CN102662825A - Method for detecting memory leakage of heap operational program - Google Patents

Method for detecting memory leakage of heap operational program Download PDF

Info

Publication number
CN102662825A
CN102662825A CN2012100410257A CN201210041025A CN102662825A CN 102662825 A CN102662825 A CN 102662825A CN 2012100410257 A CN2012100410257 A CN 2012100410257A CN 201210041025 A CN201210041025 A CN 201210041025A CN 102662825 A CN102662825 A CN 102662825A
Authority
CN
China
Prior art keywords
pointer
state
statement
memory
heap
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012100410257A
Other languages
Chinese (zh)
Other versions
CN102662825B (en
Inventor
王戟
董龙明
陈立前
董威
刘万伟
李仁见
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology filed Critical National University of Defense Technology
Priority to CN201210041025.7A priority Critical patent/CN102662825B/en
Publication of CN102662825A publication Critical patent/CN102662825A/en
Application granted granted Critical
Publication of CN102662825B publication Critical patent/CN102662825B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The present invention discloses a method for detecting the memory leakage of a heap operational program, is directed to solving a technical problem of the memory error detection of the heap operational program in terms of precision and efficiency, and provides a novel memory leakage detection method with improved precision and efficiency of the detection. The technical scheme comprises analyzing a source code of the program in terms of statement and morphology at first and generating an intermediate file; carrying out a pretreatment which includes slicing and transformation; obtaining an abstract state of a heap memory based on the definition of an extension type of a pointer variable in the program; employing a forward data flow iteration method to implement an in-process detection and an inter-process detection; and finally inspecting and counting results of the memory leakage detection. The method finds a good equilibrium point between precision and efficiency of a static analysis, accelerates the termination of an iterative algorithm, improves the precision and the efficiency of the detection, and has a strong scalability and a low storage overhead.

