CN116450402B - Program flow monitoring method, compiling device, processor and computer equipment - Google Patents

Abstract

The invention discloses a program flow monitoring method, a compiling device, a processor and computer equipment, wherein the program flow is correspondingly provided with a control flow and a data flow; the control flow comprises a plurality of basic blocks; the head part of the basic block is inserted with a control flow checking instruction in a compiling stage, and the tail part of the basic block is inserted with a data flow checking instruction in a linking stage; the program flow monitoring method comprises the following steps: executing the control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block; in the case that the current basic block is running to the data stream check instruction, CRC signature values of all instructions of the current basic block are determined to check the integrity of the data stream. Therefore, the program flow is doubly monitored on the data flow and the control flow, and the problem that the program execution behavior is inconsistent with the expected behavior can be effectively detected.

Description

Program flow monitoring method, compiling device, processor and computer equipment

Technical Field

The present invention relates to the field of program flow monitoring technologies, and in particular, to a program flow monitoring method, a compiling device, a processor, and a computer device.

Background

The CPU (Central Processing Unit ) is widely used in various fields as a core unit on a chip. In general, the CPU sequentially performs instruction fetching, decoding, and execution operations on the instruction stream sequence according to the order of the instruction stream, so as to complete execution of the instruction. If the sequence of program flow execution is corrupted, program logic errors may occur and even cause an overall system exception. Therefore, it is necessary to monitor the program flow to ensure that the entire system program runs safely and reliably.

In the related art, a CPU internal watchdog or an external system watchdog module is generally used to monitor program flows. However, the watchdog-based program flow monitoring method can detect whether the program flow is executed completely within a period of time, and cannot detect whether the program flow is executed efficiently in accordance with design logic.

Disclosure of Invention

The present invention aims to solve at least one of the technical problems in the related art to some extent. Therefore, a first object of the present invention is to provide a program flow monitoring method, by which the program flow is doubly monitored on the data flow and the control flow, so as to effectively detect the problem that the program execution behavior is inconsistent with the expectations due to the influence of the electromagnetic interference, the line crosstalk and other factors.

A second object of the present invention is to provide a program code compiling method.

A third object of the invention is to propose a processor.

A fourth object of the present invention is to provide a program flow monitoring device.

A fifth object of the present invention is to provide a program code compiling apparatus.

A sixth object of the invention is to propose a computer device.

A seventh object of the present invention is to propose a computer readable storage medium.

In order to achieve the above object, an embodiment of a first aspect of the present invention provides a program flow monitoring method, where the program flow corresponds to a control flow and a data flow; the control flow comprises a plurality of basic blocks; the head part of the basic block is inserted with a control flow checking instruction in a compiling stage, and the tail part of the basic block is inserted with a data flow checking instruction in a linking stage; wherein the data stream checking instruction is inserted by replacing a occupying instruction inserted into the tail of the basic block in the compiling stage in the linking stage; the method comprises the following steps: executing the control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block; in the case that the current basic block is running to the data stream check instruction, CRC signature values of all instructions of the current basic block are determined to check the integrity of the data stream.

According to one embodiment of the invention, the basic block is assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block; the executing the control flow checking instruction in the current basic block to check the correctness of the control flow includes: acquiring a compensation signature of the precursor basic block and a runtime signature of the precursor basic block; wherein the compensation signature is determined based on an exclusive or calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located; determining a static signature and a signature difference of the current basic block; the signature difference is determined based on the result of exclusive OR calculation of the static signature of the precursor basic block and the static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification.

According to one embodiment of the present invention, when the number of the precursor basic blocks is 1, the precursor basic blocks are the precursor reference basic blocks, and the compensation signature is 0.

According to one embodiment of the invention, when the number of precursor basic blocks is greater than 1, the precursor reference basic block is determined based on a static signature of a basic block at a control level at which the precursor basic block is located.

According to one embodiment of the present invention, the program flow monitoring method further includes: and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is not equal to the static signature of the current basic block, the current basic block does not pass the control flow verification so as to trigger the exception.

According to one embodiment of the present invention, before the current basic block passes the control flow verification if the result of the exclusive-or calculation of the runtime signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the program flow monitoring method further includes: based on the signature difference and the static signature of the current basic block, a control flow checking instruction is inserted into the head of the current basic block; and if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, checking the current basic block through a control flow, wherein the checking comprises the following steps: and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

According to one embodiment of the present invention, a static check signature is attached to the data stream check instruction, and the static check signature is determined based on CRC signature values of all instructions in the current basic block when a compiler compiles a link; said determining CRC signature values for all instructions of said current basic block to verify the integrity of said data stream, comprising: calculating CRC signature values of all instructions in the current basic block to obtain a dynamic check signature; and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

According to one embodiment of the present invention, the determining CRC signature values of all instructions of the current basic block to verify the integrity of the data stream further includes: and if the dynamic check signature of the current basic block after the execution is completed is inconsistent with the static check signature, the current basic block does not pass through data flow check to trigger exception.

According to one embodiment of the invention, the control flow comprises a function control flow comprising an inlet basic block and an outlet basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the program flow monitoring method further comprises the following steps: executing the signature information storage instruction when the function is called so as to support the push operation of the runtime signature and the compensation signature; and executing the signature information recovery instruction when the called function returns to support the spring stack operation of the saved runtime signature and the compensation signature.

According to one embodiment of the present invention, the program flow monitoring method further includes: the compiler parameters of global monitoring are increased to monitor the whole running process of the application.

According to one embodiment of the present invention, the program flow monitoring method further includes: and adding a program flow detection mark and a compiler parameter at a specified position of a specified function aiming at the specified function in the source code so as to monitor the running process of the specified function.

According to one embodiment of the present invention, the program flow monitoring method further includes: the method comprises the steps that target source codes to be monitored are bracketed in source codes through brackets; and adding guidance sentences at the appointed position of the target source code to monitor the running process of the target source code.

In order to achieve the above object, according to a second aspect of the present invention, there is provided a program code compiling method, where the program code corresponds to a program control flow graph, and the program control flow graph has a plurality of basic blocks therein; the method comprises the following steps: in the compiling stage, inserting a control flow checking instruction into the head part of the basic block, and inserting a occupying instruction into the tail part of the basic block; the control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block; in the link stage, the instruction code corresponding to the occupying instruction is replaced by a data stream checking instruction; and the data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when the program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

According to one embodiment of the invention, the control flow comprises a function control flow comprising an inlet basic block and an outlet basic block; the program code compiling method further includes: in the compiling stage, inserting a signature information storage instruction into the entry basic block, and inserting a signature information recovery instruction into the exit basic block; the signature information saving instruction is used for runtime signature and push operation for adjusting the signature when the function is called, and the signature information recovering instruction is used for runtime signature and pop operation for adjusting the signature before the called function returns.

To achieve the above object, an embodiment of a third aspect of the present invention provides a processor, where the processor is configured to execute a program stream, where the program stream corresponds to a control stream and a data stream; the control flow comprises a plurality of basic blocks; the processor comprises an expansion decoding circuit positioned at a decoding pipeline stage, a control flow checking circuit positioned at a writing back pipeline stage and a data flow checking circuit; the expansion decoding circuit is used for decoding the control flow checking instruction and the data flow checking instruction; the control flow checking instruction is inserted into the head part of the basic block in the compiling stage, and the data flow checking instruction is inserted by replacing the occupation instruction inserted into the tail part of the basic block in the compiling stage in the linking stage; the control flow checking circuit is used for executing a control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block; the data stream checking circuit is used for determining CRC signature values of all instructions of the current basic block to check the integrity of the data stream under the condition that the current basic block runs to the data stream checking instructions.

According to one embodiment of the invention, the basic block is assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block; the processor is provided with a run-time signature register and a compensation signature register; the runtime signature register stores runtime signatures of the precursor basic blocks, and the compensation signature register stores compensation signatures of the precursor basic blocks; the compensation signature is determined based on an exclusive OR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located; the control flow verification circuit is further configured to determine a static signature and a signature difference of the current basic block, and if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification; the signature difference is determined based on the result of exclusive-or calculation of the static signature of the precursor basic block and the static signature of the current basic block.

According to one embodiment of the invention, the control flow comprises a function control flow comprising an inlet basic block and an outlet basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the processor is provided with a signature stack; the signature stack is used for executing the signature information storage instruction when the function is called, and supporting the push operation of the signature and the compensation signature during operation; and executing the signature information recovery instruction when the called function returns, and supporting the spring stack operation of the stored runtime signature and the compensation signature.

According to one embodiment of the present invention, a static check signature is attached to the data stream check instruction, and the static check signature is determined based on CRC signature values of all instructions in the current basic block when a compiler compiles a link; the processor is provided with a CRC intermediate value register; the CRC intermediate value register is used for storing an intermediate CRC signature value generated when the current basic block runs to a current instruction; the data stream checking circuit is also used for calculating CRC signature values of all instructions in the current basic block to obtain dynamic checking signatures; and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

In order to achieve the above object, a fourth aspect of the present invention provides a program flow monitoring device, where the program flow corresponds to a control flow and a data flow; the control flow comprises a plurality of basic blocks; the head part of the basic block is inserted with a control flow checking instruction in a compiling stage, and the tail part of the basic block is inserted with a data flow checking instruction in a linking stage; wherein the data stream checking instruction is inserted by replacing a occupying instruction inserted into the tail of the basic block in the compiling stage in the linking stage; the device comprises: the control flow checking module is used for executing the control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block; and the data stream checking module is used for determining CRC signature values of all instructions of the current basic block so as to check the integrity of the data stream under the condition that the current basic block runs to the data stream checking instructions.

According to one embodiment of the invention, the basic block is assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block; the control flow verification module is further used for acquiring a compensation signature of the precursor basic block and a runtime signature of the precursor basic block; wherein the compensation signature is determined based on an exclusive or calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located; determining a static signature and a signature difference of the current basic block; the signature difference is determined based on the result of exclusive OR calculation of the static signature of the precursor basic block and the static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification.

According to one embodiment of the present invention, the control flow checking module is further configured to insert a control flow checking instruction into a header of the current basic block based on the signature difference and a static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

According to one embodiment of the present invention, a static check signature is attached to the data stream check instruction, and the static check signature is determined based on CRC signature values of all instructions in the current basic block when a compiler compiles a link; the data flow checking module is also used for calculating CRC signature values of all instructions in the current basic block to obtain dynamic checking signatures; and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

According to one embodiment of the invention, the control flow comprises a function control flow comprising an inlet basic block and an outlet basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the program flow monitoring device further includes: the signature stack pushing module is used for executing the signature information storage instruction when the function is called so as to support the stack pushing operation of the runtime signature and the compensation signature; and the signature pop module is used for executing the signature information recovery instruction when the called function returns so as to support the pop operation of the saved runtime signature and the compensation signature.

