Facebook Infer Bug Detection Tool Is Now Open Source
For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.
6 Top Programming Languages For Mobile Development
(Click image for larger view and slideshow.)
In an effort to improve the overall security and stability of applications, Facebook has released Infer, a tool used to identify programming errors, under a BSD open-source license.
Infer is a static analyzer, software for finding bugs in other software without actually running the program in question. There are dozens of such tools available to scan code in a variety of programming languages; Infer, written in OCaml, can analyze Java (Android or otherwise), Objective-C, and C code.
For organizations focused on software-based products or services such as Facebook, Pinterest, and practically every other major Internet-oriented company, the ability to ship code quickly has become a competitive requirement. In a paper about its deployment practices, Facebook said it "operates in perpetual development mode, in which engineers continuously develop new features and make them available to users."
Facebook software engineers Cristiano Calcagno, Dino Distefano, and Peter O'Hearn explained in a blog post: "Each month, hundreds of potential bugs identified by Facebook Infer are fixed by our developers before they are committed to our codebases and deployed to people's phones. This saves our developers many hours finding and fixing bugs, and results in better products for people."
Infer was developed at a UK startup called Monoidics that Facebook acquired in 2013. Calcagno, Distefano, and O'Hearn co-founded the company.
Facebook has used Infer to improve the Facebook app for Android and iOS, Facebook Messenger, and Instagram by detecting null pointer access, resource leaks, and memory leaks -- errors that can lead to application crashes and can make programs vulnerable to exploits.
Using both static analysis and automated testing, Facebook is able to ship code as soon as it's ready, without waiting for the results of manual testing.
According to Calcagno, Distefano, and O'Hearn, the fix rate for issues identified by Infer in the past few months is about 80%, which they said is high for an automated tool. They said that Infer uses separation logic and bi-abduction to make inferences about how a large program will execute. These mathematical techniques allow Infer to consider only portions of an application, rather than the entirety of its code.
For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community, a constituency that provides value to its platform, and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.
In general, anything that improves code quality in an application reduces the potential for application crashes, lost data, and security vulnerabilities. And that benefits both the users and the developers of that application.
Commercial code analysis applications such as Coverity and Klockwork are widely used in many enterprises. However, these tools appear to be ill-suited for analyzing applications at the scale required by large Internet technology companies. In a paper about Google's internally developed static analysis tool Tricorder, Google software engineers Caitlin Sadowski, Jeffrey van Gogh, Ciera Jaspan, Emma Söderberg, and Collin Winter stated: "All of these tools have largely fallen out of use due to problems with workflow integration, scaling, and false positives."
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.