We do both, but it's still very tedious. After a while the dynamic analysis only caught false positives (something on the stack looked like a pointer). The static analysis had to be updated when new potentially hazardous cases became obvious. https://wiki.mozilla.org/Javascript:SpiderMonkey:ExactStackR...