CN103218296A - Method of fully detecting null pointer reference defects - Google Patents
Method of fully detecting null pointer reference defects Download PDFInfo
- Publication number
- CN103218296A CN103218296A CN2013101417690A CN201310141769A CN103218296A CN 103218296 A CN103218296 A CN 103218296A CN 2013101417690 A CN2013101417690 A CN 2013101417690A CN 201310141769 A CN201310141769 A CN 201310141769A CN 103218296 A CN103218296 A CN 103218296A
- Authority
- CN
- China
- Prior art keywords
- pointer
- variable
- node
- interval
- quoted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention discloses a method of fully detecting null pointer reference defects. The method comprises recognizing all addressable expressions of an application to be detected based on an abstract syntax tree; carrying out conservative interval arithmetic and pointer analysis on the application to be detected according to a control flow diagram, and generating a procedural summary according to results of the interval arithmetic and the pointer analysis; recognizing all pointer reference and referred pointers according to the procedural summary and the abstract syntax tree, and creating a null pointer reference defect state machine example on each referred pointer; and running the null pointer reference defect state machine examples based on the control flow diagram, carrying out state transition on each defect state machine example on each node of the control flow diagram according to the results of the interval arithmetic and the pointer analysis, and carrying out null pointer reference detection. By adopting the method of fully detecting the null pointer reference defects, the problem of failing to report the null pointer reference defects can be effectively solved, and zero omission and low misinformation of the null pointer reference defect detection are achieved.
Description
Technical field
The present invention relates to the null pointer detection technique in the software static test technology, relate in particular to the method that a kind of abundant detection null pointer is quoted defective.
Background technology
Software test is a kind of process that ensures software quality, and its basic goal is by some cost-effective methods, goes to find the various defectives that exist in the software with the least possible time and manpower, and then guarantees the quality of software.For software test, from classifying based on the angle that whether needs to move tested software, software test is divided into dynamic test and static test, and wherein, static test is also referred to as static analysis.Static test is the actual motion tested software not, but the scan source application is therefrom found out textural anomaly, the control stream that may lead to errors and reached situations such as data flow anomaly unusually.Static test is compared dynamic test, has low, the easy realization of cost, can cover all paths, and do not rely on the advantage of specific running environment; Its shortcoming is that the problem of finding often is not real problem, needs the artificial investigation of confirming.
Existing static test exists reports or fails to report situation in a large number by mistake.And the existence of wrong report needs artificial affirmation to get rid of; The existence of failing to report can cause uses the illusion with better quality, and still, in a single day the defective of failing to report is triggered when running software, may cause uncertain adverse consequences.
At present, representative code defective static test instrument mainly contains the research project Metal of Stanford University, Java application static test instrument FindBugs, the Java application static test instrument PMD that increases income, the code defect detection tool K8 of U.S. Klocwork company research and development that University of Maryland researches and develops.
But test by using above-mentioned testing tool that null pointer is quoted, all can have wrong report in various degree and fail to report situation.Therefore, how reducing rate of false alarm and rate of failing to report that null pointer is quoted defective, is the problem of needing solution at present badly.
Summary of the invention
In view of this, fundamental purpose of the present invention is to provide a kind of abundant detection null pointer to quote the method for defective, has not only solved null pointer and has quoted the problem of failing to report of defective, and can realize that null pointer is quoted the zero of defective to be failed to report and low wrong report.
For achieving the above object, technical scheme of the present invention is achieved in that
The invention provides a kind of abundant detection null pointer and quote the method for defective, described method comprises:
Read tested application file, lexical analysis and grammatical analysis are carried out in tested application, generate the abstract syntax tree of tested application, generate the control flow graph of the tested application controls structure of reflection according to described abstract syntax tree, and create the symbol table system and the type system of tested application according to described abstract syntax tree, identify whole addressable expression formulas of tested application based on abstract syntax tree;
Interval arithmetic and the pointer analysis tested application guarded according to described control flow graph, and according to the result of interval arithmetic and pointer analysis, generating function summary;
Identify the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, and each pointer that is cited is created null pointer quote defect state machine example;
Quote defect state machine example based on described control flow graph operation null pointer, each node for described control flow graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and definite null pointer is quoted, and set is quoted in set, pointerforsafety, uncertain pointer is quoted set.
In the such scheme, describedly identify whole addressable expression formulas of tested application, comprising based on abstract syntax tree:
Identify the symbol of all definition of tested application and the addressable expression formula of all uses based on abstract syntax tree.
In the such scheme, the described addressable expression formula that identifies all uses of tested application based on abstract syntax tree comprises:
Postfix expression node from the abstract syntax tree is discerned the postfix expression of all uses;
Unary expression node from the abstract syntax tree is discerned the pointer REFER expression of all uses.
In the such scheme, described interval arithmetic and the pointer analysis of tested application being guarded according to the control flow graph comprises:
A1, the node number order when producing according to the control flow graph get next node in the control flow graph as present node, and when described present node be last node, pre-treatment were worked as in end; Otherwise execution in step A2;
A2, the variable to occurring for the first time on the described present node are used the quaternary model<Variable based on abstract region of memory, Region, Expression, Domain〉described variable is carried out modeling, and carry out initial operation according to described type of variables, and initial interval value is set; If type of variables is a pointer, described variable then is set points to set for empty; Wherein, Variable is the described variable that is modeled, the abstract region of memory of Region for distributing for described variable, and Expression is a character expression, Domain is an interval;
Each pointer except that the pointer of action scope that occurs on A3, the forerunner's node to described present node, determine the sensing union of sets collection of each pointer on all forerunner's nodes of described present node, obtain the initial directional set of pointer on described present node; Wherein, described action scope is the action scope in the symbol table system;
A4, to each variable except that the variable of action scope of forerunner's node of described present node, determine the union of the interval of each variable on all forerunner's nodes of described present node or the union of interval collection, obtain variable and between initial interval on the described present node or original area, collect; Judgement collects between initial interval that whether has certain variable on the described present node or original area for empty, if exist, then this node of mark is the contradiction node, execution in step A1; If do not exist, execution in step A6 then;
A5, according to the statement type of described present node correspondence, to each has obtained the pointer analysis that the pointer of initial directional set is guarded on this node, the interval arithmetic that each variable that has obtained to collect between initial interval value or original area on this node is guarded, and carry out A1.
In the such scheme, described described variable is carried out modeling, comprising:
When variable is array element, also set up the Region of array and father and son's hierarchical relationship of this variable R egion; When variable is structure or union type, also set up father and son's hierarchical relationship of the Region of the Region of the Region of structure or associating and this variable; When variable is pointer type, variable also is set points to set for empty, it is uncertain unsure state that the variable original state is set.
