CN110674495B - Detection method, device and equipment for group border crossing access - Google Patents

Publication number: CN110674495B
Application number: CN201910828384.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110674495A (en)
Inventors: 赖建新, 李隆
Current Assignee: Alipay Intellectual Property Holding Co (the listed assignees may be inaccurate)
Original Assignee: Xc5 Hong Kong Ltd
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Prior art keywords: statement, array, functions, program, function

Classifications

    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/563 Static detection by source code analysis
    • G06F8/42 Syntactic analysis


Abstract

The embodiments of this specification disclose a method, an apparatus and a device for detecting array out-of-range access. The method comprises: acquiring the functions contained in the program code to be detected and the call relation information among the functions; if the call relation information among the functions includes an unvisited target program statement, detecting whether the target program statement needs to access an array; if the target program statement needs to access an array, acquiring the value range of a predetermined variable of the array accessed by the target program statement in the program area corresponding to the array; and detecting, based on that value range, whether the program code contains an array out-of-range access.

Description

Detection method, device and equipment for array out-of-range access
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for detecting array out-of-range access.
Background
Array out-of-range access is a common coding defect. It can cause a crash while the program is running or an incorrect program result, and it can also cause serious system security problems: an attacker can exploit the defect to elevate the attacker's own privileges and thereby read or modify the sensitive data of the user.
At present, array out-of-range access in a program can be found by black-box or white-box testing, that is, by constructing test cases, executing the program, and observing whether an array out-of-range access occurs during execution. Black-box and white-box testing cannot construct enough test cases to cover all execution paths of the program code, so this approach has low detection accuracy and low detection efficiency. It is therefore necessary to provide a detection mechanism for array out-of-range access that works across functions or across files, with faster detection speed, higher detection accuracy, and the ability to detect array out-of-range access defects in program code over a wider range.
Disclosure of Invention
An object of the embodiments of this specification is to provide a method, an apparatus, and a device for detecting array out-of-range access, so as to provide a detection mechanism for array out-of-range access that works across functions or across files, whose detection speed may be faster and detection accuracy higher, and which may detect array out-of-range access defects in program code over a wider range.
In order to implement the above technical solution, the embodiments of the present specification are implemented as follows:
An embodiment of the present specification provides a method for detecting array out-of-range access, where the method includes:
acquiring functions contained in a program code to be detected and call relation information among the functions;
if the call relation information among the functions includes an unvisited target program statement, detecting whether the target program statement needs to access an array;
if the target program statement needs to access an array, acquiring a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array;
and detecting whether the program code contains array out-of-range access based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.
Optionally, after obtaining the functions included in the program code to be detected and the call relationship information between the functions, the method further includes:
detecting whether the call relation information among the functions includes an unvisited function;
if the call relation information among the functions includes an unvisited function, taking the program statements in the unvisited function as the target program statements;
and if the call relation information among the functions does not include an unvisited function, detecting whether the call relation information among the functions includes an unvisited target program statement.
Optionally, the method further comprises:
converting the program code to be detected into a program code in a preset expression form;
the acquiring functions included in the program code to be detected and the call relation information among the functions includes:
acquiring the functions contained in the program code converted into the preset expression form and the call relation information among the functions.
Optionally, the method further comprises:
identifying the structure of a program statement of a function contained in the converted program code to obtain an identification result;
if the identification result indicates that the program statement of the function is a loop statement, acquiring a loop induction variable and a loop body corresponding to the program statement of the function;
determining a range of values of the loop induction variable within the loop body.
Optionally, the method further comprises:
IF the identification result indicates that the program statement of the function is an IF branch statement, acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function;
and respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
Optionally, the method further comprises:
if the identification result indicates that the program statement of the function is a SWITCH selection statement, acquiring a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block and a selection variable corresponding to the CASE statement value;
determining a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
Optionally, the obtaining of the call relationship information between the functions includes:
analyzing the call relation among the functions to obtain a function call graph, wherein the function call graph comprises a plurality of functions and connecting lines among the functions;
connecting the formal parameters of the functions in the function call graph with the actual parameters of the functions in the function call graph to obtain parameter connection information;
and acquiring the use and definition relation of a preset global variable among all functions in the function call graph to obtain global variable use-definition connection information.
Optionally, acquiring, if the target program statement needs to access an array, the value range of a predetermined variable of the array accessed by the target program statement in the program area corresponding to the array includes:
if the target program statement needs to access an array, determining the definition of the array accessed by the target program statement according to predetermined use-definition relation information;
and querying, according to the predetermined use-definition relation information and the record information corresponding to the definition of the array accessed by the target program statement, the value range of the predetermined variable of each dimension of that array in the program area corresponding to the array.
An embodiment of the present specification provides a device for detecting array out-of-range access, where the device includes:
the information acquisition module is used for acquiring functions contained in the program codes to be detected and call relation information among the functions;
the array access detection module is used for detecting whether the target program statement needs to access an array if the call relation information among the functions includes an unvisited target program statement;
a value range obtaining module, configured to obtain, if the target program statement needs to access an array, a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array;
and the boundary crossing access detection module is used for detecting whether the program code contains the boundary crossing access of the array based on the value range of the preset variable of the array accessed by the target program statement in the program area corresponding to the array.
Optionally, the apparatus further comprises:
the function detection module is used for detecting whether the call relation information among the functions includes an unvisited function;
a function detection result module, configured to, if the call relation information among the functions includes an unvisited function, take a program statement in the unvisited function as the target program statement;
and the statement detection module is used for detecting whether the call relation information among the functions includes an unvisited target program statement if the call relation information among the functions does not include an unvisited function.
Optionally, the apparatus further comprises:
the conversion module is used for converting the program code to be detected into a program code in a preset expression form;
the information acquisition module is used for acquiring functions contained in the program codes converted into the preset expression form and calling relation information among the functions.
Optionally, the apparatus further comprises:
the recognition module is used for recognizing the structure of the program statement of the function contained in the converted program code to obtain a recognition result;
the first statement processing module is used for acquiring a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement;
a first value range determination module, configured to determine a range of values of the loop induction variable within the loop body.
Optionally, the apparatus further comprises:
the second statement processing module is used for acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function IF the identification result indicates that the program statement of the function is an IF branch statement;
and the second value range determining module is used for respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
Optionally, the apparatus further comprises:
a third statement processing module, configured to, if the identification result indicates that the program statement of the function is a SWITCH selection statement, obtain a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block, and a selection variable corresponding to the CASE statement value;
a third value range determination module for determining a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
Optionally, the information obtaining module includes:
the call graph determining unit is used for analyzing the call relation among the functions to obtain a function call graph, and the function call graph comprises a plurality of functions and connecting lines among the functions;
the parameter connection determining unit is used for connecting the formal parameters of the functions in the function call graph with the actual parameters of the functions in the function call graph to obtain parameter connection information;
and the connection information determining unit is used for acquiring the use and definition relation of a preset global variable among all functions in the function call graph to obtain global variable use-definition connection information.
Optionally, the value range obtaining module includes:
a definition determining unit, configured to determine, according to predetermined usage definition relationship information, a definition of an array accessed by the target program statement if the target program statement requires accessing the array;
and the value range acquisition unit is used for querying, according to the predetermined use-definition relation information and the record information corresponding to the definition of the array accessed by the target program statement, the value range of the predetermined variable of each dimension of that array in the program area corresponding to the array.
An embodiment of the present specification provides a detection apparatus for array out-of-range access, where the detection apparatus for array out-of-range access includes:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring functions contained in a program code to be detected and call relation information among the functions;
if the call relation information among the functions includes an unvisited target program statement, detecting whether the target program statement needs to access an array;
if the target program statement needs to access an array, acquiring a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array;
and detecting whether the program code contains array out-of-range access based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.
As can be seen from the above technical solutions, the embodiments of this specification acquire the functions contained in the program code to be detected and the call relation information among the functions; if the call relation information includes an unvisited target program statement, detect whether the target program statement needs to access an array; if it does, acquire the value range of a predetermined variable of the accessed array in the program area corresponding to the array; and detect, based on that value range, whether the program code contains an array out-of-range access. Because array out-of-range access is determined by examining the program statements in the call relation information among the functions, the detection process can cover all execution paths of the program code, which improves detection accuracy. In addition, because detection works from those program statements and from the value range of the predetermined variable of the array in the program area corresponding to the array, the detection efficiency for array out-of-range access can be higher.
Drawings
In order to illustrate the embodiments of this specification or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments described in this specification; those skilled in the art can obtain other drawings from them without any creative effort.
FIG. 1 is a block diagram illustrating an embodiment of a method for detecting array out-of-range access;
FIG. 2 is a block diagram of another embodiment of a method for detecting out-of-range access to an array;
FIG. 3 is a structural diagram of a loop statement in the present specification;
FIG. 4 is a schematic diagram of another loop statement in this specification;
FIG. 5 is a structural diagram of another loop statement in the present specification;
FIG. 6 is a block diagram of an IF branch statement according to the present disclosure;
FIG. 7 is a block diagram of another IF branch statement according to the present disclosure;
FIG. 8 is a block diagram of a SWITCH selection statement in accordance with the present disclosure;
FIG. 9 is a diagram illustrating an example of a calling relationship graph structure according to the present disclosure;
FIG. 10 is a block diagram of an embodiment of an apparatus for detecting array out-of-range access according to the present disclosure;
FIG. 11 is a block diagram illustrating an embodiment of a device for detecting array out-of-range access.
Detailed Description
The embodiments of this specification provide a method, an apparatus and a device for detecting array out-of-range access.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art without making any inventive step based on the embodiments in this description shall fall within the scope of protection of this document.
Example one
As shown in FIG. 1, the method may be executed by a terminal device or a server. The terminal device may be, for example, a mobile phone or a tablet computer, and the server may be an independent server or a server cluster formed by multiple servers. The server may be a background server of a certain service (such as a transaction service), or a background server of a certain application (such as a financial application). The method may specifically comprise the following steps:
In step S102, functions included in the program code to be detected and call relation information between the functions are acquired.
The program code to be detected may be any program code that needs to be checked for array out-of-range access. The call relation information between the functions may be information about the mutual calls between different functions, and the like.
In implementation, array out-of-range access is a common coding defect. It may cause a crash while the program is running or an incorrect program result, and may further cause serious system security problems: an attacker may exploit the defect to elevate the attacker's own privileges and thereby read or modify the sensitive data of the user.
Currently, there are generally four methods for finding array out-of-range access in a program. The first is based on black-box or white-box testing: test cases are constructed, the program is executed, and the execution is observed for array out-of-range access. The second is symbolic execution: all possible input combinations of the program code are enumerated, the program code is then executed in simulation by a symbolic execution mechanism, and array out-of-range access is detected during the simulated execution. The third is run-time detection by code instrumentation: additional detection code is inserted into the program code by a code instrumentation mechanism, and array out-of-range access is detected while the program code executes. The fourth is static program detection, which uses a static program analysis mechanism to analyze whether the subscript is within the permitted range of the array when the array is accessed in the program.
Each of these methods has a drawback. Black-box or white-box testing cannot construct enough test cases to cover all execution paths of the program code. Symbolic execution has low detection efficiency, takes too long, and occupies a large amount of memory during detection. Run-time detection by code instrumentation significantly reduces the execution speed of the program code. Static program detection is usually limited to the inside of a single function, so out-of-range accesses that cross functions or files are difficult to find. Therefore, the embodiments of this specification need to provide a mechanism that can detect array out-of-range access across functions or across files, that can be faster and occupy less memory, and that can detect array out-of-range access defects in program code over a wider range. The embodiments of this specification provide a related technical solution, which may specifically include the following contents:
When one or more sections of program code need to be checked for array out-of-range access, the program code to be detected can be obtained. In practical applications it can be obtained in multiple ways, for example by user upload. An upload page for program code can be preset, and it can include a code upload input box, an upload button, a cancel button and the like. The user can enter the program code to be detected into the code upload input box and click the upload button once the code has been entered. The terminal device on which the upload page is displayed can then obtain the program code entered in the input box and transmit it to the server, so that the server obtains the program code to be detected. The server may analyze the content of the program code to be detected, determine the functions it contains, and obtain the call relation information between different functions.
In practical applications, array out-of-range access often occurs inside functions. So that the functions in the program code can be represented more intuitively, a function call graph among the different functions can be generated from the call relation information between them, and subsequent processing can be performed on the basis of the function call graph.
In step S104, if the call relation information between the functions includes an unvisited target program statement, it is detected whether the target program statement needs to access an array.
The target program statement may be any program statement.
In implementation, detection of array out-of-range access may proceed by checking whether the function call graph still contains an unvisited program statement. Specifically, the obtained function call relation information may be analyzed, and the server may be searched for record information showing that each program statement in the function call relation information has been visited. If no such record information is found for a certain program statement, that program statement has not been visited, and it may then be detected whether the target program statement needs to access a predetermined array, specifically by checking whether the target program statement contains a preset keyword or the like. If the target program statement contains the preset keyword, the target program statement needs to access the array, and the processing of step S106 below may be performed; if it does not contain the preset keyword, the target program statement does not need to access the array. If record information is found showing that all program statements have been visited, the program statements in the call relation information among the functions have all been visited.
It should be noted that the above-mentioned manner for detecting whether the target program statement needs to access the predetermined array is only an optional processing manner, and in practical applications, a variety of different processing manners may also be included, which may be specifically set according to practical situations, and this is not limited in this embodiment of the present specification.
In step S106, if the target program statement needs to access an array, a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array is obtained.
The predetermined variable may be a variable that appears in a subscript of the array, and there may be one or more such variables. The array may be a one-dimensional array or a multi-dimensional array; each dimension may have its own variable, located in the subscript (also referred to as a subscript variable), and the like.
In implementation, a variable value range analysis mechanism may be preset, and the program statements included in the call relation information between the functions may be analyzed to determine the value ranges of variables in the different regions of the branches. If the processing described above determines that the target program statement needs to access an array, the definition of the array can be found through a preset tracing mechanism, the predetermined variable of the array accessed by the target program statement can then be obtained, and the value range of that predetermined variable in the program area corresponding to the array can be determined through the variable value range analysis mechanism.
In step S108, it is detected whether the program code includes an array out-of-range access based on a value range of a predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.
In implementation, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array may be compared with the number of the dimensions corresponding to the array that the target program statement needs to access, and if the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array is the same as the number of the dimensions corresponding to the array that the target program statement needs to access, it indicates that there is no array out-of-bounds access in the target program statement. If the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array is greater than the number of the dimensions corresponding to the array to be accessed by the target program statement, it indicates that the array out-of-bounds access exists in the target program statement, and at this time, the target program statement may be correspondingly processed, which may be specifically set according to an actual situation, and this is not limited in the embodiments of the present specification.
The embodiment of the present specification provides a method for detecting array out-of-range access. The method obtains the functions included in the program code to be detected and the call relationship information between the functions. If the call relationship information between the functions includes a target program statement that has not been accessed, the method detects whether the target program statement needs to access an array. If it does, the method obtains the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, and detects, based on that value range, whether the program code includes an array out-of-range access. Because the program statements in the call relationship information between the functions are examined, the detection process can cover all execution paths of the program code, which improves the detection accuracy. In addition, because detection works from those program statements and from the value range of the predetermined variable of the array in the program area corresponding to the array, array out-of-range access can be detected more efficiently.
Example two
As shown in fig. 2, the execution subject of the method may be a terminal device or a server. The terminal device may be, for example, a mobile phone or a tablet computer, and the server may be an independent server or a server cluster formed by multiple servers. The server may be a background server of a certain service (such as a transaction service), or may be a background server of a certain application (such as a financial application). The method may specifically comprise the following steps:
In step S202, the program code to be detected is converted into a program code in a predetermined expression form.
The predetermined expression form may be any preset expression form, that is, a plurality of different expression forms of the same thing may be unified into the predetermined expression form.
In implementation, to simplify subsequent processing, the program code to be detected can be converted into program code in a uniform predetermined expression form, so that the same thing is always expressed in the same way. For example, to determine whether an array out-of-range access exists in the program code to be detected, the arrays involved may be converted into a uniform expression form such as base[sub_1][sub_2]…[sub_n], where base is an n-dimensional array, n is a positive integer, and sub_1 to sub_n are the subscripts of the respective dimensions.
In step S204, a function included in the program code converted into a predetermined expression form is acquired.
In implementation, because the program code to be detected is converted into a uniform expression form, different functions can be represented by setting keywords and/or structure formats and the like, so that after the program code converted into the predetermined expression form is obtained, which functions are included in the program code converted into the predetermined expression form can be determined based on the keywords and/or structure formats corresponding to the different functions, and thus the functions included in the program code converted into the predetermined expression form can be obtained.
In step S206, the structure of the program statement of the function included in the converted program code is recognized, and a recognition result is obtained.
In implementation, in order to determine the variables included in a program statement, the structure of the program statements of the functions included in the converted program code needs to be identified, so as to determine which specific statements (such as a loop statement or a branch statement) they contain. For this purpose, an identification mechanism for program statements may be set in advance. The identification mechanism may be set in a variety of ways, for example according to the features or characteristics of the different specific statements: the specific keywords or keyword segments included in a specific statement may be acquired, the structural features or structural characteristics of the specific statement may be set, and the identification mechanism may then be set based on those keywords or keyword segments and those structural features or characteristics. The program statement of the function can then be matched against the keywords or keyword segments and the structural features or characteristics in the identification mechanism, and the matching result can be taken as the recognition result.
In step S208, if the recognition result indicates that the program statement of the function is a loop statement, a loop induction variable and a loop body corresponding to the program statement of the function are acquired.
In implementation, the identification mechanism of the program statement may identify the structure of the program statement of the function, and if the identified result is a loop statement, the loop structure in the function and loop induction variables or auto-increment and auto-decrement variables used in the loop structure may be identified, and loop entry, loop exit, and loop body may be determined, as well as initial values, termination conditions, loop step sizes, and the like of the induction variables.
In step S210, the range of values of the loop induction variable within the loop is determined.
In implementation, a variable value range analysis mechanism can be preset. Through this mechanism, the judgment conditions of the program statements in the function can be analyzed to determine the value ranges of the variables in different branch areas, and the result of the loop analysis can be used to determine the value ranges of the variables in different areas. For different types of loop statements, the specific processing of step S208 and step S210 may differ, for example:
As shown in fig. 3, if the loop statement is a regular loop statement, the loop entry, the loop back edge, the loop exit, the loop body, and the like in the function can be identified based on the identification mechanism of the program statement. The loop induction variable can also be identified as I, which has an initial value, a constraint condition, and a self-increment value, and the number of loops is (end - start)/step. The variable value range analysis mechanism may determine the value range of the loop induction variable I within the loop body as [start, end], and may determine the value range of the loop induction variable I after leaving the loop as (start + ((end - start)/step + 1) × step).
As shown in fig. 4, if the loop statement is a loop statement that can be terminated in advance, the loop entry, the loop exit, and the loop body in the function can be identified based on the identification mechanism of the program statement, and it can be identified that the loop statement can be terminated in advance. The loop induction variable can also be identified as I, which has an initial value, a constraint condition, and a self-increment value, and the number of loops is (end - start)/step. The variable value range analysis mechanism may determine that the value range of the loop induction variable I within the loop is [start, end], and may determine that the value range of the loop induction variable I after leaving the loop is [start, (start + ((end - start)/step + 1) × step)], or approximately [start, end + step)].
As shown in fig. 5, if the loop statement is a loop statement without a loop induction variable, the loop entry, the loop exit, the loop body, and the like in the function can be identified based on the identification mechanism of the program statement, and the auto-increment/auto-decrement variable can also be identified as I. The variable value range analysis mechanism may determine that the auto-increment variable I has a value range of (I_min, I_max) before the loop, may determine that I has a value range of [start, I_max] within the loop body, and may determine that I has a value range of [start, I_max] after leaving the loop.
In step S212, IF the identification result indicates that the program statement of the function is an IF branch statement, the THEN statement block, the ELSE statement block, and the condition judgment variable corresponding to the program statement of the function are acquired.
In implementation, the identification mechanism of the program statement may identify the structure of the program statement of the function, and IF the identified result is an IF branch statement, the branch structure in the function and the THEN statement block, the ELSE statement block, the condition judgment variable, and the like used in the branch structure may be identified.
In step S214, the value range of the condition judgment variable within the THEN statement block and the value range within the ELSE statement block are determined, respectively.
In implementation, the variable value range analysis mechanism can be used to analyze the judgment conditions of the branch statements in the function to determine the value ranges of the variables in different branch areas, and the result of the loop analysis is used to determine the value ranges of the variables in different loop areas. For different types of IF branch statements, the specific processing of step S208 and step S210 may differ, for example:
As shown in fig. 6, IF the branch statement is an IF branch statement, the THEN statement block, the ELSE statement block, the condition judgment variable I, and the like in the function can be identified based on the identification mechanism of the program statement. IF the condition judgment variable I has a value range of (I_min, I_max) before the IF branch statement, the value range of I in the THEN statement block is determined to be (I_min, cond), and its value range in the ELSE statement block is determined to be [cond, I_max].
As shown in fig. 7, IF the branch statement is a nested IF branch statement, the THEN statement block, the ELSE statement block, the condition judgment variable I, and the like in the function can be identified based on the identification mechanism of the program statement. Specifically, the top-level IF branch structure, with its THEN statement block 1, ELSE statement block 1, and condition judgment variable I, may be identified; the IF branch structure inside the THEN statement block, with its THEN statement block 2, ELSE statement block 2, and condition judgment variable I, may be identified; and the IF branch structure inside the ELSE statement block, with its THEN statement block 3, ELSE statement block 3, condition judgment variable I, and the like, may be identified.
IF the value range of the condition judgment variable I before the IF branch statement is (I_min, I_max), the value range of I in the THEN statement block 1 is (I_min, cond_1), and its value range in the ELSE statement block 1 is [cond_1, I_max]. It can be determined that I has a value of (cond_2) in the THEN statement block 2 and a value range of (I_min, cond_2) ∪ (cond_2, cond_1) in the ELSE statement block. It can be determined that I has a value range of (cond_3, I_max) within the THEN statement block 3 and a value range of [cond_1, cond_3] within the ELSE statement block.
In step S216, if the recognition result indicates that the program statement of the function is a SWITCH selection statement, the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block, and selection variable are acquired.
In implementation, the program statement identification mechanism may identify the structure of the program statement of the function, and if the identified result is a SWITCH selection statement, may identify a CASE statement value in the function and a SWITCH selection statement thereof, and the like.
In step S218, the value range of the selection variable within each CASE statement block and the value range within the DEFAULT statement block are determined.
In implementation, as shown in fig. 8, if the selection statement is a SWITCH selection statement, the CASE statement values and their corresponding CASE statement blocks, the DEFAULT statement block, the selection variable I, and the like in the function may be identified based on the identification mechanism of the program statement. The value range of I in each CASE statement block may be set to the corresponding CASE statement value, and the value range of I in the DEFAULT statement block is set to the value range of I before entering the SWITCH selection structure with the set of all CASE statement values removed.
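The range rules of steps S208 to S218 can be written out as follows. This is an added example, not code from the patent; it assumes closed integer intervals, a loop of the form `for (I = start; I <= end; I += step)`, and IF conditions of the form `I < cond` or `I == value`, and all function names are hypothetical.

```python
"""Value-range rules for loop, IF and SWITCH statements (added illustration).

A range is a sorted list of closed integer intervals (lo, hi).
Constructed C fragment the rules are applied to in the notes below:

    int buf[10];
    for (i = 0; i <= 9; i++) buf[i] = 0;   /* i in [0, 9] inside the body */
    buf[i] = 1;                            /* i == 10 after the loop      */
"""
INF = float("inf")


def clip(rng, lo, hi):
    """Intersect a range with the closed interval [lo, hi]."""
    out = [(max(a, lo), min(b, hi)) for a, b in rng]
    return [(a, b) for a, b in out if a <= b]


def remove_value(rng, v):
    """Remove the single value v from a range, splitting an interval if needed."""
    out = []
    for a, b in rng:
        if a <= v <= b:
            if a <= v - 1:
                out.append((a, v - 1))
            if v + 1 <= b:
                out.append((v + 1, b))
        else:
            out.append((a, b))
    return out


def loop_ranges(start, end, step, early_exit=False):
    """Range of the induction variable inside the loop body and after the loop."""
    body = [(start, end)]
    exit_value = start + ((end - start) // step + 1) * step
    # A loop that can terminate early may leave with any value it held inside.
    after = [(start, exit_value)] if early_exit else [(exit_value, exit_value)]
    return body, after


def if_ranges(prior, cond):
    """if (I < cond): ranges of I in the THEN block and in the ELSE block."""
    return clip(prior, -INF, cond - 1), clip(prior, cond, INF)


def if_eq_ranges(prior, value):
    """if (I == value): THEN holds the single value, ELSE everything else."""
    return clip(prior, value, value), remove_value(prior, value)


def switch_ranges(prior, case_values):
    """Range of the selection variable per CASE block and in the DEFAULT block."""
    cases = {v: [(v, v)] for v in case_values}
    default = prior
    for v in case_values:
        default = remove_value(default, v)
    return cases, default


def out_of_bounds(rng, size):
    """True when some value in the range is not a valid index for `size` elements."""
    return any(a < 0 or b >= size for a, b in rng)
```

For the constructed fragment, `loop_ranges(0, 9, 1)` gives a body range that fits `buf[10]` and an exit value that does not, which is the off-by-one access after the loop.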
In addition to the above processing for obtaining the variable value ranges, the relationship between the use and the definition of each variable in the function may be obtained. Specifically, this relationship may be analyzed through a preset intra-function variable use-definition analysis mechanism, so as to establish use-definition relationship information (in practical applications, a relationship chain may be used). The use of each variable in the function can then be traced along the relationship chain to the definition of the variable, and the definition may come from a global variable, a formal parameter of the function, a return value of another function called by the function, and the like.
In the above, the program statements in the function are analyzed to determine the variable value ranges in the function. In practical applications, the relationship between the functions may also be analyzed; specifically, reference may be made to the following processing from step S220 to step S224.
In step S220, the call relationship between the functions is analyzed to obtain a function call map, where the function call map includes a plurality of functions and connection lines between the functions.
In implementation, a function call relation analysis mechanism may be preset, where the function call relation analysis mechanism may analyze call relations among functions to generate a function call graph, where the function call graph includes a plurality of functions and a plurality of connection lines between the functions, each node on the function call graph may be a function, and each connection line (or edge) may be a call point.
In step S222, the formal parameter of the function in the function call map is connected to the actual parameter of the function in the function call map, so as to obtain parameter connection information.
In implementation, a function call actual parameter and formal parameter analysis mechanism may be preset, and an auxiliary data structure may be established through this mechanism to connect the formal parameter of the function with the actual parameter of the function at each call point, so as to obtain parameter connection information.
In step S224, the usage and definition relationship of a predetermined global variable between the functions in the function call map is obtained, so as to obtain global variable usage definition connection information.
In implementation, an inter-function global variable definition use analysis mechanism may be preset, and the inter-function global variable definition use analysis mechanism is used to analyze the relationship between the use and definition of the global variable among the functions, so as to connect the use and definition of the global variable across the functions. The parameters, return values and connection information of the global variable usage and definition may be stored in a predetermined additional data table, which may be labeled on each connection line of the function call graph in the form of labels, and the labels on the function call graph and the connection lines may be as shown in fig. 9.
In addition, a path tracking mechanism can be preset to record the path information selected at each loop, branch, or function call during the analysis of the program code. Through the path tracking mechanism, a loop, branch, or function can be prevented from being missed or repeatedly accessed, and the analysis can return to the correct function call point after cross-function analysis.
In step S226, it is detected whether or not an unaccessed function is included in the call relationship information between functions.
In implementation, in order to improve processing efficiency, the access record of each function in the function call graph (i.e. the call relation information between functions) may be traversed to determine whether the function call graph includes an unaccessed function.
In step S228, if an unvisited function is included in the call relationship information between functions, a program statement in the unvisited function is taken as a target program statement.
In implementation, if the call relation information (i.e. function call map) between functions includes an unvisited function, it indicates that none of the program statements in the function have been accessed, and the program statement in the function is taken as the target program statement.
In step S230, if the non-accessed function is not included in the call relation information between functions, it is detected whether a non-accessed target program statement is included in the call relation information between functions.
In step S232, if the call relation information between the functions includes a target program statement that is not accessed, it is detected whether the target program statement needs to access an array.
In implementation, for each target program statement, it may be identified whether a predetermined array access structure, such as base[sub_1][sub_2]…[sub_n], is included. If a target program statement includes such a predetermined array access structure, then for each such access structure all definitions of the array may first be found along the usage definition relationship information (e.g., the usage definition relationship chain) of the array, that is, the following processing of step S234 is performed.
In step S234, if the target program statement requires access to an array, the definition of the array to be accessed by the target program statement is determined according to the predetermined usage definition relationship information.
The information of the use definition relationship may be determined by the variable use definition analysis mechanism in the function, and specific processing may refer to the above related contents, which are not described herein again.
In step S236, according to the predetermined usage definition relationship information and the record information corresponding to the definition of the array accessed by the target program statement, the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array is queried.
In implementation, for each array definition, the size of each dimension of the array under that definition may be obtained, and the path to the definition of the array accessed by the target program statement is recorded through the path tracking mechanism. The value range of each predetermined variable in the program areas passed by the path may then be looked up along the use-definition path of the array.
In step S238, it is detected whether the program code includes an array out-of-range access based on a value range of a predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.
In implementation, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array may be compared with the size of the dimension corresponding to the array, and if the value range of the predetermined variable of the array in the program area corresponding to the array exceeds the size of the dimension corresponding to the array, the array out-of-range access error may be determined and the path tracking information may be output.
It should be noted that, in the above processing procedure, each function and each program statement is accessed only once. When the access to each array is checked, the definition of the corresponding array can be searched along the definition relationship information, and the length of the definition relationship information usually has a fixed upper bound. When verifying, along the definition path of the array, whether the predetermined variable is within its value range in the program area corresponding to the array, only statement blocks fewer than the length of the path need to be queried, so the time complexity of the above process can be considered linear.
The embodiment of the present specification provides a method for detecting array out-of-range access. The method obtains the functions included in the program code to be detected and the call relationship information between the functions. If the call relationship information between the functions includes a target program statement that has not been accessed, the method detects whether the target program statement needs to access an array. If it does, the method obtains the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, and detects, based on that value range, whether the program code includes an array out-of-range access. Because the program statements in the call relationship information between the functions are examined, the detection process can cover all execution paths of the program code, which improves the detection accuracy. In addition, because detection works from those program statements and from the value range of the predetermined variable of the array in the program area corresponding to the array, array out-of-range access can be detected more efficiently.
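The pass described in steps S220 to S238 can be illustrated with a small detector. This is an added example, not code from the patent: the statement tuples, the `detect` function, and the sample program are constructed for illustration, the call graph is assumed to be acyclic, and each `"range"` statement stands for the output of the value range analysis.

```python
"""Single-pass array bounds check over a function call graph (added illustration).

Constructed input, already in the unified form base[sub_1]...[sub_n]:

    void store(int t[4][8], int r, int c) { t[r][c] = 0; }
    void fill(int t[4][8]) {
        for (r = 0; r <= 3; r++)
            for (c = 0; c <= 8; c++)      /* off by one: c reaches 8 */
                store(t, r, c);
    }
    int main(void) { int table[4][8]; fill(table); }
"""
from collections import deque

UNKNOWN = (float("-inf"), float("inf"))   # range of a variable never analysed

# Hypothetical statement forms: ("array", name, dims), ("range", var, lo, hi),
# ("call", callee, {formal: actual}), ("access", base, subscripts).
PROGRAM = {
    "main": [("array", "table", (4, 8)), ("call", "fill", {"t": "table"})],
    "fill": [("range", "r", 0, 3), ("range", "c", 0, 8),
             ("call", "store", {"t": "t", "r": "r", "c": "c"})],
    "store": [("access", "t", ("r", "c"))],
}


def call_graph(program):
    """Nodes are functions; each edge is a call point with its parameter binding."""
    return {fn: [(s[1], s[2]) for s in body if s[0] == "call"]
            for fn, body in program.items()}


def detect(program):
    """Visit every function once, callers first, and report out-of-range accesses."""
    pending = {fn: 0 for fn in program}    # call points not yet processed, per callee
    for edges in call_graph(program).values():
        for callee, _ in edges:
            pending[callee] += 1
    state = {fn: {"ranges": {}, "arrays": {}} for fn in program}
    ready = deque(fn for fn, n in pending.items() if n == 0)
    visited, findings = set(), []
    while ready:
        fn = ready.popleft()
        visited.add(fn)                    # access record: never analysed twice
        st = state[fn]
        for stmt in program[fn]:
            kind = stmt[0]
            if kind == "array":            # definition: dimension sizes, start of path
                st["arrays"][stmt[1]] = {"name": stmt[1], "dims": stmt[2], "path": [fn]}
            elif kind == "range":
                st["ranges"][stmt[1]] = (stmt[2], stmt[3])
            elif kind == "call":
                callee, binding = stmt[1], stmt[2]
                tgt = state[callee]
                for formal, actual in binding.items():
                    if actual in st["arrays"]:     # array passed on: extend its path
                        rec = st["arrays"][actual]
                        tgt["arrays"][formal] = {**rec, "path": rec["path"] + [callee]}
                    elif actual in st["ranges"]:   # join ranges over all call points
                        lo, hi = st["ranges"][actual]
                        old = tgt["ranges"].get(formal, (lo, hi))
                        tgt["ranges"][formal] = (min(lo, old[0]), max(hi, old[1]))
                pending[callee] -= 1
                if pending[callee] == 0:
                    ready.append(callee)
            elif kind == "access":
                definition = st["arrays"].get(stmt[1])
                if definition is None:
                    continue
                pairs = zip(stmt[2], definition["dims"])
                for dim, (sub, size) in enumerate(pairs, start=1):
                    lo, hi = st["ranges"].get(sub, UNKNOWN)
                    if lo < 0 or hi >= size:
                        findings.append({"function": fn, "array": definition["name"],
                                         "dimension": dim, "range": (lo, hi),
                                         "size": size, "path": definition["path"]})
    return findings, visited
```

Calling `detect(PROGRAM)` reports the second subscript of `table` in `store`, with the path from the definition in `main` through `fill` as the tracking information.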
Example three
Based on the same idea as the method for detecting array out-of-range access provided above, the embodiment of the present specification further provides a device for detecting array out-of-range access, as shown in fig. 10.
The detection device for the array out-of-range access comprises: an information acquisition module 1001, an array access detection module 1002, a value range acquisition module 1003, and an out-of-range access detection module 1004, wherein:
an information obtaining module 1001, configured to obtain functions included in a program code to be detected and call relationship information between the functions;
an array access detection module 1002, configured to detect whether an array needs to be accessed by the target program statement if the call relationship information between the functions includes the target program statement that is not accessed;
a value range obtaining module 1003, configured to, if the target program statement needs to access an array, obtain a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array;
an out-of-range access detection module 1004, configured to detect whether the program code includes an array out-of-range access based on a value range of a predetermined variable of an array accessed by the target program statement in a program area corresponding to the array.
In an embodiment of this specification, the apparatus further includes:
the function detection module is used for detecting whether the calling relation information among the functions comprises the functions which are not accessed;
a function detection result module, configured to, if the call relationship information between the functions includes an unvisited function, take a program statement in the unvisited function as the target program statement;
and the statement detection module is used for detecting whether the calling relation information among the functions comprises the target program statement which is not accessed or not if the calling relation information among the functions does not comprise the functions which are not accessed.
In an embodiment of this specification, the apparatus further includes:
the conversion module is used for converting the program code to be detected into a program code in a preset expression form;
the information acquisition module is used for acquiring functions contained in the program codes converted into the preset expression form and calling relation information among the functions.
In an embodiment of this specification, the apparatus further includes:
the recognition module is used for recognizing the structure of the program statement of the function contained in the converted program code to obtain a recognition result;
the first statement processing module is used for acquiring a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement;
a first value range determination module, configured to determine a range of values of the loop induction variable within the loop body.
In an embodiment of this specification, the apparatus further includes:
the second statement processing module is used for acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function IF the identification result indicates that the program statement of the function is an IF branch statement;
and the second value range determining module is used for respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
In an embodiment of this specification, the apparatus further includes:
a third statement processing module, configured to, if the identification result indicates that the program statement of the function is a SWITCH selection statement, obtain a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block, and a selection variable corresponding to the CASE statement value;
a third value range determination module, configured to determine a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
In this embodiment, the information obtaining module 1001 includes:
the call graph determining unit is used for analyzing the call relation among the functions to obtain a function call graph, and the function call graph comprises a plurality of functions and connecting lines among the functions;
the parameter connection determining unit is used for connecting the formal parameters of the functions in the function call map with the actual parameters of the functions in the function call map to obtain parameter connection information;
and the connection information determining unit is used for acquiring the use and definition relation of a preset global variable among all functions in the function call map to obtain global variable use definition connection information.
In this embodiment of the present specification, the value range obtaining module 1003 includes:
a definition determining unit, configured to determine, according to predetermined usage definition relationship information, a definition of an array accessed by the target program statement if the target program statement requires accessing the array;
and the value range acquisition unit is used for inquiring the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array according to the predetermined use definition relation information and the record information corresponding to the definition of the array accessed by the target program statement.
The embodiment of the present specification provides a device for detecting array out-of-range access. The device obtains the functions included in the program code to be detected and the call relationship information between the functions. If the call relationship information between the functions includes a target program statement that has not been accessed, the device detects whether the target program statement needs to access an array. If it does, the device obtains the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, and detects, based on that value range, whether the program code includes an array out-of-range access. Because the program statements in the call relationship information between the functions are examined, the detection process can cover all execution paths of the program code, which improves the detection accuracy. In addition, because detection works from those program statements and from the value range of the predetermined variable of the array in the program area corresponding to the array, array out-of-range access can be detected more efficiently.
Example four
Based on the same idea as the apparatus for detecting array out-of-range access provided above, the embodiment of the present specification further provides a device for detecting array out-of-range access, as shown in fig. 11.
The detection device for the array out-of-range access may be the server provided in the above embodiment.
The detection device for array out-of-range access may vary considerably with configuration or performance, and may include one or more processors 1101 and a memory 1102, where the memory 1102 may store one or more applications or data. The memory 1102 may be transient or persistent storage. The application stored in the memory 1102 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the detection device for array out-of-range access. Still further, the processor 1101 may be configured to communicate with the memory 1102 and to execute, on the detection device for array out-of-range access, the series of computer-executable instructions in the memory 1102. The detection device for array out-of-range access may also include one or more power supplies 1103, one or more wired or wireless network interfaces 1104, one or more input-output interfaces 1105, and one or more keyboards 1106.
In particular, in this embodiment, the detection apparatus for array out-of-range access includes a memory, and one or more programs, wherein the one or more programs are stored in the memory, and the one or more programs may include one or more modules, and each module may include a series of computer-executable instructions in the detection apparatus for array out-of-range access, and the one or more programs configured to be executed by the one or more processors include computer-executable instructions for:
acquiring functions contained in a program code to be detected and call relation information among the functions;
if the calling relation information among the functions comprises a target program statement which has not yet been visited, detecting whether the target program statement needs to access an array;
if the target program statement needs to access an array, acquiring a value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array;
and detecting whether the program code contains array out-of-range access or not based on the value range of the preset variable of the array accessed by the target program statement in the program area corresponding to the array.
In this embodiment of this specification, after acquiring the functions included in the program code to be detected and the call relationship information between the functions, the method further includes:
detecting whether the calling relation information among the functions comprises functions which have not yet been visited;
if the calling relation information among the functions comprises functions which have not yet been visited, taking the program statements in those unvisited functions as the target program statements;
and if the calling relation information among the functions does not include any unvisited function, detecting whether the calling relation information among the functions includes a target program statement which has not yet been visited.
In the embodiment of this specification, the method further includes:
converting the program code to be detected into a program code in a preset expression form;
the acquiring functions included in the program code to be detected and the call relation information among the functions includes:
acquiring the functions contained in the program code converted into the preset expression form and the call relation information among the functions.
In the embodiment of this specification, the method further includes:
identifying the structure of a program statement of a function contained in the converted program code to obtain an identification result;
if the identification result indicates that the program statement of the function is a loop statement, acquiring a loop induction variable and a loop body corresponding to the program statement of the function;
determining a range of values of the loop induction variable within the loop body.
In the embodiment of this specification, the method further includes:
IF the identification result indicates that the program statement of the function is an IF branch statement, acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function;
and respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
In the embodiment of this specification, the method further includes:
if the identification result indicates that the program statement of the function is a SWITCH selection statement, acquiring a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block and a selection variable corresponding to the CASE statement value;
determining a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
In an embodiment of this specification, the obtaining of the call relationship information between the functions includes:
analyzing the calling relation among the functions to obtain a function call graph, wherein the function call graph comprises a plurality of functions and connecting lines among the functions;
connecting the formal parameters of the functions in the function call graph with the actual parameters of the functions in the function call graph to obtain parameter connection information;
and acquiring the use and definition relation of a preset global variable among all functions in the function call graph to obtain global variable use definition connection information.
In this embodiment of this specification, if the target program statement needs to access an array, the acquiring of a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array includes:
if the target program statement needs to access an array, determining the definition of the array accessed by the target program statement according to preset use definition relation information;
and inquiring the value range of the predetermined variable of each dimension of the array accessed by the target program statement in the program area corresponding to the array according to the predetermined use definition relation information and the record information corresponding to the definition of the array accessed by the target program statement.
The embodiment of the present specification provides a device for detecting array out-of-range access. The device acquires the functions contained in the program code to be detected and the call relationship information between the functions. If the call relationship information includes a target program statement that has not yet been visited, the device detects whether that statement needs to access an array; if it does, the device obtains the value range, within the program area corresponding to the array, of the predetermined variable of the array accessed by the statement, and detects on the basis of that value range whether the program code contains array out-of-range access. Because the check is driven by the program statements in the call relationship information between the functions, the detection process can cover all execution paths of the program code, which improves detection accuracy. In addition, because detection works from those statements and from the value range of the predetermined variable in the program area corresponding to the array, array out-of-range access can be detected more efficiently.
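The value-range steps listed above (loop induction variable, IF branch, SWITCH selection, formal/actual parameter connection, then the check of the index range against the array definition) can be sketched as follows. This is an added example, not code from the patent; the tuple-based statement form, the function names and the sample program are assumptions made for illustration.

```python
import math

UNKNOWN = (-math.inf, math.inf)   # value range of a variable nothing constrains

# Assumed statement form (not the patent's): nested tuples such as
# ("loop", var, lo, hi, body) or ("access", array, index_var, offset).
def child_blocks(st):
    """Statement blocks nested inside one structured statement."""
    if st[0] == "loop":
        return [st[4]]
    if st[0] == "if":
        return [st[4], st[5]]
    if st[0] == "switch":
        return list(st[2].values()) + [st[3]]
    return []

def callees(body):
    """Names of all functions called anywhere inside `body`."""
    for st in body:
        if st[0] == "call":
            yield st[1]
        for block in child_blocks(st):
            yield from callees(block)

def narrow(rng, op, c):
    """Split `rng` into (range where `var op c` holds, range where it fails)."""
    lo, hi = rng
    below, at_or_above = (lo, min(hi, c - 1)), (max(lo, c), hi)
    return (below, at_or_above) if op == "<" else (at_or_above, below)  # op: "<" or ">="

def analyze(functions, arrays):
    """Return [(function, array, (lo, hi), length)] for accesses that can leave bounds."""
    findings, visited = [], set()

    def walk(fname, body, env, stack):
        for st in body:
            kind = st[0]
            if kind == "loop":                      # induction variable range in the loop body
                _, var, lo, hi, inner = st
                if lo < hi:
                    walk(fname, inner, {**env, var: (lo, hi - 1)}, stack)
            elif kind == "if":                      # separate ranges for THEN and ELSE
                _, var, op, c, then_b, else_b = st
                ranges = narrow(env.get(var, UNKNOWN), op, c)
                for rng, block in zip(ranges, (then_b, else_b)):
                    if rng[0] <= rng[1]:            # skip a branch that cannot execute
                        walk(fname, block, {**env, var: rng}, stack)
            elif kind == "switch":                  # CASE pins the selector; DEFAULT keeps its range
                _, var, cases, default = st
                lo, hi = env.get(var, UNKNOWN)
                for value, block in cases.items():
                    if lo <= value <= hi:
                        walk(fname, block, {**env, var: (value, value)}, stack)
                walk(fname, default, env, stack)
            elif kind == "call":                    # connect the actual parameter to the formal one
                _, callee, actual = st
                visited.add(callee)
                if callee not in stack:             # assumption: recursion is not followed
                    param, callee_body = functions[callee]
                    walk(callee, callee_body, {param: env.get(actual, UNKNOWN)},
                         stack + (callee,))
            elif kind == "access":                  # compare index range with the array definition
                _, array, var, offset = st
                lo, hi = env.get(var, UNKNOWN)
                lo, hi = lo + offset, hi + offset
                if lo < 0 or hi >= arrays[array]:
                    findings.append((fname, array, (lo, hi), arrays[array]))

    called = {c for _, body in functions.values() for c in callees(body)}
    roots = sorted(set(functions) - called)
    for name in roots + sorted(called):             # roots first, then anything still unvisited
        if name not in visited:
            visited.add(name)
            param, body = functions[name]
            walk(name, body, {param: UNKNOWN}, (name,))
    return findings

# Constructed sample program; the equivalent C is shown in the comments.
ARRAYS = {"buf": 8, "tbl": 4}                                  # int buf[8]; int tbl[4];
PROGRAM = {
    "copy": ("k", [("access", "buf", "k", 0)]),                # void copy(int k) { buf[k] = 0; }
    "main": (None, [
        ("loop", "i", 0, 8, [("call", "copy", "i")]),          # for (i = 0; i < 8; i++) copy(i);
        ("loop", "j", 0, 8, [("access", "buf", "j", 1)]),      # for (j = 0; j < 8; j++) buf[j + 1] = 0;
        ("loop", "m", 0, 10, [("if", "m", "<", 8,              # for (m = 0; m < 10; m++)
            [("access", "buf", "m", 0)],                       #   if (m < 8) buf[m] = 0;
            [("access", "tbl", "m", 0)])]),                    #   else tbl[m] = 0;
    ]),
    "handler": ("sel", [("switch", "sel", {                    # void handler(int sel) { switch (sel) {
        2: [("access", "tbl", "sel", 0)],                      #   case 2: tbl[sel] = 0; break;
        4: [("access", "tbl", "sel", 0)]}, [])]),              #   case 4: tbl[sel] = 0; break; } }
}

def check_sample():
    return analyze(PROGRAM, ARRAYS)

if __name__ == "__main__":
    for fn, arr, rng, size in check_sample():
        print(f"{fn}: index range {rng} can leave {arr}[{size}]")
```

The call `copy(i)` is not reported because the range of the actual parameter `i` is carried into the formal parameter `k`; the same function would be reported if a caller passed a wider range.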
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) or an improvement in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system onto a PLD through his or her own programming, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing. The original code before compiling must also be written in a specific programming language, which is called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that a hardware circuit implementing a logical method flow can be readily obtained merely by doing a little logic programming of the method flow in one of the hardware description languages described above and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of such controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered as structures within the hardware component. The means for performing the functions may even be regarded as being both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include computer-readable media in the form of volatile memory, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; for parts that are the same or similar among the embodiments, reference may be made from one embodiment to another, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (15)

1. A method of detecting array out-of-range access, the method comprising:
acquiring functions contained in a program code to be detected and call relation information among the functions;
if the calling relation information among the functions comprises a target program statement which has not yet been visited, detecting whether the target program statement needs to access an array;
if the target program statement needs to access an array, acquiring a value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array;
detecting whether the program code contains array out-of-range access or not based on the value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array;
wherein, if the target program statement needs to access an array, acquiring a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array, including:
and if the target program statement needs to access the array, determining the definition of the array accessed by the target program statement according to the preset use definition relation information, and inquiring the value range of the preset variable of each dimension of the array accessed by the target program statement in the program area corresponding to the array according to the preset use definition relation information and the record information corresponding to the definition of the array accessed by the target program statement.
2. The method according to claim 1, after obtaining the functions included in the program code to be detected and the call relation information between the functions, the method further comprising:
detecting whether the calling relation information among the functions comprises functions which have not yet been visited;
if the calling relation information among the functions comprises functions which have not yet been visited, taking the program statements in those unvisited functions as the target program statements;
and if the calling relation information among the functions does not include any unvisited function, detecting whether the calling relation information among the functions includes a target program statement which has not yet been visited.
3. The method of claim 1, further comprising:
converting the program code to be detected into a program code in a preset expression form;
the acquiring functions included in the program code to be detected and the call relation information among the functions includes:
acquiring the functions contained in the program code converted into the preset expression form and the call relation information among the functions.
4. The method of claim 3, further comprising:
identifying the structure of a program statement of a function contained in the converted program code to obtain an identification result;
if the identification result indicates that the program statement of the function is a loop statement, acquiring a loop induction variable and a loop body corresponding to the program statement of the function;
determining a range of values of the loop induction variable within the loop body.
5. The method of claim 4, further comprising:
IF the identification result indicates that the program statement of the function is an IF branch statement, acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function;
and respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
6. The method of claim 4, further comprising:
if the identification result indicates that the program statement of the function is a SWITCH selection statement, acquiring a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block and a selection variable corresponding to the CASE statement value;
determining a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
7. The method of claim 1, wherein the obtaining of call relation information between the functions comprises:
analyzing the calling relation among the functions to obtain a function call graph, wherein the function call graph comprises a plurality of functions and connecting lines among the functions;
connecting the formal parameters of the functions in the function call graph with the actual parameters of the functions in the function call graph to obtain parameter connection information;
and acquiring the use and definition relation of a preset global variable among all functions in the function call graph to obtain global variable use definition connection information.
8. An apparatus for detecting array out-of-range access, the apparatus comprising:
the information acquisition module is used for acquiring functions contained in the program codes to be detected and call relation information among the functions;
the array access detection module is used for detecting whether the target program statement needs to access an array if the calling relation information among the functions comprises a target program statement which has not yet been visited;
a value range obtaining module, configured to obtain, if the target program statement needs to access an array, a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array;
the out-of-range access detection module is used for detecting whether the program code contains array out-of-range access based on the value range of the preset variable of the array accessed by the target program statement in the program area corresponding to the array;
wherein, the value range obtaining module comprises:
a definition determining unit, configured to determine, according to predetermined usage definition relationship information, a definition of an array accessed by the target program statement if the target program statement requires accessing the array;
and the value range acquisition unit is used for inquiring the value range of the predetermined variable of each dimension of the array accessed by the target program statement in the program area corresponding to the array according to the predetermined use definition relation information and the record information corresponding to the definition of the array accessed by the target program statement.
9. The apparatus of claim 8, the apparatus further comprising:
the function detection module is used for detecting whether the calling relation information among the functions comprises functions which have not yet been visited;
a function detection result module, configured to, if the call relationship information between the functions includes an unvisited function, take a program statement in the unvisited function as the target program statement;
and the statement detection module is used for detecting whether the calling relation information among the functions comprises a target program statement which has not yet been visited if the calling relation information among the functions does not comprise any unvisited function.
10. The apparatus of claim 8, the apparatus further comprising:
the conversion module is used for converting the program code to be detected into a program code in a preset expression form;
the information acquisition module is used for acquiring functions contained in the program codes converted into the preset expression form and calling relation information among the functions.
11. The apparatus of claim 10, the apparatus further comprising:
the recognition module is used for recognizing the structure of the program statement of the function contained in the converted program code to obtain a recognition result;
the first statement processing module is used for acquiring a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement;
a first value range determination module to determine a range of values of the loop induction variable within the loop body.
12. The apparatus of claim 11, the apparatus further comprising:
the second statement processing module is used for acquiring a THEN statement block, an ELSE statement block and a condition judgment variable corresponding to the program statement of the function IF the identification result indicates that the program statement of the function is an IF branch statement;
and the second value range determining module is used for respectively determining the value range of the condition judgment variable in the THEN statement block and the value range of the condition judgment variable in the ELSE statement block.
13. The apparatus of claim 11, the apparatus further comprising:
a third statement processing module, configured to, if the identification result indicates that the program statement of the function is a SWITCH selection statement, obtain a CASE statement value corresponding to the program statement of the function, and a CASE statement block, a DEFAULT statement block, and a selection variable corresponding to the CASE statement value;
a third value range determination module for determining a range of values of the selection variable within each CASE statement block and within the DEFAULT statement block.
14. The apparatus of claim 8, the information acquisition module, comprising:
the call graph determining unit is used for analyzing the call relation among the functions to obtain a function call graph, and the function call graph comprises a plurality of functions and connecting lines among the functions;
the parameter connection determining unit is used for connecting the formal parameters of the functions in the function call graph with the actual parameters of the functions in the function call graph to obtain parameter connection information;
and the connection information determining unit is used for acquiring the use and definition relation of a preset global variable among all functions in the function call graph to obtain global variable use definition connection information.
15. A device for detecting array out-of-range access, the device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
acquiring functions contained in a program code to be detected and call relation information among the functions;
if the calling relation information among the functions comprises a target program statement which has not yet been visited, detecting whether the target program statement needs to access an array;
if the target program statement needs to access an array, acquiring a value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array;
detecting whether the program code contains array out-of-range access or not based on the value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array;
wherein, if the target program statement needs to access an array, acquiring a value range of a predetermined variable of the array accessed by the target program statement in a program area corresponding to the array, including:
and if the target program statement needs to access the array, determining the definition of the array accessed by the target program statement according to the preset use definition relation information, and inquiring the value range of the preset variable of each dimension of the array accessed by the target program statement in the program area corresponding to the array according to the preset use definition relation information and the record information corresponding to the definition of the array accessed by the target program statement.
CN201910828384.9A 2019-09-03 2019-09-03 Detection method, device and equipment for group border crossing access Active CN110674495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910828384.9A CN110674495B (en) 2019-09-03 2019-09-03 Detection method, device and equipment for group border crossing access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910828384.9A CN110674495B (en) 2019-09-03 2019-09-03 Detection method, device and equipment for group border crossing access

Publications (2)

Publication Number Publication Date
CN110674495A CN110674495A (en) 2020-01-10
CN110674495B true CN110674495B (en) 2021-07-09

Family

ID=69076243

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910828384.9A Active CN110674495B (en) 2019-09-03 2019-09-03 Detection method, device and equipment for group border crossing access

Country Status (1)

Country Link
CN (1) CN110674495B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101894064A (en) * 2009-05-21 2010-11-24 北京邮电大学 Method for testing software by applying across function analysis
CN101937388A (en) * 2009-12-17 2011-01-05 北京测腾信息技术有限公司 High-extensibility and high-maintainability source code defect detection method and device
CN103778061A (en) * 2014-01-17 2014-05-07 南京航空航天大学 Automatic detection and correction method for array out-of-bound errors
CN104573503A (en) * 2015-02-11 2015-04-29 中国农业银行股份有限公司 Method and device for detecting memory access overflow
CN105912459A (en) * 2016-04-01 2016-08-31 北京理工大学 Detection method for array bound based on symbolic execution
CN106940654A (en) * 2017-02-15 2017-07-11 南京航空航天大学 The automatic detection and localization method of EMS memory error in source code
CN107908405A (en) * 2017-11-17 2018-04-13 苏州蜗牛数字科技股份有限公司 The static examination & verification device and method of code

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7062761B2 (en) * 2001-07-10 2006-06-13 Micron Technology, Inc. Dynamic arrays and overlays with bounds policies
US7962922B2 (en) * 2006-08-28 2011-06-14 Microsoft Corporation Delivering callbacks into secure application areas
US8135994B2 (en) * 2006-10-30 2012-03-13 The Trustees Of Columbia University In The City Of New York Methods, media, and systems for detecting an anomalous sequence of function calls
CN101482847B (en) * 2009-01-19 2011-06-29 北京邮电大学 Detection method based on safety bug defect mode
US8302086B2 (en) * 2009-12-18 2012-10-30 Oracle America, Inc. System and method for overflow detection using symbolic analysis

Also Published As

Publication number Publication date
CN110674495A (en) 2020-01-10

Similar Documents

Publication Publication Date Title
CN109189682B (en) Script recording method and device
CN107274442B (en) Image identification method and device
CN109190007B (en) Data analysis method and device
CN110262937B (en) Identification method and device for index abnormality reasons
US8990792B2 (en) Method for constructing dynamic call graph of application
CN111160012A (en) Medical term recognition method and device and electronic equipment
CN115712866B (en) Data processing method, device and equipment
CN116049761A (en) Data processing method, device and equipment
CN109656946B (en) Multi-table association query method, device and equipment
CN109376988B (en) Service data processing method and device
CN110675028A (en) Block chain-based food safety supervision method, device, equipment and system
CN117707948A (en) Training method and device for test case generation model
CN110674495B (en) Detection method, device and equipment for group border crossing access
CN112491816A (en) Service data processing method and device
CN112181479A (en) Method and device for determining difference between code file versions and electronic equipment
CN115221523B (en) Data processing method, device and equipment
CN108334775B (en) Method and device for detecting jail-crossing plug-in
CN107368281B (en) Data processing method and device
CN114840427A (en) Code testing and test case generating method and device
CN115567371A (en) Abnormity detection method, device, equipment and readable storage medium
CN111242195B (en) Model, insurance wind control model training method and device and electronic equipment
CN111967769B (en) Risk identification method, apparatus, device and medium
CN110245136B (en) Data retrieval method, device, equipment and storage equipment
CN114356912A (en) Method for writing data into database and computer equipment
CN110046090B (en) Page element positioning method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230427

Address after: 51 Brasbala Road, Singapore, No. 04-08 Lazada 1

Patentee after: Alipay Intellectual Property Holding Co.

Address before: 14/F, Zhonggang Building, 8 Hennessy Road, Wanchai

Patentee before: XC5 Hong Kong Ltd.