CN109710538B

CN109710538B - Static detection method for state-related defects in large-scale system

Info

Publication number: CN109710538B
Application number: CN201910042564.4A
Authority: CN
Inventors: 左志强; 潘秋红; 陆申明; 王乙飞; 王林章; 李宣东
Original assignee: Nanjing University
Current assignee: Nanjing University
Priority date: 2019-01-17
Filing date: 2019-01-17
Publication date: 2021-05-28
Anticipated expiration: 2039-01-17
Also published as: CN109710538A

Abstract

The invention relates to a static detection method for state-related defects in a large-scale system. Second, an inter-process control flow execution tree (ICFET) is generated based on the symbolic execution technology, and a new interval-based path encoding/decoding algorithm is proposed to represent the path constraint. Alias analysis and data flow analysis are then performed in a context-sensitive and path-sensitive manner based on the ICFETs, tracking the flow of each object of each specified type to identify sequences of events that may occur on the object. Finally, based on the ICFET and the program graph generated by the alias analysis and the data flow analysis, a graph reachability calculation based on constraints is performed, if the reachable edges can reach an undefined or error state in the finite state machine, then there is a sequence of events that can drive an object or a group of objects to the undefined or error state on the specification, generating an error report.

Description

Static detection method for state-related defects in large-scale system

Technical Field

The invention relates to a static detection method for state-related defects in a large-scale system, and belongs to the field of software engineering, computer systems and high-performance computing cross technology application.

Background

Large-scale software systems, including operating systems, web browsers, databases, database processing engines, etc., constitute the mainstay of modern computing. Since these systems are widely used in various fields, it is important to ensure the reliability thereof. Despite the continuing efforts of the industry and academia to make these systems more reliable, errors still often occur in large-scale software systems.

One common type of error in large-scale software systems is state-dependent: after a limited sequence of events has occurred at the object of interest, an error occurs that drives the object to an erroneous state. Such as unreleased to acquire locks after no longer being used, open file handlers that are not closed after file access is complete, or allocated memory regions that are unreleased or doubly released when the containing data is never used again, etc. Objects that are involved in such errors can often be described by a Finite State Machine (FSM) having its possible states.

The program static analysis is a code analysis technology for verifying whether a code meets indexes such as safety, reliability and the like by scanning a source code based on a predefined rule or model. The static analysis technology does not need to run a program, can find defects before software deployment, is convenient for automation, and is widely applied to the field of security vulnerability detection in recent years.

Efficient detection of state-related errors requires accurate tracking of state transitions for each object of interest, and requires both context and path sensitivity to accurately report true errors. Therefore, the conventional static analysis technique requires a very large memory to record the state transition information of each object of interest when detecting state-related defects in a large-scale system, and requires a lot of time for calculation to generate a detection result.

Disclosure of Invention

The technical problem is as follows: the invention provides a static detection method for state-related defects in a large-scale system, aiming at solving the problem that the prior art is difficult to detect the state-related defects in the large-scale system, and can perform accurate and extensible static detection on finite state attributes of a very large code library, and efficiently and accurately detect various errors in the large-scale system, including source-receiving problems (such as resource leakage), abnormal processing errors (such as lack of error processing codes), or type state-related errors (such as inappropriately used file processing programs) and the like. These are common errors in modern distributed computing systems.

The technical scheme is as follows: the invention provides a static detection method for state-related defects in a large-scale system. Second, an inter-process control flow execution tree (ICFET) is generated based on the symbolic execution technology, and a new interval-based path encoding/decoding algorithm is proposed to represent the path constraint. Alias analysis and data flow analysis are then performed in a context-sensitive and path-sensitive manner based on the ICFETs, tracking the flow of each object of each specified type to identify sequences of events that may occur on the object. Finally, based on the ICFET and the program graph generated by the alias analysis and the data flow analysis, a graph reachability calculation based on constraints is performed, if the reachable edges can reach an undefined or error state in the finite state machine, then there is a sequence of events that can drive an object or a group of objects to the undefined or error state on the specification, generating an error report.

The method proposed by the invention consists of a front-end and a back-end, the front-end consisting of two compiler-based graph generators that convert the program into two different graph representations, one for alias analysis and the other for data flow analysis. The back end is a disk-based graphics engine, processes very large input graphics using the fast SSD, and performs constraint-based graph reachability calculations on the graphics generated at the front end.

The method comprises the following steps:

1) the path constraints are obtained using symbolic execution to create a static inter-process control flow execution tree (ICFET).

1.1) first, an intra-process Control Flow Execution Tree (CFET) is generated for each method in the program to represent all possible control flow paths in the method. Then an interval-based intra-process encoding/decoding algorithm is defined, the control flow path can be uniquely represented as an interval on the CFET, which can be succinctly encoded as a pair of integers, each edge in the graph does not carry a boolean formula, but instead contains a constrained interval-based encodingThe encoding can be used as an indicator to quickly locate paths and compute their constraints during graph computation. At decoding time, for the coded section [ ID ]_start，ID_end]From the ID_endSubsequent traversal to ID_startAnd combining the constraints of each node to obtain the decoded path constraint information.

1.2) extend the CFET by adding a call/return edge, add inter-process path constraints for it, generate an inter-process control flow execution tree (ICFET). Adding a call/return edge is connecting the call edge from the calling site to the root node of the called method, and connecting the return edge from each method return of the called method back to the calling site. The intra-process path encoding/decoding algorithm is then extended to give an inter-process path encoding/decoding algorithm to represent inter-process path constraint information. To efficiently encode inter-process paths, we extend the intra-process path coding algorithm by representing the paths as a sequence of intervals, each interval representing a path segment in the method. The inter-process path may be decoded by repeatedly performing the intra-process path decoding algorithm for each interval.

2) And performing alias analysis on the program, converting the program into a graph containing alias information, and preparing for subsequent alias calculation.

2.1) performing in-process analysis separately for each method in the program. Given a context-free grammar suitable for alias analysis to specify the constraints that the analysis must follow, during execution, the traversal graph is analyzed to find paths whose labels match the grammar rules, and pass edges are added to those paths, while a path encoding of each edge is computed according to an intra-procedural path encoding algorithm to represent the path constraint information that needs to be satisfied.

2.2) for each variable v (e.g. b) present in a plurality of basic blocks₁，b₂，…，b_n) If on ICFET from block b_iTo b_jThere is a path, we are for each such basic block b_iCreating individual vertices v_iAnd from v_iTo v_jAnd (5) manually adding edges.

2.3) giving an in-process program diagram, increasing corresponding call/return edges in a bottom-up mode based on a pre-calculated context-insensitive call diagram, calculating path codes of the in-process path codes according to an inter-process path coding algorithm, and cloning the called method program diagram into a calling method to realize the in-line.

3) And carrying out data flow analysis on the program, and converting the program into a corresponding graph form. The procedure is similar to step 2:

3.1) performing in-process analysis according to the context-free grammar of the data flow analysis.

3.2) for each variable v (e.g. b) present in a plurality of basic blocks₁，b₂，…，b_n) If on ICFET from block b_iTo b_jThere is a path, we are for each such basic block b_iCreating individual vertices v_iAnd from v_iTo v_jAnd (5) manually adding edges.

3.3) giving an in-process program diagram, increasing corresponding call/return edges in a bottom-up mode based on a pre-calculated context-insensitive call diagram, calculating the path code of the in-process path code algorithm, and cloning the called method program diagram into a calling method to realize the in-line.

4) And carrying out graph reachability calculation based on path constraint on the two program graphs generated in the step 2 and the step 3.

4.1) fully loading the ICFET into the memory.

4.2) partitioning the input map into a set of smaller partitions stored on disk.

4.3) performing calculation with a pair of edges as the center, namely checking one pair of edges each time, acquiring the path constraint of the pair of edges according to a path decoding algorithm, calculating a merging constraint for the path constraint and generating a new code. In each iteration, two edge partitions are loaded into memory.

4.4) processing the related work after each iteration is finished. The scheduler then selects two other partitions to load into memory for the next iteration. The computation iterates until no new edges can be found.

Has the advantages that: the invention provides a static detection method for state-related defects in a large-scale system, which has the following beneficial effects:

(1) according to the static detection method for the state-related defects in the large-scale system, alias analysis and data flow analysis are carried out in a context sensitive and path sensitive mode, infeasible alias relationships and unreachable data flows can be effectively eliminated, and the defect detection accuracy is improved.

(2) In the static detection method for the state-related defects in the large-scale system, the graph accessibility calculation based on the constraint is carried out by selecting the graph engine based on the hard disk at the back end, so that the graph accessibility calculation based on the constraint can be accurately carried out on large-scale data.

(3) In the static detection method for state-related defects in large-scale systems, the whole method is operated in a single machine environment, so that developers can use the method every day and can perform code inspection on their own desktop/notebook computers without accessing clusters.

