CN-122019345-A - Recording method and device for program execution path

Abstract

The application provides a method and a device for recording a program execution path. The method comprises: reading memory mapping information of a running target process of a target program through the /proc/<pid>/maps file in a Unix/Linux-like operating system; disassembling the memory mapping information, identifying all function call instructions from it, and obtaining the addresses of the function call instructions in the process virtual address space of the Unix/Linux-like operating system; attaching ptrace in the Unix/Linux-like operating system to the target process and using ptrace to write breakpoint instructions at the addresses of the function call instructions; triggering a breakpoint event when the target process executes to a breakpoint instruction, recording the address corresponding to the breakpoint event, and dividing the addresses corresponding to the breakpoint events into different paths based on the key addresses. The method can completely and accurately record the actual execution path of the program, and remarkably improves the record integrity of the program execution path.
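The first steps of the method, as an added example that is not code from the patent: parse /proc/<pid>/maps text and keep the executable mappings that would be handed to the disassembler, dropping libraries that are not of interest as claims 5 and 6 describe. SAMPLE_MAPS is constructed, and matching those libraries by file-name prefix (the hypothetical EXCLUDED_PREFIXES list) is an assumption; the patent only speaks of matching "code features".

```python
import re
from typing import NamedTuple

# Constructed sample in /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a01000 r--p 00000000 08:01 1311 /opt/app/server
55d0c4a01000-55d0c4a05000 r-xp 00001000 08:01 1311 /opt/app/server
55d0c4a05000-55d0c4a06000 rw-p 00005000 08:01 1311 /opt/app/server
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2e200000-7f1a2e228000 r--p 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2e228000-7f1a2e3bd000 r-xp 00028000 08:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2e600000-7f1a2e60a000 r-xp 00002000 08:01 1320 /opt/app/libproto.so
7f1a2e7c2000-7f1a2e7ec000 r-xp 00002000 08:01 2190 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd5a1e0000-7ffd5a1e2000 r-xp 00000000 00:00 0 [vdso]
"""

class Region(NamedTuple):
    start: int    # first virtual address of the mapping
    end: int      # one past the last virtual address
    offset: int   # offset of the mapping inside the backing file
    path: str

# address range, permissions, file offset, device, inode, optional path
LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

# Hypothetical stand-in for the "not of interest" libraries of claim 6:
# base runtime, system service and dynamic linker components.
EXCLUDED_PREFIXES = ("libc.", "libc-", "libpthread", "libsystemd",
                     "ld-linux", "[vdso]", "[vsyscall]")

def executable_targets(maps_text, excluded=EXCLUDED_PREFIXES):
    """Return the executable mappings that remain after the library filter."""
    regions = []
    for line in maps_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, path = m.groups()
        if perms[2] != "x":                       # claim 5: executable only
            continue
        if path.rsplit("/", 1)[-1].startswith(excluded):
            continue                              # claim 6: drop these
        regions.append(Region(int(start, 16), int(end, 16), int(offset, 16), path))
    return regions

if __name__ == "__main__":
    for r in executable_targets(SAMPLE_MAPS):
        print(f"{r.start:#x}-{r.end:#x} +{r.offset:#x} {r.path}")
```
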

Inventors

  • CUI HAIBO
  • ZHANG WENLONG
  • HE YI
  • ZHANG ZHAO
  • JI SHENGLONG
  • QIU HAO
  • FU HAITAO
  • REN YAN

Assignees

  • 奇安信网神信息技术(北京)股份有限公司

Dates

Publication Date
20260512
Application Date
20251230

Claims (10)

  1. A method for recording a program execution path, characterized in that the method is applied to a Unix/Linux-like operating system in which a target program runs, and the method comprises the following steps: reading memory mapping information of a running target process of the target program through the /proc/<pid>/maps file in the Unix/Linux-like operating system; disassembling the memory mapping information, identifying all function call instructions from the memory mapping information, and obtaining addresses of the function call instructions in a process virtual address space of the Unix/Linux-like operating system; attaching ptrace in the Unix/Linux-like operating system to the target process, and using ptrace to write a breakpoint instruction at the address of the function call instruction; acquiring a key address in a main loop of each thread in the target process, wherein the key address is used as a boundary between different complete paths; when the target process executes to the breakpoint instruction, triggering a breakpoint event, recording an address corresponding to the breakpoint event, and dividing the addresses corresponding to the breakpoint events into different paths based on the key address.
  2. The method of claim 1, wherein the breakpoint event is triggered multiple times, and wherein the acquiring a key address in a main loop of each thread in the target process comprises: triggering breakpoint events multiple times, and acquiring call stack information each time a breakpoint event is triggered; searching, from the stack bottom, for the first stack frame address that changes among the plurality of pieces of call stack information; determining the address of the upper layer of the first changed stack frame address as the key address; and wherein the triggering a breakpoint event when the target process executes to the breakpoint instruction, recording an address corresponding to the breakpoint event, and dividing the addresses corresponding to the breakpoint events into different paths based on the key address comprises: when the target process executes to the breakpoint instruction, triggering a new breakpoint event, and judging whether the address corresponding to the new breakpoint event is the same as the key address; if the addresses are the same, recording the address corresponding to the new breakpoint event and inserting a separator, wherein the separator represents the end of one execution path; if the addresses are different, recording the address corresponding to the new breakpoint event.
  3. The method of claim 2, wherein there are a plurality of first changed stack frame addresses, and wherein determining the upper layer address of the first changed stack frame address as the key address comprises: determining the quantity of call stack information corresponding to each first changed stack frame address; and selecting the upper layer address of the first changed stack frame address with the largest quantity as the key address.
  4. The method of claim 2, wherein the target process comprises a plurality of threads, the method further comprising: acquiring the ID of the corresponding thread each time the breakpoint event is triggered, so as to search, from the stack bottom, for the first changed stack frame address in the call stack information corresponding to the same ID, and obtain the correspondence between the IDs of different threads and the key addresses corresponding to those thread IDs; acquiring the thread ID corresponding to a new breakpoint event, and determining, from the correspondence, the key address corresponding to that thread ID; wherein the judging whether the address corresponding to the new breakpoint event is the same as the key address comprises: judging whether the address corresponding to the new breakpoint event is the same as the key address determined from the correspondence.
  5. The method of any of claims 1 to 4, wherein the disassembling the memory mapping information comprises: extracting code segments with executable permission from the memory mapping information; and disassembling the code segments.
  6. The method of claim 5, wherein prior to disassembling the code segments, the method further comprises: removing, from the code segments, code that matches code features of target dynamic libraries that are not of interest, to obtain target code segments, wherein the target dynamic libraries comprise a basic runtime library, a system service library and a dynamic linker component; and wherein the disassembling the code segments comprises: disassembling the target code segments.
  7. A device for recording a program execution path, wherein the device is applied to a Unix/Linux-like operating system in which a target program runs, and the device comprises: a memory mapping acquisition module, used for reading the memory mapping information of the running target process of the target program through the /proc/<pid>/maps file in the Unix/Linux-like operating system; an identification module, used for disassembling the memory mapping information, identifying all function call instructions from the memory mapping information, and obtaining addresses of the function call instructions in a process virtual address space of the Unix/Linux-like operating system; a breakpoint setting module, used for attaching ptrace in the Unix/Linux-like operating system to the target process and using ptrace to write a breakpoint instruction at the address of the function call instruction; a key address acquisition module, used for acquiring a key address in a main loop of each thread in the target process, wherein the key address is used as a boundary between different complete paths; and a recording module, used for triggering a breakpoint event when the target process executes to the breakpoint instruction, recording an address corresponding to the breakpoint event, and dividing the addresses corresponding to the breakpoint events into different paths based on the key address.
  8. A computer device comprising a memory, a processor and a computer program stored on the memory, characterized in that the processor executes the computer program to carry out the steps of the method according to any one of claims 1 to 6.
  9. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
  10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.
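One reading of claims 2 to 4, as an added example that is not code from the patent: derive a per-thread key address by majority vote over sampled call stacks, then cut the stream of breakpoint addresses into paths at that address. It assumes each stack frame is identified by the address of the call instruction that created it, so frames compare directly with breakpoint addresses; all addresses, SAMPLES and EVENTS are constructed.

```python
from collections import Counter, defaultdict

def first_change(a, b):
    """Index, counted from the stack bottom, of the first frame that differs."""
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), n)

def key_addresses(samples):
    """samples: (tid, frames) pairs, frames ordered from the stack bottom.
    Assumption: a frame is the address of the call instruction that
    created it, so it is comparable with a breakpoint address."""
    by_tid = defaultdict(list)
    for tid, frames in samples:
        by_tid[tid].append(frames)
    keys = {}
    for tid, stacks in by_tid.items():
        votes = Counter()
        for prev, cur in zip(stacks, stacks[1:]):
            i = first_change(prev, cur)
            if prev != cur and i > 0:
                votes[prev[i - 1]] += 1      # frame one level below the change
        if votes:
            keys[tid] = votes.most_common(1)[0][0]   # claim 3: largest count
    return keys

def split_paths(events, keys):
    """events: (tid, breakpoint address) in arrival order -> {tid: [path, ...]}."""
    done, current = defaultdict(list), defaultdict(list)
    for tid, addr in events:
        current[tid].append(addr)            # the address is always recorded
        if addr == keys.get(tid):            # key address: separator goes here
            done[tid].append(current.pop(tid))
    for tid, rest in current.items():        # addresses after the last separator
        done[tid].append(rest)
    return dict(done)

# Constructed addresses: A/B call the thread loop, K/K2/P are calls inside it.
A, K, P, X1, X2 = 0x401200, 0x401350, 0x401360, 0x401500, 0x401520
B, K2, Y1, Y2 = 0x402000, 0x402100, 0x402300, 0x402320
SAMPLES = [(1, [A, K]), (1, [A, K, X1]), (2, [B, K2, Y1]), (1, [A, K, X2]),
           (1, [A, P]), (2, [B, K2, Y2]), (1, [A, K]), (1, [A, K, X1])]
EVENTS = [(1, K), (1, X1), (2, K2), (1, X2), (1, P), (1, K),
          (2, Y1), (1, X1), (2, K2)]

if __name__ == "__main__":
    keys = key_addresses(SAMPLES)
    for tid, paths in split_paths(EVENTS, keys).items():
        print(tid, hex(keys[tid]), [[hex(a) for a in p] for p in paths])
```

In thread 1 the stacks also diverge directly above A whenever the other loop call P is sampled, which is the situation claim 3 resolves by taking the candidate with the most supporting call stacks.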

Description

Recording method and device for program execution path

Technical Field

The present application relates to the field of computer software testing and debugging technologies, and in particular to a method for recording a program execution path, a device for recording a program execution path, a computer device, a computer readable storage medium, and a computer program product.

Background

The execution path of a program reflects the direction of the program's control flow under a specific input, and is an important basis for evaluating code coverage, locating performance bottlenecks, reproducing software vulnerabilities and verifying program behavior. Recording the execution path of a program is critical for software testing, debugging, performance analysis, fuzz testing, security audit and other applications.

Currently, one of the main ways to record program execution paths is to use a debugger (such as the GNU Debugger, GDB) to track the program execution path by setting breakpoints and single-stepping. Specifically, the user analyzes the target program in advance, determines the function entries or key branch points to be traced through source code examination or guesses based on experience, takes them as breakpoint positions, and then manually sets the breakpoints one by one through GDB commands. When the target program is started and runs to any breakpoint, the debugger immediately pauses the whole process and outputs interrupt information at the console. At this point the user needs to input a further command. For example, continue is input to continue execution until the next breakpoint. For another example, step or next is input to execute a single step and print the context information at the same time. By repeating the "execute-interrupt-record-continue" loop, the debugger records fragments of information such as the program counter address and the stack frame at each interrupt. Finally, the user manually integrates the information from the scattered record points and pieces together the program execution path by combining it with the instruction stream captured during single-step execution.

Because the breakpoint setting depends completely on the user's prior understanding of the program logic and on manual selection, the user cannot predict all potential function call positions in the program, for example call entries resolved through indirect jumps, function pointers or at run time. As a result, a large number of function calls generated during actual execution cannot be captured by the preset breakpoints, the recorded execution path is only a subset of all control flows of the program, and the integrity of the program execution path record is reduced.

Disclosure of Invention

An object of an embodiment of the present application is to provide a method for recording a program execution path, a device for recording a program execution path, a computer device, a computer readable storage medium, and a computer program product, so as to improve the integrity of the recording of the program execution path.

In order to solve the technical problems, the embodiment of the application provides the following technical scheme:

The first aspect of the present application provides a method for recording a program execution path, the method being applied to a Unix/Linux-like operating system in which a target program is running. The method comprises: reading memory mapping information of a running target process of the target program through the /proc/<pid>/maps file in the Unix/Linux-like operating system; disassembling the memory mapping information, identifying all function call instructions from the memory mapping information, and obtaining addresses of the function call instructions in a process virtual address space of the Unix/Linux-like operating system; attaching ptrace in the Unix/Linux-like operating system to the target process, and using ptrace to write breakpoint instructions at the addresses of the function call instructions; obtaining a key address in a main loop of each thread in the target process, wherein the key address is used as a boundary between different complete paths; triggering a breakpoint event when the target process executes to a breakpoint instruction, recording the address corresponding to the breakpoint event, and dividing the addresses corresponding to the breakpoint events into different paths based on the key address.

Compared with the prior art, the recording method of the program execution path provided by the first aspect of the application obtains real-time memory mapping information by dynamically reading the /proc/<pid>/maps file of the target process and disassembles the code segments based on the memory mapping information, so that the addresses of all function call instructions in the process, including the function call instructions in the dynamic library, can be