In the such scheme, described steps A 5 comprises:
A51, if the pairing statement type of described present node be assignment statement, then carry out A52; If the pairing statement type of described present node is a conditional statement, then carry out A58;
A52, determine that by assigned variable be pointer when quoting, carry out A53; When determining to be pointer, carry out A55 by assigned variable; When determining to be structure or associating, carry out A56 by the type of assigned variable; Otherwise, carry out A57;
If the sensing of the pointer that A53 is cited set has only an abstract region of memory, then will abstract region of memory conduct by the abstract region of memory of assignment, then carry out A52; If the sensing of the pointer that is cited set has a plurality of abstract region of memorys, then carry out A54;
A54, definite interval that points to each abstract region of memory of set are the union of current interval of variable and right-hand member expression formula interval; If pointing to the abstract region of memory type of set is pointer type, the sensing set of then determining each abstract region of memory is that current sensing set and right-hand member expression formula are pointed to the union of sets collection; End is to the processing of current statement;
A55, determine that the interval of pointer variable is the interval of right-hand member expression formula, determine the sensing set of the sensing set of pointer variable for the right-hand member expression formula;
If A56 is structure or associating by the type of assigned variable, with each member of this variable as one by assigned variable, each the corresponding member in the right-hand side expression as the right-hand side expression that is this member's assignment, and is carried out A52;
If A57 is a fundamental type by the type of assigned variable, then according to being determined the interval of expression formula in this assignment statement, and described interval by assigned variable is reset to the interval of determined expression formula by the type of assigned variable and right-hand member expression formula;
A58, if the pairing statement type of described present node be the condition judgment statement, then to each associated pointer of this node get initial may point to collection after, analyze each associated pointer of this node points to may gather and must gather in described condition judgment statement; After each associated variable of this node got initial may the collection, calculate may collecting and must collecting of the value of each associated variable of this node in described condition judgment statement, obtain the value of the described variable in the true and false branch in the pairing control flow graph of this node.
In the such scheme, described generating function summary comprises:
Preposition constraint condition, characteristic information and the rearmounted constraint condition of generating function summary.
In the such scheme, describedly identify the pointer that whole pointers is quoted and is cited, comprising according to described function summary and abstract syntax tree:
Identify the pointer that all processes pointer interior and interprocedual is quoted and is cited;
Wherein, the interior pointer of all processes is quoted and is comprised:
On the unary expression node of abstract syntax tree, identify pointer and quote, and the pointer that is cited;
The pointer that identifies on the postfix expression node of abstract syntax tree is quoted, and the pointer that is cited;
All interprocedual pointers are quoted and are comprised:
On the unary expression node of abstract syntax tree, identify the function call expression formula;
When if the function that is called of function call expression formula correspondence has the function summary, then obtain whole restrained variablees in the preposition constraint condition of function summary and the described preposition constraint condition, real ginseng that will be corresponding with described restrained variable or global variable are as the pointer that is cited; When if the function that is called of function call expression formula correspondence does not have the function summary, all pointer type parameters that then will pass to the function that is called are as the pointer that is cited.
In the such scheme, describedly quote defect state machine example based on described control flow graph operation null pointer, each node for described control flow graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and definite null pointer quotes that set is quoted in set, pointerforsafety, uncertain pointer is quoted set, comprising:
B1, the node number order when producing according to the control flow graph are got next node in the control flow graph as present node, if described present node is last node, then finish the null pointer of current function is quoted detection; Otherwise execution in step B2;
The defect state machine example collection that occurs on B2, the forerunner's node to described present node, when the same pointer variable of a plurality of defect state machine examples associations, merge described a plurality of defect state machine example, as the new defect state machine example of this pointer variable correspondence;
B3, when the value of the pointer variable of the defect state machine example association of present node changes, determine that the state of the defect state machine example of variable correspondence produces migration;
B4, when on described present node, pointer occurring and quoting, according to the value of pointer on present node that be cited pointer is quoted and to be detected;
B5, the null pointer that finishes on the present node are quoted detection, carry out B1.
In the such scheme, described when on described present node, pointer occurring and quoting, according to the value of pointer on present node that be cited pointer is quoted and to be detected, also comprise:
When under non-dummy status, carrying out security reference, described pointer quoted be input to pointerforsafety and quote set;
Under dummy status, carry out null pointer when quoting, described pointer is quoted be input to null pointer and quote set;
Under nondeterministic statement, carried out pointer when quoting, described pointer is quoted be input to uncertain pointer and quote set.
Abundant detection null pointer provided by the present invention is quoted the method for defective, identifies whole addressable expression formulas of tested application based on abstract syntax tree; The interval arithmetic of tested application being guarded according to the control flow graph and pointer analysis and according to the result of interval arithmetic and pointer analysis, generating function is made a summary; Identify the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, and each pointer that is cited is created null pointer quote defect state machine example; Quote defect state machine example based on control flow graph operation null pointer, on each node of control flow graph, each defect state machine example is carried out state transition, carry out null pointer and quote detection according to the result of interval arithmetic, pointer analysis.So, efficiently solve the problem of failing to report that null pointer is quoted defective, can realize that null pointer quotes that zero of defective is failed to report and low wrong report, improved adequacy, reliability and accuracy that null pointer is quoted defects detection.
In addition, abstract syntax tree and measured source file that the present invention generates have mapping relations, the various expression formulas that the source of can identifying exactly on the expression formula node of abstract syntax tree occurs in using; The present invention can identify whole addressable expression formulas and derive its type by the type derivation rule of type system, guarantees to identify the pointer that whole pointers is quoted and is cited, thereby has guaranteed the accuracy of discerning.Interval arithmetic of the present invention and pointer analysis are all taked the strategy guarded, may value when the interval that guarantees the variable that interval arithmetic goes out comprises all operations, sensing possible when comprising all operations is gathered in the sensing that guarantees the pointer that pointer analysis goes out, thereby has guaranteed the reliability of analyzing.The null pointer that the present invention carries out is quoted defects detection and is based on that reliable analysis result carries out, the pointer of being discerned that is cited is adopted reliable analysis strategy, pointer that can clear and definite pointed information quoted have clear and definite testing result, pointer that can not clear and definite its directional information quoted have uncertain testing result, thereby guaranteed the adequacy that detects.
Description of drawings
Fig. 1 fully detects the method flow synoptic diagram that null pointer is quoted defective for the present invention;
Fig. 2 is the conservative interval arithmetic carried out based on the control flow graph and the schematic flow sheet of pointer analysis;
The schematic flow sheet of Fig. 3 for variable is carried out abstract internal memory modeling;
Pointer analysis and the interval arithmetic process flow diagram of Fig. 4 for every statement being carried out according to the pairing statement type of present node;
Fig. 5 is the pointer analysis and the interval arithmetic procedure chart of the assignment expression of complex data structures type for the left side expression formula;
Fig. 6 is the procedure chart of the preposition constraint condition of generating function summary;
Fig. 7 is the processing flow chart of the preposition constraint condition of the relevant pointer that is cited of establishment;
Fig. 8 quotes the procedure chart that the defect state machine is created for the identification and the null pointer of all detected pointers.
Embodiment
The technical solution of the present invention is further elaborated below in conjunction with the drawings and specific embodiments.
Fig. 1 fully detects the method flow synoptic diagram that null pointer is quoted defective for the present invention, and as shown in Figure 1, described method comprises:
Step 101: read tested application file, lexical analysis and grammatical analysis are carried out in tested application, generate the abstract syntax tree of tested application, generate the control flow graph of the tested application controls structure of reflection according to described abstract syntax tree, and create the symbol table system and the type system of tested application according to described abstract syntax tree, identify whole addressable expression formulas of tested application based on abstract syntax tree;
Concrete, the present invention utilizes aid to generate the abstract syntax tree of tested application; Described aid comprises JJtree;
Concrete, describedly identify whole addressable expression formulas of tested application based on abstract syntax tree, comprising:
Identify the symbol of all definition of tested application and the addressable expression formula of all uses based on abstract syntax tree; Wherein,
Identify the symbol of all definition of tested application based on abstract syntax tree, comprising:
Discern the function of all definition, and the function of identification is joined in the respective action territory as a symbol;
Discern the structure and the associating of all definition; And the structure that identifies joined in the respective action territory with uniting as a symbol; Identify the member of structure and associating, and join in the respective action territory;
Discern the variable of all definition; Wherein, when type of variables is pointer, variable is added in the corresponding action scope as a pointer type symbol, with quoting of pointer as a variable to be identified; When type of variables is array, variable is added in the corresponding action scope as an array type symbol, with each member of array as a variable to be identified; Type of variables is structure or when associating, variable is added in the corresponding action scope as a structure and union type symbol, with each member of structure and associating as a variable to be identified; Otherwise, variable as a fundamental type symbol, is added in the corresponding action scope.
Identify the addressable expression formula of all uses of tested application based on abstract syntax tree, comprising:
Postfix expression node from the abstract syntax tree is discerned the postfix expression of all uses;
Unary expression node from the abstract syntax tree is discerned the pointer REFER expression of all uses.
All kinds of symbols that the present invention adopts other action scope storage of four levels to identify, SourceFileScope is the source file action scope, a file has only a SourceFileScope; ClassScope is a class scope, corresponding structure, the associating of definition; MethodScope is a function scope, corresponding the function of definition; LocalScope is the local action territory, a piece in corresponding the function body.For id and id (exp), can obtain action scope by its definition.Lvexp.id, * lvexp, lvexp->id, lvexp[exp] action scope with father's layer expression formula lvexp is consistent respectively.
For satisfying extensibility, type system of the present invention has been taked the strategy of two-stage mapping.At first Token is done mapping in the source file level, for example general _ int64, _ int32, int be mapped to int.Second level data type mapping is the type that the data type of code level is mapped as the present invention's definition.
For the addressable expression formula that identifies, by type derivation rule its type of deriving.For the identifier variable of statement, state its type as can be known according to it.Variable for complex data type:
(1) if array, the type of its element as can be known;
(2) if pointer, the type of expression of its sensing as can be known;
(3) if structure, its each territory member's type as can be known;
For can not deriving its type by the type derivation rule by the addressable expression formula of statement identification.Different addressable type of expression derivation rules are:
The type of structure member exp.id is derived:
Array element exp[exp1] type derive:
The type of non-direct organization body member exp->id is derived:
The type of pointer REFER expression * exp is derived:
exp=(pe++)|(pe--)|(++pe)
Step 102: according to controlling interval arithmetic and the pointer analysis that flow graph is guarded tested application; And according to the result of interval arithmetic and pointer analysis, the generating function summary;
Concrete, described interval arithmetic and the pointer analysis of tested application being guarded according to the control flow graph comprises:
B1, the node number order when producing according to the control flow graph are got next node in the control flow graph as present node, if described present node be last node, then finish to travel through; Otherwise execution in step B2;
B2, the variable to occurring for the first time on the described present node are used the quaternary model<Variable based on the zone, Region, Expression, Domain〉described variable is carried out modeling, and carry out initial operation according to described type of variables, comprising: initial interval value is set; If type of variables is a pointer, it is set points to set for empty;
Wherein, Variable is the described variable that is modeled, the abstract region of memory of Region for distributing for described variable, and Expression is a character expression, Domain is an interval;
Each pointer except that the pointer of action scope that occurs on B3, the forerunner's node to described present node is asked its sensing union of sets on all forerunner's nodes of described present node, obtains the initial directional set of this pointer on described present node; Wherein, described action scope is the action scope in the symbol table system, is used to store all kinds of symbols that identify;
Each variable except that the variable of action scope that occurs on B4, the forerunner's node to described present node, ask its interval on all forerunner's nodes of described present node or the union of interval collection, obtain this variable and between initial interval on the described present node or original area, collect, then execution in step B5;
B5, judgement collection between initial interval that whether has certain variable on the described present node or original area is sky, if existence, after then this node of mark is the contradiction node, execution in step B1; If do not exist, execution in step B6 then;
B6, according to the pairing statement type of described present node, each pointer that has obtained initial directional set on this node is carried out conservative accordingly pointer analysis, each variable that has obtained to collect between initial interval value or original area on this node is carried out conservative accordingly interval arithmetic, carry out B1 then.
Here, described step B2 carries out modeling to described variable, specifically comprises:
When variable is fundamental type, use quaternary model that it is carried out modeling, be provided with between original area according to its particular type based on the zone; When variable is array element, set up the Region of array and father and son's hierarchical relationship of this variable R egion; When variable is structure or union type, set up father and son's hierarchical relationship of the Region of the Region of structure or associating and this variable; When variable is the pointer type, it is set points to set for empty, it is unsure that its original state is set.
Here, described step B6 specifically comprises:
B61, if the pairing statement type of described present node is an assignment statement, carry out B62; If the pairing statement type of described present node is a conditional statement, carry out B68;
If B62 is that pointer is quoted by assigned variable, carry out B63; If by assigned variable is pointer, carry out B65; If by the type of assigned variable is structure or associating, carry out B66; Otherwise, carry out B67;
If the sensing of the pointer that B63 is cited set has only an abstract region of memory, then will abstract region of memory as by the abstract region of memory of assignment, execution B62; If the sensing of the pointer that is cited set has a plurality of abstract region of memorys, carry out B64;
B64, will point to the set each abstract region of memory, its interval is the union of current interval of variable and right-hand member expression formula interval; If pointing to the abstract region of memory type of set is pointer type, then the sensing of each abstract region of memory set is current sensing set and right-hand member expression formula sensing union of sets collection; Carry out B69;
The interval of B65, pointer variable is the interval of right-hand member expression formula, and the sensing set of pointer variable is the sensing set of right-hand member expression formula;
If B66 is structure or associating by the type of assigned variable, with each member of this variable as one by assigned variable, each the corresponding member in the right-hand side expression as the right-hand side expression that is this member's assignment, is carried out B62;
If B67 is a fundamental type by the type of assigned variable, then according to being calculated the interval of expression formula in this assignment statement, and described interval by assigned variable is reset to the interval of this expression formula that newly calculates by the type of assigned variable and right-hand member expression formula;
B68, if the pairing statement type of described present node be the condition judgment statement, then to each associated pointer of this node get initial may point to collection after, analyze each associated pointer of this node points to may gather and must gather in described condition judgment statement; After each associated variable of this node got initial may the collection, calculate may collecting and must collecting of the value of each associated variable of this node in described condition judgment statement, and then obtain the described variable-value situation in the true and false branch in the pairing control flow graph of this node;
B69, finish processing to current statement.