(4) In a static detection method for state-related defects in large-scale systems, a new interval-based path encoding/decoding technique is proposed to effectively represent path constraints, convert the path constraints from more complex character strings into intervals represented by numbers based on the representation of an interval sequence, and reduce repeated access and computation of the path constraints by merging the intervals, compared to representing the path constraints in the original form (i.e., boolean formula). Although each edge still requires variable size memory, this storage is limited by the depth of the above-path method call. In practice, this depth is usually small.

Drawings

FIG. 1 is a schematic diagram of a static detection method for state-related defects in a large-scale system according to an embodiment of the present invention.

Fig. 2 is a schematic diagram of an intra-process path constraint decoding algorithm according to an embodiment of the present invention.

FIG. 3 is a representation of edges and a context-free grammar diagram for alias analysis in accordance with an embodiment of the present invention.

Fig. 4 is a schematic diagram of a graph reachability calculation flow based on path constraint according to an embodiment of the present invention.

FIG. 5 is a schematic diagram illustrating the front-end and back-end configurations of a static state-related defect detection method in a large-scale system according to an embodiment of the present invention.

Detailed Description

The present invention will be described in further detail below with reference to the accompanying drawings and specific embodiments.

The present embodiment proposes a static detection method for state-related defects in a large-scale system, which first abstracts the state-related defects in the large-scale system into a finite-state machine representation. Second, an inter-process control flow execution tree (ICFET) is generated based on the symbolic execution technology, and a new interval-based path encoding/decoding algorithm is proposed to represent the path constraint. And finally, according to the ICFET and a program diagram generated by the alias analysis and the data flow analysis, a graph engine based on a hard disk is used for carrying out graph reachability calculation based on constraint, and the defects related to the state in the large-scale system are effectively detected. FIG. 1 is a schematic diagram of a static finite state feature inspection method for a large-scale system.

The method proposed by this embodiment consists of a front-end and a back-end, the front-end consisting of two compiler-based graph generators that convert the program into two different graph representations, one for alias analysis and the other for dataflow analysis. The back end is a disk-based graphics engine, processes very large input graphics using the fast SSD, and performs constraint-based graph reachability calculations on the graphics generated at the front end. As shown in fig. 5, the front end and the rear end constitute a schematic view.

The specific implementation mode of the invention is as follows:

1.1) first, for each method in the program, an intra-process Control Flow Execution Tree (CFET) is generated to represent all possible control flow paths in the method. Representing each basic block in the method as a node, each non-leaf node is a branch point, whichThe two child nodes of (1) are true and false branches. It is then assigned an ID: the root node ID is 0, the true branch ID of the node with ID n is 2 × n +2, and the false branch ID is 2 × n + 1. This allocation ensures that each node in the CFET is assigned a unique ID, and the ID of the parent node can be calculated very simply from the ID of one node. An interval-based intra-process encoding/decoding algorithm is then defined, and the control flow path can be uniquely represented as an interval [ ID ] on the CFET_start，ID_end]It can be succinctly coded as a pair of integers, each edge in the graph does not carry a boolean formula, but rather an interval-based code containing constraints that can serve as an indicator to quickly locate a path and compute its constraints during graph computation. In decoding, FIG. 2 shows the in-process path decoding algorithm for the encoded interval [ ID_start，ID_end]From the ID_endSubsequent traversal to ID_startAnd combining the constraints of each node to obtain the decoded path constraint information.

1.2) add inter-process path constraints by adding call/return edges. The call edge is connected from the calling point to the root node of the called method, and the return edge is connected from each method return of the called method back to the calling point. The intra-process path encoding/decoding algorithm is then extended to give an inter-process path encoding/decoding algorithm to represent inter-process path constraint information. To efficiently encode an ICFET path, the path is represented as a list of intervals, each interval representing a path segment in the method. The actual encoding of the inter-process path physically stored in the edge takes the following format: {2, [123,312],21, [45,890]}. Here 2 the length of the recording path, 21, is the ID of the call edge connecting the two intra-procedural path segments encoded by [123,312] and [45,890 ]. The inter-process path may be decoded by repeatedly performing the intra-process path decoding algorithm of fig. 2 for each interval.

2) And performing alias analysis on the program, converting the program into a graph containing alias information, and preparing for subsequent alias calculation. Alias analysis can be expressed as a grammar-based graph reachability problem.