In order to achieve the above object, according to a fifth aspect of the present invention, there is provided a program code compiling apparatus, wherein the program code corresponds to a program control flow graph, and the program control flow graph has a plurality of basic blocks therein; the device comprises: the first instruction insertion module is used for inserting a control flow checking instruction into the head part of the basic block and inserting a occupation instruction into the tail part of the basic block in the compiling stage; the control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block; the system comprises a space occupying instruction replacing module, a data stream checking module and a data stream checking module, wherein the space occupying instruction replacing module is used for replacing an instruction code corresponding to the space occupying instruction into a data stream checking instruction in a link stage; and the data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when the program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

According to one embodiment of the invention, the control flow comprises a function control flow comprising an inlet basic block and an outlet basic block; the program code compiling apparatus further includes: the second instruction insertion module is used for inserting a signature information storage instruction into the entry basic block and inserting a signature information recovery instruction into the exit basic block in the compiling stage; the signature information saving instruction is used for runtime signature and push operation for adjusting the signature when the function is called, and the signature information recovering instruction is used for runtime signature and pop operation for adjusting the signature before the called function returns.

To achieve the above object, an embodiment of the present invention provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method according to any one of the previous embodiments when the processor executes the computer program.

To achieve the above object, an embodiment of a seventh aspect of the present invention proposes a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the method according to any of the previous embodiments.

According to the embodiments provided by the invention, the signature information saving instruction, the signature information recovering instruction, the control flow checking instruction and the data flow checking instruction are used for checking the integrity and the correctness of the control flow and the data flow of the application program in real time. And then respectively realizing a CPU micro-architecture supporting the execution of the program flow monitoring instruction and a compiling tool chain supporting the generation of the program flow monitoring instruction, and carrying out double monitoring on the program flow on the data flow and the control flow through a program flow monitoring method combining software and hardware. Meanwhile, the method that the control flow checking instruction and the occupied instruction of the data flow checking instruction are inserted into the assembly code in the compiling stage firstly, and then the data flow checking instruction is inserted into the binary instruction code in the linking stage to replace the occupied instruction is adopted, so that the integrity check of the newly added control flow checking instruction is realized.

Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.

Drawings

Fig. 1 is a flow chart of a program flow monitoring method according to an embodiment of the present disclosure.

Fig. 2 is a schematic flow chart of checking correctness of a control flow according to an embodiment of the present disclosure.

Fig. 3 is a schematic flow chart of checking the integrity of a data stream according to an embodiment of the present disclosure.

Fig. 4 is a flow chart of a program flow monitoring method according to an embodiment of the present disclosure.

Fig. 5a is a flowchart illustrating a program code compiling method according to an embodiment of the present disclosure.

Fig. 5b is a schematic structural diagram of a compiler system according to an embodiment of the present disclosure.

Fig. 5c is a schematic diagram of an encoding format of a control flow check instruction according to an embodiment of the present disclosure.

Fig. 5d is a schematic diagram of an encoding format of a control flow verification instruction according to an embodiment of the present disclosure.

Fig. 5e is a schematic diagram of an encoding format of a data stream verification instruction according to an embodiment of the present disclosure.

Fig. 5f is a schematic diagram of a process for inserting a control flow check instruction and a data flow check instruction according to one embodiment of the present disclosure.

Fig. 6a is a schematic diagram of an encoding format of a signature information holding instruction according to an embodiment of the present disclosure.

Fig. 6b is a schematic diagram of an encoding format of a signature information recovery instruction according to an embodiment of the present disclosure.

Fig. 6c is a schematic diagram of a process for inserting instructions in a basic block according to one embodiment of the present disclosure.

Fig. 7 is a block diagram of a processor according to one embodiment of the present disclosure.

Fig. 8a is a block diagram of a processor according to an embodiment of the present disclosure.

Fig. 8b is a block diagram of a processor according to one embodiment of the present disclosure.

Fig. 9a is a block diagram of a processor according to an embodiment of the present disclosure.

Fig. 9b is a block diagram of a processor according to an embodiment of the present disclosure.

Fig. 10a is a block diagram of a processor according to an embodiment of the present disclosure.

Fig. 10b is a block diagram of a processor according to one embodiment of the present disclosure.

Fig. 11a is a block diagram of a program flow monitoring device according to an embodiment of the present disclosure.

Fig. 11b is a block diagram of a program flow monitoring device according to an embodiment of the present disclosure.

Fig. 12a is a block diagram showing the configuration of a program code compiling apparatus according to an embodiment of the present specification.

Fig. 12b is a block diagram showing the configuration of a program code compiling apparatus according to an embodiment of the present specification.

Fig. 13 is a block diagram of a computer device according to one embodiment of the present disclosure.

Detailed Description

Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.

The CPU (Central Processing Unit ) is widely used in various fields as a core unit on a chip. Taking the fields of electric power, aerospace and the like as an example, due to the specificity of the environment where an electric power system, aerospace equipment and the like are located, a CPU is extremely susceptible to factors such as electromagnetic interference, line crosstalk, space single particles and the like, and program operation faults occur. The program counter and the memory unit are abnormally rewritten, so that the program execution branch is abnormally jumped, and the fault that the value of the key variable is seriously beyond the normal range is serious. Because such faults are influenced by external environment factors, the content of the faults and the random nature of the generated memory address are strong, and therefore, the faults cannot be found and processed through a conventional software testing method.

Generally, a compiler compiles a software program into a series of binary instruction stream sequences, and a CPU sequentially performs instruction fetching, decoding and executing operations on the instruction stream sequences according to the order of the instruction streams to complete execution of the instructions. The CPU can only ensure that the running of the program meets the expected logic by executing the instructions in sequence according to the instruction flow sequence. If the sequence of program flow execution is disturbed, such as partial instruction not being executed, branch jump error, etc., or the instruction is rewritten to other instructions or erroneous instructions, the program execution result is inconsistent with expectations, and even the whole system is abnormal. Therefore, it is necessary to monitor the execution process of the program flow in real time, so as to find out the abnormal situation in the running process of the program in time and make corresponding treatment, and ensure the safe and reliable running of the whole system program.

When the program runs, after executing one jump instruction, the program will switch to executing another instruction, and this process is called a control flow transfer. A basic block is a sequence of instructions that are executed sequentially and, based on the basic block, a program may be represented as a control flow graph consisting of basic blocks and directed edges connecting the basic blocks, where the directed edges represent the actual program control flow transitions. If there is an edge from basic block Bi to basic block Bj, it indicates that there is a route from Bi to Bj in the program, bi is denoted as the predecessor basic block of Bj, and Bj is denoted as the successor basic block of Bi. Based on basic blocks and program control flow diagrams, legal program control flow has the following two-layer meaning: (1) program control flow inside basic blocks. Since the instructions in the basic block are sequentially executed, the execution (control flow) of the program can only enter from the first statement of the basic block and leave from the last statement of the basic block, and each instruction has only a unique subsequent instruction except the last instruction of the basic block; (2) program control flow transfer between basic blocks. There may be multiple subsequent instructions for the last instruction of a basic block, but all must be the first instruction of the subsequent basic block of the basic block to which the last instruction belongs in the control flow graph.

In the related art, the following two methods are generally used to monitor the running condition of a program flow:

(1) The running condition of the software is monitored by adopting a CPU internal watchdog or an external system watchdog module. The watchdog circuit has a timer function, and if the program does not initialize the count value within a predetermined time, the program is considered to be abnormally executed, and the watchdog circuit outputs an interrupt or reset signal. However, the watchdog-based program flow monitoring method can only confirm whether the program has an entry exception, and cannot confirm whether the program flow is actually executed as expected. For example, if a jump instruction abnormality causes a program flow to execute, a jump instruction is not executed, and monitoring cannot be performed. And as long as the cleared timed task is still operating properly, errors elsewhere will not be found. It is possible that the program has been running in the error state for a longer period of time before the watchdog reset signal is triggered, and this period of time may result in some loss of erroneous data output by the user.

(2) And additionally adding a flag value field for each monitored subprogram, if the subprogram is called, calculating a corresponding flag value field by the subprogram according to a pre-agreed algorithm, then comparing and checking the calculated flag value of the subprogram with an expected standard value by the main program, if the calculated flag value is the same as the expected standard value, determining that the execution of the subprogram in a program flow meets the expected requirement, and otherwise, determining that the execution of the subprogram in the program flow is wrong. However, the method can only confirm whether the subroutine is called and whether the program stream of the function of calculating the flag value field in the program stream is normally executed, and the condition that the function logic of the subroutine itself is not executed or is executed by mistake cannot be well monitored, so that the monitoring effect on the program stream is not good, and more redundant code overhead may be increased.

In order to solve the problems caused by the monitoring mode of the program flow operation process in the related art and effectively improve the monitoring effect, it is necessary to provide a program flow monitoring method, a compiling method, a device, a processor and computer equipment, which extend program flow monitoring instructions through a CPU architecture instruction set, ensure the integrity of data flow among instructions in basic blocks through data flow checking instructions in the basic blocks through setting signature checking instructions, and ensure the correctness of control flow of transfer skip of the basic blocks through control flow checking instructions among the basic blocks. And then respectively realizing a CPU micro-architecture supporting the execution of the program flow monitoring instruction and a compiling tool chain supporting the generation of the program flow monitoring instruction. By the program flow monitoring method combining software and hardware, the program flow is doubly monitored on the data flow and the control flow, and the problem that the program execution behavior is inconsistent with the expected program due to the influence of factors such as electromagnetic interference and line crosstalk can be effectively detected. The program flow monitoring detects that the program execution is wrong and then immediately triggers the abnormality, so that the application software can timely take countermeasures such as module reset or integral reset and the like, and the correctness of the program operation is ensured.

The embodiment of the specification provides a program flow monitoring method, wherein a program flow corresponds to a control flow and a data flow; the control flow comprises a plurality of basic blocks; the basic block head is inserted with control flow check instructions at the compiling stage, and the basic block tail is inserted with data flow check instructions at the linking stage. The data stream checking instruction is inserted by replacing the occupying instruction inserted into the tail part of the basic block in the compiling stage in the linking stage. Referring to fig. 1, the program flow monitoring method may include the following steps.

