Finding Inter-procedural Bugs at Scale with Infer
Jules Villard <jul@fb.com>, Facebook London

Infer
- Open-source static analyser
- Inter-procedural analyses + linters
- For Java and C/C++/Objective-C

Infer architecture
[Diagram labels: PROJECT (SOURCE CODE, BUILD SYSTEM), FRONTEND, SIL, BACKEND + SPECS, REPORT]

Two Frontends: clang and Java
And quite a few build system integrations
[Diagram labels: PROJECT (SOURCE CODE, BUILD SYSTEM); Capture calls to the compiler; javac; JAVA BYTECODE; Java frontend; clang + clang plugin; SOURCE FILES + COMPILE COMMANDS; CLANG AST; C/C++/ObjC frontend + linters; SIL; to backend...; REPORT]

Compositional, On-Demand Backend Architecture
"Allocates Memory" checker case study

Bar.java (SIL)
     1  void bar() {
     2    ...
     3    new MyObject();     <- Allocation line 3
     4    ...
     5  }
     6
     7  void baz() {
     8    ...
     9  }

Foo.java (SIL)
     1  void foo() {
     2    ...
     3    Bar.bar();          <- Allocation via call to bar() line 3
     4    ...
     5  }
     6
     7  @NoAllocation
     8  void goo() {          <- ERROR
     9    ...
    10    foo();              <- Allocation via call to foo() line 10
    11    ...
    12  }

https://code.facebook.com/posts/1537144479682247/finding-inter-procedural-bugs-at-scale-with-infer-static-analyzer/

Interprocedural Analysis Case Study
Percentages of inter-procedural reports for different types of bugs

Bug type                          One procedure   Interprocedural,   Interprocedural,
                                                  one file           inter-file
Allocates Memory                  0               2                  98
Null Dereference (Java)           43              9                  48
Null Dereference (Objective-C)    73              5                  24
RacerD                            36              12                 53
Bad Pointer Comparison (linter)   100             0                  0

[Diagram labels: CODE REVIEWERS, DEVELOPER, CI SYSTEM, PHABRICATOR, CI SYSTEM, PRODUCT, PERFORMANCE, TESTS, INFER]

Diff comments fit into usual workflow
Only report when:
- Warning is introduced by diff
- Warning is in file changed by diff

Analysing a Diff "Allocates Memory" checker case study --- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... } diff
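
Review bot: the added `foo();` call in `goo()` conflicts with the `@NoAllocation` annotation on that method, because `foo()` calls `Bar.bar()` and `bar()` executes `new MyObject()`. Either drop the call from `goo()` or move the allocation off the path through `foo()` and `bar()`; removing the annotation only makes sense if `goo()` is genuinely allowed to allocate.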

Analysing a Diff (with diff)
"Allocates Memory" checker case study

Bar.java (SIL)
     1  void bar() {
     2    ...
     3    new MyObject();     <- Allocation line 3
     4    ...
     5  }
     6
     7  void baz() {
     8    ...
     9  }

Foo.java (SIL)
     1  void foo() {
     2    ...
     3    Bar.bar();          <- Allocation via call to bar() line 3
     4    ...
     5  }
     6
     7  @NoAllocation
     8  void goo() {          <- ERROR
     9    ...
    10    foo();              <- Allocation via call to foo() line 10
    11    ...
    12  }

diff: --- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

Analysing a Diff (base)
"Allocates Memory" checker case study

Bar.java (SIL)
     1  void bar() {
     2    ...
     3    new MyObject();     <- Allocation line 3
     4    ...
     5  }
     6
     7  void baz() {
     8    ...
     9  }

Foo.java (SIL)
     1  void foo() {
     2    ...
     3    Bar.bar();          <- Allocation via call to bar() line 3
     4    ...
     5  }
     6
     7  @NoAllocation
     8  void goo() {
     9    ...
    10    ...                 <- No allocation
    11  }

diff: --- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

Analysing a Diff
"Allocates Memory" checker case study

diff: --- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

base: No report
diff: ERROR foo() allocates memory on line 10
diff - base = ERROR foo() allocates memory on line 10 (DIFFERENTIAL REPORT)
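
The base/diff comparison and the two reporting conditions from the slides, as an added example that is not Infer's code. It assumes a toy program model, computes allocation summaries with a whole-program fixpoint rather than Infer's on-demand scheduling, and identifies an issue by (file, procedure) so that line shifts do not make an old issue look new.

```python
# Added example: toy "Allocates Memory" checker plus the diff-minus-base report.
# Assumed program model: {file: {procedure: (no_allocation, [(line, op), ...])}}
# where op is "new" for a direct allocation, otherwise the name of a callee.

def allocation_traces(program):
    """Map each allocating procedure to the call trace that reaches the allocation."""
    bodies = {name: body for procs in program.values()
              for name, (_, body) in procs.items()}
    traces, changed = {}, True
    while changed:                      # iterate to a fixpoint over the call graph
        changed = False
        for name, body in bodies.items():
            if name in traces:
                continue
            for line, op in body:
                if op == "new":
                    traces[name] = [f"Allocation line {line}"]
                elif op in traces:      # reuse the callee's summary
                    traces[name] = [f"Allocation via call to {op}() line {line}"] + traces[op]
                if name in traces:
                    changed = True
                    break
    return traces

def issues(program):
    """Issues keyed by (file, procedure): @NoAllocation procedures that allocate."""
    traces = allocation_traces(program)
    return {(file, name): traces[name]
            for file, procs in program.items()
            for name, (no_alloc, _) in procs.items()
            if no_alloc and name in traces}

def differential_report(base, diff, changed_files):
    """Keep issues that are new in diff and sit in a file the diff changed."""
    before, after = issues(base), issues(diff)
    return [(file, name, after[(file, name)])
            for file, name in sorted(after.keys() - before.keys())
            if file in changed_files]

# Constructed sample mirroring the slides' Bar.java / Foo.java.
BAR = {"bar": (False, [(3, "new")]), "baz": (False, [])}
FOO = {"foo": (False, [(3, "bar")])}
BASE = {"Bar.java": BAR, "Foo.java": {**FOO, "goo": (True, [])}}
DIFF = {"Bar.java": BAR, "Foo.java": {**FOO, "goo": (True, [(10, "foo")])}}

if __name__ == "__main__":
    for file, name, trace in differential_report(BASE, DIFF, {"Foo.java"}):
        print(f"{file}: {name}() is @NoAllocation but allocates:", " -> ".join(trace))
```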

Diff-Based Deployment
- Help developers move fast
- Easy to deploy new checks

Current status
- Infer runs on all Android + iOS diffs for Facebook, Messenger, Instagram, and WhatsApp
- 10ks of diffs analyzed per month
- 1ks of issues fixed per month (~70% fix rate)
Action taken is ground truth for success