2.1) performing in-process analysis separately for each method in the program. FIG. 3 specifies the constraints that the analysis must follow for the representation of edges and context-free syntax applicable to alias analysis. The graph produced by the present process is constructed in such a way that: vertices represent variables, and edges represent assignments. Each edge has a label that indicates the semantics of the assignment. FIG. 3(a) shows the representation of 4 types of statements and corresponding edges that are important in alias analysis. FIG. 3(b) is a corresponding context-free grammar, u and v having an alias relationship if object o can flow to variables u and v (i.e., (o, u) ∈ flowTo and (o, v) ∈ flowTo). During execution, the traversal graph is analyzed to find paths whose labels match the grammar rules, transfer edges are added to the paths, and a path code for each edge is calculated according to an in-process path coding algorithm to represent path constraint information that needs to be satisfied.

2.2) for each variable v (e.g. b) present in a plurality of basic blocks₁，b₂，…，b_n) If on ICFET from block b_iTo b_jThere is a path, we are for each such basic block b_iCreating individual vertices v_iAnd from v_iTo v_jAnd (5) manually adding edges. For example, if the object out is contained in both the basic block 0 and the basic block 2, and there is a path from the basic block 0 to the basic block 2 in the ICFET, the object out is created separately for the two basic blocks₀And out₁Then increases the slave out₀To out₁Is identified as assign, and the constraint is { [0,2 { []The edge of (c).

2.3) giving an in-process program diagram, increasing corresponding call/return edges in a bottom-up mode based on a pre-calculated context-insensitive call diagram, calculating path codes of the in-process path codes according to an inter-process path coding algorithm, and cloning the called method program diagram into a calling method to realize the in-line. The parameter passing edge and the value returning edge are added firstly, and then the edge inside the called method is cloned into the calling method. The parameter passing edge connects the actual parameter in the caller to the corresponding formal parameter in the callee's clone. It uses an assign tag and a list of singletons c_idDenotes wherein c is_idIs the corresponding call edge ID in the ICFET. Similarly, value returnsThe edge connects the return variable in the clone of the callee to the left-hand (LHS) variable of the caller's call site. It carries an assign tag and a list of singletons r_idIn which r is_idIs the ID of the corresponding return edge in the ICFET.

3) And carrying out data flow analysis on the program, and converting the program into a corresponding graph form. The procedure is similar to step 2 and is not described here in a complicated way:

4) And carrying out graph reachability calculation based on path constraint on the two program graphs generated in the step 2 and the step 3. Path-sensitive alias computation is performed on the alias parser graph. Path sensitive data flow calculations are then performed on the data flow analysis program graph. During this phase, the alias results produced by the alias calculation will remain in memory to answer the alias queries for the dataflow analysis. Finally, at each program point of the data stream computation, state information is extracted and checked against the FSM to detect if there is an error. The process of alias computation and data stream computation is the same, and fig. 4 shows a graph reachability calculation flow based on path constraints:

4.1) fully loading the ICFET into the memory.

4.2) partitioning the input map into a set of smaller partitions stored on disk. Each partition is defined by a logical interval of vertices and contains all the edges that the source vertex falls within the interval.

4.3) perform a computation centered on a pair of edges, i.e. check one edge at a time, compute the merging constraints and the new code for it. In each iteration, two edge partitions are loaded into memory. We use a pair of edges

And y is an example, where l_aAnd l_bAssignment types for two edges, i₁And i₂Is an interval sequence representing two paths in an ICFET, and needs to do the following operations:

first, the combination constraint is calculated, i needs to be paired₁And i₂And (6) decoding. If i₁And i₂All only contain a single interval, i is respectively decoded by the in-process path decoding algorithm in fig. 2₁And i₂Decoding, i.e. from the ID_endSubsequent traversal to ID_startAnd performing conjunction on the constraint of each node. If i₁And/or i₂Containing a call/return edge ID, or a number of span sequences that are already connected by a call/return edge, for i₁And i₂The interval in (1) repeatedly executes the in-process path decoding algorithm in the figure 2, and then the constraint of the subinterval is combined to obtain the i₁And i₂The constrained decoding result of (2). Next, the two sub-paths i involved₁And i₂The constraints of (2) are merged into a conjunctive form, representing the constraints of the combined path.