And S110, under the condition that the program flow runs to the current basic block, executing a control flow checking instruction in the current basic block to check the correctness of the control flow.

The control flow is used for representing directed jump among basic blocks in the program, and the control flow checking instruction can be a signature checking instruction containing basic block signature information. It will be appreciated that a program may be represented as a control flow graph consisting of basic blocks and directed edges connecting the basic blocks, where the directed edges represent the actual program control flow transitions. If there is a directed edge from basic block Bi to basic block Bj, it indicates that there is a route from Bi to Bj in the program, bi is denoted as the predecessor basic block of Bj, and Bj is denoted as the successor basic block of Bi. Therefore, the basic blocks can be used as program flow monitoring and checking units in the program, and checking can be performed when the basic blocks jump, so that the correctness of the control flow is ensured.

The current basic block is used to represent a basic block in the program stream that is currently ready to be executed or is currently being executed. It will be appreciated that since the basic block is the largest continuous block of sequentially executed instructions in the program, none of the other instructions except the last instruction can be program control instructions (program control instructions can change the original execution order of the program, typically include conditional branch instructions, unconditional jump instructions, function call instructions, function return instructions, etc.), none of the other instructions except the first instruction can be the branching target of the program control instructions. Therefore, a control flow checking instruction can be inserted into the head of the basic block, and is used for executing a corresponding control flow checking instruction before the first instruction of the current basic block is executed under the condition that the program flow runs to the current basic block, so as to check whether the current basic block is a correct jump target of a precursor basic block which jumps to the current basic block, and can directly trigger an exception under the condition that the precursor basic block is checked to jump errors, and the application program carries out corresponding processing. Further, the compiler may divide and flag basic blocks according to jump instructions and build a control flow graph of the program based thereon. By adding the control flow checking instruction into the extended instruction set of the CPU and expanding the compiling tool chain, the compiler inserts the control flow checking instruction into the executable code instruction sequence of the basic block in the compiling stage of the program code, so that the insertion and execution of the checking instruction are not influenced by the grammar of a high-level programming language and the like.

Specifically, the signature information in the control flow verification instruction may include signature information of each basic block and its corresponding legal precursor basic block. When the program flow runs to the current basic block, signature information in a control flow checking instruction of the current basic block and signature information of a precursor basic block which jumps to the current basic block are checked to detect whether the precursor basic block has jump errors or not. By inserting the control flow checking instruction into the head of the basic block, when the program flow is executed to a certain basic block, whether the jump of the precursor basic block which jumps to the basic block is correct can be verified immediately, so that the jump correctness of each basic block in the running process of the program flow can be checked on the one hand, the correctness of the control flow is checked, and on the other hand, the exception is triggered immediately under the condition of verifying the jump error, so that the situation that the subsequent error instruction is discovered after being executed for a period of time is avoided, and the larger program error is avoided.

S120, under the condition that the current basic block runs to the data stream checking instruction, CRC signature values of all instructions of the current basic block are determined to check the integrity of the data stream.

Wherein the data stream is used to represent sequential execution of instructions within the basic block, and the data stream check instruction may be a signature check instruction that includes CRC signature values of all instructions within the basic block. It can be understood that each instruction in the basic block is executed without branch jump interference, so that a data stream checking instruction can be inserted at the tail of the basic block for immediately checking the integrity of an instruction sequence in the current basic block when the program is executed out of the current basic block and enters the next basic block, and an exception can be directly triggered under the condition that the checking is not passed, and the application program can correspondingly process the instruction sequence, so that the subsequent instruction sequence can be prevented from being executed by mistake under the condition that the subsequent instruction sequence is abnormal in the program stream.

In some cases, since the binary machine code of the instruction in the basic block is needed to calculate the CRC signature value of the basic block, the space occupying instruction is only inserted at the tail of the basic block in the assembly file generated in the compiling stage of the program code, so that the data stream checking instruction can occupy the space through the space occupying instruction. In the program code linking stage, the assembler has converted the assembly instructions in the assembly file into binary instruction codes in the target file, can calculate CRC signature values of all instructions in the basic block through a CRC check algorithm and the like to fill the CRC signature into the data stream check instructions, and replaces the occupying instructions at the tail part of the basic block by using the data stream check instructions to realize the insertion of the data stream check instructions.

It should be noted that the CRC signature value included in the data stream checking instruction is the original static checking CRC signature value when all instructions in the basic block are not executed. In the above embodiment, the CRC signature value determined in the case where the current basic block is run to the data stream check instruction is a dynamic check CRC signature value at the time of execution of all instructions of the current basic block.

Specifically, dynamic CRC signature values for all instructions within a current basic block are dynamically calculated as instructions within the current basic block execute. When program instructions in a current basic block are executed, namely, jumping to a next basic block, executing a data stream checking instruction at the tail part of the current basic block, comparing a static checking CRC signature in the data stream checking instruction with a calculated dynamic checking CRC signature of the basic block, and if the static checking CRC signature is consistent with the calculated dynamic checking CRC signature, completing an instruction sequence in the basic block; if the instruction sequences are inconsistent, the instruction sequences in the basic blocks are tampered, and the exception can be directly triggered at the moment, and the application program carries out corresponding processing.

In the above embodiment, based on four stages of preprocessing, compiling, assembling and linking the source code file to generate the final executable program file, the control flow checking instruction is inserted into the assembly code generated in the compiling stage, and then the data flow checking instruction is inserted into the binary instruction code generated in the compiling stage. On one hand, the problem that the original static CRC signature values of all instructions in a basic block need to be recalculated due to the insertion of control flow checking instructions can be avoided; on the other hand, the inserted control flow checking instruction also needs to be listed in the basic block to perform correctness checking of instruction execution in the basic block, so as to ensure the integrity and correctness of the program flow and the newly added control flow checking instruction sequence.

In some implementations, the basic blocks are assigned static signatures; the plurality of basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block. Referring to fig. 2, a method of executing a control flow check instruction within a current basic block to check the correctness of a control flow may include the following steps.

S210, acquiring a compensation signature of the precursor basic block and a runtime signature of the precursor basic block.

The compensation signature is determined based on an exclusive OR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block and the precursor basic block are in the same control level, and the precursor basic block is a basic block on the control level of the precursor basic block. The compensation signature may be an adjustment signature.

Specifically, the static signature may be a natural number or a consecutive prime number or the like sequentially assigned to each basic block, which is incremented from 0. The runtime signature may be a static signature of the current basic block that is stored after the verification is passed and that is used for control flow verification when the current basic block jumps to the next basic block when the program flow runs to the current basic block.

In some cases, a current basic block may correspond to a plurality of different legal precursor basic blocks that may legally jump to the current basic block. When a program stream runs from any legal precursor basic block to the current basic block, the control stream of the current basic block needs to be checked and passed according to the signature information of the corresponding any legal precursor basic block. Because the precursor basic block which jumps to the current basic block cannot be determined in the running process of the program, too much redundancy overhead is easily caused if signature information of all legal precursor basic blocks is added into a control flow checking instruction of the current basic block. Therefore, a precursor basic block can be selected from a plurality of legal precursor basic blocks of the current basic block, and a compensation signature corresponding to each legal precursor basic block is obtained through calculation of the static signature of each legal precursor basic block and the static signature of the precursor basic block so as to bridge the difference between the static signatures of different legal precursor basic blocks. When the program flow runs to the current basic block, the jump correctness of the precursor basic block can be verified by combining the compensation signature of the precursor basic block which jumps to the current basic block through a control flow verification instruction containing the signature information of the precursor basic block.

In some embodiments, the initial value of the compensation signature is 0, and the compensation signature of the precursor basic block may be correspondingly adjusted according to the static signature of the precursor basic block with which it is at the same control level. Illustratively, the static signature of basic block B1 is 1, the static signature of basic block B2 is 2, the static signature of basic block B3 is 3, and the static signature of basic block B4 is 4. The basic block B1, the basic block B2 and the basic block B3 are legal precursor basic blocks of the basic block B4, and the basic block B1 is a precursor reference basic block of the basic block B4, the compensation signature of the basic block B1 is 0. Performing exclusive OR calculation on the static signature of the basic block B2 and the static signature of the basic block B1 to obtain a compensation signature of the basic block B2 as 3; and performing exclusive OR calculation on the static signature of the basic block B3 and the static signature of the basic block B1 to obtain a compensation signature of 2 of the basic block B3.

In some embodiments, a current basic block may only correspond to a precursor basic block that can legally jump to the current basic block, and the precursor basic block is the precursor reference basic block, where the compensation signature of the precursor basic block may be obtained to be 0. In other embodiments, it may be determined from the control flow graph of the program code that the precursor basic block does not have the same subsequent basic block as the other basic blocks, and it may be appreciated that the compensation signature of the precursor basic block may not be used to control flow check the target basic block that it jumps to, so the compensation signature of the precursor basic block may be set to 0 directly.

It should be noted that, a plurality of different precursor basic blocks that can legally jump to the same basic block are at the same control level.

S220, determining the static signature and the signature difference of the current basic block.

The signature difference is determined based on the result of exclusive-or calculation of the static signature of the precursor basic block and the static signature of the current basic block.

Specifically, in the case that a current basic block may correspond to a plurality of different precursor basic blocks that can legally jump to the basic block, a precursor reference basic block may be determined among a plurality of legal precursor basic blocks of the current basic block, so that an exclusive or calculation may be performed on a static signature of the precursor reference basic block and a static signature of the current basic block, to determine a signature difference of the current basic block.

In some embodiments, in the case that a current basic block corresponds to only one precursor basic block that can be legally jumped to the basic block, the precursor basic block is the precursor basic block, and the signature difference of the current basic block can be determined by performing exclusive-or calculation on the static signature of the precursor basic block and the static signature of the current basic block.

S230, if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification.

