Facebook Infer Bug Detection Tool Is Now Open Source - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

05:36 PM
Connect Directly

Facebook Infer Bug Detection Tool Is Now Open Source

For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.

6 Top Programming Languages For Mobile Development
6 Top Programming Languages For Mobile Development
(Click image for larger view and slideshow.)

In an effort to improve the overall security and stability of applications, Facebook has released Infer, a tool used to identify programming errors, under a BSD open-source license.

Infer is a static analyzer, software for finding bugs in other software without actually running the program in question. There are dozens of such tools available to scan code in a variety of programming languages; Infer, written in OCaml, can analyze Java (Android or otherwise), Objective-C, and C code.

For organizations focused on software-based products or services such as Facebook, Pinterest, and practically every other major Internet-oriented company, the ability to ship code quickly has become a competitive requirement. In a paper about its deployment practices, Facebook said it "operates in perpetual development mode, in which engineers continuously develop new features and make them available to users."

[ Need a small-scale database for your mobile apps? Read Filemaker 14: A Database For DIY Apps. ]

Facebook software engineers Cristiano Calcagno, Dino Distefano, and Peter O'Hearn explained in a blog post: "Each month, hundreds of potential bugs identified by Facebook Infer are fixed by our developers before they are committed to our codebases and deployed to people's phones. This saves our developers many hours finding and fixing bugs, and results in better products for people."

Infer was developed at a UK startup called Monoidics that Facebook acquired in 2013. Calcagno, Distefano, and O'Hearn co-founded the company.

Facebook has used Infer to improve the Facebook app for Android and iOS, Facebook Messenger, and Instagram by detecting null pointer access, resource leaks, and memory leaks -- errors that can lead to application crashes and can make programs vulnerable to exploits.

(Image: Facebook)

(Image: Facebook)

Using both static analysis and automated testing, Facebook is able to ship code as soon as it's ready, without waiting for the results of manual testing.

According to Calcagno, Distefano, and O'Hearn, the fix rate for issues identified by Infer in the past few months is about 80%, which they said is high for an automated tool. They said that Infer uses separation logic and bi-abduction to make inferences about how a large program will execute. These mathematical techniques allow Infer to consider only portions of an application, rather than the entirety of its code.

For Facebook, open-sourcing Infer represents a gesture of goodwill toward the developer community, a constituency that provides value to its platform, and advances the eventual goal of automated software verification. Doing so should also lead to improvements in Infer through external contributions.

In general, anything that improves code quality in an application reduces the potential for application crashes, lost data, and security vulnerabilities. And that benefits both the users and the developers of that application.

Commercial code analysis applications such as Coverity and Klockwork are widely used in many enterprises. However, these tools appear to be ill-suited for analyzing applications at the scale required by large Internet technology companies. In a paper about Google's internally developed static analysis tool Tricorder, Google software engineers Caitlin Sadowski, Jeffrey van Gogh, Ciera Jaspan, Emma Söderberg, and Collin Winter stated: "All of these tools have largely fallen out of use due to problems with workflow integration, scaling, and false positives."

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
Charlie Babcock,
User Rank: Author
6/15/2015 | 3:49:46 PM
Infer is a big contribution
Internal tools have displaced Coverity in the Linux kernel development process, as cited by Greg Kroah-Harman here: http://www.informationweek.com/software/enterprise-applications/8-linux-security-improvements-in-8-years/d/d-id/1320294. But use of Coverity's static analysis illustrated the value of such a tool and remains a kind of safeguard that the new internal tools are doing their job. Facebook's contribution of Infer as open spource is a significant move, one that helps developer communities at many organizations move closer to continuous integration of fresh code.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
How CIOs Can Advance Company Sustainability Goals
Lisa Morgan, Freelance Writer,  5/26/2021
IT Skills: Top 10 Programming Languages for 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/21/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll