CN103218296B - A kind of method of abundant detection null pointer dereference defect - Google Patents

Abstract

The invention discloses a kind of method of abundant detection null pointer dereference defect, comprising: the whole addressable expression formulas identifying tested application based on abstract syntax tree; The interval arithmetic of tested application being guarded according to controlling stream graph and pointer analysis according to the result of interval arithmetic and pointer analysis, generating function is made a summary; Identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and null pointer dereference defect state machine example is created to each pointer be cited; Run null pointer dereference defect state machine example based on controlling stream graph, on each node of controlling stream graph, the result according to interval arithmetic, pointer analysis carries out state transition to each defect state machine example, carries out null pointer dereference detection.Adopt the present invention, what effectively can solve null pointer dereference defect fails to report problem, realizes null pointer dereference defects detection zero and fails to report and low wrong report.

Description

A kind of method of abundant detection null pointer dereference defect

Technical field

The present invention relates to the null pointer detection technique in software static test technology, particularly relate to a kind of method of abundant detection null pointer dereference defect.

Background technology

Software test is a kind of process ensureing software quality, and its basic goal is by some cost-effective methods, goes the various defects finding to exist in software with the least possible time and manpower, and then ensures the quality of software.For software test, classify from based on the need of the angle running tested software, software test is divided into dynamic test and static test, and wherein, static test is also referred to as static analysis.Static test is actual motion tested software not, but scan source application, therefrom find out the situations such as textural anomaly, control flow check exception and the data flow anomaly that may lead to errors.Static test compares dynamic test, has low, the easy realization of cost, can cover all paths, and do not rely on the advantage of specific running environment; Its shortcoming is the problem found is not often real problem, needs manual confirmation to investigate.

Existing static test exists to be reported by mistake in a large number or fails to report situation.And the existence of wrong report needs manual confirmation to get rid of; The existence of failing to report can cause application to have the illusion of better quality, but the defect failed to report is triggered once at running software, may cause uncertain adverse consequences.

At present, representative aacode defect static test instrument mainly contain Stanford University research project Metal, University of Maryland research and development Java application static test instrument FindBugs, the Java application static test instrument PMD increased income, Klocwork company of the U.S. research and develop aacode defect testing tool K8.

But by using above-mentioned testing tool to test null pointer dereference, all can there is wrong report in various degree and failing to report situation.Therefore, how reducing rate of false alarm and the rate of failing to report of null pointer dereference defect, is the problem needing solution at present badly.

Summary of the invention

In view of this, fundamental purpose of the present invention is a kind of method providing abundant detection null pointer dereference defect, and what not only solve null pointer dereference defect fails to report problem, and can realize failing to report and low wrong report zero of null pointer dereference defect.

For achieving the above object, technical scheme of the present invention is achieved in that

The invention provides a kind of method of abundant detection null pointer dereference defect, described method comprises:

Read tested application file, lexical analysis and grammatical analysis are carried out to tested application, generate the abstract syntax tree of tested application, the controlling stream graph of the tested application controls structure of reflection is generated according to described abstract syntax tree, and symbol table system and the type system of tested application is created according to described abstract syntax tree, whole addressable expression formulas of tested application are identified based on abstract syntax tree;

The interval arithmetic of tested application being guarded according to described controlling stream graph and pointer analysis, and according to the result of interval arithmetic and pointer analysis, generating function is made a summary;

Identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and null pointer dereference defect state machine example is created to each pointer be cited;

Null pointer dereference defect state machine example is run based on described controlling stream graph, for each node of described controlling stream graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and determine null pointer dereference set, pointerforsafety quotes set, uncertain pointer quotes set.

In such scheme, the described whole addressable expression formulas identifying tested application based on abstract syntax tree, comprising:

The symbol of all definition of tested application and the addressable expression formula of all uses is identified based on abstract syntax tree.

In such scheme, the described addressable expression formula identifying all uses of tested application based on abstract syntax tree, comprising:

From the postfix expression of all uses of postfix expression node recognition abstract syntax tree;

From the pointer REFER expression of all uses of unary expression node recognition abstract syntax tree.

In such scheme, described interval arithmetic of guarding tested application according to controlling stream graph and pointer analysis, comprising:

A1, node number order when producing according to controlling stream graph, get next node in controlling stream graph as present node, and when described present node is last node, terminate to work as pre-treatment; Otherwise perform steps A 2;

A2, on described present node first time occur variable, with the model of DHGF <Variable based on abstract region of memory, Region, Expression, Domain> carries out modeling to described variable, and carry out initial operation according to described type of variables, and initial interval value is set; If type of variables is pointer, then described variable is set and points to set for empty; Wherein, Variable is the described variable be modeled, the abstract region of memory that Region distributes for described variable, and Expression is character expression, and Domain is interval;

Each pointer except the pointer of action scope that A3, predecessor node to described present node occur, determine the sensing union of sets collection of each pointer on all predecessor node of described present node, obtain the initial directional set of pointer on described present node; Wherein, described action scope is the action scope in symbol table system;

A4, each variable except the variable of action scope to the predecessor node of described present node, determine the union of interval of each variable on all predecessor node of described present node or the union of Interval Set, obtain the initial interval of variable on described present node or initial Interval Set; Judge whether to exist the initial interval of certain variable or initial Interval Set on described present node for empty, if exist, then marking this node is contradiction node, execution steps A 1; If do not exist, then perform steps A 6;

A5, the statement type corresponding according to described present node, to the pointer analysis that pointer having obtained initial directional set each on this node is guarded, to the interval arithmetic that each variable having obtained initial interval value or initial Interval Set on this node is guarded, and perform A1.

In such scheme, described modeling is carried out to described variable, comprising:

When variable is array element, also set up the Region of array and father and son's hierarchical relationship of this variable R egion; Variable be structure or union type time, also set up father and son's hierarchical relationship of the Region of the Region of structure or the Region of associating and this variable; When variable is pointer type, also arrange variable and point to set for empty, arranging variable original state is uncertain unsure state.

In such scheme, described steps A 5 comprises:

If the statement type corresponding to the described present node of A51 is assignment statement, then perform A52; If the statement type corresponding to described present node is conditional statement, then perform A58;

A52, to determine to be assigned variable be pointer when quoting, and performs A53; When determining that being assigned variable is pointer, perform A55; Determine to be assigned type of variables be structure or associating time, perform A56; Otherwise, perform A57;

If the sensing set of the pointer that A53 is cited only has an abstract region of memory, then using this abstract region of memory as the abstract region of memory be assigned, then perform A52; If the sensing set of the pointer be cited has multiple abstract region of memory, then perform A54;

A54, the interval of each abstract region of memory determining to point to set are the union of the current interval of variable and right-hand member expression formula interval; If the abstract region of memory type pointing to set is pointer type, then determine that the sensing set of each abstract region of memory is that current sensing set points to union of sets collection with right-hand member expression formula; Terminate the process to current statement;

A55, determine that the interval of pointer variable is the interval of right-hand member expression formula, determine that the sensing set of pointer variable is the sensing set of right-hand member expression formula;

If it is structure or associating that A56 is assigned type of variables, each member of this variable is assigned variable as one, using the member of each correspondence in right-hand side expression as the right-hand side expression for this member's assignment, and performs A52;

If it is fundamental type that A57 is assigned type of variables, then according to the interval being assigned type of variables and right-hand member expression formula and determining expression formula in this assignment statement, and the described interval being assigned variable is reset to the interval of determined expression formula;

If the statement type corresponding to the described present node of A58 is condition judgment statement, then to each pointer associated by this node get initial may point to collection after, what each pointer analyzed associated by this node pointed in described condition judgment statement may gather and must gather; After initial may collection is got to each variable associated by this node, calculate may collecting and must collecting of the value of each variable in described condition judgment statement associated by this node, obtain the value of the described variable in the controlling stream graph corresponding to this node in true and false branch.

In such scheme, described generating function summary, comprising:

Preposition constraint condition, characteristic information and rearmounted constraint condition that generating function is made a summary.

In such scheme, describedly identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, comprising:

Identify the pointer that all processes pointer that is interior and interprocedual is quoted and is cited;

Wherein, in all processes, pointer is quoted and is comprised:

The unary expression node of abstract syntax tree identifies pointer quote, and the pointer be cited;

The pointer that the postfix expression node of abstract syntax tree identifies is quoted, and the pointer be cited;

All interprocedual pointers are quoted and are comprised:

The unary expression node of abstract syntax tree identifies function call expression formula;

If when called function corresponding to function call expression formula has function to make a summary, then obtain whole restrained variable in the preposition constraint condition of function summary and described preposition constraint condition, using the argument corresponding with described restrained variable or global variable as the pointer be cited; If when called function corresponding to function call expression formula does not have function to make a summary, then will all pointer type parameters of called function be passed to as the pointer be cited.

In such scheme, described based on described controlling stream graph operation null pointer dereference defect state machine example, for each node of described controlling stream graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and determine null pointer dereference set, pointerforsafety quotes set, uncertain pointer quotes set, comprising:

B1, node number order when producing according to controlling stream graph, get next node in controlling stream graph as present node, if described present node is last node, then terminate to detect the null pointer dereference of current function; Otherwise perform step B2;

The defect state machine example collection that B2, predecessor node to described present node occur, when multiple defect state machine example associates same pointer variable, merge described multiple defect state machine example, as the new defect state machine example that this pointer variable is corresponding;

B3, when the value of the pointer variable that the defect state machine example of present node associates changes, determine the defect state machine example that variable is corresponding state produce migration;

B4, when described present node occurs that pointer is quoted, according to the value of pointer on present node that be cited pointer quoted and detect;

B5, the null pointer dereference terminated on present node detect, and perform B1.

In such scheme, described when occurring that pointer is quoted on described present node, according to the value of pointer on present node that be cited pointer quoted and detect, also comprise:

When carrying out security reference under non-null states, described pointer is quoted and is input to pointerforsafety and quotes set;

When carrying out null pointer dereference under dummy status, described pointer is quoted and is input to null pointer dereference set;

Under nondeterministic statement, carry out pointer when quoting, described pointer has been quoted and is input to uncertain pointer and quotes set.

The method of abundant detection null pointer dereference defect provided by the present invention, identifies whole addressable expression formulas of tested application based on abstract syntax tree; The interval arithmetic of tested application being guarded according to controlling stream graph and pointer analysis according to the result of interval arithmetic and pointer analysis, generating function is made a summary; Identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and null pointer dereference defect state machine example is created to each pointer be cited; Run null pointer dereference defect state machine example based on controlling stream graph, on each node of controlling stream graph, the result according to interval arithmetic, pointer analysis carries out state transition to each defect state machine example, carries out null pointer dereference detection.So, what efficiently solve null pointer dereference defect fails to report problem, can realize zero of null pointer dereference defect and fail to report and low wrong report, improve the adequacy of null pointer dereference defects detection, reliability and accuracy.