Illustratively, the static signature of basic block B1 is 1, the static signature of basic block B2 is 2, the static signature of basic block B3 is 3, the static signature of basic block B4 is 4, the static signature of basic block B5 is 5, and the static signature of basic block B6 is 6. The basic block B1 and the basic block B2 are legal precursor basic blocks of the basic block B4, and the basic block B1 is a precursor reference basic block of the basic block B4; basic block B3 and basic block B5 are both legal precursor basic blocks of basic block B6, and basic block B3 is a precursor reference basic block of basic block B6. The calculation shows that the runtime signature of the basic block B1 is 1, and the compensation signature is 0; the run-time signature of the basic block B2 is 2, and the compensation signature is 3; the run-time signature of basic block B3 is 3 and the compensation signature is 0; the run-time signature of basic block B5 is 5 and the offset signature is 6. Performing exclusive OR calculation on the static signature of the basic block B1 and the static signature of the basic block B4 to obtain a signature difference of 5 of the basic block B4; exclusive or calculation is performed on the static signature of the basic block B3 and the static signature of the basic block B6, so that the signature difference of the basic block B6 is 5. When a program stream is run from the basic block B1 to the basic block B4, it is necessary to check whether the basic block B4 is a correct jump target of the basic block B1. And performing exclusive or calculation on the signature difference 5 of the basic block B4, the running time signature 1 of the basic block B1 and the compensation signature 0 of the basic block B1 to obtain a calculation result of 4, wherein the calculation result is equal to the static signature of the basic block B4, and the basic block B4 stores the running time signature of the basic block B4 as 4 through control flow verification, namely the basic block B4 is a correct jump target of the basic block B1.

Illustratively, when a program stream is run from basic block B2 to basic block B4, it is necessary to check whether basic block B4 is the correct jump target of basic block B2. Exclusive or calculation is carried out on the signature difference 5 of the basic block B4, the running time signature 2 of the basic block B2 and the compensation signature 3 of the basic block B2 to obtain a calculation result of 4, and if the calculation result is equal to the static signature of the basic block B4, the basic block B4 stores the running time signature of the basic block B4 as 4 through control flow verification.

Illustratively, when a program stream is run from basic block B3 to basic block B4, it is necessary to check whether basic block B4 is the correct jump target of basic block B3. Exclusive or calculation is carried out on the signature difference 5 of the basic block B4, the running signature 3 of the basic block B3 and the compensation signature 0 of the basic block B3 to obtain a calculation result of 6, and if the calculation result is unequal to the static signature of the basic block B4, the basic block B4 does not pass the control flow verification, namely the basic block B4 is not the correct jump target of the basic block B3, and the exception is directly triggered.

In the above embodiment, for the current basic block having a plurality of legal precursor basic blocks, by selecting one precursor basic block from the plurality of legal precursor basic blocks and adjusting the compensation signature of other legal precursor basic blocks by the signature of the precursor basic block, the calculation and verification are performed by combining the compensation signature of the corresponding precursor basic block when the program flow runs to the current basic block through which legal precursor basic block, so that the current basic block can pass the verification.

In some embodiments, when the number of precursor basic blocks is 1, the precursor basic block is a precursor reference basic block and the compensation signature is 0.

In some embodiments, when the number of precursor basic blocks is greater than 1, the precursor reference basic block is determined based on the static signature of the basic block at the control level at which the precursor basic block is located.

For example, a precursor basic block having a minimum or maximum static signature among precursor basic blocks at the same control level may be determined as a reference basic block at the control level, i.e., a precursor reference basic block.

In some embodiments, if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is not equal to the static signature of the current basic block, the current basic block does not pass the control flow check to trigger an exception.

In some embodiments, before the current basic block passes the control flow verification if the result of the exclusive or calculation of the runtime signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the program flow monitoring method may further include: based on the signature difference and the static signature of the current basic block, a control flow checking instruction is inserted into the head of the current basic block.

Correspondingly, if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification, and may further include: and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

Specifically, the control flow verification signature is designed to include a static signature, a runtime signature, a signature difference and a compensation signature of the basic blocks, so as to record signature information of each basic block and a precursor basic block thereof for the control flow verification, and avoid the basic block from jumping to the head of a non-subsequent basic block. The control flow check instruction for each basic block may include a static signature for each basic block and a signature difference. Further, the runtime signature register is designed to store the runtime signature after the basic block passes the verification, for control flow verification when the basic block jumps to the next basic block; the compensation signature register is designed to store the compensation signature of a basic block for control flow verification when jumping from the basic block to the next basic block.

Illustratively, when a program stream is run from basic block B1 to basic block B2, a control flow check instruction of basic block B2 needs to be executed to check whether basic block B2 is the correct jump target of basic block B1. The control flow checking instruction of B2 includes a static signature of the basic block B2, and a signature difference of the basic block B2 calculated according to the static signatures of the basic block B2 and a precursor basic block (precursor basic block) thereof. At this time, the runtime signature of the basic block B1 is stored in the runtime signature register, and the compensation signature of the basic block B1 is stored in the compensation signature register. Executing a control flow checking instruction of the basic block B2, acquiring a runtime signature of the basic block B1 from a runtime register, acquiring a compensation signature of the basic block B1 from a compensation signature register, acquiring a static signature and a signature difference of the basic block B2 from the control flow checking instruction, performing exclusive OR calculation on the acquired runtime signature, compensation signature and signature difference, and comparing the obtained calculation result with the static signature of the basic block B2. If the calculation result is consistent with the static signature of the basic block B2, the control flow of the basic block B2 passes the verification, and no error occurs in the jump of the basic block B1; if the calculation result is inconsistent with the static signature of the basic block B2, the control flow verification of the basic block B2 is not passed, and the jump forwarding of the basic block B1 generates errors, so that the abnormal alarm can be directly triggered.

In the above embodiment, the correctness of the control flow of the basic block is dynamically verified by dynamically calculating the runtime signature of the basic block and storing the runtime signature of the basic block as a variable or a component (such as a register) in the program running process, so as to ensure the correctness of the program executing process in real time.

In some embodiments, the data stream check instruction is accompanied by a static check signature, which is determined based on CRC signature values of all instructions within the current basic block at the time of compiling the link by the compiler. Referring to fig. 3, determining CRC signature values for all instructions of a current basic block to verify the integrity of a data stream may include the following steps.

S310, calculating CRC signature values of all instructions in the current basic block to obtain a dynamic check signature.

S320, if the dynamic check signature and the static check signature are consistent when the current basic block completes execution, the current basic block passes data stream check.

The dynamic verification signature may be a CRC signature value after all instructions in the current basic block are executed.

Specifically, the data stream verification signature comprises a static verification signature and a dynamic verification signature, so that instruction coding information in each basic block is recorded, and illegal tampering of instructions in the basic block and control stream verification instructions added in the basic block in a compiling stage is avoided. Further, the dynamic check signature register is designed to store dynamic check signatures of all instructions within the basic block at the end of the basic block run for data stream checking at the end of the basic block run.

Illustratively, when instructions within basic block B1 are executed, the control flow check instructions, including the basic block B1 header, may dynamically calculate dynamic check signatures for all instructions within basic block B1 according to a CRC check algorithm or the like, and store in a dynamic check signature register. When the instruction in the basic block B1 is executed, namely, jumping to the next basic block, executing a data stream checking instruction at the tail part of the basic block B1, acquiring dynamic checking signatures of all instructions in the basic block B1 from a dynamic checking signature register, acquiring static checking signatures of all instructions in the basic block B1 from the data stream checking instruction of the basic block B1, comparing the dynamic checking signatures with the static checking signatures, and if the dynamic checking signatures are consistent with the static checking signatures, completing each instruction sequence in the basic block B1; if the two types of the commands are inconsistent, the commands in the basic block B1 are tampered, and abnormal alarm can be directly triggered.

In the above embodiment, the correctness and the integrity of all instruction sequences in the basic block are dynamically verified by dynamically calculating the dynamic verification signatures of all instructions in the basic block and storing the dynamic verification signatures as variables or components (such as registers) in the program running process, so as to further ensure the correctness and the integrity of the program executing process.

In some embodiments, the method of executing the control flow checking instruction within the current basic block to check the correctness of the control flow may further include: if the dynamic check signature and the static check signature are inconsistent when the current basic block completes execution, the current basic block does not pass the data stream check to trigger an exception.

In some implementations, the control flow includes a function control flow including an ingress basic block and an egress basic block. The entry basic block is inserted with a signature information saving instruction in the compiling stage, and the exit basic block is inserted with a signature information recovering instruction in the compiling stage. Referring to fig. 4, the program flow monitoring method may further include the following steps.

S410, executing a signature information saving instruction when a function is called so as to support push operation of a runtime signature and a compensation signature.

S420, executing a signature information recovery instruction when the called function returns to support the bullet stack operation of the saved runtime signature and the compensation signature.

The signature information saving instruction is used for saving the signature information of the basic block in the original function control flow which is jumped to the function control flow through the function call in the entry basic block of the function control flow. The signature information restoring instruction is used for restoring the signature information of the basic blocks in the original function control flow stored by the signature information storing instruction in the outlet basic blocks of the function control flow.

It will be appreciated that a program is made up of several functions, and a function call can be seen as an interruption of the original function control flow, jumping into a special control flow transition of the called function control flow. In order to avoid that the basic blocks in the called function control flow affect the control flow verification process of the basic blocks in the original function control flow for executing the call, the signature information of the basic blocks in the original function control flow for calling the function needs to be stored in the entry basic blocks of the function control flow of the called function, and the stored signature information of the basic blocks in the original function control flow is restored in the exit basic blocks of the function control flow of the called function, so that when the execution of the exit basic blocks in the called function is finished and the original function is returned, the control flow verification of the basic blocks in the original function control flow can be continued.

Specifically, a signature information saving instruction may be inserted into the head of the entry basic block of the function control flow, and a signature information restoring instruction may be inserted into the tail of the exit basic block of the function control flow. Further, a signature stack may be set, so that after the signature information storing instruction is executed, corresponding signature information may be stored by executing a push operation on the signature stack, and after the signature information recovering instruction is executed, corresponding signature information stored by the signature information storing instruction may be recovered by executing a pop operation on the signature stack.

Illustratively, when function FUN2 is called by function FUN1, program flow is run to function FUN2 via function call instructions in function FUN1, and the function control flow of function FUN1 is interrupted. Firstly, executing a signature information storage instruction of an entry basic block of the function FUN2, pushing a run-time signature and a compensation signature of the basic block at a function control flow interrupt of the function FUN1 to a signature stack to store, and secondly, initializing signature values in a current run-time signature register and a compensation signature register to be used for checking a control flow of the basic block in the function control flow of the function FUN 2. When the execution of the function FUN2 ends, the return instruction of the program flow through the function FUN2 returns to the function FUN1, and the function control flow of the function FUN1 needs to be restored. Firstly, executing a signature information recovery instruction of an export basic block of the function FUN2, taking out a running signature and a compensation signature of the basic block at a function control flow interrupt position of the function FUN1 stored in a signature stack through a pop operation, setting a signature value in a current running signature register as the running signature, and setting a signature value in a compensation signature register as the compensation signature so as to be used for recovering a control flow check of the basic block in the function control flow of the function FUN1 after the function FUN2 returns.