Concrete, described generating function summary specifically comprises:
The preposition constraint condition of generating function summary; The characteristic information of generating function summary; The rearmounted constraint condition of generating function summary.
Here, the preposition constraint condition of described generating function summary specifically comprises:
Identify that to need restrained, type be the function parameter and the global variable of pointer;
Calculate the weak constraint condition of restrained pointer.
Here, the characteristic information of described generating function summary specifically comprises:
Analytic function calls the situation that causes that control stream changes;
The rreturn value of computing function.
Here, the rearmounted constraint condition of described step generating function summary specifically comprises:
Analytic function calls pointer type shape is participated in the points relationship of pointer type global variable and the renewal of state;
Analytic function calls the data stream of global variable is upgraded.
Step 103: identify the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, and each pointer that is cited is created null pointer quote defect state machine example;
Concrete, describedly identify the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, comprising:
Identify the pointer that all processes pointer interior and interprocedual is quoted and is cited;
Wherein, the interior pointer of all processes is quoted specifically and is comprised:
On the unary expression node of abstract syntax tree, identify pointer and quote, and the pointer that is cited;
The pointer that identifies on the postfix expression node of abstract syntax tree is quoted, and the pointer that is cited;
All interprocedual pointers are quoted specifically and are comprised:
On the unary expression node of abstract syntax tree, identify the function call expression formula;
When if the function that is called of function call expression formula correspondence has the function summary, then obtain the preposition constraint condition of function summary, and whole restrained variablees in the described preposition constraint condition, real ginseng that will be corresponding with described restrained variable or global variable are as the pointer that is cited; If when the function that is called of function call expression formula correspondence does not have the function summary, will pass to all pointer type parameters of the function that is called as the pointer that is cited.
Step 104: quote defect state machine example based on control flow graph operation null pointer, on each node of control flow graph, result according to interval arithmetic, pointer analysis carries out state transition to each defect state machine example, determines that pointerforsafety quotes that set is quoted in set, null pointer, uncertain pointer is quoted set.
Fig. 2 the present invention is based on the conservative interval arithmetic that the control flow graph carries out and the method flow synoptic diagram of pointer analysis, and this method may further comprise the steps:
Step 201: the node number order when producing according to the control flow graph, the next node of getting the control flow graph is as present node; Execution in step 202 then;
Step 202: judge whether described present node is last node, if not, execution in step 203; If, execution in step 212;
Step 203: next forerunner's node of getting present node in order is current forerunner's node;
Step 204: judge whether present node is branch node, if, execution in step 205; Otherwise, execution in step 206;
Step 205: the Branch Computed conditional expression limits sensing limiting set interval and pointer to the value of each symbol, and with the sensing set of each pointer of the sensing limiting set of the pointer that calculates and forerunner's node ask friendships, the value of each symbol that will calculate limits interval each symbol interval with forerunner's node and asks friendship, and the sensing of each symbol interval of forerunner's node and each pointer gathered be updated to the result who asks after the friendship; Execution in step 206 then;
Step 206: each variable symbol expression formula value and each symbol interval to current forerunner's node merge to present node; Sensing set to each pointer of current forerunner's node merges to present node with each pointed;
Step 207: judge whether current forerunner's node is last forerunner's node, if, execution in step 208; Otherwise, execution in step 203;
Step 208: judge whether to have on the present node to collect between initial interval value or original area for empty variable, if having, execution in step 209; If no, execution in step 210;
Step 209: the sign present node is the contradiction node, execution in step 201;
Step 210: the variable that occurs for the first time on the present node is carried out abstract internal memory modeling;
Step 211: according to the pairing statement type of described present node, each pointer that has obtained initial directional set on this node is carried out conservative accordingly pointer analysis, each variable that has obtained to collect between initial interval value or original area on this node is carried out conservative accordingly interval arithmetic; That is: gather according to the sensing of each pointer of expression parsing present node in the statement of present node correspondence, expression formula calculating in the corresponding statement of present node is mapped as corresponding symbolic computation, upgrades each symbol interval of present node, each abstract region of memory value, each variable symbol expression formula value; Then, execution in step 201;
Step 212: finish interval arithmetic and pointer analysis.
The stream sensitivity of guarding based on the control flow graph that the present invention proposes, the pointer analysis and the interval arithmetic of territory sensitivity guarantee that interval that sensing set at each pointer of control flow graph has comprised variable on may point under all true running statuses, each node has comprised the possible value under all true running statuses.
Concrete, the schematic flow sheet that in the step 210 variable is carried out abstract internal memory modeling specifically may further comprise the steps as shown in Figure 3:
Step 210a: describe the variable that occurs for the first time with abstract region of memory;
Step 210c: set up father and son's hierarchical relationship of the abstract region of memory of the abstract region of memory of father's variable of this variable and this variable, then execution in step 210h;
Step 210g: its state is initialized as URSURE, it is pointed to set be initialized as empty set.
Wherein, according to the pairing statement type of described present node, carry out conservative accordingly pointer analysis in the described step 211, and, carrying out conservative accordingly interval arithmetic, its schematic flow sheet specifically may further comprise the steps as shown in Figure 4:
Step 211b: carry out the pointer analysis and the interval arithmetic of assignment expression, according to equal sign left and right sides variable and expression formula information, obtain the new sensing set of the abstract region of memory of value, pointer correspondence between the newly developed area of abstract region of memory of correlated variables correspondence by algorithms of different; Then, execution in step 211g;
Step 211e: judge whether current statement is the condition judgment statement, if, execution in step 211f then, otherwise execution in step 211g;
Step 211g: finish interval arithmetic and pointer analysis to current statement.