Description

A kind of memory leakage detecting method towards the heap operation program
Technical field
The present invention relates to one type of static detection method in the computer program with heap operation program internal memory leakage of dynamic, variable shared drive operating characteristic.
Background technology
The heap operation program comprises the program of using dynamic data structure (as: chained list, tree etc.) storage and deal with data; Very common at system software and application software, such as: operating system (as: Linux, FreeRTOS) is usually used the task of priority query or Hash table management system; The device drives supervisory routine is used and is shared unidirectional or doubly linked list management various device; Server software (as: Apache) uses container (Collection) to accept and store various user's requests; Information system management software uses all kinds of containers to represent view and the storage data that inquiry obtains from database.This class method all has dynamic assignment in the operational process, polymerization, separation or discharges the characteristics of internal storage location in the heap; On the other hand; Can know when analyzing this class method source code; The programmer uses pointer variable (or pointer field) direct (or indirectly) to handle these internal storage locations; Make to exist complicated points relationship between these Dram unit, such as: certain internal storage location maybe be pointed by a plurality of pointer variables or other internal storage location.Therefore, it is more difficult and much complicated than the program of other types to judge whether the internal storage location of having applied in the heap operation program finally is released.Memory overflow is meant that the internal memory of dynamic assignment is not released immediately, and it is one type of important software mistake, and it can cause the system of continuous service to collapse perhaps important leakage of information owing to memory source exhausts.
Current, memory overflow detects has several different methods and instrument thereof, mainly is divided into dynamic and static method.The instrument of exemplary dynamic method has Purify, JPF etc., though these class methods can be located mistake exactly, automaticity is high, is subject to the input use-case, can not check all memory overflow mistakes; Static method is not check whether there is memory overflow under the operating software prerequisite, and exemplary operation has: LCLint, SATURN etc., can find all possible memory overflow mistake, but have higher rate of false alarm.Therefore, how under the prerequisite that guarantees precision, to make the Static Detection instrument can detect focus and the difficult point that extensive program is current Static Detection research.The method that detects to memory overflow in the heap operation program of dynamic, variable storage allocation mainly can be divided into:
(1) the insensitive detection method in territory
Whether the internal memory node that the insensitive detection method in territory is based on each distribution in the pointer alias analysis trace routine finally is released, can be divided into again stream responsive insensitive with stream, the path is responsive and the path is insensitive, context-sensitive and the insensitive 6 kinds of detection methods of context.For example: people such as Zongxing Xu have proposed in software quality international conference in 2008 (QSIC ' 08) based on the responsive interprocedual memory overflow algorithm in constraint solver CVC3 path; Yungbum Jung and Kwangkeun Yi have proposed a kind of static analysis tools SPARROW of robotization in international memory management forum meeting (ISMM ' 08), designed the parameterized procedure function method of abstracting based on the escape model; In addition; Xie Yichen and Alex Aiken have proposed memory overflow testing tool Saturn in the 10th European soft project meeting; With the memory leak issue stipulations is the satisfiability problem of boolean's formula, uses the SAT solver to judge whether to exist memory overflow then; People such as David L.Heine have proposed memory overflow testing tool Clouseau on the 28th International Conference on Software Engineering; It is based on pointer entitlement and describes the pointer variable that discharges the heap memory node, constructs the entitlement constrained system then and detects the memory overflow mistake.All these instruments can not directly apply to and detect memory overflow mistake in the heap operation program.
(2) the responsive detection method in territory
The responsive detection method in territory relates to the accessibility relation between the heap memory unit.People such as Mooly Sagiv have proposed three-valued logic TVLA (Three-Value Logic) on ACM program language in 2002 and system's transactions (TOPLAS ' 02); Program to having the chained list type is divided into limited equivalence class through definition core (core) and auxiliary (instrumental) predicate collection with the internal memory node; Form through routine analyzer proves that various chained list running programs do not have the memory overflow mistake, yet TVLA exists when being applied to the heap operation program internal memory Leak Detection of other types than higher wrong report; People such as Hackett have proposed a kind of regional morphology analytical algorithm based on reference count of novelty in ACM program language principle in 2005 international conference (POPL ' 05); And can in 2 minutes, detect and find 97 mistakes to 3 popular large-scale c programs of several ten thousand row; Wherein have only 37 to be true mistake; Though efficiency ratio is higher,, exist higher rate of false alarm; People such as Ji Wang have designed the memory overflow detection algorithm that drives based on the abstract sensing figure of internal memory demand on Chinese journal of computers English edition (JCST ' 09) in 2009; And on precision and efficient, obtain the better balance that compares; But storage overhead and computation complexity are still than higher.Recently, occurred in succession using the morphological analysis method of reasoning from logic to detect EMS memory error to the heap operation program, exemplary operation has: SpaceInvader and Xisa.SpaceInvader verifies upward use separation logic (Separation Logic) formula recursive definition linked list data structure invariant of international conference (CAV ' 08) area of computer aided in 2008; Designed various inference rules based on recursive definition then the heap operation program has been carried out reasoning, successful analysis and the internal memory correctness of having verified some device drives supervisory routines under Windows and the Linux; Xisa goes up the internal memory security property that the heap operation program was analyzed and verified to the User Defined data structure invariant of using abstract interpretation framework support parameterization in ACM program language principle in 2008 international conference (POPL ' 08).But these methods receive the constraint of User Defined data structure invariant, and automaticity is not high, and the EMS memory error that is difficult to be useful for extensive practical programs detects automatically.
In sum, though there is multiple different memory leakage detecting method in academia with industry member at present, every kind of method all has separately the characteristics and the scope of application, and they all have weak point on detection heap operation program.Though the insensitive detection method in territory can detect extensive program; But accuracy of detection is lower; Especially face when having the heap operation program of heap memory polymerization, stalling characteristic, whether all internal memory nodes that can not detect in the same pointer variable sensing region of memory all are released; Though the territory sensitive detecting method can detect all memory overflow mistakes in the heap operation program, but because automated procedures are not high or system resource (mainly comprising internal memory, time) consumption cost is too big, so efficient is not high, the program scale that can analyze is smaller.
Summary of the invention
The technical matters that the present invention will solve is: be directed against current memory leakage detecting method in the problem that has precision and efficient aspect the heap operation program internal memory error-detecting with operating characteristics such as dynamic shared drive application, merging, separation, deletions; A kind of memory leakage detecting method based on the abstract forward data flow iteration in heap memory part is provided, improves the precision and the efficient that detect.
Concrete technical scheme is:
The 1st step; Utilize the compiler platform that program to be detected is carried out lexical analysis, grammatical analysis, generate abstract syntax tree, control flow graph (describing the front and back relation of continuing between the program basic statement), the such intermediate information of invocation of procedure figure (call graph in the program between function) of program to be detected.
The 2nd step, pre-service.Before real heap operation program internal memory detects to one, need carry out two step pre-service.
2.1 section is about to those and does not use the assignment statement of any pointer type variable from program, to delete, the program after obtaining cutting into slices.