Secondly, judging whether the combined path constraint can be met by using an SMT solver, if so, adding a path from x to z, and calculating new codes for the path. If i₁And i₂Are not call/return edges, e.g., { [ a, b ]]}、{[b,c]The new code is { [ a, c ]]}; if i₁Or i₂Containing only one call/return edge ID, e.g., { [ a, b { []And { c }and_iThe new code is { [ a, b ]],c_i,[0,0]}; if i₁And i₂All comprise a plurality of intervals, and i₁And i₂The call/return ID in (1) is a pair of call/return pairs, e.g., { [ a, b ]],c_i,[0,0]And { [0, d ]],r_i,[b,c]Is the new code { [ a ],c]}; if both i1 and i2 contain multiple bins and the call/return IDs in i1 and i2 are not paired, e.g., { [ a, b ]],c_i,[0,0]And { [0, d ]],c_j,[0,0]Is the new code { [ a, b ]],c_i,[0,d],c_j,[0,0]}。

4.4) after each iteration is over, relevant work is handled, such as the need to repartition the oversized partition to ensure that all partitions are balanced and do not grow beyond the memory size after the new edge is added. The scheduler then selects two other partitions to load into memory for the next iteration. The computation iterates until no new edges can be found.

As described above, the present invention is not limited to the above embodiments, and any person skilled in the art can make some changes or modifications to the equivalent embodiments by using the technical content disclosed above without departing from the scope of the present invention, but all simple modifications, equivalent changes and modifications made to the above embodiments according to the technical essence of the present invention still fall within the scope of the present invention.

Claims

1. A static detection method for state-related defects in large-scale systems, comprising:

firstly abstracting defects related to states in a large-scale system into a finite state machine representation form; secondly, generating an inter-process control flow execution tree ICFET based on a symbolic execution technology, and providing a path coding/decoding algorithm based on intervals to represent path constraints; then performing alias analysis and data flow analysis in a context-sensitive and path-sensitive manner based on the ICFET, tracking the flow of each object of each specified type to identify sequences of events that may occur on the object; finally, according to the ICFET and the program diagram generated by alias analysis and data flow analysis, carrying out diagram reachability calculation based on path constraint, if the reachable edge can reach the undefined or error state in the finite state machine, then there is an event sequence for driving an object or a group of objects to the undefined or error state on the specification, and generating an error report;

the method for representing the path constraint by the path coding/decoding algorithm based on the interval comprises the following specific steps:

firstly, generating an in-process Control Flow Execution Tree (CFET) for each method in a program to represent all possible control flow paths in the method and define an in-process path coding/decoding algorithm; then generating an inter-process control flow execution tree ICFET by adding a call/return edge extension in-process control flow execution tree CFET, connecting the call edge to a root node of a called method from a calling point, and connecting the return edge to a calling position from each method return position of the called method; similarly, the inter-process path coding/decoding algorithm is realized by expanding the intra-process path coding/decoding algorithm to effectively express the path constraint;

based on the alias analysis of context sensitivity and path sensitivity of ICFET, the specific steps are as follows:

performing in-process analysis on each method in the program; specifying constraints that the analysis must follow based on a given context-free grammar, analyzing the traversal graph to find paths whose labels match the grammar rules, and adding a passing edge on those paths; for the occurrence in basic block b₁，b₂，…，b_nIf on the ICFET from block b_iTo b_jThere exists a path, for each such basic block b_iCreating individual vertices v_iAnd from v_iTo v_jManually adding edges; during execution, each added edge calculates a path code according to an in-process path coding algorithm to represent the path constraint which the edge needs to satisfy; then, adding inter-process information, for a given intra-process program diagram, based on a pre-calculated context insensitive call diagram, adding corresponding call/return edges in a bottom-up manner, calculating a path code according to an inter-process path coding algorithm, and cloning the called method program diagram into a calling method to realize the inlining;

the data flow analysis based on ICFET context sensitivity and path sensitivity comprises the following specific steps:

context-free grammar from data flow analysisPerforming in-process analysis; for the occurrence in basic block b₁，b₂，…，b_nIf on the ICFET from block b_iTo b_jThere exists a path, for each such basic block b_iCreating individual vertices v_iAnd from v_iTo v_jManually adding edges; given an in-process program diagram, based on a pre-computed context-insensitive call diagram, corresponding call/return edges are added in a bottom-up mode, path codes of the call/return edges are computed according to an inter-process path coding algorithm, and then the called method program diagram is cloned into a calling method to realize the in-line.

2. The static detection method for state-related defects in large-scale systems according to claim 1, wherein the graph reachability calculation based on path constraints comprises the following specific steps:

loading the ICFET completely into memory before computation; then partitioning the input graph into a set of smaller partitions stored on disk; then, carrying out calculation by taking a pair of edges as a center, namely checking one pair of edges each time, and calculating a merging constraint and a new code for the pair of edges; in each iteration, two edge partitions are loaded into the memory; after each iteration is finished, processing related work; then, the scheduler selects two other partitions to load into the memory for the next iteration; the computation iterates until no new edges can be found.