US and Canada based company "Klocwork" is currently evaluating popular Open Source packages with their source-code analysis tool "K7". One of their projects was to have a look at Firefox:
Overall it is clear that Firefox is a very well written and high quality piece of software. Several builds were performed on the code, culminating in the final analysis of version 184.108.40.206. The analysis resulted in 655 defects and 71 potential security vulnerabilities. The Firefox team has been given the analysis results, and they will determine if or how they will deal with the issues.
The results in a more detailed view: [g2zero.com...]
For me it seems most of the issues are of theoretical nature. I also have trust in the core developers to check and fix these issues pretty fast. A similar analysis on the sourcecode of IE would be interesting though, but I doubt we will ever see results of such an analysis.
From my experience using similar static analysis tools on my company's code, I suspect that many of the null pointer dereference issues will never result in a crash -- automatic code analysis overlooks the inherent constraints that the code runs under. I doubt more than 1 or 2 of all of these errors are actually exploitable, in practice.
That's not to say this kind of analysis isn't useful - if this kind of tool raises a warning, it's usually indicative of either a minor bug or programmer laziness.
655 bugs actually struck me as being on the low side for code this size. They must have either severely constrained the kinds of warnings the tool could produce, or most issues typically found by static analysis must have been removed by other, similar tools.