Convert canonical form 2.2 will pass through the pointer assignment statement that does not meet canonical form in the program after the section to according to transformation rule.The pointer assignment statement of canonical form comprises 7 kinds: 1, and p is changed to sky with pointer variable, and shape is like p=null; 2, with pointer field p->f of pointer variable p mBe changed to sky, shape is like p->f m=null; 3, copy statement between pointer variable, shape is like p=q; 4, copy statement between the pointer field of pointer p and pointer q, shape is like p=q->f m5, copy statement between the pointer field of pointer p and pointer q, shape is like p->f m=q; 6, internal memory application statement, shape is like p=malloc; 7, the internal memory free statement, shape is like free (p).Transformation rule has 5 kinds, is respectively: 1, introduce auxiliary pointer variable pt 0With shape such as p->f m=q->f nPointer assignment statement convert into: pt 0=q->f nP->f m=pt 02, introduce auxiliary pointer variable pt 1With shape such as p=p->f mPointer assignment statement convert into: pt 1=p->f mP=pt 13, introduce auxiliary pointer variable pt 2With shape such as p->f mThe pointer assignment statement of=malloc converts into: pt 2=malloc; P->f m=pt 24, introduce auxiliary pointer variable pt 3With shape such as p=q->f m->f nPointer assignment statement convert into: pt 3=q->f mP=pt 3->f n5, introduce auxiliary pointer variable pt 4With shape such as free (p->f m) the internal memory free statement convert into: pt 4=p->f mFree (pt 4).
In the 3rd step,, obtain the abstract state of heap memory of program according to the expansion type of the another name information definition pointer of each pointer variable in the function.In the heap operation program, the expansion type of pointer variable p<img file="BDA0000137616750000041.GIF" he="62" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="39" />Be defined as:<f<sub >1</sub>:<dist; 2<sup >PVar</sup>>f<sub >2</sub>:<dist, 2<sup >PVar</sup>>... f<sub >i</sub>:<dist; 2<sup >PVar</sup>>...; f<sub >n</sub>:<dist; 2<sup >PVar</sup>>>, wherein: f<sub >1</sub>, f<sub >2</sub>... f<sub >i</sub>..., f<sub >n</sub>Represent that respectively p points to the name of pointer field in the internal storage location, 1≤i≤n, that is: p points to the internal storage location of being assembled by n pointer field, and internal storage location is called the internal memory node again; The internal memory node was apart from the value of pointer p during variable dist represented to pile; 2<sup >PVar</sup>Represent the pointer variable collection that all internal memory nodes that to point to apart from p internal memory nodal value pointed be dist constitute, be called pointer another name collection, comprising: the formal parameter that has pointer type in global pointer variable, local pointers variable, the function.Analyzing 7 kinds of basic pointer assignment statements of standard of heap operation program can know: the internal memory node that p directly or indirectly quotes in pointer assignment statement is 1 apart from the maximal value of p, for example: statement p->f<sub >i</sub>=q, pointer field f in the internal memory node that pointer p is pointed<sub >i</sub>The value address of being revised as pointer q internal memory node pointed, in this statement, p is through pointer field f<sub >i</sub>The internal memory node that route can reach is 1 apart from the value of p.Therefore, the scope of variable dist value is: 0,1 and 2, wherein: element 0 and 1 expression heap memory middle distance p internal memory node exact value pointed, value 2 is arbitrary values, expression is through certain pointer field f<sub >i</sub>The above routing times of twice or twice (claim the operation of pointer dereference again, dereferencing), the internal memory node that in heap memory, obtains the like this node (summary node) of claiming again to make a summary.Two special elements are arranged: empty set among the pointer set 2PVar<img file="BDA0000137616750000042.GIF" he="41" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="21" />Have no pointer variable to point to this internal storage location in the expression heap memory, and this internal storage location has been assigned with in heap memory; ⊥ representes certain pointer variable p or pointer field f<sub >i</sub>Value be null (the special marking value representes that this pointer variable value is invalid memory address), p or pointer field f<sub >i</sub>Internal storage location pointed also is not assigned with in heap.The active pointer variable of heap operation program HP is one type of pointer variable that is used or revises in the usability of program fragments, and LivePVar representes by predicate.So, the local abstract state of heap memory<img file="BDA0000137616750000043.GIF" he="43" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="38" />Be set, that is: with expansion type formation of active pointer variable<img file="BDA0000137616750000044.GIF" he="44" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="54" />In the formula, p<sub >i</sub>Represent that any one has active pointer variable,<img file="BDA0000137616750000045.GIF" he="62" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="48" />Expression p<sub >i</sub>Expansion type.Hence one can see that: in the heap operation program, the number of the local abstract state of heap memory is limited.Suppose that the pointer variable number is pn in the heap operation program, the number of pointer field is fn in the aggregate type, so the local abstract state of heap memory<img file="BDA0000137616750000046.GIF" he="42" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="38" />Maximum number be: [fn * 3 * (2<sup >Pn</sup>+ 1)]<sup >Pn</sup>, in the formula, the kind of 3 expression distance values, 2<sup >Pn</sup>Number of subsets in the power set of expression pointer another name collection, 1 expression add that the pointer another name concentrates special elements value ⊥.
In the 4th step, memory overflow detects in the process.Definition according to above-mentioned pointer expansion type; Obtain in the heap operation program basic statement about the transition relationship of the abstract state of heap memory; Particularly; Certain function f of top-down selection from the invocation of procedure figure of program to be detected; And the abstract state
Figure BDA0000137616750000047
of function f porch is set to sky, and carrying out according to the forward data flow alternative manner that memory overflow detects in the process, the forward data flow alternative manner is:
4.1 the abstract state of the heap memory of each program point i in the initialization function f
Figure BDA0000137616750000048
is changed to sky; And formation W is changed to sky; W is the formation of a fifo fifo; Fundamental element is that
Figure BDA0000137616750000051
is right, and s is a statement.
4.2 entry statement s with function f 0With abstract state
Figure BDA0000137616750000052
Join formation W.
4.3 whether be empty, if for sky then changeed for the 6th step, if for sky then carry out 4.4 if judging formation W.
4.4 W popped from the queue items?
Figure BDA0000137616750000053
type conversion according to statement s abstract states? get new abstract states?
Figure BDA0000137616750000055
specific methods are as follows:
4.4.1 if statement s is basic pointer assignment statement; Then the type conversion state by 7 kinds of pointer assignment statements obtains new abstract state
Figure BDA0000137616750000057
and from Succ (s), selects certain element s ', the follow-up statement collection of statement s in Succ (s) the expression control flow graph.Carry out 4.5 then.Method by the type conversion
Figure BDA0000137616750000058
of 7 kinds of pointer assignment statements is:
(1) pointer assignment statement p=null.Transformation rule is: at state
Figure BDA0000137616750000059
In, at first from passing through certain pointer field f iRoute can reach the concentrated deletion of the pointer another name p that p points to the internal memory node, then will
Figure BDA00001376167500000510
Be changed to null, that is: will
Figure BDA00001376167500000511
In all pass through f iThe route distance value is that 0,1 and 2 pointer another name collection is changed to ⊥, obtains new abstract state
Figure BDA00001376167500000512
If state
Figure BDA00001376167500000513
Middle pointer p internal memory node pointed exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with this statement s and abstract state
Figure BDA00001376167500000514
Join among the memory overflow formation heapleakListF, heapleakListF preserves all statements that memory overflow takes place and the formation of state, and fundamental element is: statement and abstract state are right
Figure BDA00001376167500000515
(2) statement p->f m=null.Transformation rule is: at state
Figure BDA00001376167500000516
In, pointer variable x representative can be passed through certain pointer field f iRoute can reach the pointer variable that p points to the internal memory node.At first, revise the expansion type of x: if x calls with p, that is: x is 0 to the distance of p, then from In will pass through f iThe route distance value is that 1 and 2 pointer another name collection is changed to sky; If x is 1 or 2 to the distance value of p, then from
Figure BDA00001376167500000518
In pass through f iRoute distance is concentrated deletion from the pointer another name that is 2
Figure BDA00001376167500000519
In pass through f iThe route distance value is 1 and 2 pointer another name collection.Then, will
Figure BDA00001376167500000520
In pass through f mThe route distance value is that 1 and 2 pointer another name collection is changed to sky, obtains new abstract state
Figure BDA00001376167500000521
If state
Figure BDA00001376167500000522
Middle p points to the f in the internal memory node mThe internal memory node that points to exists and is not passed through f by other pointer variables or other internal memory nodes iRoute can reach, and memory overflow then takes place, with statement s and state
Figure BDA00001376167500000523
Join among the memory overflow formation heapleakListF.
(3) pointer copy statement p=q.Transformation rule is: at first; Obtaining middle abstract state
Figure BDA00001376167500000525
then under the abstract state in centre
Figure BDA00001376167500000526
according to rule (1) perform statement p=null under the state
Figure BDA00001376167500000524
; The sensing of p soon is revised as the node that q points to
Figure BDA00001376167500000527
assignment is given ; Obtain new abstract state
Figure BDA00001376167500000529
if the internal memory node that p points in the state
Figure BDA00001376167500000530
exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory; Memory overflow then takes place, and statement s and state are joined among the memory overflow formation heapleakListF.
(4) statement p=q->f mTransformation rule is: at first, and at state Abstract state in the middle of obtaining according to rule (1) perform statement p=null down
Figure BDA0000137616750000063
The abstract state in the centre then
Figure BDA0000137616750000064
To down, In pass through f mThe route distance value be 1 pointer another name collection assignment give with
Figure BDA0000137616750000066
In through certain pointer field f iThe route distance value is 0 pointer another name collection, and p is joined
Figure BDA0000137616750000067
In pass through f iThe route distance value is that 1 pointer another name is concentrated, and obtains new abstract state
Figure BDA0000137616750000068
If state
Figure BDA0000137616750000069
The internal memory node that middle p points to exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with statement s and state
Figure BDA00001376167500000610
Join among the memory overflow formation heapleakListF.
(5) statement p->f m=q.Transformation rule is: at first, and at state
Figure BDA00001376167500000611
Down according to rule (1) perform statement p->f mAbstract state in the middle of=null obtains
Figure BDA00001376167500000612
The abstract state in the centre then
Figure BDA00001376167500000613
Down, set Q representes
Figure BDA00001376167500000614
In through certain pointer field f iRoute distance is from the pointer another name collection that is 0, and pointer variable t representes abstract state
Figure BDA00001376167500000615
In can pass through f iThe one or many route arrives the pointer of the internal memory node of p sensing.According to abstract state in the middle of the following rules modification
Figure BDA00001376167500000616
At first, revise the expansion type of each pointer variable y among the set Q Will
Figure BDA00001376167500000618
In pass through f iRoute distance joins from the pointer another name collection that is 0 In pass through f iRoute distance is concentrated from the pointer another name that is 1, will In pass through f iRoute distance adds to from the pointer another name collection that is 1 and 2 In pass through f iRoute distance is concentrated from the pointer another name that is 2; Then, will pass through f iRoute distance is that 0,1 and 2 pointer another name collects and adds to together with q from q value In pass through f iRoute distance is concentrated from the pointer another name that is 2, obtains new abstract state
Figure BDA00001376167500000623
If state
Figure BDA00001376167500000624
F in the internal memory node that middle p points to mThe internal memory node that points to exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with statement s and state Join among the memory overflow formation heapleakListF.
(6) Memory Allocation statement p=malloc ().Transformation rule is: at first, and at state
Figure BDA00001376167500000626
Abstract state in the middle of obtaining according to rule (1) perform statement p=null down
Figure BDA00001376167500000627
The abstract state in the centre then
Figure BDA00001376167500000628
Down, newly apply for an internal memory node and give pointer p, that is: will the address assignment of this internal memory node
Figure BDA00001376167500000629
In through certain pointer field f iRoute distance is changed to empty set from the pointer another name collection that is 0 Pass through f iRoute distance is changed to ⊥ from the pointer another name collection that is 1 and 2, obtains new abstract state
Figure BDA00001376167500000631
If state
Figure BDA00001376167500000632
The internal memory node that middle p points to exists and is not passed through certain pointer field f by other internal memory nodes in other pointer variables or the heap memory iRoute can reach, and memory overflow then takes place, with statement s and state Join among the memory overflow formation heapleakListF.
(7) internal memory free statement free (p).Transformation rule is: at state
Figure BDA0000137616750000072
In, pointer variable w representes to remove among the pointer variable collection LivePVar alive (HP) the every other pointer variable of p, at first, from In through certain pointer field f iThe route distance value is 0,1 and 2 the concentrated deletion of pointer another name
Figure BDA0000137616750000074
In pass through f iRoute distance then will from the pointer another name collection that is 0
Figure BDA0000137616750000075
In pass through f iThe route distance value is that 0,1 and 2 pointer another name collection is changed to ⊥, obtains new abstract state
Figure BDA0000137616750000076
If state
Figure BDA0000137616750000077
The internal memory node existence pointed of certain pointer field can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory in the middle p sensing internal memory node, memory overflow then takes place, with statement s and state
Figure BDA0000137616750000078
Join among the memory overflow formation heapleakListF.
4.4.2 if statement s is a switch condition case statement; Then: the true value of at first under the abstract state of current heap memory
Figure BDA0000137616750000079
, finding the solution switch statement condition; From Succ (s), select next bar perform statement s ' according to the condition true value then; And with the follow-up statement of s ' as statement s, state
Figure BDA00001376167500000710
carries out 4.5 as new abstract state
Figure BDA00001376167500000711
.
4.4.3 if statement s is the unconditional jump statement; Then: and with the follow-up statement of object statement s ' as statement s, state
Figure BDA00001376167500000712
carries out 4.5 as new abstract state .
4.4.4 if statement s is the function call statement; Then carried out for the 5th step; Obtain new abstract state
Figure BDA00001376167500000714
and from Succ (s), select certain element s ', as the follow-up statement of s.
4.4.5 if statement s is function return statement return e; Then under abstract state
Figure BDA00001376167500000715
; With the expansion type of pointer variable e expansion type as function return value; The expansion type of global pointer variable is constant; The expansion type assignment of other local pointers variablees is put sky; Obtain new abstract state
Figure BDA00001376167500000716
and, carry out 4.5 then as discharge state
Figure BDA00001376167500000717
the exit statement s ' of function f follow-up statement as return statement s.
4.5 The new abstract states? and the subsequent statement s' initial state?
Figure BDA00001376167500000719
Join obtained by combining operations of the program point of the new abstract state?
Figure BDA00001376167500000720
execute step 4.6.In order to detect the mistake that the heap operation program internal memory leaks as much as possible; Union operation is: and if only if any two abstract states
Figure BDA00001376167500000721
and
Figure BDA00001376167500000722
exists and comprises when concerning and could merge, otherwise two abstract states are respectively as the element of union operation.Two abstract heap memory status?
Figure BDA00001376167500000723
and?
Figure BDA00001376167500000724
there is a containment relationship?
Figure BDA00001376167500000725
if and only if: Status?
Figure BDA00001376167500000726
any element in the state?
Figure BDA00001376167500000727
in.Union operation can be expressed as by formula:
4.6 The combined heap abstract states?
Figure BDA0000137616750000082
using saturation operation reached saturation?
Figure BDA0000137616750000083
saturation operation steps are as follows:
4.6.1 modified is initialized as vacation with token variable.
4.6.2 irreflexive operation.Travel through abstract state
Figure BDA0000137616750000084
In each pointer variable x 1, from
Figure BDA0000137616750000085
In through certain pointer field f iRoute distance is concentrated deletion pointer x from the pointer another name that is 0 1If certain pointer another name collection has been modified, modified is changed to very.
4.6.3 symmetry operation.Travel through abstract state
Figure BDA0000137616750000086
In each pointer variable x 2, from
Figure BDA0000137616750000087
In through certain pointer field f iRoute distance is concentrated from the pointer another name that is 0 and is taken out certain pointer variable y arbitrarily 2If,
Figure BDA0000137616750000088
In all pass through f iRoute distance does not comprise x from the pointer another name collection that is 0 2, then with x 2Add
Figure BDA0000137616750000089
In to passing through f iRoute distance is from the pointer another name collection that is 0.If certain pointer another name collection has been modified, modified is changed to very.
4.6.4 transmit operation.Travel through abstract state
Figure BDA00001376167500000810
In each pointer variable x 3, from
Figure BDA00001376167500000811
In through certain pointer field f iRoute distance is from being certain value d 1Pointer another name concentrate and take out certain pointer variable y arbitrarily,
Figure BDA00001376167500000812
In through certain pointer field route distance from be worth d for certain 2Obtain pointer another name collection Q 2If, pointer another name collection Q 2In certain pointer variable z do not exist
Figure BDA00001376167500000813
In pass through f iRoute distance is from being d 1+ d 2Pointer another name concentrate, then z is joined
Figure BDA00001376167500000814
In pass through f iRoute distance is from being d 1+ d 2Pointer another name concentrate.If certain pointer another name collection has been modified, modified is changed to very.
4.6.5 judge the value of modified; If be false, state
Figure BDA00001376167500000815
state that reaches capacity
Figure BDA00001376167500000816
changeed for 4.7 steps; Otherwise change the 4.6.1 step.
4.7 if state of saturation
Figure BDA00001376167500000817
is different with virgin state
Figure BDA00001376167500000818
; Then state of saturation
Figure BDA00001376167500000819
is joined among the W as new virgin state
Figure BDA00001376167500000820
and with state of saturation
Figure BDA00001376167500000821
and follow-up statement s ', change 4.3.
In the 5th step, the memory overflow that the heap operation program is carried out interprocedual detects, and method is:
5.1 acquisition process call statement e=f (e 1, e 2..., e k) initialization information.Invoked procedure is by name: f, formal parameter is: p 1, p 2..., p k, actual parameter is: e 1, e 2..., e k, wherein: p hRepresent formal parameter, e hBe p hCorresponding actual parameter, the scope of subscript h are 1≤h≤k, and rreturn value is: ret f, the local pointers variables set is: LVar f, the global pointer variables set is: GVar f, the abstract state of heap memory before the execution function call statement does
Figure BDA0000137616750000091
5.2 carry out down the state transition of call statement at the abstract state of heap memory
Figure BDA0000137616750000092
, heap memory original state
Figure BDA0000137616750000093
process of the function that obtains being called is following:
5.2.1 with state Middle global pointer variables set GVar fIn arbitrarily the expansion type of global pointer variable g pass to invoked procedure, that is: state
Figure BDA0000137616750000095
Middle g's Equal state
Figure BDA0000137616750000097
Middle g's
Figure BDA0000137616750000098
5.2.2 with state
Figure BDA0000137616750000099
Middle actual parameter e h
Figure BDA00001376167500000910
Pass to formal parameter p h, as the porch p that is called h
Figure BDA00001376167500000911
That is: state In
Figure BDA00001376167500000913
Value be state
Figure BDA00001376167500000914
In
Figure BDA00001376167500000915
Value.
5.2.3 state Middle local pointers variables set LVar fIn the expansion type of any local pointers variable l
Figure BDA00001376167500000917
Be initialized as sky.
5.3 with function f and original state
Figure BDA00001376167500000918
as parameter; Adopt the 4th step forward data flow alternative manner that function f is carried out memory overflow detection in the process, obtain the new abstract state of function exit heap memory
5.4
Figure BDA00001376167500000920
passes to invoked procedure with the heap memory state, obtains new abstract state
Figure BDA00001376167500000921
according to following steps:
5.4.1 with state
Figure BDA00001376167500000922
Middle pointer type rreturn value ret fExpansion type pass to invoked procedure, as state
Figure BDA00001376167500000923
The expansion type of following pointer e.
5.4.2 the expansion type
Figure BDA00001376167500000925
of global pointer variable g is constant when passing to invoked procedure in the state
Figure BDA00001376167500000924
, as
Figure BDA00001376167500000927
of g under the state
Figure BDA00001376167500000926
5.4.3 the expansion type of other local pointers variablees is constant before and after the invocation of procedure, that is: the value of the expansion type of other local pointers variablees is the value of the corresponding topical pointer variable expansion type in the state
Figure BDA00001376167500000929
in the state .
The 6th step, statistics heap operation program internal memory Leak Detection result data.
6.1 according on the control flow graph in each program point about the information of the abstract state of heap memory, export the abstract state of heap memory and the abstract state of heap memory in exit of the entry statement of each program point.
6.2 according to the content of memory overflow formation heapleakListF, output the program statement s and the state
Figure BDA00001376167500000930
of memory overflow might take place and add up the number of memory overflow.
6.3 screen possible memory overflow mistake, count the wrong report number of detection, and obtain rate of false alarm.Because the pointer assignment of a memory overflow mistake representative under the current pointer expansion type reported these mistakes with abstract state and the right form of pointer assignment statement in forward direction iterative detection process, can assist and confirm true mistake.
6.4 information when moving according to compiling platform and system obtains the situation of memory leakage detecting method consume system resources, such as: elapsed time of memory consumption, each detection-phase or the like.
Compared with prior art, adopt the present invention can reach following technique effect:
(1) on the basis of the present invention's pointer expansion type definition in the 2nd step; A kind of memory leakage detecting method towards heap operation has been proposed; Use internal memory Rankine-Hugoniot relations local between expansion pointer type record pointer variable to support the local reasoning of heap memory then; Detect the memory overflow mistake in the heap operation program, taken into account efficient and precision, between the precision of static analysis and efficient, found an equilibrium point preferably.
(2) the present invention proposes to describe based on the pointer expansion type another name relation of pointer; Compare with traditional memory leakage detecting method based on unified (unification-based) sensing alias analysis; Not only having represented the another name information of pointer, and represented the another name information of all pointer fields in the pointer node pointed, is the responsive memory overflow static detection method in a kind of territory; Compare with other memory leakage detecting methods, improved accuracy of detection.
(3) the present invention provided based on the local abstract representation of the heap memory of pointer expansion type in the 3rd step; Compare with the sensing figure of classics; Simple, efficient based on the local abstract STA representation of the heap memory of pointer expansion type, directly towards the operational semantics of pointer assignment statement, need not to calculate the lvalue and the r value of pointer expression formula; Just can obtain the another name information and the occurrence of pointer, improve the efficient that detects.
(4) the present invention's the 4th step memory overflow detects and adopts the forward data flow iterative algorithm; Try to achieve of the set of each program point through the fixed point iterative process, can consider various possible pointer another name situation, on the other hand about the local abstract state of heap memory; The number of the local abstract state of heap memory is limited in the program; Can guarantee the termination property of iterative algorithm, union operation can reduce the storage overhead of state, quickens the termination of iterative algorithm.
(5) has favorable expansibility.Because program termination property is undecidable in theory, the number of the interprocedual transfer environment of context-sensitive is infinite, therefore, accomplish that context-sensitive is impossible completely.The 5th step of the present invention is when the interprocedual of handling context-sensitive detects; Use a kind of detection method of log history information increment type: if when the original state of invoked procedure does not comprise current abstract state; Then testing process is called, and the result that will detect joins in the invoked procedure; Otherwise do not get into the detection invoked procedure.This method can improve the efficient of detection, and when especially repeatedly being called repeatedly with some identical process along with the increase of detection of code scale, this advantage embodies extremely obviously.
Description of drawings
Fig. 1 is an overview flow chart of the present invention.
Fig. 2 is the process flow diagram that detects in the present invention's the 4th step process.
Fig. 3 is the process flow diagram that the present invention's the 5th step interprocedual detects.
Specific embodiments
Fig. 1 overview flow chart of the present invention.Input is the source code of program, possibly cause statement and abstract state, the various statistic of memory overflow during output in the program source code.
The present invention includes following step:
1. at first utilize the compiler platform that program source code is carried out statement analysis and lexical analysis, generate intermediate file, comprising: abstract syntax tree, control flow graph and invocation of procedure figure.
2. pre-service comprises: section and conversion.
3. the definition according to the expansion type of pointer variable in the program obtains the abstract state of heap memory.
4. detect in the process.
5. interprocedual detects.
6. inspection and statistics memory overflow are checked the result who detects.
Fig. 2 is the process flow diagram that detects in the present invention's the 4th step process, may further comprise the steps:
4.1 abstract state of the heap memory of each program point i and formation W in the initialization function.
4.2 the population statement and the abstract state of function are joined in the formation.
4.3 whether be empty, if for sky then changeed for the 6th step, if for sky then carry out 4.4 if judging formation W.
4.4 from formation, eject a certainly, obtain new abstract state according to the abstract state of type conversion of statement.
4.5 the original state of new abstract state and follow-up statement is merged into new abstract state through union operation.
The state 4.6 the abstract state employing of the heap after will merging operated in saturation reaches capacity.
4.7 if state of saturation is different with virgin state, then with state of saturation as new virgin state, and state of saturation and follow-up statement joined among the W, jumped to for the 4.3rd step then.
Fig. 3 is the process flow diagram that the present invention's the 5th step interprocedual detects, and may further comprise the steps:
5.1 the initialization information of acquisition process call statement.
5.2 under the abstract state of heap memory, carry out the state transition of call statement, the heap memory original state of the function that obtains being called.
5.3 adopt the 4th step forward data flow iterative algorithm that function is carried out memory overflow detection in the process, obtain the new abstract state of function exit heap memory.
5.4 give invoked procedure with the heap memory state transfer, obtain new abstract state.

Claims (4)

1. memory leakage detecting method towards the heap operation program is characterized in that may further comprise the steps:
The 1st step, utilize the compiler platform that program to be detected is carried out lexical analysis, grammatical analysis, generate abstract syntax tree, control flow graph, the invocation of procedure figure of program to be detected;
The 2nd step, pre-service:
2.1 section is about to those and does not use the assignment statement of any pointer type variable from program, to delete, the program after obtaining cutting into slices;
Convert canonical form 2.2 will pass through the pointer assignment statement that does not meet canonical form in the program after the section to according to transformation rule;
In the 3rd step,, obtain the abstract state of heap memory of program according to the expansion type of the another name information definition pointer of each pointer variable in the function; In the heap operation program, the definition of the expansion type of pointer variable p<img file="FDA0000137616740000011.GIF" he="63" id="ifm0001" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="39" />For:<f<sub >1</sub>:<dist; 2<sup >PVar</sup>>f<sub >2</sub>:<dist, 2<sup >PVar</sup>>... f<sub >i</sub>:<dist; 2<sup >PVar</sup>>...; f<sub >n</sub>:<dist; 2<sup >PVar</sup>>>, wherein: f<sub >1</sub>, f<sub >2</sub>... f<sub >i</sub>..., f<sub >n</sub>Represent that respectively p points to the name of pointer field in the internal storage location, 1≤i≤n, that is: p points to the internal storage location of being assembled by n pointer field, and internal storage location is called the internal memory node again; The internal memory node was apart from the value of pointer p during variable dist represented to pile; 2<sup >PVar</sup>Represent the pointer variable collection that all internal memory nodes that to point to apart from p internal memory nodal value pointed be dist constitute, be called pointer another name collection; The scope of variable dist value is: 0,1 and 2, wherein: element 0 and 1 expression heap memory middle distance p internal memory node exact value pointed, value 2 is arbitrary values, expression is through certain pointer field f<sub >i</sub>Twice or twice above routing times, the internal memory node that in heap memory, obtains is like this claimed the node of making a summary again; Pointer set 2<sup >PVar</sup>In two special elements are arranged: empty set<img file="FDA0000137616740000012.GIF" he="42" id="ifm0002" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="21" />Have no pointer variable to point to this internal storage location in the expression heap memory, and this internal storage location has been assigned with in heap memory; ⊥ representes certain pointer variable p or pointer field f<sub >i</sub>Value be null, represent that this pointer variable value is invalid memory address, p or pointer field f<sub >i</sub>Internal storage location pointed also is not assigned with in heap; The active pointer variable of heap operation program HP is one type of pointer variable that is used or revises in the usability of program fragments, and LivePVar representes by predicate; The local abstract state of heap memory<img file="FDA0000137616740000013.GIF" he="43" id="ifm0003" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="38" />Be set, that is: with expansion type formation of active pointer variable<img file="FDA0000137616740000014.GIF" he="44" id="ifm0004" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="54" />p<sub >i</sub>Represent that any one has active pointer variable,<img file="FDA0000137616740000015.GIF" he="62" id="ifm0005" img-content="drawing" img-format="GIF" inline="no" orientation="portrait" wi="49" />Expression p<sub >i</sub>Expansion type;
The 4th step; Certain function f of top-down selection from the invocation of procedure figure of program to be detected; And the abstract state
Figure FDA0000137616740000016
of function f porch is set to sky; Carry out memory overflow detection in the process according to the forward data flow alternative manner; Obtain that basic statement is about the transition relationship of the abstract state of heap memory in the heap operation program, the forward data flow alternative manner is:
4.1 the abstract state of the heap memory of each program point i in the initialization function f
Figure FDA0000137616740000017
is changed to sky; And formation W is changed to sky; W is the formation of a fifo fifo; Fundamental element is that
Figure FDA0000137616740000021
is right; S is a statement,
Figure FDA0000137616740000022
be the local abstract state of heap memory;
4.2 entry statement s with function f 0With abstract state
Figure FDA0000137616740000023
Join formation W;
4.3 whether be empty, if for sky then changeed for the 6th step, if for sky then carry out 4.4 if judging formation W;
4.4 W popped from the queue items?
Figure FDA0000137616740000024
type conversion according to statement s abstract states?
Figure FDA0000137616740000025
get new abstract states?
Figure FDA0000137616740000026
specific methods are as follows:
4.4.1 if statement s is basic pointer assignment statement; Then obtain new abstract state
Figure FDA0000137616740000028
and from the control flow graph, select certain element s ' among the follow-up statement collection Succ (s) of statement s, carry out 4.5 then by the type conversion state
Figure FDA0000137616740000027
of 7 kinds of pointer assignment statements; Method by the type conversion
Figure FDA0000137616740000029
of 7 kinds of pointer assignment statements is:
(1) pointer assignment statement p=null, transformation rule is: at state In, at first from passing through certain pointer field f iRoute can reach the concentrated deletion of the pointer another name p that p points to the internal memory node, then will Be changed to null, that is: will
Figure FDA00001376167400000212
In all pass through f iThe route distance value is that 0,1 and 2 pointer another name collection is changed to ⊥, obtains new abstract state
Figure FDA00001376167400000213
If state
Figure FDA00001376167400000214
Middle pointer p internal memory node pointed exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with this statement s and abstract state
Figure FDA00001376167400000215
Join among the memory overflow formation heapleakListF, heapleakListF preserves all statements that memory overflow takes place and the formation of state, and fundamental element is: statement and abstract state are right
Figure FDA00001376167400000216
(2) statement p->f m=null, transformation rule is: at state
Figure FDA00001376167400000217
In, pointer variable x representative can be passed through certain pointer field f iRoute can reach the pointer variable that p points to the internal memory node; At first, revise the expansion type of x: if x calls with p, that is: x is 0 to the distance of p, then from
Figure FDA00001376167400000218
In will pass through f iThe route distance value is that 1 and 2 pointer another name collection is changed to sky; If x is 1 or 2 to the distance value of p, then from
Figure FDA00001376167400000219
In pass through f iRoute distance is concentrated deletion from the pointer another name that is 2
Figure FDA00001376167400000220
In pass through f iThe route distance value is 1 and 2 pointer another name collection; Then, will
Figure FDA00001376167400000221
In pass through f mThe route distance value is that 1 and 2 pointer another name collection is changed to sky, obtains new abstract state
Figure FDA00001376167400000222
If state
Figure FDA00001376167400000223
Middle p points to the f in the internal memory node mThe internal memory node that points to exists and is not passed through f by other pointer variables or other internal memory nodes iRoute can reach, and memory overflow then takes place, with statement s and state
Figure FDA00001376167400000224
Join among the memory overflow formation heapleakListF;
(3) pointer copy statement p=q; Transformation rule is: at first; Obtaining middle abstract state then under the abstract state in centre
Figure FDA00001376167400000227
according to rule (1) perform statement p=null under the state
Figure FDA00001376167400000225
; The sensing of p soon is revised as the node that q points to
Figure FDA00001376167400000228
assignment is given
Figure FDA00001376167400000229
; Obtain new abstract state
Figure FDA0000137616740000031
if the internal memory node that p points in the state exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory; Memory overflow then takes place, and statement s and state
Figure FDA0000137616740000033
are joined among the memory overflow formation heapleakListF;
(4) statement p=q->f m, transformation rule is: at first, and at state
Figure FDA0000137616740000034
Abstract state in the middle of obtaining according to rule (1) perform statement p=null down
Figure FDA0000137616740000035
The abstract state in the centre then
Figure FDA0000137616740000036
To down,
Figure FDA0000137616740000037
In pass through f mThe route distance value be 1 pointer another name collection assignment give with
Figure FDA0000137616740000038
In through certain pointer field f iThe route distance value is 0 pointer another name collection, and p is joined
Figure FDA0000137616740000039
In pass through f iThe route distance value is that 1 pointer another name is concentrated, and obtains new abstract state
Figure FDA00001376167400000310
If state
Figure FDA00001376167400000311
The internal memory node that middle p points to exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with statement s and state
Figure FDA00001376167400000312
Join among the memory overflow formation heapleakListF;
(5) statement p->f m=q, transformation rule is: at first, at state
Figure FDA00001376167400000313
Down according to rule (1) perform statement p->f mAbstract state in the middle of=null obtains
Figure FDA00001376167400000314
The abstract state in the centre then
Figure FDA00001376167400000315
Down, set Q representes
Figure FDA00001376167400000316
In through certain pointer field f iRoute distance is from the pointer another name collection that is 0, and pointer variable x representes abstract state
Figure FDA00001376167400000317
In can pass through f iThe one or many route arrives the pointer of the internal memory node of p sensing; According to abstract state in the middle of the following rules modification
Figure FDA00001376167400000318
At first, revise the expansion type of pointer variable y among the set Q
Figure FDA00001376167400000319
Will
Figure FDA00001376167400000320
In pass through f iRoute distance joins from the pointer another name collection that is 0
Figure FDA00001376167400000321
In pass through f iRoute distance is concentrated from the pointer another name that is 1, will
Figure FDA00001376167400000322
In pass through f iRoute distance adds to from the pointer another name collection that is 1 and 2 In pass through f iRoute distance is concentrated from the pointer another name that is 2; Then, will pass through f iRoute distance is that 0,1 and 2 pointer another name collects and adds to together with q from q value
Figure FDA00001376167400000324
In pass through f iRoute distance is concentrated from the pointer another name that is 2, obtains new abstract state
Figure FDA00001376167400000325
If state
Figure FDA00001376167400000326
F in the internal memory node that middle p points to mThe internal memory node that points to exists and can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory, memory overflow then takes place, with statement s and state
Figure FDA00001376167400000327
Join among the memory overflow formation heapleakListF;
(6) Memory Allocation statement p=malloc (), transformation rule is: at first, at state Abstract state in the middle of obtaining according to rule (1) perform statement p=null down
Figure FDA00001376167400000329
The abstract state in the centre then
Figure FDA00001376167400000330
Down, newly apply for an internal memory node and give pointer p, that is: will the address assignment of this internal memory node
Figure FDA00001376167400000331
In through certain pointer field f iRoute distance is changed to empty set from the pointer another name collection that is 0 Pass through f iRoute distance is changed to ⊥ from the pointer another name collection that is 1 and 2, obtains new abstract state
Figure FDA0000137616740000042
If state The internal memory node that middle p points to exists and is not passed through certain pointer field f by other internal memory nodes in other pointer variables or the heap memory iRoute can reach, and memory overflow then takes place, with statement s and state Join among the memory overflow formation heapleakListF;
(7) internal memory free statement free (p), transformation rule is: at state
Figure FDA0000137616740000045
In, pointer variable w representes to remove among the pointer variable collection LivePVar alive (HP) the every other pointer variable of p, at first, from
Figure FDA0000137616740000046
In through certain pointer field f iThe route distance value is 0,1 and 2 the concentrated deletion of pointer another name
Figure FDA0000137616740000047
In pass through f iRoute distance then will from the pointer another name collection that is 0
Figure FDA0000137616740000048
In pass through f iThe route distance value is that 0,1 and 2 pointer another name collection is changed to ⊥, obtains new abstract state If state
Figure FDA00001376167400000410
The internal memory node existence pointed of certain pointer field can not reached through certain pointer field route by other internal memory nodes in other pointer variables or the heap memory in the middle p sensing internal memory node, memory overflow then takes place, with statement s and state
Figure FDA00001376167400000411
Join among the memory overflow formation heapleakListF;
4.4.2 if statement s is a switch condition case statement; Then: the true value of at first under the abstract state of current heap memory
Figure FDA00001376167400000412
, finding the solution switch statement condition; From Succ (s), select next bar perform statement s ' according to the condition true value then; And with the follow-up statement of s ' as statement s, state
Figure FDA00001376167400000413
carries out 4.5 as new abstract state
Figure FDA00001376167400000414
;
4.4.3 if statement s is the unconditional jump statement; Then: with the follow-up statement of object statement s ' as statement s, state
Figure FDA00001376167400000415
carries out 4.5 as new abstract state
Figure FDA00001376167400000416
;
4.4.4 if statement s is the function call statement; Then carried out for the 5th step; Obtain new abstract state
Figure FDA00001376167400000417
and from Succ (s), select certain element s ', as the follow-up statement of s;
4.4.5 if statement s is function return statement return e; Then under abstract state ; With the expansion type of pointer variable e expansion type as function return value; The expansion type of global pointer variable is constant; The expansion type assignment of other local pointers variablees is put sky; Obtain new abstract state
Figure FDA00001376167400000419
and, carry out 4.5 then as discharge state
Figure FDA00001376167400000420
the exit statement s ' of function f follow-up statement as return statement s;
4.5 The new abstract states?
Figure FDA00001376167400000421
and the subsequent statement s' initial state?
Figure FDA00001376167400000422
Join obtained by combining operations of the program point of the new abstract state?
Figure FDA00001376167400000423
Executive 4.6 step; merge operations is: if and only if any two abstract states?
Figure FDA00001376167400000424
and?
Figure FDA00001376167400000425
relationship can exist, including merger or two abstract states, respectively, as the merge operation elements; two abstract state of heap memory?
Figure FDA00001376167400000426
and?
Figure FDA00001376167400000427
there is a containment relationship?
Figure FDA00001376167400000428
if and only if: Status?
Figure FDA00001376167400000429
any element in the state?
Figure FDA00001376167400000430
in;? merge operation by the expressed by the formula:
4.6 The combined heap abstract states? using saturation operation reached saturation? saturation operation steps are as follows:
4.6.1 modified is initialized as vacation with token variable;
4.6.2 irreflexive operation: travel through abstract state
Figure FDA0000137616740000054
In each pointer variable x 1, from In through certain pointer field f iRoute distance is concentrated deletion pointer x from the pointer another name that is 0 1If certain pointer another name collection has been modified, and modified is changed to very;
4.6.3 symmetry operation: travel through abstract state
Figure FDA0000137616740000056
In each pointer variable x 2, from
Figure FDA0000137616740000057
In through certain pointer field f iRoute distance is concentrated from the pointer another name that is 0 and is taken out certain pointer variable y arbitrarily 2If,
Figure FDA0000137616740000058
In all pass through f iRoute distance does not comprise x from the pointer another name collection that is 0 2, then with x 2Add
Figure FDA0000137616740000059
In to passing through f iRoute distance, is changed to modified very if certain pointer another name collection has been modified from the pointer another name collection that is 0;
4.6.4 transmit operation: travel through abstract state
Figure FDA00001376167400000510
In each pointer variable x 3, from
Figure FDA00001376167400000511
In through certain pointer field f iRoute distance is from being certain value d 1Pointer another name concentrate and take out certain pointer variable y arbitrarily,
Figure FDA00001376167400000512
In through certain pointer field route distance from be worth d for certain 2Obtain pointer another name collection Q 2If, pointer another name collection Q 2In certain pointer variable z do not exist
Figure FDA00001376167400000513
In pass through f iRoute distance is from being d 1+ d 2Pointer another name concentrate, then z is joined
Figure FDA00001376167400000514
In pass through f iRoute distance is from being d 1+ d 2Pointer another name concentrate, if certain pointer another name collection has been modified, modified is changed to very;
4.6.5 judge the value of modified; If be false, state
Figure FDA00001376167400000515
state that reaches capacity
Figure FDA00001376167400000516
changeed for 4.7 steps; Otherwise change the 4.6.1 step;
4.7 if state of saturation
Figure FDA00001376167400000517
is different with virgin state
Figure FDA00001376167400000518
; Then state of saturation
Figure FDA00001376167400000519
is joined among the W as new virgin state
Figure FDA00001376167400000520
and with state of saturation
Figure FDA00001376167400000521
and follow-up statement s ', change 4.3;
In the 5th step, the memory overflow that the heap operation program is carried out interprocedual detects, and method is:
5.1 acquisition process call statement e=f (e 1, e 2..., e k) initialization information, invoked procedure is by name: f, formal parameter is: p 1, p 2..., p k, actual parameter is: e 1, e 2..., e k, wherein: p hRepresent formal parameter, e hBe p hCorresponding actual parameter, 1≤h≤k, rreturn value is: ret f, the local pointers variables set is: LVar f, the global pointer variables set is: GVar f, the abstract state of heap memory before the execution function call statement does
Figure FDA0000137616740000061
5.2 carry out down the state transition of call statement at the abstract state of heap memory
Figure FDA0000137616740000062
, heap memory original state
Figure FDA0000137616740000063
process of the function that obtains being called is following:
5.2.1 with state
Figure FDA0000137616740000064
Middle global pointer variables set GVar fIn arbitrarily the expansion type of global pointer variable g pass to invoked procedure, that is: state
Figure FDA0000137616740000065
Middle g's
Figure FDA0000137616740000066
Equal state
Figure FDA0000137616740000067
Middle g's
Figure FDA0000137616740000068
5.2.2 with state
Figure FDA0000137616740000069
Middle actual parameter eh's Pass to formal parameter p h, as the porch p that is called h
Figure FDA00001376167400000611
That is: state
Figure FDA00001376167400000612
In
Figure FDA00001376167400000613
Value be state
Figure FDA00001376167400000614
In
Figure FDA00001376167400000615
Value;
5.2.3 state
Figure FDA00001376167400000616
Middle local pointers variables set LVar fIn the expansion type of any local pointers variable l
Figure FDA00001376167400000617
Be initialized as sky;
5.3 with function f and original state
Figure FDA00001376167400000618
as parameter; Adopt the 4th step forward data flow alternative manner that function f is carried out memory overflow detection in the process, obtain the new abstract state of function exit heap memory
Figure FDA00001376167400000619
5.4
Figure FDA00001376167400000620
passes to invoked procedure with the heap memory state, obtains new abstract state
Figure FDA00001376167400000621
according to following steps:
5.4.1 with state
Figure FDA00001376167400000622
Middle pointer type rreturn value ret fExpansion type pass to invoked procedure, as state
Figure FDA00001376167400000623
The expansion type of following pointer e;
5.4.2 the expansion type
Figure FDA00001376167400000625
of global pointer variable g is constant when passing to invoked procedure in the state , as
Figure FDA00001376167400000627
of g under the state
Figure FDA00001376167400000626
5.4.3 the expansion type of other local pointers variablees is constant before and after the invocation of procedure, that is: the value of the expansion type of other local pointers variablees is the value of the corresponding topical pointer variable expansion type in the state
Figure FDA00001376167400000629
in the state ;
The 6th step, statistics heap operation program internal memory Leak Detection result data:
6.1 according on the control flow graph in each program point about the information of the abstract state of heap memory, export the abstract state of heap memory and the abstract state of heap memory in exit of the entry statement of each program point;
6.2 according to the content of memory overflow formation heapleakListF, output the program statement s and the state
Figure FDA00001376167400000630
of memory overflow might take place and add up the number of memory overflow;
6.3 screen possible memory overflow mistake, count the wrong report number of detection, and obtain rate of false alarm;
6.4 information when moving according to compiling platform and system obtains the situation of memory leakage detecting method consume system resources.
2. a kind of memory leakage detecting method towards the heap operation program as claimed in claim 1 is characterized in that the pointer assignment statement of canonical form comprises 7 kinds in the pre-service: 1), pointer variable p is changed to empty statement p=null; 2), with pointer field p->f of pointer variable p mBe changed to empty statement p->f m=null; 3), copy statement p=q between pointer variable; 4), the copy statement p=q->f between the pointer field of pointer p and pointer q m5), the copy statement p->f between the pointer field of pointer p and pointer q m=q; 6), internal memory application statement p=malloc; 7), internal memory free statement free (p).
3. a kind of memory leakage detecting method towards the heap operation program as claimed in claim 1 is characterized in that the transformation rule in the said pre-service has 5 kinds, is respectively: 1), introduce auxiliary pointer variable pt 0With shape such as p->f m=q->f nPointer assignment statement convert into: pt 0=q->f nP->f m=pt 02), introduce auxiliary pointer variable pt 1With shape such as p=p->f mPointer assignment statement convert into: pt 1=p->f mP=pt 13), introduce auxiliary pointer variable pt 2With shape such as p->f mThe pointer assignment statement of=malloc converts into: pt 2=malloc; P->f m=pt 24), introduce auxiliary pointer variable pt 3With shape such as p=q->f m->f nPointer assignment statement convert into: pt 3=q->f mP=pt 3->f n5), introduce auxiliary pointer variable pt 4With shape such as free (p->f m) the internal memory free statement convert into: pt4=p->f mFree (pt 4).
4. a kind of memory leakage detecting method towards the heap operation program as claimed in claim 1 is characterized in that said pointer another name collection comprises: the formal parameter that has pointer type in global pointer variable, local pointers variable, the function.
CN201210041025.7A 2012-02-22 2012-02-22 Method for detecting memory leakage of heap operational program Active CN102662825B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210041025.7A CN102662825B (en) 2012-02-22 2012-02-22 Method for detecting memory leakage of heap operational program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210041025.7A CN102662825B (en) 2012-02-22 2012-02-22 Method for detecting memory leakage of heap operational program

