KR102514805B1 - An accelerating system for javascript static analysis via dynamic executions - Google Patents

Abstract

A JavaScript static analysis acceleration system utilizing an optimized executor is disclosed. A static analysis method using dynamic executions performed by an analysis acceleration system according to an embodiment includes converting an area to be analyzed through dynamic executions during static analysis based on an initial analysis result of an input program to be analyzed. step; and performing analysis on the converted region using the dynamic executor.

Description

JavaScript static analysis acceleration system using optimized executor {AN ACCELERATING SYSTEM FOR JAVASCRIPT STATIC ANALYSIS VIA DYNAMIC EXECUTIONS}

The description below relates to static analysis techniques.

As software is widely used in medical devices, autonomous driving, and disaster prevention systems, the severity of problems caused by software defects is becoming more serious. Static program analysis is a technique that rigorously checks in advance whether the written software will run without errors. Static analysis technology can be used to detect software defects and security vulnerabilities, helping to develop safe software. Static analysis is an essential tool for software development by guaranteeing two properties: safety (property of detecting bugs without missing them) and finality (analysis completes within a finite time) based on a solid theoretical basis of abstract interpretation. Be in the spotlight.

However, it is difficult to actually apply static analysis technology to programs implemented in JavaScript, such as websites, web applications, and IoT software, due to the dynamic nature of the JavaScript language. In particular, there is a problem in that the amount of calculation required for static analysis is greatly inflated due to inaccuracies caused by the dynamic nature of language, and the analysis time is too long. These problems are considered a major barrier to applying the technology to large and complex industrial software.

It is possible to provide an analysis acceleration method and system that can dramatically reduce the analysis time of the JavaScript static analyzer.

It is possible to provide a method and system for flexibly switching between abstraction execution and materialization execution during static analysis by utilizing an optimized and fast dynamic executor.

A static analysis method using dynamic executors performed by an analysis acceleration system includes: converting an area to be analyzed through dynamic executors during static analysis based on an initial analysis result of an input program to be analyzed; and performing analysis on the converted region using the dynamic executor.

The transforming step may include converting a current abstraction state of an input program into a shield state corresponding to the current abstract state by performing static analysis, and shield execution obtained by performing shield execution on a dynamic executor in the converted shield state. A step of converting the result into an abstract state corresponding to the result may be included.

The converting step may include defining a shield execution using a shield domain and a materialization map, defining a binding domain of an existing abstraction domain and a shield domain to combine an abstraction execution and a shield execution, and using the defined combining domain. It may include constructing an abstraction state.

The converting may include converting into a shield domain corresponding to an existing abstraction domain by using a plurality of converters for converting between different types of analysis elements; Alternatively, converting to an existing abstraction domain corresponding to the converted shield domain may be included.

The performing step may include performing shield execution including a shield domain using a dynamic executor based on a time limit set in relation to static analysis of a plurality of converters, and if the time limit is exceeded while performing the shield execution. If so, it may include performing an abstraction implementation.

The performing includes performing shield execution including a shield domain on the converted domain using the dynamic executor, and the converting includes abstraction execution as the performed shield execution ends. It may include converting into an area for.

The performing of the analysis may include obtaining an interim analysis result through static analysis using abstraction execution using abstraction semantics or concrete execution using concrete semantics based on the transformed domain, and the obtained interim analysis result is set in advance. A step of determining whether a fixed point has been reached may be included.

In the performing of the analysis, when the obtained interim analysis result reaches a preset fixed point, the obtained interim analysis result is derived as a final analysis result, and the obtained interim analysis result reaches a preset fixed point. If not reached, a step of converting a region to be analyzed through a dynamic executor during the static analysis may be included.

The analysis acceleration system includes at least one processor configured to execute computer readable instructions contained in memory, the at least one processor generating a dynamic executor during static analysis based on an initial analysis result of an input program to be analyzed. A region to be analyzed may be converted through the above process, and analysis may be performed on the converted region using the dynamic executor.

The at least one processor converts a current abstraction state of an input program into a shield state corresponding to the current abstract state as a result of static analysis, and performs shield execution on a dynamic executor in the converted shield state. It can be converted into an abstract state corresponding to the execution result.

The at least one processor defines a shield execution using a shield domain and a materialization map, defines a binding domain of the abstraction domain and the shield domain to combine the abstraction execution with the shield execution, and uses the defined combining domain to You can compose an abstraction state.

The at least one processor converts into a shield domain corresponding to the existing abstraction domain using a plurality of converters for converting between different types of analysis elements, or converts into an existing abstraction domain corresponding to the converted shield domain. can

The at least one processor performs shield execution including a shield domain using a dynamic executor based on a time limit set in relation to static analysis of a plurality of converters, and the limited time exceeds during the shield execution. If you do, you can perform an abstraction implementation.

The at least one processor may perform shield execution including a shield domain on the converted domain using the dynamic executor, and may convert the converted domain into an domain for abstraction execution as the shield execution is terminated.

The at least one processor obtains an intermediate analysis result through static analysis using abstraction execution using abstract semantics or concrete execution using concrete semantics based on the transformed domain, and the obtained intermediate analysis result is preset fixed. It is determined whether a point has been reached, and when the obtained interim analysis result reaches a preset fixed point, the obtained interim analysis result is derived as a final analysis result, and the obtained interim analysis result is a preset fixed point. If it is not reached, the area to be analyzed may be converted through a dynamic executor during the static analysis.

It can be applied to software quality management, defect detection, and security vulnerability detection of JavaScript programs.

When performing static analysis on an input program, it is possible to reduce analysis time and improve the accuracy of static analysis results by searching for parts that can actually be executed in a dynamic executor.

