CN110674495A - Detection method, device and equipment for group border crossing access - Google Patents

Abstract

The embodiment of the specification discloses a method, a device and equipment for detecting group border crossing access, wherein the method comprises the following steps: acquiring functions contained in a program code to be detected and call relation information among the functions; if the calling relation information among the functions comprises the target program statements which are not accessed, detecting whether the target program statements need to access the array or not; if the target program statement needs to access an array, acquiring a value range of a preset variable of the array accessed by the target program statement in a program area corresponding to the array; and detecting whether the program code contains array out-of-range access or not based on the value range of the preset variable of the array accessed by the target program statement in the program area corresponding to the array.

Description

A detection method, device and device for out-of-bounds access to an array

technical field

This document relates to the field of computer technology, and in particular, to a detection method, device and device for out-of-bounds access to an array.

Background technique

Array out-of-bounds access is a common program coding defect. Array out-of-bounds access can cause program crashes or incorrect program results. Moreover, it can also lead to serious system security problems. Attackers can use this defect to enhance their attacks. The user's own permissions to read or modify the user's sensitive data.

At present, the method of finding out-of-bounds access to arrays in a program can usually be based on black-box testing or white-box testing, that is, construct test cases to test the execution program and observe whether there is an out-of-bounds access to arrays in program execution. In the above-mentioned method of array out-of-bounds access detection, for the method of black-box testing or white-box testing, it is impossible to construct enough test cases to cover all execution paths of the program code. Therefore, the detection accuracy of this method is low and the detection efficiency is high. Low. To this end, it is necessary to provide a mechanism that can detect cross-function or cross-file array out-of-bounds access, and the detection speed of the mechanism can be faster, the detection accuracy is higher, and the array out-of-bounds access in program code can be detected in a larger range. access defect.

SUMMARY OF THE INVENTION

The purpose of the embodiments of this specification is to provide a detection method, device and device for out-of-bounds access to an array, so as to provide a mechanism that can detect out-of-bounds access to an array across functions or files, and the detection speed of the mechanism can be faster and accurate. It has a higher degree and can detect array out-of-bounds access defects in program code in a wider range.

In order to realize the above technical solutions, the embodiments of this specification are implemented as follows:

A method for detecting array out-of-bounds access provided by the embodiments of this specification includes:

Obtain the functions contained in the program code to be detected, and the calling relationship information between the functions;

If the calling relationship information between the functions includes an unvisited target program statement, then detect whether the target program statement needs to access an array;

If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array;

Based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array.

Optionally, after acquiring the functions contained in the program code to be detected and the calling relationship information between the functions, the method further includes:

Detecting whether the calling relationship information between the functions includes unvisited functions;

If the calling relationship information between the functions includes an unvisited function, use the program statement in the unvisited function as the target program statement;

If the invocation relationship information between the functions does not include unvisited functions, it is detected whether the invocation relation information between the functions includes an unvisited target program statement.

Optionally, the method further includes:

Converting the program code to be detected into program code in a predetermined expression form;

The acquisition of the functions contained in the program code to be detected, and the calling relationship information between the functions, include:

The functions contained in the program code converted into a predetermined expression form and the calling relationship information between the functions are acquired.

Optionally, the method further includes:

Identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result;

If the identification result indicates that the program statement of the function is a loop statement, acquiring the loop induction variable and the loop body corresponding to the program statement of the function;

A range of values for the loop induction variable within the loop body is determined.

Optionally, the method further includes:

If the identification result indicates that the program statement of the function is an IF branch statement, then obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function;

The value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block are respectively determined.

Optionally, the method further includes:

If the identification result indicates that the program statement of the function is a SWITCH selection statement, then obtain the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and selection variable;

Determine the value range of the selection variable within each CASE statement block and the value range within the DEFAULT statement block.

Optionally, the acquiring the calling relationship information between the functions includes:

Analyzing the calling relationship between the functions to obtain a function calling graph, where the function calling graph includes multiple functions and connecting lines between the multiple functions;

Connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information;

The usage and definition relationship between each function in the function call graph of the predetermined global variable is acquired, and the connection information of the usage definition of the global variable is obtained.

Optionally, if the target program statement needs to access an array, obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, including:

If the target program statement needs to access the array, then according to the predetermined use definition relationship information, determine the definition of the array accessed by the target program statement;

According to the predetermined usage definition relationship information and the record information corresponding to the definition of the array accessed by the target program statement, query the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array .

An apparatus for detecting array out-of-bounds access provided by the embodiments of this specification includes:

an information acquisition module, used for acquiring the functions contained in the program code to be detected, and the calling relationship information between the functions;

an array access detection module for detecting whether the target program statement needs to access an array if the calling relationship information between the functions includes an unvisited target program statement;

A value range acquisition module, configured to obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array if the target program statement needs to access the array;

The out-of-bounds access detection module is configured to detect whether the program code includes out-of-bounds access to the array based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.

Optionally, the device further includes:

a function detection module, configured to detect whether the calling relationship information between the functions includes unvisited functions;

A function detection result module, configured to use the program statement in the unvisited function as the target program statement if the calling relationship information between the functions includes an unvisited function;

A statement detection module, configured to detect whether the calling relationship information between the functions includes an unvisited target program statement if the calling relationship information between the functions does not include an unvisited function.

Optionally, the device further includes:

a conversion module for converting the program code to be detected into a program code of a predetermined expression form;

The information acquisition module is used for acquiring the functions contained in the program code converted into a predetermined expression form, and the calling relationship information between the functions.

Optionally, the device further includes:

The identification module is used to identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result;

a first statement processing module, configured to acquire a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement;

The first value range determination module is used for determining the value range of the loop induction variable in the loop body.

Optionally, the device further includes:

The second statement processing module is used to obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function if the recognition result indicates that the program statement of the function is an IF branch statement;

The second value range determination module is configured to respectively determine the value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block.

Optionally, the device further includes:

A third statement processing module, configured to acquire the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and select variable;

The third value range determination module is used for determining the value range of the selection variable in each CASE statement block and the value range in the DEFAULT statement block.