Publications (2)

Publication Number Publication Date
CN102662825A true CN102662825A (en) 2012-09-12
CN102662825B CN102662825B (en) 2014-07-16

Family

ID=46772322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210041025.7A Active CN102662825B (en) 2012-02-22 2012-02-22 Method for detecting memory leakage of heap operational program

Country Status (1)

Country Link
CN (1) CN102662825B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103942077A (en) * 2014-04-15 2014-07-23 清华大学 Drive resource recycle analyzing method
CN104636256A (en) * 2015-02-17 2015-05-20 中国农业银行股份有限公司 Memory access abnormity detecting method and memory access abnormity detecting device
CN104750563A (en) * 2013-12-26 2015-07-01 北京大学 A memory leak auto repair method based on control flow diagram
CN105302712A (en) * 2014-07-17 2016-02-03 南京普爱射线影像设备有限公司 Method for detecting C++ memory leakage
CN105765896A (en) * 2013-12-05 2016-07-13 皇家飞利浦有限公司 A computing device for iterative application of table networks
CN107992307A (en) * 2017-12-11 2018-05-04 北京奇虎科技有限公司 A kind of function Compilation Method and device
CN109711167A (en) * 2018-12-21 2019-05-03 华中科技大学 A kind of UAF loophole defence method based on multilevel-pointer
CN111694747A (en) * 2020-06-17 2020-09-22 北京字节跳动网络技术有限公司 Thread detection method, device, equipment and computer readable medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6658652B1 (en) * 2000-06-08 2003-12-02 International Business Machines Corporation Method and system for shadow heap memory leak detection and other heap analysis in an object-oriented environment during real-time trace processing
CN101339533A (en) * 2007-07-04 2009-01-07 国际商业机器公司 Method and device for diagnosing Java system EMS memory leakage based on partition
US20090172476A1 (en) * 2004-12-21 2009-07-02 Grey James A Test Executive System with Memory Leak Detection for User Code Modules
CN101763305A (en) * 2009-12-29 2010-06-30 青岛海信宽带多媒体技术有限公司 Method for detecting memory leak of embedded system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6658652B1 (en) * 2000-06-08 2003-12-02 International Business Machines Corporation Method and system for shadow heap memory leak detection and other heap analysis in an object-oriented environment during real-time trace processing
US20090172476A1 (en) * 2004-12-21 2009-07-02 Grey James A Test Executive System with Memory Leak Detection for User Code Modules
CN101339533A (en) * 2007-07-04 2009-01-07 国际商业机器公司 Method and device for diagnosing Java system EMS memory leakage based on partition
CN101763305A (en) * 2009-12-29 2010-06-30 青岛海信宽带多媒体技术有限公司 Method for detecting memory leak of embedded system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JI WANG ET AL.: "Demand-Driven Memory Leak Detection Based on Flow- and Context-Sensitive Pointer Analysis", 《JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY》 *
张威等: "基于指针映射集的动态内存故障测试方法研究", 《计算机学报》 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105765896B (en) * 2013-12-05 2020-02-07 皇家飞利浦有限公司 Computing device for iterative application of a table network
CN105765896A (en) * 2013-12-05 2016-07-13 皇家飞利浦有限公司 A computing device for iterative application of table networks
CN104750563B (en) * 2013-12-26 2017-11-07 北京大学 A kind of memory overflow self-repairing method based on controlling stream graph
CN104750563A (en) * 2013-12-26 2015-07-01 北京大学 A memory leak auto repair method based on control flow diagram
CN103942077A (en) * 2014-04-15 2014-07-23 清华大学 Drive resource recycle analyzing method
CN103942077B (en) * 2014-04-15 2018-06-15 清华大学 A kind of driving resource reclaim analysis method
CN105302712A (en) * 2014-07-17 2016-02-03 南京普爱射线影像设备有限公司 Method for detecting C++ memory leakage
CN104636256B (en) * 2015-02-17 2017-10-24 中国农业银行股份有限公司 A kind of abnormal detection method and device of internal storage access
CN104636256A (en) * 2015-02-17 2015-05-20 中国农业银行股份有限公司 Memory access abnormity detecting method and memory access abnormity detecting device
CN107992307A (en) * 2017-12-11 2018-05-04 北京奇虎科技有限公司 A kind of function Compilation Method and device
CN107992307B (en) * 2017-12-11 2021-04-13 北京奇虎科技有限公司 Function compiling method and device
CN109711167A (en) * 2018-12-21 2019-05-03 华中科技大学 A kind of UAF loophole defence method based on multilevel-pointer
CN111694747A (en) * 2020-06-17 2020-09-22 北京字节跳动网络技术有限公司 Thread detection method, device, equipment and computer readable medium
CN111694747B (en) * 2020-06-17 2023-03-28 抖音视界有限公司 Thread detection method, device, equipment and computer readable medium

Also Published As

Publication number Publication date
CN102662825B (en) 2014-07-16

Similar Documents

Publication Publication Date Title
CN102662825B (en) Method for detecting memory leakage of heap operational program
Salloum et al. Big data analytics on Apache Spark
US10162612B2 (en) Method and apparatus for inventory analysis
US11036614B1 (en) Data control-oriented smart contract static analysis method and system
Mei et al. Data flow testing of service-oriented workflow applications
US8166464B2 (en) Analysis and detection of soft hang responsiveness program errors
JP2020522790A (en) Automatic dependency analyzer for heterogeneously programmed data processing systems
CN102567200A (en) Parallelization security hole detecting method based on function call graph
CN103577168A (en) Test case creation system and method
Heo et al. Continuously reasoning about programs using differential bayesian inference
CN110059006A (en) Code audit method and device
Rabl et al. Apache Flink in current research
Nicoletti et al. BFL: a logic to reason about fault trees
CN102521126A (en) Complexity analysis method of software defect testing system based on modular decomposition technology
Giachino et al. Deadlock detection in linear recursive programs
US20230236830A1 (en) Detecting duplicated code patterns in visual programming language code instances
AL-AHMAD et al. Jacoco-Coverage Based Statistical Approach for Ranking and Selecting Key Classes in Object-Oriented Software
Romanov et al. Representing programs with dependency and function call graphs for learning hierarchical embeddings
CN114691197A (en) Code analysis method and device, electronic equipment and storage medium
CN114912110A (en) Js code security detection method and system
Simon et al. ’SQL Code Complexity Analysis’
Liu Software vulnerability mining techniques based on data fusion and reverse engineering
Zhang et al. Propositional projection temporal logic specification mining
Legay et al. Statistical model checking of llvm code
Kusu et al. A Node Access Frequency based Graph Partitioning Technique for Efficient Dynamic Dependency Analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant