TL;DR -- We wrote a static analysis bot for MozReview ("clangbot") and it's
about to complain about any patches that would introduce new C/C++ code
defects to Firefox.
Please report any bugs with the bot here:
https://bit.ly/2y9N9Vx
In an effort to improve the quality of Firefox, we want to catch
programming errors *before* they even make it into Nightly. To do this, we
created a TaskCluster bot that runs clang static analysis on every patch
submitted to MozReview. It then quickly reports any code defects directly
on MozReview, thus preventing bad patches from landing until all their
defects are fixed. Currently, its feedback is posted in about 10 minutes
after a patch series is published on MozReview.
Here is an example of an automated clangbot review:
https://reviewboard.mozilla.org/r/171868/#review190602
Our bot relies on three types of clang checkers:
- Mozilla specific checkers
<
https://hg.mozilla.org/mozilla-central/file/tip/build/clang-plugin/>. They
detect incorrect Gecko programming patterns which could lead to bugs or
security issues.
- Clang-tidy checkers
<
https://clang.llvm.org/extra/clang-tidy/checks/list.html>. They aim to
suggest better programming practices and to improve memory efficiency and
performance.
- Clang-analyzer checkers
<
https://clang-analyzer.llvm.org/available_checks.html>. These checks are
more advanced, for example some of them can detect dead code or memory
leaks, but as a typical side effect they have false positives. Because of
that, we have disabled them for now, but will enable some of them in the
near future.
The checkers that are currently enabled rarely generate false positives,
and you can find the complete list of enabled checkers
<
https://hg.mozilla.org/mozilla-central/file/tip/tools/clang-tidy/config.yaml>
in the tree. You can also run them on your own code with:
> ./mach static-analysis check path/to/file.cpp
This is only the first step. Next, we would like to catch more classes of
programming errors.
- If you know incorrect Gecko programming patterns which could be detected
by static analysis, please send an email to
releas...@mozilla.com or
report a bug in the Rewriting and Analysis
<
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Rewriting%20and%20Analysis>
component.
- In parallel, if you see any additional clang-tidy checkers
<
https://clang.llvm.org/extra/clang-tidy/checks/list.html> which could be
valuable for our code base if enabled, please let us know so that we can
evaluate them.
- Finally, we are looking into posting reviews to Phabricator in the near
future as well.
Feedback, questions or suggestions welcome.
Thanks!
Andi, Bastien, Jan and Sylvestre