TL;DR -- We wrote a static analysis bot for MozReview ("clangbot") and it's about to complain about any patches that would introduce new C/C++ code defects to Firefox.
Please report any bugs with the bot here: https://bit.ly/2y9N9Vx

In an effort to improve the quality of Firefox, we want to catch programming errors *before* they even make it into Nightly.

To do this, we created a TaskCluster bot that runs clang static analysis on every patch submitted to MozReview. It then quickly reports any code defects directly on MozReview, thus preventing bad patches from landing until all their defects are fixed. Currently, its feedback is posted in about 10 minutes after a patch series is published on MozReview.

Here is an example of an automated clangbot review: https://reviewboard.mozilla.org/r/171868/#review190602

Our bot relies on three types of clang checkers:

- Mozilla specific checkers <https://hg.mozilla.org/mozilla-central/file/tip/build/clang-plugin/>. They detect incorrect Gecko programming patterns which could lead to bugs or security issues.
- Clang-tidy checkers <https://clang.llvm.org/extra/clang-tidy/checks/list.html>. They aim to suggest better programming practices and to improve memory efficiency and performance.
- Clang-analyzer checkers <https://clang-analyzer.llvm.org/available_checks.html>. These checks are more advanced, for example some of them can detect dead code or memory leaks, but as a typical side effect they have false positives. Because of that, we have disabled them for now, but will enable some of them in the near future.

The checkers that are currently enabled rarely generate false positives, and you can find the complete list of enabled checkers <https://hg.mozilla.org/mozilla-central/file/tip/tools/clang-tidy/config.yaml> in the tree. You can also run them on your own code with:

> ./mach static-analysis check path/to/file.cpp

This is only the first step. Next, we would like to catch more classes of programming errors.

- If you know incorrect Gecko programming patterns which could be detected by static analysis, please send an email to release-m...@mozilla.com or report a bug in the Rewriting and Analysis <https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Rewriting%20and%20Analysis> component.
- In parallel, if you see any additional clang-tidy checkers <https://clang.llvm.org/extra/clang-tidy/checks/list.html> which could be valuable for our code base if enabled, please let us know so that we can evaluate them.
- Finally, we are looking into posting reviews to Phabricator in the near future as well.

Feedback, questions or suggestions welcome.

Thanks!
Andi, Bastien, Jan and Sylvestre

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
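
The announcement says the bot complains about defects a patch would introduce. One way to do that filtering, given here as an added example that is not clangbot's own code: keep only the analyzer diagnostics that fall on lines the patch adds. The function names, the sample patch, the file path and the `example-check` name are constructed for illustration, and the approach itself is an assumption about how such a filter could work.

```python
import re
from collections import defaultdict
# Constructed git-style patch (not a real Firefox change).
SAMPLE_PATCH = """\
diff --git a/dom/example/Widget.cpp b/dom/example/Widget.cpp
--- a/dom/example/Widget.cpp
+++ b/dom/example/Widget.cpp
@@ -10,2 +10,4 @@ void Widget::Init()
   mReady = false;
+  char* buf = static_cast<char*>(malloc(16));
+  if (buf == 0) return;
   Start();
"""
# Constructed analyzer output in clang's "path:line:col: severity: message [check]" form.
SAMPLE_OUTPUT = """\
dom/example/Widget.cpp:12:14: warning: use nullptr [modernize-use-nullptr]
dom/example/Widget.cpp:13:3: warning: constructed finding on an untouched line [example-check]
"""
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
DIAG_RE = re.compile(r"^(?P<path>[^:\n]+):(?P<line>\d+):\d+: (?:warning|error): "
                     r"(?P<msg>.*?)(?: \[(?P<check>[^\]]+)\])?$")

def added_lines(patch):
    """Map each file to the new-side line numbers that the patch adds."""
    added = defaultdict(set)
    path, lineno, in_hunk = None, 0, False
    for line in patch.splitlines():
        if line.startswith("diff "):            # next file: leave the previous hunk
            path, in_hunk = None, False
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].split("\t")[0].removeprefix("b/")
        elif (m := HUNK_RE.match(line)):
            lineno, in_hunk = int(m.group(1)), True
        elif in_hunk and path:
            if line.startswith("+"):
                added[path].add(lineno)
                lineno += 1
            elif not line.startswith(("-", "\\")):
                lineno += 1                      # context line exists on the new side too
    return added

def new_defects(patch, analyzer_output):
    """Keep only diagnostics on lines the patch adds (assumes repo-relative paths)."""
    added = added_lines(patch)
    matches = (DIAG_RE.match(raw) for raw in analyzer_output.splitlines())
    return [(m["path"], int(m["line"]), m["check"], m["msg"]) for m in matches
            if m and int(m["line"]) in added.get(m["path"], ())]
```

Filtering by added lines misses defects that a change causes in untouched code, so it complements a full-tree analysis rather than replacing one.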