Re: About static analyzers on some various projects

2015-09-28 Thread Ehsan Akhgari
On 2015-09-28 2:10 AM, Philip Chee wrote: On 28/09/2015 02:29, Jörg Knobloch wrote: This showed up on the Thunderbird development mailing list: Hi. I want to inform you that Thunderbird was checked by PVS-Studio (static analyzer of C/C++ code). You can find summary of the check here

Re: About static analyzers on some various projects

2015-09-28 Thread Jörg Knobloch
On 28/09/2015 09:01, Jörg Knobloch wrote: How about this one? http://mxr.mozilla.org/mozilla-central/source/widget/windows/nsNativeThemeWin.cpp#924 That's https://bugzilla.mozilla.org/show_bug.cgi?id=1208906 Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=710966 So it's all goo

Re: About static analyzers on some various projects

2015-09-28 Thread Ehsan Akhgari
On 2015-09-28 3:01 AM, Jörg Knobloch wrote: On 27/09/2015 23:22, Ehsan Akhgari wrote: Thanks! I submitted fixes for a number of these. Great. I saw these bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1208905 https://bugzilla.mozilla.org/show_bug.cgi?id=1208904 https://bugzilla.mozilla.org

Re: About static analyzers on some various projects

2015-09-28 Thread Gregory Szorc
On Sun, Sep 27, 2015 at 10:54 AM, Ehsan Akhgari wrote: > On 2015-09-25 7:35 PM, Robert O'Callahan wrote: > >> On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari > > wrote: >> >> On 2015-09-25 12:01 PM, Justin Dolske wrote: >> >> At Mozilla, it seems like pr

Re: About static analyzers on some various projects

2015-09-28 Thread Jörg Knobloch
On 27/09/2015 23:22, Ehsan Akhgari wrote: Thanks! I submitted fixes for a number of these. Great. I saw these bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1208905 https://bugzilla.mozilla.org/show_bug.cgi?id=1208904 https://bugzilla.mozilla.org/show_bug.cgi?id=1208903 https://bugzilla.moz

Re: About static analyzers on some various projects

2015-09-27 Thread Philip Chee
On 28/09/2015 02:29, Jörg Knobloch wrote: > This showed up on the Thunderbird development mailing list: > > > Hi. > I want to inform you that Thunderbird was checked by PVS-Studio (static > analyzer of C/C++ code). You can find summary of the check here > . T

Re: About static analyzers on some various projects

2015-09-27 Thread Ehsan Akhgari
Thanks! I submitted fixes for a number of these. On 2015-09-27 2:29 PM, Jörg Knobloch wrote: This showed up on the Thunderbird development mailing list: Hi. I want to inform you that Thunderbird was checked by PVS-Studio (static analyzer of C/C++ code). You can find summary of the check h

Re: About static analyzers on some various projects

2015-09-27 Thread Jörg Knobloch
This showed up on the Thunderbird development mailing list: Hi. I want to inform you that Thunderbird was checked by PVS-Studio (static analyzer of C/C++ code). You can find summary of the check here . There is one false alarm as well as author's mistake (ge

Re: About static analyzers on some various projects

2015-09-27 Thread Ehsan Akhgari
On 2015-09-25 7:35 PM, Robert O'Callahan wrote: On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari wrote: On 2015-09-25 12:01 PM, Justin Dolske wrote: At Mozilla, it seems like previous discussions on this kind of thing (style and warnings come t

Re: About static analyzers on some various projects

2015-09-26 Thread David Rajchenbach-Teller
That's great work! Fwiw, my personal use case would be to subscribe to be informed (through an RSS feed?) if new errors are detected in specific directories or specific files. Would this be feasible? Also, any chance we could also get Facebook Flow for JS code? Plenty of kudos, David

Re: About static analyzers on some various projects

2015-09-25 Thread Robert O'Callahan
On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari wrote: > On 2015-09-25 12:01 PM, Justin Dolske wrote: > >> At Mozilla, it seems like previous discussions on this kind of thing >> (style and warnings come to mind) have dealt with this at a >> file/directory/module level... Someone fixes up a thing

Re: About static analyzers on some various projects

2015-09-25 Thread Nicholas Nethercote
On Fri, Sep 25, 2015 at 11:46 PM, Ehsan Akhgari wrote: > > Our static analysis builds can be easily triggered from the try server > (although I have been unable to get anyone interested to fix bug 1116518 to > make those builds happen on the try server by default, which makes it all > too easy for

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On 2015-09-25 12:01 PM, Justin Dolske wrote: On 9/25/15 7:06 AM, Robert O'Callahan wrote: [...]I'm not quite sure what it would take to get those build failures to appear in MozReview but it should be possible. The tricky bit is to determine which failures were introduced by the patch, and j

Re: About static analyzers on some various projects

2015-09-25 Thread Justin Dolske
On 9/25/15 7:06 AM, Robert O'Callahan wrote: [...]I'm not quite sure what it would take to get those build failures to appear in MozReview but it should be possible. The tricky bit is to determine which failures were introduced by the patch, and just display those, and display them in the con

