JP2012032947A - Support method, apparatus and program of detecting context violation - Google Patents

Abstract

PROBLEM TO BE SOLVED: To appropriately support a detection of contextually inappropriate calling in methods in a library.SOLUTION: A computer executes: a rule analyzing procedure reading and analyzing contextual rule information related to a set of methods, stored in storage means; a history storage program generating procedure, upon detection of an execution of a method related to the rule information by a program using the set of methods, generating a history record program which records the history of the execution; and a rule verification program generating procedure collating the history with the rule information and generating a verification program for determining whether or not the use of the method by the program satisfies the rule information.

Description

  The present invention relates to a context violation detection support method, a context violation detection support device, and a context violation detection support program, and more particularly to a context violation detection support method, a context violation detection support device, and a context that support detection of inappropriate use of a library. It relates to a violation detection support program.

  In recent years, program componentization has progressed, and improvement of program development efficiency has been attempted by using an existing library in which these componentized programs are collected as files. Some libraries have clear rules (or constraints) regarding the context of the function or method involved (eg, call order, etc.). If such a rule is not followed, a situation may occur in which the original functions of the library cannot be obtained effectively. Here, the method represents an operation or procedure for each object or the like that each object has in object-oriented programming or aspect-oriented programming.

  A prominent example is a security-related library (hereinafter referred to as “security library”) for performing encrypted communication or the like. When the security library is used, for example, if inappropriate initialization is performed or initialization is not performed, a situation may occur in which the safety expected to be originally expected cannot be ensured.

  Whether or not the library is used correctly depends largely on the programmer's knowledge or experience. That is, in a program created by a programmer with insufficient knowledge or lack of experience, there is a high possibility that the library is not used correctly.

JP 2006-236336 A

  Even programs created without following the library's contextual rules may appear to be working correctly. However, the security library is very dangerous because the original safety is not ensured. However, violations of such rules are very difficult to detect in normal tests to detect program bugs.

  On the other hand, it is unrealistic for an experienced programmer to examine every source code one by one, requiring a lot of man-hours.

  The present invention has been made in view of the above points, and provides a context violation detection support method, a context violation detection support device, which can appropriately support the detection of a context-inappropriate call for a method in a library, And provide a context violation detection support program.

  Therefore, in order to solve the above problem, the context violation detection support method includes a rule analysis procedure for reading out and analyzing the rule information on the context related to a set of methods stored in the storage unit from the storage unit, and the method set. A history storage program generation procedure for generating a history recording program for recording a history of the execution in response to detection of execution of the method related to the rule information by a program to be used, and checking the history against the rule information, A computer executes a rule verification program generation procedure for generating a verification program for determining whether use of the method by the program satisfies the rule information.

  Appropriate support can be provided for detecting contextually inappropriate calls for methods in a library.

It is a figure which shows the hardware structural example of the context violation detection assistance apparatus in embodiment of this invention. It is a figure which shows the function structural example of the context violation detection assistance apparatus in embodiment of this invention. It is a figure which shows the example of the rule element which comprises a rule description. It is a figure which shows the example of the operator who comprises a rule description. It is a flowchart for demonstrating an example of the process sequence which a rule analysis part performs. It is a figure which shows an example of a 1st rule description. It is a figure which shows an example of the 1st rule description by an XML format. It is a figure which shows the example of a 1st rule element list. It is a flowchart for demonstrating an example of the process sequence which a program production | generation part performs. It is a figure which shows an example of an aspect model. It is a figure which shows notionally an example of the data structure for managing the call history of a library in this Embodiment. It is a figure which shows the specific example of a 1st aspect code. It is a flowchart for demonstrating an example of the process sequence of the history recording program production | generation process regarding a Before rule element. It is a figure which shows an example of a pointcut definition model. It is a figure which shows the 1st specific example of the pointcut definition in a log | history recording program. It is a figure which shows an example of a before advice definition model. It is a figure which shows an example of a log | history recording model. It is a figure which shows the 1st example of a concrete before advice definition. It is a figure which shows the 2nd specific example of the pointcut definition in a log | history recording program. It is a figure which shows an example of an after advice definition model. It is a figure which shows the 1st example of a concrete after advice definition. It is a figure which shows the 3rd specific example of the pointcut definition in a log | history recording program. It is a figure which shows an example of a log | history reference model. It is a figure which shows the 2nd example of a concrete after advice definition. It is a flowchart for demonstrating an example of the process sequence of a rule verification program production | generation process. It is a figure which shows the specific example of the pointcut definition in a rule verification program. It is a figure which shows an example of a rule evaluation model. It is a figure which shows the specific example of the after advice definition in a rule verification program. It is a figure which shows the specific example of the aspect code of the log | history recording program produced | generated regarding the 1st rule description of this Embodiment, and a rule verification program. It is a figure which shows the specific example of the aspect code of the log | history recording program produced | generated regarding the 1st rule description of this Embodiment, and a rule verification program. It is a figure which shows an example of a 2nd rule description. It is a figure which shows the example of a 2nd rule element list. It is a figure which shows the specific example of the aspect code of the log | history recording program produced | generated regarding the 2nd rule description of this Embodiment, and a rule verification program. It is a figure which shows the specific example of the aspect code of the log | history recording program produced | generated regarding the 2nd rule description of this Embodiment, and a rule verification program. It is a flowchart for demonstrating an example of the process sequence of the history recording program production | generation process regarding an After rule element. It is a flowchart for demonstrating an example of the process sequence of the history recording program production | generation process regarding a Call rule element.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating a hardware configuration example of a context violation detection support apparatus according to an embodiment of the present invention. The context violation detection support apparatus 10 in FIG. 1 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, a display device 106, and And an input device 107.

  A program that realizes processing in the context violation detection support apparatus 10 is provided by a recording medium 101 such as a CD-ROM. When the recording medium 101 on which the program is recorded is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 realizes functions related to the context violation detection support apparatus 10 according to a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network. The display device 106 displays a GUI (Graphical User Interface) or the like by a program. The input device 107 is a keyboard, a mouse, or the like, and is used for inputting various operation instructions.

  FIG. 2 is a diagram illustrating a functional configuration example of the context violation detection support apparatus according to the embodiment of the present invention. In the figure, the context violation detection support apparatus 10 includes a rule description storage unit 11, a rule analysis unit 12, a program generation unit 13, a template data storage unit 14, and the like. Each of these units is realized by processing executed by the CPU 104 by a program installed in the context violation detection support apparatus 10.

  The context violation detection support apparatus 10 uses, for example, rules (rules) or restrictions on the context of the library in an application developed using a certain library (hereinafter, unified by “rule”). Help detect violations against A contextual rule is a rule regarding whether or not a function or method included in a library is called, and the context (call order) of the call.

  For example, the rule description storage unit 11 stores a rule description using the auxiliary storage device 102 for a library used by an application. The rule description refers to text data in which contextual rules relating to library use are described in a predetermined format or grammar. In the present embodiment, the rule description is described in an expression format in which rule elements are connected by an operator. A rule element refers to the minimum element of a rule. That is, one rule description can be established even with a single rule element. An operator refers to a symbol indicating a logical relationship between rule elements.

  FIG. 3 is a diagram illustrating an example of rule elements constituting the rule description. The figure shows four rule elements and a description format in the rule description of each rule element. In the figure, lower case alphabets (a to j) indicate functions or methods (hereinafter, referred to as “methods”) included in the library.

  The first is a rule element indicating that the a method is an essential condition before the execution of the b method in the c method. That is, in the c method, when the b method is executed, the rule element indicates that the a method must be executed before the b method is executed. The rule element is described in the rule description in the format of “@Before (a, b, c)”. Hereinafter, the rule element is referred to as “Before rule element”.

  The second is a rule element indicating that the d method is an essential condition after the execution of the e method in the f method. That is, in the f method, when the e method is executed, the rule element indicates that the d method must be executed after the e method is executed. The rule element is described in the rule description in the format of “@After (d, e, c)”. Hereinafter, the rule element is referred to as “After rule element”.

  The third is a rule element indicating that calling the g method within the h method is an essential condition. That is, it is a rule element indicating that the g method must be called in the h method. The rule element is described in the rule description in the format of “@Call (g, h)”. Hereinafter, the rule element is referred to as “Call rule element”.

  The fourth element is a rule element indicating a necessary condition for calling a method in which an argument type is specified. That is, a rule element indicating that a version for which an argument of a specific type is specified for an i method must be called in the j method. The rule element is described in the rule description in the format of “@Call (i (type), j)”. Hereinafter, the rule element is referred to as a “type designation call rule element”.

  FIG. 4 is a diagram illustrating an example of an operator constituting the rule description. The figure shows four operators and the description format in the rule description of each operator.

  The first is an operator for indicating the relationship between (Equation k) and (Equation 1). That is, it is an operator for describing a rule that both (expression k) and (expression 1) must be satisfied. The operator is described in the rule description by “&&”.

  The second is an operator for indicating the relationship of (Expression m) or (Expression n). That is, it is an operator for describing a rule that either (Expression m) or (Expression n) must be satisfied. The operator is described in the rule description by “||”.

  The third is an operator for indicating the relationship of (Expression p) if (Expression o). That is, it is an operator for describing a rule that (Expression p) must be satisfied when (Expression o) is satisfied. The operator is described in the rule description by “−>”.

  The fourth is an operator for indicating negation of (formula q). That is, it is an operator for describing a rule that (formula q) must not be satisfied. The operator is described in the rule description by “!”.

  The rules are different for each library. Therefore, the rule description is created for each library by, for example, a library developer or a library user who is familiar with the library specifications.

  The rule analysis unit 12 analyzes the rule description recorded in the rule description storage unit 11, and converts the content of the rule description into a format that can be easily processed by the computer (program generation unit 13). More specifically, the rule analysis unit 12 extracts constituent elements (a rule element list and a formula structure described later) from the rule description. That is, since the rule description can be described by a person, it has a format that is easy for a person to understand. On the other hand, formats that are easy to understand for humans tend to be unsuitable for logical processing by computers. Therefore, the rule analysis unit 12 executes a process for mediating between a person and a computer (program generation unit 13).

  The program generation unit 13 automatically generates a source code of a program for detecting a rule violation based on an analysis result by the rule analysis unit 12 (component of rule description extracted by the rule analysis unit 12). More specifically, the program generation unit 13 includes a history recording program generation unit 131, a rule verification program generation unit 132, and the like. The history recording program generation unit 131 generates the history recording program Pr as part of a program for detecting rule violations. The rule verification program generation unit 132 generates a rule verification program Pc as part of a program for detecting rule violations.

  The history recording program Pr is a program that detects a method call (method execution) by an application to be developed and records a history of the call. The rule verification program Pc is a program for verifying the presence or absence of rule violation based on the history recorded by the history recording program Pr.

  The history recording program Pr and the rule verification program Pc are created based on aspect-oriented programming. This is because one of the features of aspect-oriented programming is suitable for this embodiment. The feature is that it can act on the target program from the outside of the target program (library in the present embodiment). With such a property, it is possible to detect a method call (execution) of a library without changing the library side. In this embodiment, AspectJ is used as an aspect-oriented programming language. However, other languages may be used.

  The template data storage unit 14 uses the auxiliary storage device 102 to store data (model data) that is a template of the source code of the history recording program Pr or the rule verification program Pc.

  Hereinafter, the processing procedure of the context violation detection support apparatus 10 will be described. FIG. 5 is a flowchart for explaining an example of a processing procedure executed by the rule analysis unit. The process shown in the figure is started in response to a process start instruction input by the user, for example. In this instruction, identification information of the rule description to be analyzed is specified. The identification information of the rule description is hereinafter referred to as “rule name”.

  In step S <b> 101, the rule analysis unit 12 reads the rule description relating to the specified rule name from the rule description storage unit 11 into the memory device 103. That is, the rule description is stored in the rule description storage unit 11 in association with the rule name.

  FIG. 6 is a diagram illustrating an example of the first rule description. The rule description rd1 shown in the figure includes a description d11 and a description d12.

  A description d11 indicates a method name that is a target of the rule description rd1. Therefore, it can be seen from the description d11 that the rule description rd1 is a rule description related to the method “SSLSocket.startHandshake ()”. Note that rules relating to a plurality of methods may be described in one rule description. A description indicating the target method name is not essential.

  The description d12 is an expression indicating a rule. In the description d12, two Before rule elements are connected by the “−>” operator. The Before rule element of the first term is “@Before (X509TrustManager.checkServerTrusted (), SSLSocket.startHandshake (), httpServlet.doPost ())”, and the Before rule element of the second term is “@Before (X509Certificate. checkValidity (), SSLSocket.startHandshake (), httpServlet.doPost ())) ”.

  Therefore, the expression related to the description d12 is “in httpServlet.doPost (), if X509TrustManager.checkServerTrusted () is executed before SSLSocket.startHandshake () (if executed), it will be in httpServlet.doPost (). , X509Certificate.checkValidity () must be executed before SSLSocket.startHandshake (). "

  The rule description rd12 describes rules regarding the use of the SSLSocket library in the implementation of an application as a Java (registered trademark) SSL (Secure Socket Layer) client.

  That is, in SSL communication, it is necessary to verify whether or not the server certificate is reliable. In the case of a Java (registered trademark) SSLSocket library, when handshake is started by calling startHandshake (), certificate verification processing is automatically performed, so there is usually no problem. However, if checkServerTrusted () is overridden in the X509TrustManager implementation class, the certificate verification process is overridden. Therefore, in this case, the certificate verification process must be appropriately implemented by the application developer.

  Therefore, the rules regarding the use of the SSLSocket library when an application as an SSL client is implemented are as follows.

Target method: javax.net.ssl.SSLSocket # startHandshake ()
Rule: When checkServerTrusted () of X509TrustManager (implementing class) is executed before javax.net.ssl.SSLSocket # startHandshake () in the process called from the servlet, X509Certificate # checkValidity () The rule description rd1 represents the rule using a rule element and an operator.

  Here, a Web application called from a servlet is an example of an application. HttpServlet.doPost () is a method that is called when a POST command of an HTTP request is received in the Web server. Therefore, “httpServlet.doPost ()” is applied to “processing called from servlet”.

  The rule description may be described in a structured document format such as an XML format in consideration of the convenience of the analysis processing.

  FIG. 7 is a diagram illustrating an example of the first rule description in the XML format. The rule description rd2 in the figure describes the same rules as those defined in the rule description rd1 in FIG. 6 in the XML format.

  The value of the library attribute (“SSLSocket.startHandshake ()”) of the root element (element surrounded by the <rule> tag) indicates the name of the target method. The tag name of the child element rd21 of the rule element ( “->”) Indicates an operator that connects two Before rule elements included as the value of the child element, before element rd22 corresponds to the Before rule element of the first term in the description d12 of FIG. The before element rd23 corresponds to the before rule element of the second term in the description d12 of Fig. 6. That is, in each before element, the proc attribute, the succ element, and the with element are the a method and b method of the Before element, respectively. , C method (see FIG. 3).

  Data in XML format can be easily analyzed by an existing XML parser. Therefore, the processing content of the rule analysis unit 12 can be simplified.

  Subsequently, the rule analysis unit 12 analyzes the structure of the read rule description (S102). Specifically, rule elements and operators in the rule description are disassembled and structured. That is, the rule analysis unit 12 recognizes the logical relationship between each rule element. In the case where the rule description is in the XML format as shown in FIG. 7, reading into the DOM (Document Object Model) format by the XML parser corresponds to the analysis in step S102. Therefore, when the rule description is described in a structured document format, steps S101 and S102 can be substantially one step.

  Subsequently, the rule analysis unit 12 transforms (or converts) the rule description formula as necessary (S103). In the present embodiment, the expression including the operator “->” is transformed (or converted) using the operators “!” And “||”. Specifically, an expression having a structure of “A-> B” is transformed into “! A || B”. In both expressions, the logical relationship between A and B is the same, and the operators “!” And “||” satisfy the evaluation of the logical value (true / false value) of the expression (the rule indicated by the expression is satisfied). This is because it is easy to evaluate whether or not it is present. Here, “A” and “B” indicate one rule element or expression. In step S103, all the operators “->” are resolved (replaced).

  Subsequently, the rule analysis unit 12 extracts a rule element from the analysis result of the rule description rd1 (S104). Subsequently, the rule analysis unit 12 generates (assigns) a variable name for each extracted rule element (S105). The variable name is an identification name for a variable for storing a logical value (true / false value) of the rule element. As long as uniqueness is ensured between rule elements, the naming rules for variable names are not limited to predetermined ones. Subsequently, the rule analysis unit 12 records (outputs) a list of pairs of rule elements and variable names in the auxiliary storage device 102 in association with the rule names (S106). This list is hereinafter referred to as “rule element list”.

  FIG. 8 is a diagram illustrating an example of a first rule element list. The rule element list rL1 in the same figure is a rule element list generated based on the rule description rd1 shown in FIG. In the figure, an example in which the variable name “R1” is assigned (generated) to the Before rule element of the first term and the variable name “R2” is assigned to the Before rule element of the second term. It is shown.

  Subsequently, the rule analysis unit 12 sets an expression structure in which each rule element in the rule description expression is replaced with a variable name corresponding to the rule element (S107). In addition, about the formula deform | transformed in step S103, the formula after deformation | transformation is made into the object of substitution. The formula structure based on the rule element description rd1 in FIG. 6 and the rule element list rL1 in FIG. 8 is as shown in (1) below.

  ! R1 || R2 (1)

For each rule element of the rule description rd1, the result of simple substitution with a variable name is
R1-> R2
However, the expression structure extracted from the rule description rd1 by the modification in step S103 is as described in (1) above.

  Subsequently, the rule analysis unit 12 records (outputs) the formula structure in the auxiliary storage device 102 in association with the rule name (S108).

  Subsequently, a processing procedure of the program generation unit 13 will be described. FIG. 9 is a flowchart for explaining an example of a processing procedure executed by the program generation unit. The process shown in the figure is started in response to a process start instruction input by the user, for example. In the instruction, a rule name is specified.

  In step S <b> 201, the program generation unit 13 reads an aspect template (aspect template) from the template data storage unit 14 into the memory device 103.

  FIG. 10 is a diagram illustrating an example of an aspect template. As shown in the figure, the aspect template is a template for defining an aspect in an aspect-oriented programming language (AspectJ). In the aspect template t1 in the figure, the aspect name is parameterized. That is, “<aspect name>” is described in the aspect name, not a specific value. In addition, one line of step s11 is described in the aspect template t1. In step s11, generation of a variable varTable of the MAP <MAP> type in the memory is defined. The MAP <MAP> type refers to a data type that can store a key name and a MAP type variable in association with each other. In the present embodiment, the library method call history (execution history) is managed using such a MAP <MAP> type variable varTable.

  FIG. 11 is a diagram conceptually illustrating an example of a data structure for managing a library call history in the present embodiment.

  In the figure, the variable varTable is represented in a table format for convenience. The variable varTable stores a thread identifier as a key and a history table as a value. The thread identifier is an identifier of a thread in which the history recording program Pr operates when the application verifies the suitability of the library. In a multi-thread environment, the history recording program Pr can be executed in parallel on a plurality of threads. And the rule description about the library (rule about the context) needs to be satisfied for each thread. Therefore, the variable varTable stores a history table in association with each thread. In the case of a library for communication, a history table may be stored for each session (corresponding to a session ID) in the variable varTable. In addition, when the rule description needs to be satisfied in units other than threads or sessions, a history table may be associated with each unit.

  On the other hand, the history table is a variable of the MAP <boolean> type that is referred to by a variable name “currentTable” in the history recording program Pr generated in the present embodiment. The currentTable variable (history table) stores a variable name of a rule element as a key or a variable name assigned to each method in the rule element, and a true / false value indicating whether the rule element is satisfied as a value, or A true / false value indicating whether or not the method is called (executed) is stored.

  Subsequently, the program generation unit 13 applies the rule name specified by the user to the <aspect name> of the aspect template t1 (replaces <aspect name> with the rule name) and relates to the rule name. A specific aspect source code (aspect code) corresponding to the rule description rd1 is generated (S202).

  FIG. 12 is a diagram illustrating a specific example of the first aspect code. In the aspect code ac1 in the figure, “<Aspect name>” in FIG. 10 is replaced with “SSLSocket”. That is, in the present embodiment, it is assumed that the rule name related to the rule description rd1 is “SSLSocket”.

  In step S202, not only the rule name fitting but also a file including the aspect code ac1 to which the rule name is applied is generated in the auxiliary storage device 102.

  Subsequently, the history recording program generation unit 131 reads the rule element list rL1 and the formula structure associated with the designated rule name from the auxiliary storage device 102 into the memory device 103 (S203). Subsequently, the history recording program generation unit 131 sets an unprocessed rule element as a processing target in the read rule element list rL1 (S204). An unprocessed rule element refers to a rule element that is not a processing target in step S205. Therefore, initially, all rule elements included in all the read rule element lists rL1 are unprocessed rule elements.

  Subsequently, the history recording program generation unit 131 executes generation processing of the history recording program Pr for the rule element to be processed (hereinafter referred to as “current rule element”) (S205). In the generation process of the history recording program Pr, the source code as the history recording program Pr is added to the aspect code ac1 generated in step S202 for the current rule element. Step S205 is executed in order for all rule elements included in the read rule element list rL1 (S206).

  Subsequently, the rule verification program generation unit 132 executes generation processing of the rule verification program Pc (S207). In the generation process of the rule verification program Pc, the source code as the rule verification program Pc for the rule description corresponding to the specified rule name is added to the aspect code ac1 generated in step S202. Therefore, the history recording program Pr and the rule verification program Pc are generated as one source code as a file unit (as a source code unit).

  Next, details of the process of generating the history recording program Pr in step S205 will be described. The generation process of the history recording program Pr differs depending on whether the current rule element is a Before rule element, an After rule element, a Call rule element, or a type designation Call rule element. Therefore, the history recording program generation unit 131 determines which type the current rule element is, and branches the process. Hereinafter, each processing procedure after branching will be described.

  First, the generation process of the history storage program regarding the Before rule element (@Before (a, b, c)) will be described. In short, in the generation process, a history program that executes the following process is generated. In the following description, a method, b method, and c method refer to a method, b method, or c method in @Before (a, b, c).

  (1) The execution of the c method is hooked (detected), and the evaluation value of the Before rule element (a true / false value indicating whether the requirement of the element is satisfied) is set to true. Also, it is recorded that the a method is not executed.

  (2) Hook (detect) execution of the a method and record that the a method has been executed.

  (3) The execution of the b method is hooked (detected), and a true / false value indicating whether or not the a method has been executed is set as the evaluation value of the Before rule element.

  Therefore, if the a method is not executed before the b method is executed even though the b method is executed, a history storage program whose evaluation value is false is generated.

  The details of the process of generating the history recording program Pr will be described below.

  FIG. 13 is a flowchart for explaining an example of the processing procedure of the history recording program generation processing regarding the Before rule element. That is, this figure is an example of the processing procedure of the generation process of the history recording program Pr when the current rule element is the Before rule element.

  In step S301, a pointcut definition for hooking the call to the c method of the current rule element is additionally generated in the aspect code ac1. Specifically, the history recording program generation unit 131 acquires the pointcut definition template from the template data storage unit 14, and adds the result of fitting the c method of the current rule element to the pointcut definition template to the aspect code ac1. The point cut definition is a definition of a set of one or more join points in an aspect-oriented programming language. A join point is a point on the code that weaves an aspect. That is, the join point refers to a hook position in the target program.

  FIG. 14 is a diagram illustrating an example of a pointcut definition template. In the pointcut definition template t2 in the figure, the pointcut name and the method name of the method to be the join point are parameterized as <pointcut name> or <method name>, respectively. The point cut type of the point cut definition template t2 is “call”. Accordingly, the pointcut definition template t2 is a pointcut definition template that uses a method call related to <method name> as a join point.

  In step S301, the history recording program generating unit 131 replaces <pointcut name> of the pointcut definition template t2 with an appropriate value, replaces <method name> with the method name of the c method of the current rule element, and A pointcut definition for the c method is generated.

  FIG. 15 is a diagram showing a first specific example of the pointcut definition in the history recording program. The point cut definition pc11 in the figure is applied when the c method of the rule element on the first line in FIG. 8 (hereinafter referred to as “rule element R1”) is applied to the point cut definition template t2 in FIG. Pointcut definition to be generated. That is, it is assumed that the rule element R1 is the current element at the current stage.

  In the point cut definition pc11, <point cut name> of the point cut definition template t2 is replaced with “callR1-c”. Also, <method name> in the pointcut definition template t2 is replaced with the method name “httpServlet.doPost ()” of the c method in the rule element R1. The pointcut name is guaranteed to be unique among the pointcut definitions, and an arbitrary character string may be designated within the scope of the programming language specification. In the present embodiment, the pointcut name for the c method of the Before rule element is generated according to a naming rule “call <variable name of current rule element> -c”. <Variable name of current rule element> is replaced by the variable name for the current rule element. Since the variable name of the rule element R1 is “R1”, it is replaced with “R1”.

  Subsequently, the history recording program generation unit 131 additionally generates before advice definition ad11 (see FIG. 33) for the point cut definition pc11 in the aspect code ac1 (S302). Specifically, the history recording program generation unit 131 acquires a before advice definition template from the template data storage unit 14, and generates a before advice definition based on the before advice definition template.

  Advice refers to processing executed on a joint point in an aspect-oriented programming language. Among advices, before advice means “pre-processing”. That is, the before advice is a process that is woven (incorporated) before the joint point is executed.

  FIG. 16 is a diagram illustrating an example of a before advice definition template. In the before advice definition t5 in the figure, the point cut name is parameterized as <point cut name>.

  Also, the before advice definition template t5 includes three processing steps. Includes three processing steps. Step s51 obtains the identifier of the current thread. In step s52, the history table corresponding to the current thread is acquired from the variable varTable (see FIG. 11), and is substituted into the variable currentTable. Step s53 generates a history table corresponding to the current thread if it has not yet been generated, and substitutes the generated history table into the variable currentTable.

  In step S302, the history recording program generating unit 131 generates a before advice definition by replacing <point cut name> of the before advice definition template t5 with the point cut name ("callR1-c") generated in step S301. To do.

  Subsequently, the history recording program generation unit 131 adds a step for temporarily recording in the history table (variable currentTable) that the requirements of the current rule element are satisfied to the before advice definition (S303). Specifically, the history recording program generation unit 131 acquires a history recording template from the template data storage unit 14, and adds a step related to recording processing to the history table based on the history recording template.

  FIG. 17 is a diagram illustrating an example of a history recording template. In the history record template t4 in the figure, the key name and the value recorded (set) in the history table (variable currentTable) are parameterized as <key name> and <value>, respectively. In step S303, the history recording program generating unit 131 replaces <key name> with the variable name (R1) for the c method of the current rule element (rule element R1), and replaces <value> with true before. Add to advice definition. Details of steps s41 and s42 will be described later.

  Subsequently, the history recording program generation unit 131 adds a step for recording in the history table (variable currentTable) that the a method has not been executed to the before advice definition (S304). Specifically, the history recording program generation unit 131 replaces <key name> of the history recording template t4 with the variable name for the a method of the current rule element (rule element R1), and replaces <value> with false. Add the result to the before advice definition. In the present embodiment, the variable name for the a method is generated according to the naming rule “<variable name of current rule element> -pred”. Therefore, for the a method of rule element R1, <key name> is replaced by the value "R1-pred".

  By executing step S304, a specific before advice definition for the pointcut definition generated in step S301 is completed. FIG. 18 is a diagram illustrating a first example of specific before advice definition.

  For each step included in the before advice definition ad11 in the figure, the same step number is assigned to the step in FIG. 16 or FIG.

  Steps s51 to s53 are as described in FIG. In step s41-1, true is recorded in the history table for the key name of the variable name “R1” of the current rule element. That is, it is temporarily recorded in the history table that the requirement of the rule element R1 is satisfied before the c method is executed. This is because the before advice definition ad11 shown in the figure is executed before the execution of the c method by the action of the pointcut definition pc11. Step s42-1 stores the history table in the variable varTable in association with the identifier of the current thread. As a result, the fact that the requirement of the rule element R1 is satisfied in the current thread is provisionally recorded in the variable varTable.

  Step s41-2 records false for the variable name ("R1-pred") for the a method of the current rule element in the history table (currentTable). That is, it is recorded in the history table that the a method has not been executed. In step s42-2, the history table is stored in the variable varTable in association with the identifier of the current thread. As a result, it is recorded in the variable varTable that the a method is not executed in the current thread.

  Subsequently, the history recording program generation unit 131 additionally generates a pointcut definition for hooking the call of the a method of the current rule element in the aspect code ac1 (S305). Specifically, the history recording program generation unit 131 replaces <point cut name> in the point cut definition template t2 (FIG. 14) with an appropriate value, and replaces <method name> with the method name of the a method of the current rule element. To generate a pointcut definition for the a method.

  FIG. 19 is a diagram showing a second specific example of the pointcut definition in the history recording program. The point cut definition pc12 in the figure is a point cut definition generated when the a method of the rule element R1 (FIG. 8) is applied to the point cut definition template t2 in FIG.

  In the point cut definition pc12, <point cut name> of the point cut definition template t2 is replaced with “callR1-pred”. Also, the <method name> of the pointcut definition template t2 is replaced with the method name “X509TrustManager.checkServerTrusted ()” of the a method in the rule element R1. Note that the point cut name for the a method of the Before rule element is generated according to a naming rule of “call <variable name of current rule element> -pred”.

  Subsequently, the history recording program generation unit 131 additionally generates an after advice definition for the point cut definition generated in step S305 in the aspect code ac1 (S306). Specifically, the history recording program generation unit 131 acquires an after advice definition template from the template data storage unit 14, and generates an after advice definition based on the after advice definition template.

  After advice means “post processing”. That is, the after advice is a process to be incorporated (incorporated) after the joint point is executed.

  FIG. 20 is a diagram illustrating an example of an after advice definition template. In the after advice definition template t3 in the figure, the point cut name is parameterized as <point cut name>.

  The after advice definition template t3 includes three processing steps. Step s31 obtains the identifier of the current thread. In step s32, the history table corresponding to the current thread is acquired from the variable varTable (see FIG. 11), and is substituted into the variable currentTable. A step s33 generates a history table corresponding to the current thread if it has not been generated yet, and substitutes the generated history table into a variable currentTable.

  In step S306, the history recording program generation unit 131 generates an after advice definition by replacing <point cut name> of the after advice definition template t3 with the point cut name ("callR1-pred") generated in step S305. To do.

  Subsequently, the history recording program generation unit 131 adds a step for recording that the a method has been called to the history table (variable currentTable) to the after advice definition generated in step S306 (S307). . Specifically, the history recording program generation unit 131 acquires the history recording template t4 (FIG. 17) from the template data storage unit 14, and adds a step related to the recording process to the history table based on the history recording template t4. . That is, the history recording program generation unit 131 replaces <key name> of the history recording template t4 with the variable name (R1-pred) for the a method of the current rule element (rule element R1), and <value> by true. The replacement result is added to the after advice definition.

  By executing step S307, a specific after advice definition for the pointcut definition generated in step S305 is completed.

  FIG. 21 is a diagram illustrating a first example of a specific after advice definition. About each step contained in the after advice definition ad12 of the same figure, the same step number is attached | subjected to the same step as FIG. 17 or FIG.

  Steps s31 to s33 are as described in FIG. In step s41, true is obtained for the variable name (“R1-pred”) for the a method of the current rule element in the history table (currentTable) acquired from the variable vaTable (s32) or newly generated (s33). Record. That is, the fact that the a method has been called is recorded in the history table. In step s42, the history table is stored in the variable varTable in association with the identifier of the current thread. As a result, the fact that the a method has been called in the current thread is recorded in the variable varTable.

  Subsequently, the history recording program generation unit 131 additionally generates a point cut definition for hooking the call of the b method of the current rule element in the aspect code ac1 (S308). Specifically, the history recording program generation unit 131 acquires the pointcut definition template t2 (FIG. 14) from the template data storage unit 14, and applies the b method of the current rule element to the pointcut definition template t2. Add to code ac1. As a result, the point cut definition shown in FIG. 22 is added to the aspect code ac1.

  FIG. 22 is a diagram showing a third specific example of the pointcut definition in the history recording program. The point cut definition pc13 in the figure is a point cut definition generated when the b method of the rule element R1 is applied to the point cut definition template t2 in FIG.

  In the pointcut definition pc13, <pointcut name> of the pointcut definition template t2 is replaced with “callR1-succ”. Also, the <method name> of the pointcut definition template t2 is replaced with the method name “SSLSocket.startHandshake ()” of the b method in the rule element R1. In the present embodiment, the pointcut name for the b method of the Before rule element is generated according to a naming rule “call <variable name of current rule element> -succ”.

  Subsequently, the history recording program generation unit 131 additionally generates an after advice definition for the point cut definition generated in step S308 in the aspect code ac1 (S309). Specifically, the history recording program generation unit 131 replaces the <point cut name> of the after advice definition template t3 with the point cut name (“callR1-suc”) generated in step S308, thereby changing the after advice definition. Generate.

  Subsequently, the program generation unit 13 adds a step for referring to the call history (execution history) related to the a method that should be called before the b method to the after advice definition generated in step S309 (S310). ). This step is generated based on the history reference template acquired from the template data storage unit 14.

  FIG. 23 is a diagram illustrating an example of a history reference template. In the history reference template t6 in the figure, the key name for acquiring a value from the history table (variable currentTable) and the variable name of the variable for storing the acquired value (reference variable) are <key name> and < Parameterized as reference variable name>. In step S310, the history recording program generation unit 131 replaces <reference variable name> with an appropriate value, and replaces <key name> with a variable name for the a method (here, "R1-pred"). Is added to the after advice definition. In the present embodiment, the variable name for referring to the value corresponding to the variable name of the a method is “r1”. Therefore, <reference variable name> is replaced with “r1”. Details of steps s61 and s62 will be described later.

  Subsequently, the program generation unit 13 uses the history recording template t4 (FIG. 17) to add a step for recording the evaluation value of the current rule element in the variable varTable to the after advice definition generated in step S309. (S311). Specifically, the <key name> of the history record template t4 is replaced with the variable name (“R1”) of the current rule element, and the <value> is <reference variable name> of the history record template t4 (FIG. 23). The result of replacement with the same variable name (“r1”) as the replacement destination is added to the after advice.

  By executing step S311, a specific after advice definition for the pointcut definition generated in step S308 is completed.

  FIG. 24 is a diagram illustrating a second example of a specific after advice definition. For each step included in the after advice definition ad13 in the figure, the same step number is assigned to the same step as in FIG. 16, FIG. 23, or FIG.

  Steps s31 to s33 are as described in FIG. In step s61, a value recorded for the key name “R1-pred” in the history table (variable currentTable) corresponding to the current thread is acquired and substituted into the variable r1. That is, a true / false value indicating whether or not the a method of the current rule element has been executed is assigned to the variable r1.

  Step s62 assigns false to the variable r1 when the value of the variable r1 is null (that is, when the before advice definition ad11 and the after advice definition ad12 are not executed). Therefore, when the advice definition ad13 is executed after the a method is executed, the variable r1 is in a state where true is substituted. In other cases, the variable r1 is in a state where false is substituted. The after advice definition ad13 is a process executed after the b method is executed. Therefore, the case where the advice definition ad13 is executed after the a method is executed corresponds to the case where the b method is executed after the a method is executed. This means that the requirement of the current rule element which is the Before element is satisfied.

  In step s41, the value of the variable r1 is recorded in the history table for the key name of the variable name “R1” of the current rule element. That is, the value of the variable r1 is recorded in the history table as the evaluation value of the current rule element. This is because the value of the variable r1 indicates whether or not the requirement of the current rule element is satisfied as described above.

  In step s42, the history table is stored in the variable varTable in association with the identifier of the current thread. As a result, whether or not the requirements of the current rule element are satisfied in the current thread is recorded in the variable varTable.

  This is the end of the processing procedure when the current rule element is the Before rule element. As shown in FIG. 8, in the case of the present embodiment, the second rule element (rule element R2) in the rule element list rL1 in FIG. 8 is also a Before rule element. Therefore, the processing procedure shown in FIG. 13 is subsequently executed for the rule element R2. As a result, the evaluation value of the rule element R2 is recorded in the history table of the current thread for the variable name R2, and the history table is stored in the variable varTable. The description of the processing procedure is omitted because it is self-evident from the above.

  Next, the rule verification program Pc generation process in step S207 in FIG. 9 will be described based on the rule element list rL1 in FIG. Note that the description of the processing procedure of the history recording program Pr generation process when the current element is an After rule element, a Call rule element, or a type designation Call rule element will be deferred for convenience.

  FIG. 25 is a flowchart for explaining an example of the processing procedure of the rule verification program generation processing.

  In step S401, the rule verification program generation unit 132 hooks the method specified as the last argument of each rule element in the rule element list rL1 (hereinafter referred to as “calling method”). Is added to the aspect code ac1. That is, the c method for the Before rule element, the f method for the After rule element, the h method for the Call rule element, and the j method for the type-specified Call rule element correspond to the caller method. In the present embodiment, the caller method of each rule element in one rule needs to be common. This is because the verification of whether or not the rule is satisfied needs to be performed at one place after execution of the caller method. The point cut definition template t2 (FIG. 14) is used for generating the point cut definition in step S401.

  FIG. 26 is a diagram illustrating a specific example of the pointcut definition in the rule verification program.

  In the point cut definition pc17 of FIG. 14, <point cut name> of the point cut definition template t2 of FIG. 14 is replaced with “callLib”. Also, <method name> is replaced by the method name (“httpServlet.doPost ()”) of the target method of the rule description rd1. Note that the pointcut name in the pointcut definition for the target method is fixedly replaced with “callLib” in the present embodiment. However, the point cut name may be arbitrarily determined within the specification range of the programming language.

  Subsequently, using the after advice definition template t3, the rule verification program generating unit 132 additionally generates an after advice definition for the pointcut definition generated in step S401 in the aspect code ac1 (S402). Specifically, the result obtained by replacing the <point cut name> of the after advice definition template t3 with the point cut name (“callLib”) that is the replacement destination in step S401 is added to the aspect code ac1.

  Subsequently, for each variable name included in the expression structure (! R1 || R2) of the rule description rd1, the rule verification program generation unit 132 sets a step for referring to the value for the variable name to the aspect code ac1. It is added (S403). Specifically, the rule verification program generation unit 132 acquires the history reference template t6 (FIG. 23) from the template data storage unit 14, and assigns the variable name to the history reference template t6 for each variable name. Add to code ac1.

  The expression structure (! R1 || R2) includes a variable name R1 and a variable name R2. Therefore, the result obtained by replacing <reference variable name> in the history reference template t6 with “r1” and replacing <key name> with “R1” is added. Further, the result of replacing <reference variable name> with “r2” and replacing <key name> with “R2” in the history reference template t6 is added.

  Subsequently, the rule verification program generation unit 132 performs a step of generating an exception according to the true / false value of the expression generated as a result of applying the value of the variable name to each variable name of the expression structure. (S404). This step is generated using the rule evaluation template acquired from the template data storage unit 14.

  FIG. 27 is a diagram illustrating an example of a rule evaluation template. In the rule evaluation template t7 in the figure, <expression> is replaced with an expression in which each variable name in the expression structure is replaced with the variable name of the reference variable to which the value for the variable name is assigned. Details of step s71 will be described later.

  By executing step S404, the after advice definition generated in step S402 is completed as shown in FIG.

  FIG. 28 is a diagram illustrating a specific example of after advice definition in the rule verification program. For each step included in the after advice definition ad17 in the same figure, the same step number is assigned to the same step as in FIG. 20, FIG. 23, or FIG.

  Steps s31 to s33 are as described in FIG. 20, and are generated in step S402. Steps s61-1 to s62-2 are generated in step S403. In step s61-1, a value recorded for the key name “R1” in the history table (variable currentTable) corresponding to the current thread is acquired and substituted into the variable r1. That is, a true / false value indicating the evaluation value of the rule element R1 is substituted into the variable r1. Step s62-1 assigns false to the variable r1 when the value of the variable r1 is null (empty). Therefore, when the requirement of the rule element R1 is satisfied, true is assigned to the variable r1, and when the requirement of the rule element R1 is not satisfied, false is assigned to the variable r1.

  In step s61-2, the value recorded for the key name “R2” in the history table (variable currentTable) corresponding to the current thread is acquired and substituted into the variable r2. That is, a true / false value indicating the evaluation value of the rule element R2 is substituted into the variable r2. Step s62-2 assigns false to the variable r2 when the value of the variable r2 is null (empty). Therefore, when the requirement of the rule element R2 is satisfied, true is assigned to the variable r2, and when the requirement of the rule element R2 is not satisfied, false is assigned to the variable r2.

  Step s71 is generated in step S404. In step s71, “! (! R1 || r2)” is evaluated, and if the evaluation value is true (that is, if (! R1 || r2) is false), an exception (RuntimeException) is generated. If the evaluation value is false (that is, if (! R1 || r2) is true), nothing is done. Note that “! (! R1 || r2)” means negation of the logical sum of the value of r1 and the value of r2.

  The generation of the source code (aspect code ac1) of the history recording program Pr and the rule verification program Pc for the rule description rd1 is thus completed. As a result, the aspect code ac1 is as shown in FIGS.

  FIGS. 29 and 30 are diagrams showing specific examples of aspect codes of the history recording program and the rule verification program generated with respect to the first rule description of the present embodiment. 29 and 30 show one aspect code ac1 divided into two drawings for convenience.

  In FIG. 29, the same reference numerals are assigned to the same pointcut definition or advice definition as in FIG. 15, FIG. 18, FIG. 19, FIG. 21, FIG. That is, FIG. 29 shows a pointcut definition or an advice definition related to the rule element R1 extracted from the rule description rd1.

  In FIG. 30, the same reference numerals are assigned to the same pointcut definition or advice definition as in FIG.

  In FIG. 30, a pointcut definition pc14 and an after advice definition ad14 are pointcut definitions or advice definitions generated by executing steps S301 to S304 of FIG. 13 for the rule element R2. The point cut definition pc15 and the after advice definition ad15 are point cut definitions or advice definitions generated by executing steps S305 to S307 in FIG. 13 with respect to the rule element R2. The pointcut definition pc16 and the after advice definition ad16 are pointcut definitions or advice definitions generated by executing steps S308 to S311 in FIG. 13 for the rule element R2.

  The aspect code ac1 generated as shown in the figure functions as a history recording program Pr and a rule verification program Pc by being compiled and applied to an application using a library. Calling library methods by the application is hooked by the pointcut definition in the history recording program Pr. The advice definition in the history recording program Pr is executed according to the hook of the call, and the history regarding the call is recorded in the variable varTable. Further, after the call source method of the rule description rd1 is executed, the advice definition in the rule verification program Pc is executed to evaluate whether or not the requirement of the rule description rd1 is satisfied. If the requirement is not met (if false), an exception occurs. The occurrence of the exception allows the user to recognize that the library is inappropriately used.

  Next, the case where the current rule element is an after rule element, which is deferred for convenience, will be described with respect to the process of generating the history recording program Pr in step S205 of FIG. Here, it is assumed that the rule description shown in FIG. 31 is read by the rule analysis unit 12 in step S101 of FIG.

  FIG. 31 is a diagram illustrating an example of the second rule description. In the expression indicating the rule of the rule description rd2 shown in the same drawing, two After rule elements are connected by the “||” operator. The After rule element of the first term is "@After (java.io.File.delete (), java.io.File.createTempFile (), httpServlet.doPost ())", and the After rule element of the second term Is "@After (java.io.File.deleteOnExit (), java.io.File.createTempFile (), httpServlet.doPost ())".

  Therefore, the expression related to the rule description rd2 is “if java.io.File.createTempFile () is called in httpServlet.doPost (), then java.io.File.createTempFile () will be called after java.io.File.createTempFile ()”. File.delete () must be called, or if java.io.File.createTempFile () is called in httpServlet.doPost (), call java.io.File.createTempFile () Later, java.io.File.deleteOnExit () must be called. "

  The rule description rd2 is defined in the present embodiment in consideration that there is a possibility of information leakage if a file is temporarily generated in the application unless the file is deleted at the end of the application. is there.

  In order for the file to be deleted appropriately, a rule that delete () or deleteOnExit () needs to be executed after execution of Java.io.File # createTempFile () may be defined. A rule description rd2 represents the rule using a rule element and an operator.

  As a result of executing Steps S102 to S106 for the rule description rd2, the rule element list shown in FIG. 32 is recorded (output) in the auxiliary storage device 102.

  FIG. 32 is a diagram illustrating an example of a second rule element list. In the figure, an example in which the variable name “R3” is assigned (generated) to the After rule element of the first term and the variable name “R4” is assigned to the After rule element of the second term. It is shown. Hereinafter, the after rule element of the first term is referred to as “rule element R3”, and the after rule element of the second term is referred to as “rule element R4”.

  Subsequently, in step S107, the following formula structure (2) is generated.

  R3 || R4 (2)

  Subsequently, the process described in FIG. 9 is executed by the program generation unit 13 with respect to the rule description rd2. In step S202, a part of the aspect code related to the rule description rd2 is generated.

  FIG. 33 and FIG. 34 are diagrams showing specific examples of aspect codes of the history recording program and the rule verification program generated with respect to the second rule description of the present embodiment.

  In the drawing, the completed form of the aspect code ac2 generated for the rule description rd2 is shown. The part generated in step S202 is the definition of the aspect and step s11. That is, the content is the same as the aspect code ac1 shown in FIG. Step s11 is the same as step s11 in the aspect code ac1 of FIG. That is, the data structure for recording the history (see FIG. 11) is the same regardless of the type of rule element.

  Next, step S205 in FIG. 9 will be described. The rule elements included in the rule element list rL2 are all After rule elements. Therefore, the history recording program generation unit 131 executes a process for generating the history recording program Pr related to the After rule element as the generation process of the history recording program Pr. In short, in the generation process, a history storage program that executes the following process is generated. In the following description, d method, e method, and f method refer to d method, e method, and f method in @After (d, e, f).

  (1) The execution of the f method is hooked, and the evaluation value of the After rule element is set to true.

  (2) The execution of the e method is hooked and the evaluation value is set to false.

  (3) The execution of the d method is hooked, and the evaluation value is set to true.

  As described above, when the e method is executed, if the d method is not executed after that, the history recording program Pr having the evaluation value of the After rule element as false is generated.

  The details of the process of generating the history recording program Pr will be described below.

  FIG. 35 is a flowchart for explaining an example of the processing procedure of the history recording program generation processing regarding the After rule element. In the following description, regarding the rule description rd2, the aspect code generated in step S202 of FIG. 9 is referred to as “aspect code ac2”. The state of the aspect code ac2 at the start time in FIG. 35 is the same as the aspect code ac1 shown in FIG.

  In step S501, the history recording program generation unit 131 uses the pointcut definition template t2 (FIG. 14) to generate the aspect code of the pointcut definition pc21 for hooking the call of the f method of the current rule element (rule element R3). Generate additional to ac2. Specifically, the history recording program generation unit 131 replaces <pointcut name> of the pointcut definition template t2 with “callR3-f”, and replaces <method name> with the method name of the f method of the current rule element (“ httpServlet.doPost () "), and a pointcut definition pc21 (see FIG. 33) for the f method is generated. In the present embodiment, the pointcut name for the f method of the After rule element is generated according to the naming rule “call <variable name of current rule element> -f”.