Optionally, the information acquisition module includes:

a call graph determination unit, configured to analyze the calling relationship between the functions to obtain a function call graph, where the function call graph includes multiple functions and connecting lines between the multiple functions;

a parameter connection determination unit, configured to connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information;

The connection information determination unit is configured to acquire the usage and definition relationship between the functions of the predetermined global variables in the function call graph, and obtain the usage definition connection information of the global variables.

Optionally, the value range acquisition module includes:

A definition determining unit is used to determine the definition of the array accessed by the target program statement according to predetermined use definition relationship information if the target program statement needs to access the array;

The value range acquisition unit is used to query the corresponding record information of each dimension of the array accessed by the target program statement according to the predetermined use definition relationship information and the corresponding record information of the definition of the array accessed by the target program statement. range of values within the program area of .

A detection device for out-of-bounds access to an array provided by the embodiments of this specification, the detection device for out-of-bounds access to an array includes:

processor; and

memory arranged to store computer-executable instructions which, when executed, cause the processor to:

Obtain the functions contained in the program code to be detected, and the calling relationship information between the functions;

If the calling relationship information between the functions includes an unvisited target program statement, then detect whether the target program statement needs to access an array;

If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array;

Based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array.

It can be seen from the technical solutions provided by the above embodiments of this specification that the embodiments of this specification obtain the functions contained in the program code to be detected and the calling relationship information between the functions. The accessed target program statement checks whether the target program statement needs to access the array. If the target program statement needs to access the array, obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, based on the target The value range of the predetermined variable of the array accessed by the program statement in the program area corresponding to the array is to detect whether the program code contains array out-of-bounds access. In this way, by detecting the program statement in the calling relationship information between functions , to determine whether the program code contains array out-of-bounds access. Therefore, the detection process can cover all execution paths of the program code, and the detection accuracy is improved. The detection of the statement and the acquisition of the value range of the predetermined variable of the array in the program area corresponding to the array to further detect whether the program code includes out-of-bounds access to the array can make the detection of out-of-bounds access to the array more efficient.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present specification or the prior art, the following briefly introduces the accompanying drawings required in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments described in this specification. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative labor.

Fig. 1 is a kind of detection method embodiment of array out-of-bounds access of this specification;

Fig. 2 is the detection method embodiment of another kind of array out-of-bounds access of this specification;

Fig. 3 is the structural representation of a kind of loop statement of this specification;

Fig. 4 is the structural representation of another kind of loop statement of this specification;

Fig. 5 is the structural representation of another kind of loop statement of this specification;

Fig. 6 is the structural representation of a kind of IF branch statement of this specification;

Fig. 7 is the structural representation of another kind of IF branch statement of this specification;

Fig. 8 is the structural representation of a kind of SWITCH selection statement of this specification;

Fig. 9 is a structural example diagram of a calling relationship graph of this specification;

10 is an embodiment of a detection device for out-of-bounds access to an array of this specification;

FIG. 11 is an embodiment of a detection device for out-of-bounds access to an array in this specification.

Detailed ways

Embodiments of the present specification provide a method, apparatus, and device for detecting out-of-bounds access to an array.

In order to make those skilled in the art better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings in the embodiments of this specification. Obviously, the described The embodiments are only some of the embodiments of the present specification, but not all of the embodiments. Based on the embodiments in this specification, all other embodiments obtained by persons of ordinary skill in the art without creative efforts shall fall within the protection scope of this document.

Example 1

As shown in FIG. 1 , an embodiment of this specification provides a detection method for out-of-bounds access to an array. The execution body of the method may be a terminal device or a server, wherein the terminal device may be a mobile phone, a tablet computer, etc., and the server may be a An independent server may also be a server cluster composed of multiple servers, or the like. The server may be a background server of a certain business (such as a transaction business, etc.), or a background server of a certain application (such as a financial application, etc.). The method may specifically include the following steps:

In step S102, the functions included in the program code to be detected and the calling relationship information between the above functions are acquired.

The program code to be detected may be any program code that needs to detect whether there is an out-of-bounds access to the array. The calling relationship information between the above functions may be related information in mutual calls between different functions, and the like.

In implementation, out-of-bounds access to an array is a common program coding defect. An out-of-bounds access to an array can cause a program crash or incorrect program execution results. Moreover, it can also lead to serious system security problems. Attackers can exploit The flaw escalates the attacker's own privileges to read or modify a user's sensitive data.

At present, there are usually four methods to find out the out-of-bounds access of arrays in the program: one is the method based on black-box testing or white-box testing, that is, to test the execution program by constructing test cases, and observe whether there is out-of-bounds access to the array in the program execution. . The second is the method of symbolic execution, that is, enumerating all possible input combinations of the program code, then simulating the execution of the program code through the symbolic execution mechanism, and detecting whether there is an array out of bounds in the program code during the process of simulating the execution of the program code access. The third is the detection method when the code instrumentation is running, that is, using the code instrumentation mechanism to insert additional detection code into the program code, and detect whether there is an array out-of-bounds access in the program code execution process. The fourth is the program static detection method, which uses the program static analysis mechanism to analyze whether the subscript is within the permitted range of the array when accessing the array in the program.

Among the above methods for detecting out-of-bounds access to arrays, the disadvantage of black-box testing or white-box testing is that enough test cases cannot be constructed to cover all execution paths of the program code. For the method of symbolic execution, the detection efficiency of this method is low. The detection time is too long, and the memory occupied by the detection is large. For the detection method when the code is instrumented and running, this method significantly reduces the execution speed of the program code. For the program static detection method, the detection range of this method is usually limited to the inside of the function. , it is difficult to find the defect of cross-function or cross-file data cross-boundary access. To this end, the embodiments of this specification need to provide a mechanism that can detect cross-function or cross-file array out-of-bounds access, and the mechanism can have faster acceleration, less memory, and can detect program codes in a wider range. Array out-of-bounds access defect in . The embodiments of this specification provide a related technical solution, which may specifically include the following content:

When it is necessary to perform array out-of-bounds access detection on a certain or multiple pieces of program code, the program code to be detected can be obtained. In practical applications, the program code to be detected can be obtained in various ways, for example, it can be uploaded by the user. Realization, that is, the upload page of the program code can be preset, and the upload page can include a code upload input box, an upload button and a cancel button, etc., the user can input the program code to be detected into the above code upload input box, and the input is completed. Then, the upload button can be clicked. At this time, the terminal device where the upload page is located can obtain the program code input by the user in the code input box, and can send the program code to the server, so that the server can obtain the program code to be detected. The server can analyze the content contained in the program code to be detected, determine the functions contained therein, and obtain the calling relationship information between different functions.

