Scaling static analyses at Facebook

Distefano, Dino; Fähndrich, Manuel; Logozzo, Francesco; O’Hearn, Peter W.

doi:10.1145/3338112

Cited by 157 publications

(101 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…He characterizes the use of other, more heavyweight, formal techniques (e.g., bounded model checking) in similar continuous settings as an open scientific challenge. O'Hearn also highlights that reporting static analysis results during code review is crucial to achieving a higher fix rate [14], which is reaffirmed by our work (cf. Sec.…”

Section: Related Worksupporting

confidence: 85%

“…Over the last 16 years, automated reasoning techniques (e.g., model checking) have evolved significantly [10,15]. As a consequence, several software verification frameworks have emerged in the literature [5]; with many applications in the industrial setting [7,12,14,27]. Some papers [8,20,23] describe how human factors impact the adoption and integration of formal verification techniques into well-established software engineering process.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Code-level model checking in the software development workflow

Chong

Cook

Καλλάς

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Software Engineering in Practice

View full text Add to dashboard Cite

This experience report describes a style of applying symbolic model checking developed over the course of four years at Amazon Web Services (AWS). Lessons learned are drawn from proving properties of numerous C-based systems, e.g., custom hypervisors, encryption code, boot loaders, and an IoT operating system. Using our methodology, we find that we can prove the correctness of industrial low-level C-based systems with reasonable effort and predictability. Furthermore, AWS developers are increasingly writing their own formal specifications. All proofs discussed in this paper are publicly available on GitHub. CCS CONCEPTS • Software and its engineering → Formal software verification; Model checking; Correctness; • Theory of computation → Program reasoning.

show abstract

Section: Related Worksupporting

confidence: 85%

Section: Related Workmentioning

confidence: 99%

Code-level model checking in the software development workflow

Chong

Cook

Καλλάς

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Software Engineering in Practice

View full text Add to dashboard Cite

show abstract

“…This could be a result of a flattening trend of ASAT warning removal after some time which means the LLoC then becomes the dominating factor of the warning density equation. This can be seen as evidence of industry best practices like utilizing static analysis tools only on new code as reported by Google (Sadowski et al 2018) and Facebook (Distefano et al 2019). Further evidence of this best practice is shown in the results of short and long term impact of PMD.…”

Section: Discussionmentioning

confidence: 68%

“…Published industry reports share some findings regarding static analysis infrastructure and warning removal. Google (Sadowski et al 2018) and Facebook (Distefano et al 2019) both found that just presenting developers with a large list of findings rarely motivates them to fix all reported warnings. However, reporting the warnings as early as possible, or at latest at code review time, improves the adoption and subsequent removal of static analysis warnings.…”

Section: Introductionmentioning

confidence: 99%

A longitudinal study of static analysis warning evolution and the effects of PMD on software quality in Apache open source projects

2020

View full text Add to dashboard Cite

Automated static analysis tools (ASATs) have become a major part of the software development workflow. Acting on the generated warnings, i.e., changing the code indicated in the warning, should be part of, at latest, the code review phase. Despite this being a best practice in software development, there is still a lack of empirical research regarding the usage of ASATs in the wild. In this work, we want to study ASAT warning trends in software via the example of PMD as an ASAT and its usage in open source projects. We analyzed the commit history of 54 projects (with 112,266 commits in total), taking into account 193 PMD rules and 61 PMD releases. We investigate trends of ASAT warnings over up to 17 years for the selected study subjects regarding changes of warning types, short and long term impact of ASAT use, and changes in warning severities. We found that large global changes in ASAT warnings are mostly due to coding style changes regarding braces and naming conventions. We also found that, surprisingly, the influence of the presence of PMD in the build process of the project on warning removal trends for the number of warnings per lines of code is small and not statistically significant. Regardless, if we consider defect density as a proxy for external quality, we see a positive effect if PMD is present in the build configuration of our study subjects.

show abstract

“…We introduce HackPPL, a probabilistic programming language that aims to bridge the gap between these paradigms with first-class integrations with language and developer productivity tools. HackPPL is built within the Hack programming language [33], a dominant web development language across large technology firms with over 100 million lines of production code [10]. Although Hack originated as an optionally-typed dialect of PHP, the Hack development team is discontinuing PHP support in order to open opportunities for sweeping language advancements [32].…”

Section: Introductionmentioning

confidence: 99%

HackPPL: a universal probabilistic programming language

Arora

Gokkaya

et al. 2019

Proceedings of the 3rd ACM SIGPLAN International Workshop on Machine Learning and Programming Languages

View full text Add to dashboard Cite

HackPPL is a probabilistic programming language (PPL) built within the Hack programming language. Its universal inference engine allows developers to perform inference across a diverse set of models expressible in arbitrary Hack code. Through language-level extensions and direct integration with developer tools, HackPPL aims to bridge the gap between domain-specific and embedded PPLs. This paper overviews the design and implementation choices for the HackPPL toolchain and presents findings by applying it to a representative problem faced by social media companies.

show abstract

Scaling static analyses at Facebook

Cited by 157 publications

References 19 publications

Code-level model checking in the software development workflow

Code-level model checking in the software development workflow

A longitudinal study of static analysis warning evolution and the effects of PMD on software quality in Apache open source projects

HackPPL: a universal probabilistic programming language

Contact Info

Product

Resources

About