Finding Inter-procedural Bugs at Scale with Infer, Jules Villard (PowerPoint presentation)

SLIDE 1

Facebook London

Jules Villard <jul@fb.com>

Finding Inter-procedural Bugs at Scale with Infer

SLIDE 2

Infer

Inter-procedural analyses + linters

For Java and C/C++/Objective-C

Open-source static analyser

SLIDE 3

Infer architecture

[Diagram labels: PROJECT SOURCE CODE + BUILD SYSTEM, FRONTEND, SIL, BACKEND, SPECS, REPORT]

SLIDE 4

Two Frontends: clang and Java

And quite a few build system integrations

[Diagram labels: PROJECT SOURCE CODE + BUILD SYSTEM, Capture calls to the compiler, SOURCE FILES + COMPILE COMMANDS, C/C++/ObjC frontend, clang + clang plugin, CLANG AST, linters, Java frontend, javac, JAVA BYTECODE, SIL, to backend..., REPORT]

SLIDE 5

Infer architecture

[Diagram labels: PROJECT SOURCE CODE + BUILD SYSTEM, FRONTEND, SIL, BACKEND, SPECS, REPORT]

SLIDE 6

"Allocates Memory" checker case study

Compositional, On-Demand Backend Architecture

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      foo();          // line 10
      ...
    }

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

SLIDE 7

"Allocates Memory" checker case study

Compositional, On-Demand Backend Architecture

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      foo();          // line 10
      ...
    }

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

Annotations:

  • goo(): Allocation via call to foo() line 10 (ERROR)
  • foo(): Allocation via call to bar() line 3
  • bar(): Allocation line 3

SLIDE 8

Interprocedural Analysis Case Study

Percentages of inter-procedural reports for different types of bugs

Columns: One procedure, one file | Interprocedural, one file | Interprocedural, inter-file

  • Allocates Memory: 2 98
  • Null Dereference (Java): 43 9 48
  • Null Dereference (Objective-C): 73 5 24
  • RacerD: 36 12 53
  • Bad Pointer Comparison (linter): 100

https://code.facebook.com/posts/1537144479682247/finding-inter-procedural-bugs-at-scale-with-infer-static-analyzer/

SLIDE 9

[Diagram labels: DEVELOPER, CI SYSTEM, PHABRICATOR, CODE REVIEWERS, CI SYSTEM, PRODUCT, INFER, PERFORMANCE TESTS]

SLIDE 10

Diff comments fit into usual workflow

Only report when:

  • Warning is introduced by diff
  • Warning is in file changed by diff

SLIDE 11

[Diagram labels: DEVELOPER, CI SYSTEM, PHABRICATOR, CODE REVIEWERS, CI SYSTEM, PRODUCT, INFER, PERFORMANCE TESTS]

SLIDE 12

Analysing a Diff

"Allocates Memory" checker case study

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }
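
Review bot: the added foo(); call inside goo() sits under @NoAllocation, but foo() calls Bar.bar(), and bar() runs new MyObject(), so goo() now allocates transitively and no longer honours its annotation. Either keep the call out of goo(), move the allocation out of the bar() path, or drop @NoAllocation from goo() if allocating here is acceptable.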

diff

SLIDE 13

Analysing a Diff

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      foo();          // line 10
      ...
    }

"Allocates Memory" checker case study

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

diff

Version shown: with diff

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

SLIDE 14

Analysing a Diff

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      foo();          // line 10
      ...
    }

Annotations on Foo.java:

  • goo(): Allocation via call to foo() line 10 (ERROR)
  • foo(): Allocation via call to bar() line 3

"Allocates Memory" checker case study

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

diff

Version shown: with diff

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

Annotation on Bar.java:

  • bar(): Allocation line 3

SLIDE 15

Analysing a Diff

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

diff

"Allocates Memory" checker case study

Version shown: base

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      ...
    }

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

Annotation:

  • bar(): Allocation line 3

SLIDE 16

Analysing a Diff

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

diff

"Allocates Memory" checker case study

Version shown: base

Foo.java (SIL)

    void foo() {
      ...
      Bar.bar();      // line 3
      ...
    }

    @NoAllocation
    void goo() {
      ...
      ...
    }

Bar.java (SIL)

    void bar() {
      ...
      new MyObject(); // line 3
      ...
    }

    void baz() {
      ...
    }

Annotations:

  • goo(): No allocation
  • foo(): Allocation via call to bar() line 3
  • bar(): Allocation line 3

SLIDE 17

Analysing a Diff

  • -- Foo.java

+++ Foo.java @NoAllocation void goo() { ... + foo(); ... }

diff

"Allocates Memory" checker case study

  • base: No report
  • diff: ERROR foo() allocates memory on line 10

diff - base = ERROR foo() allocates memory on line 10

DIFFERENTIAL REPORT
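
The base/diff comparison of slides 12 to 17, worked through as an added example (not part of the original slides and not Infer's implementation). It is a toy Python model in which the procedure table, the issue key and the `legacy` procedure are constructed assumptions; it propagates allocation summaries across procedures and applies the two reporting conditions of slide 10.

```python
# Added illustration (not Infer code): toy "Allocates Memory" check with diff - base reporting.
# Constructed procedure model: file, lines of direct allocations, (line, callee) calls,
# and whether the procedure is annotated @NoAllocation.

def proc(file, allocs=(), calls=(), no_alloc=False):
    return {"file": file, "allocs": list(allocs), "calls": list(calls), "no_alloc": no_alloc}

def summarize(program):
    """Map each allocating procedure to a trace ending at the allocation (fixpoint, so recursion is fine)."""
    trace = {p: [f"Allocation line {d['allocs'][0]}"] for p, d in program.items() if d["allocs"]}
    changed = True
    while changed:
        changed = False
        for p, d in program.items():
            if p in trace:
                continue
            for line, callee in d["calls"]:
                if callee in trace:
                    trace[p] = [f"Allocation via call to {callee}() line {line}"] + trace[callee]
                    changed = True
                    break
    return trace

def report(program):
    """Issues keyed by (file, procedure, bug type); no line numbers, so shifted code is not 'new'."""
    trace = summarize(program)
    return {(d["file"], p, "ALLOCATES_MEMORY"): trace[p]
            for p, d in program.items() if d["no_alloc"] and p in trace}

def differential_report(base, diff, changed_files):
    """Keep only issues introduced by the diff that sit in a file the diff changed."""
    old, new = report(base), report(diff)
    return {k: v for k, v in new.items() if k not in old and k[0] in changed_files}

def version(goo_calls):
    return {
        "foo": proc("Foo.java", calls=[(3, "bar")]),
        "goo": proc("Foo.java", calls=goo_calls, no_alloc=True),
        "bar": proc("Bar.java", allocs=[3]),
        "baz": proc("Bar.java"),
        # Constructed extra: a warning present in both versions, which must stay silent.
        "legacy": proc("Legacy.java", calls=[(7, "bar")], no_alloc=True),
    }

BASE = version([])              # goo() does not call foo()
DIFF = version([(10, "foo")])   # the diff adds foo(); at line 10 of Foo.java

if __name__ == "__main__":
    for key, trace in differential_report(BASE, DIFF, {"Foo.java"}).items():
        print("ERROR", key, *trace, sep="\n  ")
```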

SLIDE 18

Diff-Based Deployment

  • Easy to deploy new checks
  • Help developers move fast

SLIDE 19

Current status

  • Infer runs on all Android + iOS diffs for Facebook, Messenger, Instagram, and WhatsApp
  • 10ks of diffs analyzed per month
  • 1ks of issues fixed per month (~70% fix rate)

Action taken is ground truth for success

SLIDE 20

Facebook London

Jules Villard <jul@fb.com>

Finding Inter-procedural Bugs at Scale with Infer