Scaling static analyses at Facebook

Dino Distefano, Manuel Fähndrich, Francesco Logozzo, Peter W. O'Hearn
2019 Communications of the ACM

Key insights:
- Advanced static analysis techniques performing deep reasoning about source code can scale to large industrial codebases, for example, with 100-million LOC.
- Static analyses should strike a balance between missed bugs (false negatives) and un-actioned reports (false positives).
- A "diff time" deployment, where issues are given to developers promptly as part of code review, is important to catching bugs early and getting high fix rates.
doi:10.1145/3338112 fatcat:dlr5pddvozge3e5qxiktz3emmi