In some embodiments, the program flow monitoring method may further include: the compiler parameters of global monitoring are increased to monitor the whole running process of the application.

The compiler parameters may be parameters of a program flow monitoring switch and/or key codes of a program flow monitoring range.

Specifically, parameters of a global monitoring switch and/or a global monitoring keyword code are added in the monitored application program code, so that an extended compiler tool chain with a program flow monitoring function can identify and automatically generate a control flow check instruction and a data flow check instruction, the generated check instruction can be automatically inserted into a basic block of the application program code, and executable codes of instruction sequences in the whole application program code range are finally generated.

In some embodiments, the program flow monitoring method may further include: and adding a program flow detection mark and a compiler parameter at a specified position of the specified function aiming at the specified function in the source code so as to monitor the running process of the specified function.

The program flow detection mark can be a descriptive prefix, and is used for marking functions needing program flow monitoring. For example, for a function specified in application program code that needs to monitor a running process, a descriptive prefix may be added before a function name at the time of function definition, to mark that the function immediately after the function definition needs to perform program flow monitoring.

Further, the functionality of the program flow detection flag may be changed by compiler parameter adjustment. By way of example, the compiler parameter adjustment is used to make the program flow detection mark for marking the function that does not need to be monitored, and the corresponding program flow detection mark can be added in front of the function name when the function is defined in a larger program flow monitoring range containing the specified function, so that the function that is immediately after the function is defined needs to be excluded from the program flow monitoring range.

In some embodiments, the program flow monitoring method may further include: the method comprises the steps that target source codes to be monitored are bracketed in source codes through brackets; and adding guidance sentences at the appointed position of the target source code to monitor the running process of the target source code.

The guidance statement may be a code statement having grammar rules and action rules that can be identified by a compiler, and is used to mark target source codes that need to be monitored by a program flow. For example, for target source codes specified in application program codes and needing to monitor running processes, a bracket pair "{ }" may be used to bracket the target source codes, and guidance sentences are added in front of a left bracket "{ }" to mark that source codes in the bracket pair "{ }" following the guidance sentences need program flow monitoring.

Further, the functionality of the guidance statement may be changed by compiler parameter adjustment. Illustratively, by adjusting parameters of a compiler, a guidance sentence is used for marking target source codes which do not need to be monitored by a program flow, and in a larger program flow monitoring range containing the target source codes, the target source codes can be bracketed by using a bracket pair "{ }", and corresponding guidance sentences are added in front of a left bracket "{" for marking source codes in a bracket pair "{ }" which is immediately behind the marking guidance sentence, so that the source codes need to be removed from the program flow monitoring range.

The embodiment of the specification provides a program code compiling method, program code corresponds to a program control flow diagram, and the program control flow diagram is provided with a plurality of basic blocks. Referring to fig. 5a, the program code compiling method may include the following steps.

S510, inserting a control flow checking instruction into the head part of the basic block and inserting a occupation instruction into the tail part of the basic block in the compiling stage.

The control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block.

S520, in the link stage, the instruction code corresponding to the occupied instruction is replaced by a data stream checking instruction.

The data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when a program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

It should be noted that, for the description of the control flow check instruction and the data flow check instruction in the above embodiment, please refer to the description of the control flow check instruction and the data flow check instruction in the program flow monitoring method in this specification, and details are not repeated here.

Specifically, a compiling tool chain is expanded, a compiler is modified, a basic block is divided into program codes by the compiler, a control flow diagram is constructed, and in the compiling stage of the program codes, on one hand, according to a designed control flow checking process, a corresponding control flow checking instruction is generated by the compiler, and the control flow checking instruction is inserted into an executable instruction sequence of the basic block; on the other hand, the compiler inserts the occupying instruction at the tail part of the basic block, and the occupying instruction is replaced by the data stream checking instruction by the assembler in the link stage of the subsequent program codes. Illustratively, the compiler is modified such that the compiler first creates statements of the control flow check instructions and the placeholder instructions of the data flow check instructions, and secondly inserts the created statements of the control flow check instructions and the placeholder instructions into the statement sequence of the basic block, and then updates the control flow graph. In some embodiments, the insert statement may be executed before the GIMPLE tree is converted to the RTL tree after the compiler divides the program code into basic blocks and builds the control flow graph. Illustratively, reference is made to FIG. 5b, which illustrates a compiler system architecture after modification of the GCC compiler according to the above described embodiments.

Specifically, the assembler is modified, the definition of the corresponding extended instruction is added in the instruction list first, and then the instruction processing function is written, so that the assembler can fill in each domain of the binary machine code of the corresponding instruction according to different instructions. Meanwhile, when the assembler translates the assembled file into binary machine codes, the binary machine codes of all instructions in the basic block are processed by a CRC (cyclic redundancy check) algorithm to obtain static check signatures of the basic block so as to be filled into corresponding domains in the data stream check instructions. In the linking phase of the program code, i.e. after the assembler has translated the assembly file into binary machine code, the placeholder instructions are replaced at the end of the basic block with data stream check instructions containing the signature value.

Illustratively, the signature difference D, the static signature S, and the compensating signature D are based on the current basic block _c The assembly format of the control flow checking instruction is set as CTRRSIG_ M D, S, D _c . Wherein operand D, operand S and operand D _c Are both source operands and are all constants, are pre-calculated by the program code compile time and are placed into the instruction without the need to read the source operands from the general purpose registers. The process of executing control flow verification by the instruction comprises the following steps:

First, the runtime signature of the current basic block is calculated: g _c =G＇⊕op(d)⊕D＇。

Where the op operation represents taking the immediate from the instruction encoding, G 'represents the runtime signature of the precursor basic block held in the runtime signature register, and D' represents the compensation signature of the precursor basic block held in the compensation signature register.

Secondly, checking the run-time signature of the current basic block, triggering an abnormality if G 'is equal to D' and P (S), and writing the instruction into an abnormality reason register; if G 'includes op (D) and D' =op (S), checking to pass, and signing the current basic block runtime signature G _c Saving the compensation signature D of the current basic block in a runtime signature register _c Stored in a compensating signature register, i.e. G' =g _c ＝op(S)，D＇＝op(D _c ) And the control flow check is used for the control flow check when the current basic block jumps to the next basic block. Fig. 5c shows a coding format corresponding to the control flow check instruction.

In some embodiments, when the current basic block has only one legal precursor basic block, the compensation signature of the precursor basic block is 0. It will be appreciated that in this case, the control flow check of the current basic block may not use the compensation signature of the precursor basic block, and thus the assembly format of the control flow check instruction may be set to CTRUSIG_ S D, S, D _c . The process of executing control flow verification by the instruction comprises the following steps:

first, a runtime signature G of a current basic block is calculated _c =G＇⊕op(d)。

Second, check the runtime of the current basic blockSignature, if G' is equal to op (d) and op (S), triggering an abnormality, and writing the instruction into an abnormality reason register; if G' and # -op (d) =op (S), checking to pass, and signing the current basic block runtime signature G _c Saving the compensation signature D of the current basic block in a runtime signature register _c Stored in a compensating signature register, i.e. G' =g _c ＝op(S)，D＇＝op(D _c ) And the control flow check is used for the control flow check when the current basic block jumps to the next basic block. Fig. 5d shows a coding format corresponding to the control flow check instruction.

Illustratively, the assembly format of the data stream check instruction is set to CRCSIG C according to the static check signature C of all instructions in the current basic block. The operand C is a source operand, and is pre-calculated and generated when the assembler generates the target file and put into the instruction, so that the source operand does not need to be read from a general register. The process of executing data flow verification by the instruction comprises the following steps: firstly, calculating dynamic check signature N of all instructions when the current basic block is executed, and storing the dynamic check signature N in a dynamic check signature register. And comparing the dynamic check signature N with the static check signature C in the dynamic check signature register, if the dynamic check signature N is equal to the static check signature C, the instruction sequence in the current basic block is correct and complete, and if the instruction sequence in the current basic block is not equal to the static check signature C, triggering an exception. Fig. 5e shows a coding format corresponding to the data stream verification command.

Further, in some embodiments, referring to fig. 5f, a process diagram of inserting corresponding control flow check instructions and data flow check instructions in basic blocks during program code compiling is shown. The process may include:

in the compiling stage, after analyzing the jump relation in the program code, dividing the basic blocks of the program code and constructing a control flow graph, the compiler may first allocate a corresponding static signature S to each basic block.

And secondly, selecting any one current basic block according to the control flow diagram, and judging whether the current basic block has the same subsequent basic block with other basic blocks in the same control level where the current basic block is located. If it is judged that the current basic block is congested with other basic blocks in the same control level as the current basic blockWith the same subsequent basic block, then the precursor basic block is determined in the corresponding control level and the compensation signature D of the current basic block is calculated _c The method comprises the steps of carrying out a first treatment on the surface of the Otherwise, the compensation signature D of the current basic block _c Set to 0.

Thirdly, judging whether the current basic block has a plurality of legal precursor basic blocks, if yes, inserting a control flow check instruction CTRRSIG_ M D, S, D into the head of the current basic block _c The method comprises the steps of carrying out a first treatment on the surface of the If not, inserting a control flow check instruction CTRRSIG_ S D, S, D into the head of the current basic block _c 。

Then, a space occupying instruction for the data stream checking instruction to occupy space is inserted at the tail part of the current basic block.

The assembly file processed by the compiling stage method comprises a control flow checking instruction and a occupation instruction of a positioning data flow checking instruction. Then, the assembler converts the assembly instructions in the assembly file into binary instruction codes in the target file, and fills each field of the corresponding instruction binary machine codes according to the instruction processing function. The assembler calculates static check signature C of all instructions in each basic block according to the CRC algorithm so as to fill the static check signature C into a corresponding data stream check instruction CRCSIG C, and updates the occupying instructions at the tail of the corresponding basic block one by one. Finally, the linker links the target files together to generate an executable program file with control flow verification instructions and data flow verification instructions.

In the above embodiment, only one control flow checking signature instruction is inserted into each basic block, and only one data flow checking instruction is inserted into the tail, so that the additional overhead caused by the signature instruction is reduced as much as possible while the program flow error monitoring is satisfied, and the code increment of the application program after recompilation can be minimized.

In some implementations, the control flow includes a function control flow including an ingress basic block and an egress basic block. The program code compiling method may further include: in the compiling stage, a signature information saving instruction is inserted into the entry basic block, and a signature information recovering instruction is inserted into the exit basic block.

The signature information saving instruction is used for performing a push operation of signing and adjusting the signature when the function is called, and the signature information recovering instruction is used for performing a pop operation of signing and adjusting the signature before the called function returns.

It should be noted that, for the description of the signature information saving instruction and the signature information recovering instruction in the above embodiment, please refer to the description of the signature information saving instruction and the signature information recovering instruction in the program flow monitoring method in the present specification, and details are not repeated here.

Specifically, the compiler is modified by expanding the compilation tool chain, dividing a basic block of a program code by the compiler and constructing a control flow graph, and in the compilation stage of the program code, a signature information saving instruction and a signature information recovering instruction generated by the compiler are inserted into an executable instruction sequence of an entry basic block of each function, and the signature information recovering instruction is inserted into an executable instruction sequence of an exit basic block of each function.

Illustratively, the compilation format of the signature information retention instruction is set to PUSHSIG. The instruction, when executed, jumps to the runtime signature G of the previous function basic block of the current function entry basic block by a function call instruction _pf Compensating signature D _pf The push signature stack is saved while initializing the runtime signature G in the current runtime signature register and the compensation signature D in the compensation signature register. Fig. 6a shows a coding format corresponding to the signature information storing instruction.

Illustratively, the compilation format of the signature information recovery instruction is set to POPSIG. The instruction executes the runtime signature G of the previous function basic block stored in the signature stack through a pop operation _pf Compensating signature D _pf Fetch and sign G the runtime _pf Save to runtime signature register, store the compensation signature D _pf Saved into compensating signature registers, i.e. g=g _pf ，D＝D _pf . Fig. 6b shows a coding format corresponding to the signature information recovery instruction.

Further, in some embodiments, referring to fig. 6c, a schematic process diagram of inserting a signature information save instruction and a signature information restore instruction into a function during compiling of a program code, and inserting a corresponding control flow check instruction and data flow check instruction into a basic block is shown. After the basic blocks are divided into the program codes and the control flow graph is constructed, the compiler can insert a signature information saving instruction PUSHSIG for the entry basic block of each function and insert a signature information restoring instruction POPSIG for the exit basic block of each function. It should be noted that, for a description of the process of inserting the corresponding control flow check instruction and the data flow check instruction into the basic block shown in fig. 6c, please refer to the description of the process of inserting the corresponding control flow check instruction and the data flow check instruction into the basic block shown in fig. 5f in this specification, and details thereof will not be repeated here.

According to the above embodiments in the present specification, by inserting a save signature instruction in the entry basic block of each function and inserting a restore signature instruction in each exit basic block; only one control flow checking signature instruction is inserted into each basic block, and only one data flow checking instruction is inserted into the tail of each basic block, so that the aim of program flow monitoring can be fulfilled by using the minimum expansion instruction, and the additional expenditure caused by the expansion instruction to the storage and execution of an application program is reduced as much as possible. Meanwhile, each basic block generally contains 6-10 instructions, and the abnormal execution of the instructions can be detected quickly, so that the errors of the instructions are limited in the basic block or the starting position of the next basic block. Further, in the compiling method in the embodiment of the present disclosure, some expansion instructions for program flow monitoring are newly added to the text section of the program file, and the size increase ratio of the compiled whole executable target file is generally within 10%, so that the running effect of the application program is less.

The embodiment of the specification provides a processor, which is used for executing a program flow, wherein the program flow corresponds to a control flow and a data flow; the control stream comprises a number of basic blocks. Referring to fig. 7, a processor 700 may include an extended decode circuit 710 at a decode pipeline stage, a control stream check circuit 720 at a write-back pipeline stage, and a data stream check circuit 730.

An extension decoding circuit 710 for decoding the control flow check instruction and the data flow check instruction; the control flow checking instruction is inserted into the head of the basic block in the compiling stage, and the data flow checking instruction is inserted by replacing the occupying instruction inserted into the tail of the basic block in the compiling stage in the linking stage.

And a control flow checking circuit 720 for executing a control flow checking instruction in the current basic block to check the correctness of the control flow in case that the program flow is run to the current basic block. And a data stream checking circuit 730 for determining CRC signature values of all instructions of the current basic block to check the integrity of the data stream in case that the current basic block is run to the data stream checking instruction.

It will be appreciated that the instruction pipeline on processor 700 may include a fetch-decode-execute-memory-write-back pipeline stage, a decode pipeline stage, an instruction execution pipeline stage, a memory-memory pipeline stage, and a write-back pipeline stage, according to the five-stage instruction execution process of fetch-decode-execute-memory-write-back.

In particular, the extension decode circuitry 710 may be used to add decode logic to an extended instruction at the instruction decode functional unit. The decode logic may identify instruction types based on values of instruction opcode bit fields of the extended instruction to generate corresponding control signals based on the identified different instruction types and pass the control signals down pipeline inter-stage registers between instruction pipelines, the control signals being used to control operation type selection, operand selection, result selection, etc. of each stage of pipeline. Illustratively, the extended decoding circuit 710 needs to generate at least the control signals as shown in table 1 for the control flow check instruction, the data flow check instruction, the signature information save instruction, and the signature information restore instruction.

TABLE 1

Wherein the basic block start signal may be used to indicate the start position of the basic block, which may be passed through the instruction pipeline to the data stream verification circuit 730. The intermediate signature may include a runtime signature that is required to be calculated during the control flow verification process and/or a compensation signature that is obtained by taking the immediate from the instruction code.

Illustratively, the control flow verification circuitry 720 may include intermediate signature computation circuitry and intermediate signature comparison circuitry. The intermediate signature computation circuit, the intermediate signature comparison circuit, the runtime signature register regG, and the compensation signature register regD may be provided at the write-back pipeline level of the instruction pipeline, corresponding to the CTRLSIG instruction of the control flow check. The intermediate signature computation circuit may compute the intermediate signature of the current basic block according to the signature operation rules of the control flow verification described above, based on control signals generated by the extension decode circuit 710 and passed along the instruction pipeline to the write back stage. The intermediate signature comparison circuit can compare the intermediate signature generated by the intermediate signature calculation circuit with operands in the instruction according to the semantics of the CTRRSIG instruction, if the comparison result is consistent, the runtime signature calculated in the intermediate signature is stored in the runtime signature register regG, and the compensation signature obtained by taking the immediate number is stored in the compensation signature register regD; if the comparison result is inconsistent, generating an instruction exception indication signal, and performing subsequent exception processing by an exception processing circuit.

Illustratively, the data stream verification circuitry 730 may include dynamic verification signature value calculation circuitry and verification signature value comparison circuitry. Corresponding to the CRCSIG instruction of data flow verification, a dynamic verification signature value calculation circuit, a verification signature value comparison circuit and a dynamic verification signature value register regN can be arranged at a write-back flow stage of an instruction pipeline. The check signature value comparison circuit can receive the instruction currently being executed and the instruction code width indication signal, if the instruction is 16 bits wide, 16 0 s can be filled in the high order of the instruction code to form a 32-bit instruction code, and the 32-bit instruction code is put into the dynamic check signature value calculation circuit; if the instruction is 32 bits wide, then the 32 bits instruction code is placed into the dynamic check signature value calculation circuit without additional padding of 0's. The dynamic check signature value calculating circuit dynamically calculates a check signature value for the placed instruction, and the adopted algorithm can be other check algorithms of a CRC check algorithm. When the currently executed instruction is not a CRCSIG instruction, storing the result of the dynamic verification signature value calculation circuit into a dynamic verification signature value register regN; when the current instruction is a CRCSIG instruction, comparing the result of the dynamic verification signature value calculation circuit with operands in the CRCSIG instruction, if the result is consistent, executing the instruction normally, and if the result is inconsistent, generating an instruction exception signal, and carrying out subsequent exception processing by an exception processing circuit.

Further, since the CRCSIG instruction performs a check on the instruction in each basic block, when a new basic block starts to execute, it is necessary to restart to calculate the dynamic check signature value in the basic block. In some embodiments, the current basic block start signal generated by decoding the CTRLSIG instruction by the extended decoding circuit 710 may be used to remove the value of the dynamic check signature value register regN to save the calculated dynamic check signature value of the instruction in the current basic block, so that the data stream check of the previous basic block will not affect the data stream check of the current basic block.

In some embodiments, an instruction exception signal will be generated if a comparison by either control flow verification circuitry 720 or data flow verification circuitry 730 finds that the corresponding signatures are inconsistent. To handle these instruction exception signals, an exception collection and recording circuit may be provided to enable the instruction exception signal to be sent to the exception collection and recording circuit after it has been generated. The circuit can collect the abnormal information in the instruction abnormal signals such as control flow checking abnormality, data flow checking abnormality and the like, and generates a final instruction abnormal instruction after being combined with the original abnormal processing circuit of the instruction pipeline. The processing of exceptions by the instruction pipeline is well known in the art, and detailed descriptions thereof are omitted herein.

In the embodiment, the 0 filling operation is performed on the instruction codes with different lengths in the data stream verification circuit, so that the instruction codes for calculating the dynamic verification signature value are unified into 32 bits, the complexity of the data stream verification circuit is simplified, and meanwhile, the requirement of calculating the verification value on the instruction codes with different lengths can be met.

In some implementations, the basic blocks are assigned static signatures; the plurality of basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block. Referring to fig. 8a, the processor 700 may be provided with a runtime signature register 810, a compensation signature register 820.

The runtime signature register 810 stores the runtime signature of the precursor basic block and the compensation signature register 820 stores the compensation signature of the precursor basic block. The compensation signature is determined based on an exclusive OR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is at the same control level as the precursor basic block, which can be understood as a basic block at the control level where the precursor basic block is located.

The control flow verification circuit 720 is further configured to determine a static signature and a signature difference of the current basic block, and if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification. The signature difference is determined based on the result of exclusive-or calculation of the static signature of the precursor basic block and the static signature of the current basic block.