  Subsequently, the history recording program generation unit 131 generates a before advice definition ad21 (see FIG. 33) for the pointcut definition pc21 using the before advice definition template t5 (FIG. 16), and adds it to the aspect code ac2 (S502). ). In step S502, steps s51 to s53 are generated in the before advice definition ad21. The step number corresponds to FIG.

  Subsequently, the history recording program generation unit 131 adds a step for temporarily recording in the history table (variable currentTable) that the requirement of the current rule element is satisfied to the before advice definition ad21 (S503). ). The history recording template t4 (FIG. 17) is used to add the step. The added steps correspond to s41 and 42 in the advice definition ad21 (FIG. 33).

  In step s41 in the advice definition ad21, the variable name (“R3”) of the current rule element (rule element R3) is added to the history table (currentTable) acquired from the variable vaTable (s52) or newly generated (s53). ) For true. That is, the fact that the requirement of the rule element R3 is satisfied is temporarily recorded in the history table before the f method is executed. In step s42, the history table is stored in the variable varTable in association with the identifier of the current thread. As a result, the fact that the requirement of the rule element R3 is satisfied in the current thread is temporarily recorded in the variable varTable.

  Subsequently, the history recording program generation unit 131 uses the pointcut definition template t2 (FIG. 14) to generate the pointcut definition pc22 for hooking the call of the e method of the current rule element (rule element R3) with the aspect code ac2 (S504). Specifically, the history recording program generation unit 131 replaces <point cut name> of the point cut definition template t2 with “R3-pred”, and replaces <method name> with the method name of the e method of the current rule element (“ java.io.File.createTempFile () ”) to generate a pointcut definition pc22 (see FIG. 33) for the e method. In the present embodiment, the pointcut name for the e method of the After rule element is generated according to a naming rule “call <variable name of current rule element> -pred”.

  Subsequently, the history recording program generation unit 131 generates an after advice definition ad22 (see FIG. 33) for the pointcut definition pc22 using the after advice definition template t3 (FIG. 20) and adds it to the aspect code ac2 (S505). ). In step S505, steps s31 to s33 are generated in the after advice definition ad22. The step number corresponds to FIG.

  Subsequently, the history recording program generation unit 131 adds a step for temporarily recording in the history table (variable currentTable) that the current rule element is not satisfied to the after advice definition ad22 (S506). . The history recording template t4 (FIG. 17) is used to add the step. The added steps correspond to s41 and s42 in the advice definition ad22 (FIG. 33).

  Step s41 in the advice definition ad22 is false for the variable name (“R3”) of the rule element R3 in the history table (currentTable) acquired from the variable vaTable (s32) or newly generated (s33). Record. That is, after the e method is executed, the fact that the requirement of the rule element R3 is not satisfied is temporarily recorded in the history table. In step s42, the history table is stored in the variable varTable in association with the identifier of the current thread. As a result, it is temporarily recorded in the variable varTable that the requirement of the rule element R3 is not satisfied in the current thread.

  In subsequent steps S507 and S508, the history recording program generation unit 131 executes the processing described in steps S504 and S505 for the d method. As a result, the point cut definition pc23 and the after advice definition ad23 from s31 to s33 are generated. In the present embodiment, the pointcut name for the d method of the After rule element is generated according to the naming rule “call <variable name of current rule element> -succ”.

  Subsequently, the history recording program generation unit 131 adds a step for recording in the history table (variable currentTable) that the current rule element is satisfied to the after advice definition ad23 (S509). The history recording template t4 (FIG. 17) is used to add the step. The added steps correspond to s41 and s42 in the advice definition ad23 (FIG. 33).

  This is the end of the processing procedure when the current rule element is an After rule element. As shown in FIG. 32, in the case of the present embodiment, the second rule element (rule element R4) in the rule element list rL2 of FIG. 8 is also an After rule element. Therefore, the processing procedure shown in FIG. 13 is subsequently executed for the rule element R4. As a result, the evaluation value of the rule element R4 is recorded in the history table of the current thread for the variable name R4, and the history table is stored in the variable varTable. The description of the processing procedure is omitted because it is self-evident from the above.

  Next, regarding the generation process of the history recording program Pr in step S205 of FIG. 5, a case where the current rule element is a Call rule element will be described.

  FIG. 36 is a flowchart for explaining an example of the processing procedure of the history recording program generation processing regarding the Call rule element. In the following description, the g method and h method refer to the g method or h method in @Call (g, h).

  In step S601, the history recording program generation unit 131 additionally generates a pointcut definition for hooking the call to the h method of the current rule element using the pointcut definition template t2 (FIG. 14). To do.

  Subsequently, the history recording program generation unit 131 generates a before advice definition for the pointcut definition using the before advice definition template t5 (FIG. 16) and adds it to the aspect code (S602).

  Subsequently, the history recording program generation unit 131 adds a step for temporarily recording an evaluation value indicating that the requirement of the current rule element is not satisfied to the history table (variable currentTable) to the before advice definition. (S603).

  Subsequently, the history recording program generation unit 131 uses the pointcut definition template t2 (FIG. 14) to add a pointcut definition for hooking the g method call of the current rule element (rule element R3) to the aspect code. Generate (S604).

  Subsequently, the history recording program generation unit 131 generates an after advice definition for the pointcut definition using the after advice definition template t3 (FIG. 20) and adds it to the aspect code (S605).

  Subsequently, the history recording program generation unit 131 adds a step for recording an evaluation value indicating that the current rule element is satisfied in the history table (variable currentTable) to the after advice definition (S606). The history recording template t4 (FIG. 17) is used to add the step.

  Thus, for the Call rule element, the evaluation value is set to false in response to detection of execution of the h method, and the evaluation value is set to true in response to detection of execution of the g method. Therefore, the evaluation value is true only when the g method is called.

  The generation process of the history recording program Pr related to the type designation Call rule element may be performed, for example, as long as the h method in FIG. 36 is replaced with the j method and the g method is replaced with the i method. .

  As described above, according to the context violation detection support apparatus 10 of the present embodiment, by creating a rule description, the history recording program Pr and the rule verification program Pc are automatically generated based on the rule description. By applying the history recording program Pr and the rule verification program Pc to an application that uses the library, it is possible to check whether or not the library is used by the application. Therefore, the context violation detection support apparatus 10 can appropriately support detection of violations of rules on the context of the library.

  More specifically, the history recording program Pr collects and records a library method call history. The rule verification program Pc determines whether or not the content of the history conforms to a rule in the library context. Therefore, it is possible to detect not only the call stack (call parent-child relationship) but also a rule violation related to the presence or absence of the call or the context as in the debugger.

  In the present embodiment, a dynamic hook mechanism is employed for method invocation, and library invocation by an application is detected. Therefore, there is no need to modify the library or application source code. As a result, for example, after the library is created, a rule can be created later and can be provided integrally with the library. By doing so, it is possible to automatically detect contextual rule violations in the course of application testing without providing a separate inspection tool.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

Regarding the above description, the following items are further disclosed.
(Appendix 1)
A rule analysis procedure for reading out and analyzing contextual rule information on a set of methods stored in the storage means from the storage means;
A history storage program generating procedure for generating a history recording program for recording a history of the execution in response to detection of execution of the method related to the rule information by a program using the set of methods;
Context violation detection in which a computer executes a rule verification program generation procedure for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information Support method.
(Appendix 2)
The rule information includes rule elements that define requirements for calling the method or requirements for the calling order of the methods, and a logical relationship between the plurality of rule elements,
The history storage program generation procedure records the execution history in response to detection of the execution of the method relating to the rule element, and whether or not the requirements stipulated in the rule element are satisfied based on the history And generating the history recording program for recording the determination result,
The context according to claim 1, wherein the rule verification program generation procedure generates the verification program by applying the determination result to the logical relationship and determining whether a call to the method by the program satisfies the rule information. Violation detection support method.
(Appendix 3)
The rule element specifies that in the c method, if the b method is executed, the a method must be executed before the b method is executed.
The history storage program generation procedure records that the a method has not been called in response to detection of execution of the c method, records that the a method has been executed in response to detection of execution of the a method, and b In response to detecting the execution of the method, it is determined whether or not the requirement defined in the rule element is satisfied based on whether or not the method a is executed, and the history recording program for recording the determination result is generated. The context violation detection support method according to attachment 2.
(Appendix 4)
The rule element specifies that in the f method, if the e method is executed, the d method must be executed after the execution of the e method.
The history storage program generation procedure records that the requirement specified in the rule element is satisfied according to the detection of the execution of the f method, and the requirement is satisfied according to the detection of the execution of the e method. The context violation detection support method according to supplementary note 2, wherein the history recording program is recorded to record that the requirement is satisfied in response to detection of execution of the d method.
(Appendix 5)
The rule element specifies that the g method must be executed within the h method,
The history storage program generation procedure records that the requirement defined in the rule element is not satisfied according to the detection of execution of the h method, and the requirement is satisfied according to detection of the execution of the g method. 3. The context violation detection support method according to appendix 2, wherein the history recording program for recording the fact is recorded.
(Appendix 6)
Rule analysis means for reading out and analyzing contextual rule information about a set of methods stored in the storage means from the storage means;
A history storage program generating means for generating a history recording program for recording a history of the execution in response to detection of the execution of the method related to the rule information by a program using the method set;
A context violation detection support apparatus comprising rule verification program generation means for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information.
(Appendix 7)
The rule information includes rule elements that define requirements for calling the method or requirements for the calling order of the methods, and a logical relationship between the plurality of rule elements,
The history storage program generation means records the execution history in response to detection of the execution of the method relating to the rule element, and whether or not the requirements stipulated in the rule element are satisfied based on the history And generating the history recording program for recording the determination result,
The context according to appendix 6, wherein the rule verification program generation unit generates the verification program by applying the determination result to the logical relationship and determining whether a call to the method by the program satisfies the rule information. Violation detection support device.
(Appendix 8)
The rule element specifies that in the c method, if the b method is executed, the a method must be executed before the b method is executed.
The history storage program generation unit records that the a method is not called in response to detection of execution of the c method, records that the a method has been executed in response to detection of execution of the a method, and b In response to detecting the execution of the method, it is determined whether or not the requirement defined in the rule element is satisfied based on whether or not the method a is executed, and the history recording program for recording the determination result is generated. The context violation detection support apparatus according to appendix 7.
(Appendix 9)
The rule element specifies that in the f method, if the e method is executed, the d method must be executed after the execution of the e method.
The history storage program generation unit records that the requirement defined in the rule element is satisfied according to the detection of the execution of the f method, and the requirement is satisfied according to the detection of the execution of the e method. The context violation detection support device according to appendix 7, wherein the history recording program is recorded to record that the requirement is satisfied in response to detection of execution of the d method.
(Appendix 10)
The rule element specifies that the g method must be executed within the h method,
The history storage program generation unit records that the requirement defined in the rule element is not satisfied in response to detection of execution of the h method, and the requirement is satisfied in response to detection of execution of the g method. The context violation detection support device according to appendix 7, which generates the history recording program for recording the fact that there is an event.
(Appendix 11)
A rule analysis procedure for reading out and analyzing contextual rule information on a set of methods stored in the storage means from the storage means;
A history storage program generating procedure for generating a history recording program for recording a history of the execution in response to detection of execution of the method related to the rule information by a program using the set of methods;
Context violation detection for causing a computer to execute a rule verification program generation procedure for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information Support program.
(Appendix 12)
The rule information includes rule elements that define requirements for calling the method or requirements for the calling order of the methods, and a logical relationship between the plurality of rule elements,
The history storage program generation procedure records the execution history in response to detection of the execution of the method relating to the rule element, and whether or not the requirements stipulated in the rule element are satisfied based on the history And generating the history recording program for recording the determination result,
The context according to appendix 11, wherein the rule verification program generation procedure generates the verification program by applying the determination result to the logical relationship and determining whether a call to the method by the program satisfies the rule information. Violation detection support program.
(Appendix 13)
The rule element specifies that in the c method, if the b method is executed, the a method must be executed before the b method is executed.
The history storage program generation procedure records that the a method has not been called in response to detection of execution of the c method, records that the a method has been executed in response to detection of execution of the a method, and b In response to detecting the execution of the method, it is determined whether or not the requirement defined in the rule element is satisfied based on whether or not the method a is executed, and the history recording program for recording the determination result is generated. The context violation detection support program according to attachment 12.
(Appendix 14)
The rule element specifies that in the f method, if the e method is executed, the d method must be executed after the execution of the e method.
The history storage program generation procedure records that the requirement specified in the rule element is satisfied according to the detection of the execution of the f method, and the requirement is satisfied according to the detection of the execution of the e method. 13. The context violation detection support program according to appendix 12, wherein the history recording program is recorded to record that the requirement is satisfied in response to detection of execution of the d method.
(Appendix 15)
The rule element specifies that the g method must be executed within the h method,
The history storage program generation procedure records that the requirement defined in the rule element is not satisfied according to the detection of execution of the h method, and the requirement is satisfied according to detection of the execution of the g method. 13. The context violation detection support program according to appendix 12, which generates the history recording program for recording the presence of information.

DESCRIPTION OF SYMBOLS 10 Context violation detection support apparatus 11 Rule description storage part 12 Rule analysis part 13 Program generation part 14 and model data storage part 100 Drive apparatus 101 Recording medium 102 Auxiliary storage apparatus 103 Memory apparatus 104 CPU
105 Interface Device 106 Display Device 107 Input Device 131 History Recording Program Generation Unit 132 Rule Verification Program Generation Unit B Bus Pr History Recording Program Pc Rule Verification Program

Claims (7)

A rule analysis procedure for reading out and analyzing contextual rule information on a set of methods stored in the storage means from the storage means;
A history storage program generating procedure for generating a history recording program for recording a history of the execution in response to detection of execution of the method related to the rule information by a program using the set of methods;
Context violation detection in which a computer executes a rule verification program generation procedure for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information Support method. The rule information includes rule elements that define requirements for calling the method or requirements for the calling order of the methods, and a logical relationship between the plurality of rule elements,
The history storage program generation procedure records the execution history in response to detection of the execution of the method relating to the rule element, and whether or not the requirements stipulated in the rule element are satisfied based on the history And generating the history recording program for recording the determination result,
The rule verification program generation procedure generates the verification program by applying the determination result to the logical relationship and determining whether a call to the method by the program satisfies the rule information. Context violation detection support method. The rule element specifies that in the c method, if the b method is executed, the a method must be executed before the b method is executed.
The history storage program generation procedure records that the a method has not been called in response to detection of execution of the c method, records that the a method has been executed in response to detection of execution of the a method, and b In response to detecting the execution of the method, it is determined whether or not the requirement defined in the rule element is satisfied based on whether or not the method a is executed, and the history recording program for recording the determination result is generated. The context violation detection support method according to claim 2. The rule element specifies that in the f method, if the e method is executed, the d method must be executed after the execution of the e method.
The history storage program generation procedure records that the requirement specified in the rule element is satisfied according to the detection of the execution of the f method, and the requirement is satisfied according to the detection of the execution of the e method. 3. The context violation detection support method according to claim 2, wherein the history recording program is recorded to record that the requirement is satisfied in response to detection of execution of the d method. The rule element specifies that the g method must be executed within the h method,
The history storage program generation procedure records that the requirement defined in the rule element is not satisfied according to the detection of execution of the h method, and the requirement is satisfied according to detection of the execution of the g method. The context violation detection support method according to claim 2, wherein the history recording program for recording the fact is recorded. Rule analysis means for reading out and analyzing contextual rule information about a set of methods stored in the storage means from the storage means;
A history storage program generating means for generating a history recording program for recording a history of the execution in response to detection of the execution of the method related to the rule information by a program using the method set;
A context violation detection support apparatus comprising rule verification program generation means for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information. A rule analysis procedure for reading out and analyzing contextual rule information on a set of methods stored in the storage means from the storage means;
A history storage program generating procedure for generating a history recording program for recording a history of the execution in response to detection of execution of the method related to the rule information by a program using the set of methods;
Context violation detection for causing a computer to execute a rule verification program generation procedure for generating a verification program for checking whether or not use of the method by the program satisfies the rule information by comparing the history with the rule information Support program.

Images