A Type System for Format Strings
Konstantin Weitz
Gene Kim
Siwakorn Srisakaokul
Michael D. Ernst

Format String APIs
Problem: easy to misuse
printf("name: %s age: %d", "Konstantin", 25);
"name: Konstantin age: 25"

Implications of Misuse
● Unintelligible Output
printf("cannot open %s");
> cannot open �oN��
● Program Crash
printf("%d", "str");
● Security Vulnerability
printf("%.*d%n", attack_code, 0, return_addr);

Root Causes of Misuse
● Invalid Format String Syntax
printf("%y");
● Wrong Number of Arguments
printf("%d %s", 42);
● Wrong Type of Arguments
printf("%d", 7.0);

Goal
Statically guarantee that format methods are not misused
● Verify Format String Syntax
● Verify Number of Arguments
● Verify Type of Arguments
● Ease of Use

Types Prevent Errors
The declared type of fs is strengthened from slide to slide:
var fs;
String fs;
@Format String fs;
@Format(INT) String fs; // INT: Conversion Category

fs = 42;
fs = "%y"; // invalid syntax
fs = "%d %c"; // invalid number of args
fs = "%f"; // invalid type of args
fs = "%d";
printf(fs, 5);

Java Conversion Categories
printf("%d", (T)v); T ∈ {Byte, Short, Integer, Long}
printf("%f", (T)v); T ∈ {Float, Double}
printf("%s", (T)v); T ∈ {Object, ...}

Subtyping
@Format(FLOAT) String fs;
printf(fs, 3.14);
fs = "%f"; // ok
fs = "%s"; // ok: %s weaker than %f
fs = " "; // ok: argument ignored

Polymorphism
void log(String fs, Object... args) { printf(fs, args); }
log("%f", 3.14);
log("%d", 1337);
With the format string parameter annotated:
void log(@FormatFor("args") String fs, Object... args) { printf(fs, args); }

Complex Format Strings
@Format(FLOAT,GENERAL) String fs = "%2$s = %1$+10.4f";
printf(fs, 3.14, "pi");
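
The checks from the "Types Prevent Errors", "Subtyping" and "Complex Format Strings" slides, as an added example that is not code from the talk or from the Checker Framework: a self-contained Java sketch that infers one conversion category per argument from a format string and tests whether the string may be assigned to a declared @Format(...) list. The names FormatTypeDemo, Cat, infer, meet, assignable and check, the CHAR and UNUSED categories, and the restriction to a subset of java.util.Formatter syntax are assumptions of this sketch.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration, not the Checker Framework's implementation; all names are hypothetical.
// Requires Java 9 or later (List.of).
public class FormatTypeDemo {
    // INT, FLOAT, GENERAL as on the slides; CHAR (%c) and UNUSED (skipped argument) are assumed.
    enum Cat { UNUSED, GENERAL, CHAR, INT, FLOAT }

    // Subset of java.util.Formatter: %[index$][flags][width][.precision]conversion
    // ("%<s" relative indexing and %t date/time conversions are not modelled).
    static final Pattern SPEC =
        Pattern.compile("%(?:(\\d+)\\$)?[-#+ 0,(]*\\d*(?:\\.\\d+)?(.?)");

    static Cat categoryOf(char conv) {
        if ("doxX".indexOf(conv) >= 0) return Cat.INT;
        if ("eEfgGaA".indexOf(conv) >= 0) return Cat.FLOAT;
        if ("cC".indexOf(conv) >= 0) return Cat.CHAR;
        if ("sSbBhH".indexOf(conv) >= 0) return Cat.GENERAL;
        throw new IllegalArgumentException("invalid conversion %" + conv);
    }

    // Combines two conversions applied to the same argument; GENERAL and UNUSED constrain
    // nothing. Simplification: any other mismatch is rejected outright.
    static Cat meet(Cat a, Cat b) {
        if (a == Cat.UNUSED) return b;
        if (a == b || b == Cat.UNUSED || b == Cat.GENERAL) return a;
        if (a == Cat.GENERAL) return b;
        throw new IllegalArgumentException("conflicting conversions " + a + " and " + b);
    }

    // Infers one category per argument position; throws on invalid syntax such as "%y".
    static List<Cat> infer(String fs) {
        List<Cat> cats = new ArrayList<>();
        Matcher m = SPEC.matcher(fs);
        int next = 0; // counter for conversions without an explicit index
        while (m.find()) {
            if (m.group(2).isEmpty()) throw new IllegalArgumentException("dangling %");
            char conv = m.group(2).charAt(0);
            if (conv == '%' || conv == 'n') continue; // literal percent or newline, no argument
            int idx = m.group(1) != null ? Integer.parseInt(m.group(1)) - 1 : next++;
            if (idx < 0 || idx > 255) throw new IllegalArgumentException("bad argument index");
            Cat cat = categoryOf(conv);
            while (cats.size() <= idx) cats.add(Cat.UNUSED);
            cats.set(idx, meet(cats.get(idx), cat));
        }
        return cats;
    }

    // May a string with categories `actual` be stored in a @Format(declared) variable?
    static boolean assignable(List<Cat> actual, List<Cat> declared) {
        if (actual.size() > declared.size()) return false; // consumes more arguments than promised
        for (int i = 0; i < actual.size(); i++) {
            Cat a = actual.get(i);
            // A weaker conversion (GENERAL) or an ignored argument accepts any declared category.
            if (a != Cat.UNUSED && a != Cat.GENERAL && a != declared.get(i)) return false;
        }
        return true;
    }

    static String check(String fs, Cat... declared) {
        try {
            List<Cat> actual = infer(fs);
            return (assignable(actual, List.of(declared)) ? "ok " : "rejected ") + actual;
        } catch (IllegalArgumentException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the assignments shown on the slides.
        for (String fs : new String[] {"%y", "%d %c", "%f", "%d"})
            System.out.println("@Format(INT) <- \"" + fs + "\": " + check(fs, Cat.INT));
        for (String fs : new String[] {"%f", "%s", " "})
            System.out.println("@Format(FLOAT) <- \"" + fs + "\": " + check(fs, Cat.FLOAT));
        System.out.println("@Format(FLOAT,GENERAL) <- \"%2$s = %1$+10.4f\": "
            + check("%2$s = %1$+10.4f", Cat.FLOAT, Cat.GENERAL));
    }
}
```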

Type System Instantiation
● C's printf API "%s"
● Go's fmt module "%[1]s"
● Java's i18n API "{0}"
● Java's Formatter API "%1$s"

Goal
Statically guarantee that format methods are not misused
✔ Verify Format String Syntax
✔ Verify Number of Arguments
✔ Verify Type of Arguments
● Ease of Use ?

Evaluation

| Project | LoC | Bugs (Submit) | Bugs (Fixed) |
|---|---|---|---|
| Hadoop | 678k | 3 | 2 |
| Hive | 538k | 1 | 0 |
| Lucene | 664k | 0 | 0 |
| HBase | 569k | 2 | 2 |
| Daikon | 205k | 95 | 95 |
| FindBugs | 122k | 3 | 3 |
| Total | 2777k | 104 | 102 |

Evaluation - Usage Effort

| Project | Format Calls | Type Annotations: @Format | Type Annotations: @FormatFor | False Positives: @SuppressWarnings | Bugs |
|---|---|---|---|---|---|
| Hadoop | 332 | 20 | 6 | 22 | 3 |
| Hive | 213 | 0 | 1 | 7 | 1 |
| Lucene | 148 | 2 | 0 | 0 | 0 |
| HBase | 96 | 0 | 0 | 1 | 2 |
| Daikon | 1583 | 0 | 30 | 7 | 95 |
| FindBugs | 133 | 7 | 1 | 3 | 3 |
| Total | 2505 | 29 | 38 | 40 | 104 |

Annotation Burden / Bugs Revealed = 107 / 104 = 1.0

Evaluation – False Positives

| Project | Constant Propagation | Dynamic Width | Exception Handled | Misc |
|---|---|---|---|---|
| Hadoop | 10 | 6 | 0 | 6 |
| Hive | 3 | 2 | 1 | 1 |
| Lucene | 2 | 0 | 0 | 0 |
| HBase | 0 | 0 | 0 | 1 |
| Daikon | 0 | 6 | 0 | 1 |
| FindBugs | 0 | 0 | 3 | 0 |
| Total | 13 | 14 | 4 | 9 |

Examples of each kind, in column order:
Constant Propagation: printf("%" + "d", 42);
Dynamic Width: String fs = "%" + width + "d"; printf(fs, 42);
Exception Handled: try { printf(userInput, 4.12); } catch (FormatExp e) { /*error handling*/ }
Misc: <T> void f(String fs, Iterator<T> iter) { System.out.format(fs, iter.next()); }

Goal
Statically guarantee that format methods are not misused
✔ Verify Format String Syntax
✔ Verify Number of Arguments
✔ Verify Type of Arguments
✔ Ease of Use

Related Work
● Dynamic Checking [0][1][2]
  ☺ Easy to use
  ☹ No compile time guarantee
● Alternative APIs [3][4]
  ☺ Guarantees no misuse
  ☹ No i18n; less readable
  cout << "We detected " << setw(10) << n << "bugs";
● Dependent Type Systems [5]
  ☺ Expressive; guarantees no misuse
  ☹ No mainstream language support; hard to use
● Lightweight Analysis [6][7][8]
  ☺ Guarantees no misuse ...
  ☹ ... for constant format strings only
● Static Taint Analysis [9]
  ☺ Guards against format strings from input
  ☹ Type/number of arguments and syntax not verified

[0] C. Cowan, et al. USENIX Security Symposium. 2001.
[1] T. Tsai, et al. Avaya Labs. 2001.
[2] M. F. Ringenburg and D. Grossman. CCS 2005.
[3] Danvy. Journal of FP. 1998.
[4] ISO/IEC 14882:2011. C++, 2011.
[5] J. Gronski, et al. SFP Workshop, 2006.
[6] Leroy, et al. The OCaml system release 4.01.
[7] GCC -Wformat. gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
[8] Edward Aftandilian, et al. SCAM 2012.
[9] U. Shankar, et al. USENIX Security Symposium. 2001.

Contributions
● Type system with guarantee that format methods are not misused
● Instantiation for Java
● Evaluation shows type system:
  – Finds bugs (104 bugs, 102 fixed)
  – Easy to use (1.0 annotations / bug)
http://checkerframework.org