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On Fri, Sep 25, 2015 at 10:46 AM, Josh Matthews wrote: > On 2015-09-25 10:06 AM, Robert O'Callahan wrote: > >> On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari >> wrote: >> >> Our static analysis builds can be easily triggered from the try server >>> (although I have been unable to get anyone inte

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On Fri, Sep 25, 2015 at 10:06 AM, Robert O'Callahan wrote: > On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari > wrote: > > Our static analysis builds can be easily triggered from the try server >> (although I have been unable to get anyone interested to fix bug 1116518 to >> make those builds happ

Re: About static analyzers on some various projects

2015-09-25 Thread Josh Matthews
On 2015-09-25 10:06 AM, Robert O'Callahan wrote: On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari wrote: Our static analysis builds can be easily triggered from the try server (although I have been unable to get anyone interested to fix bug 1116518 to make those builds happen on the try server b

Re: About static analyzers on some various projects

2015-09-25 Thread Gregory Szorc
On Fri, Sep 25, 2015 at 12:19 AM, Robert O'Callahan wrote: > On Fri, Sep 25, 2015 at 5:41 AM, Sylvestre Ledru > wrote: > > > Any questions, comments? > > > > This whitepaper on Infer is an interesting read: > > https://fbcdn-dragon-a.akamaihd.net/hphotos-ak-xap1/t39.2365-6/10935986_9852840081636

Re: About static analyzers on some various projects

2015-09-25 Thread Robert O'Callahan
On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari wrote: > Our static analysis builds can be easily triggered from the try server > (although I have been unable to get anyone interested to fix bug 1116518 to > make those builds happen on the try server by default, which makes it all > too easy for p

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On 2015-09-25 12:19 AM, Robert O'Callahan wrote: On Fri, Sep 25, 2015 at 5:41 AM, Sylvestre Ledru wrote: Any questions, comments? This whitepaper on Infer is an interesting read: https://fbcdn-dragon-a.akamaihd.net/hphotos-ak-xap1/t39.2365-6/10935986_985284008163608_74391_n/Moving_Fast_

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On 2015-09-25 5:35 AM, Sylvestre Ledru wrote: On 24/09/2015 23:29, Ehsan Akhgari wrote: On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: = Static analyzers = For now, we are running: * Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service i

Re: About static analyzers on some various projects

2015-09-25 Thread Sylvestre Ledru
On 25/09/2015 01:05, Robert O'Callahan wrote: > Why not make scan-builds and infer results public? Those are public tools so > we should assume black-hats already have the results. > > When I presented these results on the sec ml a while back, I have been asked to hide them because they show p

Re: About static analyzers on some various projects

2015-09-25 Thread Sylvestre Ledru
On 24/09/2015 23:29, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: >> = Static analyzers = >> For now, we are running: >> * Coverity, a proprietary tool with a great (but slow) web interface. As >> Firefox is Free software, the service is provided for free >> but with a re

Re: About static analyzers on some various projects

2015-09-24 Thread Robert O'Callahan
On Fri, Sep 25, 2015 at 5:41 AM, Sylvestre Ledru wrote: > Any questions, comments? > This whitepaper on Infer is an interesting read: https://fbcdn-dragon-a.akamaihd.net/hphotos-ak-xap1/t39.2365-6/10935986_985284008163608_74391_n/Moving_Fast_with_Software_Verification.pdf (misleading title t

Re: About static analyzers on some various projects

2015-09-24 Thread Jean-Yves Avenard
On Friday, September 25, 2015 at 7:29:19 AM UTC+10, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: > > = Static analyzers = > > For now, we are running: > > * Coverity, a proprietary tool with a great (but slow) web interface. As > > Firefox is Free software, the service is pr

Re: About static analyzers on some various projects

2015-09-24 Thread Andrew McCreight
On Thu, Sep 24, 2015 at 4:23 PM, Nicholas Nethercote wrote: > On Thu, Sep 24, 2015 at 2:29 PM, Ehsan Akhgari > wrote: > > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: > >> > >> * Coverity, a proprietary tool with a great (but slow) web interface. > > > > Does anybody look at these regularly? I

Re: About static analyzers on some various projects

2015-09-24 Thread Nicholas Nethercote
On Thu, Sep 24, 2015 at 2:29 PM, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: >> >> * Coverity, a proprietary tool with a great (but slow) web interface. > > Does anybody look at these regularly? I would be interested to know if they > produce high quality results these da

Re: About static analyzers on some various projects

2015-09-24 Thread Robert O'Callahan
Why not make scan-builds and infer results public? Those are public tools so we should assume black-hats already have the results. Rob -- lbir ye,ea yer.tnietoehr rdn rdsme,anea lurpr edna e hnysnenh hhe uresyf toD selthor stor edna siewaoeodm or v sstvr esBa kbvted,t rdsme,aoreseoouoto o

Re: About static analyzers on some various projects

2015-09-24 Thread Ehsan Akhgari
On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: = Static analyzers = For now, we are running: * Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service is provided for free but with a restriction in terms of number of builds. Now, the analysis is l