In practical applications, array out-of-bounds access often occurs in functions. Therefore, in order to make the functions in the program code more intuitive, the function call graph between different functions can be generated based on the calling relationship information between different functions. Subsequent corresponding processing can be performed based on the function call graph.

In step S104, if the calling relationship information between the above functions includes the target program statement that has not been accessed, it is detected whether the target program statement needs to access the array.

The target program statement may be any program statement.

In implementation, the detection of array out-of-bounds access can be performed by detecting whether the function call graph also includes unvisited program statements. Specifically, the function call relationship information obtained above can be analyzed, and the server can be searched for among them. Whether it contains the access record information of each program statement in the function call relationship information. If the record information of a program statement being accessed is not found, it means that the program statement has not been accessed. At this time, it can be detected whether the target program statement needs to be accessed. Specifically, whether the target program statement contains preset keywords or keywords, etc., if it contains the above keywords or keywords, it indicates that the target program statement needs to access the array. At this time, you can execute the following In the process of step S106, if the above keywords or keywords are not included, it indicates that the target program statement does not need to access the array. If the record information that all program statements are accessed is found, it indicates that all program statements in the calling relationship information between the above functions are accessed.

It should be noted that the above-mentioned method of detecting whether the target program statement needs to access a predetermined array is only an optional processing method. In practical applications, it can also include a variety of different processing methods, which can be set according to the actual situation. The embodiments of the present specification do not limit this.

In step S106, if the target program statement needs to access the array, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array is obtained.

The predetermined variable may be a variable existing in the subscript of the array, and the predetermined variable may include one or more, wherein the array may include one-dimensional or multi-dimensional arrays, and each dimension of the array may be set to a variable, and the variable may be located in the subscript ( It can also be called a subscript variable) and so on.

In implementation, a variable value range analysis mechanism may be preset, and the program statement included in the calling relationship information between the functions may be analyzed to determine the value range of the variable in different branches. If it is determined through the above processing methods that the target program statement needs to access the array, the definition of the array can be found through the preset traceability mechanism, and then the predetermined variable of the array accessed by the target program statement can be obtained, which can be analyzed through the variable value range analysis. The mechanism determines the value range of the predetermined variables of the array in the program area corresponding to the array.

In step S108 , based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array.

In implementation, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array can be compared with the number of dimensions corresponding to the array to be accessed by the target program statement. The value range of the predetermined variable in the program area corresponding to the array is the same as the number of dimensions corresponding to the array to be accessed by the target program statement, indicating that there is no out-of-bounds access to the array in the target program statement. If the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array is greater than the number of dimensions corresponding to the array to be accessed by the target program statement, it indicates that there is an array out-of-bounds access in the target program statement. Corresponding processing is performed on the target program statement, which may be specifically set according to the actual situation, which is not limited in the embodiment of this specification.

The embodiments of this specification provide a method for detecting array out-of-bounds access. By acquiring functions included in the program code to be detected, and calling relationship information between the functions, if the calling relationship information between the functions includes unaccessed If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, based on the target program statement The value range of the predetermined variable of the accessed array in the program area corresponding to the array is detected, whether the program code contains array out-of-bounds access, so that by detecting the program statement in the calling relationship information between functions, It is determined whether the program code contains array out-of-bounds access. Therefore, the detection process can cover all execution paths of the program code, and the detection accuracy is improved. Detecting and obtaining the value range of the predetermined variable of the array in the program area corresponding to the array to further detect whether the program code includes out-of-bounds access to the array can make the detection of out-of-bounds access to the array more efficient.

Embodiment 2

As shown in FIG. 2 , an embodiment of this specification provides a method for detecting out-of-bounds access to an array. The execution body of the method may be a terminal device or a server, wherein the terminal device may be a mobile phone, a tablet computer, etc., and the server may be a An independent server may also be a server cluster composed of multiple servers, or the like. The server may be a background server of a certain business (such as a transaction business, etc.), or a background server of a certain application (such as a financial application, etc.). The method may specifically include the following steps:

In step S202, the program code to be detected is converted into a program code in a predetermined expression form.

The predetermined expression form may be any preset expression form, that is, multiple different expression modes of the same thing may be unified into a predetermined expression form.

In implementation, in order to simplify the subsequent processing process, the program code to be detected can be converted into a program code of a unified predetermined expression form, so that the same thing can have the same expression mode, which is convenient for subsequent program code processing. For example, for whether there is an array out-of-bounds access in the program code to be detected, the involved array can be converted into a unified expression form, for example, the array can be expressed as base[subscript.1][subscript.2]…[subscript.N ] form, where base is an n-dimensional array, n is a positive integer, and subscript.1 to subscript.N are the subscripts of each dimensional array.

In step S204, the functions contained in the program code converted into a predetermined expression form are acquired.

In implementation, since the program code to be detected is converted into a unified expression form, different functions can be represented by setting keywords and/or structural formats, so that when a program converted into a predetermined expression form is obtained After coding, based on the keywords and/or structure formats corresponding to different functions, it can be determined which functions are included in the program code converted into the predetermined expression form, so that the functions included in the program code converted into the predetermined expression form can be obtained.

In step S206, the structure of the program statement of the function included in the converted program code is recognized, and the recognition result is obtained.

In implementation, in order to determine the variables contained in the program statement, it is necessary to identify the structure of the program statement of the function contained in the converted program code, so as to determine which specific statements (such as loop statements or branches) are contained in the program statements of the function. Statements, etc.), for this purpose, the recognition mechanism of program statements can be preset, and the recognition mechanism can be set in various ways. For example, the recognition mechanism can be set according to the characteristics or characteristics of different specific statements. For example, characteristic statements can be obtained. Specific keywords, keywords or key fields, etc. contained in the statement, and can set the structural characteristics or structural characteristics of specific statements, and then set based on specific keywords, keywords or key fields, and structural characteristics or structural characteristics the identification mechanism. Then, the program statement of the function can be matched with keywords, keywords or key fields, and structural features or structural features in the identification mechanism, and a matching result can be obtained as the identification result.

In step S208, if the identification result indicates that the program statement of the function is a loop statement, the loop induction variable and loop body corresponding to the program statement of the function are acquired.

In the implementation, the identification mechanism of the program statement can identify the structure of the program statement of the function, and if the result of the identification is a loop statement, it can identify the loop structure in the function and the loop induction variable used in the loop structure or self-increment, self-decrement Variables, and can determine the loop entry, loop exit and loop body, as well as the initial value of the induction variable, termination conditions and loop step size.

In step S210, the value range of the loop induction variable in the loop body is determined.

In the implementation, the variable value range analysis mechanism can also be preset, and the judgment conditions of the program statements in the function can be analyzed through the variable value range analysis mechanism to determine the value range of the variable in different branch regions, and the result of the loop analysis can be used to determine The value range of the variable in different regions. For different types of loop statements, the specific processing of the above steps S208 and S210 may be different, for example:

As shown in Figure 3, where the loop statement is a regular loop statement, the loop entry, loop back edge, loop exit and loop body in the function can be identified based on the identification mechanism of the program statement, and the loop induction variable can also be identified as I, there are initial values, constraints and self-increasing assignments, and the number of loops is (end-start)/step. The variable value range analysis mechanism can determine that the value range of the loop induction variable I in the loop body is [start, end), and can determine that the value range of the loop induction variable I after leaving the loop is (start+((end-start)/step+1 )*step).

As shown in Figure 4, where the loop statement is a loop statement that can be terminated early, the loop entry, loop exit and loop body in the function can be identified based on the identification mechanism of the program statement, and it can be identified that the loop statement can be terminated early, etc. , and can also recognize that the loop induction variable is I, there are initial values, constraints and self-increasing assignments, and the number of loops is (end-start)/step. The variable value range analysis mechanism can determine that the value range of the loop induction variable I in the loop body is [start, end), and can determine that the value range of the loop induction variable I after leaving the loop is [start, (start+((end-start)/ step+1)*step)), or approximately [start,end+step].

As shown in Figure 5, where the loop statement is a loop-free induction variable loop statement, the loop entry, loop exit, loop body, etc. in the function can be identified based on the identification mechanism of the program statement, and self-increment/self-decrement can also be identified. The variable is I. Since the loop termination condition does not contain I, there is no induction variable in the loop statement, and the number of loops is unknown. The variable value range analysis mechanism can determine that the value range of the self-increasing variable I before assigning the initial value is (I_min, I_max), the value range of I in the loop body is [start, I_max), and the loop induction variable I can be determined to leave the loop. The range of post values is [start, I_max).

In step S212, if the identification result indicates that the program statement of the function is an IF branch statement, the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function are obtained.

In implementation, the identification mechanism of the program statement can identify the structure of the program statement of the function, and if the identified result is an IF branch statement, the branch structure in the function and the THEN statement block, ELSE statement block and the THEN statement block used in the branch structure can be identified. Conditional judgment variables, etc.

In step S214, the value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block are respectively determined.

In implementation, the variable value range analysis mechanism can also analyze the judgment condition of the branch statement in the function to determine the value range of the variable in different areas of the branch, and use the result of the loop analysis to determine the value range of the variable in the different areas of the loop. For different types of IF branch statements, the specific processing of the above steps S208 and S210 may be different, for example:

As shown in FIG. 6 , where the branch statement is an IF branch statement, then the THEN statement block, the ELSE statement block and the condition judgment variable I etc. in the function can be identified based on the identification mechanism of the program statement. If the conditional judgment variable I has a value range of (I_min, I_max) before the IF branch statement, it is determined that the value range of I in the THEN statement block is (I_min, cond), and the value range in the ELSE statement block is [cond, I_max).

As shown in FIG. 7 , where the branch statement is a nested IF branch statement, then the THEN statement block, the ELSE statement block and the condition judgment variable I etc. in the function can be identified based on the identification mechanism of the program statement. Specifically, the top-level IF branch structure, the THEN statement block 1, the ELSE statement block 1, and the conditional judgment variable I can be identified, and the IF branch structure in the THEN statement block can also be identified, wherein the THEN statement block 2, ELSE Statement block 2 and conditional judgment variable I can also identify the IF branch structure in the ELSE statement block, including THEN statement block 3, ELSE statement block 3 and conditional judgment variable I, etc.

Among them, if the conditional judgment variable I has a value range of (I_min, I_max) before the IF branch statement, it is determined that the value range of I in THEN statement block 1 is (I_min, cond_1), and the value range in the ELSE statement block 1 is [cond_1 ,I_max). It can be determined that the value of I in THEN statement block 2 is (cond_2), and the value range in the ELSE statement block is (I_min, cond_2) U(cond_2, cond_1). It can be determined that the value range of I in THEN statement block 3 is (cond_3, I_max), and the value range in the ELSE statement block is [cond_1, cond_3].

In step S216, if the identification result indicates that the program statement of the function is a SWITCH selection statement, the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and selection variable are obtained.

In implementation, the identification mechanism of the program statement can identify the structure of the program statement of the function, and if the identified result is a SWITCH option statement, it can identify the CASE statement value in the function and its SWITCH option statement.

In step S218, the value range of the selection variable in each CASE statement block and the value range in the DEFAULT statement block are determined.

In the implementation, as shown in FIG. 8 , where the selection statement is a SWITCH selection statement, the CASE statement value and the corresponding CASE statement block in the function, as well as the DEFAULT statement block and the selection variable I can be identified based on the identification mechanism of the program statement. Wait. You can set the value range of I in each CASE statement block to its corresponding CASE statement value, and set the value range of I in the DEFAULT statement block to the value range of I before entering the SWITCH selection structure. Remove the remaining set of all CASE statement values. .

