Apr 08

Counting down to a Dehydra release

I hope to release Dehydra 0.9 within a couple of weeks. There is already a community of users, but there are still too many barriers to entry keeping potential bug hunters away.

In recent weeks there has been a lot of work on polishing rough areas. Now we have better error reporting, improved APIs for using libraries, etc. The remaining tasks are tracked in this bug.

The few big remaining TODOs are low-tech:

  • Need a better homepage than the current one.
  • Docs, tutorials and more docs. Currently, the plan is to put more documentation on MDC and have it also serve as a webpage. Any dehydra/treehydra guides or API doc contributions are welcome. For now, if you need help, feel free to ask on the mailing list or #mmgc on irc.mozilla.org.
  • Verify, document and maintain the OSX port. Vlad Sukhoy did a lot of heavy lifting to make this happen; now we need to cement his achievement by setting up a buildbot.
  • Spread the word! I would like to see other large projects such as KDE, OpenOffice, etc. adopt application-specific static analysis in the form of *hydra. I am interested in seeing people use *hydra to scan code for security vulnerabilities. OK, so this isn’t really needed to release Dehydra 0.9, but I am impatient!

RIP: Oink Dehydra

Between GCC Dehydra and Treehydra, there is nothing that Pork Dehydra could do better, so I finally removed Dehydra from Pork. From now on Pork’s purpose is large-scale C/C++ refactoring. For everything else one should use Dehydra.

Apr 08

Static analyses: gadgets of Mozilla 2 James Bonds

When I started on my static analysis quest just over a year ago, I imagined a perfect world in which I make tools and people use them to do awesome analyses. Since I did not want to be disappointed, I imagined this, but did not think it would come true.

Now we are at a point where static analysis use is growing rapidly; most analyses are done by people other than me, as lately I barely have time to work on actual analyses. Treehydra and dehydra now have users and are well on their way to being released, which is taking up most of my time. Some of the most notable happenings:

  • Vlad Sukhoy appeared out of nowhere and ported Dehydra to GCC 4.2 on OSX. This is exciting because it showed that the plugin system is portable between GCC releases, and it’s the biggest patch from a non-core dev.
  • We finished the paper on our static analysis work to be presented at the GCC summit. I am looking forward to meeting developers that built the GCC features that made the *hydras practical.
  • There are a lot of finishing touches being done so that we can release Dehydra 0.9 and eventually 1.0. Bug.
  • Dave Mandelin implemented a proper testsuite for the *hydras. This is a massive step up from what we had before.
  • There is a massive amount of Treehydra work going on. Looks like it is boldly going where no static analysis has gone before, even faster than Dehydra did. So far it looks like Treehydra is going to be a bigger deal than Dehydra could ever be. It is turning out to be a very potent combination of GCC for features and JavaScript for ease of use.

I have elaborate plans on how to take over the world with static analysis, more on that later. In the meantime I’ve started compiling a tracking bug of ongoing analyses for Moz 2.

Apr 08


I will be presenting on the work we are doing on Mozilla 2 at FISL08. Chris posted an excellent breakdown of Mozilla plans for the conference.

If you are at all interested in the ground-breaking development happening in Mozilla 2 or the challenges of static analysis, then look me up!

This is all very exciting as it’ll be a trip of many personal firsts: Brazil, the southern hemisphere and a conference of this scale.