Facebook Infer Bug Detection Tool Is Now Open Source - InformationWeek

For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.

In an effort to improve the overall security and stability of applications, Facebook has released Infer, a tool used to identify programming errors, under a BSD open-source license.

Infer is a static analyzer, software for finding bugs in other software without actually running the program in question. There are dozens of such tools available to scan code in a variety of programming languages; Infer, written in OCaml, can analyze Java (Android or otherwise), Objective-C, and C code.

For organizations focused on software-based products or services such as Facebook, Pinterest, and practically every other major Internet-oriented company, the ability to ship code quickly has become a competitive requirement. In a paper about its deployment practices, Facebook said it "operates in perpetual development mode, in which engineers continuously develop new features and make them available to users."

Facebook software engineers Cristiano Calcagno, Dino Distefano, and Peter O'Hearn explained in a blog post: "Each month, hundreds of potential bugs identified by Facebook Infer are fixed by our developers before they are committed to our codebases and deployed to people's phones. This saves our developers many hours finding and fixing bugs, and results in better products for people."

Infer was developed at a UK startup called Monoidics that Facebook acquired in 2013. Calcagno, Distefano, and O'Hearn co-founded the company.

Facebook has used Infer to improve the Facebook app for Android and iOS, Facebook Messenger, and Instagram by detecting null pointer access, resource leaks, and memory leaks -- errors that can lead to application crashes and can make programs vulnerable to exploits.

Using both static analysis and automated testing, Facebook is able to ship code as soon as it's ready, without waiting for the results of manual testing.

According to Calcagno, Distefano, and O'Hearn, the fix rate for issues identified by Infer in the past few months is about 80%, which they said is high for an automated tool. They said that Infer uses separation logic and bi-abduction to make inferences about how a large program will execute. These mathematical techniques allow Infer to consider only portions of an application, rather than the entirety of its code.

For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community, a constituency that provides value to its platform, and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.

In general, anything that improves code quality in an application reduces the potential for application crashes, lost data, and security vulnerabilities. And that benefits both the users and the developers of that application.

Commercial code analysis applications such as Coverity and Klocwork are widely used in many enterprises. However, these tools appear to be ill-suited for analyzing applications at the scale required by large Internet technology companies. In a paper about Google's internally developed static analysis tool Tricorder, Google software engineers Caitlin Sadowski, Jeffrey van Gogh, Ciera Jaspan, Emma Söderberg, and Collin Winter stated: "All of these tools have largely fallen out of use due to problems with workflow integration, scaling, and false positives."

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Charlie Babcock, User Rank: Author
6/15/2015 | 3:49:46 PM
Infer is a big contribution
Internal tools have displaced Coverity in the Linux kernel development process, as cited by Greg Kroah-Hartman here: http://www.informationweek.com/software/enterprise-applications/8-linux-security-improvements-in-8-years/d/d-id/1320294. But use of Coverity's static analysis illustrated the value of such a tool and remains a kind of safeguard that the new internal tools are doing their job. Facebook's contribution of Infer as open source is a significant move, one that helps developer communities at many organizations move closer to continuous integration of fresh code.