基于污点指针的二进制代码缺陷检测

污点指针严重影响二进制代码数据流和控制流的安全。为此,提出一种二进制代码缺陷检测方法。引入指针污点传播规则,结合路径约束条件和边界约束条件得到缺陷引发条件,构造能够引发4类污点指针代码缺陷的输入数据。在Linux系统下实现ELF二进制代码缺陷检测工具,测试结果表明,该方法能降低测试用例生成数量,并发现Linux系统工具的1个虚函数调用控制缺陷和2个指针内存破坏缺陷。     

面向自动校验系统的指针式压力表读数识别

针对基于机器视觉的指针式压力表校验系统,给出了一种采用帧差分法和角度法自动识别指针仪表读数的方案,并且为了解决残缺指针区域的质心偏移问题提出了一种利用区域极值点确定指针质心的方法。首先基于霍夫圆检测进行表盘中心定位和表盘分割;然后采用三帧差分法检测指针区域,并从其八方向极值点中选择最接近指针区域最小外接矩形对角顶点的两点来定位指针质心;最后连接指针质心和表盘中心以计算指针偏转角度和识别读数。实验结果表明基于区域极值点的指针质心定位可以简单有效地修正残缺指针区域质心偏移,整体方案能够较准确地识别指针式压力表读数。     

基于属性可靠分析的空指针引用缺陷检测

为实现基于静态分析技术充分地检测出C程序中的空指针引用缺陷,提出了一种基于属性可靠分析的缺陷检测方法。首先介绍了空指针引用缺陷模式及特征。然后针对空指针引用缺陷的检测特点提出了属性可靠分析理论,并将指针的指向属性描述为一个属性格。通过提出的抽象内存模型,基于给出的每种程序语句上的迁移实现指针指向属性的可靠分析,根据得到的每个被引用指针的指向属性进而实现空指针引用缺陷的检测。通过对五个实际工程的检测结果分析表明,方法可充分检测出C程序的空指针引用缺陷。     

基于指针网络的实体与关系联合抽取方法

针对现有实体和关系联合抽取方法中存在的实体与关系依赖建模不足、实体发生重叠难以抽取其所涉及的多个关系的问题,设计了基于深度学习的联合抽取框架。首先针对依赖建模不足问题,从预训练语料中提取实体共现特征,建模了实体间的潜在语义关系和实体与关系之间的依赖关系。其次提出了新颖的指针标注方法,该标注方法可以通过指针表示关系类别,由于任一实体可以被多个指针指向,所以可以在一段文本中标注重叠的实体并抽取多个实体—关系三元组结果。最后,为了有效利用单词的丰富语义和指针之间依赖的信息,设计了一个标签感知注意力机制,融合了包括来自编码层的字词信息、相关的共现语义信息。与研究中前沿的联合提取方法相比,该方法在百度DuIE测试集上实现了F₁值的增加。通过实验结果表明指针标注方法在一定程度上可以解决实体重叠问题。     

改进Faster R-CNN的汽车仪表指针实时检测

针对产业化的汽车仪表指针人工视觉检测效果差、检测速度慢和实时性低等问题,本文提出了一种改进的Faster R-CNN汽车仪表指针实时检测算法。通过改进原始的RoI网络层结构,实现小目标高低层特征之间的完整传递;采用双线性内插算法替代两次量化操作,使得特征聚集变成连续的过程,能够有效减少计算时间;最后将工业机采集的视频数据,预处理成VOC格式数据集进行训练,调整超参数得到改进汽车仪表指针检测模型。实验结果表明:所提出的方法能够快速、准确地实现汽车仪表指针检测,单张图片的平均检测时间为0.197 s,平均检测精度可达92.7%。在不同类别仪表指针的迁移实验中,展示了良好的泛化性能。     

垂悬指针检测与防御方法

随着技术的发展,信息物理融合系统(cyber-physical system,简称CPS)在生活中扮演着越来越重要的角色,例如电力系统、铁路系统.如果CPS遭到攻击,将对现实世界的正常运转造成巨大影响,甚至威胁生命安全.垂悬指针是指向的区域被释放后未被置为空的指针,它是一种会导致攻击的软件缺陷.由垂悬指针导致的use-after-free和double-free漏洞能够执行任意恶意代码.迄今为止,只有少量工作针对垂悬指针进行检测、防御.其中多数都会导致过高的额外运行时开销.提出Dang Done用于检测和防御垂悬指针.首先,通过静态分析检测潜在垂悬指针;然后,基于检测到的垂悬指针信息和一系列预定义的指针变换规则,依据指针传播信息变换指针,使得指针及其别名都指向同一个新引入的指针.基于该方法,实现了Dang Done的原型工具.基于11个开源项目和SPEC CPU benchmark的实验结果表明:DangDone的静态分析部分只有33%的误报率,指针变换部分只引入了1%左右的额外开销.同时,Dang Done成功防护了11个开源项目中的use-after-free和double-fre...     