In addition, the abstract syntax tree that the present invention generates and measured source file have mapping relations, can identify the various expression formulas occurred in the application of source on the expression formula node of abstract syntax tree exactly; The present invention can identify whole addressable expression formulas and go out its type by the type inference rule induction of type system, and guarantee identifies the pointer that whole pointers is quoted and is cited, thus ensure that the accuracy of identification.Interval arithmetic of the present invention and pointer analysis all take the strategy guarded, may value when ensureing that the interval of the variable that interval arithmetic goes out comprises all operations, possible sensing when ensureing that the sensing set of the pointer that pointer analysis goes out comprises all operation, thus ensure that the reliability of analysis.The null pointer dereference defects detection that the present invention carries out is carried out based on reliable analysis result, reliable analysis strategy is adopted to the identified pointer be cited, the pointer of the clear and definite pointed information of energy is quoted there is clear and definite testing result, the pointer can not specifying its directional information is quoted there is uncertain testing result, thus ensure that the adequacy of detection.

Accompanying drawing explanation

Fig. 1 is the method flow schematic diagram that the present invention fully detects null pointer dereference defect;

Fig. 2 is the schematic flow sheet of conservative interval arithmetic and the pointer analysis carried out based on controlling stream graph;

Fig. 3 is schematic flow sheet variable being carried out to abstract internal memory modeling;

The pointer analysis that Fig. 4 carries out every bar statement for the statement type corresponding to present node and interval arithmetic process flow diagram;

Fig. 5 is left side expression formula is pointer analysis and the interval arithmetic procedure chart of the assignment expression of complex data structures type;

Fig. 6 is the procedure chart of the preposition constraint condition of generating function summary;

Fig. 7 is the processing flow chart of the preposition constraint condition creating the relevant pointer that is cited;

Fig. 8 is the identification of all detected pointers and the procedure chart of null pointer dereference defect state machine establishment.

Embodiment

Below in conjunction with the drawings and specific embodiments, the technical solution of the present invention is further elaborated.

Fig. 1 is the method flow schematic diagram that the present invention fully detects null pointer dereference defect, and as shown in Figure 1, described method comprises:

Step 101: read tested application file, lexical analysis and grammatical analysis are carried out to tested application, generate the abstract syntax tree of tested application, the controlling stream graph of the tested application controls structure of reflection is generated according to described abstract syntax tree, and symbol table system and the type system of tested application is created according to described abstract syntax tree, whole addressable expression formulas of tested application are identified based on abstract syntax tree;

Concrete, the present invention utilizes aid to generate the abstract syntax tree of tested application; Described aid comprises JJtree;

Concrete, the described whole addressable expression formulas identifying tested application based on abstract syntax tree, comprising:

The symbol of all definition of tested application and the addressable expression formula of all uses is identified based on abstract syntax tree; Wherein,

Identify the symbol of all definition of tested application based on abstract syntax tree, comprising:

Identify the function of all definition, and the function of identification is joined in respective action territory as a symbol;

Identify the structure of all definition and combine; And the structure identified is joined in respective action territory as a symbol with combining; Identify structure and the member combined, and join in respective action territory;

Identify the variable of all definition; Wherein, when type of variables is pointer, variable is added in corresponding action scope as a pointer type symbol, pointer quoted as a variable to be identified; When type of variables is array, variable is added in corresponding action scope as an array type symbol, using each member of array as a variable to be identified; Type of variables be structure or associating time, variable is added in corresponding action scope as a structure and union type symbol, using structure and each member combined as a variable to be identified; Otherwise, using variable as a fundamental type symbol, add in corresponding action scope.

Identify the addressable expression formula of all uses of tested application based on abstract syntax tree, comprising:

From the postfix expression of all uses of postfix expression node recognition abstract syntax tree;

From the pointer REFER expression of all uses of unary expression node recognition abstract syntax tree.

All kinds of symbols that the present invention adopts the action scope storage of four ranks to identify, SourceFileScope is source file action scope, and a file only has a SourceFileScope; ClassScope is class scope, correspond to the structure of definition, associating; MethodScope is function scope, correspond to the function of definition; LocalScope is local action territory, correspond to a block in function body.For id and id (exp), obtain action scope by its definition.Lvexp.id, * lvexp, lvexp-> id, lvexp [exp] is consistent with the action scope of father's layer expression formula lvexp respectively.

For meeting extensibility, type system of the present invention takes the strategy that two-stage maps.First to do Token in source file level and map, such as general _ int64, _ int32, int are mapped to int.Second level DATATYPES TO is the type that the present invention defines by the DATATYPES TO of code level.

For the addressable expression formula identified, by its type of type inference rule induction.For the identifier variable of statement, according to its statement its type known.Variable for complex data type:

(1) if array, the type of its element known;

(2) if pointer, the known type of expression that it points to;

(3) if structure, the type of its each territory member known;

For not by the addressable expression formula that statement identifies, go out its type by type inference rule induction.Different addressable type of expression derivation rule is:

The type inference of structure member exp.id:

The type inference of array element exp [exp1]:

The type inference of non-immediate structure member exp-> id:

The type inference of pointer REFER expression * exp:

exp＝(pe++)|(pe--)|(++pe)

Step 102: the interval arithmetic of tested application being guarded according to controlling stream graph and pointer analysis; And according to the result of interval arithmetic and pointer analysis, generating function is made a summary;

Concrete, described interval arithmetic of guarding tested application according to controlling stream graph and pointer analysis, comprising:

B1, node number order when producing according to controlling stream graph, get next node in controlling stream graph as present node, if described present node be last node, then terminate to travel through; Otherwise perform step B2;

B2, on described present node first time occur variable, with the model of DHGF <Variable based on region, Region, Expression, Domain> carries out modeling to described variable, and carry out initial operation according to described type of variables, comprising: initial interval value is set; If type of variables is pointer, it is set and points to set for empty;

Wherein, Variable is the described variable be modeled, the abstract region of memory that Region distributes for described variable, and Expression is character expression, and Domain is interval;

Each pointer except the pointer of action scope that B3, predecessor node to described present node occur, asks its sensing union of sets on all predecessor node of described present node, obtains the initial directional set of this pointer on described present node; Wherein, described action scope is the action scope in symbol table system, for storing all kinds of symbols identified;

Each variable except the variable of action scope that B4, predecessor node to described present node occur, ask its interval on all predecessor node of described present node or the union of Interval Set, obtain the initial interval of this variable on described present node or initial Interval Set, then perform step B5;

B5, the initial interval judging whether to exist certain variable on described present node or initial Interval Set are for empty, if exist, then marking this node is after contradiction node, execution step B1; If do not exist, then perform step B6;

B6, statement type corresponding to described present node, corresponding conservative pointer analysis is carried out to pointer having obtained initial directional set each on this node, corresponding conservative interval arithmetic is carried out to each variable having obtained initial interval value or initial Interval Set on this node, then performs B1.

