On 2015-09-25 5:35 AM, Sylvestre Ledru wrote:
On 24/09/2015 23:29, Ehsan Akhgari wrote:
On 2015-09-24 1:41 PM, Sylvestre Ledru wrote:
= Static analyzers =
For now, we are running:
* Coverity, a proprietary tool with a great (but slow) web interface. As
Firefox is Free software, the service is provided for free
but with a restriction in terms of the number of builds. Now, the analysis is
launched once a week on Monday. Supports C, C++ & Java.
A few improvements will be made to silence some of the defects.
Does anybody look at these regularly?
I am looking at the weekly reports. I am reporting the issue I can confirm.
However, to be honest, I am not technically able to analyze every one of them.
I am also tagging false positive to keep a clean database.
FYI, at some point, we might have someone to help on this full time.
That would be nice, although I'm not sure if we need one full time
position just for this purpose! But having someone who tracks these
issues is definitely good.
I would be interested to know if they produce high quality results these days.
My past experience with Coverity has been that it's full of false positives.
Several answers:
* I think the results are still pretty much the same
* false positives can be silenced. This is work to be done either in our code
(you reviewed some of my patches for this in the past)
or in coverity
* some checkers have a small false positive ratio, some others a higher one.
Yeah. My point was that if we find out that for example codechecker
gives us higher quality results, we should focus on that more.
* scan-build (aka clang-analyzer), a static analyzer integrated into
Clang. This tool is executed every day. Supports C & C++.
The main issue with scan-build is that there is no history management and
it is not really possible to ignore false positives.
Ericsson started to work on a new (Python) tool based on clang-analyzer
called Code Checker - https://github.com/Ericsson/codechecker
to address that.
FWIW I am planning to stand this up for us at some point (hopefully soon.)
Could you share some details? I am in the process of deploying Code Checker.
I haven't started any actual work yet, that was on my list. If you're
in the process of doing this, I will eagerly wait. :-) Is there a bug
# or something else that I can use to keep track of this work? (And
thanks for making it happen!)
== Infer ==
Firefox (just C code):
https://people.mozilla.org/~sledru/reports/firefox-infer/bugs.txt
Fennec (Java code):
https://people.mozilla.org/~sledru/reports/fennec-infer/bugs.txt
Neat! I did not know about this one. Has anyone looked at the results?
This bug https://bugzilla.mozilla.org/show_bug.cgi?id=1175203 has been reported
but there has been no activity.
Those are Java issues which should probably be discussed more with the
Android team. After having a cursory look over a few of the C++ ones,
most looked like false positives (the leak in
xpcom/tests/TestJemalloc.cpp was real but that's a test...)
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform