WO2020114347A1 - Function call relationship detection method, apparatus, device and storage medium - Google Patents


Info

Publication number: WO2020114347A1
Authority: WO, WIPO (PCT)
Application number: PCT/CN2019/122370
Prior art keywords: function, detected, detection point, call, detection
Inventors: 李丹, 裘绍翔, 王佳琦
Original Assignee: 阿里巴巴集团控股有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/75 Structural analysis for program understanding
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/44 Encoding
    • G06F8/443 Optimisation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • The invention relates to function calling, and in particular to a method, apparatus, device and storage medium for detecting function call relationships.
  • Stack traceback depends on the characteristics of the compiler and is tied to a specific platform. There are usually two methods. Taking the ARM stack traceback implemented by the Linux kernel as an example, either APCS or unwind can be selected for stack backtracking by passing -mapcs or -funwind-tables to gcc.
  • APCS (ARM Procedure Call Standard): the calling standard regulates the use of ARM registers and the pushing and popping of the stack when a function is called, so stack backtracking can be performed accurately according to the standard layout of the stack. However, under APCS the push and pop operations of each function consume more stack and occupy more registers, and Unwind avoids this problem. Unwind keeps the stack offsets of each function separately in a section, and finds the return address of the parent function on the stack by table lookup when the stack is traced back.
  • APCS and Unwind are standard methods for stack backtracking, but they cannot solve the function call problem in certain specific scenarios.
  • 1. Stack backtracking needs to be carried out step by step. For the scenario A->B->C (function A calls function B, and function B calls function C), sometimes only the calling relationship between A and C matters, yet the trace must go from C back to B and then back to A, which is relatively inefficient for multi-level or recursive calls.
  • 2. Both methods depend on the compiler. In some situations only a specific function needs to be backtraced, and it is difficult to optimize only some functions during compilation.
  • 3. Unwind determines the starting address of a function through ARM.unwind_idx. Both methods determine the parent function from the function address range in which LR falls, so ambiguity arises when call-path detection is performed for child functions within the same function, and different functions need to be handled separately.
  • 4. The Unwind method saves the start addresses of all functions in the kernel, which poses a great security risk. If APCS is configured with a symbol table, the same problem exists.
  • An object of the present invention is to provide a function call relationship detection scheme to solve at least one of the above problems.
  • A method for detecting a function call relationship, used to detect whether there is a call relationship between a function to be detected and a detection point function, including: adding a static function to the function to be detected, the static function being defined so that, when it is called, an entry including the return address of the current call and the detection point function is generated; and modifying the action of calling the function to be detected into calling the static function, so that the static function calls the function to be detected.
  • the method further includes: renaming the function to be detected to identify the function to be detected.
  • the method further includes: in response to the detection point function being called, saving a mark corresponding to the detection point function.
  • the method further includes: in response to the detection point function being returned after being called, clearing the mark corresponding to the detection point function.
  • the method further includes: adding a detection module to the function to be detected, and the detection module is configured to detect whether a call relationship exists between the function to be detected and the detection point function in response to the function to be detected being called.
  • The step of detecting whether there is a calling relationship between the function to be detected and the detection point function includes: according to the return address of the current call, searching for the detection point function in the entry corresponding to that return address; and, when the detection point function is found, checking whether there is a mark corresponding to the detection point function.
  • the method further includes: determining that there is a calling relationship between the function to be detected and the detection point function when a mark corresponding to the detection point function is detected.
  • A method for detecting a function call relationship, comprising: acquiring an entry generated during compilation, the entry including a return address and a detection point function, wherein the entry is generated when a static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function; according to the return address when the function to be detected is called, searching for the detection point function in the entry corresponding to the return address; and, based on the search result, judging whether the function to be detected has a calling relationship with the detection point function.
  • The step of determining whether the function to be detected has a calling relationship with the detection point function based on the search result includes: when the detection point function is found, detecting whether there is a mark corresponding to the detection point function; and, when a mark corresponding to the detection point function is detected, determining that there is a calling relationship between the function to be detected and the detection point function.
  • A function call relationship detection device, including: an adding module for adding a static function to the function to be detected, the static function being defined so that, when it is called, an entry including the return address of the current call and the detection point function is generated; and a call adjustment module for modifying the action of calling the function to be detected into calling the static function, so that the static function calls the function to be detected.
  • the device further includes a naming module for renaming the function to be detected to identify the function to be detected.
  • the device further includes: a saving module configured to save a mark corresponding to the detection point function in response to the detection point function being called.
  • The device further includes: a clearing module, configured to clear the mark corresponding to the detection point function in response to the detection point function returning after being called.
  • The device further includes: a detection module, configured to detect whether a calling relationship exists between the function to be detected and the detection point function in response to the function to be detected being called.
  • The detection module includes: a search module for searching, according to the return address of the current call, for the detection point function in the entry corresponding to that return address; and a check module for checking, when the detection point function is found, whether there is a mark corresponding to the detection point function.
  • the detection module determines that there is a calling relationship between the function to be detected and the detection point function.
  • A function call relationship detection device, including: an acquisition module for acquiring an entry generated during compilation, the entry including a return address and a detection point function, wherein the entry is generated when the static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function; a search module for searching, according to the return address when the function to be detected is called, for the detection point function in the entry corresponding to the return address; and a judgment module for judging, based on the search result, whether the function to be detected has a calling relationship with the detection point function.
  • When the detection point function is found, the judgment module also detects whether a mark corresponding to the detection point function is present and, when such a mark is detected, determines that there is a calling relationship between the function to be detected and the detection point function.
  • A computing device, including: a processor; and a memory on which executable code is stored, wherein when the executable code is executed by the processor, the processor is caused to execute the method mentioned in the first aspect or the second aspect of the present invention.
  • A non-transitory machine-readable storage medium on which executable code is stored, wherein when the executable code is executed by the processor of an electronic device, the processor is caused to execute the method described in the first aspect or the second aspect of the invention.
  • The invention modifies the specific function to be detected, so that when the function to be detected is called, an entry including the return address of the current call and the detection point function can be obtained, which provides an implementation basis for detecting whether there is a call relationship between the function to be detected and the detection point function. In this way, in a scenario where it is only necessary to detect whether there is a calling relationship between specific functions, the present invention only needs to modify specific functions to meet the detection requirements, without backtracking step by step to obtain all intermediate calling relationships.
  • FIG. 1 is a schematic flowchart illustrating a method for detecting a function call relationship according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart illustrating a method for detecting a function call relationship according to another embodiment of the present invention.
  • FIG. 3 is a schematic diagram illustrating a detection process according to an embodiment of the present invention.
  • FIG. 4 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to an embodiment of the present invention.
  • FIG. 5 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to another embodiment of the present invention.
  • FIG. 6 shows a schematic structural diagram of a computing device that can be used to implement the above function call relationship detection method according to an embodiment of the present invention.
  • Call path: the call path of a function is the collection of all functions in the current function stack traceback.
  • Stack backtrace: the return addresses of functions and their local variables are stored in the stack. The stack backtrace is used to determine the calling relationship and calling sequence of functions from these return addresses.
  • Function to be detected: the function whose function call relationship needs to be detected.
  • Detection point function: a function for which it needs to be detected whether there is a calling relationship with the function to be detected.
  • the invention proposes a function calling relationship detection scheme, which is used to detect whether the function to be detected has a calling relationship with the detection point function, that is, to detect whether the function to be detected is on the calling path of the detection point function.
  • The present invention modifies the function to be detected so that when the function to be detected is called, an entry including the return address of the current call and the detection point function can be obtained.
  • A static function is defined so that, when it is called, an entry including the return address of the current call and the detection point function is generated, and the action of calling the function to be detected is modified into calling the static function, so that the static function calls the function to be detected.
  • The function to be detected can thus be called by calling the static function, and in this process entries including the return address of the current call and the detection point function can be obtained.
  • The function call relationship detection scheme of the present invention can be used to detect whether a specific function has a call relationship with a detection point function at a certain return address. Compared with APCS/Unwind, it is more lightweight and relatively safer. For example, for the calling relationship A->B->C, when it is only necessary to detect whether there is a calling relationship between function A and function C, the present invention only needs to modify function C to meet the detection requirements, without having to step back and obtain all the intermediate call relationships.
  • the present invention can be used to detect the calling path of key functions (especially the key functions in the kernel).
  • Although the functions to be detected need to be processed one by one, the number of key functions in the kernel is controllable, so the present invention also has good practicality and avoids the problems caused by APCS and Unwind mentioned above.
  • FIG. 1 is a schematic flowchart illustrating a method for detecting a function call relationship according to an embodiment of the present invention.
  • In step S110, a static function is added to the function to be detected.
  • The static function is defined so that, when it is called, an entry including the return address of the current call and the detection point function is generated.
  • The return address of the current call in the entry generated when the static function is called is the return address when the function to be detected is called.
  • the checkpoint function in the entry may be the address of the checkpoint function, such as the first address of the checkpoint function.
  • In step S120, the action of calling the function to be detected is modified into calling the static function, so that the static function calls the function to be detected.
  • A function that originally called the function to be detected directly can now call it by calling the static function.
  • If the static function added to the function C to be detected is represented as E,
  • the logical calling relationship after performing step S120 is: A->B->E->C.
  • The static function can be regarded as an inline function of the function to be detected. According to the characteristics of inline functions, the actual calling relationship is still A->B->C, but the call process generates entries including the return address and the detection point function.
  • the return address in the entry generated when the static function E is called is the return address when the function C to be detected is called.
  • the present invention can also rename the function to be detected to identify the function to be detected, for example, before performing step S110, the function to be detected can be renamed.
  • the function to be detected can be renamed based on certain naming rules, which can facilitate the detection of the calling relationship of the function to be detected, such as finding all the calls of the function to be detected during compilation.
  • the mark corresponding to the detection point function may be saved in response to the detection point function being called.
  • the storage location of the mark is not limited by the present invention, for example, it can be stored in the current process stack or process structure.
  • the mark corresponding to the detection point function can be cleared so as not to affect the next detection.
  • If the detection point function is a function in the kernel, the mark can also be cleared when the system call returns.
  • The function to be detected will also be called when the detection point function is called; when the detection point function is called, a mark corresponding to the detection point function is generated,
  • and when the function to be detected is called, an entry including the return address of the current call and the detection point function is generated. Therefore, in response to the function to be detected being called, it can be detected whether the detection point function exists in the corresponding entry, and further whether a mark corresponding to the detection point function found in the entry exists, so that according to the detection result it can be judged whether there is a function call relationship between the function to be detected and the detection point function.
  • a detection module can be added to the function to be detected, and optionally, the detection module can be inserted into the function to be detected in the form of a function.
  • the detection module may be used to detect whether there is a calling relationship between the function to be detected and the detection point function in response to the function to be detected being called.
  • The detection module may search, according to the return address of the current call, for the detection point function in the entry corresponding to that return address. When the detection point function is found, it may further check whether there is a mark corresponding to the detection point function. When such a mark is detected, it can be determined that there is a calling relationship between the function to be detected and the detection point function, that is, the function to be detected is on the call path of the detection point function. It can thereby be determined that the function to be detected has a calling relationship with the detection point function at a certain return address.
  • The method shown in FIG. 1 can be executed during program compilation, that is, the calling relationship between functions can be detected during program compilation.
  • A function being called, in the present invention, refers to the compiler compiling it. For example, suppose the function C to be detected has the following calling relationship: A->B->C. When the compiler starts to compile function A, function A is considered to be called. While function A is being compiled, function B needs to be called; when function B is compiled, function B is considered to be called.
  • FIG. 2 is a schematic flowchart illustrating a method for detecting a function call relationship according to another embodiment of the present invention.
  • In step S210, an entry generated during compilation is obtained; the entry includes a return address and a detection point function.
  • The entry is generated when the static function corresponding to the function to be detected is called.
  • For the static function, refer to the related description above, which is not repeated here.
  • In step S220, according to the return address when the function to be detected is called, the detection point function is searched for in the entry corresponding to the return address.
  • In step S230, based on the search result, it is determined whether the function to be detected has a calling relationship with the detection point function.
  • Suppose function C has the following calling relationships: A->B->C and A->D->C. The purpose of detection is to check whether function C has a calling relationship with function A, so function C can be called the function to be detected and function A the detection point function.
  • The following modification operations can be performed to provide an implementation basis for subsequently judging whether the function C to be detected has a calling relationship with function A.
  • The function C can be renamed to __btf_C through a macro processing command, so that all calls to the function C can be found during compilation.
  • The renamed __btf_C is defined as:
  • The static function can be set so that each call to it generates a new entry in the system. The entry can be called __k_bttab, and its content is the return address of the current call and the detection point function (such as the address of the input detection point function).
  • the C function call in the B/D function can be modified through the macro definition as follows:
  • the call in function B is changed from C(p) to BACKTRACECALL(C, AB, p)
  • the call in function D is modified from C(p) to BACKTRACECALL(C, AD, p)
  • a mark corresponding to the function A can be added, indicating that the function A is called, and the result of the mark can be recorded in different locations, such as the current process stack or the process structure.
  • a detection function can be added to the function __btf_C.
  • the detection function can be expressed as BT_CHECK().
  • The detection function can be used, in response to the function __btf_C being called, to check whether the function __btf_C has a calling relationship with the function A. For the detection mechanism, see the description above, which is not repeated here. The specific definition of the detection function can be set according to the actual situation.
  • FIG. 3 is a schematic diagram illustrating a detection process according to an embodiment of the present invention.
  • All __k_bttab section entries generated during compilation can be obtained through the vmlinux.ld.S script, and all __k_bttab entries can then be sorted for subsequent search; for example, they can be sorted during system initialization, using the return address in each __k_bttab entry as the sort key.
  • When function A is called, a mark indicating that function A has been called (mark A) can be added to the process stack or process structure. When the call to function A returns, mark A can be cleared from the process stack or process structure in preparation for the next detection.
  • When the function __btf_C is called, the calling path can be checked by the detection function (BT_CHECK function) in the function __btf_C.
  • The specific detection operation of BT_CHECK is to look up, according to the current function return address, the detection point function corresponding to that return address in the __k_bttab table. If there is no detection point function, the detection fails. If there is one, it is further checked whether the mark of the detection point function A exists in the process stack or the process structure. If the mark exists, the stack backtracking detection is successful.
  • the present invention can produce at least the following technical effects:
  • the present invention is implemented for specific functions, and can be compiled and optimized only for key functions that need to perform stack backtracking.
  • the invention can also be implemented as a function call relationship detection device.
  • the function module of the function call relationship detection device may be implemented by hardware, software or a combination of hardware and software that implements the principles of the present invention.
  • the functional modules described in FIG. 4 can be combined or divided into sub-modules, so as to implement the principles of the above invention. Therefore, the description herein may support any possible combination, division, or further definition of the functional modules described herein.
  • FIG. 4 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to an embodiment of the present invention.
  • the function call relationship detection device 400 includes an addition module 410 and a call adjustment module 420.
  • the adding module 410 is used to add a static function to the function to be detected.
  • The static function is defined so that, when it is called, an entry including the return address of the current call and the detection point function is generated.
  • the call adjustment module 420 is used to modify the action of calling the function to be detected to call a static function, so that the static function calls the function to be detected.
  • the function call relationship detection apparatus 400 may optionally further include a naming module 430 shown by a dotted frame in the figure.
  • the naming module 430 is used to rename the function to be detected to identify the function to be detected.
  • The function call relationship detection apparatus 400 may optionally further include a saving module 440 shown by a dotted box in the figure. The saving module 440 is used to save the mark corresponding to the detection point function in response to the detection point function being called.
  • The function call relationship detection apparatus 400 may optionally further include a clearing module 450 shown by a dotted frame in the figure.
  • The clearing module 450 is used to clear the mark corresponding to the detection point function in response to the detection point function returning after being called.
  • The function call relationship detection apparatus 400 may optionally further include a detection module 460 shown by a dotted frame in the figure, which is used to detect, in response to the function to be detected being called, whether there is a calling relationship between the function to be detected and the detection point function.
  • The detection module 460 may include a search module and a check module (not shown in the figure). The search module is used to search, according to the return address of the current call, for the detection point function in the entry corresponding to that return address, and the check module is used to check, when the detection point function is found, whether there is a mark corresponding to the detection point function.
  • the detection module may determine that there is a calling relationship between the function to be detected and the detection point function.
  • FIG. 5 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to another embodiment of the present invention.
  • the function call relationship detection device 500 includes an acquisition module 510, a search module 520 and a judgment module 530.
  • The acquisition module 510 is used to obtain an entry generated during compilation. The entry includes a return address and a detection point function, wherein the entry is generated when a static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function.
  • The search module 520 is used to search for the detection point function in the entry corresponding to the return address, according to the return address when the function to be detected is called.
  • The judgment module 530 is used to judge whether the function to be detected has a calling relationship with the detection point function based on the search result.
  • When the detection point function is found, the judgment module 530 also detects whether there is a mark corresponding to the detection point function and, when such a mark is detected, determines that there is a calling relationship between the function to be detected and the detection point function.
  • FIG. 6 shows a schematic structural diagram of a computing device that can be used to implement the above function call relationship detection method according to an embodiment of the present invention.
  • the computing device 600 includes a memory 610 and a processor 620.
  • the processor 620 may be a multi-core processor or may include multiple processors.
  • the processor 620 may include a general-purpose main processor and one or more special co-processors, such as a graphics processor (GPU), a digital signal processor (DSP), and so on.
  • The processor 620 may be implemented using a customized circuit, such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).
  • the memory 610 may include various types of storage units, such as system memory, read-only memory (ROM), and permanent storage devices.
  • the ROM may store static data or instructions required by the processor 620 or other modules of the computer.
  • the permanent storage device may be a readable and writable storage device.
  • the permanent storage device may be a non-volatile storage device that does not lose stored instructions and data even after the computer is powered off.
  • The permanent storage device may be a mass storage device (e.g., magnetic or optical disk, flash memory).
  • the permanent storage device may be a removable storage device (e.g., floppy disk, optical drive).
  • the system memory can be a read-write storage device or a volatile read-write storage device, such as dynamic random access memory.
  • the system memory can store some or all instructions and data required by the processor during operation.
  • the memory 610 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory), magnetic disks, and/or optical disks may also be used.
  • the memory 610 may include readable and/or writeable removable storage devices, such as compact discs (CD), read-only digital versatile discs (eg, DVD-ROM, dual-layer DVD-ROM), Read-only Blu-ray discs, ultra-density discs, flash memory cards (such as SD cards, min SD cards, Micro-SD cards, etc.), magnetic floppy disks, etc.
  • the computer-readable storage medium does not contain carrier waves and instantaneous electronic signals transmitted through wireless or wired.
  • Executable code is stored on the memory 610.
  • When executed by the processor 620, the executable code can cause the processor 620 to execute the function call relationship detection method described above.
  • The method according to the present invention may also be implemented as a computer program or computer program product, the computer program or computer program product including computer program code instructions for performing the steps defined in the above method of the present invention.
  • The present invention may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code (or computer program, or computer instruction code) is executed by the processor of an electronic device (or computing device, server, etc.), the processor is caused to perform each step of the above method according to the present invention.
  • Each block in the flowchart or block diagram may represent a module, program segment, or part of code that contains one or more executable instructions.
  • The functions noted in the blocks may occur out of the order noted in the figures. For example, two consecutive blocks can actually be executed substantially in parallel, and sometimes they can also be executed in reverse order, depending on the functions involved.
  • Each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented with dedicated hardware-based systems that perform the specified functions or operations, or with a combination of dedicated hardware and computer instructions.

Abstract

A function call relationship detection method, apparatus, device and storage medium, which are used for detecting whether a call relationship exists between a function to be detected and a detection point function, the method comprising: adding a static function for a function to be detected, the static function being defined as generating an entry comprising a currently called return address and a detection point function when called (S110); and modifying an action for calling the function to be detected into calling the static function so as to call the function to be detected by means of the static function (S120). Thus, for a function that originally directly calls a function to be detected, the function to be detected may be called by means of calling a static function, and during the described process, an entry comprising a currently called return address and a detection point function may be obtained, thus a basis of implementation may be provided for detecting whether a call relationship exists between the function to be detected and the detection point function.

Description

Function call relationship detection method, apparatus, device and storage medium
This application claims priority to Chinese patent application No. 201811468332.7, filed on December 3, 2018 and entitled "Function call relationship detection method, apparatus, device and storage medium", the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to function calls, and in particular to a function call relationship detection method, apparatus, device and storage medium.
Background
The implementation of stack backtracing depends on compiler features and is platform-specific. There are usually two methods. Taking the ARM stack backtracing implemented in the Linux kernel as an example, passing -mapcs or -funwind-tables to gcc selects either APCS or Unwind for stack backtracing.
When APCS (ARM Procedure Call Standard) is used for ARM stack backtracing, the calling standard specifies how ARM registers are used and how values are pushed onto and popped from the stack on a function call, so the stack can be traced back accurately according to the standard. With APCS, however, the pushes and pops of each function consume a large amount of stack and occupy many registers. Unwind avoids this problem: it stores each function's stack offsets at entry separately in a dedicated section, and during backtracing finds the parent function's return address on the stack by table lookup.
APCS and Unwind are the standard ways of stack backtracing, but they do not solve the function call problem in certain scenarios. For example: 1. Stack backtracing has to proceed step by step. For A->B->C (A calls function B, and B calls function C), sometimes only the calling relationship between A and C is of interest, yet one must first trace back from C to B and then to A, which is relatively inefficient for multi-level or recursive calls. 2. Both methods depend on the compiler. In some situations only specific functions need stack backtracing, and it is difficult to optimize for just a subset of functions at compile time. 3. APCS determines a function's start address through the symbol table, and Unwind determines it through ARM.unwind_idx; both identify the parent function by the function address range in which LR falls, so child functions within the same function are ambiguous during call path detection and have to be handled separately for different functions. 4. The Unwind method keeps the start addresses of all functions in the kernel, which is a serious security risk; APCS has the same problem if a symbol table is configured.
Summary of the invention
An object of the present invention is to provide a function call relationship detection scheme that solves at least one of the above problems.
According to a first aspect of the present invention, a function call relationship detection method is provided for detecting whether a calling relationship exists between a function to be detected and a detection point function, comprising: adding a static function for the function to be detected, the static function being defined to generate, when called, an entry including the return address of the current call and the detection point function; and modifying the action of calling the function to be detected into calling the static function, so that the function to be detected is called by the static function.
Optionally, the method further includes: renaming the function to be detected in order to identify the function to be detected.
Optionally, the method further includes: in response to the detection point function being called, saving a mark corresponding to the detection point function.
Optionally, the method further includes: in response to the detection point function returning after being called, clearing the mark corresponding to the detection point function.
Optionally, the method further includes: adding a detection module to the function to be detected, the detection module being configured to detect, in response to the function to be detected being called, whether a calling relationship exists between the function to be detected and the detection point function.
Optionally, the step of detecting whether a calling relationship exists between the function to be detected and the detection point function includes: searching, according to the return address of the current call, for the detection point function in the entry corresponding to the return address of the current call; and, when the detection point function is found, checking whether a mark corresponding to the detection point function exists.
Optionally, the method further includes: when a mark corresponding to the detection point function is detected, determining that a calling relationship exists between the function to be detected and the detection point function.
According to a second aspect of the present invention, a function call relationship detection method is also provided, comprising: acquiring entries generated during compilation, each entry including a return address and a detection point function, wherein an entry is generated when the static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function; searching, according to the return address at the time the function to be detected is called, for the detection point function in the entry corresponding to that return address; and judging, based on the search result, whether the function to be detected has a calling relationship with the detection point function.
Optionally, the step of judging, based on the search result, whether the function to be detected has a calling relationship with the detection point function includes: when the detection point function is found, detecting whether a mark corresponding to the detection point function exists; and, when a mark corresponding to the detection point function is detected, determining that a calling relationship exists between the function to be detected and the detection point function.
According to a third aspect of the present invention, a function call relationship detection apparatus is also provided, comprising: an adding module for adding a static function for the function to be detected, the static function being defined to generate, when called, an entry including the return address of the current call and the detection point function; and a call adjustment module for modifying the action of calling the function to be detected into calling the static function, so that the function to be detected is called by the static function.
Optionally, the apparatus further includes: a naming module for renaming the function to be detected in order to identify the function to be detected.
Optionally, the apparatus further includes: a saving module for saving a mark corresponding to the detection point function in response to the detection point function being called.
Optionally, the apparatus further includes: a clearing module for clearing the mark corresponding to the detection point function in response to the detection point function returning after being called.
Optionally, the apparatus further includes: a detection module for detecting, in response to the function to be detected being called, whether a calling relationship exists between the function to be detected and the detection point function.
Optionally, the detection module includes: a search module for searching, according to the return address of the current call, for the detection point function in the entry corresponding to the return address of the current call; and a check module for checking, when the detection point function is found, whether a mark corresponding to the detection point function exists.
Optionally, when a mark corresponding to the detection point function is detected, the detection module determines that a calling relationship exists between the function to be detected and the detection point function.
According to a fourth aspect of the present invention, a function call relationship detection apparatus is also provided, comprising: an acquisition module for acquiring entries generated during compilation, each entry including a return address and a detection point function, wherein an entry is generated when the static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function; a search module for searching, according to the return address at the time the function to be detected is called, for the detection point function in the entry corresponding to that return address; and a judgment module for judging, based on the search result, whether the function to be detected has a calling relationship with the detection point function.
Optionally, when the detection point function is found, the judgment module also detects whether a mark corresponding to the detection point function exists and, when such a mark is detected, determines that a calling relationship exists between the function to be detected and the detection point function.
According to a fifth aspect of the present invention, a computing device is also provided, comprising: a processor; and a memory on which executable code is stored, the executable code, when executed by the processor, causing the processor to perform the method described in the first or second aspect of the present invention.
According to a sixth aspect of the present invention, a non-transitory machine-readable storage medium is also provided, on which executable code is stored, the executable code, when executed by a processor of an electronic device, causing the processor to perform the method described in the first or second aspect of the present invention.
By modifying the specific function to be detected, the present invention makes it possible to obtain, when the function to be detected is called, an entry including the return address of the current call and the detection point function, which provides the basis for detecting whether a calling relationship exists between the function to be detected and the detection point function. In scenarios where only the existence of a calling relationship between specific functions needs to be detected, the present invention therefore only has to modify the specific function to meet the detection requirement, without tracing back step by step to obtain all intermediate calling relationships.
Brief description of the drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following more detailed description of exemplary embodiments of the present disclosure in conjunction with the accompanying drawings, in which the same reference numerals generally denote the same components.
FIG. 1 is a schematic flowchart of a function call relationship detection method according to an embodiment of the present invention.
FIG. 2 is a schematic flowchart of a function call relationship detection method according to another embodiment of the present invention.
FIG. 3 is a schematic diagram of a detection flow according to an embodiment of the present invention.
FIG. 4 is a schematic block diagram of the structure of a function call relationship detection apparatus according to an embodiment of the present invention.
FIG. 5 is a schematic block diagram of the structure of a function call relationship detection apparatus according to another embodiment of the present invention.
FIG. 6 is a schematic structural diagram of a computing device that can be used to implement the above function call relationship detection method according to an embodiment of the present invention.
Detailed description
Preferred embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show preferred embodiments of the present disclosure, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure is thorough and complete and fully conveys the scope of the present disclosure to those skilled in the art.
[Explanation of terms]
Call path: the call path of a function is the set of all functions in the current function's stack backtrace.
Stack backtrace: the stack holds function return addresses, local variables and so on; a stack backtrace uses these return addresses to determine the calling relationships and calling order of functions.
Function to be detected: a function whose function call relationship needs to be detected.
Detection point function: a function for which it needs to be detected whether it has a calling relationship with the function to be detected.
Return address: the address of the next statement to be executed after a function call ends.
[Overview of the scheme]
The present invention proposes a function call relationship detection scheme for detecting whether the function to be detected has a calling relationship with the detection point function, that is, whether the function to be detected is on the call path of the detection point function.
The present invention modifies the function to be detected so that, when the function to be detected is called, an entry including the return address of the current call and the detection point function can be obtained. For example, a static function can be added for the function to be detected, the static function being defined to generate, when called, an entry including the return address of the current call and the detection point function, and the action of calling the function to be detected can be modified into calling the static function, so that the function to be detected is called by the static function. A function that originally called the function to be detected directly thus calls it through the static function, and in this process an entry including the return address of the current call and the detection point function is obtained.
For the detection point function, a mark corresponding to the detection point function can be saved when it is called. When the function to be detected is called, the entries can then be searched, based on the return address of the current call, for a detection point function; if one is found, a further check is made for a mark corresponding to that detection point function, in order to determine whether a calling relationship exists between the function to be detected and the detection point function, that is, whether the function to be detected is on the call path of the detection point function.
The function call relationship detection scheme of the present invention can be used to detect whether a specific function, at a given return address, has a calling relationship with the detection point function. Compared with APCS/Unwind it is more lightweight and also relatively safer. For example, for the calling relationship A->B->C, when only the existence of a calling relationship between function A and function C needs to be detected, the present invention only has to modify function C to meet the detection requirement, without tracing back step by step to obtain all intermediate calling relationships.
As an example, the present invention can be used to detect the call paths of key functions (especially key functions in the kernel). Although the functions to be detected have to be processed one by one, the number of key functions in the kernel is manageable, so the present invention is also quite practical while avoiding the problems of APCS and Unwind mentioned above.
The aspects of the present invention are described further below.
[Function call relationship detection method]
FIG. 1 is a schematic flowchart of a function call relationship detection method according to an embodiment of the present invention.
Referring to FIG. 1, in step S110, a static function is added for the function to be detected. The static function is defined to generate, when called, an entry including the return address of the current call and the detection point function.
The return address of the current call in the entry generated when the static function is called is the return address at the time the function to be detected is called. The detection point function in the entry may be the address of the detection point function, for example its start address.
In step S120, the action of calling the function to be detected is modified into calling the static function, so that the function to be detected is called by the static function.
By adding a static function for the function to be detected and modifying the action of calling the function to be detected into calling the static function, a function that originally called the function to be detected directly now calls it through the static function. For example, suppose the function to be detected C has the calling relationship A->B->C and the static function added for C is denoted E; the logical calling relationship after step S120 is then A->B->E->C. The static function can be regarded as an inline function of the function to be detected. Because of the properties of inline functions, the calling relationship that actually exists is still A->B->C, except that an entry including the return address and the detection point function is generated during the call. The return address in the entry generated when the static function E is called is the return address at the time the function to be detected C is called.
The present invention can also rename the function to be detected in order to identify it, for example before step S110 is performed. The function to be detected can be renamed according to a naming rule, which makes it easier to detect its calling relationships, for example by making it easy to find all calls to the function to be detected during compilation.
For the detection point function, a mark corresponding to the detection point function can be saved in response to the detection point function being called. The present invention does not limit where the mark is stored; for example, it can be saved in the current process stack or in the process structure. In response to the detection point function returning after being called, the mark corresponding to the detection point function can be cleared so that it does not affect the next detection. When the detection point function is a function in the kernel, the mark can also be cleared when the system call returns.
If the call path of the detection point function includes the function to be detected, the function to be detected is also called while the detection point function is being called. When the detection point function is called, a mark corresponding to the detection point function is generated; when the function to be detected is called, an entry including the return address of the current call and the detection point function is generated. Therefore, in response to the function to be detected being called, it can be detected whether the corresponding entry contains a detection point function, and further whether a mark corresponding to the detection point function in the entry exists. From the detection result it can be judged whether a function call relationship exists between the function to be detected and the detection point function.
Based on the above analysis, the present invention proposes that a detection module can be added to the function to be detected; optionally, the detection module can be inserted into the function to be detected in the form of a function. The detection module can be used to detect, in response to the function to be detected being called, whether a calling relationship exists between the function to be detected and the detection point function. Specifically, in response to the function to be detected being called, the detection module can search, according to the return address of the current call, for the detection point function in the entry corresponding to that return address. If the detection point function is found, it can further check whether a mark corresponding to the detection point function exists. If such a mark is detected, it can be determined that a calling relationship exists between the function to be detected and the detection point function, that is, the function to be detected is on the function call path of the detection point function, and that the function to be detected has a calling relationship with the detection point function at the given return address.
The implementation flow of the function call relationship detection scheme of the present invention has thus been described with reference to FIG. 1. The method shown in FIG. 1 can be executed during program compilation, that is, the calling relationships between functions can be detected during program compilation. When the scheme is executed during program compilation, a function "being called" in the present invention means that the compiler uses it in order to compile it. For example, suppose the function to be detected C has the calling relationship A->B->C. When the compiler starts to compile function A, function A is considered to be called; when, while compiling function A, function B has to be called and is therefore compiled, function B is considered to be called.
FIG. 2 is a schematic flowchart of a function call relationship detection method according to another embodiment of the present invention.
Referring to FIG. 2, in step S210, the entries generated during compilation are acquired, each entry including a return address and a detection point function. An entry is generated when the static function corresponding to the function to be detected is called. For a description of the static function, see the relevant description above, which is not repeated here.
In step S220, according to the return address at the time the function to be detected is called, the detection point function is searched for in the entry corresponding to that return address.
If none of the entries corresponds to the return address at the time the function to be detected is called, it can be determined that no calling relationship exists between the function to be detected and the detection point function.
In step S230, based on the search result, it is judged whether the function to be detected has a calling relationship with the detection point function.
When an entry corresponding to the return address at the time the function to be detected is called is found, it can further be detected whether a mark corresponding to the detection point function in that entry exists. If such a mark is detected, it can be determined that a calling relationship exists between the function to be detected and the detection point function.
【Specific application example】
Suppose function C has the following calling relationships: A->B->C and A->D->C, and the purpose of detection is to determine whether function C has a calling relationship with function A. Function C can then be called the function to be detected, and function A the detection point function.
Modification operations
First, the following modification operations may be performed to provide the basis for subsequently determining whether function C has a calling relationship with function A.
1. First, function C may be renamed to __btf_C by a macro processing command, so that all calls to function C can be found during compilation.
Suppose function C is defined as:
int C(int *p);
After renaming, __btf_C is defined as:
#define BACKTRACE_FUNCTION(x) __btf_##x
int BACKTRACE_FUNCTION(C)(int *p)
The specific definitions of the individual fields of the function are not repeated here. After this modification, function C no longer exists; it has been renamed to __btf_C.
2. Two static functions, __btf_C_AB and __btf_C_AD, may be added for the __btf_C function by macro definition; they can be expressed as:
BACKTRACECALL_DEFINE1(int, C, AB, int *, p)
BACKTRACECALL_DEFINE1(int, C, AD, int *, p)
The static function may be defined such that a call to it generates a new entry in the system. The entry may be called __k_bttab, and its content is the return address of the current call and the detection point function (for example, the address of the detection point function passed in).
The specific definition of the static function may be set according to the actual situation and is not described further here.
3. The calls to function C in functions B and D may be modified by macro definition, as follows:
The call in function B is changed from C(p) to BACKTRACECALL(C, AB, p)
The call in function D is changed from C(p) to BACKTRACECALL(C, AD, p)
After the modification, the following logical calling relationships exist in the system:
1) A->B->__btf_C_AB->__btf_C
2) A->D->__btf_C_AD->__btf_C
However, owing to the nature of inline functions, the calling relationships that actually exist in the system are:
1) A->B->__btf_C
2) A->D->__btf_C
At the same time, these two calls add two __k_bttab section entries to the system, namely:
{return address of the __btf_C function in function B (__btf_C_LRB), address of function A}
{return address of the __btf_C function in function D (__btf_C_LRD), address of function A}
4. Place a mark in function A to indicate that function A is currently being called
When function A is called, a mark corresponding to function A may be added to indicate that function A has been called. The mark may be recorded in different locations, such as the current process stack or the process structure.
5. A detection function, which may be denoted BT_CHECK(), may be added to function __btf_C. The detection function may be used to detect, in response to function __btf_C being called, whether function __btf_C has a calling relationship with function A. For the detection mechanism, see the description above, which is not repeated here. The specific definition of the detection function may be set according to the actual situation and is not described further here.
Detection flow
FIG. 3 is a schematic diagram showing a detection flow according to an embodiment of the present invention.
All __k_bttab section entries generated during compilation can be collected through the vmlinux.ld.S script, and all __k_bttab entries can then be sorted to facilitate subsequent lookup; for example, all __k_bttab entries may be sorted during system initialization. The entries may be sorted by the return address in each __k_bttab entry.
When function A is called, a mark indicating that function A has been called (mark A) may be added to the process stack or the process structure; when the call to function A returns, mark A may be cleared from the process stack or the process structure in preparation for the next detection. In addition, when function __btf_C is called, its call path can be checked by the detection function (the BT_CHECK function) inside function __btf_C.
As an example, the specific detection operation of BT_CHECK is as follows: using the current function's return address, look up by exact match in the __k_bttab table the detection point function corresponding to that return address. If there is no detection point function, detection fails. If a detection point function exists, further check whether the mark of detection point function A exists in the process stack or the process structure; if the mark exists, the stack backtrace detection succeeds.
As shown in FIG. 3, when function B calls the __btf_C function by calling the static function __btf_C_AB (not shown in the figure), the current return address is return address 1, which can be denoted __btf_C_LRB; when function D calls the __btf_C function by calling the static function __btf_C_AD (not shown in the figure), the current return address is return address 2, which can be denoted __btf_C_LRD. In response to the __btf_C function being called, the __k_bttab table may record return address 1 with function A, and return address 2 with function A. The detection function placed in the __btf_C function can look up detection point function A corresponding to the current return address in the __k_bttab table, and then look for the mark of detection point function A among the saved marks. If the mark of detection point function A is found, this indicates that a calling relationship exists between detection point function A and function C, and it can further be determined that functions B and D are both on the call path of detection point function A.
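The detection flow above (sort the __k_bttab entries by return address, look up the current return address by exact match, then check the mark) can be modelled in C as follows. This is an added example, not code from the patent: the struct and function names, the per-task bitmask used for the mark, and the two return-address values are assumptions constructed for illustration, standing in for the entries the compile-time macros would emit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One __k_bttab entry: the exact return address of one call to the function
 * to be detected, plus the detection point function expected on the path.
 * The detection point is modelled as a small id rather than an address. */
struct bttab_entry {
    uintptr_t ret_addr;
    int detect_point;
};

enum { DETECT_POINT_A = 0 };                /* hypothetical id for function A */
enum bt_result { BT_OK = 0, BT_NO_ENTRY = -1, BT_NO_MARK = -2 };

/* Constructed sample addresses, deliberately listed out of order. */
#define BTF_C_LRB ((uintptr_t)0x401a3c)     /* return address 1: call in B */
#define BTF_C_LRD ((uintptr_t)0x401458)     /* return address 2: call in D */

static struct bttab_entry k_bttab[] = {
    { BTF_C_LRB, DETECT_POINT_A },
    { BTF_C_LRD, DETECT_POINT_A },
};
#define K_BTTAB_LEN (sizeof k_bttab / sizeof k_bttab[0])

/* Stand-in for the process structure that holds the marks. */
struct task { unsigned long bt_marks; };

static int cmp_entry(const void *a, const void *b)
{
    const struct bttab_entry *x = a, *y = b;
    return (x->ret_addr > y->ret_addr) - (x->ret_addr < y->ret_addr);
}

/* Initialization step: sort the entries by return address for lookup. */
void bttab_init(void)
{
    qsort(k_bttab, K_BTTAB_LEN, sizeof k_bttab[0], cmp_entry);
}

/* Mark set when the detection point function is entered ... */
void detect_point_enter(struct task *t, int id) { t->bt_marks |= 1UL << id; }
/* ... and cleared when it returns, ready for the next detection. */
void detect_point_exit(struct task *t, int id) { t->bt_marks &= ~(1UL << id); }

/* Model of BT_CHECK: exact-match lookup, then the mark check. An address
 * that merely falls inside B or D, but is not a recorded return address,
 * finds no entry and fails. */
int bt_check(const struct task *t, uintptr_t ret_addr)
{
    struct bttab_entry key = { ret_addr, 0 };
    const struct bttab_entry *e = bsearch(&key, k_bttab, K_BTTAB_LEN,
                                          sizeof k_bttab[0], cmp_entry);
    if (e == NULL)
        return BT_NO_ENTRY;
    if (!(t->bt_marks & (1UL << e->detect_point)))
        return BT_NO_MARK;
    return BT_OK;
}

int main(void)
{
    struct task t = { 0 };

    bttab_init();
    printf("A not active, call from B: %d\n", bt_check(&t, BTF_C_LRB));
    detect_point_enter(&t, DETECT_POINT_A);
    printf("A active, call from B:     %d\n", bt_check(&t, BTF_C_LRB));
    printf("A active, call from D:     %d\n", bt_check(&t, BTF_C_LRD));
    printf("A active, unknown address: %d\n", bt_check(&t, BTF_C_LRB + 4));
    detect_point_exit(&t, DETECT_POINT_A);
    printf("A returned, call from D:   %d\n", bt_check(&t, BTF_C_LRD));
    return 0;
}
```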
Compared with existing stack backtrace schemes, the present invention can produce at least the following technical effects:
1. Stack backtracing has to proceed step by step. For the scenario A->B->C (A calls function B, and B calls function C), sometimes only the calling relationship between A and C is of interest; in that case one must first backtrace from C to B and then to A, which is relatively inefficient for multi-level or recursive calls. This scheme is suited to the detection of key kernel functions: it can specify that the calling relationship between function C and function A is to be detected at a particular point (a particular return address).
2. Both approaches depend on the compiler. In some situations only specific functions need stack backtracing, and it is difficult to optimize only some of the functions during compilation. The present invention is implemented per function, so compilation optimization can be applied only to the key functions that need stack backtracing.
3. APCS determines a function's start address through the symbol table, and Unwind determines it through ARM.unwind_idx; both determine the parent function from the function address range in which LR (the link register) falls. Sub-functions within the same function therefore give rise to ambiguity during call path detection and have to be handled separately for different functions. The present invention matches the specific return address exactly, and different matching functions can be specified for different return addresses, so no ambiguity arises.
4. The Unwind approach stores the start addresses of all functions in the kernel, which poses a great security risk; APCS has the same problem if a symbol table is configured. The present invention can store in the kernel only the start addresses of the functions actually used, which mitigates the security risk of the above approaches.
【Function call relationship detection apparatus】
The present invention can also be implemented as a function call relationship detection apparatus. The functional modules of the function call relationship detection apparatus may be implemented by hardware, software, or a combination of hardware and software that implements the principles of the present invention. Those skilled in the art will understand that the functional modules described in FIG. 4 may be combined or divided into sub-modules to implement the principles of the invention described above. The description herein therefore supports any possible combination, division, or further definition of the functional modules described herein.
The functional modules that the function call relationship detection apparatus may have, and the operations each module may perform, are briefly described below; for the details involved, see the description above, which is not repeated here.
FIG. 4 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to an embodiment of the present invention.
Referring to FIG. 4, the function call relationship detection apparatus 400 includes an adding module 410 and a call adjustment module 420.
The adding module 410 is used to add a static function for the function to be detected; the static function is defined to generate, when called, an entry including the return address of the current call and the detection point function. The call adjustment module 420 is used to modify the action of calling the function to be detected into calling the static function, so that the function to be detected is called by the static function.
In an embodiment of the present invention, the function call relationship detection apparatus 400 may optionally further include a naming module 430, shown by a dashed box in the figure. The naming module 430 is used to rename the function to be detected so as to identify the function to be detected.
In an embodiment of the present invention, the function call relationship detection apparatus 400 may optionally further include a saving module 440, shown by a dashed box in the figure. The saving module 440 is used to save, in response to the detection point function being called, a mark corresponding to the detection point function.
In an embodiment of the present invention, the function call relationship detection apparatus 400 may optionally further include a clearing module 450, shown by a dashed box in the figure. The clearing module 450 is used to clear the mark corresponding to the detection point function in response to the detection point function returning after being called.
In an embodiment of the present invention, the function call relationship detection apparatus 400 may optionally further include a detection module 460, shown by a dashed box in the figure, which is used to detect, in response to the function to be detected being called, whether a calling relationship exists between the function to be detected and the detection point function. Optionally, the detection module 460 may include a lookup module and a checking module (not shown in the figure). The lookup module is used to look up the detection point function, according to the return address of the current call, in the entry corresponding to that return address; the checking module is used to check, if the detection point function is found, whether a mark corresponding to the detection point function exists. Optionally, if a mark corresponding to the detection point function is detected, the detection module may determine that the function to be detected has a calling relationship with the detection point function.
FIG. 5 is a schematic block diagram showing the structure of a function call relationship detection apparatus according to another embodiment of the present invention.
Referring to FIG. 5, the function call relationship detection apparatus 500 includes an obtaining module 510, a lookup module 520 and a judgment module 530. The obtaining module 510 is used to obtain the entries generated during compilation; each entry includes a return address and a detection point function, the entry is generated when the static function corresponding to the function to be detected is called, and the function to be detected is called by calling the static function. The lookup module 520 is used to look up the detection point function, according to the return address at the time the function to be detected is called, in the entry corresponding to that return address. The judgment module 530 is used to determine, based on the lookup result, whether the function to be detected has a calling relationship with the detection point function.
Optionally, if the detection point function is found, the judgment module 530 further detects whether a mark corresponding to the detection point function exists; if such a mark is detected, it determines that the function to be detected has a calling relationship with the detection point function.
【Computing device】
FIG. 6 is a schematic structural diagram of a computing device that can be used to implement the above function call relationship detection method according to an embodiment of the present invention.
Referring to FIG. 6, the computing device 600 includes a memory 610 and a processor 620.
The processor 620 may be a multi-core processor or may comprise multiple processors. In some embodiments, the processor 620 may include a general-purpose main processor and one or more special-purpose co-processors, such as a graphics processing unit (GPU) or a digital signal processor (DSP). In some embodiments, the processor 620 may be implemented using customized circuits, such as an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA).
The memory 610 may include various types of storage units, such as system memory, read-only memory (ROM), and permanent storage. The ROM may store static data or instructions required by the processor 620 or other modules of the computer. The permanent storage may be a readable and writable storage device. It may be a non-volatile storage device that does not lose the stored instructions and data even when the computer is powered off. In some embodiments, a mass storage device (such as a magnetic or optical disk, or flash memory) is used as the permanent storage. In other embodiments, the permanent storage may be a removable storage device (such as a floppy disk or an optical drive). The system memory may be a readable and writable storage device or a volatile readable and writable storage device, such as dynamic random access memory. The system memory may store some or all of the instructions and data that the processor needs at run time. In addition, the memory 610 may include any combination of computer-readable storage media, including various types of semiconductor memory chips (DRAM, SRAM, SDRAM, flash memory, programmable read-only memory); magnetic disks and/or optical disks may also be used. In some embodiments, the memory 610 may include readable and/or writable removable storage devices, such as compact discs (CD), read-only digital versatile discs (for example DVD-ROM, dual-layer DVD-ROM), read-only Blu-ray discs, ultra-density discs, flash memory cards (for example SD cards, mini SD cards, Micro-SD cards), magnetic floppy disks, and so on. Computer-readable storage media do not include carrier waves or transient electronic signals transmitted wirelessly or over wires.
Executable code is stored on the memory 610; when the executable code is processed by the processor 620, it can cause the processor 620 to perform the function call relationship detection method described above.
The function call relationship detection method, apparatus and device according to the present invention have been described in detail above with reference to the drawings.
In addition, the method according to the present invention may also be implemented as a computer program or computer program product that includes computer program code instructions for performing the steps defined in the above method of the present invention.
Alternatively, the present invention may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) on which executable code (or a computer program, or computer instruction code) is stored; when the executable code (or computer program, or computer instruction code) is executed by a processor of an electronic device (or computing device, server, etc.), it causes the processor to perform the steps of the above method according to the present invention.
Those skilled in the art will also appreciate that the various exemplary logical blocks, modules, circuits and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or a combination of both.
The flowcharts and block diagrams in the drawings show the architecture, functions and operations of possible implementations of systems and methods according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment, or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The embodiments of the present invention have been described above. The foregoing description is exemplary, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terms used herein were chosen to best explain the principles of the embodiments, their practical application or their improvement over technology in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (13)

  1. 一种函数调用关系检测方法,用于检测待检测函数与检测点函数之间是否具有调用关系,其特征在于,包括:A function call relationship detection method, used to detect whether there is a call relationship between the function to be detected and the detection point function, which is characterized by including:
    为待检测函数添加静态函数,所述静态函数定义为被调用时,生成包括当前调用的返回地址和检测点函数的条目;Add a static function to the function to be detected, the static function is defined as being called, generating an entry including the return address of the current call and the detection point function;
    将调用所述待检测函数的动作修改为调用所述静态函数,以由所述静态函数调用所述待检测函数。Modifying the action of calling the function to be detected to call the static function to call the function to be detected by the static function.
  2. 根据权利要求1所述的函数调用关系检测方法,其特征在于,还包括:The function call relationship detection method according to claim 1, further comprising:
    对所述待检测函数进行重命名,以标识所述待检测函数。Rename the function to be detected to identify the function to be detected.
  3. 根据权利要求1所述的函数调用关系检测方法,其特征在于,还包括:The function call relationship detection method according to claim 1, further comprising:
    响应于所述检测点函数被调用,保存与所述检测点函数对应的标记。In response to the detection point function being called, a mark corresponding to the detection point function is saved.
  4. 根据权利要求3所述的函数调用关系检测方法,其特征在于,还包括:The method for detecting a function call relationship according to claim 3, further comprising:
    响应于所述检测点函数被调用后返回,清除与所述检测点函数对应的标记。In response to the detection point function being returned after being called, the mark corresponding to the detection point function is cleared.
  5. 根据权利要求3所述的函数调用关系检测方法,其特征在于,还包括:The method for detecting a function call relationship according to claim 3, further comprising:
    在所述待检测函数中添加检测模块,所述检测模块用于响应于所述待检测函数被调用,检测所述待检测函数与所述检测点函数之间是否存在调用关系。A detection module is added to the function to be detected, and the detection module is configured to detect whether a calling relationship exists between the function to be detected and the detection point function in response to the function to be detected being called.
  6. 根据权利要求5所述的函数调用关系检测方法,其特征在于,所述检测所述待检测函数与所述检测点函数之间是否存在调用关系的步骤包括:The function call relationship detection method according to claim 5, wherein the step of detecting whether a call relationship exists between the function to be detected and the detection point function includes:
    根据当前调用的返回地址,在与当前调用的返回地址对应的条目中查找检测点函数;According to the return address of the current call, find the checkpoint function in the entry corresponding to the return address of the current call;
    在查找到所述检测点函数的情况下,检查是否存在与所述检测点函数对应的标记。When the detection point function is found, it is checked whether there is a mark corresponding to the detection point function.
  7. 根据权利要求6所述的函数调用关系检测方法,其特征在于,还包括:The method for detecting a function call relationship according to claim 6, further comprising:
    在检测到存在与所述检测点函数对应的标记的情况下,判定所述待检测函数与所述检测点函数存在调用关系。When it is detected that there is a mark corresponding to the detection point function, it is determined that the function to be detected and the detection point function have a calling relationship.
  8. 一种函数调用关系检测方法,其特征在于,包括:A method for detecting function call relationships, which is characterized by:
    获取编译期间生成的条目,所述条目包括返回地址和检测点函数,其中,所述条目是在与待检测函数对应的静态函数被调用时生成的,通过调用所述静态函数,来调用所述待检测函数;Obtain an entry generated during compilation, the entry including a return address and a checkpoint function, wherein the entry is generated when a static function corresponding to the function to be detected is called, and the static function is called to call the Function to be detected;
    根据所述待检测函数被调用时的返回地址,从与所述返回地址对应的所述条目中查找检测点函数;Searching for the detection point function from the entry corresponding to the return address according to the return address when the function to be detected is called;
    基于查找结果,判断所述待检测函数是否与所述检测点函数存在调用关系。Based on the search result, it is determined whether the function to be detected has a calling relationship with the detection point function.
  9. The function call relationship detection method according to claim 8, wherein the step of determining, based on the search result, whether the function to be detected has a call relationship with the detection point function comprises:
    when the detection point function is found, detecting whether there is a mark corresponding to the detection point function;
    when it is detected that a mark corresponding to the detection point function exists, determining that the function to be detected has a call relationship with the detection point function.
  10. A function call relationship detection apparatus, characterized by comprising:
    an adding module, configured to add a static function for a function to be detected, the static function being defined to generate, when called, an entry including the return address of the current call and a detection point function; and
    a call adjustment module, configured to modify the action of calling the function to be detected into calling the static function, so that the static function calls the function to be detected.
  11. A function call relationship detection apparatus, characterized by comprising:
    an acquisition module, configured to acquire an entry generated during compilation, the entry including a return address and a detection point function, wherein the entry is generated when a static function corresponding to a function to be detected is called, and the function to be detected is called by calling the static function;
    a search module, configured to search, according to the return address at the time the function to be detected is called, for the detection point function in the entry corresponding to the return address; and
    a judgment module, configured to determine, based on the search result, whether the function to be detected has a call relationship with the detection point function.
  12. A computing device, comprising:
    a processor; and
    a memory on which executable code is stored, wherein the executable code, when executed by the processor, causes the processor to perform the method according to any one of claims 1 to 9.
  13. A non-transitory machine-readable storage medium on which executable code is stored, wherein the executable code, when executed by a processor of an electronic device, causes the processor to perform the method according to any one of claims 1 to 9.
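The mechanism of claims 9 to 11, as an added C example that is not code from the patent: a static wrapper records an entry (return address, detection point function) per call site, and the check looks the entry up by return address and then tests the mark. All names are hypothetical. It assumes GCC or Clang, that entries are recorded on the first call from a site rather than emitted during compilation, and that the mark means "the detection point function is currently running".

```c
#include <stddef.h>

/* One entry per call site: the address the call returns to, and the
 * detection point function that site is checked against. */
struct entry { const void *ret_addr; void (*detect_point)(void); };

#define MAX_ENTRIES 8
static struct entry entries[MAX_ENTRIES];
static size_t n_entries;
static int mark;         /* assumption: set while checkpoint() is running */
static int last_result;  /* outcome of the most recent check */
static int target_runs;

static void checkpoint(void);                /* detection point function */
static void target(void) { target_runs++; }  /* function to be detected */

/* Claims 9 and 11: find the entry for ret_addr; a call relationship exists
 * only if an entry is found and its detection point function's mark is set. */
static int has_call_relationship(const void *ret_addr)
{
    for (size_t i = 0; i < n_entries; i++)
        if (entries[i].ret_addr == ret_addr)
            return entries[i].detect_point == checkpoint && mark;
    return 0;  /* no entry for this return address */
}

/* Claim 10: static function added for target(). noinline keeps its return
 * address equal to the original call site of target(). */
static __attribute__((noinline)) void target_static(void)
{
    const void *ret = __builtin_return_address(0);  /* GCC/Clang builtin */
    size_t i = 0;
    while (i < n_entries && entries[i].ret_addr != ret)
        i++;
    if (i == n_entries && n_entries < MAX_ENTRIES)
        entries[n_entries++] = (struct entry){ ret, checkpoint };
    last_result = has_call_relationship(ret);
    target();  /* the real function: the redirect below is not defined yet */
}

/* Call adjustment: every later call to target() goes through the wrapper. */
#define target() target_static()

static __attribute__((noinline)) void checkpoint(void)
{ mark = 1; target(); mark = 0; }

static __attribute__((noinline)) int unrelated_caller(void)
{ target(); return last_result; }
```

Because the table is keyed by return address, repeated calls from one site reuse a single entry, and an address with no entry never yields a call relationship even while the mark is set.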
PCT/CN2019/122370 2018-12-03 2019-12-02 Function call relationship detection method, apparatus, device and storage medium WO2020114347A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811468332.7A CN111258630B (en) 2018-12-03 2018-12-03 Function call relation detection method, device, equipment and storage medium
CN201811468332.7 2018-12-03

Publications (1)

Publication Number Publication Date
WO2020114347A1 (en) 2020-06-11

Family

ID=70946623

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/122370 WO2020114347A1 (en) 2018-12-03 2019-12-02 Function call relationship detection method, apparatus, device and storage medium

Country Status (3)

Country Link
CN (1) CN111258630B (en)
TW (1) TW202022603A (en)
WO (1) WO2020114347A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130061212A1 (en) * 2011-09-06 2013-03-07 Microsoft Corporation Modern Application Tracing
CN103761089A (en) * 2014-01-14 2014-04-30 清华大学 Method for determining dynamic function call relation based on register transfer languages
CN103970659A (en) * 2014-05-16 2014-08-06 刘玉光 Android application software automation testing method based on pile pitching technology
CN105468508A (en) * 2014-09-04 2016-04-06 阿里巴巴集团控股有限公司 Code testing method and apparatus

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100478915C (en) * 2007-09-20 2009-04-15 福建星网锐捷网络有限公司 CPU abnormal point positioning diagnosis method based MIPS structure
CN103019787B (en) * 2012-12-14 2016-08-10 华为技术有限公司 Function calling relationship determines method, hot patch upgrade method and device
US9250881B1 (en) * 2014-09-30 2016-02-02 International Business Machines Corporation Selection of an entry point of a function having multiple entry points

Also Published As

Publication number Publication date
CN111258630A (en) 2020-06-09
TW202022603A (en) 2020-06-16
CN111258630B (en) 2023-05-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19892022

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19892022

Country of ref document: EP

Kind code of ref document: A1