Here, described step B2 carries out modeling to described variable, specifically comprises:

When variable is fundamental type, with the model of DHGF based on region, modeling is carried out to it, arrange between original area according to its particular type; When variable is array element, set up the Region of array and father and son's hierarchical relationship of this variable R egion; Variable be structure or union type time, set up father and son's hierarchical relationship of the Region of structure or associating and the Region of this variable; When variable is pointer type, arrange it and point to set for empty, arranging its original state is unsure.

Here, described step B6 specifically comprises:

If the statement type corresponding to the described present node of B61 is assignment statement, perform B62; If the statement type corresponding to described present node is conditional statement, perform B68;

If it is that pointer is quoted that B62 is assigned variable, perform B63; If being assigned variable is pointer, perform B65; If being assigned type of variables is structure or associating, perform B66; Otherwise, perform B67;

If the sensing set of the pointer that B63 is cited only has an abstract region of memory, then using this abstract region of memory as the abstract region of memory be assigned, perform B62; If the sensing set of the pointer be cited has multiple abstract region of memory, perform B64;

B64, will point to each abstract region of memory of set, its interval is the union of the current interval of variable and right-hand member expression formula interval; If the abstract region of memory type pointing to set is pointer type, then the sensing set of each abstract region of memory is that current sensing set points to union of sets collection with right-hand member expression formula; Perform B69;

The interval of B65, pointer variable is the interval of right-hand member expression formula, and the sensing set of pointer variable is the sensing set of right-hand member expression formula;

If it is structure or associating that B66 is assigned type of variables, each member of this variable is assigned variable as one, using the member of each correspondence in right-hand side expression as the right-hand side expression for this member's assignment, performs B62;

If it is fundamental type that B67 is assigned type of variables, then according to the interval being assigned type of variables and right-hand member expression formula and calculating expression formula in this assignment statement, and the described interval being assigned variable is reset to the interval of the expression formula that this newly calculates;

If the statement type corresponding to the described present node of B68 is condition judgment statement, then to each pointer associated by this node get initial may point to collection after, what each pointer analyzed associated by this node pointed in described condition judgment statement may gather and must gather; After initial may collection is got to each variable associated by this node, calculate may collecting and must collecting of the value of each variable in described condition judgment statement associated by this node, and then obtain the described variable-value situation in the controlling stream graph corresponding to this node in true and false branch;

B69, the process terminating current statement.

Concrete, described generating function summary specifically comprises:

The preposition constraint condition of generating function summary; The characteristic information of generating function summary; The rearmounted constraint condition of generating function summary.

Here, the preposition constraint condition of described generating function summary, specifically comprises:

Identify and need restrained, that type is pointer function parameter and global variable;

Calculate the weak constraint condition of restrained pointer.

Here, the characteristic information of described generating function summary, specifically comprises:

Analytic function calls the situation causing control flow check to change;

The rreturn value of computing function.

Here, the rearmounted constraint condition of described step generating function summary, specifically comprises:

Analytic function calls pointer type parameter and the points relationship of pointer type global variable and the renewal of state;

Analytic function calls and upgrades the data stream of global variable.

Step 103: identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and null pointer dereference defect state machine example is created to each pointer be cited;

Concrete, describedly identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, comprising:

Identify the pointer that all processes pointer that is interior and interprocedual is quoted and is cited;

Wherein, in all processes, pointer is quoted and is specifically comprised:

The unary expression node of abstract syntax tree identifies pointer quote, and the pointer be cited;

The pointer that the postfix expression node of abstract syntax tree identifies is quoted, and the pointer be cited;

All interprocedual pointers are quoted and are specifically comprised:

The unary expression node of abstract syntax tree identifies function call expression formula;

If when called function corresponding to function call expression formula has function to make a summary, then obtain the preposition constraint condition of function summary, and whole restrained variable in described preposition constraint condition, using the argument corresponding with described restrained variable or global variable as the pointer be cited; If when called function corresponding to function call expression formula does not have function to make a summary, will all pointer type parameters of called function be passed to as the pointer be cited.

Step 104: run null pointer dereference defect state machine example based on controlling stream graph, on each node of controlling stream graph, result according to interval arithmetic, pointer analysis carries out state transition to each defect state machine example, determines that pointerforsafety quotes set, null pointer dereference set, uncertain pointer quote set.

