Re: About static analyzers on some various projects

2015-09-28 Thread Ehsan Akhgari
On 2015-09-28 3:01 AM, Jörg Knobloch wrote: On 27/09/2015 23:22, Ehsan Akhgari wrote: Thanks! I submitted fixes for a number of these. Great. I saw these bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1208905 https://bugzilla.mozilla.org/show_bug.cgi?id=1208904

Re: About static analyzers on some various projects

2015-09-28 Thread Gregory Szorc
On Sun, Sep 27, 2015 at 10:54 AM, Ehsan Akhgari wrote: > On 2015-09-25 7:35 PM, Robert O'Callahan wrote: > >> On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari > > wrote: >> >> On 2015-09-25 12:01 PM, Justin

Re: About static analyzers on some various projects

2015-09-28 Thread Ehsan Akhgari
On 2015-09-28 2:10 AM, Philip Chee wrote: On 28/09/2015 02:29, Jörg Knobloch wrote: This showed up on the Thunderbird development mailing list: Hi. I want to inform you that Thunderbird was checked by PVS-Studio (static analyzer of C/C++ code). You can find summary of the check here

Re: About static analyzers on some various projects

2015-09-28 Thread Jörg Knobloch
On 27/09/2015 23:22, Ehsan Akhgari wrote: Thanks! I submitted fixes for a number of these. Great. I saw these bugs: https://bugzilla.mozilla.org/show_bug.cgi?id=1208905 https://bugzilla.mozilla.org/show_bug.cgi?id=1208904 https://bugzilla.mozilla.org/show_bug.cgi?id=1208903

Re: About static analyzers on some various projects

2015-09-28 Thread Philip Chee
On 28/09/2015 02:29, Jörg Knobloch wrote: > This showed up on the Thunderbird development mailing list: > > > Hi. > I want to inform you that Thunderbird was checked by PVS-Studio (static > analyzer of C/C++ code). You can find summary of the check here > .

Re: About static analyzers on some various projects

2015-09-27 Thread Ehsan Akhgari
On 2015-09-25 7:35 PM, Robert O'Callahan wrote: On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari > wrote: On 2015-09-25 12:01 PM, Justin Dolske wrote: At Mozilla, it seems like previous discussions on this kind of thing

Re: About static analyzers on some various projects

2015-09-27 Thread Ehsan Akhgari
Thanks! I submitted fixes for a number of these. On 2015-09-27 2:29 PM, Jörg Knobloch wrote: This showed up on the Thunderbird development mailing list: Hi. I want to inform you that Thunderbird was checked by PVS-Studio (static analyzer of C/C++ code). You can find summary of the check

Re: About static analyzers on some various projects

2015-09-26 Thread David Rajchenbach-Teller
That's great work! Fwiw, my personal use case would be to subscribe to be informed (through an RSS feed?) if new errors are detected in specific directories or specific files. Would this be feasible? Also, any chance we could also get Facebook Flow for JS code? Plenty of kudos, David

Re: About static analyzers on some various projects

2015-09-25 Thread Josh Matthews
On 2015-09-25 10:06 AM, Robert O'Callahan wrote: On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari wrote: Our static analysis builds can be easily triggered from the try server (although I have been unable to get anyone interested to fix bug 1116518 to make those builds

Re: About static analyzers on some various projects

2015-09-25 Thread Justin Dolske
On 9/25/15 7:06 AM, Robert O'Callahan wrote: [...]I'm not quite sure what it would take to get those build failures to appear in MozReview but it should be possible. The tricky bit is to determine which failures were introduced by the patch, and just display those, and display them in the

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On Fri, Sep 25, 2015 at 10:06 AM, Robert O'Callahan wrote: > On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari > wrote: > > Our static analysis builds can be easily triggered from the try server >> (although I have been unable to get anyone interested

Re: About static analyzers on some various projects

2015-09-25 Thread Nicholas Nethercote
On Fri, Sep 25, 2015 at 11:46 PM, Ehsan Akhgari wrote: > > Our static analysis builds can be easily triggered from the try server > (although I have been unable to get anyone interested to fix bug 1116518 to > make those builds happen on the try server by default, which

Re: About static analyzers on some various projects

2015-09-25 Thread Robert O'Callahan
On Sat, Sep 26, 2015 at 7:34 AM, Ehsan Akhgari wrote: > On 2015-09-25 12:01 PM, Justin Dolske wrote: > >> At Mozilla, it seems like previous discussions on this kind of thing >> (style and warnings come to mind) have dealt with this at a >> file/directory/module level...

