SoylentNews is people

posted by Fnord666 on Friday August 23 2019, @10:44AM
from the static-code-analysis dept.

Submitted via IRC for SoyCow2718

Facebook doesn't have the most stellar privacy and security track record, especially given that many of its notable gaffes were avoidable. But with billions of users and a gargantuan platform to defend, it's not easy to catch every flaw in the company's 100 million lines of code. So four years ago, Facebook engineers began building a customized assessment tool that not only checks for known types of bugs but can fully scan the entire codebase in under 30 minutes—helping engineers catch issues in tweaks, changes, or major new features before they go live.

The platform, dubbed Zoncolan, is a "static analysis" tool that maps the behavior and functions of the codebase and looks for potential problems in individual branches, as well as in the interactions of various paths through the program. Having people manually review endless code changes all the time is impractical at such a large scale. But static analysis scales extremely well, because it sets "rules" about undesirable architecture or code behavior, and automatically scans the system for these classes of bugs. See it once, catch it forever. Ideally, the system not only flags potential problems but gives engineers real-time feedback and helps them learn to avoid pitfalls.

"Every time an engineer makes a proposed change to our codebase, Zoncolan will start running in the background, and it will either report to that engineer directly or it will flag to one of our security engineers who's on call," says Pieter Hooimeijer, a security engineering manager at Facebook. "So it runs thousands of times a day, and found on the order of 1,500 issues in calendar year 2018."

Source: https://www.wired.com/story/facebook-zoncolan-static-analysis-tool/?verso=true
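To make the "rules" idea in the summary above concrete, here is an added illustration (an editor's example, not Zoncolan's code, and no claim about how Zoncolan is built): a toy source-to-sink analysis over Python's ast module. One rule is a table of sources (where untrusted input enters), sinks (calls that must never receive it) and sanitizers (calls whose output the rule treats as clean). The analyzer propagates taint through assignments, string concatenation, f-strings and method calls, and merges the state of if/for branches, so it catches flows that a text search for os.system( would miss. The rule tables, the helper names and the SAMPLE input are all constructed for this example.

```python
"""Toy source-to-sink ("taint") analyzer on Python's ast: an added illustration
of rule-based static analysis, not Facebook's Zoncolan."""
import ast

# Assumed rule tables: where attacker data enters, calls that must never
# receive it, and calls whose result the rules treat as clean.
SOURCES = {"request.args", "request.form", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "html.escape", "int"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def is_tainted(expr, tainted):
    """Conservatively decide whether an expression may carry source data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Attribute):
        return dotted_name(expr) in SOURCES or is_tainted(expr.value, tainted)
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False  # rule: a sanitizer's output is clean
        # Unknown call: tainted if its receiver or any argument is.
        operands = list(expr.args) + [kw.value for kw in expr.keywords]
        if isinstance(expr.func, ast.Attribute):
            operands.append(expr.func.value)
        return any(is_tainted(a, tainted) for a in operands)
    if isinstance(expr, ast.BinOp):  # "..." + host, "..." % host
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):  # f-strings
        return any(is_tainted(v.value, tainted) for v in expr.values
                   if isinstance(v, ast.FormattedValue))
    return False  # constants, comparisons, ...


def analyze_body(stmts, tainted, findings):
    """Propagate taint through assignments; record sink calls fed tainted data."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # nested defs are analyzed as their own scope
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)  # reassigned to clean data
        elif isinstance(stmt, (ast.If, ast.For, ast.While, ast.With)):
            # Each branch runs on its own copy of the state; afterwards a name
            # tainted on any path stays tainted (in-branch cleanups are not trusted).
            merged = set(tainted)
            for body in (stmt.body, getattr(stmt, "orelse", [])):
                branch = set(tainted)
                analyze_body(body, branch, findings)
                merged |= branch
            tainted |= merged
            continue  # sinks inside the branches were checked recursively
        for node in ast.walk(stmt):
            sink = dotted_name(node.func) if isinstance(node, ast.Call) else None
            if sink in SINKS:
                operands = list(node.args) + [kw.value for kw in node.keywords]
                if any(is_tainted(a, tainted) for a in operands):
                    findings.append((node.lineno, sink))


def find_taint_flows(source):
    """Return sorted (line, sink) pairs where source data reaches a sink."""
    tree, findings = ast.parse(source), []
    for node in ast.walk(tree):  # module body and every function body
        if isinstance(node, (ast.Module, ast.FunctionDef, ast.AsyncFunctionDef)):
            analyze_body(node.body, set(), findings)
    return sorted(set(findings))


# Constructed sample input (not real Facebook code); line numbers are within SAMPLE.
SAMPLE = '''\
import os, shlex, subprocess
def ping(request):
    host = request.args.get("host")             # source
    os.system("ping -c1 " + host)               # line 4: tainted sink
    os.system("ping -c1 " + shlex.quote(host))  # sanitized: no finding
    cmd = f"traceroute {host}"
    if request.args.get("trace"):
        subprocess.call(cmd, shell=True)        # line 8: taint via f-string
    host = "localhost"
    os.system("ping -c1 " + host)               # reassigned clean: no finding
def lookup(cursor, request):
    uid = int(request.args.get("id"))           # int() is a sanitizer here
    cursor.execute("SELECT 1 WHERE id=%d" % uid)  # no finding
    q = "SELECT 1 WHERE name='" + request.form.get("name") + "'"
    cursor.execute(q)                           # line 15: SQL injection path
'''

if __name__ == "__main__":
    print(find_taint_flows(SAMPLE))
```

Run against SAMPLE it reports lines 4, 8 and 15 and stays quiet on the sanitized and re-assigned calls. The branch handling is deliberately conservative (a name tainted on either side of an if stays tainted afterwards, and a cleanup inside one branch is not trusted), which is the usual static-analysis trade: fewer missed bugs at the price of some false positives that, as the quote below describes, an engineer or the on-call security engineer then has to triage. The analysis is also intraprocedural: a value returned from a helper is treated as tainted only if one of the helper's arguments or its receiver was, so a real tool would add a second, interprocedural pass.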


  • (Score: 3, Interesting) by Anonymous Coward on Friday August 23 2019, @03:05PM (8 children)

    by Anonymous Coward on Friday August 23 2019, @03:05PM (#884143)

    Am I the only one wondering how the fuck they have 100M lines of code?

  • (Score: 2) by digitalaudiorock on Friday August 23 2019, @03:53PM (1 child)

    by digitalaudiorock (688) on Friday August 23 2019, @03:53PM (#884172) Journal

    I was just about to ask the same! That is patently fucking absurd.

    • (Score: 2) by DannyB on Friday August 23 2019, @05:37PM

      by DannyB (5839) Subscriber Badge on Friday August 23 2019, @05:37PM (#884255) Journal

      I bet the NSA doesn't think it is so absurd. It seems ideally suited for placing backdoors and other goodies.

      --
      The lower I set my standards the more accomplishments I have.
  • (Score: 2) by DannyB on Friday August 23 2019, @04:56PM

    by DannyB (5839) Subscriber Badge on Friday August 23 2019, @04:56PM (#884229) Journal

    In dynamic languages with loose type discipline, it is hard to refactor a large code base. Where one would normally see common patterns and refactor out the commonality, this may not be so easy to do in a large project using a dynamic language. In a strongly typed language with a good IDE, the tools do a lot of this work and analysis for you.

    Thus, a lot of reinventing of similar wheels probably happens.

    Speculation: Since the typing is loose, probably a lot of other semantics are loose as well. Probably functions that obviously seem to do something, have weird edge or corner cases and are poorly documented as to parameters and results. It's easier to just roll your own version of this function to be sure it is done 'right'.

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 2) by Megahard on Friday August 23 2019, @06:20PM (2 children)

    by Megahard (4782) on Friday August 23 2019, @06:20PM (#884274)

    Apollo 11: 145K lines of code
    Mars Curiosity Rover: 500K lines of code
    Facebook: 100M lines of code

    Something is seriously wrong here.

    • (Score: 2) by krishnoid on Friday August 23 2019, @09:22PM

      by krishnoid (1156) on Friday August 23 2019, @09:22PM (#884361)

      You got a problem with that? Then invent your own Facebook! With blackjack, and hookers! And send it to the moon!

    • (Score: 2) by DannyB on Monday August 26 2019, @03:27PM

      by DannyB (5839) Subscriber Badge on Monday August 26 2019, @03:27PM (#885670) Journal

      For Apollo 11, a "line" of code was probably one machine instruction.

      --
      The lower I set my standards the more accomplishments I have.
  • (Score: 2) by krishnoid on Friday August 23 2019, @09:21PM

    by krishnoid (1156) on Friday August 23 2019, @09:21PM (#884360)

    I can't answer how, but I can answer why. This way the bugs get confused, trapped, and just plain exhausted when trying to get anywhere, and can never make it out into the real world.

  • (Score: 0) by Anonymous Coward on Saturday August 24 2019, @02:05AM

    by Anonymous Coward on Saturday August 24 2019, @02:05AM (#884500)

    100M across *all* of their stuff: The web site, mobile apps on Android & iOS, desktop apps for Windows & Mac, etc. And for each of those, translations in most(?) of the world's major languages.