Fig. 2 is the method flow schematic diagram that the present invention is based on conservative interval arithmetic that controlling stream graph carries out and pointer analysis, and the method comprises the following steps:

Step 201: node number order when producing according to controlling stream graph, gets the next node of controlling stream graph as present node; Then step 202 is performed;

Step 202: judge whether described present node is last node, if not, performs step 203; If so, step 212 is performed;

Step 203: the next predecessor node getting present node is in order current predecessor node;

Step 204: judge whether present node is branch node, if so, performs step 205; Otherwise, perform step 206;

Step 205: Branch Computed conditional expression limits sensing limiting set that is interval and pointer to the value of each symbol, and the sensing set of the sensing limiting set of the pointer calculated and each pointer of predecessor node asked and hand over, the value of each symbol calculated limited and intervally ask friendship with each symbol interval of predecessor node, and each symbol interval of predecessor node and the sensing set of each pointer are updated to the result after asking friendship; Then step 206 is performed;

Step 206: present node is merged into each variable symbol expression formula value of current predecessor node and each symbol interval; Present node is merged into the sensing set of each pointer of current predecessor node and each pointed set;

Step 207: judge whether current predecessor node is last predecessor node, if so, performs step 208; Otherwise, perform step 203;

Step 208: judge whether present node has initial interval value or initial Interval Set are empty variable, if had, to perform step 209; If no, perform step 210;

Step 209: mark present node is contradiction node, performs step 201;

Step 210: abstract internal memory modeling is carried out to the variable that first time on present node occurs;

Step 211: according to the statement type corresponding to described present node, corresponding conservative pointer analysis is carried out to pointer having obtained initial directional set each on this node, corresponding conservative interval arithmetic is carried out to each variable having obtained initial interval value or initial Interval Set on this node; That is: according to the sensing set of each pointer of expression parsing present node in statement corresponding to present node, expression formula in the corresponding statement of present node is calculated and is mapped as corresponding symbolic computation, upgrade present node each symbol interval, each abstract region of memory value, each variable symbol expression formula value; Then, step 201 is performed;

Step 212: terminate interval arithmetic and pointer analysis.

What the present invention proposed carries out the stream guarded is responsive, territory is responsive pointer analysis and interval arithmetic based on controlling stream graph, ensure the interval of variable on may point under the sensing set of each pointer of controlling stream graph contains all true running statuses, each node contain all true running statuses under possible value.

Concrete, in step 210, the schematic flow sheet of abstract internal memory modeling is carried out as shown in Figure 3 to variable, specifically comprises the following steps:

Step 210a: the variable describing first time appearance with abstract region of memory;

Step 210b: if variable is the member variable of certain variable, then perform step 210c; Otherwise, perform step 210d;

Step 210c: the father and son's hierarchical relationship setting up the abstract region of memory of father's variable of this variable and the abstract region of memory of this variable, then performs step 210h;

Step 210d: whether judgment variable is numeric type variable, if so, performs step 210e; If not, then step 210f is performed;

Step 210e: its Interval Set is initialized as { [MIN, MAX] }, wherein, M1N and MAX is self-defining minimum value and maximal value, then performs step 210h;

Step 210f: whether judgment variable is Reference Type Variable, if so, performs step 210g; Otherwise, perform step 210h;

Step 210g: be URSURE by its state initialization, is pointed to set and is initialized as empty set.

Step 210h: terminate abstract internal memory modeling.

Wherein, the statement type in described step 211 corresponding to described present node, carries out corresponding conservative pointer analysis, and carry out corresponding conservative interval arithmetic, its schematic flow sheet as shown in Figure 4, specifically comprises the following steps:

Step 211a: whether the statement type judging present node is assignment statement, if so, performs step 211b; Otherwise, perform step 211c;

Step 211b: pointer analysis and the interval arithmetic of carrying out assignment expression, according to equal sign left and right sides variable and expression formula information, the new sensing set of value between the new district being obtained abstract region of memory corresponding to correlated variables by algorithms of different, abstract region of memory that pointer is corresponding; Then, step 211g is performed;

Step 211c: judge whether current statement is function call, if function call, then performs step 211d; Otherwise perform step 211e.

Step 211d: carry out interprocedual interval arithmetic and pointer analysis, does corresponding constraint according to parameter type to function internal information, if function inside operates reference object, then upgrades corresponding controlling stream graph nodal information; Then, step 211g is performed;

Step 211e: judge whether current statement is condition judgment statement, if so, then performs step 211f, otherwise performs step 211g;

Step 211f: the character expression corresponding to each variable associated by this node gets initial may collecting, the sensing set of each pointer, then may collecting and must collecting of the interval value of each character expression in described condition judgment statement associated by this node is calculated, analyze may pointing to set and set must being pointed to of the sensing set of each pointer in described judgement statement associated by this node, and then the value condition of character expression corresponding to described variable in the controlling stream graph obtaining corresponding to this node in true and false branch, the sensing situation of described pointer.

Step 211g: terminate the interval arithmetic to current statement and pointer analysis.

Wherein, described step 211b carries out pointer analysis and the interval arithmetic process of assignment expression, specifically comprises the following steps:

Judge type of expression on the left of equal sign, if expression formula is pointer dereference on the left of equal sign, then carry out interval arithmetic and pointer analysis according to expression formula information different on the right side of equal sign; If expression formula is pointer variable on the left of equal sign, then carry out interval arithmetic and pointer analysis according to expression formula information different on the right side of equal sign; If expression formula is complex data structures type on the left of equal sign, carry out interval arithmetic and pointer analysis according to expression formula information different on the right side of equal sign; Otherwise, be basic data type by type of expression on the left of equal sign, carry out interval arithmetic and pointer analysis according to expression formula information different on the right side of equal sign.

Further, when left side type of expression is basic data type, if right side is pointer dereference, then obtain right side to be cited the sensing set of pointer, try to achieve the union of the symbol value of the abstract region of memory pointed to pointed by set, the symbol value of the abstract region of memory of left-hand variable is updated to gained union; Otherwise, the symbol value of the abstract region of memory of left-hand variable is updated to the symbol value of right-hand side expression.

