Static Analysis

Current Status

  • Custom static analyses: We have a clang plugin with a number of Gecko-specific checks. There's terse documentation on the attributes we use to drive some of the checks here. Some checks are just good hygiene (e.g. MOZ_IMPLICIT), some checks exist to help you do the right thing (e.g. MOZ_MUST_OVERRIDE, MOZ_RAII, MOZ_MUST_USE), and some checks exist to prevent security bugs (e.g. MOZ_NON_MEMMOVABLE and related attributes). The checker currently runs on every push we do, on Windows, Mac, and Linux.
  • Coverity: Executed at review phase for every patch.
  • Compiler warnings: all of our compilers have a number of warnings. We try to turn on as many as we can, and make warnings on most Mozilla code fatal, i.e. your build will fail if the compiler warns. We generally turn off fatal warnings for third-party code, and sometimes attempt to get fixes for the warnings pushed upstream.