Wherein, described step 211b carries out the pointer analysis and the interval arithmetic process of assignment expression, specifically may further comprise the steps:
Judge equal sign left side type of expression,, then carry out interval arithmetic and pointer analysis according to the different expression formula information in equal sign right side if equal sign left side expression formula is the pointer dereference; If equal sign left side expression formula is a pointer variable, then carry out interval arithmetic and pointer analysis according to the different expression formula information in equal sign right side; If equal sign left side expression formula is the complex data structures type, carry out interval arithmetic and pointer analysis according to the different expression formula information in equal sign right side; Otherwise, be basic data type with equal sign left side type of expression, carry out interval arithmetic and pointer analysis according to the different expression formula information in equal sign right side.
Further, when the left side type of expression is basic data type, if the right side is the pointer dereference, then obtain the be cited sensing set of pointer of right side, try to achieve the union of the symbol value of pointing to set abstract region of memory pointed, the symbol value of the abstract region of memory of left-hand variable is updated to the gained union; Otherwise, the symbol value of the abstract region of memory of left-hand variable is updated to the symbol value of right-hand side expression.
Further, when the left side type of expression when being cited pointer, obtain the be cited sensing set of pointer of left side, obtain to point to the corresponding abstract region of memory set of set;
If abstract region of memory is all processed, finishing the left side is the processing of the assignment statement of pointer dereference; Otherwise, get not processed abstract region of memory in the abstract region of memory set, judge then whether the left side type expression is complex data type, if, abstract region of memory is carried out interval arithmetic according to the different expression formula information in equal sign right side, if not, abstract region of memory is carried out interval arithmetic and pointer analysis according to the different expression formula information in equal sign right side.
Further, when the left side type of expression is pointer variable,
The sensing set of the abstract region of memory of left side pointer variable correspondence is changed to sky; Judge whether right-hand side expression is address of variable, if address of variable adds the abstract region of memory of address, right side variable correspondence to the sensing set of the abstract region of memory of left side pointer, the value of the abstract region of memory of left side pointer is non-NULL (NOTNULL); If be not address of variable, analyze the sensing set and the value of right side pointer expression formula, the sensing set of giving to the abstract region of memory of left side pointer, the value of the value assignment of right-hand side expression being given the abstract region of memory of left side pointer are gathered in the sensing of right-hand side expression.
Further, when the left side type of expression was the complex data structures type, the pointer analysis of its assignment expression and interval arithmetic process specifically may further comprise the steps as shown in Figure 5:
Step 501: if judge that the right-hand side expression type is the pointer dereference, then execution in step 503; Otherwise, execution in step 502;
Step 502: obtain the abstract region of memory of right-hand side expression correspondence, with the member of abstract region of memory one by one assignment give the member of the abstract region of memory of left side expression formula correspondence, execution in step 509 then;
Step 503: obtain the be cited abstract region of memory of pointer of right side, obtain the pointed set of abstract region of memory, set obtains abstract region of memory S set pointed based on pointed;
Step 504: from abstract region of memory S set pointed, take out one abstract region of memory R1;
Step 505: with the member of abstract region of memory R1 one by one assignment give the member of the abstract region of memory of left side expression formula correspondence;
Step 506: if do not have untreated abstract region of memory, execution in step 509 in the abstract region of memory S set; Otherwise, execution in step 507;
Step 507: take out a untreated abstract region of memory R2;
Step 508: the member of the abstract region of memory that the member of abstract region of memory R2 is corresponding with the left side expression formula asks union, and will ask union as a result assignment give the member of the abstract region of memory of left side expression formula correspondence; Execution in step 506 then;
Step 509: finishing equal sign left side expression formula is the processing of complex data structures type assignment statement.
The pointer analysis and the interval arithmetic process of the function call statement that wherein said step 211d describes specifically may further comprise the steps:
The be called function summary of function of acquisition;
Obtain the rearmounted constraint condition of function summary, obtain to have produced in the rearmounted constraint condition function parameter and the global variable of the reference type of spinoff;
Function parameter and global variable to the reference type that produced spinoff upgrade its interval value and directional information based on rearmounted constraint condition.
The present invention considers that the variable in whole analyzed function scopes comprises top variable and member variable when carrying out interprocedural analysis establishment function summary.Consider the reliability of the weak constraint condition of each restrained variable simultaneously with conservative guarantee analysis.The reliability of the present invention for guarantee analyzing when bound variable is retrained, taked the strategy guarded, and its constraint condition is selected than the weak constraint condition a little less than the full-scale condition restriction ability, and the most weak precondition is an empty condition.Function of the present invention summary is quoted to detect for null pointer and is prepared, so the variable of the preposition constraint condition constraint of function summary is members of pointer type by the function parameter of the pointer type of dereference and global variable and they; The rearmounted constraint condition of function summary is by parameter and the global variable and their member to pointer type of this function side effects; The characteristic information of function summary comprises information such as the rreturn value, the termination of control stream of function.
Concrete, the generating function summary comprises: the preposition constraint condition of generating function summary, the characteristic information of generating function summary; And, the rearmounted constraint condition of generating function summary;
Wherein, the process of the preposition constraint condition of generating function summary specifically may further comprise the steps as shown in Figure 6:
Step 601: obtain the set of pointers S1 that is cited in the current function;
Step 602: judge whether the pointer among the S1 disposes, if the pointer among the S1 is handled execution in step 609; Otherwise, execution in step 603;
Step 603: get pointer P1 who is not created constraint among the S1; Then, execution in step 604;
Step 604: judge whether the statement that pointer P1 is cited appears on the contradiction node, if on the contradiction node, execution in step 602; Otherwise, execution in step 605;
Step 605: judge the value of the abstract region of memory of pointer P1 correspondence, if the value of the abstract region of memory of pointer P1 correspondence is UNKNOWN, execution in step 602; Otherwise, execution in step 606;
Step 606: the sensing S set 2 that obtains the abstract region of memory of pointer P1 correspondence;
Step 607: judge whether S2 is empty, if be empty, execution in step 602; Otherwise, execution in step 608;
Step 608: based on the preposition constraint condition of the relevant pointer that is cited of S2 establishment, execution in step A2 then;
Step 609: finish to work as pre-treatment.
Wherein, the treatment scheme of the preposition constraint condition of the relevant pointer that is cited of described step 608 establishment specifically may further comprise the steps as shown in Figure 7:
Step 608g: as restrained variable, constraint condition is C3 with P2; Execution in step 608a;
Step 608i: finish to work as pre-treatment.
From syntax rule, pointer is quoted total * p, p[exp], three kinds of grammatical forms of p->id, the pointer that wherein is cited is p; If but pointer is restrained, then real ginseng or the global variable that transmission is detected at current function calls point place need called.Therefore, the present invention will be divided into detection and interprocedual detection in the process to the detection that pointer is quoted.Wherein, the pointer that detects in the process is to be cited but not restrained pointer of going out; During pointer that interprocedual detects function call point place be called function make a summary the global variable that retrains in the preposition constraint condition and with preposition constraint condition in corresponding real ginseng of shape ginseng that retrain.For built-in function, take the mode of artificial generating function summary.If invoked function does not have function summary, the Bao Shou parameter that requires each pointer type non-NULL all then.