Further, when left side type of expression for be cited pointer time, obtain left side and to be cited the sensing set of pointer, obtain and point to abstract region of memory set corresponding to set;

If abstract region of memory is all processed, terminate the process of the assignment statement to left side being pointer dereference; Otherwise, to get in abstract region of memory set a not processed abstract region of memory, then judge whether left side type expression is complex data type, if, according to expression formula information different on the right side of equal sign, interval arithmetic is carried out to abstract region of memory, if not, according to expression formula information different on the right side of equal sign, interval arithmetic and pointer analysis are carried out to abstract region of memory.

Further, when left side type of expression is pointer variable,

The sensing set of abstract region of memory corresponding for left side pointer variable is set to sky; Judge whether right-hand side expression is address of variable, if address of variable, abstract region of memory corresponding for right side address variable is added to the sensing set of the abstract region of memory of left side pointer, the value of the abstract region of memory of left side pointer is non-NULL (NOTNULL); If not address of variable, analyze sensing set and the value of right side pointer expression formula, the sensing set of right-hand side expression is given to the sensing set of the abstract region of memory of left side pointer, by the value assignment of right-hand side expression to the value of the abstract region of memory of left side pointer.

Further, when left side type of expression is complex data structures type, the pointer analysis of its assignment expression and interval arithmetic process as shown in Figure 5, specifically comprise the following steps:

Step 501: right-hand side expression type is pointer dereference if judge, then perform step 503; Otherwise, perform step 502;

Step 502: obtain abstract region of memory corresponding to right-hand side expression, by the member of abstract region of memory one by one assignment to the member of abstract region of memory corresponding to left side expression formula, then perform step 509;

Step 503: the abstract region of memory of the pointer that is cited on the right side of obtaining, obtains the pointed set of abstract region of memory, the abstract region of memory S set pointed by obtaining based on pointed set;

Step 504: the abstract region of memory R1 taking out from pointed abstract region of memory S set;

Step 505: by the member of abstract region of memory R1 one by one assignment to the member of abstract region of memory corresponding to left side expression formula;

Step 506: if there is not untreated abstract region of memory in abstract region of memory S set, performs step 509; Otherwise, perform step 507;

Step 507: take out a untreated abstract region of memory R2;

Step 508: the member of abstract region of memory corresponding with left side expression formula for the member of abstract region of memory R2 is asked union, and will union result assignment be asked to the member of abstract region of memory corresponding to left side expression formula; Then step 506 is performed;

Step 509: terminating is the process of complex data structures type assignment statement to expression formula on the left of equal sign.

The pointer analysis of the function call statement that wherein said step 211d describes and interval arithmetic process, specifically comprise the following steps:

Obtain the function summary of called function;

Obtain the rearmounted constraint condition of function summary, obtain function parameter and the global variable of the reference type creating spinoff in rearmounted constraint condition;

To the function parameter of reference type and the global variable that create spinoff, upgrade its interval value and directional information based on rearmounted constraint condition.

The present invention, when carrying out interprocedural analysis and creating function summary, considers that the variable in whole analyzed function scopes comprises top variable and member variable.Consider the reliability that the weak constraint condition of each restrained variable is analyzed with conservative guarantee simultaneously.The present invention is the reliability ensureing to analyze, and when retraining bound variable, take the strategy guarded, the weak constraint condition weak to its constraint condition Selection radio full-scale condition restriction ability, the most weak precondition is empty condition.Function of the present invention summary is prepared for null pointer dereference detects, and the variable of the therefore preposition constraint condition constraint of function summary is members of pointer type by the function parameter of the pointer type of dereference and global variable and they; The rearmounted constraint condition of function summary is by the parameter to pointer type of this function side effects and global variable and their member; The characteristic information of function summary comprises the information such as rreturn value, control flow check termination of function.

Concrete, generating function is made a summary, and comprising: the preposition constraint condition of generating function summary, the characteristic information of generating function summary; And, the rearmounted constraint condition of generating function summary;

Wherein, the process of the preposition constraint condition of generating function summary as shown in Figure 6, specifically comprises the following steps:

Step 601: obtain the set of pointers S1 be cited in current function;

Step 602: judge whether the pointer in S1 is disposed, if the pointer in S1 is processed, performs step 609; Otherwise, perform step 603;

Step 603: to get in S1 the pointer P1 that is not created constraint; Then, step 604 is performed;

Step 604: judge whether the statement that pointer P1 is cited appears on contradiction node, if there is on contradiction node, performs step 602; Otherwise, perform step 605;

Step 605: the value judging the abstract region of memory that pointer P1 is corresponding, if the value of abstract region of memory corresponding to pointer P1 is UNKNOWN, performs step 602; Otherwise, perform step 606;

Step 606: the sensing S set 2 obtaining abstract region of memory corresponding to pointer P1;

Step 607: judge whether S2 is empty, if be empty, performs step 602; Otherwise, perform step 608;

Step 608: the preposition constraint condition creating the relevant pointer that is cited based on S2, then performs steps A 2;

Step 609: terminate to work as pre-treatment.

Wherein, described step 608 creates the treatment scheme of the preposition constraint condition of the relevant pointer that is cited as shown in Figure 7, specifically comprises the following steps:

Step 608a: if the abstract field in the sensing S set 2 of abstract region of memory corresponding to processed pointer is processed complete, perform step 608i;

Step 608b: get the abstract region of memory R that in S2 one is not analyzed;

Step 608c: if the action scope of abstract region of memory R is not local action territory, then perform step 608d; Otherwise perform step 608a;

Step 608d: analyze the weak path condition C1 obtaining pointer P1 and be cited, analyzes the weak path condition C2 that P1 is set to point to R for the last time, calculates the union C3 of C1 and C2; Then step 608e is performed;

Step 608e: obtain the pointer P2 with the abstract region of memory R of sensing when entering this function;

Step 608f: if P2 is not also confined to the preposition constraint condition of function summary, perform step 608g; Otherwise, perform step 608h;

Step 608g: using P2 as restrained variable, constraint condition is C3; Perform step 608a;

Step 608h: the constraint condition of taking out P2 from the preposition constraint condition of function summary, asks the new constraint condition of union as P2 constraint condition and C3 also; Perform step 608a;

Step 608i: terminate to work as pre-treatment.

