Finding Inter-procedural Bugs at Scale with Infer

Jules Villard
Facebook London

Infer

Open-source static analyser
Inter-procedural analyses + linters
For Java and C/C++/Objective-C

Infer architecture

[Diagram: PROJECT (SOURCE CODE + BUILD SYSTEM) -> FRONTEND -> SIL -> BACKEND + SPECS -> REPORT]

Two Frontends: and Java

And quite a few build system integrations

[Diagram. Labels: PROJECT (SOURCE CODE + BUILD SYSTEM); capture calls to the compiler; javac, JAVA BYTECODE, Java frontend; clang + clang plugin, SOURCE FILES + COMPILE COMMANDS, CLANG AST, C/C++/ObjC frontend + linters; SIL, to backend...; REPORT]

Compositional, On-Demand Backend Architecture
"Allocates Memory" checker case study

Foo.java (SIL)

     1 void foo() {
     2   ...
     3   Bar.bar();
     4   ...
     5 }
     6
     7 @NoAllocation
     8 void goo() {
     9   ...
    10   foo();
    11   ...
    12 }

Bar.java (SIL)

     1 void bar() {
     2   ...
     3   new MyObject();
     4   ...
     5 }
     6
     7 void baz() {
     8   ...
     9 }

Annotations added by the analysis:

- Bar.java line 3, new MyObject(): Allocation line 3
- Foo.java line 3, Bar.bar(): Allocation via call to bar() line 3
- Foo.java line 10, foo(): ERROR Allocation via call to foo() line 10

https://code.facebook.com/posts/1537144479682247/finding-inter-procedural-bugs-at-scale-with-infer-static-analyzer/

Interprocedural Analysis Case Study

Percentages of inter-procedural reports for different types of bugs

                                    One procedure   Interprocedural   Interprocedural
                                    One file        One file          Inter-file
    Allocates Memory                0               2                 98
    Null Dereference (Java)         43              9                 48
    Null Dereference (Objective-C)  73              5                 24
    RacerD                          36              12                53
    Bad Pointer Comparison (linter) 100             0                 0

[Workflow diagram. Labels: CODE REVIEWERS, DEVELOPER, CI SYSTEM, PHABRICATOR, CI SYSTEM, PRODUCT, PERFORMANCE TESTS, INFER]

Diff comments fit into usual workflow

Only report when:
- Warning is introduced by diff
- Warning is in file changed by diff

Analysing a Diff
"Allocates Memory" checker case study

--- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... }
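Review bot: the added foo(); call lands inside goo(), which carries @NoAllocation, and the Foo.java and Bar.java listings on these slides show foo() calling Bar.bar(), which does new MyObject() on line 3, so the call breaks the annotation's contract. Either drop the call, make the foo() path allocation-free, or remove @NoAllocation from goo() if the guarantee no longer applies.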

With diff

Foo.java (SIL)

     1 void foo() {
     2   ...
     3   Bar.bar();         <- Allocation via call to bar() line 3
     4   ...
     5 }
     6
     7 @NoAllocation
     8 void goo() {
     9   ...
    10   foo();             <- ERROR Allocation via call to foo() line 10
    11   ...
    12 }

Bar.java (SIL)

     1 void bar() {
     2   ...
     3   new MyObject();    <- Allocation line 3
     4   ...
     5 }
     6
     7 void baz() {
     8   ...
     9 }

Base

Foo.java (SIL)

     1 void foo() {
     2   ...
     3   Bar.bar();         <- Allocation via call to bar() line 3
     4   ...
     5 }
     6
     7 @NoAllocation
     8 void goo() {
     9   ...
    10   ...
    11 }                    <- No allocation

Bar.java (SIL): same listing as with the diff, Allocation line 3

Analysing a Diff
"Allocates Memory" checker case study

base: No report
diff: ERROR foo() allocates memory on line 10
diff - base = DIFFERENTIAL REPORT: ERROR foo() allocates memory on line 10

Diff-Based Deployment

Help developers move fast
Easy to deploy new checks

Current status

- Infer runs on all Android + iOS diffs for Facebook, Messenger, , and WhatsApp
- 10ks of diffs analyzed per month
- 1ks of issues fixed per month (~70% fix rate)

Action taken is ground truth for success

Finding Inter-procedural Bugs at Scale with Infer

Jules Villard
Facebook London
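The with-diff and base analyses from the "Analysing a Diff" slides, and the subtraction that yields the differential report, as an added Python example (not Infer's code and not part of the talk). The program model, the statement tuples, the function names and the hypothetical "legacy" procedure are assumptions made for illustration; the per-procedure summaries stand in for Infer's specs.

```python
# Constructed model of the slides' Foo.java / Bar.java (not Infer's SIL or API).
# Statements are ("new", line) or ("call", callee, line).
BAR = {"bar": [("new", 3)], "baz": []}
FOO = {"foo": [("call", "bar", 3)]}
# Hypothetical procedure, not on the slides: it already allocates before the diff.
LEGACY = {"legacy": [("new", 20)]}
BASE = {**BAR, **FOO, **LEGACY, "goo": []}
DIFF = {**BAR, **FOO, **LEGACY, "goo": [("call", "foo", 10)]}
NO_ALLOCATION = {"goo", "legacy"}  # procedures annotated @NoAllocation


def analyze(program):
    """One summary per procedure: a trace to an allocation, or None.
    A caller reads only its callees' summaries, never their bodies; iterating
    to a fixpoint makes the result order-independent and safe on recursion."""
    specs = dict.fromkeys(program)
    changed = True
    while changed:
        changed = False
        for proc, body in program.items():
            if specs[proc] is not None:
                continue
            for stmt in body:
                if stmt[0] == "new":
                    specs[proc] = [f"Allocation line {stmt[1]}"]
                elif specs.get(stmt[1]) is not None:
                    here = f"Allocation via call to {stmt[1]}() line {stmt[2]}"
                    specs[proc] = [here] + specs[stmt[1]]
                if specs[proc] is not None:
                    changed = True
                    break
    return specs


def report(program, no_allocation):
    """Map each annotated procedure that may allocate to its trace."""
    specs = analyze(program)
    return {p: specs[p] for p in sorted(no_allocation) if specs.get(p)}


def differential_report(base, diff, no_allocation):
    """diff - base: keep only issues absent from the base revision.
    Issues are matched by procedure name (an assumption of this sketch) so
    that shifted line numbers do not make an old issue look new."""
    old = report(base, no_allocation)
    return {p: t for p, t in report(diff, no_allocation).items() if p not in old}
```

The pre-existing "legacy" issue appears in both full reports and is therefore absent from the differential report, which contains only the goo() error introduced by the diff.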