On 2015-09-24 1:41 PM, Sylvestre Ledru wrote:
= Static analyzers =
For now, we are running:
* Coverity, a proprietary tool with a great (but slow) web interface. As Firefox is Free software, the service is provided for free but with a restriction in terms of the number of builds. Now, the analysis is launched once a week on Monday. Supports C, C++ & Java. A few improvements will be made to silence some of the defects.
Does anybody look at these regularly? I would be interested to know if they produce high quality results these days. My past experience with Coverity has been that it's full of false positives.
* scan-build (aka clang-analyzer), a static analyzer integrated into Clang. This tool is executed every day. Supports C & C++. The main issue with scan-build is that there is no history management and it is not really possible to ignore false positives. Ericsson started to work on a new (Python) tool based on clang-analyzer called Code Checker - https://github.com/Ericsson/codechecker to address that.
FWIW I am planning to stand this up for us at some point (hopefully soon.)
== Infer ==
Firefox (just C code): https://people.mozilla.org/~sledru/reports/firefox-infer/bugs.txt
Fennec (Java code): https://people.mozilla.org/~sledru/reports/fennec-infer/bugs.txt
Neat! I did not know about this one. Has anyone looked at the results?