Illustratively, referring to FIG. 8b, the control flow verification circuitry 720 may be coupled to the runtime signature register 810 and the compensation signature register 820, and the control flow verification circuitry 720 may further include an intermediate signature computation circuit 830 and an intermediate signature comparison circuit 840. When executing instruction CTRRSIG_ M D, S, D _c In this case, the intermediate signature computation circuit 830 may compute the runtime signature G of the current basic block according to the signature operation rule of the control flow verification described above based on the control signals generated by the extended decode circuit 710 and passed along the instruction pipeline to the write-back stage _c =g '# -op (D) # -D', where op operation represents taking the immediate from the instruction code, G 'represents the run-time signature of the precursor basic block taken from the current run-time signature register 810, and D' represents the compensation signature of the precursor basic block taken from the current compensation signature register 820. Intermediate signaturesThe comparison circuit 840 will calculate the generated runtime signature G _c According to the semantics of the CTRUSIG_M instruction, the data is compared with operands in the instruction, namely whether G 'is consistent with op (D) and whether D' is consistent with op (S), and if the comparison result is consistent, the runtime signature G of the current basic block is obtained _c The current basic block compensation signature op (D) obtained by taking the immediate is stored in the run-time signature register 810, and the compensation signature register 820.

In some implementations, the control flow includes a function control flow including an ingress basic block and an egress basic block; the entry basic block is inserted with a signature information saving instruction in the compiling stage, and the exit basic block is inserted with a signature information recovering instruction in the compiling stage. Referring to fig. 9a, the processor 700 may be provided with a signature stack 910. The signature stack 910 is configured to execute a signature information saving instruction when a function is called, and support a push operation of a run-time signature and a compensation signature; and executing a signature information recovery instruction when the called function returns, and supporting the spring stack operation of the stored runtime signature and the compensation signature.

Illustratively, referring to FIG. 9b, a signature stack 910 may be coupled to the control flow verification circuitry 720. In some embodiments, signature stack 910 may be implemented by providing dedicated hardware storage circuitry and managing this storage circuitry in a stack manner. When the PUSHSIG instruction is executed, the runtime signature G and the compensation signature D of the current basic block are stored in a stack top register of the signature stack 910; when the POPSIG instruction is executed, the runtime signature G and the compensation signature D are read from the top register of the current signature stack 910 and stored in the runtime signature register 810 and the compensation signature register 820, respectively. The signature stack 910 is implemented by setting a dedicated hardware memory circuit, which has the advantage that no software needs to be set for additional circuit control; the disadvantage is that, because there is a limit to the capacity of the dedicated hardware circuit, and in order to save the hardware circuit, the area of the circuit is usually smaller, and when the program is executed, if the signature information required to push the stack exceeds the capacity of the dedicated hardware circuit, the problem of stack overflow will occur, and the exception handling of stack overflow needs to be performed additionally.

In other embodiments, signature stack 910 may be implemented by software setting up a portion of the space in system memory for storage of signature information, with associated configuration information to be stored in software accessible configuration registers, such as a start address configuration register of signature stack 910, a capacity configuration register of signature stack 910, a register pointing to the top of stack of signature stack 910, etc. When the PUSHSIG instruction is executed, writing a runtime signature G and a compensation signature D of the current basic block into a system memory according to the value of a register currently pointing to the stack top of the signature stack 910; when executing the pop instruction, the runtime signature G and the compensation signature D are read from system memory based on the value of the register currently pointing to the top of the signature stack 910 and stored in the runtime signature register 810 and the compensation signature register 820, respectively. The signature stack 910 is realized through software setting, which has the advantage that the characteristic of large capacity of a system memory can be fully utilized to store more signature information; the disadvantage is that the signature stack 910 needs to be pre-configured in software.

In some embodiments, the data stream check instruction is accompanied by a static check signature, which is determined based on CRC signature values of all instructions within the current basic block at the time of compiling the link by the compiler. Referring to fig. 10a, the processor 700 may be provided with a CRC intermediate value register 1010.CRC intermediate value register 1010 is used to store an intermediate CRC signature generated when the current basic block is run to the current instruction. The data stream checking circuit 730 is further configured to calculate CRC signature values of all instructions in the current basic block, to obtain a dynamic check signature; and if the dynamic check signature and the static check signature are consistent when the current basic block completes execution, checking the current basic block through the data stream.

Specifically, when the current basic block is run to the current instruction, a dynamic check signature value for execution of the instruction may be calculated and stored as an intermediate CRC signature in CRC intermediate value register 1010. After execution of all instructions in the current basic block is completed, the dynamic check signature values of all instructions within the current basic block may be included in CRC intermediate value register 1010.

Illustratively, referring to FIG. 10b, a data stream verification circuit 730 may be coupled to the CRC intermediate value register 1010, and the data stream verification circuit 730 may further include a dynamic verification signature calculation circuit 1020 and a verification signature comparison circuit 1030. When an instruction in the basic block is executed, the check signature value comparison circuit 1030 may accept the instruction currently being executed and the instruction code width indication signal, put into the dynamic check signature value calculation circuit 1020, and the dynamic check signature value calculation circuit 1020 dynamically calculates a CRC signature value for the put instruction. When the currently executed instruction is not a CRCSIG instruction, storing the CRC signature value calculated by the dynamic check signature value calculation circuit 1020 in the CRC intermediate value register 1010; when the current instruction is a CRCSIG instruction, the CRC signature value calculated by dynamic check signature value calculation circuit 1020 is compared with operands in the CRCSIG instruction, and if consistent, the instruction execution is normal.

In some cases, in order to avoid that in the debugging process, a soft power-off instruction and other debugging instructions issued by an upper computer are wrongly regarded as internal instructions of a basic block to be used for calculating a dynamic verification signature value of the internal instructions of the basic block, so that a data stream verification result of the basic block is interfered, a shielding mechanism of the debugging instructions issued by the upper computer can be set, so that the debugging instructions issued by the upper computer cannot participate in the data stream verification process of the basic block, and therefore, a program added with an expansion instruction in the specification can support various debugging actions without affecting the data stream verification.

The embodiment of the specification provides a program flow monitoring device, wherein a program flow corresponds to a control flow and a data flow; the control flow comprises a plurality of basic blocks; the basic block head is inserted with control flow check instructions at the compiling stage, and the basic block tail is inserted with data flow check instructions at the linking stage. The data stream checking instruction is inserted by replacing the occupying instruction inserted into the tail part of the basic block in the compiling stage in the linking stage. Referring to fig. 11a, the program flow monitoring apparatus 1100 includes: a control flow verification module 1110 and a data flow verification module 1120.

And a control flow checking module 1110, configured to execute a control flow checking instruction in the current basic block to check the correctness of the control flow in case that the program flow runs into the current basic block.

The data stream verification module 1120 is configured to determine CRC signature values of all instructions of the current basic block to verify the integrity of the data stream in case that the current basic block is run to the data stream verification instruction.

In some implementations, the basic blocks are assigned static signatures; the plurality of basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block. The control flow verification module 1110 is further configured to obtain a compensation signature of the precursor basic block and a runtime signature of the precursor basic block; the compensation signature is determined based on an exclusive OR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located; determining a static signature and a signature difference of the current basic block; the signature difference is determined based on the result of exclusive OR calculation between the static signature of the precursor basic block and the static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, checking the current basic block through the control flow.

In some embodiments, the control flow verification module 1110 is further configured to insert a control flow verification instruction into the header of the current basic block based on the signature difference and the static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

In some embodiments, the data stream check instruction is accompanied by a static check signature, which is determined based on CRC signature values of all instructions within the current basic block at the time of compiling the link by the compiler. The data flow checking module 1120 is further configured to calculate CRC signature values of all instructions in the current basic block, to obtain a dynamic check signature; and if the dynamic check signature and the static check signature are consistent when the current basic block completes execution, checking the current basic block through the data stream.

In some implementations, the control flow includes a function control flow including an ingress basic block and an egress basic block; the entry basic block is inserted with a signature information saving instruction in the compiling stage, and the exit basic block is inserted with a signature information recovering instruction in the compiling stage. Referring to fig. 11b, the program flow monitoring apparatus 1100 may further include: signature push module 1130, signature pop module 1140.

The signature stacking module 1130 is configured to execute a signature information saving instruction when a function is called, so as to support stacking operations of a runtime signature and a compensation signature.

The signature pop module 1140 is configured to execute a signature information recovery instruction when the called function returns, so as to support a saved runtime signature and a pop operation for compensating the signature.

The embodiment of the specification provides a program code compiling device, program code corresponds to a program control flow diagram, and the program control flow diagram is provided with a plurality of basic blocks. Referring to fig. 12a, the program code compiling apparatus 1200 includes: a first instruction insertion module 1210, a placeholder instruction replacement module 1220.

The first instruction insertion module 1210 is configured to insert a control flow check instruction at the head of the basic block and insert a stub instruction at the tail of the basic block during the compiling stage. The control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block.

The occupying instruction replacing module 1220 is configured to replace an instruction code corresponding to the occupying instruction with a data stream checking instruction in the linking stage. The data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when a program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

In some implementations, the control flow includes a function control flow including an ingress basic block and an egress basic block. Referring to fig. 12b, the program code compiling apparatus 1200 may further include: the second instruction insertion module 1230.

A second instruction insertion module 1230, configured to insert a signature information saving instruction into the entry basic block and insert a signature information recovery instruction into the exit basic block during the compiling stage; the signature information saving instruction is used for performing a push operation of signing and adjusting the signature when the function is called, and the signature information recovering instruction is used for performing a pop operation of signing and adjusting the signature before the called function returns.

The specific limitations regarding the program flow monitoring apparatus and the program code compiling apparatus may be referred to as the limitations regarding the program flow monitoring method and the program code compiling method hereinabove, and are not repeated here. The respective modules in the program flow monitoring device and the program code compiling device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.

The present description further provides a computer device, and referring to fig. 13, the computer device 1300 includes a memory 1310 and a processor 1320, where the memory 1310 stores a computer program 1330, and the processor 1320 implements the steps of the program flow monitoring method and/or the program code compiling method according to any of the foregoing embodiments when executing the computer program 1330.

The present specification further provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the program flow monitoring method and/or the program code compiling method of any preceding embodiment.

According to the embodiments of the present disclosure, by using the program flow monitoring method based on the combination of software and hardware of the extended instruction, full-automatic program flow monitoring can be implemented without additional modification to the user program, and the monitoring delay does not exceed the instruction number of a basic block, so that the delay is very low, and the abnormal situation that the subsequent instruction continues to execute after the instruction execution is abnormal is avoided.

It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, for example, may be considered as a ordered listing of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.

It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.

In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.

In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; either directly or indirectly, through intermediaries, or both, may be in communication with each other or in interaction with each other, unless expressly defined otherwise. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.

