CN116594869A - Memory defect static detection method based on type region model - Google Patents
- Publication number: CN116594869A (application number CN202310457369.4A)
- Authority: CN (China)
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F11/3604: Software analysis for verifying properties of programs (G06F11/36, Preventing errors by testing or debugging software; G06F11/00, Error detection; Error correction; Monitoring)
- G06F8/425: Lexical analysis (G06F8/42, Syntactic analysis; G06F8/41, Compilation; G06F8/40, Transformation of program code; G06F8/00, Arrangements for software engineering)
- G06F8/436: Semantic checking (G06F8/43, Checking; Contextual analysis; G06F8/41, Compilation)
- Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management (Y02D, Climate change mitigation technologies in information and communication technologies)
Abstract
The invention provides a static detection method for memory defects based on a type region model. First, a function call graph and a control flow graph of the program under test are obtained through front-end processing. Then a type region model is built on the function call graph and the control flow graph, static analysis is carried out, and the model and the program state are updated after each statement is analysed. Finally, according to the defect behaviours possible at the current program point and the program state information carried by the static analysis, the analysis enters the detection flow for a particular defect type. The method describes program states accurately and guarantees correct data-flow information at most program points; it analyses in detail the deeper causes of memory defects and designs corresponding detection rules, so that defects are detected thoroughly and both false negatives and false positives are reduced.
Description
Technical Field
The invention relates to the technical field of software security and static program analysis, and in particular to a static detection method for memory defects based on a type region model.
Background
Software defects are mainly introduced by human factors such as lax coding standards and insufficient experience; if they are not found in time, maintenance cost grows greatly as the software evolves. Some defects cause resource waste or system failure, and some even open the door to intrusion. In the information age the range of software defects is far wider than in the past, and memory-related defects in particular seriously jeopardize the safety and reliability of current software engineering. The main memory-related defects are double free, use after free and memory leak. They are the main causes of instability, unreliability and insecurity in current software: they not only bring serious economic loss to development companies, but also threaten users' private information and property.
For programs of different forms, the defect detection methods proposed by researchers fall into two main categories, dynamic detection and static detection, distinguished mainly by whether the program is run during detection. Dynamic detection is the most widely adopted defect detection technique in industry today: the program is run on specific test cases and judged to have a defect if an anomaly appears during execution or in the output. Dynamic detection relies on high-quality test cases to reach high path coverage; when the test cases are of insufficient quality, coverage is often low and many defects are missed (false negatives). Static detection does not run the program: it analyses the intermediate representation produced by compilation, models it, interprets program behaviour from the operational semantics or grammar rules of the model, and simulates the state the program would have at run time; finally it checks properties of the program state against designed rules to decide whether the program has the corresponding defects. Because static detection does not depend on test-case quality but analyses the program's control and data information, its coverage is generally relatively high and its false-negative rate low.
Symbolic execution, a popular static analysis technique, was created in the 1970s to detect whether a program's security properties can be violated. It abstracts the program's external inputs as symbols and starts the analysis from an initial program state expressed over those symbols. The program state maintained during symbolic execution consists mainly of the symbolic store and the path constraints derived from program analysis. Symbolic execution can explore different paths of the program at the same time, produce test cases for those paths when the analysis finishes, and construct, by means of a constraint solver, inputs that violate a property in order to detect the corresponding defects.
However, in the prior art, static detection, and in particular static analysis based on symbolic execution, is affected by program complexity: its efficiency and accuracy can fall sharply, producing false negatives or false positives. The factors that affect program complexity are mainly variable types and operations. The former varies with the nature of each variable type, and the resulting information changes must be fully taken into account during analysis to keep it correct. The latter introduces complex pointer (points-to) relationships and operations that are hard to analyse, such as type conversion. In addition, the robustness of the defect detection rules affects detection performance.
Disclosure of Invention
The invention aims to provide a static detection method for memory defects based on a type region model, which addresses the shortcomings of the current static detection methods described in the background, in particular the description of program state and the design of the defect detection scheme.
In order to achieve the above purpose, the invention adopts the following technical scheme:
A memory defect static detection method based on a type region model comprises the following steps:
S1, obtaining the preprocessing products of the program under test through front-end processing: a function call graph and a control flow graph;
S2, building a type region model based on the preprocessing products, performing static analysis, and updating the model and the program state after analysis;
analysing the program statements in sequence according to the control structure of the control flow graph;
S3, detecting memory defects based on the type region model: entering the detection flow for a particular defect type according to the defect behaviours possible at the current program point and the program state information carried by the static analysis.
Further, the preprocessing products of the program are generated by the following front-end processing method:
S11, scanning the source code of the program under test and performing lexical, syntactic and semantic analysis in the compilation stage as a preliminary check of the program, deciding whether lexical, syntactic or semantic errors exist, while performing macro expansion and conditional compilation to build an abstract syntax tree;
S12, searching the structure of the abstract syntax tree for function declarations and function call statements to generate a function call graph, and packaging the abstract syntax tree according to its control-flow structure statements to build a control flow graph.
Further, the preprocessing products are processed further: each function declaration is recorded according to the control flow graph of the current program and each function call statement is explored in turn; when a function contains a statement that jumps to a called function, the caller is taken as a predecessor node of the callee, and this composition is repeated to build a topological ordering graph. At the same time, according to the causes and forms of memory defects, each statement in the control flow graph is classified as an assignment statement, a function call statement, a loop statement or a type conversion statement, and suspected points that may cause defects are marked; the corresponding defect detection rules are registered in the analysis interface of the statement or at the position of the suspected point, so that when the statement needs to be analysed, calling the interface also enters the defect detection flow.
Further, the construction and static analysis of the type region model comprise the following steps:
S21, modelling each function variable where it is first declared, according to the control flow graph information, and allocating a region for it: the region keeps the type and value information of the variable, additionally records the state of the variable for pointers and heap memory, and records the address of the variable in the analysis;
S22, initialising the state pool to empty and adding to it the program state at the analysis entry;
S23, if the state pool is empty, ending the analysis; otherwise selecting one state from the state pool according to the selection strategy (breadth-first traversal by default) and continuing the program analysis;
S24, calling the corresponding analysis interface for each kind of statement in the control flow graph, updating the model and the program state after analysis, ending the current analysis stage and jumping to step S25;
S25, for suspected points, calling the corresponding defect detection rules; if suspected points of several defect types may exist, entering the different detection rule flows in turn; after detection, jumping to step S26 if analysis continues, otherwise to step S23;
S26, adding the current state to the state pool and jumping to step S23.
Further, during program analysis:
for an assignment statement, the analysis interface for that kind of assignment is called directly to analyse it and update the model and the program state;
for a function call statement, the definition of the called function is located and the body of the function is connected to the current analysis point by inlining; the call statement binds actual parameters to formal parameters and establishes a context; the analysis depth of the current function is initialised and an upper limit on the depth is set, then analysis begins, path information is collected, and the model and state are updated; when the function exits, the constraint information and regions belonging to variables whose lifetime has ended are deleted, information with side effects is recorded, and the information in the current context is updated;
for a loop statement, whether the current loop condition holds is checked; if not, the loop is skipped, otherwise the loop body is analysed: the path through the loop body is treated as a conditional branch, the currently executable path is chosen as the analysis path, and the model and the program state are updated; after the loop has been analysed more than four times it is forcibly exited, so that the analysis cost does not grow sharply;
for a type conversion statement, the converted expression value is described according to the constraints in the current constraint space, the expression value of the conversion statement and the constraint transfer rules: constraints are stated on the valid range of the expression value or its sign and on the new value after conversion, in particular on the integer part left after the forced truncation of a signed floating-point number.
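The constraint transfer for type conversion described above (and again in the detailed description of step S24) can be made concrete with a small rule that carries an interval constraint on an expression across a cast. The code below is an added example, not the patent's own implementation: the type table, the interval representation and the function names are this example's assumptions. A value known to lie in [lo, hi] before the cast either keeps that constraint (when the truncated range fits the target type) or, when wrap-around breaks the interval, falls back to the whole range of the target type, which is the sound over-approximation.

```python
# Added example (not the patent's code): interval constraint transfer across
# explicit and implicit integer conversions, including truncation of a signed
# floating-point value towards zero. Type names below are this example's own.
import math

# Target integer types as (bit width, signed); an assumed subset of C's types.
INT_TYPES = {"int8": (8, True), "uint8": (8, False), "int16": (16, True),
             "uint16": (16, False), "int32": (32, True), "uint32": (32, False)}

def type_range(name):
    """Valid range of the target type."""
    bits, signed = INT_TYPES[name]
    return (-(1 << (bits - 1)), (1 << (bits - 1)) - 1) if signed else (0, (1 << bits) - 1)

def convert_value(v, target):
    """Concrete semantics: a float is first truncated towards zero (its integer
    part), then the integer wraps modulo 2^bits as on two's-complement targets."""
    bits, signed = INT_TYPES[target]
    iv = int(math.trunc(v)) % (1 << bits)
    if signed and iv >= 1 << (bits - 1):
        iv -= 1 << bits
    return iv

def transfer_interval(lo, hi, target, is_float=False):
    """Constraint transfer rule: from lo <= e <= hi on the source expression
    derive (new_lo, new_hi, exact) for the converted value. 'exact' is False
    when wrap-around forces the sound fallback to the whole target range."""
    if is_float:
        lo, hi = math.trunc(lo), math.trunc(hi)   # integer part after truncation
    tlo, thi = type_range(target)
    if tlo <= lo and hi <= thi:                   # fits: the constraint carries over
        return (lo, hi, True)
    width = 1 << INT_TYPES[target][0]
    if hi - lo + 1 < width:
        # Fewer source values than the target has: wrap both ends and keep the
        # result only if the wrapped values are still one contiguous interval.
        wlo, whi = convert_value(lo, target), convert_value(hi, target)
        if wlo <= whi and whi - wlo == hi - lo:
            return (wlo, whi, True)
    return (tlo, thi, False)

if __name__ == "__main__":
    print(transfer_interval(300, 310, "uint8"))              # (44, 54, True)
    print(transfer_interval(250, 260, "uint8"))              # (0, 255, False)
    print(transfer_interval(-3.7, 2.9, "int8", is_float=True))  # (-3, 2, True)
```

The third call shows the floating-point case the text singles out: the constraint on the converted value is stated on the integer part that remains after truncation, so a value in [-3.7, 2.9] yields an int8 in [-3, 2] rather than [-4, 3]. The `exact` flag is what a downstream detection rule should consult: an inexact interval means the analysis has lost precision at this cast and any later size or index computed from the value must be treated as possibly wrapped.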
Further, memory defect detection comprises the following steps:
S31, selecting the defect rule according to the defect type, converting the rule into a Boolean expression and merging it into the path constraint of the current program state to form a set of verification conditions for detecting the violation of a particular property;
S32, solving the verification condition with a constraint solver; if it is satisfiable, jumping to step S33, otherwise to step S34;
S33, generating warning information for the current defect point that shows defect behaviour: recording the defect type and the position of the current detection point, adding them to the defect warning table, and generating the program warning information when the analysis finishes; ending the analysis if the current defect is a serious one, otherwise going to step S34;
S34, updating the state information and returning to continue the analysis.
According to the above scheme, with the help of the type region model the method can describe the program state accurately and guarantee correct data-flow information at most program points, which is reflected in particular in the modelling of complex variables and type conversion operations and benefits the subsequent defect detection; at the same time, the invention analyses in detail the deeper causes of memory defects and designs corresponding detection rules so that defects are detected thoroughly and both false negatives and false positives are reduced.
Drawings
FIG. 1 is a flow chart showing the steps of a static detection method for memory defects according to the present invention;
FIG. 2 is a logic flow diagram of static analysis in accordance with the present invention;
FIG. 3 is a logic flow diagram of defect detection according to the present invention.
Detailed Description
A preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings.
The static detection method for memory defects based on the type region model shown in FIG. 1 comprises the following steps:
S1, obtaining the preprocessing products of the program under test through front-end processing.
The preferred embodiment performs front-end processing on the program under test as follows: the source code of the program is scanned, and lexical, syntactic and semantic analysis is performed in the compilation stage as a preliminary check deciding whether lexical, syntactic or semantic errors exist; macro expansion and conditional compilation are performed at the same time and an abstract syntax tree is built; the structure of the abstract syntax tree is searched for function declarations and function call statements to generate a function call graph; and the abstract syntax tree is packaged according to its control-flow structure statements to build a control flow graph.
In the preferred embodiment the control flow graph consists of basic blocks and the edges between them. Each basic block records a sequence of statements and has exactly one entry and one exit: once control flow enters a basic block, a jump or exit happens only when the end of the block is reached.
S2, building a type region model based on the preprocessing products, performing static analysis, and updating the model and the program state after analysis.
In practice, before the type region model is built and static analysis is performed, the preprocessing products need further processing: each function declaration is recorded according to the control flow graph of the current program and each function call statement is explored in turn; when a function contains a statement that jumps to a called function, the caller is taken as a predecessor node of the callee, and this composition is repeated to build a topological ordering graph. At the same time, according to the common causes and forms of memory defects, each statement in the control flow graph is classified as an assignment statement, a function call statement, a loop statement or a type conversion statement, and suspected points that may cause defects are marked; the corresponding defect detection rules are registered in the analysis interface of the statement or at the position of the suspected point, so that when the statement needs to be analysed, calling the interface also enters the defect detection flow.
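The call-graph step above (caller as predecessor node of callee, then a topological ordering that fixes where analysis starts) is shown below on a constructed toy IR. This is an added example, not the patent's implementation; the IR shape, the function names and the helper names are this example's assumptions. One practical point the text leaves implicit is handled here: recursive functions form a cycle in the call graph and never reach in-degree zero, so they are reported separately instead of silently dropped, and the depth limit of step S24 is what bounds their analysis later.

```python
# Added example (not the patent's code): build the function call graph from
# per-function statement lists and order it topologically so that analysis can
# start at the first node. All names and the IR are this example's own.
from collections import deque

# Constructed sample: a ("call", f) statement is a jump to the called function f;
# every other statement kind is irrelevant to the call graph.
SAMPLE_FUNCTIONS = {
    "main":      [("alloc", "p"), ("call", "parse"), ("call", "release"), ("ret",)],
    "parse":     [("call", "alloc_buf"), ("ret",)],
    "alloc_buf": [("alloc", "buf"), ("ret",)],
    "release":   [("free", "p"), ("ret",)],
}

def build_call_graph(functions):
    """The caller becomes a predecessor node of every callee it jumps to
    (one edge per distinct callee, in first-call order)."""
    graph = {f: [] for f in functions}
    for f, stmts in functions.items():
        for stmt in stmts:
            if stmt[0] == "call":
                graph.setdefault(stmt[1], [])      # callee without a body still gets a node
                if stmt[1] not in graph[f]:
                    graph[f].append(stmt[1])
    return graph

def topological_order(graph):
    """Kahn's algorithm over the predecessor relation. Functions on a cycle
    (recursion) never reach in-degree zero; they are returned as the second
    element so the analysis can still start at the first node of the order."""
    indeg = {f: 0 for f in graph}
    for callees in graph.values():
        for c in callees:
            indeg[c] += 1
    ready = deque(f for f in graph if indeg[f] == 0)
    order = []
    while ready:
        f = ready.popleft()
        order.append(f)
        for c in graph[f]:
            indeg[c] -= 1
            if indeg[c] == 0:
                ready.append(c)
    return order, [f for f in graph if f not in order]

if __name__ == "__main__":
    order, recursive = topological_order(build_call_graph(SAMPLE_FUNCTIONS))
    print("analysis starts at:", order[0], "| order:", order, "| on a cycle:", recursive)
```

For the constructed sample the order is main, parse, release, alloc_buf, so analysis starts at main, matching the text's choice of the first node of the topological order as the starting position.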
The type region model of the preferred embodiment is an abstract memory model: it analyses the program on the basis of the preprocessing products and characterises the program state accurately during analysis, especially in the description of type conversion. Then, on the basis of the control flow graph and the function call graph, the starting position of the program analysis is chosen from the function call graph, namely the function that is the first node of the topological order built from the function call graph; the program statements are then analysed in sequence according to the control structure of the control flow graph.
Specifically, building the type region model consists of establishing four mappings and maintaining two sets of information to describe the program state. The four mappings are variable-to-region, address-to-region, region-to-region and region-to-stored-value; from them the points-to relations and the values of the variables at any moment can be obtained. The two sets of information are the symbolic variable bindings and the path constraints: the state of the current program is described by maintaining them, the variable bindings store the current value of each variable, and the path constraints describe the conditions for reaching the current path. The information maintained in the program state is obtained from the model's four mappings.
As shown in FIG. 2, when the program statements are analysed, the program is characterised by the expressive type region model; based on the control-flow and data-flow information provided by the control flow graph, the model information is updated for the different program statements, and the path conditions on basic-block edges are collected and added to the current symbolic constraints. Specifically, building and statically analysing the type region model comprise the following steps:
S21, modelling each function variable where it is first declared, according to the control flow graph information, and allocating a region for it: the region keeps the type and value information of the variable, additionally records the state of the variable for pointers and heap memory, and records the address of the variable in the analysis;
S22, initialising the state pool to empty and adding to it the program state at the analysis entry;
S23, if the state pool is empty, ending the analysis; otherwise selecting one state from the state pool according to the selection strategy (breadth-first traversal by default) and continuing the program analysis;
S24, calling the corresponding analysis interface for each kind of statement in the control flow graph, updating the model and the program state after analysis, ending the current analysis stage and jumping to step S25:
for an assignment statement, the analysis interface for that kind of assignment is called directly to analyse it and update the model and the program state;
for a function call statement, the definition of the called function is located and the body of the function is connected to the current analysis point by inlining; the call statement binds actual parameters to formal parameters and establishes a context; the analysis depth of the current function is initialised and an upper limit on the depth is set, then analysis begins, path information is collected, and the model and state are updated; when the function exits, the constraint information and regions belonging to variables whose lifetime has ended are deleted, information with side effects is recorded, and the information in the current context is updated. In practice, when a function call statement is met, the function is first inlined, the current function nesting depth is initialised to 0 and its upper limit is tentatively set to 4; this prevents an overly complex function (for instance a deeply recursive one) from taking too long to analyse, consuming a lot of time and reducing coverage;
for a loop statement, whether the current loop condition holds is checked; if not, the loop is skipped, otherwise the loop body is analysed: the path through the loop body is treated as a conditional branch, the currently executable path is chosen as the analysis path, and the model and the program state are updated; after the loop has been analysed more than four times it is forcibly exited, so that the analysis cost does not grow sharply. The loop statement is analysed as a conditional statement with the maximum number of analysed iterations set to 4; as with the handling of function calls, this prevents the loop analysis from taking too much time or failing to terminate;
for a type conversion statement, the converted expression value is described according to the constraints in the current constraint space, the expression value of the conversion statement and the constraint transfer rules: constraints are stated on the valid range of the expression value or its sign and on the new value after conversion, in particular on the integer part left after the forced truncation of a signed floating-point number. In practice, type conversion mainly occurs as explicit (forced, i.e. cast) and implicit (automatic) conversion; when an operation involving type conversion is met, the preferred embodiment describes the constraint information carried by the converted value through the constraint transfer rules, so that the data-flow information after the conversion is tracked accurately.
S25, for suspected points, calling the corresponding defect detection rules; if suspected points of several defect types may exist, entering the different detection rule flows in turn; after detection, jumping to step S26 if analysis continues, otherwise to step S23;
S26, adding the current state to the state pool and jumping to step S23.
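The worklist of steps S22 to S26 together with the region mappings of the model is easiest to see on a miniature analyser. The block below is an added example written for this page, not the patent's implementation: its IR, statement kinds, class and function names are all assumptions. It models three of the four mappings (variable-to-region, region-to-stored-value, and a pointer region holding the id of a heap region, which is the region-to-region relation); the address-to-region mapping, function inlining with the depth limit of 4 and the loop bound of 4 are not exercised. Path constraints are recorded on every branch, and a branch whose condition contradicts the constraints already on the path is pruned, which is what keeps the second `if (c1)` in the sample from reporting a use after free on the path where the free never ran.

```python
# Added example (not the patent's code): state-pool worklist analysis (S22-S26)
# over a type-region-style model with breadth-first selection by default.
# Suspected points: free and use (double free / use after free) and function
# exit (leak). IR, names and the sample program are this example's own.
from collections import deque
from copy import deepcopy
import itertools

class State:
    """One program state: program counter, the model mappings, the path constraint."""
    def __init__(self):
        self.pc = 0
        self.var2region = {}    # variable-to-region: each variable gets a stack region (S21)
        self.region_value = {}  # region-to-stored-value: a pointer region holds a heap region id
        self.heap_state = {}    # region-to-state for heap regions: "allocated" or "freed"
        self.path = {}          # path constraint: symbolic boolean input -> value assumed here

    def region(self, var):
        """Model the variable on first use and allocate its region (S21)."""
        return self.var2region.setdefault(var, "stack_" + var)

    def fork(self, pc, cond, value):
        s = deepcopy(self)
        s.pc, s.path[cond] = pc, value
        return s

def analyse(program):
    """Returns the set of (defect type, statement index) warnings raised."""
    fresh = itertools.count(1)
    pool = deque([State()])                                   # S22: entry state
    warnings = set()
    while pool:                                               # S23: pick a state (BFS)
        st = pool.popleft()
        stmt, loc = program[st.pc], st.pc
        op = stmt[0]
        if op == "alloc":                                     # S24: update the model
            r = "heap%d" % next(fresh)
            st.heap_state[r] = "allocated"
            st.region_value[st.region(stmt[1])] = r
        elif op == "assign":                                  # dst now shares src's heap region
            st.region_value[st.region(stmt[1])] = st.region_value.get(st.region(stmt[2]))
        elif op in ("free", "use"):                           # S25: suspected point, apply rule
            r = st.region_value.get(st.region(stmt[1]))
            if r is not None and st.heap_state.get(r) == "freed":
                warnings.add(("double free" if op == "free" else "use after free", loc))
            elif op == "free" and r is not None:
                st.heap_state[r] = "freed"
        elif op == "branch":                                  # ("branch", cond, pc_true, pc_false)
            cond, targets = stmt[1], {True: stmt[2], False: stmt[3]}
            for value, pc in targets.items():
                if st.path.get(cond, value) == value:         # prune paths infeasible so far
                    pool.append(st.fork(pc, cond, value))     # S26: successors into the pool
            continue
        elif op == "ret":                                     # scope exit: all locals die, so an
            for r, s in st.heap_state.items():                # allocated region nobody else holds leaks
                if s == "allocated":
                    warnings.add(("memory leak", loc))
            continue
        st.pc += 1
        pool.append(st)                                       # S26: back into the pool
    return warnings

# Constructed sample, roughly:
#   p = malloc(); if (c1) free(p); if (c1) use(p); q = p; if (c2) free(q); return;
SAMPLE_PROGRAM = [
    ("alloc", "p"),              # 0
    ("branch", "c1", 2, 3),      # 1
    ("free", "p"),               # 2
    ("branch", "c1", 4, 5),      # 3  on the c1 == false path statement 4 is unreachable
    ("use", "p"),                # 4  use after free, only when c1 holds
    ("assign", "q", "p"),        # 5  alias through the region-to-value mapping
    ("branch", "c2", 7, 8),      # 6
    ("free", "q"),               # 7  double free when c1 and c2 both hold
    ("ret",),                    # 8  leak when neither free ran
]

if __name__ == "__main__":
    for w in sorted(analyse(SAMPLE_PROGRAM), key=lambda w: w[1]):
        print("%-15s at statement %d" % w)
```

The sample yields exactly three warnings: use after free at statement 4, double free at statement 7 (found only because `q` and `p` resolve to the same heap region through the mappings) and a leak at statement 8 on the path where neither free executed. Without the path-constraint check in the `branch` case the analyser would also explore c1 false then c1 true and report a spurious use after free, which is the kind of false positive the text's path constraints are meant to remove.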
S3, performing memory defect detection based on the type region model: according to the defect behaviours possible at the current program point, and carrying the program state information obtained by the static analysis, entering the detection flow for a particular defect type.
Specifically, as shown in FIG. 3, memory defect detection in the preferred embodiment proceeds as follows:
S31, selecting the defect rule according to the defect type, converting the rule into a Boolean expression and merging it into the path constraint of the current program state to form a set of verification conditions for detecting the violation of a particular property;
S32, solving the verification condition with a constraint solver; if it is satisfiable, jumping to step S33, otherwise to step S34;
S33, generating warning information for the current defect point that shows defect behaviour: recording the defect type and the position of the current detection point, adding them to the defect warning table, and generating the program warning information when the analysis finishes; ending the analysis if the current defect is a serious one, otherwise going to step S34;
S34, updating the state information and returning to continue the analysis.
In practice, the types of relevant occurrence points can be defined from the causes and forms of the three main kinds of memory defect named in the background. The relevant occurrence points are a class of suspected points considered able to produce defects, mainly: the program points of initialisation statements, of assignment statements, of a scope about to exit, and of the point after a function call. These occurrence points are treated as the suspected points where memory defects may exist. When the model carrying the program state information reaches a suspected point, the model's property or condition is added, according to the designed detection rule, to the constraints maintained by the current program state, forming a verification condition that violates the program property, which is decided by a constraint solver. If the condition is satisfiable, a test case exists that triggers the defect when this point is reached; otherwise, if it is unsatisfiable, the suspected point is safe.
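Steps S31 to S34 and the suspected-point check just described come down to one operation: conjoin the defect rule, expressed as a Boolean condition over the symbolic inputs, with the path constraint, and ask a solver whether the result is satisfiable. The block below is an added example, not the patent's code; it replaces the constraint solver with a brute-force enumeration over a small integer domain (labelled as a stand-in), and the scenario, the set of "serious" defect types and the function names are its own assumptions. The point it makes is the one the text makes: the same "region already freed" rule yields no warning where the path constraint contradicts it and a warning with a concrete witness input where it does not.

```python
# Added example (not the patent's code): verification condition = path
# constraint AND defect rule (S31), decided by a stand-in solver (S32); on a
# satisfiable condition a warning with a witness is recorded (S33) and analysis
# stops for serious defects, otherwise it continues (S34). Names are assumed.
import itertools

DOMAIN = range(-64, 64)                        # finite domain the stand-in solver enumerates
SERIOUS = {"double free", "use after free"}    # assumed classification of serious defects

def solve(conditions, variables):
    """Stand-in for a constraint solver: a satisfying assignment, or None if unsat."""
    for values in itertools.product(DOMAIN, repeat=len(variables)):
        env = dict(zip(variables, values))
        if all(cond(env) for cond in conditions):
            return env
    return None

def check_suspected_point(path_constraint, defect_rule, variables,
                          defect_type, location, warning_table):
    """Run S31-S34 at one suspected point. Returns (witness or None, continue_analysis)."""
    witness = solve(path_constraint + [defect_rule], variables)   # S31 + S32
    if witness is None:
        return None, True                                          # S34: safe here, go on
    warning_table.append({"type": defect_type, "location": location,
                          "witness": witness})                     # S33: into the warning table
    return witness, defect_type not in SERIOUS

def run_demo():
    """Constructed scenario, roughly:
         p = malloc();
         if (x > 10) free(p);      /* line 2 */
         if (x < 5)  free(p);      /* line 3: suspected double free */
         if (x > 20) free(p);      /* line 4: suspected double free */
    The rule "p's region is already freed" becomes the Boolean expression
    x > 10, the condition under which the free on line 2 executed."""
    warnings = []
    already_freed = lambda env: env["x"] > 10
    check_suspected_point([lambda env: env["x"] < 5], already_freed, ["x"],
                          "double free", "line 3", warnings)      # x > 10 and x < 5: unsat
    check_suspected_point([lambda env: env["x"] > 20], already_freed, ["x"],
                          "double free", "line 4", warnings)      # satisfiable, witness x = 21
    return warnings

if __name__ == "__main__":
    for w in run_demo():
        print(w)
```

The witness returned with the warning is the same artefact the text's background section attributes to symbolic execution, a test case that reaches the defect; emitting it next to the warning lets a reviewer confirm the report without re-running the analysis. Replacing `solve` with a real SMT solver changes only that function, since the rule and path constraint are already plain predicates.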
The above embodiments are merely illustrative of the preferred embodiments of the present invention and are not intended to limit the scope of the present invention, and various modifications and improvements made by those skilled in the art to the technical solution of the present invention should fall within the protection scope defined by the claims of the present invention without departing from the design spirit of the present invention.
Claims (6)
1. A memory defect static detection method based on a type region model, characterised by comprising the following steps:
S1, obtaining the preprocessing products of the program under test through front-end processing: a function call graph and a control flow graph;
S2, building a type region model based on the preprocessing products, performing static analysis, and updating the model and the program state after analysis;
S3, detecting memory defects based on the type region model: entering the detection flow for a particular defect type according to the defect behaviours possible at the current program point and the program state information carried by the static analysis.
2. The static detection method for memory defects based on a type region model according to claim 1, characterised in that the preprocessing products of the program are generated by the following front-end processing method:
S11, scanning the source code of the program under test and performing lexical, syntactic and semantic analysis in the compilation stage as a preliminary check of the program, deciding whether lexical, syntactic or semantic errors exist, while performing macro expansion and conditional compilation to build an abstract syntax tree;
S12, searching the structure of the abstract syntax tree for function declarations and function call statements to generate a function call graph, and packaging the abstract syntax tree according to its control-flow structure statements to build a control flow graph.
3. The memory defect static detection method based on a type region model according to claim 1, further comprising the step of further processing the preprocessing product: recording each function declaration according to the control flow graph of the current program, and exploring each function call statement in turn, wherein, when a statement within some function declaration jumps to a called function, the caller is taken as a predecessor node of the callee; repeating this composition to construct a topologically ordered graph; at the same time, according to the cause and form of memory defects, classifying each statement in the control flow graph as an assignment statement, a function call statement, a loop statement or a type conversion statement, and marking suspected points that may cause defects; and registering the corresponding defect detection rules at the analysis interface of the statement or at the position of the suspected point, so that, when the statement needs to be analysed, the interface is called and the defect detection flow is entered at the same time to perform the defect detection analysis.
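The front-end part of claims 2 and 3 (steps S11 and S12: walk the abstract syntax tree, record each caller as a predecessor of its callee, and derive a topological order over the call graph), as an added example that is not the patent's code. Python's own `ast` module stands in for the C front end the claims describe, and the sample program, the function names `call_graph` and `topological_order`, and the `SAMPLE` source are all constructed for this illustration.

```python
"""Added example (not the patent's code) for claims 2 and 3, steps S11 to S12:
build a function call graph from an abstract syntax tree, record each caller
as a predecessor of its callee, and derive a topological order.  Python's
`ast` module stands in for the C front end the claims describe."""
import ast
from collections import defaultdict, deque

# Constructed sample program; the analysed language is an assumption here.
SAMPLE = """
def parse(buf):
    return decode(buf)

def decode(buf):
    return buf[1:]

def handle(req):
    data = parse(req)
    return render(data)

def render(data):
    return decode(data)
"""


def call_graph(source):
    """Return (functions, preds): preds maps callee -> set of callers (claim 3)."""
    tree = ast.parse(source)
    functions = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    preds = defaultdict(set)
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):          # every call statement in the body
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                callee = node.func.id
                if callee in functions:    # ignore builtins and library calls
                    preds[callee].add(fn.name)   # caller is the predecessor
    return functions, preds


def topological_order(functions, preds):
    """Kahn's algorithm over the predecessor relation; callers come first."""
    indegree = {f: len(preds.get(f, ())) for f in functions}
    succ = defaultdict(set)
    for callee, callers in preds.items():
        for caller in callers:
            succ[caller].add(callee)
    ready = deque(sorted(f for f in functions if indegree[f] == 0))
    order = []
    while ready:
        f = ready.popleft()
        order.append(f)
        for g in sorted(succ[f]):          # sorted so the order is deterministic
            indegree[g] -= 1
            if indegree[g] == 0:
                ready.append(g)
    if len(order) != len(functions):       # recursion leaves a cycle behind
        raise ValueError("call graph is not acyclic")
    return order
```

Running `topological_order(*call_graph(SAMPLE))` yields `handle` first, then `parse` and `render`, then `decode`, which is the order in which callers precede callees; a recursive program raises instead, which is where a real front end would have to break cycles before building the ordered graph.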
4. The memory defect static detection method based on a type region model according to claim 3, wherein the construction and static analysis of the type region model specifically comprises the following steps:
S21, modelling each function variable at its first declaration according to the control flow graph information and allocating a region for it: the region holds the type and value information of the variable, additionally records the state of the variable for pointers and heap memory, and at the same time records the address of the variable during the analysis;
S22, initialising the state pool to be empty, and adding the program state at the analysis entry to the state pool;
S23, if the state pool is empty, ending the analysis; if the state pool is not empty, selecting one state from the state pool according to the chosen selection strategy (breadth-first traversal by default) and continuing the program analysis;
S24, calling the corresponding analysis interface to perform program analysis according to the type of each statement in the control flow graph, updating the model and the program state after the analysis, ending the current analysis stage and jumping to step S25;
S25, for the suspected points, calling the corresponding defect detection rules for analysis; if suspected points of several defect types may exist, entering each of the different defect detection rule flows in turn; after the detection is finished, jumping to step S26 if the analysis continues, otherwise jumping to step S23;
S26, after adding the current state to the state pool, jumping to step S23.
5. The memory defect static detection method based on a type region model according to claim 3, wherein, in the program analysis process:
for an assignment statement, the analysis interface for the particular kind of assignment statement is called directly to perform program analysis, and the model and the program state are updated;
for a function call statement, the function definition corresponding to the statement is located and the content of the function is connected to the current analysis point by inlining; at the call statement, the actual parameters are bound to the formal parameters and a context is established; the analysis depth of the current function is initialised, an upper limit on the depth is set, the analysis is started, path information is collected, and the model and state are updated; meanwhile, after the function exits, the constraint information and regions related to variables whose lifetime has ended are deleted, information with side effects is recorded, and the information in the current context is updated;
for a loop statement, it is determined whether the current loop condition is satisfied; if not, the loop is skipped, otherwise the loop body is entered for analysis: each path in the loop body is treated as a conditional branch, the currently executable path is selected as the analysis path, and the model and program state are updated; after the loop has been analysed more than four times, the loop is forcibly exited so that the analysis cost does not grow rapidly;
for a type conversion statement, the converted expression value is described according to the constraints of the current constraint space, the expression value of the conversion statement and the constraint transfer rules: constraints on the integer part are described in terms of the valid range or sign of the expression value and the new value after conversion, in particular after forced truncation of a signed floating-point number.
6. The memory defect static detection method based on a type region model according to claim 1, wherein the memory defect detection specifically comprises the following steps:
S31, selecting a defect rule according to the defect type, converting the rule into a Boolean expression, and merging the Boolean expression into the path constraint of the current program state to form a set of verification conditions for detecting the violation of a given property;
S32, solving the verification conditions with a constraint solver; if the verification conditions can be satisfied, jumping to step S33, otherwise jumping to step S34;
S33, generating warning information for the defect point that currently shows the defect behaviour: recording the defect type and the position of the current detection point, adding them to a defect warning table, and generating the program warning information after the analysis is finished; ending the analysis if the current defect is a serious defect, otherwise jumping to step S34;
S34, updating the state information and returning to continue the analysis.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310457369.4A CN116594869A (en) | 2023-04-25 | 2023-04-25 | Memory defect static detection method based on type region model |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116594869A true CN116594869A (en) | 2023-08-15 |
Family
ID=87599911
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310457369.4A Pending CN116594869A (en) | 2023-04-25 | 2023-04-25 | Memory defect static detection method based on type region model |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116594869A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117520199A (en) * | 2023-12-06 | 2024-02-06 | 北京邮电大学 | Numerical software defect detection method and device based on static symbol execution |
CN117520199B (en) * | 2023-12-06 | 2024-05-14 | 北京邮电大学 | Numerical software defect detection method and device based on static symbol execution |
Events
- 2023-04-25: application CN202310457369.4A filed in CN (publication CN116594869A); status: Pending (active)
Similar Documents
Publication | Title |
---|---|
CN112100054B (en) | Data management and control oriented program static analysis method and system |
CN109753288B (en) | Intelligent contract compiling method suitable for formalized verification |
US8312440B2 (en) | Method, computer program product, and hardware product for providing program individuality analysis for source code programs |
CN111240982A (en) | Static analysis method for source code |
CN104573503B (en) | The detection method and device that a kind of internal storage access overflows |
del Mar Gallardo et al. | Debugging UML designs with model checking |
Zhang et al. | APICraft: Fuzz driver generation for closed-source SDK libraries |
CN116594869A (en) | Memory defect static detection method based on type region model |
CN101727385A (en) | Method for processing information change of user interface and system |
CN108563561B (en) | Program implicit constraint extraction method and system |
CN103914379A (en) | Automatic fault injection and fault detecting method and system |
CN112256271A (en) | Block chain intelligent contract security detection system based on static analysis |
CN110162474B (en) | Intelligent contract reentry vulnerability detection method based on abstract syntax tree |
CN112860545B (en) | Software defect detection method and device |
CN105354035A (en) | Method for compiling test case of web engineering |
CN111966578A (en) | Automatic evaluation method for android compatibility defect repair effect |
Bernardi et al. | Model checking to improve precision of design pattern instances identification in OO systems |
CN115080448B (en) | Method and device for automatically detecting inaccessible path of software code |
CN100451969C (en) | Method for recognizing composite conditional branch structure |
CN115039083A (en) | Validity verification enabling method for asynchronous algorithm generated during execution of logic connection program |
CN115310095A (en) | Block chain intelligent contract mixed formal verification method and system |
CN110309656B (en) | Implicit type conversion security detection method |
Jiang et al. | An exploitability analysis technique for binary vulnerability based on automatic exception suppression |
Barros et al. | Towards an integrated tool support for the analysis of iopt nets using the spin model checker |
CN113849814A (en) | Configurable system bug reproduction system and reproduction method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |