverity.com/thread/3442 ) but no news.

== Scan-builds ==

Scan-build reports are limited to Mozilla employees. Persona authentication is used to log in.

Firefox: https://people.mozilla.org/~sledru/reports/fx-scan-build/
Thunderbird: https://people.mozilla.org/~sledru/reports/tb-scan-build/
NSS: https://people.mozilla.org/~sledru/reports/nss-scan-build/
NSPR: https://people.mozilla.org/~sledru/reports/nspr-scan-build/

== Infer ==

Firefox (just C code): https://people.mozilla.org/~sledru/reports/firefox-infer/bugs.txt
Fennec (Java code): https://people.mozilla.org/~sledru/reports/fennec-infer/bugs.txt

= Future =

As a goal, I would like to see that integrated into our workflows.

Any questions, comments?

Technically, the jobs are managed by a Jenkins instance: http://relman-ci.mozilla.org/ - sources can be found here: https://github.com/sylvestre/relman-ci

Sylvestre

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
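The message names the two gaps in daily scan-build runs: no history between runs and no way to suppress triaged false positives. The following added example (not part of this message, the relman-ci repository or CodeChecker) shows the minimum a wrapper needs to close both gaps: it reads two consecutive `scan-build -plist` reports, keys findings on (file, checker, message) rather than line number so that unrelated edits do not resurface old findings, drops a suppression list, and classifies the rest as new, persisting or fixed. The plist key names (`files`, `diagnostics`, `check_name`, `description`, `location`) are assumed from clang's plist output; the file paths and diagnostics are constructed samples.

```python
import plistlib
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (file, checker, description)


def make_plist(files: List[str], diags: List[dict]) -> bytes:
    """Serialise a report in the layout scan-build -plist writes to disk
    (key names assumed from clang's plist output)."""
    return plistlib.dumps({"files": files, "diagnostics": diags})


def diag(file_idx: int, checker: str, desc: str, line: int) -> dict:
    return {"check_name": checker, "description": desc,
            "location": {"file": file_idx, "line": line, "col": 1}}


# Constructed sample runs: Monday's and Tuesday's reports for two files.
SOURCES = ["dom/base/nsDocument.cpp", "netwerk/base/nsSocket.cpp"]
MONDAY = make_plist(SOURCES, [
    diag(0, "deadcode.DeadStores", "Value stored to 'rv' is never read", 120),
    diag(0, "core.NullDereference", "Dereference of null pointer", 300),
    diag(1, "unix.Malloc", "Potential leak of memory pointed to by 'buf'", 42),
])
TUESDAY = make_plist(SOURCES, [
    diag(0, "deadcode.DeadStores", "Value stored to 'rv' is never read", 131),  # shifted
    diag(1, "unix.Malloc", "Potential leak of memory pointed to by 'buf'", 42),
    diag(1, "core.uninitialized.Assign", "Assigned value is garbage or undefined", 77),
])

# Triaged false positives. Line numbers are deliberately not part of the key,
# so an edit elsewhere in the file does not invalidate the suppression.
SUPPRESSED: Set[Finding] = {
    ("dom/base/nsDocument.cpp", "deadcode.DeadStores", "Value stored to 'rv' is never read"),
}


def load_findings(report: bytes) -> Set[Finding]:
    """Parse one plist report into line-independent finding keys."""
    data = plistlib.loads(report)
    files = data["files"]
    return {(files[d["location"]["file"]], d["check_name"], d["description"])
            for d in data["diagnostics"]}


def triage(previous: bytes, current: bytes, suppressed: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Classify the current run against the previous one, minus suppressions."""
    old = load_findings(previous) - suppressed
    new = load_findings(current) - suppressed
    return {"new": new - old, "persisting": new & old, "fixed": old - new}
```

Keying on message text merges identical diagnostics within one file, so a second instance of the same defect in the same file is not reported as new; a wrapper that needs that precision can add the enclosing function name to the key.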