Static Analysis is running an analysis of the source code without actually executing the code. For the most part, at Mozilla static analysis refers to the stuff we do with clang-tidy. It uses checkers in order to prevent different programming errors present in the code. The checkers that we use are split into 3 categories:
Firefox specific checkers. They detect incorrect Gecko programming patterns which could lead to bugs or security issues.
Clang-tidy checkers. They aim to suggest better programming practices and to improve memory efficiency and performance.
Clang-analyzer checkers. These checks are more advanced, for example some of them can detect dead code or memory leaks, but as a typical side effect they have false positives. Because of that, we have disabled them for now, but will enable some of them in the near future.
In order to simplify the process of static-analysis we have focused on integrating this process with Phabricator and mach. A list of some checkers that are used during automated scan can be found here.
This documentation is split into two parts: