Reading list 2023

Jan 2023

Beginning of the year, still struggling in error handling and exception…

Automatic Detecting Error Handling Bugs using Error Specifications

The paper was published in Usenix Security 2016. Error Path Explorer (EPEx) was created to find error handling bugs in the C program.

Authors consider the lack of exception-support makes error handling bugs in C program difficult to detect. This work addressed three challenges: error path exploration, lack of an error oracle, error bug localization with under-constrained symbolic execution. If program doesn’t follow three rules: propagating correct error value, stop execution, logging to handle the error, then EPEx would mark it as potential bug.

What is error specification? it means how data used to indicate error and non-error. For example, the function return negative integer to show that some error happens in it. This paper assumes manually created per-function error specification was given.

From my understanding, to define incorrect error handling is the most difficult part to find such type of bug. To achieve it, this work combines the error specification and default behaviors based on observation.

Here is the link.

Detecting Error-Handling Bugs without Error Specification Input

The paper was published in ASE 2019. EH-Miner was created to find error handling bugs without error specfication.

The paper first elaborates that error specification is error prone and the bug detectors should not rely on it.

So how do we know error handling is correct or not without knowing the semantics of error value? In this paper, authors use error handling action to identify whether it is correct or not. Take chroot in the paper for example (this example really makes it easy to understand), EH-miner mines the error-handling rule that “chroot should be logged when return -1”, then any other action which doesn’t have same semantics as logging would be considered as incorrect. EH-miner mines such rules from different software which both use chroot based on their observation that error-handling action should be same as program-independent, while non-error handling action could be program-dependent.

Here is the link.

Clean Code: A Handbook of Agile Software Craftsmanship

Actually, since my summer internship in 2022, I have found that my code styles are ugly compared to a senior engineer. Lack of industry experience, I still hope I can learn something by myself to improve my code style with this bible;)

Related articles would be tagged with clean code.

April 2023

Summer is coming. Recently, I am exploring the problem how generic type could affect existing static analyzers…

Verifying Dynamic Trait Objects in Rust

This was a paper accepted by ICSE SEIP track 2022. I am not familiar with software verification at this moment. What I focused on when I read this paper was how dynamic trait object could lead to a challenge.

In rust, trait implementation could be separated to static or dynamic dispatch. With static dispatch, method calls are implemented with monomorphization just as generic type, which would converted to concrete type before translating to low-level representation such as LLVM-IR. However, mono- brings drawbacks such as larger code size and longer compilation time. Therefore, Rust provides developers with option of dynamic dispatch as a trade-off. &dyn dynamic trait object can be used as a type for function parameters. Rust will decide which implementation to call via vtable during runtime. Different from monomorphization whose details could be found on low-level code, dynamic trait object would jump to dynamically computed address at runtime and hence vulnerable to control-flow hijacking attack as in C/C++.

Here is the link.