Finding Inter-procedural Bugs at Scale with Infer Jules Villard <[email protected]> Facebook London Open-source static analyser Inter-procedural analyses + linters Infer For Java and C/C++/Objective-C Infer architecture PROJECT SOURCE CODE FRONTEND BACKEND + SIL SPECS REPORT BUILD SYSTEM Two Frontends: clang and Java And quite a few build system integrations PROJECT Java frontend Capture calls to to backend... the compiler javac SOURCE CODE + JAVA SIL BYTECODE + clang + clang plugin + C/C++/ObjC frontend linters SOURCE FILES CLANG AST +COMPILE COMMANDS BUILD SYSTEM REPORT Infer architecture PROJECT SOURCE CODE FRONTEND BACKEND + SIL SPECS REPORT BUILD SYSTEM Compositional, On-Demand Backend Architecture "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3 Bar.bar(); 3 new MyObject(); 4 ... 4 ... 5 } 5 } 6 6 7 @NoAllocation 7 void baz() { 8 void goo() { 8 ... 9 ... 9 } 10 foo(); 10 11 ... 11 12 } 12 Foo.java (SIL) Bar.java (SIL) Compositional, On-Demand Backend Architecture "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3 BarAllocation.bar(); via call to bar() line 3 3 newAllocation MyObject(); line 3 4 ... 4 ... 5 } 5 } 6 6 7 @NoAllocation 7 void baz() { 8 void goo() { 8 ... 9 ... ERROR 9 } 10 foo();Allocation via call to foo() line 10 10 11 ... 11 12 } 12 Foo.java (SIL) Bar.java (SIL) https://code.facebook.com/posts/1537144479682247/finding-inter-procedural-bugs-at-scale-with-infer-static-analyzer/ Interprocedural Analysis Case Study Percentages of inter-procedural reports for different types of bugs One procedure Interprocedural Interprocedural One file One file Inter-file Allocates Memory 0 2 98 Null Dereference 43 9 48 (Java) Null Dereference 73 5 24 (Objective-C) RacerD 36 12 53 Bad Pointer 100 0 0 Comparison (linter) CODE REVIEWERS DEVELOPER CI SYSTEM PHABRICATOR CI SYSTEM PRODUCT PERFORMANCE TESTS INFER Dif comments fit into usual workflow Only report when: - Warning is introduced by dif - Warning is in file changed by dif CODE REVIEWERS DEVELOPER CI SYSTEM PHABRICATOR CI SYSTEM PRODUCT PERFORMANCE TESTS INFER Analysing a Dif "Allocates Memory" checker case study --- Foo.java +++ Foo.java @NoAllocation void goo() { ... + foo(); ... } dif with dif Analysing a Dif "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3 Bar.bar(); 3 new MyObject(); 4 ... 4 ... --- Foo.java 5 } 5 } +++ Foo.java 6 6 @NoAllocation 7 @NoAllocation 7 void baz() { void goo() { 8 void goo() { 8 ... ... 9 ... 9 } + foo(); 10 foo(); 10 ... 11 ... 11 } 12 } 12 dif Foo.java (SIL) Bar.java (SIL) with dif Analysing a Dif "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3 Allocation Bar.bar(); via call to bar() line 3 3 newAllocation MyObject(); line 3 4 ... 4 ... --- Foo.java 5 } 5 } +++ Foo.java 6 6 @NoAllocation 7 @NoAllocation 7 void baz() { void goo() { 8 void goo() { 8 ... ... ERROR 9 ... 9 } + foo(); 10 foo(); 10 ... Allocation via call to foo() line 10 11 ... 11 } 12 } 12 dif Foo.java (SIL) Bar.java (SIL) base Analysing a Dif "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3 Bar.bar(); 3 newAllocation MyObject(); line 3 4 ... 4 ... --- Foo.java 5 } 5 } +++ Foo.java 6 6 @NoAllocation 7 @NoAllocation 7 void baz() { void goo() { 8 void goo() { 8 ... ... 9 ... 9 } + foo(); 10 ... 10 ... 11 } 11 } 12 12 dif Foo.java (SIL) Bar.java (SIL) base Analysing a Dif "Allocates Memory" checker case study 1 void foo() { 1 void bar() { 2 ... 2 ... 3Allocation Bar.bar(); via call to bar() line 3 3 newAllocation MyObject(); line 3 4 ... 4 ... --- Foo.java 5 } 5 } +++ Foo.java 6 6 @NoAllocation 7 @NoAllocation 7 void baz() { void goo() { 8 void goo() { 8 ... ... 9 ... 9 } + foo(); 10 ... 10 ... 11 } No allocation 11 } 12 12 dif Foo.java (SIL) Bar.java (SIL) Analysing a Dif "Allocates Memory" checker case study base No report --- Foo.java +++ Foo.java dif ERROR foo() allocates memory on line 10 @NoAllocation void goo() { ... diff - base = + foo(); ERROR foo() allocates memory on line 10 ... DIFFERENTIAL } REPORT dif Help developers move fast Dif-Based Deployment Easy to deploy new checks Current status - Infer runs on all Android + iOS difs for Facebook, Messenger, Instagram, and WhatsApp - 10ks of difs analyzed per month - 1ks of issues fixed per month (~70% fix rate) Action taken is ground truth for success Finding Inter-procedural Bugs at Scale with Infer Jules Villard <[email protected]> Facebook London.