Similar literature
Found 20 similar documents; search took 78 ms
1.

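Reference-counting bugs in the kernel can cause serious security problems such as memory leaks and use-after-free vulnerabilities. To address this class of bugs, a detection scheme based on behavior-consistency analysis of error paths is proposed. Compared with prior work, the scheme introduces the semantic information of error paths to infer reasonable reference-counting behavior, and thereby detects reference-counting bugs that were previously hard to cover. Specifically, the scheme first identifies all error paths in a function based on code features. Next, it uses path-sensitive static analysis to analyze and summarize the reference-counting behavior on each error path, in order to infer the function's dominant tendency for reference-counting operations on error paths. Finally, based on the principle of consistency analysis, paths that are inconsistent with the dominant tendency are flagged as potential bugs. Experiments show that the scheme found 21 and 9 reference-counting bugs in Linux kernel versions 5.6-rc2 and 5.17, respectively, most of which were confirmed by developers; of these, 9 bugs in kernel version 5.6-rc2 could not be covered by prior work.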

2.
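Common memory errors in C and C++ programs, such as memory leaks, out-of-bounds memory accesses and mismatched memory deallocation, are studied, and existing memory-error detection tools and methods are analyzed. Built on the open-source dynamic binary instrumentation framework Pin, and using a function-family-based method of managing memory information blocks together with a lifecycle method, a prototype memory checking tool, MemGuard, running on the Linux platform is implemented. The prototype effectively detects memory leaks, out-of-bounds memory accesses, mismatched memory deallocation and similar problems, and comparison experiments against Memcheck, the tool that runs on Valgrind, demonstrate the prototype's effectiveness and efficiency.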

3.
The VMMP (virtual machine for multiprocessors) software package is presented. It provides a coherent set of services for parallel application programs running on diverse multiple input multiple data (MIMD) multiprocessors, including shared memory and message passing multiprocessors. The communication, synchronization, and data distribution requirements of parallel algorithms are analyzed. Related languages and tools are described. VMMP services are identified. VMMP implementation, coding and portability are discussed. Some measurements of the performance of VROMP application programs and VMMP overhead are given. Several hints for improving the performance of application programs are described.

4.
This paper presents some issues related to the design and implementation of a concurrency analysis tool able to detect deadlock situations in Java programs that make use of multithreading mechanisms. An abstract formal model is generated from the Java source using the Java2Spin translator. The model is expressed in the PROMELA language, and the SPIN tool is used to perform its formal analysis. The paper mainly focuses on the design of the Java2Spin translator. A set of experiments, carried out to evaluate the performances of the analysis tool, is also presented. Copyright © 1999 John Wiley & Sons, Ltd.

5.
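Dynamic memory allocation gives C/C++ programmers great flexibility, but it also brings a potentially serious problem: memory leaks. Compared with desktop systems, embedded systems have weak processing power, small memory and long running times; if a memory leak occurs while a program is running, it will crash the system and cause unpredictable consequences, so the code that causes memory leaks needs to be detected as early as possible during development and debugging. A distributed memory-leak detection method for embedded software, based on dynamic detection and program instrumentation techniques, is proposed. The idea of the implementation is that while the program runs on the target machine, the instrumentation code automatically intercepts memory operation functions, collects information about the memory operations and sends the collected information to a server for processing, achieving accurate detection of memory leaks in embedded systems. Experimental results show that, because distributed techniques are used for information processing, the efficiency of memory-leak detection is greatly improved.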

6.
The authors introduce web structures and their transformations and develop their theory in the framework of category theory. Once a program has been represented as a web structure, software tools, such as a high-level data flow analyzer or other general program transformers, can be written as sets of web structure production rules. An implementation of web structure transformations is in progress. The mathematical theory of web structure transformations allows formal proofs of properties both at the metatheoretical and theoretical levels.

7.
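C is the main implementation language for safety-critical software, and its memory-leak defects are highly concealed and harmful; ensuring the accuracy and efficiency of memory-leak detection is a major challenge. Static analysis has the advantage of analyzing source code directly and finding software errors early, thereby reducing the cost of fixing them. Based on static analysis, a memory-leak detection method based on path-sensitive value-flow analysis is proposed: first, pointer analysis is performed to generate precise points-to information; then value-flow constraints are built from the points-to information and reachability analysis is performed to identify leak paths in the program; finally, the results are verified using the valid lifetimes of pointers and memory addresses. Analysis of experimental results on typical benchmark C programs shows that the method has certain advantages in efficiency and precision over existing techniques.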

8.
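孙韬敏 (Sun Taomin), 《计算机应用》 (Journal of Computer Applications), 2012, 32(Z2): 126-127, 164
To address the shortcomings of the current memory-leak detection mechanism in the VxWorks operating system, a memory-leak threshold and a memory-residence-time threshold are set, and an automatic memory-leak detection mechanism is implemented using an interrupt service routine and the detection task it wakes; this can meet the requirements of different user environments for real-time, convenient and reliable memory-leak detection.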

9.
Despite the correct deployment of access control mechanisms, information leaks can persist and threaten the reliability of business process execution. This paper presents an automated and effective approach for the verification of information flow control for business process models. Building on the concept of place-based non-interference and declassification, the core contribution of this paper is the application of Petri net reachability to detect places in which information leaks occur. Such a feature allows for the use of state-of-the-art tool support to model-check business process models and detect leaks. We show that the approach is sound and complete, and present the Anica tool to identify leaks. An extensive evaluation comprising over 550 industrial process models is carried out and shows that information flow analysis of process models can be done in milliseconds. This motivates a tight integration of business process modeling and non-interference checking.

10.
gm: a practical tool for automating DNA sequence analysis   (cited 6 times in total: 0 self-citations, 6 citations by others)
The gm (gene modeler) program automates the identification of candidate genes in anonymous, genomic DNA sequence data. gm accepts sequence data, organism-specific consensus matrices and codon asymmetry tables, and a set of parameters as input; it returns a set of models describing the structures of candidate genes in the sequence and a corresponding set of predicted amino acid sequences as output. gm is implemented in C, and has been tested on Sun, VAX, Sequent, MIPS and Cray computers. It is capable of analyzing sequences of several kilobases containing multi-exon genes in less than 1 min execution time on a Sun 4/60.

11.
12.
Context: Despite the large number of publications on Search-Based Software Testing (SBST), there remain few publicly available tools. This paper introduces AUSTIN, a publicly available open source SBST tool for the C language. The paper is an extension of previous work [1]. It includes a new hill climb algorithm implemented in AUSTIN and an investigation into the effectiveness and efficiency of different pointer handling techniques implemented by AUSTIN's test data generation algorithms. Objective: To evaluate the different search algorithms implemented within AUSTIN on open source systems with respect to effectiveness and efficiency in achieving branch coverage. Further, to compare AUSTIN against a non-publicly available, state-of-the-art Evolutionary Testing Framework (ETF). Method: First, we use example functions from open source benchmarks as well as common data structure implementations to check if the decision procedure for pointer inputs, introduced in this paper, differs in terms of effectiveness and efficiency compared to a simpler alternative that generates random memory graphs. A second empirical study formulates two alternate hypotheses regarding the effectiveness and efficiency of AUSTIN compared to the ETF. These hypotheses are tested using a paired Wilcoxon test. Results and Conclusion: The first study highlights some practical problems with the decision procedure for pointer inputs described in this paper. In particular, if the code under test contains insufficient guard statements to enforce constraints over pointers, then using a constraint solver for pointer inputs may be suboptimal compared to a method that generates random memory graphs. The programs used in the second study do not require any constraint solving for pointer inputs and consist of eight non-trivial, real-world C functions drawn from three embedded automotive software modules. For these functions, AUSTIN is competitive compared to the ETF, achieving an equal or higher branch coverage for six of the functions. In addition, for functions where AUSTIN's branch coverage is equal or higher, AUSTIN is more efficient than the ETF.

13.
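Qt inherits the dynamic memory allocation mechanism of the C++ language, which lets developers use memory flexibly according to actual needs; at the same time, Qt inevitably has to face memory leaks, a problem that seriously threatens software security. Although Qt has adopted measures such as a semi-automatic memory management mechanism, these cannot fundamentally solve the problem. In response, a static detection method for memory leaks in Qt-based software is proposed. Targeting Qt's semi-automatic memory management mechanism, the method statically analyzes the memory-allocating code in the object under test to identify whether it falls within the scope of Qt's automatic management, and thereby accurately detects memory leaks and double-free problems. Based on this detection method, an automatic Qt memory-leak detection tool is designed, which can greatly improve testing efficiency.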

14.
This paper considers various aspects of static analysis of C# programs in order to detect the maximum number of software bugs in an acceptable time. A complete cycle of software static analysis is described with the main focus being placed on the specifics of the C# language. Some methods are discussed that take into account popular features of C# at all levels of analysis: call graph and control flow graph construction, dataflow analysis, as well as context- and path-sensitive interprocedural analysis. A symbolic execution method is proposed, which is based on the works devoted to the Bounded Model Checking (BMC) and the Saturn Software Analysis Project. A memory model is described that enables an accurate intraprocedural analysis and allows one to create compact representations of error conditions associated with functions, which are essential for interprocedural analysis. Special attention is paid to the optimizations that occur during path-sensitive analysis of error conditions. The conditions need to be optimized in terms of size, because path-sensitive interprocedural analysis requires saving a large number of conditions for each analyzed function. The conditions are resolved using advanced SMT solvers (such as the Microsoft Z3 Prover). This paper also considers various approaches to modeling the behavior of library functions: based on a summary containing a set of properties required for analysis, or based on simplified implementations in C#. All the discussed solutions are implemented in the SharpChecker static analysis tool and are tested on a number of open-source projects from 1.5 thousand to 1.35 million lines of code.

15.
JDiff: A differencing technique and tool for object-oriented programs   (cited 2 times in total: 0 self-citations, 2 citations by others)
During software evolution, information about changes between different versions of a program is useful for a number of software engineering tasks. For example, configuration-management systems can use change information to assess possible conflicts among updates from different users. For another example, in regression testing, knowledge about which parts of a program are unchanged can help in identifying test cases that need not be rerun. For many of these tasks, a purely syntactic differencing may not provide enough information for the task to be performed effectively. This problem is especially relevant in the case of object-oriented software, for which a syntactic change can have subtle and unforeseen effects. In this paper, we present a technique for comparing object-oriented programs that identifies both differences and correspondences between two versions of a program. The technique is based on a representation that handles object-oriented features and, thus, can capture the behavior of object-oriented programs. We also present JDiff, a tool that implements the technique for Java programs. Finally, we present the results of four empirical studies, performed on many versions of two medium-sized subjects, that show the efficiency and effectiveness of the technique when used on real programs.

16.
Graphics processing units (GPUs) pose an attractive choice for designing high-performance and energy-efficient software systems. This is because GPUs are capable of executing massively parallel applications. However, the performance of GPUs is limited by the contention in memory subsystems, often resulting in substantial delays and effectively reducing the parallelism. In this paper, we propose GRAB, an automated debugger to aid the development of efficient GPU kernels. GRAB systematically detects, classifies and discovers the root causes of memory-performance bottlenecks in GPUs. We have implemented GRAB and evaluated it with several open-source GPU kernels, including two real-life case studies. We show the usage of GRAB through improvement of GPU kernels on a real NVIDIA Tegra K1 hardware – a widely used GPU for mobile and handheld devices. The guidance obtained from GRAB leads to an overall improvement of up to 64%.

17.
In the area of parallelizing compilers, considerable research has been carried out on data dependency analysis, parallelism extraction, as well as program and data partitioning. However, designing a practical, low complexity scheduling algorithm without sacrificing performance remains a challenging problem. A variety of heuristics have been proposed to generate efficient solutions but they take prohibitively long execution times for moderate size or large problems. In this paper, we propose an algorithm called FASTEST (Fast Assignment and Scheduling of Tasks using an Efficient Search Technique) that has O(e) time complexity, where e is the number of edges in the task graph. The algorithm first generates an initial solution in a short time and then refines it by using a simple but robust random neighborhood search. We have also parallelized the search to further lower the time complexity. We are using the algorithm in a prototype automatic parallelization and scheduling tool which compiles sequential code and generates parallel code optimized with judicious scheduling. The proposed algorithm is evaluated with several application programs and outperforms a number of previous algorithms by generating parallelized code with shorter execution times, while taking dramatically shorter scheduling times. The FASTEST algorithm generates optimal solutions for a majority of the test cases and close-to-optimal solutions for the rest.

18.
19.
Designing highly efficient embedded programs requires efficient tools to support performance monitoring and tuning of embedded software. Several such tools are available for various embedded processors. To effectively meet the energy consumption requirements of embedded systems, programmers try to understand the energy and power consumption of embedded systems as a high-priority monitoring target. The paper discusses SES, a highly integrated tool that delivers cycle-by-cycle power consumption data for optimizing embedded programs.

20.
As the computation power in desktops advances, parallel programming has emerged as one of the essential skills needed by next generation software engineers. However, programs written in popular parallel programming paradigms have a substantial amount of sequential code mixed with the parallel code. Several such versions supporting different platforms are necessary to find the optimum version of the program for the available resources and problem size. As revealed by our study on benchmark programs, sequential code is often duplicated in these versions. This can affect code comprehensibility and re-usability of the software. In this paper, we discuss a framework named PPModel, which is designed and implemented to free programmers from these scenarios. Using PPModel, a programmer can separate parallel blocks in a program, map these blocks to various platforms, and re-execute the entire program. We provide a graphical modeling tool (PPModel) intended for Eclipse users and a Domain-Specific Language (tPPModel) for non-Eclipse users to facilitate the separation, the mapping, and the re-execution. This is illustrated with a case study from a benchmark program, which involves re-targeting a parallel block to CUDA and another parallel block to OpenMP. The modified program gave almost 5× performance gain compared to the sequential counterpart, and 1.5× gain compared to the existing OpenMP version.