Re: About static analyzers on some various projects

2015-09-25 Thread Ehsan Akhgari
On 2015-09-25 5:35 AM, Sylvestre Ledru wrote: On 24/09/2015 23:29, Ehsan Akhgari wrote: On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: = Static analyzers = For now, we are running: * Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service

Re: About static analyzers on some various projects

2015-09-25 Thread Sylvestre Ledru
On 24/09/2015 23:29, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: >> = Static analyzers = >> For now, we are running: >> * Coverity, a proprietary tool with a great (but slow) web interface. As >> Firefox is Free software, the service is provided for free >> but with a

Re: About static analyzers on some various projects

2015-09-25 Thread Robert O'Callahan
On Sat, Sep 26, 2015 at 1:46 AM, Ehsan Akhgari wrote: > Our static analysis builds can be easily triggered from the try server > (although I have been unable to get anyone interested to fix bug 1116518 to > make those builds happen on the try server by default, which

Re: About static analyzers on some various projects

2015-09-25 Thread Gregory Szorc
On Fri, Sep 25, 2015 at 12:19 AM, Robert O'Callahan wrote: > On Fri, Sep 25, 2015 at 5:41 AM, Sylvestre Ledru > wrote: > > > Any questions, comments? > > > > This whitepaper on Infer is an interesting read: > >

About static analyzers on some various projects

2015-09-24 Thread Sylvestre Ledru
Hello, An update on the various static analyzers that we are running on the Firefox, Fennec, NSS, NSPR and Thunderbird code. Warning: these tools are not Silver bullets. Due to their nature, they are going to generate false positives. However, they do find some important and critical issues

Re: About static analyzers on some various projects

2015-09-24 Thread Robert O'Callahan
Why not make scan-builds and infer results public? Those are public tools so we should assume black-hats already have the results. Rob

Re: About static analyzers on some various projects

2015-09-24 Thread Andrew McCreight
On Thu, Sep 24, 2015 at 4:23 PM, Nicholas Nethercote wrote: > On Thu, Sep 24, 2015 at 2:29 PM, Ehsan Akhgari > wrote: > > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: > >> > >> * Coverity, a proprietary tool with a great (but slow) web

Re: About static analyzers on some various projects

2015-09-24 Thread Nicholas Nethercote
On Thu, Sep 24, 2015 at 2:29 PM, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: >> >> * Coverity, a proprietary tool with a great (but slow) web interface. > > Does anybody look at these regularly? I would be interested to know if they > produce

Re: About static analyzers on some various projects

2015-09-24 Thread Ehsan Akhgari
On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: = Static analyzers = For now, we are running: * Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service is provided for free but with a restriction in terms of the number of builds. Now, the analysis is

Re: About static analyzers on some various projects

2015-09-24 Thread Jean-Yves Avenard
On Friday, September 25, 2015 at 7:29:19 AM UTC+10, Ehsan Akhgari wrote: > On 2015-09-24 1:41 PM, Sylvestre Ledru wrote: > > = Static analyzers = > > For now, we are running: > > * Coverity, a proprietary tool with a great (but slow) web interface. As > > Firefox is Free software, the service is

Re: About static analyzers on some various projects

2015-09-24 Thread Robert O'Callahan
On Fri, Sep 25, 2015 at 5:41 AM, Sylvestre Ledru wrote: > Any questions, comments? > This whitepaper on Infer is an interesting read: