Working on deploying Infer inside Facebook has taught us how important it is to
have the analysis tool deeply embedded into the developers' workflow; see our
“Moving Fast with Software Verification” paper.

Infer runs as part of our continuous integration (CI) system, where it reports
issues on code modifications submitted for review by our engineers. We think
it's great when someone can hook up Infer to their workflow, and we're working
with several other companies to help integrate Infer into their own CI systems.
We've come far enough in a collaboration with Spotify to talk about it now!

Last July, shortly after Infer was open-sourced, we started talking with the
Marvin (Android Infrastructure) team at Spotify. They were interested in using
Infer on their Android app, but it did not work with their build system. They
were using the Gradle build system, whereas Infer's deployment within Facebook
uses a different build system, Facebook's Buck. We had only an initial, basic
integration with Gradle, which did not work with Spotify's app. A Spotify
engineer, Deniz Türkoglu, made improvements to our Gradle integration and
submitted them as a pull request to Infer's codebase, which is hosted on
GitHub.

Then, in November 2015, two of our engineers, Dulma Churchill and Jules Villard,
traveled to the Spotify office in Stockholm to attend a Hack Week there. After
running Infer on the Spotify app, we discussed the analyzer reports with Spotify
engineers, and we agreed that they identified potential problems in the code.

Infer is now running as part of Spotify's CI system, and here is a quote from
Deniz on Spotify's perspective on Infer, which we include with his kind
permission.

“At Spotify we are continuously working on making our codebase better, and in
the Android infrastructure team we use a lot of tools: static analyzers,
linters, thread/address sanitizers, etc. In our quest to make our code even
better, we started using Infer. Infer found several legitimate issues that
other tools had missed. The Infer team was also very helpful in following a
few false positives that we encountered, and we now have it running on our
build servers.

Infer is a great add-on to a company's toolbox. It's not intrusive — you can
simply add it to your flow and it will tell you where you forgot to close that
cursor or leaked that context. If you find a false positive, just report it
or, even better, make a PR. With more users, it will just keep getting
better.”

This collaboration was truly a two-way street: Not only does Infer find issues
in Spotify, which helps improve its Android app, but feedback from Spotify led
to several improvements in Infer, including resolution of false positives and
improvements of Infer's UI and integration with Gradle. The better Gradle
integration will make it easier for other people to run Infer on lots of other
apps around the world.

We're excited to collaborate with other companies and individuals to help make
the world's software better. If you are interested in integrating Infer into CI
or otherwise hearing about our experience, drop us a line!