In addition, in addition to the above processing to obtain the variable value range, the relationship between the use and definition of variables in the function can also be obtained. Specifically, the relationship between the use and definition of variables in the function can be analyzed through the pre-set variable use definition analysis mechanism in the function. Establish use-definition relationship information (in practical applications, it can be a relationship chain), so that the use of each variable in the function can be traced to the definition of the variable along the relationship chain, and the definition of the variable can come from global variables , the formal parameters of the function, or the return value of other functions called by the function, etc.

The above is to analyze the program statement in the function to determine the variable value range in the function. In practical application, the relationship between the functions can also be analyzed. For details, please refer to the following steps S220 to S224.

In step S220, the calling relationship between the above functions is analyzed to obtain a function calling graph, where the function calling graph includes multiple functions and connecting lines between the multiple functions.

In implementation, a function call relationship analysis mechanism can be preset, and the function call relationship analysis mechanism can analyze the call relationship between functions to generate a function call graph, where the function call graph includes multiple functions and representations between multiple functions The connection line of the call relationship, each node on the function call graph can be a function, and each connection line (or edge) can be a call point.

In step S222, the formal parameters of the function in the function call graph are connected with the actual parameters of the function in the function call graph to obtain parameter connection information.

In the implementation, the actual parameters of the function call and the formal parameter analysis mechanism can also be preset, and an auxiliary data structure can be established through the actual parameters of the function call and the formal parameter analysis mechanism to associate the formal parameters of the function with the function at each call point. The actual parameters are connected to obtain parameter connection information.

In step S224, the usage and definition relationship between the functions in the function call graph of the predetermined global variable is acquired, and the connection information of the usage definition of the global variable is obtained.

In the implementation, the definition and usage analysis mechanism of global variables between functions can also be preset, and the relationship between the usage and definition of global variables between functions can be analyzed through the usage analysis mechanism of global variable definitions among functions, and the usage and definitions of global variables across functions can be compared with each other. Define the connection. The connection information used and defined for parameters, return values and global variables can be stored in a predetermined additional data table. The labeling can be shown in Figure 9.

In addition, the path tracking mechanism can also be preset, and the path tracking mechanism can be used to record the path information selected during the process of program code analysis for loops, branches or function calls. The path tracking mechanism can avoid loops, branches or functions. Missed or repeated visits ensure that cross-function analysis returns to the correct function call site.

In step S226, it is detected whether the calling relationship information between functions includes functions that have not been accessed.

In implementation, in order to improve processing efficiency, the access records of each function in the function call graph (that is, the call relationship information between functions) may be traversed first to determine whether the function call graph includes unvisited functions.

In step S228, if the calling relationship information between functions includes an unvisited function, the program statement in the unvisited function is used as the target program statement.

In implementation, if the calling relationship information between functions (that is, the function call graph) includes an unvisited function, it means that none of the program statements in the function have been accessed, and the program statement in the function is used as the target program statement .

In step S230, if the calling relationship information between functions does not include unvisited functions, it is detected whether the calling relation information between functions includes unvisited target program statements.

In step S232, if the calling relationship information between functions includes the target program statement that has not been accessed, it is detected whether the target program statement needs to access the array.

In implementation, for each target program statement, it can be identified whether it contains a predetermined array access structure, such as base[subscript.1][subscript.2]...[subscript.N], if it is identified that a certain target program statement contains a predetermined array access structure Contains a predetermined array access structure (such as base[subscript.1][subscript.2]...[subscript.N], etc.), then for each data access structure, first define the relationship information along the use of the array (such as use definition relationship chain) to find all definitions of the array, that is, execute the processing of the following step S234.

In step S234, if the target program statement needs to access the array, the definition of the array accessed by the target program statement is determined according to the predetermined usage definition relationship information.

The usage definition relationship information can be determined through the above-mentioned variable usage definition analysis mechanism in the function, and the specific processing can refer to the above-mentioned related content, which will not be repeated here.

In step S236, according to the predetermined usage definition relationship information and the record information corresponding to the definition of the array accessed by the target program statement, query the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array .

In the implementation, for the definition of each array, the size of each dimension corresponding to the array under the definition can be obtained, and the defined path of the array accessed by the target program statement is recorded through the path tracking mechanism, and then, according to the array The defined path used finds the value range of each predetermined variable in the program area that the path passes through.

In step S238, based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes array out-of-bounds access.

In implementation, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array can be compared with the size of the dimension corresponding to the array. If the predetermined variable of the array is in the program area corresponding to the array If the value range in the array exceeds the size of the corresponding dimension of the array, the array out-of-bounds access error can be determined and the path tracking information can be output.

It should be noted that, in the above processing process, each function and each program statement are accessed only once. When checking the access of each array, you can find the definition of the corresponding array along the use of the definition relationship information, and use the definition relationship information to find the definition of the corresponding array. The length usually has a fixed upper bound on the length. When verifying whether the predetermined variable is within the value range of the program area corresponding to the array along the defined path of the array, only the statement block less than the length of the path needs to be queried, so the time complexity of the above process can be considered as linear .

The embodiments of this specification provide a method for detecting array out-of-bounds access. By acquiring functions included in the program code to be detected, and calling relationship information between the functions, if the calling relationship information between the functions includes unaccessed If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, based on the target program statement The value range of the predetermined variable of the accessed array in the program area corresponding to the array is detected, whether the program code contains array out-of-bounds access, so that by detecting the program statement in the calling relationship information between functions, It is determined whether the program code contains array out-of-bounds access. Therefore, the detection process can cover all execution paths of the program code, and the detection accuracy is improved. Detecting and obtaining the value range of the predetermined variable of the array in the program area corresponding to the array to further detect whether the program code includes out-of-bounds access to the array can make the detection of out-of-bounds access to the array more efficient.

Embodiment 3

The method for detecting array out-of-bounds access provided by the above embodiments of this specification is based on the same idea, and an embodiment of this specification also provides a detection device for out-of-bounds access to an array, as shown in FIG. 10 .