Highly optimized dynamic executor (commercial JavaScript engine) can be used to improve analysis performance and precision and reduce modeling work for opaque code.

1 is a flowchart for explaining a static analysis operation.
2 is a flowchart illustrating a static analysis operation using a dynamic executor in an analysis acceleration system according to an embodiment.
3 is another flowchart illustrating a static analysis operation using a dynamic executor in an analysis acceleration system according to an embodiment.
4 is a block diagram illustrating a configuration of an analysis acceleration system according to an exemplary embodiment.
5 is a diagram for explaining an abstract value according to an embodiment.
6 is an example for explaining abstraction execution using a binding domain, according to an embodiment.

Hereinafter, an embodiment will be described in detail with reference to the accompanying drawings.

1 is a flowchart for explaining a static analysis operation.

An input program to be analyzed may be received (110). An initial analysis result of the received input program may be generated (120). At this time, an abstract transfer function using abstract semantics may be performed on the current analysis result (130). An intermediate analysis result may be obtained through abstraction execution (140). Analysis results can be updated while executing step by step through abstraction execution. As the analysis result reaches a fixed point where there is no change from the analysis result of the previous step, the analysis is terminated, and a final analysis result may be derived (150, 160).

In this static analysis, all parts of the program are analyzed through abstraction execution. At this time, it is difficult to reduce the execution time because it is very difficult to optimize the abstraction execution.

In the embodiment, a static analysis operation capable of utilizing the high performance of dynamic analysis using a dynamic executor will be described. While ensuring the safety of static analysis, it can improve the analysis speed and at the same time increase the accuracy of the analysis results.

2 is a flowchart illustrating a static analysis operation using a dynamic executor in an analysis acceleration system according to an embodiment.

In an embodiment, a method and system for flexibly switching between abstract execution and concrete execution during static analysis through a dynamic executor may be provided. In detail, switching between abstraction execution and materialization execution through a dynamic executor during static analysis of JavaScript will be described as an example. During static analysis, you can use a dynamic executor that 1) transforms the current abstraction state into a shielded state, 2) performs a shield execution on the transformed shielded state, and 3) transforms into an abstraction state corresponding to the result of the performed shield execution. there is.

In other words, if you don't use abstract values, you want to take advantage of fast instantiation of specific program parts while maintaining sanity. For example, static analysis of the following JavaScript code can be considered.

Since y stores the string "p", y + 1 evaluates to the string "p1" and x = obj[y + 1] assigns the abstract value of v stored in obj.p1 to the variable x. Even if obj contains the abstract value v, the third line does not "use" the value of v, but only "passes" the variable x, so the code can perform materialized execution. Based on this, a shield execution method, which is a concrete execution using a shield value, will be described. A shield value is a symbol that represents an abstract value in a shielded execution, and represents the termination of a dynamic executor when a shielded execution tries to access an abstract value.

The analysis acceleration system may receive an input program to be analyzed (110). The analysis acceleration system may obtain an initial analysis result of the received input program (220). The analysis acceleration system may determine whether to run in the engine (dynamic executor) based on the initial analysis results ( 230 ). In other words, the analysis acceleration system can determine whether or not to guarantee termination upon shield execution. The analysis acceleration system can perform static analysis by detecting parts that can be analyzed by an optimized engine (dynamic executor) during static analysis of a program and by making the engine analyze as many parts as possible.

The analysis acceleration system may perform static analysis using the JavaScript engine according to the decision to execute in the engine, and may perform static analysis through abstract execution according to the determination not to execute in the engine (232, 234).

In detail, the analysis acceleration system may convert the abstraction execution into an area for shield execution as it is determined that termination is guaranteed upon shield execution (231). The analysis acceleration system may perform shield execution through the dynamic executor on the transformed region (232). The analysis acceleration system may convert the shield execution performed through the dynamic executor into an area for abstract execution (233). The analysis acceleration system may perform static analysis through the abstraction execution based on the area for the transformed abstraction execution.

The analysis acceleration system may perform an abstraction execution as it determines that the shield execution does not guarantee termination (234). The analysis acceleration system can perform static analysis through abstraction execution being performed.

The analysis acceleration system may obtain interim analysis results by performing static analysis (240). The analysis acceleration system ends the analysis when the analysis result reaches a fixed point where there is no change from the analysis result of the previous step, and the final analysis result may be derived (250, 260). In this case, the analysis acceleration system may convert the analysis result into an expression that can be executed by the engine, and may perform an operation combining the intermediate analysis result and the like.

3 is another flowchart illustrating a static analysis operation using a dynamic executor in an analysis acceleration system according to an embodiment.

The analysis acceleration system may receive an input program to be analyzed (110). The analysis acceleration system may obtain an initial analysis result of the received input program (220). In this case, the initial analysis result may mean an initial analysis state and may be obtained through a separate analysis. The analysis acceleration system may determine that termination is not guaranteed upon shield execution (310).

As the analysis acceleration system determines that termination is not guaranteed during shield execution, it may convert the abstraction execution into an area for shield execution (320). The analysis acceleration system may perform shield execution through the dynamic executor on the transformed region (330). The analysis acceleration system may perform a shield run including a shield domain using a dynamic executor based on a set time limit associated with static analysis of a plurality of converters.

The analysis acceleration system may determine whether a time limit is exceeded while performing the shield run (340). The analysis acceleration system may perform an abstraction execution if the time limit is exceeded (350). The analysis acceleration system can perform static analysis through abstraction execution being performed. The analysis acceleration system may obtain interim analysis results by performing static analysis (240).

Also, if the time limit is not exceeded, the analysis acceleration system may convert the shield execution performed through the dynamic executor into an area for abstract execution (360). The analysis acceleration system may perform static analysis through the abstraction execution based on the area for the transformed abstraction execution. The analysis acceleration system may obtain interim analysis results by performing static analysis (240).

The analysis acceleration system ends the analysis when the analysis result reaches a fixed point where there is no change from the analysis result of the previous step, and the final analysis result may be derived (250, 260). In this case, the analysis acceleration system may convert the analysis result into an expression that can be executed by the engine, and may perform an operation combining the intermediate analysis result and the like.

4 is a block diagram illustrating a configuration of an analysis acceleration system according to an exemplary embodiment. The analysis acceleration system 100 may perform an operation of flexibly switching between abstract execution and concrete execution during static analysis by utilizing a dynamic executor. The analysis acceleration system may include a memory 410 and a processor 420 .

Memory 410 may comprise both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. and stores instructions or data related to at least one other component of the analysis acceleration system 100.

Processor 420 may include one or more of a central processing unit, an application processor, or a communication processor. For example, the processor 420 may execute calculations or data processing related to control and/or communication of at least one other component of the analysis acceleration system 100 .

5 is a diagram for explaining an abstract value according to an embodiment.

The analysis acceleration system can define shield executions using shield domains and instantiation maps for dynamic executors. In order to combine sensitive abstraction implementations with shield implementations, a binding domain of sensitive abstraction domains and shield domains can be defined. The integrity and finality of abstraction implementations can be demonstrated using binding domains.

으로 정의할 수 있다. 프로그램은

의 초기 상태에서 시작하며, 전이 관계

는 상태가 다른 상태로 변환되는 방법을 설명한다. 수집된 의미론

는 프로그램 P의 초기 상태부터 도달 가능한 상태로 구성될 수 있다. 전이 함수

를 사용하여 다음과 같이 계산할 수 있다.Program P State Transition System

can be defined as program is

Starting from the initial state of , the transition relation

describes how a state is transformed into another state. collected semantics

can be configured as a state reachable from the initial state of program P. transfer function

can be used to calculate:

는

,

,

를 조인(join)(

), 미트(meet)(

), 파티셜 오더(partial order)(

) 연산자로 사용하는 완전한 격자이다. 상태 셋은 초기 상태

을 나타낸다. Here, the reification domain

Is

,

,

to join(

), meet(

), partial order (

) is a complete lattice used as an operator. state three is the initial state

indicates

는 전이 관계:

를 사용하여 상태를 변환할 수 있다. 예를 들면, 도 5의 코드는 변수 x의 절대값을 부정을 계산하는 간단한 프로그램이다. 상태는

에 저장된 레이블과 정수의 쌍이다. 초기 상태를

으로 가정하면 프로그램이 값이 -42인 변수 x로

에서 시작함을 나타낸다. 그런 다음 다음과 같은 추적이 실행될 수 있다. Stage 1 Execution Steps:

is the transitive relationship:

can be used to transform the state. For example, the code in Figure 5 is a simple program that computes the negation of the absolute value of the variable x. status is

A pair of labels and integers stored in . the initial state

Assuming that the program returns the variable x with value -42

indicates that it starts at A trace like the following could then be run:

)로 근접하게 하여 다음과 같이 무한 반복을 통해 추상화 의미론

을 획득할 수 있다. The abstraction implementation converts the transfer function F to the abstraction transfer function (

), and abstraction semantics through infinite repetition as follows

can be obtained.

를 구체화 함수

와 추상화 함수

로 된 구체화 도메인

와 추상화 도메인

간의 갈로이스(Galois) 연결로 정의할 수 있다. 초기 추상화 상태

는 초기 상태 셋의 추상화

를 나타낸다. 추상화 전이 함수(

)는 추상화 1단계 실행 단계

를 가지는

로 정의될 수 있다. 건전한 상태 추상화를 위해서는 조인 연산자와 추상화 1단계 실행이 다음 조건을 충족해야 한다. state abstraction

materialize function

and abstract function

reification domain in

and abstraction domain

It can be defined as a Galois connection between initial abstraction state

is an abstraction of the set of initial states

indicates Abstraction transition function (

) is the abstraction level 1 execution phase

having

can be defined as For a healthy state abstraction, the join operator and execution of the first level of the abstraction must satisfy the following conditions:

이다. -는 음의 정수, +는 양의 정수, 0은 제로(zero)를 나타낸다. 추상화 도메인과 초기 추상화 상태

를 사용하여 도 5의 코드를 분석할 수 있다. 그러면, x가 x=-x를 실행하여 양의 값을 가질 수 있지만, 프로그램에서 x가 0이 되는 방법이 없기 때문에 분석 결과는 {-,+}가 된다. A simple abstraction domain is a set operator as a domain operator.

am. - indicates a negative integer, + indicates a positive integer, and 0 indicates zero. Abstraction Domains and Initial Abstraction States

The code of FIG. 5 can be analyzed using Then, x can have a positive value by executing x=-x, but since there is no way for x to become 0 in the program, the analysis result is {-,+}.

은 정적 분석 중 도달 가능한 상태에 대한 다중 시점을 제공하는 뷰 추상화(view abstraction)

로 정의될 수 있다. 제한된 수의 뷰

가 상태

셋에 매핑될 수 있다. 각 뷰

는 상태 셋

을 나타내고, 각 상태는 고유의 뷰

를 포함한다(

). 민감도 상태 추상화

는 다음과 같은 구체화 함수를 따르는 구체화 도메인

와 추상화 도메인

사이의 갈로이스 연결이다. Abstraction practices are often defined as analytical sensitivity to increase the precision of static analysis. sensitive abstraction domain

is a view abstraction that provides multiple views into reachable states during static analysis.

can be defined as limited number of views

fall state

can be mapped to a set. each view

is state three

, where each state is a unique view

contains (

). Sensitivity state abstraction

is a reification domain that obeys the reification function

and abstraction domain

is the Galois connection between

:

는 다음과 같이 정의될 수 있다. Abstraction 1 Step Execution Step with Analytical Sensitivity Here

:

can be defined as:

는 뷰

에서 다른 뷰

로의 뷰 전환에 대한 추상화 의미이다. 분석 건전성을 위해 다음과 같은 조건을 만족해야 한다. here,

is the view

another view from

It is an abstract semantics for view transition to . For analytical integrity, the following conditions must be satisfied:

로 정의된 흐름 민감도이다. 여기서,

이다. One of the most widely used analytics sensitivities is the flow-sensitive view abstraction.

is the flow sensitivity defined by here,

am.

