基于传播引擎的指针引用错误检测  被引量：4

作　　者：衷璐洁[1,2,3] 霍玮[1] 李丰[1,3] 陈聪明[1,3] 冯晓兵[1] 张兆庆[1] 

机构地区：[1]中国科学院计算技术研究所计算机体系结构国家重点实验室,北京100190 [2]首都师范大学信息工程学院,北京100048 [3]中国科学院研究生院,北京100049

出　　处：《计算机学报》2013年第2期432-444,共13页Chinese Journal of Computers

基　　金：自然科学基金青年科学基金项目(61100011);国家"九七三"重点基础研究发展规划项目基金(2011CB302504);国家"八六三"高技术研究发展计划项目基金(2012AA010901);国家自然科学基金创新研究群体科学基金(60921002);核高基国家重大科技专项基金项目(2011ZX01028-001-002)资助~~

摘　　要：指针在C程序中应用广泛,指针引用错误多发且危害严重.目前代表性的检测工具由于使用方便性和检测精度不足以及难以处理大规模程序等原因,并不能满足实用需求.文中提出一种新型的错误检测方法,该方法基于域敏感、流敏感和上下文敏感的传播引擎,通过定义错误属性格、在源程序中对错误属性格值进行计算和传播来完成错误检测.在开放源码编译器Open64中实现了其原型系统Propagator.以空指针引用错误检测为实例研究内容,使用Apache、OpenSSH、gzip等应用领域广泛的典型应用为实验用例.与Saturn、Splint和Clang-SA进行对比,Propagator的平均检测时间仅为12s,误报率平均仅为13%,远低于对比工具,且没有发现漏报已知错误.上述结果表明,Propagator既提高了检测精度又保证了可扩展性,具有很好的实用前景.Pointers are widely used in C programs, pointer dereference faults are dangerous while they occur frequently. Many tools are designed to detect this kind of faults, but the state-of-art tools cannot meet the practical needs due to inconvenient usage, low detection accuracy and poor scalability. This paper presents a detection approach which is based on flow-sensitive, field-sensitive and context-sensitive propagation engine. The approach successfully lowers the user burden, improves detection accuracy and scalability. The core concept of the approach is fault attribute lattice. The lattice values are computed and propagated through the source code to detect the faults which were characterized via the fault attribute lattice. A prototype system named Propa- gator based on Open64 compiler has been implemented. Using null-pointer dereference fault detection as one case study, the comparison experiments with Saturn, Splint and Clang-SA on applications such as Apache, OpenSSH, gzip etc. are done. The results show that Propagator uses only 12 seconds on average to finish the fault checking and the false positive rate of Propagator is only 13% on average. Furthermore, Propagator do not report known false negatives. that Propagator not only improves the scalability but also achieves the high detection thus indicates our approach can be used in practical. It is clear accuracy, thus indicates our approach can be used in practical.

关 键 词：空指针引用 错误属性格 上下文敏感 静态检测 传播引擎 

分 类 号：TP314[自动化与计算机技术—计算机软件与理论]