CN102110051A - Static defect detection method of application program slicing technology - Google Patents
Publication number: CN102110051A
Authority: CN (China)
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a static defect detection method applying program slicing, comprising the following steps: A, acquiring the defect features of the defect pattern to be detected; B, calculating the path conditions of all branch nodes according to the defect features, and generating the slicing criterion; C, traversing the control flow graph according to the slicing criterion to perform program slicing, and reconstructing the control flow graph to obtain a reconstructed control flow graph; D, performing the defect pattern state machine computation on the reconstructed control flow graph using a defect state iteration algorithm; E, if the current control flow graph node is a non-convergence node, converging and updating the state conditions in all defect states; and F, if the current control flow graph node is a convergence node, merging states according to the state condition of the current defect state. By adopting the method, defect detection efficiency can be improved to a certain degree, and the false positives of path-sensitive detection methods based on a path merging strategy are reduced.
Description
Technical field
The present invention relates to software testing technology, and in particular to a static defect detection method that applies program slicing; it belongs to the application of path-sensitive methods in static defect detection.
Background art
Software testing is an important means of improving software quality. Depending on whether the program under test is run, software testing is divided into dynamic testing and static testing. Static analysis based on software defects can effectively test for low-probability defects and has received wide attention from academia and industry. The efficiency of static analysis is the key factor in whether it can be applied to defect detection in large software, and it is closely tied to the computational complexity of the analysis. Because static analysis must abstract complete program semantic information, and this abstract semantic information is usually a "conservative" approximation of the exact program semantics, its computational cost is far greater than the cost implied by the exact semantics; reducing the cost of the conservative analysis therefore improves analysis efficiency. By Rice's theorem, static analysis of any non-trivial program property (for example, whether a run-time error exists) cannot be both sound and complete, so its results may contain false positives and false negatives. A large number of false positives makes users lose confidence in an analysis tool, and false negatives create the illusion that the program is of high quality, so improving precision is the other challenge in improving static analysis.
A path-sensitive defect detection method iterates states in order starting from the head node of the control flow graph. Each defect state is associated with all data-flow information of the current control-flow node, so during defect state iteration, data-flow information unrelated to the defect is also propagated and computed along the control flow, and this irrelevant computation inevitably reduces detection efficiency. Path-sensitive analysis can also be achieved by adding control-flow nodes to construct new paths, or by reconstructing the control flow graph to eliminate unreachable paths, but this is a typical way of trading efficiency for precision, which limits its use in defect detection for large software.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a static defect detection method that applies program slicing, improving the efficiency and precision of path-sensitive defect detection, and further reducing analysis time and false positives when the program under test has a large amount of code.
To achieve this purpose, the technical solution of the present invention is realized as follows:
A static defect detection method applying program slicing, comprising:
A. obtaining the defect features of the defect pattern to be detected;
B. computing the path conditions of the branch nodes according to the defect features, and generating the slicing criterion;
C. traversing the control flow graph according to the slicing criterion to perform program slicing, and reconstructing the control flow graph to obtain a reconstructed control flow graph;
D. using the reconstructed control flow graph, applying the defect state iteration algorithm to carry out the defect pattern state machine computation;
E. if the current control flow graph node is a non-convergence node, performing the convergence and update operations on the state conditions in all defect states;
F. if the current control flow graph node is a convergence node, performing state merging according to the state condition of the current defect state.
In step A, the defect features are obtained from the defect pattern to be detected as follows:
A1. According to the establishment conditions of the defect pattern state machine FSM, detect whether the program contains variables associated with the defect pattern; such a defect-related variable is the defect feature (DefectFeature), denoted Df(FSM).
In step B, using the defect features computed in step A, all branch nodes n in the control flow graph are traversed; whether n is a path condition, denoted Pc(n), is determined by whether the branch statement block Stmt(n) contains the defect feature. Step B further comprises:
B1. Traverse the control flow graph in node order, find all nodes whose out-degree is greater than 2, and add them to the branch statement set BranchList; these may include conditional branch statements such as if-else and switch, and loop statements such as while, do-while and for;
B2. Reverse the BranchList obtained in B1, then traverse each branch node SplitNode in it in turn and check whether its statement block Stmt(SplitNode) contains the defect feature Df(FSM); if not, perform step B3, otherwise perform step B4;
B3. The current branch statement block contains no defect feature information; set its path condition flag IsPc=false, so that during subsequent program slicing the block can be sliced away quickly according to this flag;
B4. The current branch statement block contains defect feature information, so add the condition variables of the current branch to the path condition set PCSet and set IsPc()=true;
When the traversal of BranchList is complete, merge the defect feature Df(FSM) with the path condition set PCSet to obtain the slicing criterion SCSet.
In step C, the slicing criterion is generated from the defect features and path conditions obtained in steps A and B, and program slicing is then performed according to the data-flow information of each control-flow node. Step C further comprises:
C1. Traverse the control flow graph in node order and obtain the associated variable information RelVarSet of each control-flow node;
C2. Perform program slicing by comparing the slicing criterion SCSet from step B with the RelVarSet of the current node: if their intersection is empty, perform step C4; otherwise perform step C3;
C3. The data-flow information set RelVarSet of the current node contains data-flow information relevant to defect detection or to a path condition, so the node must not be sliced away; continue with step C2;
C4. The data-flow information of the current node is unrelated to both defect detection and the path conditions, so the node should be sliced away, that is, the predecessors and successors of the sliced statement are connected to each other. If a conditional branch node is encountered during slicing, the path condition flag IsPc() computed in step B determines whether the whole conditional branch statement block can be sliced away quickly.
In step E, state iteration proceeds in order from the head node of the control flow graph; each defect state is associated with the path conditions of the current control-flow node, and the state condition is represented by the abstract values of the variables at the current node. If the current node is a sequential control-flow node, the step further comprises:
E1. State condition convergence: merge the state conditions of all predecessor nodes of the current control-flow node n to obtain a new state condition, which is the initial state condition of n;
E2. State condition update: according to the data-flow information of the current control-flow node n, update the initial state condition computed in step E1, and decide from the state transition conditions whether a state transition occurs; if the state transitions to the Error state, report a detection point.
In step F, if a control-flow convergence node is encountered, whether to merge states is decided by the containment relation between the state attribute (State Attribute) and the slicing criterion SCSet obtained in step C1. The step further comprises:
F1. Obtain the defect states of all predecessor nodes; if they are not the same state, perform only the state condition merge operation; otherwise perform step F2;
F2. If the defect states of the predecessor nodes are the same, further check whether the state attribute Attr(State) is contained in the slicing criterion SCSet; if it is contained, state merging is not performed.
The static defect detection method applying program slicing provided by the present invention has the following advantages:
Applied to static software testing, the method realizes demand-driven defect detection: different program slices can be computed for different defect detection goals, which narrows the scope of detection and improves detection efficiency. Because program slicing takes into account the various dependencies in a program (not only data dependence and control dependence), and any program is equivalent to the union of a set of its slices, checking every slice amounts to testing the whole program, so the defect-based slicing method preserves the conservativeness of static analysis. Experiments show that applying program slicing effectively reduces the time overhead of static defect detection and also reduces false positives.
Description of drawings
Fig. 1 is a schematic flow diagram of the application of program slicing to defect detection according to the present invention;
Fig. 1a is a schematic diagram of the resource leak pattern represented as a directed graph;
Fig. 1b is a schematic diagram of the null pointer dereference pattern represented as a directed graph;
Fig. 2 is a schematic flow diagram of the program slice generation algorithm of the present invention;
Fig. 3 is a schematic flow diagram of the defect-based program slicing algorithm of the present invention.
Detailed description of the embodiments
The method of the present invention is described in further detail below with reference to the accompanying drawings and embodiments.
Existing path-sensitive detection methods based on data-flow analysis take the combinations of branches into account and record the different path information on the control flow graph, which effectively reduces false positives in static analysis. A fully precise path-sensitive analysis records all path information in the program; when there are many control-flow branches or when loops are present, this causes path explosion and the analysis becomes infeasible.
Practical path-sensitive analysis methods therefore tend to adopt compromise strategies, which may cause a loss of precision:
1) data-flow information on different paths is merged at control-flow convergence points;
2) data flow is propagated along unreachable paths.
For example, with an iterative refinement strategy, the result of each analysis iteration updates the state merging criterion. This adjustable merging criterion reduces the precision loss caused by merging critical paths, but iterative refinement repeats computation and may not terminate. Alternatively, the abstract values of variables are used to represent state conditions, and path explosion is avoided at control-flow convergence nodes by merging the state conditions of equal states; however, this merging strategy does not distinguish at which convergence nodes states can be merged safely, so path information relevant to the defect is lost, producing false positives.
From the above analysis, the following conclusions about path-sensitive defect detection can be drawn:
1) the number of control flow graph nodes determines the number of state iteration computations;
2) the amount of associated data-flow information in the state condition determines the complexity of state iteration along the control flow;
3) the state merging strategy affects the precision of path-sensitive detection. The present invention focuses on optimizing these three aspects to improve the efficiency and precision of path-sensitive analysis.
Drawing on the idea of demand-driven analysis, the present invention applies program slicing to defect detection and proposes a testing method based on program slicing. The method builds the slicing criterion from defect features and path conditions, and slices the program according to the containment relation between the data-flow information on each control-flow node and the slicing criterion. The resulting sliced program not only has the defect-irrelevant nodes removed, which reduces the computation during data-flow iteration, but is also fully equivalent to the source program for defect detection, which guarantees the conservativeness of static analysis. To reduce false positives further, a slice-based defect state merging strategy is proposed: according to the path condition of a control-flow branch node, a state attribute is added to the defect state, so that states are merged selectively at control-flow convergence nodes, improving detection precision.
Depending on whether the execution order of program statements is considered, static analysis is divided into flow-sensitive analysis and flow-insensitive analysis. The control flow graph (CFG, Control Flow Graph) of a program is an abstraction of the execution order of its statements: a directed graph with a single, fixed entry node and exit node.
Definition 1 (control flow graph): the control flow graph of a program can be expressed as a directed graph \(G = (N, E, n_0, n_f)\), where: \(N\) is the set of nodes, and each node \(n_i \in N\) reflects a sequentially executed statement CommonStmt, a condition (loop) statement SelectionStmt, etc. in the program; the program statement block associated with node \(n_i\) is denoted \(Stmt(n_i)\); \(E \subseteq N \times N\) is the set of directed edges, reflecting the control-flow relations between statements in the program; \(e_h\) and \(e_t\) denote the head node and tail node of a directed edge \(e\); \(n_0\) is the unique entry node of the function, and \(n_f\) is its unique exit node.
The key to static defect detection is defining and detecting defect patterns; the more kinds of defect pattern that can be handled, the stronger the analysis and detection capability.
Definition 2 (defect pattern): the syntactic or semantic features that a frequently occurring defect (bug) exhibits in a program.
A defect pattern describes a program property; violating the property causes a defect. For example, an allocated resource must be released after use, otherwise a resource leak defect (RL, Resource Leak) results; an array index must lie within the declared bounds of its array, otherwise an out-of-bounds defect (OOB, Out Of Boundary) results; a pointer must be guaranteed non-null before it is dereferenced, otherwise a null pointer dereference defect (NPD, Null Pointer Dereference) results.
A state machine is a common and easily understood abstract representation of program semantics, and a defect pattern can be represented by a defect pattern state machine.
Definition 3 (defect pattern state machine): a finite state machine (FSM, Finite State Machine) used to describe a defect pattern, comprising a state set \(D\), a state transition set \(T\) and a transition condition set \(Conditions\), where \(D = \{\$start, \$error\} \cup D_{other}\) and \(T: D \times Conditions \to D\). $start and $error denote the start state and the error state respectively, and \(D_{other}\) denotes the set of other intermediate states.
A defect pattern state machine can be shown intuitively as a directed graph. For example, the RL and NPD defect patterns can be described by the state machines shown in Fig. 1a (resource leak pattern) and Fig. 1b (null pointer dereference pattern).
A path-sensitive defect detection method iterates states in order from the head node of the control flow graph; each state is associated with the value information of all variables at the current control-flow node, which is called the state condition (State Condition). We represent the state condition by the abstract values of variables. The state condition is updated continually during data-flow iteration, which causes the defect state to transition; as soon as a state is found to transition to $error, a defect of that type exists in the program.
Consider detecting the RL defect in code fragment (a) below using a path-sensitive analysis that merges equal states; its state transition sequence is shown in Table 1.
Code fragments (a), (b), (c)
Table 1: Defect state transition sequence for code fragment (a)
According to the state transition sequence in Table 1, the defect state automaton transitions to $error at L7, which is clearly a false positive. The reason is that at the control-flow convergence point after L3, the two $start states from the true and false branches are merged, so the association between flag and dump is lost. It can also be observed that the state conditions after P1 are all associated with the abstract values of i and j; this data-flow information has no effect on the RL detection result and only increases the computation during state iteration.
From observing and analysing the example program above, the following conclusions can be drawn:
1) eliminating redundant code unrelated to defect detection reduces the number of control flow graph nodes and hence the number of state iterations;
2) reducing the variables in the state condition that are unrelated to defect detection lowers the complexity of data-flow propagation and computation;
3) optimizing the defect state merging strategy at control-flow convergence nodes reduces the precision loss caused by path merging.
To meet these three needs, we draw on the idea of demand-driven analysis and propose the static defect testing method of the present invention, which applies program slicing to improve the efficiency and precision of defect detection.
Demand-driven static analysis starts from the needs of the analysis, extracts program semantic information and reduces the complexity of the program before analysis, which greatly reduces the computation during analysis; it can not only reproduce bugs quickly and accurately but also detect certain specific faults in large programs. The present invention uses program slicing to realize demand-driven defect detection: the sliced program is fully equivalent to the source program for the purposes of defect detection, while computational complexity is reduced and analysis efficiency and precision are improved.
Program slicing is a technique for analysing and understanding programs: a program is analysed and understood by computing a slice for each point of interest in the source. The principle and method of program slicing were first proposed by Mark Weiser in his 1979 PhD dissertation. Weiser held that a program slice corresponds to the mental abstraction people make when debugging a program; he defined a slice S of a program P as an executable program that is fully equivalent to P with respect to some functional property. According to the different points of interest in analysing and understanding a program, corresponding slicing criteria (Slicing Criteria) can be defined, and the source program can be sliced "on demand" according to the different criteria. It is this principle of "simplifying the problem and narrowing the target scope" that makes program slicing one of the effective ways to improve static analysis efficiency.
Given the characteristics of path-sensitive defect detection, the slicing criterion can be derived from two angles: defect features and path conditions.
Definition 4 (defect feature, Defect Feature): given a defect pattern fsm, which detects whether some program property violates the syntactic or semantic rules of the program, the program variable corresponding to that property is the defect feature of fsm, denoted Df(fsm).
Definition 5 (node associated variable, Vex Related Variable): for a control flow graph \(G = (N, E, n_0, n_f)\),
where var is an associated variable of node n, denoted RelVar(n).
Definition 6 (path condition, Path Condition): only branch and loop nodes in the CFG can produce new paths, so path conditions can arise only in SelectionStmt statements. The path condition of node n is defined as \(Pc(n) = \{var \mid var \in RelVar(n) \wedge n \in SelectionStmt\}\); it contains all variables associated with the conditional branch and loop nodes of the control flow graph.
A defect feature can be understood as whether defect detection is related to a certain variable in the program: for example, the NPD pattern is necessarily related to a pointer variable, and the RL pattern to a resource handle. A path condition is the set of variables associated with a conditional branch statement that may produce a new path, for example the condition variables in if-else, switch and while statement blocks.
Further observation of program control flow shows that not all path conditions affect the detection result. The conditional branches at P1 and P2 in code fragment (a) above, for instance, have no effect on the RL detection result, and path conditions of this kind should not be used as slicing criteria. In addition, alias relations between variables also affect the generation of the slicing criterion. Consider program fragment (c): the assignment statement at L2 establishes a direct alias relation between a and b, and also establishes a data dependence between a=0 and the data-flow value flag=true; because b is not a path condition, slicing away the statement at L1 would lose this data dependence and might cut off the data-flow iteration.
The present invention avoids the effect on program slicing of alias relations formed by assignment statements by performing interval arithmetic in advance. We use numeric intervals to represent the abstract values of variables; the interval information of a is obtained by interval arithmetic before program slicing, so even if L1 is sliced away, defect detection is not affected. Based on this analysis, the slicing criterion of the present invention is defined as follows:
\(SCSet = Df(fsm) \cup \{Pc(n_i) \mid n_i \in SelectionStmt \wedge Df(fsm) \in RelVar(n_i)\}\).
Algorithm 1: slicing criterion generation algorithm
BranchList: all conditional branch nodes in the program
IsPc(n): indicates whether the current conditional branch node n is a path condition
GetBranchVexList(n): obtains all statement blocks of the branch where the current conditional branch n is located
SkipBranchVexList(n): if the current conditional branch n is not a path condition, the current branch statement block can be skipped, and the traversal continues searching for path conditions in the nodes following the branch
Input: control flow graph G and defect pattern fsm
Output: slicing criterion SCSet
Algorithm 1 above generates the slicing criterion from defect features. Its main cost is the path condition query in Step2. Suppose the CFG has N nodes, Q branch nodes, and P nodes in each branch statement block (P << N). Step2.1 traverses the CFG nodes and adds all conditional branch nodes to BranchList, with complexity O(N). Step2.2 first reverses BranchList, then checks in turn whether each conditional branch statement block GetBranchVexList() contains Var; as soon as the associated variables of the current node contain Var, the current path condition Pc(n) is added to SCSet and the flag IsPc()=true is set. If there are nested branch structures, the path condition flag IsPc() of the inner branch decides whether the analysis of the inner branch statement block is skipped (SkipBranchVexList()); the complexity is O(Q × P). The complexity of Algorithm 1 is therefore O(N) + O(Q × P).
Classic program slicing algorithms include Weiser's algorithm based on data-flow equations, the reachability algorithms of Ottenstein and L. M. Ottenstein and of Horwitz based on the program dependence graph, and context-sensitive algorithms based on the system dependence graph. The present invention adopts Weiser's algorithm based on data-flow equations: it traverses the CFG nodes, checks whether the data-flow set of the current node contains any variable in the slicing criterion from Algorithm 1 to decide whether the node should be sliced away, and reconstructs the control flow graph according to each node's slicing flag.
Algorithm 2: program slicing algorithm
SliceBranchVexList(n): if the conditional branch node n is not a path condition, the whole branch statement block of n is sliced away
Slice(n): slices n out of the control flow graph and connects all of its predecessors to its successors
Input: control flow graph G, slicing criterion SCSet
Output: the sliced control flow graph G'
Algorithm 2 traverses the CFG and computes the intersection of each node's associated variables with the slicing criterion SCSet; an empty intersection means the current node should be sliced away (Slice()). To improve efficiency further, if the node being sliced is a conditional branch node, the path condition flag IsPc() set in Algorithm 1 can be used to decide whether to slice away the whole branch statement block (SliceBranchVexList()). Slice(n) connects all predecessors of n to its successors; its complexity depends on the sum of the out-degree and in-degree of n, which is a constant in practical programs. SliceBranchVexList(n) directly connects the predecessors of the branch statement block to its successors; its complexity depends on the number of nodes traversed from the branch entry node to the convergence node, that is, the number of nodes P in the branch statement block, so it is O(P). The complexity of the whole algorithm depends on the number of CFG nodes N in the for loop, so the complexity of Algorithm 2 is O(N × P).
After program slicing is applied through Algorithms 1 and 2, the number of control flow graph nodes and the number of variables in the state condition both decrease, so the efficiency gain can be estimated roughly from the slicing effect. The slicing effect η can be understood as the ratio of the number of nodes sliced away to the original number of nodes; the closer η is to 1, the better the slicing effect. Suppose the total number of control flow nodes in the source program is φ, and the total number of nodes in the sliced program is
then the slicing effect
roughly reflects the efficiency improvement due to the reduction in the number of nodes and variables. Actual defect detection is of course also affected by other factors, such as the computation and propagation of state conditions and the evaluation of state transitions, so the actual efficiency improvement is smaller than η.
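An added example, not part of the patent text: steps B and C (Algorithms 1 and 2) and the slicing effect η, run on a constructed control flow graph for the RL pattern. The node names, the explicit branch-block lists (branch nodes are marked directly instead of being found by out-degree) and the always-kept entry and exit nodes are assumptions of this sketch.

```python
# Constructed CFG for a hypothetical function (sample input, not from the patent):
#   n1: dump = fopen(path)
#   n2: if (flag)    n3: fwrite(buf, dump)            n4: join
#   n5: if (i < j)   n6: i = i + 1    n7: j = j - 1   n8: join
#   n9: fclose(dump)
# node -> (RelVar(n), successors, nodes of the branch block Stmt(n) or None)
CFG = {
    "entry": (set(), ["n1"], None),
    "n1": ({"dump", "path"}, ["n2"], None),
    "n2": ({"flag"}, ["n3", "n4"], ["n3"]),
    "n3": ({"dump", "buf"}, ["n4"], None),
    "n4": (set(), ["n5"], None),
    "n5": ({"i", "j"}, ["n6", "n7"], ["n6", "n7"]),
    "n6": ({"i"}, ["n8"], None),
    "n7": ({"j"}, ["n8"], None),
    "n8": (set(), ["n9"], None),
    "n9": ({"dump"}, ["exit"], None),
    "exit": (set(), [], None),
}


def slicing_criterion(cfg, df):
    """Algorithm 1: return (SCSet, IsPc) for the defect feature set Df(fsm)."""
    branch_list = [n for n, (_, _, block) in cfg.items() if block is not None]  # B1
    is_pc, pc_set = {}, set()
    for n in reversed(branch_list):                                             # B2
        block_vars = set().union(*(cfg[m][0] for m in cfg[n][2]))
        is_pc[n] = bool(block_vars & df)       # B3 gives False, B4 gives True
        if is_pc[n]:
            pc_set |= cfg[n][0]                # condition variables of the branch
    return df | pc_set, is_pc


def slice_cfg(cfg, sc_set, is_pc, keep=("entry", "exit")):
    """Algorithm 2: return (successor map of the reconstructed CFG, sliced nodes)."""
    succs = {n: list(out) for n, (_, out, _) in cfg.items()}
    removed = []

    def slice_node(n):
        # Slice(n): connect every predecessor of n to the successors of n
        for p, out in succs.items():
            if p != n and n in out:
                rewired = []
                for s in out:
                    for t in (succs[n] if s == n else [s]):
                        if t != n and t not in rewired:
                            rewired.append(t)
                succs[p] = rewired
        del succs[n]
        removed.append(n)

    for n, (rel_vars, _, block) in cfg.items():
        if n in keep or n not in succs:
            continue
        if block is not None and not is_pc[n]:
            # SliceBranchVexList(n): drop the whole block without per-node checks
            for m in [n, *block]:
                if m in succs:
                    slice_node(m)
        elif not (rel_vars & sc_set):          # C2/C4: empty intersection with SCSet
            slice_node(n)
    return succs, removed


def slicing_effect(cfg, removed):
    """Slicing effect: ratio of sliced-away nodes to original nodes."""
    return len(removed) / len(cfg)


if __name__ == "__main__":
    sc_set, is_pc = slicing_criterion(CFG, {"dump"})   # RL pattern: Df(fsm) = {dump}
    succs, removed = slice_cfg(CFG, sc_set, is_pc)
    print("SCSet:", sorted(sc_set))
    print("sliced:", removed, "effect:", round(slicing_effect(CFG, removed), 2))
    for n, out in succs.items():
        print(f"{n} -> {out}")
```

The branch on `flag` survives because its block touches `dump`, while the `i`/`j` branch is removed as a whole, leaving `n2` with the two successors `n3` and `n9`.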
To improve detection precision further, the present invention proposes a slice-based defect state merging strategy: according to the path condition of a control-flow branch node, a state attribute (State Attribute) is added to the defect state, and the state attribute then decides whether states need to be merged at a control-flow convergence node. This strategy merges states at convergence nodes selectively, preserving the path information related to the defect feature (Defect Feature) and thereby reducing false positives.
Definition 7 (state attribute, State Attribute): given a defect state S and the current CFG node n, if Stmt(n) ∈ SelectionStmt, then the state attribute of S is Attr(S) = RelVar(n).
Algorithm 3: a kind of defect state merge algorithm based on section
S
T, S
F: the defect state in the true and false branch
StateCompute (S): according to the traffic flow information of present node, upgrade the status condition of S, and judge the state transition situation
MergeState (S
T, S
F): merge the defect state that true and false branch converges the place, simultaneously identical status condition is merged
Input: branch node n and defect state S
Output: converge the defect state S ' that node n ' locates
In the above algorithm, Step 1 first computes the path condition Pc(n) of branch node n and adds the state attribute to the initial state S, then runs the state iteration StateCompute() on the differing data flow values in the true and false branches to update the state condition of S. The complexity of the state iteration depends on the number of nodes P in the branch statement block, so it is O(P). Step 2 first checks whether the states at the convergence node are the same state; before identical states are merged, it further checks whether the state attribute Attr(S) is contained in the slicing criterion, to determine whether the state merge MergeState(S_T, S_F) is needed. State merging actually merges identical state conditions; its complexity depends on the number of related variables on the execution path, which is a constant in practical programs, so the complexity of Algorithm 3 is O(P).
From the preceding descriptions of the complexity of Algorithms 1, 2 and 3, the complexity of the invention's algorithms depends mainly on the number of control flow graph nodes N, the number of conditional branches Q, and the number of nodes P contained in each conditional branch statement block. In practical programs Q << P << N < λ, where λ is a constant, so the algorithmic complexity is low. In addition, Algorithm 1 generates most of the data used by the subsequent Algorithms 2 and 3, and this data can be propagated as static attributes of the control flow nodes, which further reduces the computation in Algorithms 2 and 3.
The method proposed by the invention for using program slicing to improve the efficiency and precision of a static defect detection system is explained below with reference to the accompanying drawings. Fig. 1 is a flow diagram of the application of program slicing to defect detection according to the invention. As shown in Fig. 1, the method comprises the following steps:
Step A: according to the variables associated with the defect FSM to be detected, generate the corresponding defect feature Df(fsm);
Step B: using the defect feature obtained in Step A, traverse all branch statements in the control flow graph, find the path conditions related to the defect feature to obtain the set PCSet, and generate the slicing criterion SCSet;
B1. Traverse the control flow graph in node order, find all nodes with out-degree greater than 2, and add them to the branch statement set BranchList; these may include conditional branch statements such as if-else and switch, and loop statements such as while, do-while and for;
B2. Reverse the BranchList obtained in B1, then traverse each branch node SplitNode in it in turn, checking whether its statement block Stmt(SplitNode) contains the defect feature Df(FSM); if it does not, go to step B3, otherwise go to step B4;
B3. The current branch statement block contains no defect feature information; set its path condition flag IsPc = false, so that it can be sliced away quickly according to this flag during the subsequent program slicing;
B4. The current branch statement block contains defect feature information, so add the condition variables of the current branch to the path condition set PCSet and set IsPc() = true;
When the traversal of BranchList finishes, merge the defect feature Df(FSM) with the path condition set PCSet to obtain the slicing criterion SCSet.
Step C: generate the slicing criterion from the defect feature and path conditions obtained in Steps A and B, then perform program slicing according to the data flow information of each control flow node, as follows:
C1. Traverse the control flow graph in node order and obtain the associated variable information RelVarSet of each control flow node;
C2. Perform program slicing by comparing the slicing criterion SCSet from Step B with the RelVarSet of the current node; if their intersection is empty, go to step C4; otherwise go to step C3;
C3. The data flow information set RelVarSet of the current node contains data flow information related to defect detection or to a path condition, so the node must not be sliced away; continue with step C2;
C4. The data flow information of the current node is unrelated to both defect detection and the path conditions, so the node is sliced away, that is, the predecessors and successors of the sliced statement are connected to each other; if a conditional branch node is encountered during slicing, the path condition flag IsPc() computed in Step B determines whether the whole conditional branch statement block can be sliced away quickly.
Step D: perform the defect state iteration on the reconstructed control flow graph obtained after the slicing in Step C; for an ordinary sequential control flow node go to Step E, otherwise go to Step F;
Step E: for a sequential node in the control flow graph, converge the data flow information of its predecessors and update the state condition of each defect state (the invention represents a state condition by the abstract values of the variables); update the state condition according to the data flow information of the current node, then determine from the defect state transition conditions whether a state transition occurs; if a state is found to move to the Error state, report a defect inspection point (Inspect Point); otherwise continue the state iteration at Step D;
E1. State condition convergence: merge the state conditions of all predecessor nodes of the current control flow node n, and take the resulting state condition as the initial state condition of n;
E2. State condition update: update the initial state condition computed in E1 according to the data flow information of the current control flow node n, and determine from the state transition conditions whether a state transition occurs; if the state moves to the Error state, report an inspection point.
Step F: at a convergence node of the control flow graph, defect states must be merged to prevent path explosion during path-sensitive analysis. First generate the state attribute (State Attribute) of the defect state from the path condition of the current branch statement; before identical states are merged, check whether this state attribute is contained in the slicing criterion SCSet from Step C, to decide whether the state conditions need to be merged.
F1. Obtain the defect states of all predecessor nodes; if they are not the same state, perform only the state condition merge operation; otherwise go to F2;
F2. If the defect states of the predecessor nodes are the same, further check whether the state attribute Attr(State) is contained in the slicing criterion SCSet; if it is contained, the states are not merged.
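The following sketch walks Steps B, C and F over a small control flow graph. It is an added example, not code from the patent or from DTSGCC: the CFG is constructed for illustration (it is not program segment (a)), and the names `Node`, `DefectState`, `build_cfg`, `slicing_criterion`, `slice_cfg` and `merge_at_join` are hypothetical. Keeping both states in the F1 case is this sketch's reading of "only the state condition merge".

```python
from dataclasses import dataclass


@dataclass
class Node:
    nid: str
    rel_vars: frozenset      # RelVar(n): variables read or written at n
    is_branch: bool = False  # conditional node that opens a statement block
    block: tuple = ()        # ids of the nodes inside Stmt(n)
    is_pc: bool = False      # IsPc flag, set in Step B


@dataclass
class DefectState:
    name: str        # FSM state, e.g. "$start"
    attr: frozenset  # Attr(S) = RelVar(branch node that produced S)
    cond: dict       # state condition: variable -> set of abstract values


def build_cfg():
    """Constructed CFG (assumption) for a resource-leak check on handle f:
         n1 f = fopen(p)   n2 i = 0         n3 if (verbose)   n4   j = i + 1
         n5 if (dump)      n6   fwrite(f)   n7 if (flag)      n8   fclose(f)
         n9 return         (f leaves scope here)
    """
    fs = frozenset
    nodes = {n.nid: n for n in [
        Node("n1", fs({"f", "p"})), Node("n2", fs({"i"})),
        Node("n3", fs({"verbose"}), True, ("n4",)), Node("n4", fs({"i", "j"})),
        Node("n5", fs({"dump"}), True, ("n6",)), Node("n6", fs({"f"})),
        Node("n7", fs({"flag"}), True, ("n8",)), Node("n8", fs({"f"})),
        Node("n9", fs({"f"})),
    ]}
    succ = {"n1": ["n2"], "n2": ["n3"], "n3": ["n4", "n5"], "n4": ["n5"],
            "n5": ["n6", "n7"], "n6": ["n7"], "n7": ["n8", "n9"],
            "n8": ["n9"], "n9": []}
    return nodes, succ


def slicing_criterion(nodes, df):
    """Step B: SCSet = Df merged with PCSet; sets IsPc on every branch node."""
    branch_list = [n for n in nodes.values() if n.is_branch]      # B1
    pc_set = set()
    for b in reversed(branch_list):                               # B2
        block_vars = set().union(*(nodes[i].rel_vars for i in b.block))
        b.is_pc = bool(block_vars & set(df))                      # B3 / B4
        if b.is_pc:
            pc_set |= b.rel_vars        # condition variables of the branch
    return set(df) | pc_set


def slice_cfg(nodes, succ, sc_set):
    """Step C: drop irrelevant nodes, reconnect predecessors to successors."""
    removed = set()
    for n in nodes.values():
        if n.nid in removed:
            continue
        if n.is_branch and not n.is_pc:
            removed.add(n.nid)          # C4: rapid slice of the whole block
            removed.update(n.block)
        elif not n.is_branch and not (n.rel_vars & sc_set):
            removed.add(n.nid)          # C2 -> C4: empty intersection

    def next_kept(nid):
        # Follow edges through removed nodes to the nearest kept nodes.
        out, seen, stack = [], set(), list(succ[nid])
        while stack:
            s = stack.pop()
            if s in seen:
                continue
            seen.add(s)
            if s in removed:
                stack.extend(succ[s])
            else:
                out.append(s)
        return sorted(out)

    kept = [nid for nid in nodes if nid not in removed]
    return kept, {nid: next_kept(nid) for nid in kept}


def merge_at_join(s_t, s_f, sc_set):
    """Step F: decide at a convergence node whether S_T and S_F are merged."""
    if s_t.name != s_f.name:                 # F1: different FSM states
        return [s_t, s_f]
    if s_t.attr and s_t.attr <= sc_set:      # F2: attribute in SCSet, no merge
        return [s_t, s_f]
    keys = s_t.cond.keys() | s_f.cond.keys()
    cond = {v: s_t.cond.get(v, set()) | s_f.cond.get(v, set()) for v in keys}
    return [DefectState(s_t.name, s_t.attr, cond)]


if __name__ == "__main__":
    nodes, succ = build_cfg()
    sc = slicing_criterion(nodes, {"f"})
    print(sorted(sc))
    print(slice_cfg(nodes, succ, sc))
```

On this graph the branch on `verbose` is sliced away with its block, while the states split on `dump` stay separate at the join because `dump` is part of the slicing criterion.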
The invention is further described below with a concrete example.
For program segment (a) above, the program slicing method and defect state merging strategy described earlier are used to detect the RL pattern. The analysis proceeds briefly as follows:
Obtain the RL defect pattern feature: Df(RL) = {f};
Apply Algorithm 1 to obtain the path conditions at L4 and L6: Pc(L4) = {dump}, Pc(L6) = {flag}, so the slicing criterion is SCSet(RL) = {f, dump, flag};
Apply Algorithm 2 to slice program segment (a); the code at P1 and P2 that is irrelevant to the RL analysis is sliced away, giving program segment (b);
Apply Algorithm 3; the state iteration sequence for segment (b) is shown in Table 2. Because slicing removed the redundancy at P1 and P2, the associated variables i and j no longer appear in the state conditions. At L4, because
, the two $start states produced by the L2 branch are not merged at the control flow convergence node L4; at L6 the $start state keeps the association between flag and dump, so the Close operation in the true branch cannot be performed and no false positive is produced.
Table 2: State transition sequence of program (b) above after applying the method of the invention
The above is only a preferred embodiment of the invention. Next, a concrete static defect detection example illustrates the efficiency and precision gains of the method when the amount of code analysed is large:
GCC is the mainstream compiler for developing C programs on Linux systems (see http://gcc.gnu.org). Its syntactic extensions to the ANSI C standard give it greater flexibility but also make program semantics more complex, so software defects are more likely to occur and harder to detect. Based on the DTS framework described above, the invention designs and implements DTSGCC, a path-sensitive static defect detection tool that can check not only source programs conforming to the ANSI C standard but also open-source Linux projects written to the GCC standard.
Using DTSGCC 1.0 with different analysis methods, the invention ran comparative defect detection experiments on 10 open-source Linux projects; the defect patterns scanned were RL and NPD. Among these 10 projects, the smallest by source code size, Combine, has 16,000 lines, and the largest, Binutils, has 1,030,000 lines. The basic configuration of the experiment machine was: Intel E2160 1.8 GHz CPU, 2 GB memory, Windows XP operating system. Two analysis methods were used in the experiments. Method 1: the path-sensitive method with same-state merging. Method 2: the slicing-based path-sensitive method proposed by the invention.
With this setup, the static defect detection results were confirmed manually; the results are shown in Table 3. The file count includes only source files with the suffix *.c or *.h, and the source line count excludes blank lines. DTSGCC does not analyse C source files directly; it first preprocesses them with the GCC compiler (header expansion, conditional compilation, macro substitution) and then processes the resulting intermediate files, so the amount of code actually tested is the size of the intermediate files. After the slicing method of the invention is applied, the change in the number of control flow graph nodes reflects the slicing effect, from which the efficiency gain can be roughly estimated.
Table 3: Comparative experimental results
(Note: in the table above, because the Bash, Openssl and Binutils projects are large and report many IPs, confirmation of all their false positives has not yet been completed, so the efficiency and precision statistics for the invention do not include the data for these 3 projects.)
The statistics show that, for NPD and RL detection on the 10 projects in Table 3, a total of 1,540,000 lines of source code and 7,610,000 lines of intermediate files were analysed. Method 1 took 13.52 hours and reported 2228 inspection points (Inspection Point, IP) in total, while the method of the invention took 11.73 hours and reduced the number of IPs to 1908; detection efficiency improved by 13.28% and the false positive rate fell by 4.59%.
Aiming to improve the efficiency and precision of path-sensitive defect detection, the invention borrows the idea of demand-driven program analysis and applies program slicing to static defect detection. It proposes a defect-based program slicing method in which the sliced program is fully equivalent to the source program for the purposes of defect detection, reducing the computation during state iteration. To further reduce false positives, the state attribute of a defect is generated from the path condition of the control flow branch node, and states at control flow convergence nodes are merged selectively, reducing the loss of defect-relevant precision caused by path merging. The experimental results show that, when the amount of code analysed is large, the method improves analysis efficiency by about 13% and reduces false positives by about 5%.
The above is only a preferred embodiment of the invention and is not intended to limit its scope of protection.
Claims (6)
1. A static defect detection method applying program slicing, characterized in that the method comprises:
A. obtaining the defect feature of the defect pattern to be detected;
B. according to the defect feature, computing the path conditions at the branch nodes and generating the slicing criterion;
C. according to the slicing criterion, traversing the control flow graph to perform program slicing, and reconstructing the control flow graph to obtain a reconstructed control flow graph;
D. using the reconstructed control flow graph, applying the defect state iteration algorithm to compute the defect pattern state machine;
E. if the current control flow graph node is a non-convergence node, converging and updating the state conditions in all defect states;
F. if the current control flow graph node is a convergence node, merging states according to the state condition of the current defect state.
2. The static defect detection method applying program slicing according to claim 1, characterized in that obtaining the defect feature from the defect pattern to be detected in Step A is specifically:
A1. according to the conditions under which the defect pattern state machine FSM is created, detecting whether the program contains variables associated with the defect pattern; such a defect-related variable is the defect feature (DefectFeature), denoted Df(FSM).
3. The static defect detection method applying program slicing according to claim 1, characterized in that, in Step B, using the defect feature computed in Step A, all branch nodes n in the control flow graph are traversed, and whether n is a path condition, denoted Pc(n), is determined by whether the branch statement block Stmt(n) contains the defect feature; Step B further comprises:
B1. traversing the control flow graph in node order, finding all nodes with out-degree greater than 2, and adding them to the branch statement set BranchList, which may include conditional branch statements such as if-else and switch, and loop statements such as while, do-while and for;
B2. reversing the BranchList obtained in B1, then traversing each branch node SplitNode in it in turn and checking whether its statement block Stmt(SplitNode) contains the defect feature Df(FSM); if it does not, going to step B3; otherwise going to step B4;
B3. the current branch statement block contains no defect feature information; setting its path condition flag IsPc = false, so that it can be sliced away quickly according to this flag during the subsequent program slicing;
B4. the current branch statement block contains defect feature information, so adding the condition variables of the current branch to the path condition set PCSet and setting IsPc() = true;
when the traversal of BranchList finishes, merging the defect feature Df(FSM) with the path condition set PCSet to obtain the slicing criterion SCSet.
4. The static defect detection method applying program slicing according to claim 1 or 3, characterized in that, in Step C, the slicing criterion is generated from the defect feature and path conditions obtained in Steps A and B, and program slicing is then performed according to the data flow information of each control flow node, further comprising:
C1. traversing the control flow graph in node order and obtaining the associated variable information RelVarSet of each control flow node;
C2. performing program slicing by comparing the slicing criterion SCSet from Step B with the RelVarSet of the current node; if their intersection is empty, going to step C4; otherwise going to step C3;
C3. the data flow information set RelVarSet of the current node contains data flow information related to defect detection or to a path condition, so the node must not be sliced away; continuing with step C2;
C4. the data flow information of the current node is unrelated to both defect detection and the path conditions, so the node is sliced away, that is, the predecessors and successors of the sliced statement are connected to each other; if a conditional branch node is encountered during slicing, the path condition flag IsPc() computed in Step B determines whether the whole conditional branch statement block can be sliced away quickly.
5. The static defect detection method applying program slicing according to claim 1, characterized in that, in Step E, state iteration proceeds in order from the head node of the control flow graph, each defect state is associated with the path condition of the current control flow node, and the state condition is represented by the abstract values of the variables at the current node; if the current node is a sequential control flow node, the step further comprises:
E1. state condition convergence: merging the state conditions of all predecessor nodes of the current control flow node n, and taking the resulting state condition as the initial state condition of n;
E2. state condition update: updating the initial state condition computed in step E1 according to the data flow information of the current control flow node n, and determining from the state transition conditions whether a state transition occurs; if the state moves to the Error state, reporting an inspection point.
6. The static defect detection method applying program slicing according to claim 4, characterized in that, in Step F, if a control flow convergence node is encountered, whether to merge states is decided by the containment relation between the state attribute (State Attribute) and the slicing criterion SCSet obtained in Step C1, further comprising:
F1. obtaining the defect states of all predecessor nodes; if they are not the same state, performing only the state condition merge operation; otherwise going to step F2;
F2. if the defect states of the predecessor nodes are the same, further checking whether the state attribute Attr(State) is contained in the slicing criterion SCSet; if it is contained, the states are not merged.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010624200.6A CN102110051B (en) | 2010-12-31 | 2010-12-31 | Static defect detection method of application program slicing technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102110051A true CN102110051A (en) | 2011-06-29 |
CN102110051B CN102110051B (en) | 2014-02-05 |
Family
ID=44174217
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010624200.6A Expired - Fee Related CN102110051B (en) | 2010-12-31 | 2010-12-31 | Static defect detection method of application program slicing technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102110051B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140205 Termination date: 20191231 |