While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (27)

1. A program flow monitoring method is characterized in that a control flow and a data flow are corresponding to the program flow; the control flow comprises a plurality of basic blocks; the head part of the basic block is inserted with a control flow checking instruction in a compiling stage, and the tail part of the basic block is inserted with a data flow checking instruction in a linking stage; wherein the data stream checking instruction is inserted by replacing a occupying instruction inserted into the tail of the basic block in the compiling stage in the linking stage; the method comprises the following steps:

executing the control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block;

in the case that the current basic block is running to the data stream check instruction, CRC signature values of all instructions of the current basic block are determined to check the integrity of the data stream.

2. The method of claim 1, wherein the basic block is assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block; the executing the control flow checking instruction in the current basic block to check the correctness of the control flow includes:

Acquiring a compensation signature of the precursor basic block and a runtime signature of the precursor basic block; wherein the compensation signature is determined based on an exclusive or calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located;

determining a static signature and a signature difference of the current basic block; the signature difference is determined based on the result of exclusive OR calculation of the static signature of the precursor basic block and the static signature of the current basic block;

and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification.

3. The method of claim 2, wherein when the number of precursor basic blocks is 1, the precursor basic block is the precursor reference basic block, and the compensation signature is 0.

4. The method of claim 2, wherein the precursor basic block is determined based on a static signature of a basic block at a control level at which the precursor basic block is located when the number of precursor basic blocks is greater than 1.

5. The method according to claim 2, wherein the method further comprises:

and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is not equal to the static signature of the current basic block, the current basic block does not pass the control flow verification so as to trigger the exception.

6. The method of claim 2, wherein before the current basic block passes control flow verification if the exclusive-or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensated signature of the precursor basic block is equal to the static signature of the current basic block, the method further comprises:

based on the signature difference and the static signature of the current basic block, a control flow checking instruction is inserted into the head of the current basic block;

and if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, checking the current basic block through a control flow, wherein the checking comprises the following steps:

And if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

7. The method of claim 1, wherein the data stream check instruction is accompanied by a static check signature, the static check signature being determined based on CRC signature values of all instructions within the current basic block at the time of compiling the link by a compiler; said determining CRC signature values for all instructions of said current basic block to verify the integrity of said data stream, comprising:

calculating CRC signature values of all instructions in the current basic block to obtain a dynamic check signature;

and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

8. The method of claim 7, wherein the method further comprises:

and if the dynamic check signature of the current basic block after the execution is completed is inconsistent with the static check signature, the current basic block does not pass through data flow check to trigger exception.

9. The method of claim 2, wherein the control flow comprises a function control flow comprising an ingress basic block and an egress basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the method further comprises the steps of:

executing the signature information storage instruction when the function is called so as to support the push operation of the runtime signature and the compensation signature;

and executing the signature information recovery instruction when the called function returns to support the spring stack operation of the saved runtime signature and the compensation signature.

10. The method according to claim 1, wherein the method further comprises:

the compiler parameters of global monitoring are increased to monitor the whole running process of the application.

11. The method according to claim 1, wherein the method further comprises:

and adding a program flow detection mark and a compiler parameter at a specified position of a specified function aiming at the specified function in the source code so as to monitor the running process of the specified function.

12. The method according to claim 1, wherein the method further comprises:

The method comprises the steps that target source codes to be monitored are bracketed in source codes through brackets;

and adding guidance sentences at the appointed position of the target source code to monitor the running process of the target source code.

13. A program code compiling method, characterized in that the program code corresponds to a program control flow graph, and the program control flow graph is provided with a plurality of basic blocks; the method comprises the following steps:

in the compiling stage, inserting a control flow checking instruction into the head part of the basic block, and inserting a occupying instruction into the tail part of the basic block; the control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block;

in the link stage, the instruction code corresponding to the occupying instruction is replaced by a data stream checking instruction; and the data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when the program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

14. The method of claim 13, wherein the control flow comprises a function control flow comprising an ingress basic block and an egress basic block; the method further comprises the steps of:

In the compiling stage, inserting a signature information storage instruction into the entry basic block, and inserting a signature information recovery instruction into the exit basic block; the signature information saving instruction is used for runtime signature and push operation for adjusting the signature when the function is called, and the signature information recovering instruction is used for runtime signature and pop operation for adjusting the signature before the called function returns.

15. A processor, wherein the processor is configured to execute a program stream, the program stream corresponding to a control stream and a data stream; the control flow comprises a plurality of basic blocks; the processor comprises an expansion decoding circuit positioned at a decoding pipeline stage, a control flow checking circuit positioned at a writing back pipeline stage and a data flow checking circuit;

the expansion decoding circuit is used for decoding the control flow checking instruction and the data flow checking instruction; the control flow checking instruction is inserted into the head part of the basic block in the compiling stage, and the data flow checking instruction is inserted by replacing the occupation instruction inserted into the tail part of the basic block in the compiling stage in the linking stage;

the control flow checking circuit is used for executing a control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block;

The data stream checking circuit is used for determining CRC signature values of all instructions of the current basic block to check the integrity of the data stream under the condition that the current basic block runs to the data stream checking instructions.

16. The processor of claim 15, the basic block assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block; the processor is provided with a run-time signature register and a compensation signature register;

the runtime signature register stores runtime signatures of the precursor basic blocks, and the compensation signature register stores compensation signatures of the precursor basic blocks; the compensation signature is determined based on an exclusive OR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located;

the control flow verification circuit is further configured to determine a static signature and a signature difference of the current basic block, and if the exclusive or calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block, and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification; the signature difference is determined based on the result of exclusive-or calculation of the static signature of the precursor basic block and the static signature of the current basic block.

17. The processor of claim 16, the control flow comprising a function control flow comprising an ingress basic block and an egress basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the processor is provided with a signature stack;

the signature stack is used for executing the signature information storage instruction when the function is called, and supporting the push operation of the signature and the compensation signature during operation; and executing the signature information recovery instruction when the called function returns, and supporting the spring stack operation of the stored runtime signature and the compensation signature.

18. The processor of claim 15, the data stream check instruction having appended thereto a static check signature determined based on CRC signature values of all instructions within the current basic block at compile-time of a link by a compiler; the processor is provided with a CRC intermediate value register; the CRC intermediate value register is used for storing an intermediate CRC signature value generated when the current basic block runs to a current instruction;

the data stream checking circuit is also used for calculating CRC signature values of all instructions in the current basic block to obtain dynamic checking signatures; and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

19. A program flow monitoring device, characterized in that the program flow corresponds to a control flow and a data flow; the control flow comprises a plurality of basic blocks; the head part of the basic block is inserted with a control flow checking instruction in a compiling stage, and the tail part of the basic block is inserted with a data flow checking instruction in a linking stage; wherein the data stream checking instruction is inserted by replacing a occupying instruction inserted into the tail of the basic block in the compiling stage in the linking stage; the device comprises:

the control flow checking module is used for executing the control flow checking instruction in the current basic block to check the correctness of the control flow under the condition that the program flow runs to the current basic block;

and the data stream checking module is used for determining CRC signature values of all instructions of the current basic block so as to check the integrity of the data stream under the condition that the current basic block runs to the data stream checking instructions.

20. The apparatus of claim 19, wherein the basic block is assigned a static signature; the basic blocks comprise a current basic block and a precursor basic block which jumps to the current basic block;

The control flow verification module is further used for acquiring a compensation signature of the precursor basic block and a runtime signature of the precursor basic block; wherein the compensation signature is determined based on an exclusive or calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor basic block is a basic block on a control level where the precursor basic block is located; determining a static signature and a signature difference of the current basic block; the signature difference is determined based on the result of exclusive OR calculation of the static signature of the precursor basic block and the static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference of the current basic block and the compensation signature of the precursor basic block is equal to the static signature of the current basic block, the current basic block passes the control flow verification.

21. The apparatus of claim 20, wherein the control flow verification module is further configured to insert a control flow verification instruction at a header of the current basic block based on the signature difference and a static signature of the current basic block; and if the exclusive OR calculation result of the run-time signature of the precursor basic block, the signature difference attached to the control flow verification instruction and the compensation signature of the precursor basic block is equal to the static signature attached to the control flow verification instruction, the current basic block passes the control flow verification.

22. The apparatus of claim 19, wherein the data stream check instruction is accompanied by a static check signature, the static check signature being determined based on CRC signature values of all instructions within the current basic block at the time of compiling the link by a compiler;

the data flow checking module is also used for calculating CRC signature values of all instructions in the current basic block to obtain dynamic checking signatures; and if the dynamic verification signature of the current basic block after the execution is completed is consistent with the static verification signature, the current basic block passes through data stream verification.

23. The apparatus of claim 19, wherein the control flow comprises a function control flow comprising an ingress basic block and an egress basic block; the entry basic block is inserted with a signature information storage instruction in a compiling stage, and the exit basic block is inserted with a signature information recovery instruction in the compiling stage; the apparatus further comprises:

the signature stack pushing module is used for executing the signature information storage instruction when the function is called so as to support the stack pushing operation of the runtime signature and the compensation signature;

and the signature pop module is used for executing the signature information recovery instruction when the called function returns so as to support the pop operation of the saved runtime signature and the compensation signature.

24. A program code compiling device, characterized in that the program code corresponds to a program control flow graph, and the program control flow graph is provided with a plurality of basic blocks; the device comprises:

the first instruction insertion module is used for inserting a control flow checking instruction into the head part of the basic block and inserting a occupation instruction into the tail part of the basic block in the compiling stage; the control flow checking instruction is used for checking the correctness of the control flow when the program flow corresponding to the program code runs to any basic block;

the system comprises a space occupying instruction replacing module, a data stream checking module and a data stream checking module, wherein the space occupying instruction replacing module is used for replacing an instruction code corresponding to the space occupying instruction into a data stream checking instruction in a link stage; and the data stream checking instruction is used for determining CRC signature values of all instructions of any basic block when the program stream corresponding to the program code runs to the data stream checking instruction of any basic block so as to check the integrity of the data stream.

25. The apparatus of claim 24, wherein the control flow comprises a function control flow comprising an ingress basic block and an egress basic block; the apparatus further comprises:

the second instruction insertion module is used for inserting a signature information storage instruction into the entry basic block and inserting a signature information recovery instruction into the exit basic block in the compiling stage; the signature information saving instruction is used for runtime signature and push operation for adjusting the signature when the function is called, and the signature information recovering instruction is used for runtime signature and pop operation for adjusting the signature before the called function returns.

26. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 14 when the computer program is executed.

27. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 14.