로 흐름 민감도를 적용한 분석 결과는 다음과 같이 나타낼 수 있다. In the example above, the initial abstraction state

The analysis result applying the flow sensitivity as , can be expressed as follows.

를 실행 실드 상태에서 실드 전이 관계

로 확장함으로써 실드 실행이 정의될 수 있다. 상세하게는, 구체화 상태

를 실드 값

으로 값

를 확장함으로써 구체화 상태

를 실드 상태

로 확장할 수 있다. 실드 전이 관계

도 정의될 수 있다.

가 다른 실드 상태로 다른 실드 전이를 가지지 않을 때

의 k반복에 대하여 표기법

을 사용하고

라고 쓴다. 다음과 같이 실드 실행의 유효성을 정의할 수 있다. transitive relationship

The shield transition relationship in the shield state

Shield execution can be defined by extending Specifically, the materialization state

to the shield value

value as

materialize state by expanding

shield state

can be extended to shield transition relationship

can also be defined.

does not have another shield transition to a different shield state

notation for k iterations of

is using

write You can define the validity of shield execution as follows:

,

에 대해 다음 조건이 충족될 때 유효하다. The shield transition relation is the shield state

,

is valid when the following conditions are met:

은 실드 값에서 구체화 값까지의 인스턴스화 맵을 나타내며,

은 인스턴스화 맵

을 사용하여 실드 상태

에서 각 실드 값

을 해당 값

으로 대체하여 생성된 상태를 나타낸다. here,

denotes the instantiation map from the shield value to the materialized value,

is the instantiation map

Shield state using

Each shield value in

to that value

to indicate the created state.

Sealed execution differs from traditional symbolic execution in that it supports only shield values instead of symbolic expressions and path constraints. For example, the following trace shows the traditional symbolic implementation for the implementation example of FIG.

을

에서 변수 x에 할당한다. 조건부 분기의 경우, 각각 참 및 거짓 분기의 경로 조건

과

이 다른 두 개의 기호 상태를 생성한다. x=x, x=-x 명령문을 실행한 후, 변수 x는 각각

에서 기호 표현식

,

를 저장할 수 있다. 단, 실드 실행은 다음과 같이

에서 정지될 수 있다. distant, symbolic value

second

assign to the variable x. For conditional branches, path conditions for true and false branches respectively

class

creates two other symbolic states. After executing the statements x=x, x=-x, the variable x is respectively

symbolic expression in

,

can be saved. However, the shield execution is as follows

can be stopped at

의 실제 값이 필요하기 때문이다. 실드 상태를 포함하는 추상화 도메인을 정의하기 위하여 실드 값에서 추상값으로 실체화 맵

을 정의할 수 있다. 구체화 함수

는 구체화 함수

로 정의하며 다음과 같은 값을 가질 수 있다.Shield value in quarter

because we need the actual value of A realization map from shield values to abstract values to define abstraction domains that contain shield states.

can define reification function

is the materialization function

and can have the following values.

의 실체화 맵

은 다음과 같이 정의될 수 있다. given shield state

materialized map of

can be defined as:

)은 다음과 같이 구체화 함수

와 실드 1단계 실행 단계(

)로 정의될 수 있다.shield domain (

) is the materialization function as

and shield stage 1 execution stage (

) can be defined as

Combining domains of designated critical abstraction domains can be defined as shield domains and first-level implementations.

이며, 구체화 함수

및 조인 연산자는 다음과 같이 정의될 수 있다.binding domain

is a reification function

and the join operator can be defined as:

By introducing an element of analysis before defining the first-level implementation for the binding domain, different types of abstraction states can be easily constructed in the sensitive and shield domains.

는 민감한 추상화 도메인

에서 추상화 상태와 뷰의 쌍, 실드 도메인

에서 실드 상태와 실체화 맵의 쌍 중 어느 하나이다. 구체화 함수

는 다음과 같이 정의될 수 있다.analysis element

is a sensitive abstraction domain

pair of abstraction state and view in shield domain

is one of a pair of shield state and materialization map in . reification function

can be defined as:

Also, two converters can be defined to freely convert between different types of analysis elements.

는 전체인 반면, 다른 하나인

는 부분이다. 따라서, 컨버터

가

로 정의되어 있는 경우에만 민감한 추상화 도메인의 분석 요소

를 실드 도메인의 다른 분석 요소로 변환할 수 있다. 또한, 모든

에 대한 정보 손실없이 주어진 분석 요소를 변환해야 한다.converter

is the whole, while the other

is part. Thus, the converter

go

An analysis element in an abstraction domain that is sensitive only if it is defined as

can be converted into other analysis elements in the shield domain. Also, all

Transform a given element of analysis without loss of information about .

와

를 가지는 결합 1단계 실행

을 정의한다. 새로운 실드 실행이 시작되거나 기존 실행이 중지될 경우 분석 요소를 변환하는 리폼(reform) 단계, 실행 단계는 민감한 추상화 도메인에서 추상화 1단계 실행 단계와 실드 도메인에서 실드 1단계 실행을 사용하여 각 분석 요소의 실행을 수행하는 실행 단계로 구성될 수 있다.Two converters combined

and

Combining step 1 execution with

define When a new shield run is started or an existing run is stopped, the reform phase transforms the analytic element. The run phase uses an abstraction phase 1 run phase in the sensitive abstraction domain and a shield phase 1 run in the shield domain to determine the performance of each analytic element. It can consist of execution steps that perform execution.

는 다음과 같이 정의될 수 있다.Running step 1 of combining

can be defined as:

이다. here,

am.

에서 새로운 실드 실행이 시작되거나 기존의 실드 실행이 종료되는 경우 분석 요소를 만들어 변환한다. 특히, 민감한 추상화 도메인의 분석 요소

에 대해 컨버터

가 정의되어 있다면, 리폼은 실드 도메인에 해당하는 분석 요소

로 변환하여 새로운 실드 실행을 도입할 수 있다. 반면에, 실드 도메인에 있는 분석 요소

일 경우,

로 변환될 실드 상태가 없으면

에 대한 실드 실행이 종료된다. 중요한 추상화 도메인에서 분석 요소를 해당하는 분석 요소

로 변환하고

와 함께

에 저장된 현재 추상화 상태로 병합할 수 있다.The reform function is given a combined state

When a new shield run is started or an existing shield run is terminated, an analysis element is created and converted. In particular, the analytic elements of sensitive abstraction domains

About converter

is defined, the reform is an analysis element corresponding to the shield domain.

to introduce a new shield implementation. On the other hand, analysis elements in the shield domain

In case of

If there is no shield state to be converted to

The shield execution for is terminated. Analytical Elements Corresponding Analytical Elements in Critical Abstraction Domains

convert to

with

can be merged into the current abstraction state stored in

함수를 정의할 수 있다.To formally define the reform function, we first use two converters to

functions can be defined.

는 다음과 같이 정의될 수 있다.Reform functions for analytic elements

can be defined as:

는 다음과 같이 정의될 수 있다. Reform function:

can be defined as:

이고, 점 표기법

는 함수

의 요소별 확장 함수를 나타낸다. here,

, and dot notation

is a function

represents the element-wise expansion function of .

Shows an example of an abstraction implementation with binding domains. Figure 6 shows the analysis flow for the implementation example of Figure 5 with three sets of initial values for the variable x. It uses abstraction domains (-, 0, +) for integers stored in X, and uses flow sensitivity that utilizes state labels as views. For brevity, we can use abstract-value linkage so that -0 represents the set {-, 0}.

과 추상화 상태

의 쌍인 분석 요소를 나타낸다. 꺽쇠괄호로 묶인 쌍은 추상화 인스턴스화 맵

과 실드 상태

의 쌍인 분석 요소를 나타낸다. 실제로 그래프에서 각 쌍의 실드 상태 부분(오른쪽)에는 레이블이 없는 x 변수값만 포함된다. 간결성을 위해 레이블이 있는 노드 옆에 배치하여 레이블을 나타낸다. 실선은 레이블

에서 다른 레이블

로의 뷰 전이(

)이다. 점선은 실드 전이

이다. 레이블이 원으로 표시된 3개의 실선은 두 개의 컨버터

및 조인 연산자를 나타낸다.6(a) shows the notation used in each graph. solid box labels

and abstraction state

Represents an analysis element that is a pair of . Pairs enclosed in angle brackets are abstraction instantiation maps.

and shield state

Represents an analysis element that is a pair of . In fact, the shield state portion of each pair in the graph (right) contains only unlabeled values of the x variable. For brevity, you indicate the label by placing it next to the labeled node. The solid line is the label

different labels from

view transition to (

)am. Dotted line is shield transition

am. The three solid lines labeled with circles represent the two converters.

and a join operator.

는

을 레이블로 하여 분석 요소

를

로 변환한다. 값은 단일값만 나타내기 때문에 실드 값은 포함되지 않는다. 프로그램이 끝날 때까지

으로부터 실드 실행이 성공적으로 계속된다. 실드 상태

에 대해 더 이상 실드 전환이 불가능하므로 컨버터

를 통해

으로 변환된다.Figure 6 (b) shows the analysis using the binding domain when the initial value x is 0. First, the converter in the reforming stage

Is

as the label for the analysis element

cast

convert to Shield values are not included because the value only represents a single value. until the end of the program

The shield execution from continues successfully. shield state

Since shield conversion is no longer possible for

Through the

is converted to

의 초기 추상값은 +이며, 다음 프로그램 명령문은 분기 조건

에 대해 변수 x에 저장된 실제 값을 요구하기 때문에 실드값으로 변환할 수 없다. 따라서, 추상값 +에 대해 레이블

에서 다른 레이블

로 뷰 전이

를 수행한 결과도 +이다. 레이블

를 사용하여 분석 요소

를

으로 변환할 수 있다. 다음 문장은 x=-x이고 음의 연산자는 실제 값 x를 필요로 하므로, 실드 실행 단계는 레이블

에서 종료된다. 컨버터

를 통해

로 변환되고 뷰 전이가 수행되며

결과가 도출될 수 있다.Instead of a single value, let's assume that the initial value of x is one of the positive integers. Figure 6(c) explains the analysis flow of the case. label

The initial abstract value of is +, and the following program statement is a branch condition

Since it requires the actual value stored in the variable x for , it cannot be converted to a shield value. Thus, for the abstract value +, the label

different labels from

low view transition

The result of executing is also +. label

Analysis element using

cast

can be converted to Since the following statement x=-x and the negative operator needs the real value x, the shield execution step is

ends in converter

Through the

and view transition is performed,

results can be drawn.

의 잘못된 분기에 도달하는 동안 거짓 분기에서 문장은 x=-x이기 때문에 동적 실행기를 수행할 수 없다. 레이블

에서 두 분석 요소가 있다.

는 -로 레이블

로부터 뷰 전이에 의해 도입되고,

는 레이블

에서 시작된 실드 실행에서 레이블

과 함께 도입되었다. 두 요소 모두 실드 실행이 불가능하기 때문에 두번째 요소는

로 변환되고 조인 연산자를 통해 레이블

에서 +와 병합된다. 마지막으로, 레이블

에서 레이블

로의 뷰 전이

가 병합된 추상화 상태 0+로 수행되고 결과는 -0이다. It is assumed that all integers are possible for the initial value of the variable x described in FIG. 6(d). Unlike the previous case, the label

While reaching the wrong branch of , the statement at the false branch cannot execute the dynamic executor because x=-x. label

There are two analysis elements in

is labeled as -

is introduced by the view transition from

is the label

Labels from shield runs started at

was introduced with Since both elements cannot be shielded, the second element

, and labeled via the join operator

is merged with + in Finally, the label

label from

view transition to

is performed with merged abstraction state 0+ and the result is -0.

와 실드 전이

는 실드 실행의 시작 및 종료를 구성할 수 있다. 민간한 추상화 도메인과 실드 도메인의 결합으로 정의된 추상화 실행의 건전성과 종료를 보장하기 위해 다음의 조건이 충족되어야 한다. converter

and shield transfer

can configure the start and end of shield execution. The following conditions must be met to ensure the integrity and termination of the abstraction implementation defined by the combination of the private abstraction domain and the shield domain.

Execution of an abstraction using a dynamic executor is reasonable and can be terminated in finite time if:

는 건전하며, 민감한 추상화 도메인

은 유효한 높이를 가지며, 실드 전이

는 유효하고, 다음과 같은 < Δ가 존재한다.abstraction transition function

is a sound, sensitive abstraction domain

has an effective height, shield transition

is valid, and the following < Δ exists.

We will introduce the core language of JavaScript, and define the core language's sealed execution for dynamic executors. We will present the main design.

Program P is a labeled sequence of instructions. Instruction i is an expression assignment, object creation, function call, return instruction or branch. Reference r is a variable or property access of an object. The expression e is an operator between primitives, lambda functions, references, or other expressions.

위치에서 값으로의 유한 매핑이다. 컨텍스트

는 환경 주소에서 환경 주소의 튜플, 반환 레이블 및 왼쪽 위치로의 유한 매핑이다. 위치

은 변수 또는 객체 속성이다. 변수 위치는 환경 주소와 이름으로 구성되며, 객체 속성 위치는 객체 주소와 문자열 값으로 구성된다. 값

은 프리미티브, 주소 또는 함수값이다. 주소

는 환경 주소 또는 객체 주소이다. 함수값

은 매개변수 이름과 본문 레이블로 구성된다. 핵심 언어에서는 간결함을 위해 함수에 폐쇄 범위를 사용하므로 함수 본문에서 매개변수와 지역 변수만 액세스할 수 있다. State S consists of label L, memory M, context C, and environment address Aenv. Memory

It is a finite mapping from position to value. context

is a finite mapping from an environment address to a tuple of environment addresses, a return label, and a left position. location

is a variable or object property. A variable location consists of an environment address and a name, and an object property location consists of an object address and a string value. value

is a primitive, address or function value. address

is the environment address or object address. function value

consists of a parameter name and a body label. For brevity, the core language uses closed scopes for functions, so that only parameters and local variables are accessible from the body of the function.

와

의 두 가지의 다른 형식을 사용하는 참조와 표현의 의미론으로 정의될 수 있다. 초기 상태는

이고, 여기서,

은 초기 레이블,

는 빈 맵(empty map),

는 최상위 환경 주소를 나타낸다.The reification semantics of the core language can be formulated. The transition relationship between the materialization states is

and

can be defined as the semantics of reference and expression using two different forms of the initial state is

and, here,

is the initial label,

is an empty map,

represents the top-level environment address.

와 함께 흐름 민감도가 사용될 수 있다(

). 민감한 추상화 도메인은

로 정의될 수 있다. 추상화 상태

는 추상화 메모리, 추상화 컨텍스트, 추상화 주소 및 추상화 카운터의 튜플로서 다음과 같이 정의될 수 있다.A flow-sensitive view abstraction that uses labels in the abstraction semantics of the core language to demarcate state.

Flow sensitivity can be used with (

). A sensitive abstraction domain is

can be defined as abstraction state

is a tuple of abstraction memory, abstraction context, abstraction address, and abstraction counter, which can be defined as:

은 추상화 위치

에서 추상값

으로의 유한 매핑이다. 추상화 위치

은 변수 이름 또는 문자열 값을 가진 추상화 주소의 쌍이다. 추상화 주소

은 할당 사이트

에 따라 구체화 주소

를 지정하는 할당 사이트 추상화로 정의될 수 있다. 추상화 컨텍스트

는 추상화 주소에서 추상화 주소, 뷰 및 추상 위치의 파워셋에 대한 유한 맵이다. 정적 분석에서 추상화 카운팅을 위해 추상화 주소에서 각 추상화 주소가 할당된 카운트를 나타내는 추상화 카운트로의 매핑인 추상 카운터

를 정의한다. 0^#은 할당되지 않은 주소, 1^#은 한 번,

2^#는 두 번 이상임을 나타낸다.abstraction memory

where is the abstraction

abstract value from

is a finite mapping to location of abstraction

is a pair of abstraction addresses with variable names or string values. abstraction address

is the allocation site

Address specified according to

It can be defined as an allocation site abstraction that specifies abstraction context

is a finite map from an abstraction address to a power set of abstraction addresses, views, and abstract locations. For abstraction counting in static analysis, abstract counters, which are mappings from abstraction addresses to abstraction counts representing the count each abstraction address is assigned to.

define 0 ^# is an unassigned address, 1 ^# is once,

2 ^# indicates more than once.

으로 여러 추상화 위치의 업데이트를 나타내기 위해 표기법

을 사용한다. 추상화 위치

에 대한 추상화 주소가 싱글톤(singleton)

이면 강한 업데이트를 수행하고, 그렇지 않다면 분석 건전성을 위해 약한 업데이트를 수행할 수 있다. 다음과 같이 정의된 추상화 카운터의 증분 함수

를 사용한다.You can define the semantics of view transitions for the core language. For abstraction memory, the abstract value in L

notation to indicate the update of multiple abstraction locations with

Use location of abstraction

The abstraction address for a singleton

If so, a strong update can be performed, and if not, a weak update can be performed for analytical health. The increment function of the abstraction counter defined as

Use

으로 구체화 값

를 확장할 뿐만 아니라 추상화 카운터

를 추가하여 실드 상태를 정의할 수 있다.shield value

materialize as value

as well as extending the abstraction counter

can be added to define the shield state.

를 사용하여 상태를 보강할 수 있다.JavaScript provides open objects, so you can dynamically add or remove properties of an object. Also, because object properties are string values that can be configured at runtime, it is difficult to perform robust updates in static analysis. An abstraction counter to determine the likelihood of strong updates occurring during shield execution.

can be used to reinforce the condition.

가 이를 유지하며, 그렇지 않으면 컨버터

가 추상값을 고유 식별자로 대체하고 고유 식별자에서 추상값으로의 매핑을 유지하여 추상화 맵을 구축할 수 있다. 역컨버터

는 실체화 맵을 사용하여 고유 식별자에서 추상값을 복구할 수 있다. 다음 단계에서 실드값의 실제 값이 필요하지 않은 경우에만 실드 전이 관계

를 정의한다. 그렇지 않으면, 주어진 실드 상태를 적용할 실드 전이는 없다. 예를 들면, 다음 ret 상태에 대하여 규칙을 추가할 수 있다. For each abstract value of a given abstraction state, if the abstract value represents one concrete value, then the converter

retains it, otherwise the converter

may construct an abstraction map by replacing abstract values with unique identifiers and maintaining a mapping from unique identifiers to abstract values. reverse converter

can recover an abstract value from a unique identifier using a materialization map. The shield transition relationship only if the actual value of the shield value is not needed in the next step.

define Otherwise, there is no shield transition to apply the given shield state to. For example, you can add a rule for the next ret state.

Each rule of the reification semantics can be extended to support the behavior of the shield value.

As an example, proxy objects introduced in ECMAScript 6 (2015, ES6) can be used to represent abstract values. This allows internal operations of specific objects, such as reading and writing properties and implicit conversions, to be handled.

The dynamic analyzer can create a proxy object representing an abstract value through the following getSealedValue function when configuring the execution environment at the start of the dynamic executor.

This function can use the access detection function to create a shield value as a proxy object with handlers and dummy function objects for all 13 traps. The shield value allows you to determine whether an object is shielded by calling the detection function when one of the 13 predefined traps is triggered on the object. For example, the variable y successfully points to the same shield value stored in x, but since x+1 requires the actual value of the shield value, the program can call the detect function on line 9.

It also measures unary and binary operations to detect any access to shield values exceeding 13 traps. This allows you to successfully extend your JavaScript engine to support shield execution.

Synchronization of control points on both sides is necessary for smooth interaction between static analysis and shield execution.

Static and dynamic analyzers have their own notation for control points that are not directly compatible. The source code location of the target program can be used as a key for synchronization. Instead, the closest match of the source code location can be used to synchronize the control points of the static and dynamic analyzers.

A dynamic executor can be activated if the current abstraction state passes the filter checker. Since each analyzer is implemented in a different language, the abstract state can be expressed as follows. Communication can be done between analyzers by representing the abstract state as a JSON object and passing the JSON object through the localhost server. If the filter allows dynamic executors, the analysis may suffer from frequent communication between the static and dynamic analyzers. To balance this burden, you can enable dynamic executors on function entry and disable exit functions to support only function-level dynamic executors.

가 시간 제한 N에서 종료될 때만 분석 요소

를 전달해야 한다. 종료 속성을 정적으로 확인하는 것은 어렵기 때문에 미리 정해진 시간(예를 들면, 5초)의 제한 시간에서 실드 실행만 수행할 수 있다. 시간이 초과되면 변환 실패로 처리할 수 있다. 그렇지 않으면 실드 실행의 결과를 사용할 수 있다. Converter to ensure termination of static analysis using dynamic executor

analytic element only when ends at time limit N

should convey Since it is difficult to statically check the end attribute, only shield execution can be performed within a predetermined time limit (eg, 5 seconds). If the time is exceeded, it can be treated as a conversion failure. Otherwise, the result of the shield run can be used.

The devices described above may be implemented as hardware components, software components, and/or a combination of hardware components and software components. For example, devices and components described in the embodiments may include, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA) , a programmable logic unit (PLU), microprocessor, or any other device capable of executing and responding to instructions. A processing device may run an operating system (OS) and one or more software applications running on the operating system. A processing device may also access, store, manipulate, process, and generate data in response to execution of software. For convenience of understanding, there are cases in which one processing device is used, but those skilled in the art will understand that the processing device includes a plurality of processing elements and/or a plurality of types of processing elements. It can be seen that it can include. For example, a processing device may include a plurality of processors or a processor and a controller. Other processing configurations are also possible, such as parallel processors.

Software may include a computer program, code, instructions, or a combination of one or more of the foregoing, which configures a processing device to operate as desired or processes independently or collectively. You can command the device. Software and/or data may be any tangible machine, component, physical device, virtual equipment, computer storage medium or device, intended to be interpreted by or provide instructions or data to a processing device. can be embodied in Software may be distributed on networked computer systems and stored or executed in a distributed manner. Software and data may be stored on one or more computer readable media.

The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer readable medium. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program commands recorded on the medium may be specially designed and configured for the embodiment or may be known and usable to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical media such as CD-ROMs and DVDs, and magnetic media such as floptical disks. - includes hardware devices specially configured to store and execute program instructions, such as magneto-optical media, and ROM, RAM, flash memory, and the like. Examples of program instructions include high-level language codes that can be executed by a computer using an interpreter, as well as machine language codes such as those produced by a compiler.

As described above, although the embodiments have been described with limited examples and drawings, those skilled in the art can make various modifications and variations from the above description. For example, the described techniques may be performed in an order different from the method described, and/or components of the described system, structure, device, circuit, etc. may be combined or combined in a different form than the method described, or other components may be used. Or even if it is replaced or substituted by equivalents, appropriate results can be achieved.

Therefore, other implementations, other embodiments, and equivalents of the claims are within the scope of the following claims.

Claims (15)

In the static analysis method using dynamic executions performed by the analysis acceleration system,
converting a region to be analyzed through a dynamic executor during static analysis based on an initial analysis result of an input program to be analyzed; and
and performing analysis on the converted region using the dynamic executor. According to claim 1,
The conversion step is
As static analysis is performed, the current abstraction state of the input program is converted into a shield state corresponding to the current abstract state, and in the converted shield state, shield execution is performed on the dynamic executor, resulting in an abstraction state corresponding to the obtained shield execution result. steps to convert to
A static analysis method comprising a. According to claim 2,
The conversion step is
Defining a shield execution using a shield domain and a materialization map, defining a binding domain of an existing abstraction domain and a shield domain to combine an abstraction execution with a shield execution, and constructing an abstraction state using the defined combining domain.
A static analysis method comprising a. According to claim 3,
The conversion step is
converting into a shield domain corresponding to an existing abstraction domain by using a plurality of converters for converting between different types of analysis elements; or converting to an existing abstraction domain corresponding to the converted shield domain.
A static analysis method comprising a. According to claim 1,
The above steps are
A shield execution including a shield domain is performed using a dynamic executor based on a time limit set in relation to static analysis of a plurality of converters, and if the time limit is exceeded during the shield execution, an abstraction execution is performed. step to do
A static analysis method comprising a. According to claim 1,
The above steps are
performing a shield execution including a shield domain on the converted region using the dynamic executor;
including,
The conversion step is
Converting to an area for abstraction execution as the performed shield execution is terminated
A static analysis method comprising a. According to claim 1,
The step of performing the analysis is,
An intermediate analysis result is obtained through static analysis using abstraction execution using abstract semantics or concrete execution using concrete semantics based on the transformed domain, and it is determined whether the obtained intermediate analysis result has reached a preset fixed point. step to do
A static analysis method comprising a. According to claim 7,
The step of performing the analysis is,
When the obtained interim analysis result reaches a preset fixed point, the obtained interim analysis result is derived as a final analysis result, and when the obtained interim analysis result does not reach the preset fixed point, the static analysis result is determined. Steps to transform the area to be analyzed via the dynamic executor during analysis
A static analysis method comprising a. In the analysis acceleration system,
at least one processor configured to execute computer readable instructions contained in memory;
including,
The at least one processor,
Transforming the area to be analyzed through a dynamic executor during static analysis based on the initial analysis result of the input program to be analyzed;
Analyzing the converted area using the dynamic executor
Analysis Acceleration System. According to claim 9,
The at least one processor,
As static analysis is performed, the current abstraction state of the input program is converted into a shield state corresponding to the current abstract state, and in the converted shield state, shield execution is performed on the dynamic executor, resulting in an abstraction state corresponding to the obtained shield execution result. to convert to
Analysis acceleration system, characterized in that. According to claim 10,
The at least one processor,
Defining a shield execution using a shield domain and a materialization map, defining a binding domain of an abstraction domain and a shield domain to combine an abstraction execution and a shield execution, and constructing an abstraction state using the defined combining domain.
Analysis acceleration system, characterized in that. According to claim 11,
The at least one processor,
Conversion into a shield domain corresponding to the existing abstraction domain by using a plurality of converters for conversion between different types of analysis elements, or conversion into an existing abstraction domain corresponding to the converted shield domain
Analysis acceleration system, characterized in that. According to claim 9,
The at least one processor,
A shield execution including a shield domain is performed using a dynamic executor based on a time limit set in relation to static analysis of a plurality of converters, and if the time limit is exceeded during the shield execution, an abstraction execution is performed. doing
Analysis acceleration system, characterized in that. According to claim 9,
The at least one processor,
Performing shield execution including a shield domain on the converted area using the dynamic executor, and converting the converted area into an area for abstraction execution as the performed shield execution is terminated.
Analysis acceleration system, characterized in that. According to claim 9,
The at least one processor,
An intermediate analysis result is obtained through static analysis using abstraction execution using abstract semantics or concrete execution using concrete semantics based on the transformed domain, and it is determined whether the obtained intermediate analysis result has reached a preset fixed point. and when the obtained interim analysis result reaches a preset fixed point, the obtained interim analysis result is derived as a final analysis result, and when the obtained interim analysis result does not reach the preset fixed point, Converting the area to be analyzed through the dynamic executor during the static analysis
Analysis acceleration system, characterized in that.

Images