Static Analysis

From MozillaWiki

Mozilla Static analysis mailing list, also available as the m.d.static-analysis newsgroup.

Applications for static analysis tools for Mozilla 2:

  • Develop code rewriting Pork tools.
  • Develop static analysis DXR tool, then:
    • Clean up uses of obsolete API (see Gecko:Obsolete API).
    • Automatically identify unused or hardly-used code.
    • Ownership analysis:
      • Strong/weak pointers.
      • Optional annotations for strong vs. weak pointer.
      • Finding raw pointers that should be weak or strong.
      • Static cycle detection.
      • Static reference-counting elimination.
    • "Who can point to" analysis.
  • Auto-generate traverse and unlink methods for the Cycle Collector
    • Oink finds outgoing pointers, generates iterators.
  • Check and enforce exception safety.
    • Find stack pointers to malloc'ed temporary hazards.
    • Refactoring opportunities arising from exceptions.
  • Control flow analysis
    • Find lock/unlock pairs that need try-catch.
    • A CUTE "plusplus" (CUTE++) on Pork
  • Generate patches to convert from nsresults to C++ exceptions.
  • Identify C++ to convert to JS2...
    • ... and translate it automatically.
    • C++ candidate code uses only scriptable interfaces, strings, primitives.
  • Canonicalization:
    • Replace XPCOM portability veneer with std-C++ equivalents.
    • Replace NSPR C portability veneer with std-C equivalents?
  • Enforce confidentiality properties:
    • Chrome never evals a content-tainted string.
    • C++ never snprintfs using a content-tainted string.
  • SpiderMonkey Exact-GC safety bugs. See the GC_SafetySpec page for the latest.
    • "Not stored in the heap" pointer dataflow analysis. Implemented in Oink: finding pointers to stack stored on heap/global is now a feature of Oink; have not tried it yet on Mozilla.
  • Dataflow enforcement of correct API usage (CQual++):
    • String character set encoding mistakes.
  • More dataflow enforcement (beyond the reach of CQual++):
    • Unit analysis (twips vs. pixels) for layout and rendering.
  • Code metrics, to compare to similar open source projects:
    • Virtual method declaration and call populations.
    • Cohesion, coupling, other modularity measures.

See also: Static Analysis/Installing the Oink Stack