From syntax rule, pointer quotes total * p, p [exp], p-> id tri-kinds of grammatical forms, and the pointer be wherein cited is p; If but pointer is restrained, then need to detect at the point of invocation place of calling current function the argument or global variable transmitted.Therefore, the detection of quoting pointer is divided into detection and interprocedual in process to detect by the present invention.Wherein, the pointer detected in process is cited but not restrained pointer of going out; The function that is called at function call point place during the pointer that interprocedual detects is made a summary the global variable and the argument corresponding with the parameter retrained in preposition constraint condition that retrain in preposition constraint condition.For built-in function, take the mode that artificial generating function is made a summary.If invoked function does not have function to make a summary, then the parameter non-NULL of the conservative each pointer type of requirement.

The process that the identification of all detected pointers and null pointer dereference defect state machine create as shown in Figure 8, comprises the following steps:

Step 801: search from abstract syntax tree the node that symbolic pointer quotes grammatical form * p, p [exp], p-> id, obtain node set S1;

Step 802: if the node in S1 is all processed, then perform step 804; Otherwise, get a untreated node N in S1;

Step 803: if the variable P1 on node N is pointer type, and not restrainedly to go out, not also being created defect state machine, is then that P1 creates null pointer dereference defect state machine; Perform step 802;

Step 804: search node set S2 corresponding to function call from abstract syntax tree;

Step 805: if the node in S2 is all processed, then perform step 813; Otherwise, get a untreated node N in S2;

Step 806: if called function corresponding to node N does not have function to make a summary, then perform step 810;

Step 807: if the preposition constraint condition of the function summary of called function corresponding to node N be empty, execution step 805; Otherwise, obtain the variables collection S3 of preposition constraint condition constraint;

Step 808: if the variable in S3 is all processed, then perform step 805; Otherwise, to get in S3 a not processed bound variable P2, obtain the argument corresponding with bound variable P2 or global variable P3;

Step 809: if the variable-value in current statement corresponding node exists the possibility meeting the constraint condition of bound variable P2 in function summary is then that P3 creates null pointer dereference defect state machine; Perform step 808.

Step 810: the argument S set 4 obtaining the pointer type that function call point corresponding to node N transmits;

Step 811: if the variable in argument S set 4 is all processed, then perform step 805; Otherwise, to get in S4 a not processed parameter P4;

Step 812: for parameter P4 creates null pointer dereference defect state machine;

Step 813: the establishment terminating the null pointer dereference defect state machine example to current institute function.

Null pointer dereference defects detection of the present invention is carried out based on controlling stream graph, carries out the state transition of null pointer dereference defect state machine based on the state of pointer on control flow check node.If pointer has carried out security reference under non-null states, then the state transition of state machine is to Satefy, is quoted by pointer to be input to pointerforsafety and to quote set; If carried out null pointer dereference under dummy status, pointer, to Error, has been quoted and has been input to null pointer dereference set by the state transition of state machine; If carried out pointer to quote under nondeterministic statement, pointer, to Dubious, has been quoted and has been input to uncertain pointer and quotes set by the state transition of state machine.

The above, be only preferred embodiment of the present invention, be not intended to limit protection scope of the present invention.

Claims (9)

1. detect a method for null pointer dereference defect, it is characterized in that, described method comprises:

Read tested application file, lexical analysis and grammatical analysis are carried out to tested application, generate the abstract syntax tree of tested application, the controlling stream graph of the tested application controls structure of reflection is generated according to described abstract syntax tree, and symbol table system and the type system of tested application is created according to described abstract syntax tree, whole addressable expression formulas of tested application are identified based on abstract syntax tree;

The interval arithmetic of tested application being guarded according to described controlling stream graph and pointer analysis, and according to the result of interval arithmetic and pointer analysis, generating function is made a summary;

Identify according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and null pointer dereference defect state machine example is created to each pointer be cited;

Null pointer dereference defect state machine example is run based on described controlling stream graph, for each node of described controlling stream graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and determine null pointer dereference set, pointerforsafety quotes set, uncertain pointer quotes set;

Wherein, described interval arithmetic of guarding tested application according to controlling stream graph and pointer analysis, comprising:

A1, node number order when producing according to controlling stream graph, get next node in controlling stream graph as present node, and when described present node is last node, terminate to work as pre-treatment; Otherwise perform steps A 2;

A2, on described present node first time occur variable, with the model of DHGF <Variable based on abstract region of memory, Region, Expression, Domain> carries out modeling to described variable, and carry out initial operation according to described type of variables, and initial interval value is set; If type of variables is pointer, then described variable is set and points to set for empty; Wherein, Variable is the described variable be modeled, the abstract region of memory that Region distributes for described variable, and Expression is character expression, and Domain is interval;

Each pointer except the pointer of action scope that A3, predecessor node to described present node occur, determine the sensing union of sets collection of each pointer on all predecessor node of described present node, obtain the initial directional set of pointer on described present node; Wherein, described action scope is the action scope in symbol table system;

A4, each variable except the variable of action scope to the predecessor node of described present node, determine the union of interval of each variable on all predecessor node of described present node or the union of Interval Set, obtain the initial interval of variable on described present node or initial Interval Set; Judge whether to exist the initial interval of certain variable or initial Interval Set on described present node for empty, if exist, then marking this node is contradiction node, execution steps A 1; If do not exist, then perform steps A 5;

A5, the statement type corresponding according to described present node, to the pointer analysis that pointer having obtained initial directional set each on this node is guarded, to the interval arithmetic that each variable having obtained initial interval value or initial Interval Set on this node is guarded, and perform A1.