The identification of all detected pointers and null pointer are quoted process that the defect state machine creates as shown in Figure 8, may further comprise the steps:
Step 801: search symbolic pointer from abstract syntax tree and quote grammatical form * p, p[exp], the node of p->id, obtain node set S1;
Step 802: if the node among the S1 is all processed, then execution in step 804; Otherwise, get untreated node N among the S1;
Step 803: if the variable P1 on the node N is the pointer type, and not restrained going out, be not created the defect state machine yet, then, P1 quotes the defect state machine for creating null pointer; Execution in step 802;
Step 804: the node set S2 that searches the function call correspondence from abstract syntax tree;
Step 805: if the node among the S2 is all processed, then execution in step 813; Otherwise, get untreated node N among the S2;
Step 806: if the function that is called of node N correspondence does not have the function summary, then execution in step 810;
Step 807: if the preposition constraint condition of the function of the function that is called of node N correspondence summary is sky, execution in step 805; Otherwise the variable that obtains preposition constraint condition constraint is gathered S3;
Step 808: if the variable among the S3 is all processed, then execution in step 805; Otherwise, get not processed bound variable P2 among the S3, obtain real ginseng or the global variable P3 corresponding with bound variable P2;
Step 809:, then quote the defect state machine for P3 creates null pointer if there is the possibility that satisfies the constraint condition of bound variable P2 in the function summary in the variable-value on the current statement corresponding node; Execution in step 808.
Step 810: the real ginseng S set 4 of the pointer type that the function call point of acquisition node N correspondence transmits;
Step 811: all processed as the variable in the fruit ginseng S set 4, then execution in step 805; Otherwise, get not processed parameter P4 among the S4;
Step 812: quote the defect state machine for parameter P4 creates null pointer;
Step 813: the establishment that end is quoted defect state machine example to the null pointer of current institute function.
Null pointer of the present invention is quoted defects detection and is based on the control flow graph and carries out, and carries out the state transition that null pointer is quoted the defect state machine based on the state of pointer on control stream node.If pointer is to have carried out security reference under non-dummy status, then the state transition of state machine is to Satefy, pointer quoted be input to pointerforsafety and quote set; If carried out null pointer quote under dummy status, the state transition of state machine is to Error, pointer quoted be input to null pointer and quote set; If carried out pointer quote under nondeterministic statement, the state transition of state machine is to Dubious, pointer quoted be input to uncertain pointer and quote set.
The above is preferred embodiment of the present invention only, is not to be used to limit protection scope of the present invention.
Claims (10)
1. one kind is fully detected the method that null pointer is quoted defective, it is characterized in that described method comprises:
Read tested application file, lexical analysis and grammatical analysis are carried out in tested application, generate the abstract syntax tree of tested application, generate the control flow graph of the tested application controls structure of reflection according to described abstract syntax tree, and create the symbol table system and the type system of tested application according to described abstract syntax tree, identify whole addressable expression formulas of tested application based on abstract syntax tree;
Interval arithmetic and the pointer analysis tested application guarded according to described control flow graph, and according to the result of interval arithmetic and pointer analysis, generating function summary;
Identify the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, and each pointer that is cited is created null pointer quote defect state machine example;
Quote defect state machine example based on described control flow graph operation null pointer, each node for described control flow graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and definite null pointer is quoted, and set is quoted in set, pointerforsafety, uncertain pointer is quoted set.
2. method according to claim 1 is characterized in that, describedly identifies whole addressable expression formulas of tested application based on abstract syntax tree, comprising:
Identify the symbol of all definition of tested application and the addressable expression formula of all uses based on abstract syntax tree.
3. method according to claim 2 is characterized in that, the described addressable expression formula that identifies all uses of tested application based on abstract syntax tree comprises:
Postfix expression node from the abstract syntax tree is discerned the postfix expression of all uses;
Unary expression node from the abstract syntax tree is discerned the pointer REFER expression of all uses.
4. method according to claim 1 is characterized in that, described interval arithmetic and the pointer analysis of tested application being guarded according to the control flow graph comprises:
A1, the node number order when producing according to the control flow graph get next node in the control flow graph as present node, and when described present node be last node, pre-treatment were worked as in end; Otherwise execution in step A2;
A2, the variable to occurring for the first time on the described present node are used the quaternary model<Variable based on abstract region of memory, Region, Expression, Domain〉described variable is carried out modeling, and carry out initial operation according to described type of variables, and initial interval value is set; If type of variables is a pointer, described variable then is set points to set for empty; Wherein, Variable is the described variable that is modeled, the abstract region of memory of Region for distributing for described variable, and Expression is a character expression, Domain is an interval;
Each pointer except that the pointer of action scope that occurs on A3, the forerunner's node to described present node, determine the sensing union of sets collection of each pointer on all forerunner's nodes of described present node, obtain the initial directional set of pointer on described present node; Wherein, described action scope is the action scope in the symbol table system;
A4, to each variable except that the variable of action scope of forerunner's node of described present node, determine the union of the interval of each variable on all forerunner's nodes of described present node or the union of interval collection, obtain variable and between initial interval on the described present node or original area, collect; Judgement collects between initial interval that whether has certain variable on the described present node or original area for empty, if exist, then this node of mark is the contradiction node, execution in step A1; If do not exist, execution in step A6 then;
A5, according to the statement type of described present node correspondence, to each has obtained the pointer analysis that the pointer of initial directional set is guarded on this node, the interval arithmetic that each variable that has obtained to collect between initial interval value or original area on this node is guarded, and carry out A1.
5. method according to claim 4 is characterized in that, described described variable is carried out modeling, comprising:
When variable is array element, also set up the Region of array and father and son's hierarchical relationship of this variable R egion; When variable is structure or union type, also set up father and son's hierarchical relationship of the Region of the Region of the Region of structure or associating and this variable; When variable is pointer type, variable also is set points to set for empty, it is uncertain unsure state that the variable original state is set.
6. method according to claim 4 is characterized in that, described steps A 5 comprises:
A51, if the pairing statement type of described present node be assignment statement, then carry out A52; If the pairing statement type of described present node is a conditional statement, then carry out A58;
A52, determine that by assigned variable be pointer when quoting, carry out A53; When determining to be pointer, carry out A55 by assigned variable; When determining to be structure or associating, carry out A56 by the type of assigned variable; Otherwise, carry out A57;
If the sensing of the pointer that A53 is cited set has only an abstract region of memory, then will abstract region of memory conduct by the abstract region of memory of assignment, then carry out A52; If the sensing of the pointer that is cited set has a plurality of abstract region of memorys, then carry out A54;
A54, definite interval that points to each abstract region of memory of set are the union of current interval of variable and right-hand member expression formula interval; If pointing to the abstract region of memory type of set is pointer type, the sensing set of then determining each abstract region of memory is that current sensing set and right-hand member expression formula are pointed to the union of sets collection; End is to the processing of current statement;
A55, determine that the interval of pointer variable is the interval of right-hand member expression formula, determine the sensing set of the sensing set of pointer variable for the right-hand member expression formula;
If A56 is structure or associating by the type of assigned variable, with each member of this variable as one by assigned variable, each the corresponding member in the right-hand side expression as the right-hand side expression that is this member's assignment, and is carried out A52;
If A57 is a fundamental type by the type of assigned variable, then according to being determined the interval of expression formula in this assignment statement, and described interval by assigned variable is reset to the interval of determined expression formula by the type of assigned variable and right-hand member expression formula;
A58, if the pairing statement type of described present node be the condition judgment statement, then to each associated pointer of this node get initial may point to collection after, analyze each associated pointer of this node points to may gather and must gather in described condition judgment statement; After each associated variable of this node got initial may the collection, calculate may collecting and must collecting of the value of each associated variable of this node in described condition judgment statement, obtain the value of the described variable in the true and false branch in the pairing control flow graph of this node.
7. method according to claim 1 is characterized in that, described generating function summary comprises:
Preposition constraint condition, characteristic information and the rearmounted constraint condition of generating function summary.
8. method according to claim 1 is characterized in that, describedly identifies the pointer that whole pointers is quoted and is cited according to described function summary and abstract syntax tree, comprising:
Identify the pointer that all processes pointer interior and interprocedual is quoted and is cited;
Wherein, the interior pointer of all processes is quoted and is comprised:
On the unary expression node of abstract syntax tree, identify pointer and quote, and the pointer that is cited;
The pointer that identifies on the postfix expression node of abstract syntax tree is quoted, and the pointer that is cited;
All interprocedual pointers are quoted and are comprised:
On the unary expression node of abstract syntax tree, identify the function call expression formula;
When if the function that is called of function call expression formula correspondence has the function summary, then obtain whole restrained variablees in the preposition constraint condition of function summary and the described preposition constraint condition, real ginseng that will be corresponding with described restrained variable or global variable are as the pointer that is cited; When if the function that is called of function call expression formula correspondence does not have the function summary, all pointer type parameters that then will pass to the function that is called are as the pointer that is cited.
9. method according to claim 1, it is characterized in that, describedly quote defect state machine example based on described control flow graph operation null pointer, each node for described control flow graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and definite null pointer quotes that set is quoted in set, pointerforsafety, uncertain pointer is quoted set, comprising:
B1, the node number order when producing according to the control flow graph are got next node in the control flow graph as present node, if described present node is last node, then finish the null pointer of current function is quoted detection; Otherwise execution in step B2;
The defect state machine example collection that occurs on B2, the forerunner's node to described present node, when the same pointer variable of a plurality of defect state machine examples associations, merge described a plurality of defect state machine example, as the new defect state machine example of this pointer variable correspondence;
B3, when the value of the pointer variable of the defect state machine example association of present node changes, determine that the state of the defect state machine example of variable correspondence produces migration;
B4, when on described present node, pointer occurring and quoting, according to the value of pointer on present node that be cited pointer is quoted and to be detected;
B5, the null pointer that finishes on the present node are quoted detection, carry out B1.
10. method according to claim 9 is characterized in that, and is described when pointer occurring quoting on described present node, according to the value of pointer on present node that be cited pointer quoted and detected, and also comprises:
When under non-dummy status, carrying out security reference, described pointer quoted be input to pointerforsafety and quote set;
Under dummy status, carry out null pointer when quoting, described pointer is quoted be input to null pointer and quote set;
Under nondeterministic statement, carried out pointer when quoting, described pointer is quoted be input to uncertain pointer and quote set.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310141769.0A CN103218296B (en) | 2013-04-22 | 2013-04-22 | A kind of method of abundant detection null pointer dereference defect |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310141769.0A CN103218296B (en) | 2013-04-22 | 2013-04-22 | A kind of method of abundant detection null pointer dereference defect |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103218296A true CN103218296A (en) | 2013-07-24 |
| CN103218296B CN103218296B (en) | 2015-12-02 |
Family
ID=48816114
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310141769.0A Expired - Fee Related CN103218296B (en) | 2013-04-22 | 2013-04-22 | A kind of method of abundant detection null pointer dereference defect |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103218296B (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103744776A (en) * | 2013-11-04 | 2014-04-23 | 北京邮电大学 | Static analysis method and system based on symbolic function abstracts |
| CN103914382A (en) * | 2014-03-25 | 2014-07-09 | 北京邮电大学 | Method for completely recognizing pointer quotation detection object |
| CN103955426A (en) * | 2014-04-21 | 2014-07-30 | 中国科学院计算技术研究所 | Method and device for detecting code C null-pointer reference |
| CN105607990A (en) * | 2014-11-19 | 2016-05-25 | 腾讯科技(成都)有限公司 | Null pointer crash mining method and device |
| CN106991050A (en) * | 2017-04-05 | 2017-07-28 | 西安邮电大学 | A kind of static test null pointer dereference defect false positive recognition methods |
| CN107239317A (en) * | 2017-06-07 | 2017-10-10 | 成都四象联创科技有限公司 | Executable program program optimization method |