The detection device for array out-of-bounds access includes: an information acquisition module 1001, an array access detection module 1002, a value range acquisition module 1003 and an out-of-bounds access detection module 1004, wherein:

The information acquisition module 1001 is used to acquire the functions contained in the program code to be detected, and the calling relationship information between the functions;

an array access detection module 1002, configured to detect whether the target program statement needs to access an array if the calling relationship information between the functions includes an unvisited target program statement;

A value range obtaining module 1003, configured to obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array if the target program statement needs to access an array;

The out-of-bounds access detection module 1004 is configured to detect whether the program code includes an out-of-bounds access to an array based on the value range of a predetermined variable of the array accessed by the target program statement in the program area corresponding to the array.

In the embodiment of this specification, the device further includes:

a function detection module, configured to detect whether the calling relationship information between the functions includes unvisited functions;

A function detection result module, configured to use the program statement in the unvisited function as the target program statement if the calling relationship information between the functions includes an unvisited function;

A statement detection module, configured to detect whether the calling relationship information between the functions includes an unvisited target program statement if the calling relationship information between the functions does not include an unvisited function.

In the embodiment of this specification, the device further includes:

a conversion module for converting the program code to be detected into a program code of a predetermined expression form;

The information acquisition module is used for acquiring the functions contained in the program code converted into a predetermined expression form, and the calling relationship information between the functions.

In the embodiment of this specification, the device further includes:

The identification module is used to identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result;

a first statement processing module, configured to acquire a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement;

The first value range determination module is used for determining the value range of the loop induction variable in the loop body.

In the embodiment of this specification, the device further includes:

The second statement processing module is used to obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function if the recognition result indicates that the program statement of the function is an IF branch statement;

The second value range determination module is configured to respectively determine the value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block.

In the embodiment of this specification, the device further includes:

A third statement processing module, configured to acquire the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and select variable;

The third value range determination module is used for determining the value range of the selection variable in each CASE statement block and the value range in the DEFAULT statement block.

In the embodiment of this specification, the information acquisition module 1001 includes:

a call graph determination unit, configured to analyze the calling relationship between the functions to obtain a function call graph, where the function call graph includes multiple functions and connecting lines between the multiple functions;

a parameter connection determination unit, configured to connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information;

The connection information determination unit is configured to acquire the usage and definition relationship between the functions of the predetermined global variables in the function call graph, and obtain the usage definition connection information of the global variables.

In the embodiment of this specification, the value range obtaining module 1003 includes:

A definition determining unit is used to determine the definition of the array accessed by the target program statement according to predetermined use definition relationship information if the target program statement needs to access the array;

The value range acquisition unit is used to query the corresponding record information of each dimension of the array accessed by the target program statement according to the predetermined use definition relationship information and the corresponding record information of the definition of the array accessed by the target program statement. range of values within the program area of .

An embodiment of the present specification provides a detection device for out-of-bounds access to an array. By acquiring the functions contained in the program code to be detected, and the calling relationship information between the functions, if the calling relationship information between the functions includes unaccessed If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, based on the target program statement The value range of the predetermined variable of the accessed array in the program area corresponding to the array is detected, whether the program code contains array out-of-bounds access, so that by detecting the program statement in the calling relationship information between functions, It is determined whether the program code contains array out-of-bounds access. Therefore, the detection process can cover all execution paths of the program code, and the detection accuracy is improved. Detecting and obtaining the value range of the predetermined variable of the array in the program area corresponding to the array to further detect whether the program code includes out-of-bounds access to the array can make the detection of out-of-bounds access to the array more efficient.

Embodiment 4

The detection device for out-of-bounds access of an array provided in the above embodiments of the present specification is based on the same idea, and an embodiment of the present specification also provides a detection device for out-of-bounds access of an array, as shown in FIG. 11 .

The detection device for out-of-bounds access to the array may be the server provided in the above embodiment.

The detection device for array out-of-bounds access may vary greatly due to different configurations or performance, and may include one or more processors 1101 and memory 1102, and the memory 1102 may store one or more storage applications or data. Among them, the memory 1102 may be short-lived storage or persistent storage. An application program stored in memory 1102 may include one or more modules (not shown), each module may include a series of computer-executable instructions in a device for detecting out-of-bounds access to an array. Still further, the processor 1101 may be arranged to communicate with the memory 1102 to execute a series of computer-executable instructions in the memory 1102 on a device for detecting out-of-bounds array accesses. The detection device for array out-of-bounds access may also include one or more power supplies 1103 , one or more wired or wireless network interfaces 1104 , one or more input and output interfaces 1105 , and one or more keyboards 1106 .

Specifically in this embodiment, the detection device for array out-of-bounds access includes a memory, and one or more programs, wherein one or more programs are stored in the memory, and one or more programs may include one or more modules, And each module may include a series of computer-executable instructions in a device for detecting out-of-bounds access to an array, and the one or more programs configured to be executed by one or more processors include computer-executable instructions for performing the following:

Obtain the functions contained in the program code to be detected, and the calling relationship information between the functions;

If the calling relationship information between the functions includes an unvisited target program statement, then detect whether the target program statement needs to access an array;

If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array;

Based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array.

In the embodiment of the present specification, after acquiring the functions included in the program code to be detected and the calling relationship information between the functions, the method further includes:

Detecting whether the calling relationship information between the functions includes unvisited functions;

If the calling relationship information between the functions includes an unvisited function, use the program statement in the unvisited function as the target program statement;

If the invocation relationship information between the functions does not include unvisited functions, it is detected whether the invocation relation information between the functions includes an unvisited target program statement.

In the embodiment of this specification, it also includes:

Converting the program code to be detected into program code in a predetermined expression form;

The acquisition of the functions contained in the program code to be detected, and the calling relationship information between the functions, include:

The functions contained in the program code converted into a predetermined expression form and the calling relationship information between the functions are acquired.

In the embodiment of this specification, it also includes:

Identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result;

If the identification result indicates that the program statement of the function is a loop statement, acquiring the loop induction variable and the loop body corresponding to the program statement of the function;

A range of values for the loop induction variable within the loop body is determined.

In the embodiment of this specification, it also includes:

If the identification result indicates that the program statement of the function is an IF branch statement, then obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function;

The value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block are respectively determined.

In the embodiment of this specification, it also includes:

If the identification result indicates that the program statement of the function is a SWITCH selection statement, then obtain the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and selection variable;

Determine the value range of the selection variable within each CASE statement block and the value range within the DEFAULT statement block.

In the embodiment of this specification, the obtaining of the calling relationship information between the functions includes:

Analyzing the calling relationship between the functions to obtain a function calling graph, where the function calling graph includes multiple functions and connecting lines between the multiple functions;

Connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information;

The usage and definition relationship between each function in the function call graph of the predetermined global variable is acquired, and the connection information of the usage definition of the global variable is obtained.

In the embodiment of this specification, if the target program statement needs to access an array, the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array is obtained, including:

If the target program statement needs to access the array, then according to the predetermined use definition relationship information, determine the definition of the array accessed by the target program statement;

According to the predetermined usage definition relationship information and the record information corresponding to the definition of the array accessed by the target program statement, query the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array .

An embodiment of the present specification provides a detection device for out-of-bounds access to an array. By acquiring the functions contained in the program code to be detected, and the calling relationship information between the functions, if the calling relationship information between the functions includes unaccessed If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, based on the target program statement The value range of the predetermined variable of the accessed array in the program area corresponding to the array is detected, whether the program code contains array out-of-bounds access, so that by detecting the program statement in the calling relationship information between functions, It is determined whether the program code contains array out-of-bounds access. Therefore, the detection process can cover all execution paths of the program code, and the detection accuracy is improved. Detecting and obtaining the value range of the predetermined variable of the array in the program area corresponding to the array to further detect whether the program code includes out-of-bounds access to the array can make the detection of out-of-bounds access to the array more efficient.

The foregoing describes specific embodiments of the present specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the embodiments and still achieve desirable results. Additionally, the processes depicted in the figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

In the 1990s, improvements in a technology could be clearly differentiated between improvements in hardware (eg, improvements to circuit structures such as diodes, transistors, switches, etc.) or improvements in software (improvements in method flow). However, with the development of technology, the improvement of many methods and processes today can be regarded as a direct improvement of the hardware circuit structure. Designers almost get the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be realized by hardware entity modules. For example, a Programmable Logic Device (PLD) (eg, Field Programmable Gate Array (FPGA)) is an integrated circuit whose logic function is determined by user programming of the device. It is programmed by the designer to "integrate" a digital system on a PLD without having to ask the chip manufacturer to design and manufacture a dedicated integrated circuit chip. And, instead of making integrated circuit chips by hand, these days, much of this programming is done using software called a "logic compiler", which is similar to the software compiler used in program development and writing, but before compiling The original code also has to be written in a specific programming language, which is called Hardware Description Language (HDL), and there is not only one HDL, but many kinds, such as ABEL (Advanced Boolean Expression Language) , AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (RubyHardware Description Language), etc. The most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. It should also be clear to those skilled in the art that a hardware circuit for implementing the logic method process can be easily obtained by simply programming the method process in the above-mentioned several hardware description languages and programming it into the integrated circuit.

The controller may be implemented in any suitable manner, for example, the controller may take the form of eg a microprocessor or processor and a computer readable medium storing computer readable program code (eg software or firmware) executable by the (micro)processor , logic gates, switches, application specific integrated circuits (ASICs), programmable logic controllers and embedded microcontrollers, examples of controllers include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, the memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art also know that, in addition to implementing the controller in the form of pure computer-readable program code, the controller can be implemented as logic gates, switches, application-specific integrated circuits, programmable logic controllers and embedded devices by logically programming the method steps. The same function can be realized in the form of a microcontroller, etc. Therefore, such a controller can be regarded as a hardware component, and the devices included therein for realizing various functions can also be regarded as a structure within the hardware component. Or even, the means for implementing various functions can be regarded as both a software module implementing a method and a structure within a hardware component.

The systems, devices, modules or units described in the above embodiments may be specifically implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, the computer can be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or A combination of any of these devices.

For the convenience of description, when describing the above device, the functions are divided into various units and described respectively. Of course, when implementing one or more embodiments of the present specification, the functions of each unit may be implemented in one or more software and/or hardware.

As will be appreciated by one skilled in the art, the embodiments of the present specification may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present specification may employ a computer program implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein form of the product.

Embodiments of the specification are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the specification. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable array out-of-bounds access detection device to produce a machine that enables processing by a computer or other programmable array out-of-bounds access detection device The instructions executed by the processor produce means for implementing the functions specified in the flow or blocks of the flowchart and/or the block or blocks of the block diagram.

These computer program instructions may also be stored in a computer readable memory capable of directing a computer or other programmable array out-of-bounds access detection device to function in a particular manner, such that the instructions stored in the computer readable memory result in an article of manufacture comprising the instruction means , the instruction means implements the functions specified in the flow or flow of the flowchart and/or the block or blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable array out-of-bounds access detection device, such that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, which is then executed on the computer or other programmable device The instructions executed on the above provide steps for implementing the functions specified in the flowchart or blocks and/or the block or blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-persistent memory in computer readable media, random access memory (RAM) and/or non-volatile memory in the form of, for example, read only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media includes both persistent and non-permanent, removable and non-removable media, and storage of information may be implemented by any method or technology. Information may be computer readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Flash Memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cartridges, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, excludes transitory computer-readable media, such as modulated data signals and carrier waves.

It should also be noted that the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device comprising a series of elements includes not only those elements, but also Other elements not expressly listed, or which are inherent to such a process, method, article of manufacture, or apparatus are also included. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article of manufacture, or device that includes the element.

As will be appreciated by one skilled in the art, the embodiments of the present specification may be provided as a method, a system or a computer program product. Accordingly, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present specification may employ a computer program implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein form of the product.

One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including storage devices.

Each embodiment in this specification is described in a progressive manner, and the same and similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the system embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and for related parts, please refer to the partial descriptions of the method embodiments.

The above descriptions are merely examples of the present specification, and are not intended to limit the present specification. Various modifications and variations of this specification are possible for those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this specification shall be included within the scope of the claims of this specification.

Claims (17)

1. a detection method for array out-of-bounds access, the method comprising: Obtain the functions contained in the program code to be detected, and the calling relationship information between the functions; If the calling relationship information between the functions includes an unvisited target program statement, then detect whether the target program statement needs to access an array; If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array; Based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array. 2. The method according to claim 1, after the acquisition of the functions contained in the program code to be detected and the calling relationship information between the functions, the method further comprises: Detecting whether the calling relationship information between the functions includes unvisited functions; If the calling relationship information between the functions includes an unvisited function, use the program statement in the unvisited function as the target program statement; If the invocation relationship information between the functions does not include unvisited functions, it is detected whether the invocation relation information between the functions includes an unvisited target program statement. 3. The method of claim 1, further comprising: Converting the program code to be detected into program code in a predetermined expression form; The acquisition of the functions contained in the program code to be detected, and the calling relationship information between the functions, include: The functions contained in the program code converted into a predetermined expression form and the calling relationship information between the functions are acquired. 4. The method of claim 3, further comprising: Identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result; If the identification result indicates that the program statement of the function is a loop statement, acquiring the loop induction variable and the loop body corresponding to the program statement of the function; A range of values for the loop induction variable within the loop body is determined. 5. The method of claim 4, further comprising: If the identification result indicates that the program statement of the function is an IF branch statement, then obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function; The value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block are respectively determined. 6. The method of claim 4, further comprising: If the identification result indicates that the program statement of the function is a SWITCH selection statement, then obtain the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and selection variable; Determine the value range of the selection variable within each CASE statement block and the value range within the DEFAULT statement block. 7. The method according to claim 1, wherein the acquiring call relationship information between the functions comprises: Analyzing the calling relationship between the functions to obtain a function calling graph, where the function calling graph includes multiple functions and connecting lines between the multiple functions; Connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information; The usage and definition relationship between each function in the function call graph of the predetermined global variable is acquired, and the connection information of the usage definition of the global variable is obtained. 8. The method according to claim 1, wherein if the target program statement needs to access an array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, including : If the target program statement needs to access the array, then according to the predetermined use definition relationship information, determine the definition of the array accessed by the target program statement; According to the predetermined usage definition relationship information and the record information corresponding to the definition of the array accessed by the target program statement, query the value range of each dimension of the predetermined variable in the array accessed by the target program statement in the program area corresponding to the array . 9. A detection device for array out-of-bounds access, the device comprising: an information acquisition module, used for acquiring the functions contained in the program code to be detected, and the calling relationship information between the functions; an array access detection module for detecting whether the target program statement needs to access an array if the calling relationship information between the functions includes an unvisited target program statement; A value range acquisition module, configured to obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array if the target program statement needs to access the array; The out-of-bounds access detection module is configured to detect whether the program code includes out-of-bounds access to the array based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array. 10. The apparatus of claim 9, further comprising: a function detection module, configured to detect whether the calling relationship information between the functions includes unvisited functions; A function detection result module, configured to use the program statement in the unvisited function as the target program statement if the calling relationship information between the functions includes an unvisited function; A statement detection module, configured to detect whether the calling relationship information between the functions includes an unvisited target program statement if the calling relationship information between the functions does not include an unvisited function. 11. The apparatus of claim 9, further comprising: a conversion module for converting the program code to be detected into a program code of a predetermined expression form; The information acquisition module is used for acquiring the functions contained in the program code converted into a predetermined expression form, and the calling relationship information between the functions. 12. The apparatus of claim 11, further comprising: The identification module is used to identify the structure of the program statement of the function contained in the converted program code, and obtain the identification result; a first statement processing module, configured to acquire a loop induction variable and a loop body corresponding to the program statement of the function if the identification result indicates that the program statement of the function is a loop statement; The first value range determination module is used for determining the value range of the loop induction variable in the loop body. 13. The apparatus of claim 12, further comprising: The second statement processing module is used to obtain the THEN statement block, the ELSE statement block and the condition judgment variable corresponding to the program statement of the function if the recognition result indicates that the program statement of the function is an IF branch statement; The second value range determination module is configured to respectively determine the value range of the condition judgment variable in the THEN statement block and the value range in the ELSE statement block. 14. The apparatus of claim 12, further comprising: A third statement processing module, configured to acquire the CASE statement value corresponding to the program statement of the function and its corresponding CASE statement block, DEFAULT statement block and select variable; The third value range determination module is used for determining the value range of the selection variable in each CASE statement block and the value range in the DEFAULT statement block. 15. The device according to claim 9, the information acquisition module, comprising: a call graph determination unit, configured to analyze the calling relationship between the functions to obtain a function call graph, where the function call graph includes multiple functions and connecting lines between the multiple functions; a parameter connection determination unit, configured to connect the formal parameters of the function in the function call map with the actual parameters of the function in the function call map to obtain parameter connection information; The connection information determination unit is configured to acquire the usage and definition relationship between the functions of the predetermined global variables in the function call graph, and obtain the usage definition connection information of the global variables. 16. The apparatus according to claim 9, the value range acquisition module, comprising: A definition determining unit is used to determine the definition of the array accessed by the target program statement according to predetermined use definition relationship information if the target program statement needs to access the array; The value range acquisition unit is used to query the corresponding record information of each dimension of the array accessed by the target program statement according to the predetermined use definition relationship information and the corresponding record information of the definition of the array accessed by the target program statement. range of values within the program area of . 17. A detection device for array out-of-bounds access, the detection device for array out-of-bounds access comprises: processor; and memory arranged to store computer-executable instructions which, when executed, cause the processor to: Obtain the functions contained in the program code to be detected, and the calling relationship information between the functions; If the calling relationship information between the functions includes an unvisited target program statement, then detect whether the target program statement needs to access an array; If the target program statement needs to access the array, then obtain the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array; Based on the value range of the predetermined variable of the array accessed by the target program statement in the program area corresponding to the array, it is detected whether the program code includes out-of-bounds access to the array.

Images