2. method according to claim 1, is characterized in that, the described whole addressable expression formulas identifying tested application based on abstract syntax tree, comprising:

The symbol of all definition of tested application and the addressable expression formula of all uses is identified based on abstract syntax tree.

3. method according to claim 2, is characterized in that, the described addressable expression formula identifying all uses of tested application based on abstract syntax tree, comprising:

From the postfix expression of all uses of postfix expression node recognition abstract syntax tree;

From the pointer REFER expression of all uses of unary expression node recognition abstract syntax tree.

4. method according to claim 1, is characterized in that, describedly carries out modeling to described variable, comprising:

When variable is array element, also set up the Region of array and father and son's hierarchical relationship of this variable R egion; Variable be structure or union type time, also set up father and son's hierarchical relationship of the Region of the Region of structure or the Region of associating and this variable; When variable is pointer type, also arrange variable and point to set for empty, arranging variable original state is uncertain unsure state.

5. method according to claim 1, is characterized in that, described steps A 5 comprises:

If the statement type corresponding to the described present node of A51 is assignment statement, then perform A52; If the statement type corresponding to described present node is conditional statement, then perform A58;

A52, to determine to be assigned variable be pointer when quoting, and performs A53; When determining that being assigned variable is pointer, perform A55; Determine to be assigned type of variables be structure or associating time, perform A56; Otherwise, perform A57;

If the sensing set of the pointer that A53 is cited only has an abstract region of memory, then using this abstract region of memory as the abstract region of memory be assigned, then perform A52; If the sensing set of the pointer be cited has multiple abstract region of memory, then perform A54;

A54, the interval of each abstract region of memory determining to point to set are the union of the current interval of variable and right-hand member expression formula interval; If the abstract region of memory type pointing to set is pointer type, then determine that the sensing set of each abstract region of memory is that current sensing set points to union of sets collection with right-hand member expression formula; Terminate the process to current statement;

A55, determine that the interval of pointer variable is the interval of right-hand member expression formula, determine that the sensing set of pointer variable is the sensing set of right-hand member expression formula;

If it is structure or associating that A56 is assigned type of variables, each member of this variable is assigned variable as one, using the member of each correspondence in right-hand side expression as the right-hand side expression for this member's assignment, and performs A52;

If it is fundamental type that A57 is assigned type of variables, then according to the interval being assigned type of variables and right-hand member expression formula and determining expression formula in this assignment statement, and the described interval being assigned variable is reset to the interval of determined expression formula;

If the statement type corresponding to the described present node of A58 is condition judgment statement, then to each pointer associated by this node get initial may point to collection after, what each pointer analyzed associated by this node pointed in described condition judgment statement may gather and must gather; After initial may collection is got to each variable associated by this node, calculate may collecting and must collecting of the value of each variable in described condition judgment statement associated by this node, obtain the value of the described variable in the controlling stream graph corresponding to this node in true and false branch.

6. method according to claim 1, is characterized in that, described generating function summary, comprising:

Preposition constraint condition, characteristic information and rearmounted constraint condition that generating function is made a summary.

7. method according to claim 1, is characterized in that, describedly identifies according to described function summary and abstract syntax tree the pointer that whole pointers quotes and be cited, and comprising:

Identify the pointer that all processes pointer that is interior and interprocedual is quoted and is cited;

Wherein, in all processes, pointer is quoted and is comprised:

The unary expression node of abstract syntax tree identifies pointer quote, and the pointer be cited;

The pointer that the postfix expression node of abstract syntax tree identifies is quoted, and the pointer be cited;

All interprocedual pointers are quoted and are comprised:

The unary expression node of abstract syntax tree identifies function call expression formula;

If when called function corresponding to function call expression formula has function to make a summary, then obtain whole restrained variable in the preposition constraint condition of function summary and described preposition constraint condition, using the argument corresponding with described restrained variable or global variable as the pointer be cited; If when called function corresponding to function call expression formula does not have function to make a summary, then will all pointer type parameters of called function be passed to as the pointer be cited.

8. method according to claim 1, it is characterized in that, described based on described controlling stream graph operation null pointer dereference defect state machine example, for each node of described controlling stream graph, result according to interval arithmetic, pointer analysis carries out state transition respectively to each defect state machine example, and determine null pointer dereference set, pointerforsafety quotes set, uncertain pointer quotes set, comprising:

B1, node number order when producing according to controlling stream graph, get next node in controlling stream graph as present node, if described present node is last node, then terminate to detect the null pointer dereference of current function; Otherwise perform step B2;

The defect state machine example collection that B2, predecessor node to described present node occur, when multiple defect state machine example associates same pointer variable, merge described multiple defect state machine example, as the new defect state machine example that this pointer variable is corresponding;

B3, when the value of the pointer variable that the defect state machine example of present node associates changes, determine the defect state machine example that variable is corresponding state produce migration;

B4, when described present node occurs that pointer is quoted, according to the value of pointer on present node that be cited pointer quoted and detect;

B5, the null pointer dereference terminated on present node detect, and perform B1.

9. method according to claim 8, is characterized in that, described when occurring that pointer is quoted on described present node, to quote and detects, also comprise according to the value of pointer on present node that be cited to pointer:

When carrying out security reference under non-null states, described pointer is quoted and is input to pointerforsafety and quotes set;

When carrying out null pointer dereference under dummy status, described pointer is quoted and is input to null pointer dereference set;

Under nondeterministic statement, carry out pointer when quoting, described pointer has been quoted and is input to uncertain pointer and quotes set.