This sounds interesting!

But it's not analyzing patches that are not using MozReview. Will those
patches be analyzed after landing?

Nick

On Wed, Oct 4, 2017 at 6:17 PM, Jan Keromnes <j...@mozilla.com> wrote:

> TL;DR -- We wrote a static analysis bot for MozReview ("clangbot") and it's
> about to complain about any patches that would introduce new C/C++ code
> defects to Firefox.
>
> Please report any bugs with the bot here: https://bit.ly/2y9N9Vx
>
> In an effort to improve the quality of Firefox, we want to catch
> programming errors *before* they even make it into Nightly. To do this, we
> created a TaskCluster bot that runs clang static analysis on every patch
> submitted to MozReview. It then quickly reports any code defects directly
> on MozReview, thus preventing bad patches from landing until all their
> defects are fixed. Currently, its feedback is posted in about 10 minutes
> after a patch series is published on MozReview.
>
> Here is an example of an automated clangbot review:
> https://reviewboard.mozilla.org/r/171868/#review190602
>
> Our bot relies on three types of clang checkers:
>
> - Mozilla specific checkers
> <https://hg.mozilla.org/mozilla-central/file/tip/build/clang-plugin/>.
> They detect incorrect Gecko programming patterns which could lead to bugs
> or security issues.
>
> - Clang-tidy checkers
> <https://clang.llvm.org/extra/clang-tidy/checks/list.html>. They aim to
> suggest better programming practices and to improve memory efficiency and
> performance.
>
> - Clang-analyzer checkers
> <https://clang-analyzer.llvm.org/available_checks.html>. These checks are
> more advanced, for example some of them can detect dead code or memory
> leaks, but as a typical side effect they have false positives. Because of
> that, we have disabled them for now, but will enable some of them in the
> near future.
>
> The checkers that are currently enabled rarely generate false positives,
> and you can find the complete list of enabled checkers
> <https://hg.mozilla.org/mozilla-central/file/tip/tools/clang-tidy/config.yaml>
> in the tree. You can also run them on your own code with:
>
> > ./mach static-analysis check path/to/file.cpp
>
> This is only the first step. Next, we would like to catch more classes of
> programming errors.
>
> - If you know incorrect Gecko programming patterns which could be detected
> by static analysis, please send an email to release-m...@mozilla.com or
> report a bug in the Rewriting and Analysis
> <https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Rewriting%20and%20Analysis>
> component.
>
> - In parallel, if you see any additional clang-tidy checkers
> <https://clang.llvm.org/extra/clang-tidy/checks/list.html> which could be
> valuable for our code base if enabled, please let us know so that we can
> evaluate them.
>
> - Finally, we are looking into posting reviews to Phabricator in the near
> future as well.
>
> Feedback, questions or suggestions welcome.
>
> Thanks!
>
> Andi, Bastien, Jan and Sylvestre
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>