@yijan4845
Summary

  • Implemented Firefox support in CSA backends.
  • Firefox-specific prompts are added: patch2pattern(.md), pattern2plan(.md), plan2checker(.md), plus knowledge/{utility,suggestions,template}.md
  • Commit lists: commits/commits-firefox*.txt with real Firefox commits + bug labels for evaluation.
  • Toolchain & container are updated to support the Firefox build.

How to use

Add target_type and firefox_dir to config.yaml. An example of config.yaml for generation:

LLVM_dir: /app/llvm
checker_nums: 2
key_file: /app/llm_keys.yaml
firefox_dir: /app/firefox
target_type: firefox
model: o3-mini
result_dir: /app/result-generate-debug

Notes

  • To handle compatibility, I currently choose a rustc toolchain based on the commit date, but only pick one version per year. For some commits, if Rust compatibility issues persist, we need to expand the set of candidate versions to try/switch between. Now we only support commits after 2020, because the environment change before this year might be too large (we need to switch to python2).
  • I now first check whether this commit has already been fully built. If not, I do a full build; only when a full build exists do I run an incremental build.
  • When running scan-build with custom CSA across different Firefox commits, the C++ toolchain sometimes doesn’t match the commit (libstdc++ versions), and scan-build sometimes doesn’t pass the plugin to c++-analyzer. That triggers C++17/wasm compile errors that look like checker failures but are actually infrastructure mismatches. I'll try to fix that later to cover most of the commits.

@gemini-code-assist

Summary of Changes

Hello @yijan4845, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates Firefox C++ support into the existing static analysis framework, providing a specialized environment for identifying and addressing C++ vulnerabilities within the Firefox codebase. It includes new prompt templates and example checkers designed to recognize common Firefox-specific bug patterns, alongside a significantly enhanced scan-build pipeline that intelligently manages build environments and toolchains for more effective and reliable analysis.

Highlights

  • Firefox C++ Support Integration: This pull request introduces comprehensive support for Firefox C++ projects within the CSA backend, enabling specialized analysis and checker generation tailored for the Firefox codebase.
  • Firefox-Specific Prompt Templates: New prompt templates have been added under prompt_template/firefox/ for patch2pattern, pattern2plan, and plan2checker, along with knowledge base articles (utility, suggestions, template), to guide the generation of more accurate and relevant CSA checkers for Firefox-specific C++ patterns.
  • Enhanced Scan-Build Pipeline for Firefox: The scan-build analysis pipeline for Firefox has been significantly upgraded to include robust environment management, dynamic Rust toolchain selection based on commit dates, conditional full/incremental builds, and detailed logging, ensuring more reliable and efficient static analysis.
  • Example CSA Checkers for Common C++ Bugs: Several example Clang Static Analyzer checkers have been included, demonstrating detection of critical C++ bug patterns such as double-free of devm_* allocated memory, null-pointer dereferences from devm_kasprintf without checks, and kernel information leaks due to uninitialized kmalloc memory.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces Firefox support to the CSA backend, adding Firefox-specific prompts, evaluation commits, and a significantly improved analysis pipeline for scan-build. The changes are a major step forward, especially the robust Firefox build and analysis logic in src/backends/csa.py.

My review has identified a critical typo in src/agent.py that needs to be fixed. Additionally, there are several medium-severity suggestions to improve code quality, maintainability, and correctness across the new Python scripts and C++ checker examples. Key areas for improvement include refactoring a very long function in csa.py, addressing hardcoded values, and enhancing the provided checker examples.

It's also worth noting that the new checker examples under the prompt_template/firefox/ directory are based on Linux kernel bugs, not Firefox bugs, which could be confusing. Similarly, src/checker-initial.cpp and src/checker-repaired.cpp appear to address different bugs, which is misleading given their names. These points are for your consideration and are not included as specific review comments.

YangChenyuan and others added 2 commits October 19, 2025 16:06
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Member

It would be better to create a new file Dockerfile-firefox with those changes and leave the original unchanged.

Member

Why do we have this file?