| CN109426615A (en) * | 2017-09-01 | 2019-03-05 | 深圳市源伞新科技有限公司 | Null pointer dereference detection method, system, equipment and the medium of interprocedual |
| CN110188029A (en) * | 2019-03-15 | 2019-08-30 | 中山大学 | A kind of Java null pointer analysis system reaching analysis method based on definite value |
| CN110471669A (en) * | 2019-08-02 | 2019-11-19 | Xc5有限公司 | A kind of detection method and detection device of null pointer dereference |
| CN110633212A (en) * | 2019-09-04 | 2019-12-31 | 中国石油大学(华东) | Abstract memory model for static analysis of C program sequential storage structure |
| CN110674031A (en) * | 2019-09-04 | 2020-01-10 | 中国石油大学(华东) | Restricted set-based automatic program semantic defect repairing method |
| CN111124484A (en) * | 2018-10-31 | 2020-05-08 | 上海奥陶网络科技有限公司 | Java program parameter optimization method |
| CN112612471A (en) * | 2020-11-19 | 2021-04-06 | 孙永杰 | Code processing method, device, equipment and storage medium |
| CN114595148A (en) * | 2022-03-02 | 2022-06-07 | 北京大学 | Java null pointer reference detection method and system based on data stream propagation analysis |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110175123A (en) * | 2019-05-22 | 2019-08-27 | 中国石油大学(华东) | One kind being based on the Event correlation recognition methods of character expression static defect |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286132A (en) * | 2008-06-02 | 2008-10-15 | 北京邮电大学 | Test method and system based on software defect mode |
| CN101894064A (en) * | 2009-05-21 | 2010-11-24 | 北京邮电大学 | Method for testing software by applying across function analysis |
-
2013
- 2013-04-22 CN CN201310141769.0A patent/CN103218296B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286132A (en) * | 2008-06-02 | 2008-10-15 | 北京邮电大学 | Test method and system based on software defect mode |
| CN101894064A (en) * | 2009-05-21 | 2010-11-24 | 北京邮电大学 | Method for testing software by applying across function analysis |
Non-Patent Citations (2)
| Title |
|---|
| 张冠楠: "《第三届全国软件测试会议与移动计算、栅格、智能化高级论坛论文集》", 15 August 2009 * |
| 杨睿等: "《Java中空指针引用故障的静态检测方法》", 《清华大学学报》 * |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103744776B (en) * | 2013-11-04 | 2016-11-16 | 北京邮电大学 | A kind of Static Analysis Method based on symbolization function summary and system |
| CN103744776A (en) * | 2013-11-04 | 2014-04-23 | 北京邮电大学 | Static analysis method and system based on symbolic function abstracts |
| CN103914382A (en) * | 2014-03-25 | 2014-07-09 | 北京邮电大学 | Method for completely recognizing pointer quotation detection object |
| CN103914382B (en) * | 2014-03-25 | 2016-06-29 | 北京邮电大学 | A kind of abundant identification pointer quotes the method for detection object |
| CN103955426A (en) * | 2014-04-21 | 2014-07-30 | 中国科学院计算技术研究所 | Method and device for detecting code C null-pointer reference |
| CN105607990A (en) * | 2014-11-19 | 2016-05-25 | 腾讯科技(成都)有限公司 | Null pointer crash mining method and device |
| CN105607990B (en) * | 2014-11-19 | 2019-07-05 | 腾讯科技(成都)有限公司 | A kind of method for digging and device of null pointer collapse |
| CN106991050B (en) * | 2017-04-05 | 2020-05-29 | 西安邮电大学 | False positive identification method for reference defect of static test null pointer |
| CN106991050A (en) * | 2017-04-05 | 2017-07-28 | 西安邮电大学 | A kind of static test null pointer dereference defect false positive recognition methods |
| CN107239317A (en) * | 2017-06-07 | 2017-10-10 | 成都四象联创科技有限公司 | Executable program program optimization method |
| CN109426615B (en) * | 2017-09-01 | 2022-01-28 | 深圳市源伞新科技有限公司 | Inter-process null pointer dereference detection method, system, device, and medium |
| CN109426615A (en) * | 2017-09-01 | 2019-03-05 | 深圳市源伞新科技有限公司 | Null pointer dereference detection method, system, equipment and the medium of interprocedual |
| CN111124484B (en) * | 2018-10-31 | 2023-09-01 | 上海奥陶网络科技有限公司 | Java program parameter optimization method |
| CN111124484A (en) * | 2018-10-31 | 2020-05-08 | 上海奥陶网络科技有限公司 | Java program parameter optimization method |
| CN110188029A (en) * | 2019-03-15 | 2019-08-30 | 中山大学 | A kind of Java null pointer analysis system reaching analysis method based on definite value |
| CN110471669B (en) * | 2019-08-02 | 2023-09-05 | 支付宝知识产权控股公司 | Null pointer reference detection method and detection device |
| CN110471669A (en) * | 2019-08-02 | 2019-11-19 | Xc5有限公司 | A kind of detection method and detection device of null pointer dereference |
| CN110633212B (en) * | 2019-09-04 | 2022-07-26 | 中国石油大学(华东) | Data flow analysis method based on abstract memory model |
| CN110674031B (en) * | 2019-09-04 | 2022-09-30 | 中国石油大学(华东) | Restricted set-based automatic program semantic defect repairing method |
| CN110674031A (en) * | 2019-09-04 | 2020-01-10 | 中国石油大学(华东) | Restricted set-based automatic program semantic defect repairing method |
| CN110633212A (en) * | 2019-09-04 | 2019-12-31 | 中国石油大学(华东) | Abstract memory model for static analysis of C program sequential storage structure |
| CN112612471B (en) * | 2020-11-19 | 2021-11-09 | 北京鸿渐科技有限公司 | Code processing method, device, equipment and storage medium |
| CN112612471A (en) * | 2020-11-19 | 2021-04-06 | 孙永杰 | Code processing method, device, equipment and storage medium |
| CN114595148A (en) * | 2022-03-02 | 2022-06-07 | 北京大学 | Java null pointer reference detection method and system based on data stream propagation analysis |
| CN114595148B (en) * | 2022-03-02 | 2024-04-16 | 北京大学 | Java null pointer reference detection method and system based on data stream propagation analysis |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103218296B (en) | 2015-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103218296A (en) | Method of fully detecting null pointer reference defects | |
| CN110334740A (en) | The electrical equipment fault of artificial intelligence reasoning fusion detects localization method | |
| Engelson et al. | Error correction in mobile robot map learning | |
| CN107949812A (en) | For detecting the abnormal combined method in water distribution system | |
| CN104536883B (en) | A kind of static defect detection method and its system | |
| CN102073588B (en) | Code static analysis based multithread deadlock detection method and system | |
| CN107590073A (en) | Automatic example generation method based on path Coverage Software Testing | |
| Phillips et al. | Deep multi-task learning for joint localization, perception, and prediction | |
| CN102565845B (en) | Gamma ray spectrometry radionuclide identification method utilizing multiple detectors | |
| CN108804326B (en) | Automatic software code detection method | |
| ES2809466T3 (en) | Procedure for the improved detection of process anomalies of a technical installation and corresponding diagnostic system | |
| CN108257365B (en) | Industrial alarm design method based on global uncertainty evidence dynamic fusion | |
| CN107038380A (en) | A kind of leak detection method and system based on performance of program tree | |
| CN110501671A (en) | A kind of method for tracking target and device based on measurement distribution | |
| CN107247668A (en) | Code automatic detection and bearing calibration | |
| CN109522221A (en) | A kind of method and system improving fuzz testing efficiency | |
| CN104931989A (en) | Method and device for detecting abnormal point in movement locus | |
| CN105701016A (en) | Test method for exception handling codes | |
| CN105159827A (en) | Reliability accelerated testing method for GUI software | |
| CN113916306B (en) | Pipeline defect detection and positioning method based on multi-sensing information fusion | |
| Radlak et al. | Organization of machine learning based product development as per ISO 26262 and ISO/PAS 21448 | |
| Hroob et al. | Benchmark of visual and 3D lidar SLAM systems in simulation environment for vineyards | |
| CN106681851A (en) | Defect report missing analysis and solving method of code-level memory in program | |
| CN103914382B (en) | A kind of abundant identification pointer quotes the method for detection object | |
| CN107168881A (en) | Code positioning and processing method extremely |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20151202 Termination date: 20210422 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |