Deploy Infer to Europe — Peter O'Hearn 🇬🇧 (Queen Mary London, ACM Turing Award 2023) + Cristiano Calcagno 🇮🇹 (Imperial College London), the Separation Logic Analyzer Behind Facebook's Safety Record, on EU Infrastructure in 2026

In February 2024, the ACM announced the 2023 Turing Award — the highest honour in computer science. The recipient was Peter O'Hearn, a professor who had spent sixteen years at Queen Mary University of London before Facebook recruited him to turn his academic research into production engineering infrastructure. The award citation named "foundational contributions to Separation Logic and Concurrent Separation Logic that have had broad impact on theory and industrial practice." The "industrial practice" part of that citation refers to one specific achievement: building Infer, a static analysis tool that runs on every code change submitted by every engineer at Meta — Facebook, WhatsApp, Instagram, and Messenger combined — catching null pointer dereferences, memory leaks, resource leaks, and data races before they reach users.

Every EU GDPR-compliant mobile app deployed by a Meta subsidiary — WhatsApp (billions of EU users), Instagram (hundreds of millions of EU users) — ships code that has been pre-screened by a formal analysis tool rooted in mathematical research conducted at a UK university. Infer is that tool. And the mathematical logic it implements — Separation Logic — was co-invented by O'Hearn during his time in London.

Peter O'Hearn 🇬🇧 was Professor of Computer Science at Queen Mary University of London from 1997 to 2013. During this period he co-developed Separation Logic with John C. Reynolds (Carnegie Mellon, 1935–2002) and introduced the key algorithmic breakthrough — Bi-abduction — jointly with Cristiano Calcagno 🇮🇹 (then at Queen Mary, later Professor at Imperial College London). Dino Distefano 🇮🇹 (Queen Mary University of London, now University College London) led the engineering team that turned these ideas into a shipping product. The foundational paper — "Compositional Shape Analysis by Means of Bi-abduction" — appeared at POPL 2009 (Principles of Programming Languages). Infer as a deployed tool was first publicly described at NFM 2011 (NASA Formal Methods Symposium). Facebook deployed Infer internally in 2013 and open-sourced it under Apache 2.0 in 2015.

Separation Logic: The Foundation

Classical Hoare logic has a frame problem: when reasoning about a function that modifies some part of the heap, how do you know it doesn't modify other parts? In a language with unrestricted pointers and aliasing, this question is undecidable in general — any pointer could potentially alias any other pointer.

Separation Logic solves this by introducing a new connective — the separating conjunction P * Q — which asserts that P and Q hold on disjoint parts of the heap. This simple change makes local reasoning possible: if a function's precondition talks about heap region P, its postcondition guarantees the frame rule — the unmentioned part of the heap Q is untouched.

{P * frame}  code  {Q * frame}

The frame rule holds unconditionally in Separation Logic. This means function specifications can be compositional: you verify code against {P} → {Q} once, and reuse that verification everywhere the function is called, with any frame *frame left unchanged. Classical Hoare logic requires re-doing the verification for each call site to establish what is and isn't modified.

For automated tools, this compositionality is transformative: instead of analyzing the whole program to verify a function (requiring full alias analysis of all reachable heap), you analyze each function locally against a local heap footprint — the separation logic precondition describes exactly which heap cells the function reads or writes.

Bi-abduction: The Algorithmic Key

The theoretical elegance of Separation Logic was known in the academic community for years before Infer. The missing piece was an algorithm that could automatically infer separation logic specifications — without requiring developers to annotate every function with pre- and post-conditions.

Bi-abduction, introduced by Calcagno, O'Hearn, and Hongseok Yang in their POPL 2009 paper, provides this algorithm. The problem it solves: given a function body code and a final heap state Q, find the minimal precondition P that makes {P} code {Q} hold, along with the frame F that code leaves unchanged.

Formally, bi-abduction solves:

P * H  ⊢  code  →  Q * F

for both H (the anti-frame — the missing heap that code needs but the caller hasn't provided) and F (the frame — the heap the code doesn't touch). Both are inferred simultaneously. This is a form of abduction (inferring missing premises, from Charles Sanders Peirce's logic) applied bidirectionally to the heap model.

The practical consequence: Infer can analyze a function, automatically infer its separation logic pre/post-condition, and then use that specification when analyzing callers — without any developer annotation. The analysis is:

• Compositional: each function analyzed once, in isolation
• Incremental: when a function changes, only its callers are re-analyzed
• Scalable: linear in the number of functions (not the heap size)

This scalability is what made Facebook deployment possible: Meta's mobile codebase contains hundreds of millions of lines of Java, Kotlin, C, C++, and Objective-C. A whole-program analysis would be computationally intractable. Bi-abduction's compositional approach makes the analysis tractable by design.

What Infer Checks

Infer checks a range of memory safety and resource management properties:

NULL_DEREFERENCE

The most common category: accessing a pointer that may be null. Infer traces all paths through which a nullable value flows to a dereference site, including across function boundaries.

// Java — Infer detects: NULL_DEREFERENCE at line 4
String getName() { return null; }
void process() {
  String name = getName();
  System.out.println(name.length());  // null dereference
}

MEMORY_LEAK

Heap memory allocated but not freed on all paths. Infer's separation logic footprint precisely tracks which heap cells are owned by which pointer variable, detecting leaks on error paths.

// C — Infer detects: MEMORY_LEAK
char *process(int n) {
  char *buf = malloc(n);
  if (validate(n) < 0) return NULL;  // buf leaked on error path
  return buf;
}

RESOURCE_LEAK

File descriptors, database connections, sockets, and any resource with an open/close lifecycle. Infer models these as abstract heap cells with ownership semantics.

// Java — Infer detects: RESOURCE_LEAK
void readFile(String path) throws IOException {
  FileReader reader = new FileReader(path);
  // ... reader.close() missing on exception path
}

THREAD_SAFETY_VIOLATION (RacerD)

Infer includes RacerD, a race detector based on separation logic for concurrency. RacerD infers which fields are protected by which locks and reports accesses that occur without the expected lock held.

// Java — Infer detects: THREAD_SAFETY_VIOLATION
class Counter {
  int count = 0;
  void increment() { count++; }         // unprotected
  synchronized void get() { return count; }  // protected — inconsistent
}

USE_AFTER_FREE

C/C++ pointer use after free(). Infer's heap model removes ownership from a pointer on free() and flags any subsequent dereference.

Production at Meta: 500 Million Lines, Every Diff

Infer was deployed at Facebook in 2013. By the time of the 2015 open-source release, it was running on every code change across Facebook's mobile and server codebases. The scale is staggering: hundreds of thousands of code review diffs per day, across Java (Android), Objective-C/Swift (iOS), and C/C++ (server and React Native).

The deployment model is integrated into Facebook's code review tool (Phabricator, later Meta's internal fork). When an engineer submits a diff for review, Infer runs incrementally — analyzing only the changed functions and their callers — and posts findings as comments on the diff before any human reviewer sees it. The incremental analysis typically completes in minutes even for large diffs, making it practical as a blocking gate.

Meta's engineering team has reported that Infer finds thousands of bugs per month in production code, with a false positive rate low enough that engineers trust and act on the reports. This practical trust is the direct result of bi-abduction's precision: separation logic's local reasoning about the heap produces fewer false positives than flow-insensitive static analysis (which conflates all possible heap states).

Dino Distefano 🇮🇹, who led Infer engineering at Facebook, presented data at PLDI 2019 showing that Infer had fixed hundreds of bugs in the WhatsApp iOS app alone — including null pointer crashes that would have affected EU users subject to GDPR data processing obligations.

Beyond Meta: Spotify 🇸🇪 (Stockholm) uses Infer on its Android and backend Java codebases. Amazon has integrated Infer-adjacent separation logic techniques in its code review pipelines. Mozilla 🌍 (EU foundation) has used Infer on Firefox C++ components.

Running Infer

# Install via Docker
docker pull fbinfer/infer:latest

# Analyze a Java project (Maven)
docker run --rm -v $(pwd):/project fbinfer/infer:latest \
  infer run -- mvn -f /project/pom.xml compile

# Analyze a C/C++ project
docker run --rm -v $(pwd):/project fbinfer/infer:latest \
  infer run -- make -C /project

# Incremental analysis (only changed files)
infer run --reactive -- clang -c changed_file.c

A minimal Java example:

// NullExample.java
public class NullExample {
  public static String getUser(boolean loggedIn) {
    if (loggedIn) return "alice";
    return null;
  }
  public static void main(String[] args) {
    String user = getUser(false);
    System.out.println(user.toUpperCase());  // NULL_DEREFERENCE
  }
}

infer run -- javac NullExample.java
# Output:
# NullExample.java:9: error: NULL_DEREFERENCE
#   null dereference of `user` returned by `getUser(...)` at line 4

CI/CD Integration

# .github/workflows/infer.yml
name: Infer Static Analysis
on: [pull_request]
jobs:
  infer:
    runs-on: ubuntu-latest
    container: fbinfer/infer:latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and analyze
        run: |
          infer run -- mvn compile
      - name: Check for errors
        run: |
          if [ -f infer-out/bugs.txt ] && grep -q "ERROR" infer-out/bugs.txt; then
            cat infer-out/bugs.txt
            exit 1
          fi
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: infer-report
          path: infer-out/

# Dockerfile for Infer-as-a-Service on sota.io
FROM fbinfer/infer:latest
WORKDIR /analysis
COPY src/ ./src/
RUN infer run -- mvn -f src/pom.xml compile
CMD ["cat", "infer-out/bugs.txt"]

Regulatory Context: CRA 2027, NIS2, EU AI Act, GDPR

CRA 2027 — Cyber Resilience Act

The Cyber Resilience Act (effective 2027) requires manufacturers of products with digital elements to demonstrate "no known exploitable vulnerabilities" and implement "state of the art" security practices. The three categories Infer detects — null dereference (CWE-476), memory leaks (CWE-401), and use-after-free (CWE-416) — are in the top 25 CWE rankings. Infer's machine-checkable reports constitute auditable evidence that these classes were systematically screened in every component before release. For CRA compliance, the incremental CI integration means every diff is covered — not just periodic audits.

NIS2 — Article 21 (Cybersecurity Risk Management)

NIS2 Article 21 requires operators of essential services to implement "appropriate technical measures… proportionate to the risks." For services implemented in Java (Spring Boot microservices, Kafka consumers, database clients), Infer's resource leak and null safety detection directly addresses the most common causes of service degradation and availability failures. A resource leak in a connection pool handler or a null dereference in a request parser are NIS2-relevant vulnerabilities. Infer provides systematic detection before deployment.

EU AI Act — Article 9 (Risk Management)

For high-risk AI systems implemented in Java/Kotlin (Android on-device inference) or C/C++ (embedded AI accelerators), Infer's null dereference and memory safety checking constitutes documented risk management evidence. The separation logic approach provides a precision guarantee that classical abstract interpretation cannot: Infer's heap model tracks ownership precisely, minimizing false positives while maintaining soundness for the properties it checks.

GDPR — Article 25 (Data Protection by Design)

WhatsApp and Instagram — products whose GDPR compliance is under scrutiny from the Irish Data Protection Commission and CNIL — run Infer on every code change. For EU organisations processing personal data: deploying Infer as part of the development pipeline constitutes a documented technical measure for data protection by design. Memory leaks of heap-allocated personal data structures, null dereferences in data handling paths, and resource leaks of database connections used to process personal data are precisely the categories Infer detects.

The Separation Logic Lineage: London and Cambridge

The intellectual lineage of Infer runs through EU academic institutions:

• John C. Reynolds (CMU 🇺🇸, 1935–2002): co-invented Separation Logic, presented at LICS 2002. Reynolds spent research periods at Cambridge and Edinburgh.
• Peter O'Hearn 🇬🇧 (Queen Mary University of London 🇬🇧, 1997–2013): co-invented Separation Logic with Reynolds; introduced Concurrent Separation Logic; led the Infer project. ACM Turing Award 2023.
• Cristiano Calcagno 🇮🇹 (Queen Mary University of London → Imperial College London 🇬🇧): invented Bi-abduction (POPL 2009); co-founded Monoidics (Cambridge UK, 2009) — the startup acquired by Facebook in 2013 that became the Infer team.
• Dino Distefano 🇮🇹 (Queen Mary University of London → UCL London 🇬🇧): led Infer engineering at Meta; now Professor at UCL London working on next-generation program analysis.
• Hongseok Yang 🇰🇷 (Queen Mary → Oxford → Edinburgh): co-author of Bi-abduction paper; foundational work on probabilistic separation logic.

Monoidics — the UK startup founded by Calcagno and colleagues in Cambridge in 2009 — was acquired by Facebook in 2013. This made London and Cambridge the birthplace of the analysis tool now running inside the phones of two billion EU users. The Turing Award in 2023 completed the arc: from a maths paper at a London university to the largest deployed program analysis system in history.

Deploy Infer to EU Servers with sota.io

sota.io is the EU-native PaaS for deploying verification and analysis infrastructure. Run Infer as a continuous analysis service, a CI/CD gate, or an on-demand code review tool — all on European infrastructure, GDPR-compliant by default.

# sota.io deployment
sota deploy --image fbinfer/infer:latest \
  --run "infer run -- mvn compile" \
  --region eu-west-1

For EU organisations under NIS2 or CRA obligations, running Infer on EU-sovereign infrastructure ensures that the code being analyzed — which may include pre-release implementations of security-sensitive systems — never leaves the EU regulatory perimeter. No Cloud Act. No cross-Atlantic data transfer. No question of whether analysis artefacts containing partial source code fall under GDPR Article 44 transfer restrictions.

Free tier includes compute for medium Java/C++ projects. No DevOps overhead: sota.io manages the container orchestration, logging, and resource isolation. Managed PostgreSQL is available for storing analysis results and tracking defect trends across releases.

Meta Open Source 🌍. Peter O'Hearn 🇬🇧 (ACM Turing Award 2023). Cristiano Calcagno 🇮🇹. Dino Distefano 🇮🇹. Apache 2.0. github.com/facebook/infer.