空指针引用故障模型与测试方法研究

空指针态引用故障在使用指针的程序中是普遍存在的,采用动态测试方法进行测试难以准确定位故障源。而现有的静态分析方法主要存在漏报和误报过多的情况。针对这些问题,提出了一种基于指针映射关系分析的测试方法,给出了面向故障的指针映射集的构造规则,以此为基础建立了故障模型。通过指针映射集和故障模型,可以自动检测空指针引用内存故障,提高了测试效率。在分析过程中,还综合应用了控制流图和路径条件,提高了测试结果的精度。     

Program slicing with dynamic points-to sets

Program slicing is a potentially useful analysis for aiding program understanding. However, in reality even slices of small programs are often too large to be useful. Imprecise pointer analyses have been suggested as one cause of this problem. In this paper, we use dynamic points-to data, which represents optimistic pointer information, to obtain a bound on the best case slice size improvement that can be achieved with improved pointer precision. Our experiments show that slice size can be reduced significantly for programs that make frequent use of calls through function pointers because for them the dynamic pointer data results in a considerably smaller call graph, which leads to fewer data dependences. Programs without or with only few calls through function pointers, however, show considerably less improvement. We discovered that C programs appear to have a significant fraction of direct and nonspurious pointer data dependences so that reducing spurious dependences via pointers is only of limited benefit. Consequently, to make slicing useful in general for such programs, improvements beyond better pointer analyses are necessary. On the other hand, since we show that collecting dynamic function pointer information can be performed with little overhead (average slowdown of 10 percent for our benchmarks), dynamic pointer information may be a practical approach to making slicing of programs with frequent function pointer use more successful in practice.     

处理指针相等关系不确定的指针逻辑

为类C小语言PointerC设计的指针逻辑是Hoare逻辑的一种扩展,可用来对指针程序进行精确的指针分析,以支持指针相等关系确定的程序的安全性验证.通过增加相等关系不确定的指针类型访问路径集合,可扩展这种指针逻辑,使得扩展后的指针逻辑可以应用于有向图等指针相等关系不确定的抽象数据结构上的指针程序性质　证明.     

指针的学习与应用

指针是C程序设计的重点和难点，也是软件界的讨论热点：、正确而灵活地运用指针，可以有效地表示复杂的数据结构，能动态分配内存，直接处理内存地址等。在学习和应用指针过程中，传统的指针概念和用法常常使人感到困惑。文中提出了单星指针、双星指针等新概念，比较全面地介绍了指针的理论和应用．     

Precise Call Graphs for C Programs with Function Pointers

The use of pointers presents serious problems for software productivity tools for software understanding, restructuring, and testing. Pointers enable indirect memory accesses through pointer dereferences, as well as indirect procedure calls (e.g., through function pointers in C). Such indirect accesses and calls can be disambiguated with pointer analysis. In this paper we evaluate the precision of one specific pointer analysis (the FA pointer analysis by Zhang et al.) for the purposes of call graph construction for C programs with function pointers. The analysis is incorporated in a production-strength code-browsing tool from Siemens Corporate Research in which the program call graph is used as a primary tool for code understanding.The FA pointer analysis uses an inexpensive, almost-linear, flow- and context-insensitive algorithm. To measure analysis precision, we compare the call graph constructed by this analysis with the most precise call graph obtainable by a large category of existing pointer analyses. Surprisingly, for all our data programs the FA analysis achieves the best possible precision. This result indicates that for the purposes of call graph construction, inexpensive pointer analyses may provide precision comparable to the precision of expensive pointer analyses.     

全面解析C语言中的指针变量

指针是C语言甲的一个重要概念,正确熟练地掌握指针的概念和指针的使用就能设计出复杂的数据结构和高效的程序。在此重点论述了指针的概念及其在程序中的应用。     

全面解析C语言中的指针变量

指针是C语言中的一个重要概念,正确熟练地掌握指针的概念和指针的使用就能设计出复杂的数据结构和高效的程序。在此重点论述了指针的概念及其在程序中的应用。     

基于指针映射集的动态内存故障测试方法研究

动态内存故障在使用指针的程序中是普遍存在的,采用动态测试方法进行测试难以准确定位故障源.而现有的静态分析方法主要存在漏报和误报过多的情况.针对这些问题,提出了指针映射代数系统的概念,全面地反映了指针与内存之间的映射关系,并给出了面向不同故障的指针映射集的构造规则,以此为基础建立了动态内存故障模型.通过指针映射集和故障模型,可以自动检测内存释放异常、内存泄露和空指针引用等动态内存故障,提高了测试效率.在分析过程中,还综合应用了控制流图和路径条件,提高了测试结果的精度.实验结果表明,该方法能够有效检测动态内存故障,而且出于规则定义较为全面,漏报和误报率也较低.     

数据结构中指针的应用及分析

分析了指针在单链表、链栈及链队列中的应用,指出了容易出错的环节,并深入分析了出错原因,使学生能够深入理解和掌握指针在数据结构中的应用。     

Alias analysis of pointers in Pascal and Fortran 90: dependence analysis between pointer references

 Vectorization and parallelization of programs written in languages where pointers are used is now a subject of increasing interest. The presence of pointers in programs, however, poses new problems to dependence analysis in vectorizing and parallelizing compilers which had been designed to target only at FORTRAN77 programs. In this paper, a new method to analyze dependencies between pointer references in Pascal is proposed, which can also be applied to Fortran 90. It is designed to handle programs with dynamic data structures, such as linear linked lists or trees, which are the most common use of pointers. The method divides into two stages. The first stage is a safe alias analysis which handles any kind of dynamic data structures. The second stage focuses on the specific data structures. It first detects linear linked lists, and then performs dependence analysis between pointer references to the same list. The paper also proposes ways to enhance the second stage. Tree structures are handled here. Loops which manipulate linked lists can now be considered for vectorization by the proposed analysis. Techniques to vectorize such loops are presented in this paper. Some of the proposed algorithms are implemented in V-Pascal, the automatic vectorizing Pascal compiler of our laboratory. The effectiveness of the vectorization of list operations is proved by an experiment on HITAC S-820/80. Received: August 5, 1994/January 17, 1995     

基于对象的C程序边界安全检测改进技术

C语言对内存操作不进行边界安全检测,这使C程序具有高执行效率,但也产生各种安全问题,例如数组越界、指针访问越界、C库函数的非法操作等。基于对象的运行时验证技术能实时监测程序的运行行为,自动找出程序中存在的漏洞。在原有基于对象技术的基础上,改进多维数组和结构体变量的地址范围记录方式,用2次地址查询操作检测指针访问,用平衡二叉树优化存储结构。实验结果表明,改进的方法优于传统的基于对象技术。     

带有指针的嵌套式语言的全程分析方法

对指针变量以及过程间的数据的分析是嵌套式语言全程分析的关键问题之一。本文提出了一种对带有指针的嵌套式语言的全程分析方法，该方法可以有效地解决上述问题。     

一种用于指针程序的形状分析方法

指针程序的分析一直是研究热点。本文提出一种基于形状图逻辑的形状分析方法,其中形状分析采用形状图来表达程序中指针的指向和相等关系,并用形状图逻辑来进行推理。形状图逻辑是一种把形状图看成有关指针的断言,并在此基础上对Hoare逻辑进行扩展而得到的程序逻辑。首先介绍所提出的形状图和形状图逻辑;然后在此基础之上,设计一种基于形状图逻辑的形状分析方法。     

Generating input data structures for automated program testing

Automatic test data generation usually concerns identifying input values that cause a selected path to execute. If a given path involves pointers, then input values may be represented in terms of two‐dimensional dynamic data structures such as lists or trees. Thus, it is very important to identify the shape of the input data structure describing how many nodes are required and how nodes are connected each other. The approach presented in this paper makes use of the points‐to information for each statement in the selected path for the shape generation. It also converts each statement into a static single assignment (SSA) form without pointer dereferences. The SSA form serves as a system of constraints to be solved to yield input values for non‐pointer types. An empirical evaluation shows that shape generation can be achieved in linear time in terms of the number of pointer dereference operations. Copyright © 2008 John Wiley & Sons, Ltd.