CN116450402A - Program flow monitoring method, compiling device, processor and computer equipment - Google Patents
- Publication number
- CN116450402A (application CN202310708268.XA)
- Authority
- CN
- China
- Prior art keywords
- basic block
- signature
- instruction
- control flow
- verification
- Prior art date
- Legal status
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1004—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/3024—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a central processing unit [CPU]
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/3005—Arrangements for executing specific machine instructions to perform operations for flow control
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/38—Concurrent instruction execution, e.g. pipeline or look ahead
- G06F9/3818—Decoding for concurrent execution
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Computer Security & Cryptography (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Technical Field
The present invention relates to the technical field of program flow monitoring, and in particular to a program flow monitoring method, a compiling method, corresponding devices, a processor and computer equipment.
Background
As the core unit of a chip, the CPU (Central Processing Unit) is widely used in every field. Normally the CPU fetches, decodes and executes the instructions of an instruction stream one after another, in the order of the stream, to complete their execution. If the order in which the program flow is executed is disrupted, program logic errors occur and the whole system may even fail. It is therefore necessary to monitor the program flow to ensure that the system's programs run safely and reliably.
In the related art, the program flow is usually monitored with a watchdog inside the CPU or with an external system watchdog module. A watchdog-based method, however, can only detect whether the program flow completes within a certain time; it cannot detect whether the program flow has executed validly according to the designed logic.
Summary of the Invention
The present invention aims to solve, at least to some extent, one of the technical problems of the related art. Accordingly, the first object of the present invention is to propose a program flow monitoring method that combines software and hardware to monitor the program flow twice, on the data flow and on the control flow, and can thereby effectively detect program execution that deviates from what was intended because of electromagnetic interference, line crosstalk and similar factors.
The second object of the present invention is to propose a program code compiling method.
The third object of the present invention is to propose a processor.
The fourth object of the present invention is to propose a program flow monitoring device.
The fifth object of the present invention is to propose a program code compiling device.
The sixth object of the present invention is to propose a computer device.
The seventh object of the present invention is to propose a computer-readable storage medium.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a program flow monitoring method. The program flow corresponds to a control flow and a data flow; the control flow comprises a number of basic blocks; a control flow check instruction is inserted at the head of each basic block in the compilation stage, and a data flow check instruction is inserted at the tail of each basic block in the linking stage, where the data flow check instruction is inserted in the linking stage by replacing a placeholder instruction that was inserted at the tail of the basic block in the compilation stage. The method comprises: when the program flow reaches the current basic block, executing the control flow check instruction in the current basic block to check the correctness of the control flow; and when the current basic block runs to the data flow check instruction, determining the CRC signature value of all instructions of the current basic block to check the integrity of the data flow.
According to one embodiment of the present invention, each basic block is assigned a static signature; the basic blocks include a current basic block and a predecessor basic block that jumps to the current basic block; and executing the control flow check instruction in the current basic block to check the correctness of the control flow comprises: obtaining the compensation signature of the predecessor basic block and the runtime signature of the predecessor basic block, where the compensation signature is determined from the XOR of the static signature of the predecessor basic block with the static signature of the predecessor reference basic block, and the predecessor reference basic block is the reference basic block at the control level of the predecessor basic block; determining the static signature and the signature difference of the current basic block, where the signature difference is determined from the XOR of the static signature of the predecessor reference basic block with the static signature of the current basic block; and if the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block equals the static signature of the current basic block, the current basic block passes the control flow check.
According to one embodiment of the present invention, when there is exactly one predecessor basic block, that predecessor basic block is the predecessor reference basic block and the compensation signature is 0.
According to one embodiment of the present invention, when there is more than one predecessor basic block, the predecessor reference basic block is determined from the static signatures of the basic blocks at the control level of the predecessor basic block.
According to one embodiment of the present invention, the program flow monitoring method further comprises: if the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block does not equal the static signature of the current basic block, the current basic block fails the control flow check and an exception is triggered.
According to one embodiment of the present invention, before the step in which the current basic block passes the control flow check when the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block equals the static signature of the current basic block, the program flow monitoring method further comprises: inserting, at the head of the current basic block, a control flow check instruction based on the signature difference and the static signature of the current basic block. That passing step then comprises: if the XOR of the runtime signature of the predecessor basic block, the signature difference carried in the control flow check instruction and the compensation signature of the predecessor basic block equals the static signature carried in the control flow check instruction, the current basic block passes the control flow check.
According to one embodiment of the present invention, the data flow check instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links; and determining the CRC signature value of all instructions of the current basic block to check the integrity of the data flow comprises: computing the CRC signature value of all instructions in the current basic block to obtain a dynamic check signature; and if the dynamic check signature at the time the current basic block finishes executing matches the static check signature, the current basic block passes the data flow check.
According to one embodiment of the present invention, determining the CRC signature value of all instructions of the current basic block to check the integrity of the data flow further comprises: if the dynamic check signature at the time the current basic block finishes executing does not match the static check signature, the current basic block fails the data flow check and an exception is triggered.
According to one embodiment of the present invention, the control flow includes a function control flow comprising an entry basic block and an exit basic block; a signature information save instruction is inserted into the entry basic block in the compilation stage, and a signature information restore instruction is inserted into the exit basic block in the compilation stage; and the program flow monitoring method further comprises: executing the signature information save instruction when a function is called, to push the runtime signature and the compensation signature onto a stack; and executing the signature information restore instruction when the called function returns, to pop the saved runtime signature and compensation signature from the stack.
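The XOR check of the preceding embodiments (runtime signature of the predecessor XOR signature difference XOR compensation signature must equal the current block's static signature) and the signature stack pushed at function entry and popped at function exit can be exercised with a small simulation. The Python below is an added example written for this page, not code from the patent or its toolchain. It assumes that the reference block of a control level is the block with the smallest static signature at that level, that a function entry block starts its own signature chain after pushing the caller's registers, and that the block's own compensation signature is loaded into the D register once its check passes; the control flow graph (a main function with an if/else diamond that calls f), block names, levels and signature values are all constructed.

```python
# Added example (not the patent's code): simulation of the XOR-signature control
# flow check and the signature stack. All block names, levels and signature values
# below are constructed; the reference-block rule is an assumption.
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str
    sig: int                      # static signature assigned at compile time
    level: int                    # control level, used to pick the reference block
    preds: list = field(default_factory=list)
    role: str = "body"            # "entry"/"exit" mark function entry and exit blocks


class ControlFlowError(Exception):
    """Raised where the hardware would trigger an exception."""


def base_sig(blocks, level):
    # Reference basic block of a control level (assumption: smallest static signature).
    return min(b.sig for b in blocks.values() if b.level == level)


def compensation(blocks, b):
    # D = s_P xor s_base; 0 when the block is alone at its level (single-predecessor case).
    return b.sig ^ base_sig(blocks, b.level)


def signature_diff(blocks, c):
    # d = s_base xor s_C, where s_base is the reference signature of the predecessors' level.
    levels = {blocks[p].level for p in c.preds}
    if len(levels) != 1:
        raise ValueError(f"predecessors of {c.name} must share one control level")
    return base_sig(blocks, levels.pop()) ^ c.sig


class Monitor:
    """Models the runtime signature register G, the compensation register D and the stack."""

    def __init__(self, blocks):
        self.blocks, self.G, self.D, self.stack = blocks, 0, 0, []

    def enter(self, name):
        b = self.blocks[name]
        if b.role == "entry":
            # signature information save instruction: push the caller's (G, D)
            self.stack.append((self.G, self.D))
            self.G = b.sig          # assumption: a function entry starts its own chain
        else:
            # control flow check instruction carrying d and s_C
            d = signature_diff(self.blocks, b)
            if self.G ^ d ^ self.D != b.sig:
                raise ControlFlowError(f"illegal transfer into {name}")
            self.G = b.sig
        self.D = compensation(self.blocks, b)

    def leave(self, name):
        if self.blocks[name].role == "exit":
            # signature information restore instruction: pop the caller's (G, D)
            self.G, self.D = self.stack.pop()


def check_trace(blocks, trace):
    """Replay a sequence of executed blocks; return (passed, first offending block)."""
    mon = Monitor(blocks)
    for name in trace:
        try:
            mon.enter(name)
        except ControlFlowError:
            return False, name
        mon.leave(name)
    return True, None


# Constructed CFG: main() with an if/else diamond (m1, m2) whose join block m3 calls f().
PROGRAM = {b.name: b for b in [
    Block("m0", 0x11, 0, [], "entry"),
    Block("m1", 0x22, 1, ["m0"]),
    Block("m2", 0x33, 1, ["m0"]),
    Block("m3", 0x44, 2, ["m1", "m2"]),      # call site of f()
    Block("m4", 0x55, 3, ["m3"], "exit"),    # return target
    Block("f0", 0x66, 10, [], "entry"),
    Block("f1", 0x77, 11, ["f0"], "exit"),
]}

if __name__ == "__main__":
    print(check_trace(PROGRAM, ["m0", "m1", "m3", "f0", "f1", "m4"]))  # (True, None)
    print(check_trace(PROGRAM, ["m0", "m3"]))                          # (False, 'm3')
```

Both legal paths through the diamond pass because m2's non-zero compensation signature cancels the difference between its static signature and the level's reference signature. The skipped-level transfer m0 to m3 and the jump m1 to m4 are rejected because the reference signatures of the levels involved differ, and the popped (G, D) pair lets m4 be checked against its call-site predecessor m3 exactly as if no call had intervened.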
According to one embodiment of the present invention, the program flow monitoring method further comprises: adding a global-monitoring compiler parameter, so that the entire run of the application program is monitored.
According to one embodiment of the present invention, the program flow monitoring method further comprises: for a specified function in the source code, adding a program flow detection mark and a compiler parameter at a specified position of that function, so that the run of that function is monitored.
According to one embodiment of the present invention, the program flow monitoring method further comprises: enclosing the target source code to be monitored in brackets within the source code; and adding a directive statement at a specified position of the target source code, so that the run of that target source code is monitored.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes a program code compiling method. The program code corresponds to a program control flow graph containing a number of basic blocks. The method comprises: in the compilation stage, inserting a control flow check instruction at the head of each basic block and a placeholder instruction at its tail, where the control flow check instruction is used to check the correctness of the control flow when the program flow corresponding to the program code reaches any basic block; and in the linking stage, replacing the instruction code of the placeholder instruction with a data flow check instruction, where the data flow check instruction is used, when the program flow corresponding to the program code reaches the data flow check instruction of any basic block, to determine the CRC signature value of all instructions of that basic block and so check the integrity of the data flow.
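The reason the data flow check must be filled in at link time, and the runtime CRC check described in the earlier data-flow embodiments, can both be seen in a toy compile, link and execute pipeline: the CRC carried by the data flow check has to cover the control flow check instruction at the head of the block, whose final encoding is only known once linking is done. The Python below is an added example, not the patent's toolchain or CPU. It assumes 32-bit instruction words with an 8-bit opcode and a 24-bit operand, constructed opcode numbers, 8-bit d and s values packed into the control flow check operand, CRC-16/CCITT-FALSE standing in for the unspecified CRC, and that the CRC covers every instruction word before the data flow check instruction.

```python
# Added example (not the patent's toolchain): compile -> link -> execute pipeline for
# one basic block. Opcodes, word layout and the CRC-16 choice are assumptions.
CFCHK, ADD, LOAD, BR, PLACEHOLDER, DFCHK = 0x01, 0x10, 0x11, 0x20, 0xFE, 0xFF


def encode(opcode, operand=0):
    # 32-bit word: 8-bit opcode in the top byte, 24-bit operand below it
    return (opcode << 24) | (operand & 0xFFFFFF)


def crc16(data, crc=0xFFFF):
    # CRC-16/CCITT-FALSE computed bit by bit; `crc` doubles as the intermediate value
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def compile_block(body, d, s):
    # Compilation stage: control flow check (carrying d and s) at the head,
    # placeholder at the tail. The block's final encoding is not known yet.
    return [encode(CFCHK, (d << 8) | s)] + list(body) + [encode(PLACEHOLDER)]


def link_block(words):
    # Linking stage: the placeholder is replaced by a data flow check carrying the
    # CRC of every instruction word before it, including the control flow check.
    if words[-1] >> 24 != PLACEHOLDER:
        raise ValueError("block tail is not a placeholder")
    static_sig = 0xFFFF
    for w in words[:-1]:
        static_sig = crc16(w.to_bytes(4, "big"), static_sig)
    return words[:-1] + [encode(DFCHK, static_sig)]


def execute_block(words):
    # Runtime: each fetched instruction is folded into the CRC intermediate register;
    # at the data flow check the dynamic signature must equal the stored static one.
    intermediate = 0xFFFF
    for w in words:
        if w >> 24 == DFCHK:
            return intermediate == (w & 0xFFFF)
        intermediate = crc16(w.to_bytes(4, "big"), intermediate)
    return False            # block ended without a data flow check: treat as failed


def flip_bit(words, index, bit):
    # Constructed fault: a single bit upset in one instruction word of the block
    corrupted = list(words)
    corrupted[index] ^= 1 << bit
    return corrupted


# Constructed body of one basic block (load, add, branch).
BODY = [encode(LOAD, 0x001000), encode(ADD, 0x000004), encode(BR, 0x000040)]

if __name__ == "__main__":
    linked = link_block(compile_block(BODY, d=0x33, s=0x22))
    print([hex(w) for w in linked])
    print(execute_block(linked))                                 # True
    print(execute_block(flip_bit(linked, 0, 5)))                 # False: CF check corrupted
    print(execute_block(flip_bit(linked, 2, 17)))                # False: body corrupted
    print(execute_block(flip_bit(linked, len(linked) - 1, 0)))   # False: stored CRC corrupted
```

A bit flip anywhere in the block, including in the control flow check instruction that the compiler itself added, changes the dynamic signature and so fails the check; a flip in the stored CRC or in the data flow check opcode fails it as well, the latter because the block then ends without any data flow check being executed.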
According to one embodiment of the present invention, the control flow includes a function control flow comprising an entry basic block and an exit basic block; and the program code compiling method further comprises: in the compilation stage, inserting a signature information save instruction into the entry basic block and a signature information restore instruction into the exit basic block, where the signature information save instruction pushes the runtime signature and the adjustment signature onto a stack when a function is called, and the signature information restore instruction pops the runtime signature and the adjustment signature before the called function returns.
To achieve the above objects, an embodiment of the third aspect of the present invention proposes a processor for executing a program flow. The program flow corresponds to a control flow and a data flow, and the control flow comprises a number of basic blocks. The processor comprises an extended decode circuit in the decode pipeline stage, and a control flow check circuit and a data flow check circuit in the write-back pipeline stage. The extended decode circuit decodes control flow check instructions and data flow check instructions, where the control flow check instruction is inserted at the head of a basic block in the compilation stage and the data flow check instruction is inserted in the linking stage by replacing the placeholder instruction inserted at the tail of the basic block in the compilation stage. The control flow check circuit executes the control flow check instruction in the current basic block when the program flow reaches the current basic block, to check the correctness of the control flow. The data flow check circuit determines the CRC signature value of all instructions of the current basic block when the current basic block runs to the data flow check instruction, to check the integrity of the data flow.
According to one embodiment of the present invention, each basic block is assigned a static signature; the basic blocks include a current basic block and a predecessor basic block that jumps to the current basic block; the processor is provided with a runtime signature register and a compensation signature register; the runtime signature register stores the runtime signature of the predecessor basic block and the compensation signature register stores the compensation signature of the predecessor basic block, where the compensation signature is determined from the XOR of the static signature of the predecessor basic block with the static signature of the predecessor reference basic block, and the predecessor reference basic block is the reference basic block at the control level of the predecessor basic block. The control flow check circuit further determines the static signature and the signature difference of the current basic block, and if the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block equals the static signature of the current basic block, the current basic block passes the control flow check, where the signature difference is determined from the XOR of the static signature of the predecessor reference basic block with the static signature of the current basic block.
According to one embodiment of the present invention, the control flow includes a function control flow comprising an entry basic block and an exit basic block; a signature information save instruction is inserted into the entry basic block in the compilation stage, and a signature information restore instruction is inserted into the exit basic block in the compilation stage; the processor is provided with a signature stack; and the signature stack is used to execute the signature information save instruction when a function is called, pushing the runtime signature and the compensation signature, and to execute the signature information restore instruction when the called function returns, popping the saved runtime signature and compensation signature.
According to one embodiment of the present invention, the data flow check instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links; the processor is provided with a CRC intermediate value register, which stores the intermediate CRC signature value generated when the current basic block has run up to the current instruction; and the data flow check circuit further computes the CRC signature value of all instructions in the current basic block to obtain a dynamic check signature, and if the dynamic check signature at the time the current basic block finishes executing matches the static check signature, the current basic block passes the data flow check.
To achieve the above objects, an embodiment of the fourth aspect of the present invention proposes a program flow monitoring device. The program flow corresponds to a control flow and a data flow; the control flow comprises a number of basic blocks; a control flow check instruction is inserted at the head of each basic block in the compilation stage, and a data flow check instruction is inserted at the tail of each basic block in the linking stage, where the data flow check instruction is inserted in the linking stage by replacing a placeholder instruction that was inserted at the tail of the basic block in the compilation stage. The device comprises: a control flow check module, configured to execute the control flow check instruction in the current basic block when the program flow reaches the current basic block, to check the correctness of the control flow; and a data flow check module, configured to determine the CRC signature value of all instructions of the current basic block when the current basic block runs to the data flow check instruction, to check the integrity of the data flow.
According to one embodiment of the present invention, each basic block is assigned a static signature; the basic blocks include a current basic block and a predecessor basic block that jumps to the current basic block; and the control flow check module is further configured to obtain the compensation signature of the predecessor basic block and the runtime signature of the predecessor basic block, where the compensation signature is determined from the XOR of the static signature of the predecessor basic block with the static signature of the predecessor reference basic block, and the predecessor reference basic block is the reference basic block at the control level of the predecessor basic block; to determine the static signature and the signature difference of the current basic block, where the signature difference is determined from the XOR of the static signature of the predecessor reference basic block with the static signature of the current basic block; and, if the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block equals the static signature of the current basic block, to pass the current basic block through the control flow check.
According to one embodiment of the present invention, the control flow check module is further configured to insert a control flow check instruction at the head of the current basic block based on the signature difference and the static signature of the current basic block; and if the XOR of the runtime signature of the predecessor basic block, the signature difference carried in the control flow check instruction and the compensation signature of the predecessor basic block equals the static signature carried in the control flow check instruction, the current basic block passes the control flow check.
According to one embodiment of the present invention, the data flow check instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links; and the data flow check module is further configured to compute the CRC signature value of all instructions in the current basic block to obtain a dynamic check signature, and if the dynamic check signature at the time the current basic block finishes executing matches the static check signature, the current basic block passes the data flow check.
According to one embodiment of the present invention, the control flow includes a function control flow comprising an entry basic block and an exit basic block; a signature information save instruction is inserted into the entry basic block in the compilation stage, and a signature information restore instruction is inserted into the exit basic block in the compilation stage; and the program flow monitoring device further comprises: a signature push module, configured to execute the signature information save instruction when a function is called, to push the runtime signature and the compensation signature onto a stack; and a signature pop module, configured to execute the signature information restore instruction when the called function returns, to pop the saved runtime signature and compensation signature from the stack.
To achieve the above objects, an embodiment of the fifth aspect of the present invention proposes a program code compiling device. The program code corresponds to a program control flow graph containing a number of basic blocks. The device comprises: a first instruction insertion module, configured to insert, in the compilation stage, a control flow check instruction at the head of each basic block and a placeholder instruction at its tail, where the control flow check instruction is used to check the correctness of the control flow when the program flow corresponding to the program code reaches any basic block; and a placeholder replacement module, configured to replace, in the linking stage, the instruction code of the placeholder instruction with a data flow check instruction, where the data flow check instruction is used, when the program flow corresponding to the program code reaches the data flow check instruction of any basic block, to determine the CRC signature value of all instructions of that basic block and so check the integrity of the data flow.
According to one embodiment of the present invention, the control flow includes a function control flow comprising an entry basic block and an exit basic block; and the program code compiling device further comprises: a second instruction insertion module, configured to insert, in the compilation stage, a signature information save instruction into the entry basic block and a signature information restore instruction into the exit basic block, where the signature information save instruction pushes the runtime signature and the adjustment signature onto a stack when a function is called, and the signature information restore instruction pops the runtime signature and the adjustment signature before the called function returns.
To achieve the above object, an embodiment of the sixth aspect of the present invention provides a computer device including a memory and a processor. The memory stores a computer program, and when the processor executes the computer program, the steps of the method of any of the foregoing embodiments are carried out.
To achieve the above object, an embodiment of the seventh aspect of the present invention provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps of the method of any of the foregoing embodiments are carried out.
According to the embodiments provided by the present invention, the signature information saving instruction, the signature information restoring instruction, the control flow verification instruction and the data flow verification instruction are used to verify, at run time, the integrity and correctness of the control flow and data flow of an application program. A CPU microarchitecture that supports executing these program flow monitoring instructions and a compilation toolchain that supports generating them are then implemented, so that the combined software and hardware program flow monitoring method monitors the program flow on both the data flow and the control flow. In addition, the control flow verification instructions and the placeholder instructions for the data flow verification instructions are first inserted into the assembly code during the compilation stage, and the data flow verification instructions are then inserted into the binary instruction code during the linking stage to replace the placeholders; as a result, the newly added control flow verification instructions are themselves covered by the integrity check.
Additional aspects and advantages of the invention will be set forth in part in the following description, and in part will become apparent from the description or may be learned by practice of the invention.
Description of the drawings
Fig. 1 is a schematic flowchart of a program flow monitoring method according to an embodiment of this specification.
Fig. 2 is a schematic flowchart of verifying the correctness of the control flow according to an embodiment of this specification.
Fig. 3 is a schematic flowchart of verifying the integrity of the data flow according to an embodiment of this specification.
Fig. 4 is a schematic flowchart of a program flow monitoring method according to an embodiment of this specification.
Fig. 5a is a schematic flowchart of a program code compiling method according to an embodiment of this specification.
Fig. 5b is a schematic structural diagram of a compiler system according to an embodiment of this specification.
Fig. 5c is a schematic diagram of the encoding format of a control flow verification instruction according to an embodiment of this specification.
Fig. 5d is a schematic diagram of the encoding format of a control flow verification instruction according to an embodiment of this specification.
Fig. 5e is a schematic diagram of the encoding format of a data flow verification instruction according to an embodiment of this specification.
Fig. 5f is a schematic diagram of the process of inserting a control flow verification instruction and a data flow verification instruction according to an embodiment of this specification.
Fig. 6a is a schematic diagram of the encoding format of a signature information saving instruction according to an embodiment of this specification.
Fig. 6b is a schematic diagram of the encoding format of a signature information restoring instruction according to an embodiment of this specification.
Fig. 6c is a schematic diagram of the process of inserting instructions into a basic block according to an embodiment of this specification.
Fig. 7 is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 8a is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 8b is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 9a is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 9b is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 10a is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 10b is a structural block diagram of a processor according to an embodiment of this specification.
Fig. 11a is a structural block diagram of a program flow monitoring device according to an embodiment of this specification.
Fig. 11b is a structural block diagram of a program flow monitoring device according to an embodiment of this specification.
Fig. 12a is a structural block diagram of a program code compiling device according to an embodiment of this specification.
Fig. 12b is a structural block diagram of a program code compiling device according to an embodiment of this specification.
Fig. 13 is a structural block diagram of a computer device according to an embodiment of this specification.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below; examples of them are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
As the core unit on a chip, the CPU (Central Processing Unit) is widely used in many fields. Taking electric power and aerospace as examples, because of the special environments in which power systems and aerospace equipment operate, the CPU is highly susceptible to electromagnetic interference, line crosstalk, single-event effects in space and similar factors, which cause program execution faults. Particularly serious are faults in which the program counter or a memory cell is abnormally overwritten, causing program execution to branch to the wrong place or the value of a key variable to fall far outside its normal range. Because such faults are caused by external environmental factors, both their content and the memory address at which they occur are largely random, so they cannot be found and handled by conventional software testing methods.
Normally the compiler compiles a software program into a sequence of binary instructions, and the CPU fetches, decodes and executes the instructions in the order of the instruction stream. Only when the CPU executes the instructions in that order can the program be guaranteed to run according to its intended logic. If the order of execution of the program flow is disturbed, for example some instructions are not executed or a branch jumps to the wrong place, or if an instruction is overwritten with a different or invalid instruction, the result of the program will not match what was expected and the whole system may even behave abnormally. It is therefore necessary to monitor the execution of the program flow in real time so that abnormal situations can be detected promptly and handled accordingly, ensuring that the system's programs run safely and reliably.
When a program runs, executing a jump instruction transfers execution to another instruction; this process is called a control flow transfer. A basic block is a sequence of instructions executed one after another in order. Based on basic blocks, a program can be represented as a control flow graph composed of basic blocks and the directed edges connecting them, where a directed edge represents an actual program control flow transfer. If there is an edge from basic block Bi to basic block Bj, the program contains a path from Bi to Bj; Bi is called a predecessor basic block of Bj and Bj a successor basic block of Bi. Based on basic blocks and the program control flow graph, a legal program control flow has two aspects: (1) control flow inside a basic block: since the instructions inside a basic block are executed in order, program execution (control flow) can only enter at the first instruction of the block and leave at its last instruction, so every instruction except the last has exactly one successor instruction; (2) control flow transfer between basic blocks: the last instruction of a basic block may have several possible successor instructions, but each of them must be the first instruction of a basic block that, in the control flow graph, is a successor of the basic block to which that last instruction belongs.
In the related art, the following two methods are usually used to monitor the execution of the program flow:
(1) Using the CPU's internal watchdog or an external system watchdog module to monitor the running of the software. A watchdog circuit has a timer; if the program does not reset the count within the specified time, program execution is considered abnormal and the watchdog circuit outputs an interrupt or reset signal. However, watchdog-based program flow monitoring can only confirm whether the program has stopped making progress, not whether the program flow actually executed as expected. For example, the case in which a faulty jump instruction causes part of the instructions to be skipped cannot be monitored. As long as the periodic task that clears the timer keeps running normally, errors elsewhere are not discovered. The program may already have been running in an erroneous state for a considerable time before the watchdog reset is triggered, and the incorrect data output during that period may cause losses to the user.
(2) Adding an extra flag-value field to each monitored subroutine. When the subroutine is called, it computes the flag value using an algorithm agreed in advance, and the main program then compares the value computed by the subroutine with the expected reference value. If they match, the subroutine is deemed to have executed as expected in the program flow; otherwise its execution is deemed erroneous. However, this method can only confirm whether the subroutine was called and whether the code that computes the flag-value field executed normally; it cannot adequately monitor cases in which the subroutine's own functional logic was not executed or was executed incorrectly. The monitoring effect is therefore limited, and the method may add considerable redundant code overhead.
To solve the problems of the program flow monitoring methods of the related art and to improve monitoring effectiveness, this specification proposes a program flow monitoring method, a compiling method, devices, a processor and computer equipment. The CPU architecture's instruction set is extended with program flow monitoring instructions in the form of signature verification instructions: within each basic block, a data flow verification instruction ensures the integrity of the data flow between the instructions of the block, and between basic blocks, a control flow verification instruction ensures the correctness of the control flow of transfers between basic blocks. A CPU microarchitecture that supports executing these program flow monitoring instructions and a compilation toolchain that supports generating them are then implemented. This combined software and hardware program flow monitoring method monitors the program flow on both the data flow and the control flow and can effectively detect program execution that deviates from the expected behaviour because of electromagnetic interference, line crosstalk and similar factors. When program flow monitoring detects an execution error, an exception is raised immediately, so that the application software can take countermeasures such as a module reset or a full reset in time to ensure correct program operation.
An embodiment of this specification provides a program flow monitoring method. The program flow has a corresponding control flow and data flow; the control flow includes several basic blocks; a control flow verification instruction is inserted at the head of each basic block during the compilation stage, and a data flow verification instruction is inserted at the tail of each basic block during the linking stage. The data flow verification instruction is inserted in the linking stage by replacing the placeholder instruction that was inserted at the tail of the basic block during the compilation stage. Referring to FIG. 1, the program flow monitoring method may include the following steps.
S110. When the program flow reaches the current basic block, execute the control flow verification instruction in the current basic block to verify the correctness of the control flow.
Here the control flow represents the directed jumps between basic blocks in the program, and the control flow verification instruction may be a signature verification instruction that contains basic block signature information. A program can be represented as a control flow graph composed of basic blocks and the directed edges connecting them, where a directed edge represents an actual program control flow transfer. If there is a directed edge from basic block Bi to basic block Bj, the program contains a path from Bi to Bj; Bi is called a predecessor basic block of Bj, and Bj a successor basic block of Bi. Within a program, the basic block can therefore serve as the unit of program flow monitoring and verification, with a check performed on each jump between basic blocks to ensure the correctness of the control flow.
The current basic block is the basic block that is about to be executed or is currently being executed in the program flow. Since a basic block is the largest contiguous block of sequentially executed instructions in a program, no instruction other than its last one may be a program control instruction (an instruction that can change the original execution order, typically a conditional branch, unconditional jump, function call or function return), and no instruction other than its first one may be the target of a program control instruction. A control flow verification instruction can therefore be inserted at the head of each basic block so that, when the program flow reaches the current basic block, the verification instruction is executed before the block's first original instruction. It checks whether the current basic block is a correct jump target for the predecessor basic block that jumped to it, and if the predecessor's jump is found to be wrong, an exception can be raised directly, leaving the application program to respond. Further, the compiler can split and mark the basic blocks according to the jump instructions and build the program's control flow graph on that basis. By adding the control flow verification instruction to the CPU's extended instruction set and extending the compilation toolchain, the compiler inserts the control flow verification instruction into the executable instruction sequence of each basic block during the compilation stage, so that the insertion and execution of the verification instructions is independent of the syntax of the high-level programming language.
Specifically, the signature information in the control flow verification instruction may include signature information for each basic block and its legal predecessor basic blocks. When the program flow reaches the current basic block, the signature information in the current block's control flow verification instruction is checked against the signature information of the predecessor basic block that jumped to the current block, to detect whether that predecessor made an erroneous jump. Inserting the control flow verification instruction at the head of the basic block means that, as soon as the program flow reaches a basic block, it can immediately verify whether the jump from the predecessor basic block to this block was correct. On the one hand this verifies the correctness of every jump between basic blocks while the program flow runs, and hence the correctness of the control flow; on the other hand an exception is raised immediately when a jump error is detected, so that erroneous instructions are not executed for some time before the error is discovered, avoiding larger program failures.
S120. When the current basic block runs to the data flow verification instruction, determine the CRC signature value of all instructions of the current basic block in order to verify the integrity of the data flow.
Here the data flow represents the sequential execution of the instructions inside a basic block, and the data flow verification instruction may be a signature verification instruction containing the CRC signature value of all instructions in the basic block. Since the instructions inside a basic block execute without any intervening branch, the data flow verification instruction can be inserted at the tail of the basic block so that, once the program has finished executing the current basic block and is about to enter the next one, the integrity of the instruction sequence of the current block is verified immediately. If the check fails, an exception can be raised directly and handled by the application program, so that the following instruction sequence does not continue to execute incorrectly after a fault in the program flow.
In some cases, because computing the CRC signature value of a basic block requires the binary machine code of the block's instructions, only a placeholder instruction is inserted at the tail of each basic block in the assembly file generated during the compilation stage, reserving the slot for the data flow verification instruction. In the linking stage, the assembler has already converted the assembly instructions in the assembly file into binary instruction code in the object file, so the CRC signature value of all instructions in the basic block can be computed with a CRC algorithm, filled into the data flow verification instruction, and that instruction used to replace the placeholder instruction at the tail of the basic block, thereby inserting the data flow verification instruction.
Note that the CRC signature value contained in the data flow verification instruction is the original static CRC signature value of all instructions in the basic block, computed before execution. In the above embodiment, the CRC signature value determined when the current basic block runs to the data flow verification instruction is the dynamic CRC signature value computed while the instructions of the current basic block execute.
Specifically, as the instructions in the current basic block execute, the dynamic CRC signature value of all instructions in the block is computed on the fly. When the program instructions in the current block have finished executing and control is about to jump to the next basic block, the data flow verification instruction at the tail of the current block is executed, which compares the static CRC signature value carried in the instruction with the dynamic CRC signature value computed for the block. If they match, the instruction sequence of the block is intact; if they differ, the instruction sequence has been altered, and an exception can be raised directly and handled by the application program.
In the above embodiment, given the four stages by which a source file is turned into the final executable (preprocessing, compilation, assembly and linking), the control flow verification instruction is first inserted into the assembly code produced by the compilation stage, and the data flow verification instruction is then inserted into the binary instruction code produced by the assembly stage. On the one hand this avoids having to recompute the original static CRC signature value of all instructions in a basic block after a control flow verification instruction has been inserted; on the other hand the inserted control flow verification instruction is itself part of the basic block and is covered by the check on correct execution of the block's instructions, so that the integrity and correctness of both the program flow and the newly added control flow verification instruction sequence are ensured.
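The two-stage insertion and the run-time comparison described above can be simulated end to end. The following Python is an added example and is not code from the patent; the instruction encoding (32-bit words, opcode in the low byte, a 24-bit signature field, and the opcode values `PLACEHOLDER_OPCODE`, `DFCHECK_OPCODE` and `CFCHECK_OPCODE`) is a hypothetical format chosen for the illustration, and the sample block is constructed. The CRC is computed in the "link stage" over everything before the placeholder, including the control-flow check word at the head, which is exactly why the patent defers the CRC until after all insertions.

```python
"""Added example (not code from the patent): link-stage CRC signing of one
basic block and a simulated run-time data-flow check.

Encoding assumptions (hypothetical, not the patent's instruction format):
  * fixed-width 32-bit instruction words, little-endian in memory
  * low byte = opcode; a word with opcode PLACEHOLDER_OPCODE is the
    compile-stage placeholder at the tail of the block
  * the link stage rewrites it into a word with opcode DFCHECK_OPCODE whose
    upper 24 bits carry the static signature (CRC-32 truncated to 24 bits
    so that it fits the immediate field)
"""
import struct
import zlib

PLACEHOLDER_OPCODE = 0xFE   # hypothetical opcode values
DFCHECK_OPCODE = 0xFD
CFCHECK_OPCODE = 0xFC
SIG_MASK = 0xFFFFFF         # 24-bit signature field


def encode(opcode, imm24=0):
    """Pack an opcode and a 24-bit immediate into one instruction word."""
    return (opcode & 0xFF) | ((imm24 & SIG_MASK) << 8)


def static_crc(words):
    """CRC-32 over the machine code of the block body, as the linker sees it."""
    body = b"".join(struct.pack("<I", w) for w in words)
    return zlib.crc32(body) & SIG_MASK


def link_stage(block):
    """Replace the trailing placeholder with a data-flow check word.

    The CRC covers every preceding word, including the control-flow check
    word inserted at the head of the block in the compile stage, which is
    why it can only be computed once all insertions are done.
    """
    if (block[-1] & 0xFF) != PLACEHOLDER_OPCODE:
        raise ValueError("block tail is not a placeholder instruction")
    return block[:-1] + [encode(DFCHECK_OPCODE, static_crc(block[:-1]))]


def run_block(block):
    """Simulated CPU: accumulate a dynamic CRC over every fetched word.

    Returns True if the static CRC in the check word equals the dynamic CRC,
    False otherwise. Running off the end of the block without meeting a
    check word is treated as a failure as well.
    """
    running = 0
    for w in block:
        if (w & 0xFF) == DFCHECK_OPCODE:
            expected = (w >> 8) & SIG_MASK
            return (running & SIG_MASK) == expected
        # the check word itself is not part of the signed body
        running = zlib.crc32(struct.pack("<I", w), running)
    return False


def flip_bit(block, index, bit):
    """Model a single-event upset in instruction memory."""
    mutated = list(block)
    mutated[index] ^= 1 << bit
    return mutated


# Constructed sample block as the compile stage leaves it: a control-flow
# check word at the head (its immediate stands in for the signature info),
# three arbitrary instruction words, and the placeholder at the tail.
COMPILE_STAGE_BLOCK = [
    encode(CFCHECK_OPCODE, 0x000004),
    0x00A50513,
    0x00B50533,
    0x40C58633,
    encode(PLACEHOLDER_OPCODE),
]

if __name__ == "__main__":
    signed = link_stage(COMPILE_STAGE_BLOCK)
    print("intact block passes:", run_block(signed))
    print("flipped bit in body caught:", not run_block(flip_bit(signed, 2, 17)))
    print("flipped bit in check word caught:", not run_block(flip_bit(signed, 4, 20)))
```

Two details worth noting: a flip inside the head control-flow check word is caught by the data-flow check because that word is part of the signed body, and a flip inside the data-flow check word itself is caught because the stored signature no longer matches the running CRC (or, if the opcode byte is hit, no check word is found at all).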
在一些实施方式中,基本块分配有静态签名;若干基本块包括当前基本块、跳转至当前基本块的前驱基本块。参考图2所示,执行当前基本块内的控制流校验指令以校验控制流的正确性的方法,可以包括以下步骤。In some embodiments, a basic block is assigned a static signature; several basic blocks include a current basic block, a predecessor basic block that jumps to the current basic block. Referring to FIG. 2 , the method for executing the control flow verification instruction in the current basic block to verify the correctness of the control flow may include the following steps.
S210、获取前驱基本块的补偿签名和前驱基本块的运行时签名。S210. Obtain the compensation signature of the predecessor basic block and the runtime signature of the predecessor basic block.
其中,补偿签名是基于前驱基本块的静态签名与前驱基准基本块的静态签名的异或计算结果确定的;前驱基准基本块与前驱基本块处于同一控制级别,前驱基准基本块为前驱基本块所处的控制级别上的基准基本块。补偿签名可以是调整签名。Among them, the compensation signature is determined based on the XOR calculation result of the static signature of the predecessor basic block and the static signature of the predecessor basic block; The reference basic block at the control level at . The compensation signature may be an adjustment signature.
具体地,静态签名可以是为每个基本块依次分配的从0开始递增的自然数或者连续的素数等。运行时签名可以是程序流运行至当前基本块时,对当前基本块进行控制流校验并在校验通过后保存的该当前基本块的静态签名,用于该当前基本块跳转至下一个基本块时的控制流校验。Specifically, the static signature may be a natural number incremented from 0 or a continuous prime number allocated sequentially to each basic block. The runtime signature can be the static signature of the current basic block that is saved after the control flow verification of the current basic block when the program flow runs to the current basic block, and is used for the current basic block to jump to the next Control flow checks for basic blocks.
在一些情况中,一个当前基本块可能对应有可以合法跳转至该当前基本块的多个不同的合法前驱基本块。当程序流从任意合法前驱基本块运行到该当前基本块时,根据对应的任意合法前驱基本块的签名信息,都需要能够使该当前基本块的控制流校验通过。由于程序运行过程中无法确定跳转到当前基本块的前驱基本块是哪一个,如果将所有合法前驱基本块的签名信息加入当前基本块的控制流校验指令中,容易造成太多的冗余开销。因此,可以从该当前基本块的多个合法前驱基本块中选取一个前驱基准基本块,并通过各合法前驱基本块的静态签名与该前驱基准基本块的静态签名计算得到各合法前驱基本块对应的补偿签名,以弥合不同的合法前驱基本块的静态签名之间的差异。当程序流运行到该当前基本块时,通过包含前驱基准基本块的签名信息的控制流校验指令,结合跳转至该当前基本块的前驱基本块的补偿签名,即可对该前驱基本块的跳转正确性进行校验。In some cases, a current basic block may correspond to multiple different legal predecessor basic blocks that can legally jump to the current basic block. When the program flow runs from any legal predecessor basic block to the current basic block, according to the signature information of any corresponding legal predecessor basic block, the control flow verification of the current basic block needs to pass. Since it is impossible to determine which predecessor basic block jumps to the current basic block during the running of the program, if the signature information of all legal predecessor basic blocks is added to the control flow verification instruction of the current basic block, it is easy to cause too much redundancy overhead. Therefore, a predecessor basic block can be selected from multiple legal predecessor basic blocks of the current basic block, and the corresponding legal predecessor basic blocks can be obtained by calculating the static signatures of each legal predecessor basic block and the static signature of the predecessor reference basic block. Compensation signatures to bridge the differences between the static signatures of different legal predecessor basic blocks. When the program flow reaches the current basic block, through the control flow verification instruction containing the signature information of the predecessor basic block, combined with the compensation signature of the predecessor basic block that jumps to the current basic block, the predecessor basic block can be Verify the correctness of the jump.
In some embodiments the compensation signature is initialised to 0, and the compensation signature of a predecessor basic block is adjusted according to the static signature of the reference predecessor at the same control level. For example, let basic blocks B1, B2, B3 and B4 have static signatures 1, 2, 3 and 4. B1, B2 and B3 are all legal predecessors of B4, and B1 is the reference predecessor of B4, so the compensation signature of B1 is 0. XORing the static signature of B2 with that of B1 gives B2 a compensation signature of 3 (2 ⊕ 1); XORing the static signature of B3 with that of B1 gives B3 a compensation signature of 2 (3 ⊕ 1).
In some embodiments a current basic block has only one predecessor that can legally jump to it; that predecessor is then the reference predecessor, and its compensation signature is 0. In other embodiments it can be determined from the control-flow graph of the program code that a predecessor basic block shares no successor with any other basic block; its compensation signature is then not needed to check the target of its jump, so it can be set directly to 0.
Note that the different predecessor basic blocks that can legally jump to the same basic block are at the same control level.
S220. Determine the static signature and the signature difference of the current basic block.
The signature difference is the result of XORing the static signature of the reference predecessor basic block with the static signature of the current basic block.
Specifically, when a current basic block has several different predecessor basic blocks that can legally jump to it, one of these legal predecessors is chosen as the reference predecessor, and the signature difference of the current basic block is the XOR of the reference predecessor's static signature with the current block's static signature.
In some embodiments, when a current basic block has only one predecessor that can legally jump to it, the reference predecessor is that predecessor, and the signature difference of the current basic block is the XOR of that predecessor's static signature with the current block's static signature.
S230. If the XOR of the predecessor's runtime signature, the current block's signature difference and the predecessor's compensation signature equals the current block's static signature, the current basic block passes the control-flow check.
For example, let basic blocks B1 to B6 have static signatures 1 to 6 respectively. B1 and B2 are both legal predecessors of B4, with B1 as the reference predecessor of B4; B3 and B5 are both legal predecessors of B6, with B3 as the reference predecessor of B6. By computation, B1 has runtime signature 1 and compensation signature 0; B2 has runtime signature 2 and compensation signature 3 (2 ⊕ 1); B3 has runtime signature 3 and compensation signature 0; B5 has runtime signature 5 and compensation signature 6 (5 ⊕ 3). XORing the static signatures of B1 and B4 gives B4 a signature difference of 5 (1 ⊕ 4); XORing the static signatures of B3 and B6 gives B6 a signature difference of 5 (3 ⊕ 6).
When the program flow runs from B1 to B4, it must be checked whether B4 is a correct jump target of B1. XORing B4's signature difference 5, B1's runtime signature 1 and B1's compensation signature 0 gives 4, which equals B4's static signature, so B4 passes the control-flow check: B4 is a correct jump target of B1, and B4's runtime signature is saved as 4.
Likewise, when the program flow runs from B2 to B4, it must be checked whether B4 is a correct jump target of B2. XORing B4's signature difference 5, B2's runtime signature 2 and B2's compensation signature 3 gives 4, which equals B4's static signature, so B4 passes the control-flow check and its runtime signature is saved as 4.
When the program flow runs from B3 to B4, it must be checked whether B4 is a correct jump target of B3. XORing B4's signature difference 5, B3's runtime signature 3 and B3's compensation signature 0 gives 6, which is not equal to B4's static signature 4, so B4 fails the control-flow check: B4 is not a correct jump target of B3, and an exception is raised immediately.
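The following is an added example in Python, not code from the patent, that models the compile-time side of S220 (choosing the reference predecessor, computing the signature difference d and the compensation signature Dc) and the run-time check of S230 on the B1 to B6 graph above. The entry block B0 with static signature 8 and the extra successor B7 of B1 are assumptions added here so that the graph has a single entry and so that one block is the reference predecessor of two different successors; the policy of picking the predecessor with the smallest static signature as reference is one of the two choices the description allows. The last function enumerates transfers that are not edges of the graph yet still satisfy the check; this is a consequence of the XOR formulas (G' ⊕ D' always equals the static signature of the reference predecessor, so a wrong jump passes whenever its source and the target's legal predecessors share the same reference predecessor), which the description does not discuss.

```python
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]

# Constructed control-flow graph.  B1..B6 with signatures 1..6 and the edges
# B1,B2 -> B4 and B3,B5 -> B6 follow the worked example; the entry block B0
# (static signature 8) and the extra edge B1 -> B7 are assumptions of this example.
STATIC_SIG: Dict[str, int] = {"B0": 8, "B1": 1, "B2": 2, "B3": 3, "B4": 4,
                              "B5": 5, "B6": 6, "B7": 7}
EDGES: List[Edge] = [("B0", "B1"), ("B0", "B2"), ("B0", "B3"), ("B0", "B5"),
                     ("B1", "B4"), ("B2", "B4"), ("B3", "B6"), ("B5", "B6"),
                     ("B1", "B7")]


def predecessors(cfg: List[Edge], block: str) -> List[str]:
    return [s for s, t in cfg if t == block]


def successors(cfg: List[Edge], block: str) -> List[str]:
    return [t for s, t in cfg if s == block]


def reference_predecessor(cfg: List[Edge], block: str) -> Optional[str]:
    """The description allows the predecessor with the minimum or the maximum
    static signature as reference; this model takes the minimum."""
    preds = predecessors(cfg, block)
    return min(preds, key=STATIC_SIG.__getitem__) if preds else None


def signature_difference(cfg: List[Edge], block: str) -> int:
    """d = S(reference predecessor) XOR S(block); 0 for the entry block, which has
    no predecessor and is taken as already verified."""
    ref = reference_predecessor(cfg, block)
    return 0 if ref is None else STATIC_SIG[ref] ^ STATIC_SIG[block]


def compensation_signature(cfg: List[Edge], block: str) -> int:
    """Dc = S(block) XOR S(reference predecessor of the block's successor); this is
    0 when the block is itself the reference predecessor or has no successor."""
    refs = {reference_predecessor(cfg, s) for s in successors(cfg, block)}
    if not refs:
        return 0
    if len(refs) > 1:
        # The description does not say how a block whose successors have different
        # reference predecessors gets one compensation value; reject such graphs.
        raise ValueError(f"{block}: successors disagree on the reference predecessor")
    return STATIC_SIG[block] ^ STATIC_SIG[refs.pop()]


def compile_table(cfg: List[Edge]) -> Dict[str, Tuple[int, int, int]]:
    """Per-block constants the compiler embeds in the check instruction: (d, S, Dc)."""
    return {b: (signature_difference(cfg, b), STATIC_SIG[b], compensation_signature(cfg, b))
            for b in STATIC_SIG}


class SignatureRegisters:
    """Runtime signature register G and compensation signature register D."""

    def __init__(self, table: Dict[str, Tuple[int, int, int]], entry: str) -> None:
        self.table = table
        self.G = table[entry][1]      # the first block of a path is taken as verified
        self.D = table[entry][2]

    def ctrlsig_check(self, target: str) -> bool:
        """Check at the head of `target`: G' XOR d XOR D' must equal S (S230)."""
        d, s, dc = self.table[target]
        computed = self.G ^ d ^ self.D
        if computed != s:
            return False
        self.G, self.D = computed, dc  # keep the verified runtime signature and new Dc
        return True


def run_path(cfg: List[Edge], path: List[str]) -> Optional[str]:
    """Walk a sequence of transfers; return the first block whose check fails, or
    None when every transfer passes."""
    regs = SignatureRegisters(compile_table(cfg), path[0])
    for block in path[1:]:
        if not regs.ctrlsig_check(block):
            return block
    return None


def undetected_jumps(cfg: List[Edge]) -> List[Edge]:
    """Transfers that are not CFG edges yet satisfy the check: the source's
    G' XOR D' equals the static signature of the target's reference predecessor."""
    table = compile_table(cfg)
    found = []
    for p in STATIC_SIG:
        for c in STATIC_SIG:
            if p == c or (p, c) in cfg or not predecessors(cfg, c):
                continue
            d, s, _ = table[c]
            _, g, dc = table[p]        # once verified, G of p equals its static signature
            if g ^ d ^ dc == s:
                found.append((p, c))
    return found
```

With this graph, `run_path(EDGES, ["B3", "B4"])` reports the failure at B4 exactly as in the text, while `undetected_jumps(EDGES)` returns the single pair (B2, B7): B2 and B1 share the reference predecessor B1 for B4, and B1 is also the reference predecessor of B7, so the constants embedded for B7 cannot distinguish an arrival from B2 from an arrival from B1. When assigning signatures, it is therefore worth checking that no block is the reference predecessor of more than one successor with additional predecessors.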
In the above embodiment, for a current basic block with several legal predecessors, one of them is selected as the reference predecessor and the compensation signatures of the other legal predecessors are adjusted by the reference predecessor's signature, so that whichever legal predecessor the program flow arrives from, the calculation and check performed with that predecessor's compensation signature let the current basic block pass.
In some embodiments, when there is exactly one predecessor basic block, that predecessor is the reference predecessor and its compensation signature is 0.
In some embodiments, when there is more than one predecessor basic block, the reference predecessor is determined from the static signatures of the basic blocks at the control level of the predecessors.
For example, among the predecessor basic blocks at the same control level, the one with the smallest (or the largest) static signature may be chosen as the reference basic block of that control level, i.e. the reference predecessor.
In some embodiments, if the XOR of the predecessor's runtime signature, the current block's signature difference and the predecessor's compensation signature is not equal to the current block's static signature, the current basic block fails the control-flow check and an exception is triggered.
In some embodiments, before the step in which the current basic block passes the control-flow check when the XOR of the predecessor's runtime signature, the current block's signature difference and the predecessor's compensation signature equals the current block's static signature, the program flow monitoring method may further include: inserting, based on the signature difference and the static signature of the current basic block, a control-flow verification instruction at the head of the current basic block.
Correspondingly, the step in which the current basic block passes the control-flow check may further include: if the XOR of the predecessor's runtime signature, the signature difference carried by the control-flow verification instruction and the predecessor's compensation signature equals the static signature carried by the control-flow verification instruction, the current basic block passes the control-flow check.
Specifically, the control-flow check signatures comprise the static signature, runtime signature, signature difference and compensation signature of a basic block; they record the signature information of each basic block and its predecessors for the control-flow check, so that a basic block cannot jump to the head of a basic block that is not its successor without detection. The control-flow verification instruction of each basic block may carry that block's static signature and signature difference. Further, a runtime signature register holds the runtime signature of a basic block after it has passed the check, for use in the control-flow check when that block jumps to the next basic block; and a compensation signature register holds the compensation signature of the basic block, likewise for use in the control-flow check when that block jumps to the next basic block.
For example, when the program flow runs from basic block B1 to basic block B2, the control-flow verification instruction of B2 is executed to check whether B2 is a correct jump target of B1. B2's control-flow verification instruction carries B2's static signature and B2's signature difference, computed from the static signatures of B2 and its predecessor (the reference predecessor). At this point the runtime signature register holds B1's runtime signature and the compensation signature register holds B1's compensation signature. Executing B2's control-flow verification instruction reads B1's runtime signature from the runtime signature register, B1's compensation signature from the compensation signature register, and B2's static signature and signature difference from the instruction itself; it XORs the runtime signature, compensation signature and signature difference and compares the result with B2's static signature.
If the result matches B2's static signature, B2 passes the control-flow check and the jump from B1 was correct; if it does not match, B2 fails the control-flow check, the jump from B1 was wrong, and an exception alarm can be raised immediately.
In the above embodiment, the runtime signature of each basic block is computed dynamically and held during program execution as a variable or in a component such as a register, and is used to dynamically verify the correctness of the basic block's control flow, ensuring the correctness of program execution in real time.
In some embodiments the data-flow verification instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links the program. Referring to FIG. 3, determining the CRC signature value of all instructions of the current basic block in order to check the integrity of the data flow may include the following steps.
S310. Compute the CRC signature value of all instructions in the current basic block to obtain the dynamic check signature.
S320. If the dynamic check signature at the time the current basic block completes execution matches the static check signature, the current basic block passes the data-flow check.
The dynamic check signature may be the CRC signature value after all instructions in the current basic block have executed.
Specifically, the data-flow check signatures comprise a static check signature and a dynamic check signature; they record the instruction encoding of each basic block so that neither the instructions inside a basic block nor the control-flow verification instruction added to the block at compile time can be tampered with undetected. Further, a dynamic check signature register holds the dynamic check signature of all instructions in the basic block while the block runs, for the data-flow check at the end of the block.
For example, as the instructions of basic block B1 execute, including the control-flow verification instruction at B1's head, the dynamic check signature of all instructions in B1 can be computed on the fly with a CRC algorithm or similar and held in the dynamic check signature register. When B1's instructions have finished and the flow is about to jump to the next basic block, the data-flow verification instruction at B1's tail is executed: it reads the dynamic check signature of all B1's instructions from the dynamic check signature register, takes the static check signature of all B1's instructions from the data-flow verification instruction itself, and compares the two. If they match, the instruction sequence of B1 is intact; if they do not match, the instructions in B1 have been tampered with and an exception alarm can be raised immediately.
In the above embodiment, the dynamic check signature of all instructions in a basic block is computed dynamically and held during program execution as a variable or in a component such as a register, and is used to dynamically verify the correctness and integrity of the block's instruction sequence, further ensuring the correctness and integrity of program execution.
In some embodiments the method of executing the control-flow verification instruction in the current basic block to check the correctness of the control flow may further include: if the dynamic check signature when the current basic block completes execution does not match the static check signature, the current basic block fails the data-flow check and an exception is triggered.
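The following is an added example in Python, not the patent's code, that models S310/S320 together with the link-time step described later under S520: the assembler computes a CRC over the machine code of a basic block and replaces the placeholder at the block's tail with a data-flow verification instruction carrying that value, and at run time a register accumulates the CRC of each instruction word as it is fetched and is compared against the embedded value. The instruction words, the opcode byte 0xDF for the check instruction and the fact that the check instruction's own encoding is excluded from the CRC (it carries the result, so it cannot cover itself) are assumptions of this example; CRC-32 from `zlib` stands in for whatever CRC the implementation uses.

```python
import zlib
from typing import List

# Model encoding (an assumption, not the patent's ISA): each instruction is a bytes
# object; the data-flow verification instruction is the opcode byte 0xDF followed by
# the 32-bit static check signature, little-endian.
DATASIG_OPCODE = b"\xdf"
PLACEHOLDER = b"\x00\x00\x00\x00"

# Constructed instruction words of one basic block as emitted by the compiler: a
# stand-in for the control-flow verification instruction at the head, three body
# words, and the placeholder at the tail that the assembler later replaces.
BLOCK_B1: List[bytes] = [
    b"\xc7\x05\x00\x04",   # stand-in for CTRLSIG_M at the block head
    b"\x13\x05\x10\x00",
    b"\x93\x85\x25\x00",
    b"\x33\x06\xb5\x00",
    PLACEHOLDER,
]


def static_check_signature(block: List[bytes]) -> int:
    """Link time: CRC-32 over the machine code of every instruction in the block,
    including the control-flow verification instruction at its head but excluding
    the trailing placeholder (the data-flow verification instruction that replaces
    it cannot cover its own encoding, since it carries the result)."""
    crc = 0
    for word in block[:-1]:
        crc = zlib.crc32(word, crc)   # chained CRC == CRC of the concatenation
    return crc & 0xFFFFFFFF


def link_block(block: List[bytes]) -> List[bytes]:
    """Replace the placeholder at the block tail with the data-flow verification
    instruction carrying the static check signature."""
    if block[-1] != PLACEHOLDER:
        raise ValueError("block does not end with a placeholder instruction")
    datasig = DATASIG_OPCODE + static_check_signature(block).to_bytes(4, "little")
    return block[:-1] + [datasig]


class DynamicCheckRegister:
    """Dynamic check signature register: updated with the CRC of each instruction
    word as it executes, so at the block tail it holds the CRC of the sequence that
    was actually fetched."""

    def __init__(self) -> None:
        self.value = 0

    def execute(self, word: bytes) -> None:
        self.value = zlib.crc32(word, self.value) & 0xFFFFFFFF


def run_block(linked: List[bytes]) -> bool:
    """Fetch and execute the block; at the data-flow verification instruction
    compare the register with the embedded static signature.  True if intact."""
    reg = DynamicCheckRegister()
    for word in linked:
        if word[:1] == DATASIG_OPCODE:
            embedded = int.from_bytes(word[1:5], "little")
            return reg.value == embedded
        reg.execute(word)
    raise RuntimeError("block has no data-flow verification instruction")


def tamper(linked: List[bytes], index: int, new_word: bytes) -> List[bytes]:
    """Copy of the linked block with one instruction word overwritten
    (simulated code tampering after linking)."""
    patched = list(linked)
    patched[index] = new_word
    return patched
```

Overwriting any single word, including the control-flow verification instruction at the head or the embedded signature itself, makes `run_block` return False; CRC-32 is guaranteed to detect any change confined to 32 consecutive bits, which covers a single 32-bit instruction word, while larger edits are detected with all but a 2^-32 chance. A CRC is an integrity check against faults and accidental corruption, not a cryptographic authenticator: an attacker who can rewrite the block can also recompute and rewrite the embedded value unless the check instruction's contents are protected by some other means.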
In some embodiments the control flow includes function control flow, which has an entry basic block and an exit basic block. A signature information save instruction is inserted in the entry basic block at compile time, and a signature information restore instruction is inserted in the exit basic block at compile time. Referring to FIG. 4, the program flow monitoring method may further include the following steps.
S410. Execute the signature information save instruction at a function call, to support pushing the runtime signature and compensation signature onto a stack.
S420. Execute the signature information restore instruction when the called function returns, to support popping the saved runtime signature and compensation signature.
The signature information save instruction saves, in the entry basic block of a function's control flow, the signature information of the basic block in the caller's control flow from which the function call jumped into this function. The signature information restore instruction restores, in the exit basic block of the function's control flow, the signature information of that caller basic block that was saved by the save instruction.
A program consists of a number of functions, and a function call can be regarded as a special control transfer in which the caller's control flow is interrupted and the flow jumps into the control flow of the called function. To prevent the basic blocks in the called function's control flow from interfering with the control-flow check of the basic blocks in the calling function's control flow, the signature information of the caller's basic block must be saved in the entry basic block of the called function and restored in its exit basic block, so that when the exit basic block finishes and control returns to the caller, the control-flow check of the caller's basic blocks can continue.
Specifically, the signature information save instruction may be inserted at the head of the entry basic block of the function control flow and the signature information restore instruction at the tail of the exit basic block. Further, a signature stack may be provided: after the save instruction executes, the corresponding signature information is saved by pushing it onto the signature stack, and after the restore instruction executes, the signature information saved by the save instruction is recovered by popping it from the signature stack.
For example, when function FUN2 is called by function FUN1, the program flow reaches FUN2 through the call instruction in FUN1 and the control flow of FUN1 is interrupted. First the signature information save instruction in FUN2's entry basic block is executed, pushing onto the signature stack the runtime signature and compensation signature of the basic block of FUN1 at which its control flow was interrupted; then the values in the current runtime signature register and compensation signature register are initialised for the control-flow checks of the basic blocks in FUN2. When FUN2 finishes, the program flow returns to FUN1 through FUN2's return instruction, and FUN1's control flow must be restored.
First the signature information restore instruction in FUN2's exit basic block is executed, popping from the signature stack the saved runtime signature and compensation signature of the FUN1 basic block at the point of interruption; then the runtime signature register is set to that runtime signature and the compensation signature register to that compensation signature, so that the control-flow checks of the basic blocks in FUN1's control flow resume after FUN2 returns.
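The following is an added example in Python, not the patent's code, that models S410/S420 with a tiny interpreter: a caller FUN1 (blocks A and C) calls FUN2 (entry block E, exit block X), and the signature registers are pushed onto a signature stack by the save instruction at E's head and popped by the restore instruction at X's tail. The instruction names CTRLSIG, SIGSAVE and SIGRESTORE, the static signatures A=1, C=4, E=2, X=3, and the choice to clear both registers after the save so that a function's entry block checks against a virtual predecessor signature of 0 are assumptions of this example; the description only says the registers are "initialised". A second program variant drops the restore to show why the caller's next check then fails.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Instruction forms of this model (names and encoding are assumptions):
#   ("CTRLSIG", d, S, Dc)  head-of-block check, as CTRLSIG_M d, S, Dc
#   ("SIGSAVE",)           entry block: push (G, D) on the signature stack, then clear both
#   ("SIGRESTORE",)        exit block: pop (G, D) from the signature stack
#   ("CALL", block) / ("RET",) / ("JMP", block) / ("HALT",)
Instruction = Tuple
Program = Dict[str, List[Instruction]]

# Constructed program.  FUN1 is A -> C with A calling FUN2 in between; FUN2 is
# E -> X.  The cleared registers mean the entry block of a function (and the first
# block of the program) checks with d = 0 XOR S.
PROGRAM: Program = {
    "A": [("CTRLSIG", 0 ^ 1, 1, 0), ("CALL", "E"), ("JMP", "C")],
    "C": [("CTRLSIG", 1 ^ 4, 4, 0), ("HALT",)],      # A is C's only predecessor
    "E": [("SIGSAVE",), ("CTRLSIG", 0 ^ 2, 2, 0), ("JMP", "X")],
    "X": [("CTRLSIG", 2 ^ 3, 3, 0), ("SIGRESTORE",), ("RET",)],
}


@dataclass
class Machine:
    program: Program
    G: int = 0                                   # runtime signature register
    D: int = 0                                   # compensation signature register
    sig_stack: List[Tuple[int, int]] = field(default_factory=list)
    call_stack: List[Tuple[str, int]] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)

    def run(self, entry: str, max_steps: int = 1000) -> bool:
        """Execute from `entry`; True on HALT, False at the first failed check."""
        block, pc = entry, 0
        for _ in range(max_steps):
            op, *args = self.program[block][pc]
            pc += 1
            if op == "CTRLSIG":
                d, s, dc = args
                computed = self.G ^ d ^ self.D
                if computed != s:
                    self.trace.append(f"{block}: check failed ({computed} != {s})")
                    return False
                self.G, self.D = computed, dc
                self.trace.append(f"{block}: ok")
            elif op == "SIGSAVE":
                self.sig_stack.append((self.G, self.D))
                self.G, self.D = 0, 0
            elif op == "SIGRESTORE":
                self.G, self.D = self.sig_stack.pop()
            elif op == "CALL":
                self.call_stack.append((block, pc))   # resume after the call
                block, pc = args[0], 0
            elif op == "RET":
                block, pc = self.call_stack.pop()
            elif op == "JMP":
                block, pc = args[0], 0
            elif op == "HALT":
                return True
            else:
                raise ValueError(f"unknown instruction {op}")
        raise RuntimeError("step limit exceeded")


def without_restore(program: Program, exit_block: str) -> Program:
    """Variant whose exit block omits SIGRESTORE: the caller resumes with the
    callee's signatures still in the registers, so its next check fails."""
    variant = dict(program)
    variant[exit_block] = [ins for ins in program[exit_block] if ins[0] != "SIGRESTORE"]
    return variant
```

With the restore in place the trace is A, E, X, C all passing and both stacks are empty at HALT. Without it, C's check computes 3 ⊕ 5 ⊕ 0 = 6 instead of 4 and fails, which is also what happens if control leaves the callee through any path other than its instrumented exit block. Because the signature stack is separate from the return-address stack, a mismatch between the two (a return to a block other than the caller's continuation) is caught by the caller's next CTRLSIG rather than going unnoticed.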
In some embodiments the program flow monitoring method may further include: adding a global-monitoring compiler parameter so that the entire run of the application program is monitored.
The compiler parameter may be a parameter of a program flow monitoring switch and/or a keyword code for the program flow monitoring scope.
Specifically, a global monitoring switch parameter and/or a global monitoring keyword code is added to the monitored application code, so that the extended compiler toolchain with program flow monitoring support recognises it, automatically generates the control-flow verification instructions and data-flow verification instructions, inserts the generated verification instructions into the basic blocks of the application code automatically, and finally produces executable code for the instruction sequences across the whole application.
In some embodiments the program flow monitoring method may further include: for a specified function in the source code, adding a program flow detection marker at a specified position of that function together with a compiler parameter, so that the running of the specified function is monitored.
The program flow detection marker may be a descriptive prefix that marks a function requiring program flow monitoring. For example, for a function in the application code whose execution is to be monitored, a descriptive prefix may be added before the function name in the function definition, marking that the function immediately following requires program flow monitoring.
Further, the meaning of the program flow detection marker can be changed through a compiler parameter. For example, a compiler parameter may make the marker denote functions that do not need program flow monitoring: within a larger monitored region that contains the specified function, the corresponding marker placed before the function name in the function definition marks the function immediately following as excluded from the monitored region.
In some embodiments the program flow monitoring method may further include: enclosing the target source code to be monitored in braces in the source code; and adding a directive statement at a specified position of the target source code so that its execution is monitored.
The directive statement may be a code statement with syntactic and action rules the compiler can recognise, used to mark target source code requiring program flow monitoring. For example, the target source code to be monitored may be enclosed in a pair of braces "{}" with the directive statement placed before the opening brace "{", marking that the source code inside the brace pair immediately following the directive requires program flow monitoring.
Further, the meaning of the directive statement can be changed through a compiler parameter. For example, a compiler parameter may make the directive denote target source code that does not need program flow monitoring: within a larger monitored region containing it, the target source code is enclosed in a pair of braces "{}" and the corresponding directive placed before the opening brace "{" marks the source code inside the brace pair immediately following as excluded from the monitored region.
Embodiments of this specification also provide a program code compiling method. The program code has a corresponding program control-flow graph containing a number of basic blocks. Referring to FIG. 5a, the program code compiling method may include the following steps.
S510. In the compilation stage, insert a control-flow verification instruction at the head of each basic block and a placeholder instruction at its tail.
The control-flow verification instruction checks the correctness of the control flow whenever the program flow of the program code reaches any basic block.
S520. In the linking stage, replace the instruction code corresponding to the placeholder instruction with a data-flow verification instruction.
The data-flow verification instruction, when the program flow reaches the data-flow verification instruction of any basic block, determines the CRC signature value of all instructions of that basic block in order to check the integrity of the data flow.
For the control-flow verification instruction and data-flow verification instruction in the above embodiment, refer to their description under the program flow monitoring method in this specification; the details are not repeated here.
Specifically, the compilation toolchain is extended and the compiler modified so that the compiler partitions the program code into basic blocks and builds the control-flow graph. In the compilation stage, on the one hand the compiler generates the corresponding control-flow verification instruction according to the designed control-flow check procedure and inserts it into the executable instruction sequence of the basic block; on the other hand it inserts a placeholder instruction at the tail of the basic block, which the assembler replaces with the data-flow verification instruction in the later linking stage. For example, the compiler is modified so that it first creates the statements for the control-flow verification instruction and for the placeholder of the data-flow verification instruction, then inserts these statements into the statement sequence of the basic block, and then updates the control-flow graph. In some embodiments the insertion is performed after the compiler has partitioned the program code into basic blocks and built the control-flow graph, and before the GIMPLE representation is lowered to RTL. FIG. 5b shows the structure of the GCC compiler modified according to this embodiment.
Specifically, the assembler is modified: first the definitions of the corresponding extension instructions are added to the instruction list, then instruction handling functions are written so that the assembler can fill in the fields of the binary machine code for each instruction. At the same time, when the assembler translates the assembly file into binary machine code, it runs the CRC algorithm over the binary machine code of all instructions in a basic block to obtain the block's static check signature, which is filled into the corresponding field of the data-flow verification instruction. In the linking stage of the program code, i.e. after the assembler has translated the assembly file into binary machine code, the placeholder instruction at the tail of the basic block is replaced with the data-flow verification instruction carrying this signature value.
Exemplarily, based on the signature difference d, the static signature S and the compensation signature Dc of the current basic block, the assembly format of the control flow verification instruction is set as CTRLSIG_M d, S, Dc. Operands d, S and Dc are all source operands and all constants; they are precomputed when the program code is compiled and placed in the instruction, so no source operand needs to be read from a general-purpose register. The instruction performs the control flow check as follows:
First, the runtime signature of the current basic block is computed: Gc = G' ⊕ op(d) ⊕ D'.
Here, op denotes taking the immediate value from the instruction encoding, G' denotes the runtime signature of the predecessor basic block held in the runtime signature register, and D' denotes the compensation signature of the predecessor basic block held in the compensation signature register.
Second, the runtime signature of the current basic block is checked. If G' ⊕ op(d) ⊕ D' ≠ op(S), an exception is raised and this instruction is written to the exception cause register. If G' ⊕ op(d) ⊕ D' = op(S), the check passes: the runtime signature Gc of the current basic block is stored in the runtime signature register and the compensation signature Dc of the current basic block is stored in the compensation signature register, that is, G' = Gc = op(S) and D' = op(Dc), for use in the control flow check when the current basic block jumps to the next basic block. FIG. 5c shows one encoding format for the control flow verification instruction.
In some embodiments, when the current basic block has only one legal predecessor basic block, the compensation signature of that predecessor basic block is 0. It can be understood that in this case the control flow check of the current basic block need not use the compensation signature of the predecessor basic block, so the assembly format of the control flow verification instruction can be set as CTRLSIG_S d, S, Dc. The instruction performs the control flow check as follows:
First, the runtime signature of the current basic block is computed: Gc = G' ⊕ op(d).
Second, the runtime signature of the current basic block is checked. If G' ⊕ op(d) ≠ op(S), an exception is raised and this instruction is written to the exception cause register. If G' ⊕ op(d) = op(S), the check passes: the runtime signature Gc of the current basic block is stored in the runtime signature register and the compensation signature Dc of the current basic block is stored in the compensation signature register, that is, G' = Gc = op(S) and D' = op(Dc), for use in the control flow check when the current basic block jumps to the next basic block. FIG. 5d shows one encoding format for this control flow verification instruction.
Exemplarily, based on the static check signature C of all instructions in the current basic block, the assembly format of the data flow verification instruction is set as CRCSIG C. Operand C is a source operand that is precomputed and placed in the instruction when the assembler generates the object file, so no source operand needs to be read from a general-purpose register. The instruction performs the data flow check as follows: first, the dynamic check signature N of all instructions executed in the current basic block is computed and stored in the dynamic check signature register. Second, the dynamic check signature N in that register is compared with the static check signature C; if they are equal, the instruction sequence in the current basic block is correct and complete, and if they are not equal, an exception is raised. FIG. 5e shows one encoding format for this data flow verification instruction.
Further, in some embodiments, FIG. 5f is a schematic diagram of the process of inserting the corresponding control flow verification instruction and data flow verification instruction into a basic block during compilation of the program code. The process may include:
In the compilation stage, after the compiler has analyzed the jump relationships in the program code, divided the program code into basic blocks and constructed the control flow graph, it can first assign a corresponding static signature S to each basic block.
Second, any basic block can be selected from the control flow graph as the current basic block, and it is determined whether the current basic block shares a successor basic block with other basic blocks at the same control level. If so, the predecessor reference basic block at that control level is determined and the compensation signature Dc of the current basic block is computed; otherwise, the compensation signature Dc of the current basic block is set to 0.
Third, it is determined whether the current basic block has multiple legal predecessor basic blocks. If so, the control flow verification instruction CTRLSIG_M d, S, Dc is inserted at the head of the current basic block; if not, the control flow verification instruction CTRLSIG_S d, S, Dc is inserted at the head of the current basic block.
Then, a placeholder instruction reserving the position of the data flow verification instruction is inserted at the tail of the current basic block.
The assembly file produced by the above compilation-stage method contains the control flow verification instructions and the placeholder instructions that mark the positions of the data flow verification instructions. Next, the assembler converts the assembly instructions in the assembly file into binary instruction codes in the object file and fills the fields of each instruction's binary machine code according to the instruction handling functions. The assembler computes the static check signature C of all instructions in each basic block with the CRC check algorithm, fills it into the corresponding data flow verification instruction CRCSIG C, and replaces the placeholder instruction at the tail of each basic block one by one. Finally, the linker links the object files to produce an executable program file containing the control flow verification instructions and data flow verification instructions.
In the above embodiment, only one control flow verification signature instruction is inserted into each basic block and only one data flow verification instruction is inserted at its tail, which meets the requirement of program flow error monitoring while keeping the extra overhead of the signature instructions as small as possible, so that the code size increase of the application after recompilation is minimized.
In some embodiments, the control flow includes a function control flow, and the function control flow includes an entry basic block and an exit basic block. The program code compilation method may further include: in the compilation stage, inserting a signature information save instruction into the entry basic block and inserting a signature information restore instruction into the exit basic block.
The signature information save instruction performs the push operation of the runtime signature and the adjustment signature when a function is called, and the signature information restore instruction performs the pop operation of the runtime signature and the adjustment signature before the called function returns.
It should be noted that, for the description of the signature information save instruction and the signature information restore instruction in the above embodiments, reference is made to the description of those instructions in the program flow monitoring method in this specification; details are not repeated here.
Specifically, the compilation toolchain is extended and the compiler is modified so that the compiler divides the program code into basic blocks and constructs a control flow graph; in the compilation stage of the program code, the compiler generates the signature information save instruction and the signature information restore instruction, inserts the save instruction into the executable instruction sequence of the entry basic block of each function, and inserts the restore instruction into the executable instruction sequence of the exit basic block of each function.
Exemplarily, the assembly format of the signature information save instruction is set as PUSHSIG. When this instruction executes, the runtime signature Gpf and compensation signature Dpf of the preceding function basic block, from which the function call instruction jumped to the entry basic block of the current function, are pushed onto the signature stack, and at the same time the runtime signature G in the runtime signature register and the compensation signature D in the compensation signature register are initialized. FIG. 6a shows one encoding format for the signature information save instruction.
Exemplarily, the assembly format of the signature information restore instruction is set as POPSIG. When this instruction executes, the runtime signature Gpf and compensation signature Dpf of the preceding function basic block saved on the signature stack are popped; the runtime signature Gpf is stored in the runtime signature register and the compensation signature Dpf in the compensation signature register, that is, G = Gpf and D = Dpf. FIG. 6b shows one encoding format for the signature information restore instruction.
Further, in some embodiments, FIG. 6c is a schematic diagram of the process of inserting the signature information save and restore instructions into functions and inserting the corresponding control flow verification and data flow verification instructions into basic blocks during compilation of the program code. In the compilation stage, after dividing the program code into basic blocks and constructing the control flow graph, the compiler can also insert the signature information save instruction PUSHSIG into the entry basic block of each function and the signature information restore instruction POPSIG into the exit basic block of each function. It should be noted that, for the description of the process shown in FIG. 6c of inserting the corresponding control flow verification and data flow verification instructions into a basic block, reference is made to the description of the process shown in FIG. 5f in this specification; details are not repeated here.
According to the above embodiments of this specification, by inserting one save-signature instruction in the entry basic block of each function and one restore-signature instruction in each exit basic block, and inserting only one control flow verification signature instruction in each basic block and only one data flow verification instruction at the tail of each basic block, the goal of program flow monitoring is achieved with the fewest extended instructions, keeping the extra storage and execution overhead imposed by the extended instructions on the application as small as possible. At the same time, each basic block generally contains 6 to 10 instructions, so an error in instruction execution is detected quickly, ensuring that the error is confined to the current basic block or to the start of the next basic block. Further, the compilation method of the embodiments of this specification only adds some extended instructions for program flow monitoring to the text segment of the program file; the size of the compiled executable object file generally grows by no more than 10%, which has little impact on the running of the application.
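The FIG. 5f compile-time procedure and the CTRLSIG_M / CTRLSIG_S, PUSHSIG / POPSIG semantics described above, worked through as an added Python model that is not code from the patent. The block names and signature values are constructed, and the choice of the first predecessor as the predecessor reference block, one compensation signature per block, and the register value 0 after PUSHSIG are assumptions the text does not fix.

```python
"""Model of the signature-based control flow check described above (constructed
example, not code from the patent): the FIG. 5f compile-time pass deriving d and
Dc from the static signatures S, and CTRLSIG_M / CTRLSIG_S, PUSHSIG / POPSIG."""
from dataclasses import dataclass

class ControlFlowError(Exception):
    """Raised where the processor would raise a control flow check exception."""

@dataclass
class BasicBlock:
    name: str
    S: int                 # static signature assigned by the compiler
    preds: list            # names of the legal predecessor basic blocks
    entry: bool = False    # function entry block: PUSHSIG inserted
    exit: bool = False     # function exit block: POPSIG inserted
    d: int = 0             # signature difference operand of CTRLSIG
    Dc: int = 0            # compensation signature operand of CTRLSIG
    multi: bool = False    # True: CTRLSIG_M, False: CTRLSIG_S

def instrument(cfg: dict) -> dict:
    """Compile-time pass: fill in d, Dc and the CTRLSIG variant of each block.
    Assumptions not fixed by the text: the first listed predecessor of a fan-in
    block is its predecessor reference block, a block feeds at most one fan-in
    successor (so one Dc per block suffices), and PUSHSIG sets G to 0, so a
    function entry block uses d = S."""
    for blk in cfg.values():
        if blk.entry:
            blk.d = blk.S
            continue
        base = cfg[blk.preds[0]]           # predecessor reference basic block
        blk.d = base.S ^ blk.S
        blk.multi = len(blk.preds) > 1
        if blk.multi:                      # shared successor: each predecessor
            for p in blk.preds:            # gets a compensation signature,
                cfg[p].Dc = cfg[p].S ^ base.S   # 0 for the reference block
    return cfg

class SignatureUnit:
    """regG, regD and the signature stack of the write-back stage."""
    def __init__(self):
        self.G, self.D, self.stack = 0, 0, []

    def pushsig(self):
        """PUSHSIG: save the caller's (G, D), then re-initialise both."""
        self.stack.append((self.G, self.D))
        self.G, self.D = 0, 0

    def popsig(self):
        """POPSIG: restore the caller's (G, D) before the return."""
        self.G, self.D = self.stack.pop()

    def ctrlsig(self, blk: BasicBlock) -> int:
        """CTRLSIG_M / CTRLSIG_S d, S, Dc at the head of blk; returns Gc."""
        Gc = self.G ^ blk.d                # G' xor op(d)
        if blk.multi:                      # CTRLSIG_M also folds in D'
            Gc ^= self.D
        if Gc != blk.S:
            raise ControlFlowError(
                f"{blk.name}: runtime {Gc:#04x} != static {blk.S:#04x}")
        self.G, self.D = blk.S, blk.Dc     # G' = Gc = op(S), D' = op(Dc)
        return Gc

def run(cfg: dict, path: list) -> list:
    """Execute the blocks named in path; return the Gc values that passed."""
    unit, trace = SignatureUnit(), []
    for name in path:
        blk = cfg[name]
        if blk.entry:
            unit.pushsig()
        trace.append(unit.ctrlsig(blk))
        if blk.exit:
            unit.popsig()
    return trace

def path_passes(cfg: dict, path: list) -> bool:
    try:
        run(cfg, path)
        return True
    except ControlFlowError:
        return False

def example_cfg() -> dict:
    """main: B0 -> {B1, B2} -> B3 -> B4; B1 calls f: F0 -> F1, returning to B3."""
    blocks = [                             # signature values are constructed
        BasicBlock("B0", 0x1A, [], entry=True),
        BasicBlock("B1", 0x2B, ["B0"]),
        BasicBlock("B2", 0x3C, ["B0"]),
        BasicBlock("B3", 0x4D, ["B1", "B2"]),   # fan-in block: CTRLSIG_M
        BasicBlock("B4", 0x5E, ["B3"], exit=True),
        BasicBlock("F0", 0x6F, [], entry=True),
        BasicBlock("F1", 0x70, ["F0"], exit=True),
    ]
    return instrument({b.name: b for b in blocks})
```

`run(example_cfg(), ["B0", "B1", "F0", "F1", "B3", "B4"])` passes every check, while a jump that skips blocks, such as `["B0", "B3"]` or a return that skips F1 and its POPSIG, is rejected at the next CTRLSIG.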
The embodiments of this specification provide a processor for executing a program flow, the program flow having a corresponding control flow and data flow, the control flow including a number of basic blocks. Referring to FIG. 7, the processor 700 may include an extended decoding circuit 710 at the decode pipeline stage, and a control flow verification circuit 720 and a data flow verification circuit 730 at the write-back pipeline stage.
The extended decoding circuit 710 decodes the control flow verification instruction and the data flow verification instruction, where the control flow verification instruction was inserted at the head of the basic block in the compilation stage, and the data flow verification instruction was inserted in the linking stage by replacing the placeholder instruction that was inserted at the tail of the basic block in the compilation stage.
The control flow verification circuit 720 executes the control flow verification instruction in the current basic block when the program flow reaches that basic block, to check the correctness of the control flow. The data flow verification circuit 730 determines the CRC signature value of all instructions of the current basic block when execution of the current basic block reaches the data flow verification instruction, to check the integrity of the data flow.
It can be understood that, following the five-stage instruction execution process of fetch, decode, execute, memory access and write-back, the instruction pipeline of the processor 700 may include an instruction fetch stage, a decode stage, an execute stage, a memory access stage and a write-back stage.
Specifically, the extended decoding circuit 710 may add decoding logic for the extended instructions to the instruction decode functional unit. The decoding logic identifies the instruction type from the value of the opcode bit field of the extended instruction, generates the corresponding control signals for the identified instruction type, and passes these control signals down through the pipeline registers between stages; the control signals select the operation type, operands and results in each pipeline stage. Exemplarily, for the control flow verification instruction, data flow verification instruction, signature information save instruction and signature information restore instruction, the extended decoding circuit 710 needs to generate at least the control signals shown in Table 1.
Table 1
The basic block start signal indicates the start position of a basic block and can be passed to the data flow verification circuit 730 through the instruction pipeline. The intermediate signature may include the runtime signature that has to be computed during the control flow check and/or the compensation signature obtained by taking the immediate value from the instruction encoding.
Exemplarily, the control flow verification circuit 720 may include an intermediate signature computation circuit and an intermediate signature comparison circuit. For the CTRLSIG instruction that performs the control flow check, the intermediate signature computation circuit, the intermediate signature comparison circuit, the runtime signature register regG and the compensation signature register regD can be placed at the write-back stage of the instruction pipeline. The intermediate signature computation circuit computes the intermediate signature of the current basic block according to the signature operation rules of the control flow check described above, driven by the control signals generated by the extended decoding circuit 710 and passed down the pipeline to the write-back stage. The intermediate signature comparison circuit compares the intermediate signature produced by the computation circuit with the operands in the instruction according to the semantics of the CTRLSIG instruction: if they match, the computed runtime signature from the intermediate signature is stored in the runtime signature register regG and the compensation signature taken from the immediate is stored in the compensation signature register regD; if they do not match, an instruction exception indication signal is generated and the exception handling circuit performs the subsequent exception handling.
Exemplarily, the data flow verification circuit 730 may include a dynamic check signature value computation circuit and a check signature value comparison circuit. For the CRCSIG instruction that performs the data flow check, the dynamic check signature value computation circuit, the check signature value comparison circuit and the dynamic check signature value register regN can be placed at the write-back stage of the instruction pipeline. The check signature value comparison circuit receives the instruction currently being executed together with an instruction width indication signal: if the instruction is 16 bits wide, its high-order bits are padded with sixteen zeros to form a 32-bit instruction code, which is fed to the dynamic check signature value computation circuit; if the instruction is 32 bits wide, no padding is needed and the 32-bit instruction code is fed to the computation circuit directly. The dynamic check signature value computation circuit computes the check signature value over the instructions fed to it, using a CRC check algorithm or another check algorithm. When the instruction currently being executed is not a CRCSIG instruction, the result of the computation circuit is stored in the dynamic check signature value register regN; when the current instruction is a CRCSIG instruction, the result of the computation circuit is compared with the operand in the CRCSIG instruction. If they match, the instruction executed normally; if they do not match, an instruction exception signal is generated and the exception handling circuit performs the subsequent exception handling.
Further, since the CRCSIG instruction checks the instructions within each basic block, the computation of the dynamic check signature value must restart when a new basic block begins executing. In some embodiments, the current basic block start signal produced by the extended decoding circuit 710 when it decodes the CTRLSIG instruction can be used to clear the dynamic check signature value register regN, so that regN holds only the dynamic check signature value computed over the instructions of the current basic block and the data flow check of the previous basic block does not affect that of the current basic block.
In some embodiments, when the comparison in the control flow verification circuit 720 or the data flow verification circuit 730 finds that the corresponding signatures do not match, an instruction exception signal is generated. To handle these instruction exception signals, an exception collection and recording circuit can be provided to which the instruction exception signals are sent once generated. This circuit collects the exception information from the instruction exception signals, such as control flow check exceptions and data flow check exceptions, merges it with the existing exception handling circuit of the instruction pipeline, and produces the final instruction exception indication. Exception handling by an instruction pipeline is well known in the art and is not described further here.
In the above embodiment, the data flow verification circuit zero-pads instruction codes of different lengths so that the instruction codes used to compute the dynamic check signature value are uniformly 32 bits wide, which simplifies the data flow verification circuit while meeting the need to compute check values for instruction codes of different lengths.
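The assembler side of CRCSIG and the data flow verification circuit 730 described above (zero-extension of 16-bit instructions, clearing of regN on the basic block start signal, comparison at CRCSIG), as an added Python model that is not code from the patent. The instruction words are constructed, and using CRC-32 as the check algorithm and including the CTRLSIG word in the block's signature are assumptions.

```python
"""Model of the CRCSIG data flow check described above (constructed example, not
code from the patent). The assembler fills the static check signature C into the
CRCSIG placeholder of each basic block; the write-back stage accumulates the
dynamic signature in regN over zero-extended 32-bit instruction words, clears regN
on the basic block start signal of CTRLSIG and compares regN with C at CRCSIG."""
import zlib
from dataclasses import dataclass

class DataFlowError(Exception):
    """Raised where the processor would raise a data flow check exception."""

@dataclass
class Insn:
    word: int            # encoded machine word (constructed values below)
    width: int = 32      # 16 or 32 bits
    kind: str = "other"  # "ctrlsig", "crcsig" or "other"
    C: int = 0           # static check signature operand of a CRCSIG

def padded_bytes(insn: Insn) -> bytes:
    """A 16-bit instruction gets sixteen zero high bits, as in circuit 730."""
    word = insn.word & (0xFFFF if insn.width == 16 else 0xFFFFFFFF)
    return word.to_bytes(4, "little")

def crc_step(regN: int, insn: Insn) -> int:
    """One update of the dynamic check signature. zlib's CRC-32 stands in for
    the check algorithm, which the text leaves open (assumption)."""
    return zlib.crc32(padded_bytes(insn), regN)

def assemble_block(insns: list) -> list:
    """Assembler pass: compute C over the block's words, excluding the CRCSIG
    itself (assumption: the CTRLSIG word is included, as regN is cleared
    before it is accumulated), and replace the placeholder with CRCSIG C."""
    body, placeholder = insns[:-1], insns[-1]
    assert placeholder.kind == "crcsig"
    C = 0
    for insn in body:
        C = crc_step(C, insn)
    return body + [Insn(placeholder.word, placeholder.width, "crcsig", C)]

def execute(program: list) -> int:
    """Write-back stage model; returns the number of CRCSIG checks passed."""
    regN, passed = 0, 0
    for insn in program:
        if insn.kind == "ctrlsig":
            regN = 0                        # basic block start signal clears regN
        if insn.kind != "crcsig":
            regN = crc_step(regN, insn)     # accumulate dynamic signature N
        elif regN != insn.C:
            raise DataFlowError(f"CRCSIG: N={regN:#010x} C={insn.C:#010x}")
        else:
            passed += 1
    return passed

def passes(program: list) -> bool:
    try:
        execute(program)
        return True
    except DataFlowError:
        return False

def flip_bit(program: list, index: int, bit: int) -> list:
    """Model an instruction word corrupted in memory (single bit flip)."""
    out = list(program)
    hit = out[index]
    out[index] = Insn(hit.word ^ (1 << bit), hit.width, hit.kind, hit.C)
    return out

def example_program() -> list:
    """Two basic blocks of constructed instruction words; block 1 has a 16-bit one."""
    block1 = [Insn(0x7B000001, kind="ctrlsig"), Insn(0x00A50513),
              Insn(0x4501, width=16), Insn(0x7C000000, kind="crcsig")]
    block2 = [Insn(0x7B000002, kind="ctrlsig"), Insn(0x00B50533),
              Insn(0x00C58593), Insn(0x7C000000, kind="crcsig")]
    return assemble_block(block1) + assemble_block(block2)

if __name__ == "__main__":
    prog = example_program()
    print(execute(prog))                 # 2: both blocks verified
    print(passes(flip_bit(prog, 6, 3)))  # False: corrupted word caught at CRCSIG
```

Because regN is cleared at each CTRLSIG, block 1's signature does not leak into block 2's check, and a corrupted word in either block is caught at that block's own CRCSIG.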
在一些实施方式中,基本块分配有静态签名;若干基本块包括当前基本块、跳转至当前基本块的前驱基本块。参考图8a所示,处理器700可以设置有运行时签名寄存器810、补偿签名寄存器820。In some embodiments, a basic block is assigned a static signature; several basic blocks include a current basic block, a predecessor basic block that jumps to the current basic block. Referring to FIG. 8 a , the processor 700 may be provided with a runtime signature register 810 and a compensation signature register 820 .
运行时签名寄存器810存储有前驱基本块的运行时签名,补偿签名寄存器820存储有前驱基本块的补偿签名。其中,补偿签名是基于前驱基本块的静态签名与前驱基准基本块的静态签名的异或计算结果确定的;前驱基准基本块与前驱基本块处于同一控制级别,前驱基准基本块可以理解为前驱基本块所处的控制级别上的基准基本块。The runtime signature register 810 stores the runtime signature of the predecessor basic block, and the compensation signature register 820 stores the compensation signature of the predecessor basic block. Among them, the compensation signature is determined based on the XOR calculation result of the static signature of the precursor basic block and the static signature of the precursor basic block; the precursor reference basic block and the predecessor basic block are at the same control level, and the precursor reference basic block can be understood as The base basic block at the level of control in which the block resides.
控制流校验电路720还用于确定当前基本块的静态签名和签名差,若前驱基本块的运行时签名、当前基本块的签名差、前驱基本块的补偿签名的异或计算结果等于当前基本块的静态签名,当前基本块通过控制流校验。其中,签名差是基于前驱基准基本块的静态签名与当前基本块的静态签名进行异或计算的结果确定的。The control flow verification circuit 720 is also used to determine the static signature and signature difference of the current basic block, if the XOR calculation result of the runtime signature of the predecessor basic block, the signature difference of the current basic block, and the compensation signature of the predecessor basic block is equal to the current basic block The static signature of the block, the current basic block passes the control flow verification. Wherein, the signature difference is determined based on the XOR calculation result of the static signature of the predecessor basic block and the static signature of the current basic block.
示例性地,参考图8b所示,控制流校验电路720可以与运行时签名寄存器810和补偿签名寄存器820连接,控制流校验电路720还可以包括中间签名计算电路830和中间签名比较电路840。当执行指令CTRLSIG_M d, S, Dc时,中间签名计算电路830可以根据由扩展译码电路710产生并沿指令流水线传递到写回级的控制信号,按照前述控制流校验的签名运算规则计算当前基本块的运行时签名Gc=G'⊕op(d)⊕D',其中,op操作表示从指令编码中取立即数,G'表示从当前运行时签名寄存器810中取出的前驱基本块的运行时签名,D'表示从当前补偿签名寄存器820中取出的前驱基本块的补偿签名。中间签名比较电路840将计算产生的运行时签名Gc按照CTRLSIG_M指令的语义,与指令中的操作数进行比较,即比较G'⊕op(d)⊕D'与op(S)是否一致,如果比较结果是一致的,则将当前基本块的运行时签名Gc存入运行时签名寄存器810中,将取立即数得到的当前基本块的补偿签名op(D)存入补偿签名寄存器820中。Exemplarily, as shown in FIG. 8b, the control flow verification circuit 720 may be connected to the runtime signature register 810 and the compensation signature register 820, and the control flow verification circuit 720 may also include an intermediate signature calculation circuit 830 and an intermediate signature comparison circuit 840. . When the instruction CTRLSIG_M d, S, D c is executed, the intermediate signature calculation circuit 830 can calculate according to the control signal generated by the extended decoding circuit 710 and transmitted to the write-back stage along the instruction pipeline according to the signature operation rule of the aforementioned control flow check The runtime signature of the current basic block G c =G'⊕op(d)⊕D', where the op operation means fetching an immediate value from the instruction code, and G' denotes the predecessor basic block fetched from the current runtime signature register 810 D' represents the compensation signature of the predecessor basic block fetched from the current compensation signature register 820 . 
The intermediate signature comparison circuit 840 compares the calculated runtime signature G c with the operands in the instruction according to the semantics of the CTRLSIG_M instruction, that is, compares whether G'⊕op(d)⊕D' is consistent with op(S), if If the comparison result is consistent, the runtime signature G c of the current basic block is stored in the runtime signature register 810 , and the compensation signature op(D) of the current basic block obtained by fetching the immediate value is stored in the compensation signature register 820 .
In some implementations, the control flow includes a function control flow, which has an entry basic block and an exit basic block; during the compilation stage a signature information save instruction is inserted into the entry basic block and a signature information restore instruction is inserted into the exit basic block. Referring to FIG. 9a, the processor 700 may be provided with a signature stack 910. The signature stack 910 executes the signature information save instruction when a function is called, supporting the push of the runtime signature and the compensation signature, and executes the signature information restore instruction when the called function returns, supporting the pop of the saved runtime signature and compensation signature.
Exemplarily, referring to FIG. 9b, the signature stack 910 may be connected to the control flow verification circuit 720. In some embodiments, the signature stack 910 is implemented as a dedicated hardware storage circuit that is managed as a stack. When the PUSHSIG instruction is executed, the runtime signature G and the compensation signature D of the current basic block are stored in the top-of-stack register of the signature stack 910; when the POPSIG instruction is executed, the runtime signature G and the compensation signature D are read from the top-of-stack register of the signature stack 910 and written into the runtime signature register 810 and the compensation signature register 820, respectively. Implementing the signature stack 910 as dedicated hardware has the advantage that no software is needed for additional control of the circuit. The disadvantage is that a dedicated hardware circuit has a limited capacity, and its area is usually kept small to save hardware; if, while the program runs, the signature information to be pushed exceeds the capacity of the dedicated hardware circuit, a stack overflow occurs and additional stack overflow exception handling is required.
In other embodiments, the signature stack 910 is implemented by software, which allocates a region of system memory for saving signature information; the related configuration must be held in software-accessible configuration registers, such as a start address configuration register for the signature stack 910, a capacity configuration register for the signature stack 910, and a register pointing to the top of the signature stack 910. When the PUSHSIG instruction is executed, the runtime signature G and the compensation signature D of the current basic block are written to system memory at the address held by the register currently pointing to the top of the signature stack 910; when the POPSIG instruction is executed, the runtime signature G and the compensation signature D are read from system memory at the address held by that register and written into the runtime signature register 810 and the compensation signature register 820, respectively. Implementing the signature stack 910 in software has the advantage of exploiting the large capacity of system memory to save more signature information; the disadvantage is that the signature stack 910 must be configured in software beforehand.
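The following simulator is an added example written for this page; it is not code from the patent. It models the signature rule given above for CTRLSIG_M d, S, Dc (G' ⊕ op(d) ⊕ D' compared with op(S), then G and Dc committed to the registers) together with the PUSHSIG and POPSIG behaviour of a bounded hardware signature stack, on a constructed control flow graph with an if/else and one function call. Everything beyond that rule is an assumption of the example: 16-bit signature constants, one reference basic block per control level (the first block listed at that level), the entry basic block and a called function starting from G = D = 0 so that their signature difference equals their static signature, and a two-entry signature stack that raises an overflow exception. The last run also shows a consequence of the XOR rule itself: a transfer out of a level's reference basic block into a block whose legal predecessors are at that level is indistinguishable from a legal one, because the reference block carries a zero compensation signature.

```python
"""CTRLSIG_M / PUSHSIG / POPSIG simulator (added example, not code from the patent)."""


class ControlFlowError(Exception): pass          # CTRLSIG_M found G' ^ op(d) ^ D' != op(S)
class SignatureStackOverflow(Exception): pass    # PUSHSIG exceeded the signature stack capacity

# Constructed CFG: main = M0 -> M1 -> (M2 | M3) -> M4 -(call f)-> M5, f = F0 -> F1.
# name -> (static signature S, control level, legal intra-procedural predecessors).
# Signatures are arbitrary 16-bit constants; the first block listed at a level is that
# level's reference block; call/return edges are handled by the signature stack, not here.
BLOCKS = {
    "M0": (0x1A2B, 0, []),
    "M1": (0x3C4D, 0, ["M0"]),
    "M2": (0x5E6F, 1, ["M1"]),
    "M3": (0x7081, 1, ["M1"]),
    "M4": (0x92A3, 0, ["M2", "M3"]),
    "M5": (0xB4C5, 0, ["M4"]),
    "F0": (0xD6E7, 2, []),          # function entry block, carries PUSHSIG
    "F1": (0xF809, 2, ["F0"]),      # function exit block, carries POPSIG
}
REF = {}                            # control level -> static signature of its reference block
for _sig, _level, _ in BLOCKS.values():
    REF.setdefault(_level, _sig)


def ctrlsig_m_immediates(name):
    """Compiler side: (d, S, Dc) for the CTRLSIG_M at the head of block `name`.
    d = S_ref(level(pred)) ^ S_C, Dc = S_C ^ S_ref(level(C)). An entry block has no
    predecessor; its chain starts from G = D = 0, so d = S_C (assumption of this example)."""
    sig, level, preds = BLOCKS[name]
    pred_levels = {BLOCKS[p][1] for p in preds}
    if len(pred_levels) > 1:
        raise ValueError(f"{name}: all predecessors must share one reference block")
    d = sig ^ (REF[pred_levels.pop()] if pred_levels else 0)
    return d, sig, sig ^ REF[level]


class Processor:
    """Processor side: registers 810/820, circuits 830/840 and a bounded hardware signature stack 910."""

    def __init__(self, stack_capacity=2):
        self.G, self.D = 0, 0        # runtime signature register 810, compensation signature register 820
        self.stack, self.capacity = [], stack_capacity
        self.trace = []

    def ctrlsig_m(self, name):
        d, S, Dc = ctrlsig_m_immediates(name)
        Gc = self.G ^ d ^ self.D     # intermediate signature calculation circuit 830
        if Gc != S:                  # intermediate signature comparison circuit 840
            raise ControlFlowError(f"illegal transfer into {name}: {Gc:#06x} != {S:#06x}")
        self.G, self.D = Gc, Dc      # registers are updated only on a match
        self.trace.append(name)

    def pushsig(self):
        """PUSHSIG in a function entry block: save caller (G, D); callee chain restarts at 0, 0 (assumption)."""
        if len(self.stack) >= self.capacity:
            raise SignatureStackOverflow("signature stack full: overflow exception required")
        self.stack.append((self.G, self.D))
        self.G, self.D = 0, 0

    def popsig(self):
        """POPSIG in a function exit block: restore caller (G, D) before the return."""
        self.G, self.D = self.stack.pop()


def run_path(path, capacity=2):
    """Execute block names and PUSHSIG/POPSIG markers in order; return (trace, final G)."""
    cpu = Processor(capacity)
    for step in path:
        if step == "PUSHSIG":
            cpu.pushsig()
        elif step == "POPSIG":
            cpu.popsig()
        else:
            cpu.ctrlsig_m(step)
    return cpu.trace, cpu.G


def outcome(path, capacity=2):
    """'ok', 'control-flow-error' or 'stack-overflow' for a path."""
    try:
        run_path(path, capacity)
    except ControlFlowError:
        return "control-flow-error"
    except SignatureStackOverflow:
        return "stack-overflow"
    return "ok"


if __name__ == "__main__":
    print("legal:", outcome(["M0", "M1", "M2", "M4", "PUSHSIG", "F0", "F1", "POPSIG", "M5"]))
    print("M1 -> M4 skipping the if/else:", outcome(["M0", "M1", "M4"]))
    print("F0 -> M5 without POPSIG:", outcome(["M0", "M1", "M3", "M4", "PUSHSIG", "F0", "M5"]))
    print("calls nested deeper than the stack:", outcome(["M0", "M1", "M2", "M4"] + ["PUSHSIG", "F0"] * 3))
    # Consequence of the XOR rule: M0 is the level-0 reference block (D = 0) and d_M3 already
    # contains S_M0, so the illegal transfer M0 -> M3 produces exactly S_M3 and is not caught.
    print("M0 -> M3 out of the reference block:", outcome(["M0", "M3"]))
```

Running the file prints the outcome of one legal path, two illegal transfers (a skipped if/else and a return that bypasses POPSIG), a recursion that exceeds the two-entry stack, and the undetected transfer out of the reference block. The two exceptions mark the points at which the processor described above would raise its control flow error or its stack overflow exception.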
In some implementations, the data flow verification instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links the program. Referring to FIG. 10a, the processor 700 may be provided with a CRC intermediate value register 1010, which stores the intermediate CRC signature value generated when the current basic block has run up to the current instruction. The data flow verification circuit 730 also calculates the CRC signature value of all instructions in the current basic block to obtain a dynamic check signature; if the dynamic check signature when the current basic block finishes executing matches the static check signature, the current basic block passes the data flow verification.
Specifically, when the current basic block has run up to the current instruction, the dynamic check signature value for that instruction is computed and stored in the CRC intermediate value register 1010 as the intermediate CRC signature value. After all instructions in the current basic block have executed, the CRC intermediate value register 1010 holds the dynamic check signature value over all instructions in the current basic block.
Exemplarily, referring to FIG. 10b, the data flow verification circuit 730 may be connected to the CRC intermediate value register 1010 and may further include a dynamic check signature value calculation circuit 1020 and a check signature value comparison circuit 1030. When an instruction in the basic block executes, the check signature value comparison circuit 1030 receives the instruction currently being executed together with an instruction code width indication signal and passes them to the dynamic check signature value calculation circuit 1020, which updates the CRC signature value with that instruction. If the current instruction is not a CRCSIG instruction, the CRC signature value computed by the dynamic check signature value calculation circuit 1020 is stored in the CRC intermediate value register 1010; if the current instruction is a CRCSIG instruction, the CRC signature value computed by the dynamic check signature value calculation circuit 1020 is compared with the operand of the CRCSIG instruction, and the instruction has executed normally if they match.
In some cases, to prevent software breakpoint instructions and other debug instructions issued by the host computer during debugging from being mistaken for instructions inside the basic block and fed into the computation of the dynamic check signature value, which would corrupt the result of the basic block's data flow verification, a masking mechanism for host-issued debug instructions may be provided so that such instructions do not take part in the data flow verification of the basic block. A program containing the extended instructions of this specification can then support the usual debugging actions without affecting the data flow verification.
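As an added example, not code from the patent, the following script carries the data flow check through both stages described on this page: the link stage replaces the placeholder at the block tail with a CRCSIG instruction carrying the static check signature, and the runtime side keeps a CRC intermediate value register, updates it with every executed instruction (the instruction width indication is modelled by the instruction length), compares on CRCSIG, and masks host-issued debug instructions. Assumptions of the example, none of which the patent text fixes: a toy ISA with 2- and 4-byte instructions, CRC-16/CCITT-FALSE as the CRC, a CRCSIG encoding of 0xC5 0x00 followed by the 16-bit CRC, a placeholder encoding of 0xC5 0xFF 0xFF 0xFF, a 2-byte breakpoint encoding 0x90 0x02 as the masked debug instruction, the CRC covering the instructions that precede CRCSIG, and the intermediate register being reset at block entry.

```python
"""Link-time CRCSIG insertion and runtime CRC data flow check (added example, not patent code)."""

CRC_INIT, CRC_POLY = 0xFFFF, 0x1021            # CRC-16/CCITT-FALSE (assumed; the patent fixes no polynomial)
CRCSIG_OPC = 0xC5                               # assumed 4-byte encoding: C5 00 <crc hi> <crc lo>
PLACEHOLDER = bytes([0xC5, 0xFF, 0xFF, 0xFF])   # assumed compile-time placeholder at the block tail
DEBUG_INSTRS = {bytes([0x90, 0x02])}            # assumed host-issued breakpoint, masked from the CRC


class DataFlowError(Exception):
    """CRCSIG found dynamic check signature != static check signature."""


def crc16_update(crc, data):
    """Advance a CRC-16/CCITT-FALSE intermediate value over `data` (resumable, no table)."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def is_crcsig(instr):
    return len(instr) == 4 and instr[0] == CRCSIG_OPC and instr != PLACEHOLDER


def link_block(block):
    """Link stage: replace the tail placeholder with CRCSIG carrying the static check signature,
    computed over every instruction that precedes it (assumption: CRCSIG itself is not covered)."""
    if not block or block[-1] != PLACEHOLDER:
        raise ValueError("block tail is not the compile-time placeholder instruction")
    crc = CRC_INIT
    for instr in block[:-1]:
        crc = crc16_update(crc, instr)
    return block[:-1] + [bytes([CRCSIG_OPC, 0x00, crc >> 8, crc & 0xFF])]


def execute_block(block, mask_debug=True):
    """Runtime: data flow verification circuit 730 driving the CRC intermediate value register 1010.
    The instruction width indication is modelled by len(instr). Returns the final intermediate
    value on success and raises DataFlowError on a mismatch or a missing CRCSIG."""
    crc_reg = CRC_INIT                          # register 1010, reset at block entry (assumption)
    for instr in block:
        if mask_debug and instr in DEBUG_INSTRS:
            continue                            # masked: not part of the block's static code
        if is_crcsig(instr):
            static = (instr[2] << 8) | instr[3]
            if crc_reg != static:
                raise DataFlowError(f"dynamic {crc_reg:#06x} != static {static:#06x}")
            return crc_reg
        crc_reg = crc16_update(crc_reg, instr)  # store the new intermediate value
    raise DataFlowError("block ended without a CRCSIG instruction")


def check(block, mask_debug=True):
    """'pass' or 'fail' for the block's data flow verification."""
    try:
        execute_block(block, mask_debug)
    except DataFlowError:
        return "fail"
    return "pass"


def flip_bit(instr, bit):
    """Model a fault: flip one bit of an instruction word."""
    b = bytearray(instr)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


# Constructed block of 2- and 4-byte toy instructions ending in the compile-time placeholder.
COMPILED_BLOCK = [bytes.fromhex(h) for h in ("10a3", "2b4c0001", "7f00", "33c1ff02")] + [PLACEHOLDER]
LINKED_BLOCK = link_block(COMPILED_BLOCK)
CORRUPTED_BLOCK = LINKED_BLOCK[:1] + [flip_bit(LINKED_BLOCK[1], 5)] + LINKED_BLOCK[2:]
DEBUGGED_BLOCK = LINKED_BLOCK[:2] + [bytes([0x90, 0x02])] + LINKED_BLOCK[2:]   # breakpoint injected by the host

if __name__ == "__main__":
    print("linked tail:", LINKED_BLOCK[-1].hex())
    print("intact:", check(LINKED_BLOCK))
    print("one bit flipped:", check(CORRUPTED_BLOCK))
    print("breakpoint, masked:", check(DEBUGGED_BLOCK))
    print("breakpoint, not masked:", check(DEBUGGED_BLOCK, mask_debug=False))
```

The intact block passes, a single flipped bit in any instruction fails (a CRC detects every single-bit error), and the same block with a host-injected breakpoint passes only while the masking mechanism is active. An unlinked block still carrying the placeholder fails as well, because no CRCSIG is ever reached.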
The embodiments of this specification provide a program flow monitoring device. A program flow corresponds to a control flow and a data flow; the control flow includes several basic blocks; a control flow verification instruction is inserted at the head of each basic block during the compilation stage, and a data flow verification instruction is inserted at the tail of each basic block during the linking stage. The data flow verification instruction is inserted in the linking stage by replacing the placeholder instruction that the compilation stage placed at the tail of the basic block. Referring to FIG. 11a, the program flow monitoring device 1100 includes a control flow verification module 1110 and a data flow verification module 1120.
The control flow verification module 1110 executes the control flow verification instruction in the current basic block when the program flow reaches the current basic block, to verify the correctness of the control flow.
The data flow verification module 1120 determines the CRC signature value of all instructions of the current basic block when the current basic block reaches the data flow verification instruction, to verify the integrity of the data flow.
In some implementations, each basic block is assigned a static signature, and the basic blocks include a current basic block and a predecessor basic block that jumps to the current basic block. The control flow verification module 1110 also obtains the compensation signature and the runtime signature of the predecessor basic block, where the compensation signature is the XOR of the static signature of the predecessor basic block with the static signature of the predecessor reference basic block, and the predecessor reference basic block is the reference basic block at the control level of the predecessor basic block; it determines the static signature and the signature difference of the current basic block, where the signature difference is the XOR of the static signature of the predecessor reference basic block with the static signature of the current basic block; and if the XOR of the runtime signature of the predecessor basic block, the signature difference of the current basic block and the compensation signature of the predecessor basic block equals the static signature of the current basic block, the current basic block passes the control flow verification. On a legal transfer the runtime signature of the predecessor basic block equals its static signature, so the static signatures of the predecessor basic block and of the predecessor reference basic block each occur twice in the XOR and cancel, leaving exactly the static signature of the current basic block.
In some implementations, a control flow verification instruction built from the signature difference and the static signature of the current basic block is inserted at the head of the current basic block, and the control flow verification module 1110 is further configured such that, if the XOR of the runtime signature of the predecessor basic block, the signature difference carried by the control flow verification instruction and the compensation signature of the predecessor basic block equals the static signature carried by the control flow verification instruction, the current basic block passes the control flow verification.
In some implementations, the data flow verification instruction carries a static check signature, which is determined from the CRC signature value of all instructions in the current basic block when the compiler compiles and links the program. The data flow verification module 1120 also calculates the CRC signature value of all instructions in the current basic block to obtain a dynamic check signature; if the dynamic check signature when the current basic block finishes executing matches the static check signature, the current basic block passes the data flow verification.
In some implementations, the control flow includes a function control flow, which has an entry basic block and an exit basic block; during the compilation stage a signature information save instruction is inserted into the entry basic block and a signature information restore instruction is inserted into the exit basic block. Referring to FIG. 11b, the program flow monitoring device 1100 may further include a signature push module 1130 and a signature pop module 1140.
The signature push module 1130 executes the signature information save instruction when a function is called, to support pushing the runtime signature and the compensation signature.
The signature pop module 1140 executes the signature information restore instruction when the called function returns, to support popping the saved runtime signature and compensation signature.
The embodiments of this specification provide a program code compiling device. The program code corresponds to a program control flow graph that contains several basic blocks. Referring to FIG. 12a, the program code compiling device 1200 includes a first instruction insertion module 1210 and a placeholder instruction replacement module 1220.
The first instruction insertion module 1210 inserts, during the compilation stage, a control flow verification instruction at the head of each basic block and a placeholder instruction at the tail of each basic block. The control flow verification instruction verifies the correctness of the control flow when the program flow corresponding to the program code reaches any basic block.
The placeholder instruction replacement module 1220 replaces, during the linking stage, the instruction code of the placeholder instruction with a data flow verification instruction. The data flow verification instruction determines the CRC signature value of all instructions of a basic block when the program flow corresponding to the program code reaches that basic block's data flow verification instruction, to verify the integrity of the data flow.
In some implementations, the control flow includes a function control flow, which has an entry basic block and an exit basic block. Referring to FIG. 12b, the program code compiling device 1200 may further include a second instruction insertion module 1230.
The second instruction insertion module 1230 inserts, during the compilation stage, a signature information save instruction in the entry basic block and a signature information restore instruction in the exit basic block. The signature information save instruction pushes the runtime signature and the compensation signature when the function is called, and the signature information restore instruction pops the runtime signature and the compensation signature before the called function returns.
For the specific definitions of the program flow monitoring device and the program code compiling device, reference may be made to the definitions of the program flow monitoring method and the program code compiling method above, which are not repeated here. Each module of the program flow monitoring device and the program code compiling device may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of a computer device, or may be stored in software form in the memory of the computer device so that the processor can invoke them to perform the operations of the respective modules.
The embodiments of this specification also provide a computer device. Referring to FIG. 13, the computer device 1300 includes a memory 1310 and a processor 1320; the memory 1310 stores a computer program 1330, and when the processor 1320 executes the computer program 1330, the steps of the program flow monitoring method and/or the program code compiling method of any of the foregoing embodiments are carried out.
The embodiments of this specification also provide a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the program flow monitoring method and/or the program code compiling method of any of the foregoing embodiments are carried out.
According to the embodiments of this specification, the program flow monitoring method, which combines software and hardware on the basis of extended instructions, achieves fully automatic program flow monitoring without additional changes to the user program. The monitoring latency does not exceed the number of instructions in one basic block, so it is very low, and the abnormal situation in which subsequent instructions keep executing after an instruction has executed abnormally is avoided.
It should be noted that the logic and/or steps shown in the flowcharts or otherwise described herein may be regarded, for example, as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" is any means that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (an electronic device), a portable computer diskette (a magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM).
In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that the various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the embodiments described above, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one, or a combination, of the following techniques known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly specifying the number of the indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, for example two or three, unless expressly and specifically defined otherwise.
In the present invention, unless otherwise expressly specified and limited, the terms "mounted", "connected", "coupled", "fixed" and the like are to be understood broadly; for example, a connection may be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; and may be an internal communication between two elements or an interaction between two elements, unless expressly limited otherwise. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
Although embodiments of the present invention have been shown and described above, it is to be understood that these embodiments are exemplary and are not to be construed as limiting the present invention; a person of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.
Claims (27)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310708268.XA CN116450402B (en) | 2023-06-15 | 2023-06-15 | Program flow monitoring method, compiling method, device, processor and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310708268.XA CN116450402B (en) | 2023-06-15 | 2023-06-15 | Program flow monitoring method, compiling method, device, processor and computer equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116450402A true CN116450402A (en) | 2023-07-18 |
| CN116450402B CN116450402B (en) | 2023-08-18 |
Family
ID=87134139
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310708268.XA Active CN116450402B (en) | 2023-06-15 | 2023-06-15 | Program flow monitoring method, compiling method, device, processor and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116450402B (en) |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060080014A1 (en) * | 2004-09-20 | 2006-04-13 | Andrea Di Palma | Monitoring method and system with trusted corrective actions |
| CN1905076A (en) * | 2006-06-30 | 2007-01-31 | 浙江大学 | Method for implementing dynamic storage error static detecting of embedded system |
| WO2008002350A1 (en) * | 2006-06-23 | 2008-01-03 | Microsoft Corporation | Securing software by enforcing data flow integrity |
| CN101763291A (en) * | 2009-12-30 | 2010-06-30 | 中国人民解放军国防科学技术大学 | Method for detecting error of program control flow |
| CN101944064A (en) * | 2010-10-12 | 2011-01-12 | 中国人民解放军国防科学技术大学 | Control flow error detection optimizing method based on reconstructed control flow graph |
| CN103345445A (en) * | 2013-07-02 | 2013-10-09 | 华中科技大学 | Security chip design method based on control flow detection and resistant to error injection attack |
| US20140053028A1 (en) * | 2012-08-16 | 2014-02-20 | International Business Machines Corporation | Anomaly detection at the level of run time data structures |
| CN104461886A (en) * | 2014-12-10 | 2015-03-25 | 深圳航天东方红海特卫星有限公司 | Control flow error detection method |
| WO2016087652A1 (en) * | 2014-12-05 | 2016-06-09 | Technische Universität Dresden | Method for processing data in order to ascertain if an error has occurred while running a program, and data processing arrangements for generating program code |
| US20170024304A1 (en) * | 2015-07-24 | 2017-01-26 | Infineon Technologies Ag | Method for determining an intergrity of an execution of a code fragment and a method for providing an abstracted representation of a program code |
| CN107038084A (en) * | 2016-02-03 | 2017-08-11 | 北京邮电大学 | A kind of program detecting method and device |
- 2023-06-15: CN202310708268.XA, patent CN116450402B (en), active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060080014A1 (en) * | 2004-09-20 | 2006-04-13 | Andrea Di Palma | Monitoring method and system with trusted corrective actions |
| WO2008002350A1 (en) * | 2006-06-23 | 2008-01-03 | Microsoft Corporation | Securing software by enforcing data flow integrity |
| CN101473300A (en) * | 2006-06-23 | 2009-07-01 | 微软公司 | Securing software by enforcing data flow integrity |
| CN1905076A (en) * | 2006-06-30 | 2007-01-31 | 浙江大学 | Method for implementing dynamic storage error static detecting of embedded system |
| CN101763291A (en) * | 2009-12-30 | 2010-06-30 | 中国人民解放军国防科学技术大学 | Method for detecting error of program control flow |
| CN101944064A (en) * | 2010-10-12 | 2011-01-12 | 中国人民解放军国防科学技术大学 | Control flow error detection optimizing method based on reconstructed control flow graph |
| US20140053028A1 (en) * | 2012-08-16 | 2014-02-20 | International Business Machines Corporation | Anomaly detection at the level of run time data structures |
| CN103345445A (en) * | 2013-07-02 | 2013-10-09 | 华中科技大学 | Security chip design method based on control flow detection and resistant to error injection attack |
| WO2016087652A1 (en) * | 2014-12-05 | 2016-06-09 | Technische Universität Dresden | Method for processing data in order to ascertain if an error has occurred while running a program, and data processing arrangements for generating program code |
| CN104461886A (en) * | 2014-12-10 | 2015-03-25 | 深圳航天东方红海特卫星有限公司 | Control flow error detection method |
| US20170024304A1 (en) * | 2015-07-24 | 2017-01-26 | Infineon Technologies Ag | Method for determining an intergrity of an execution of a code fragment and a method for providing an abstracted representation of a program code |
| CN106372500A (en) * | 2015-07-24 | 2017-02-01 | 英飞凌科技股份有限公司 | Method for determining an intergrity of an execution of a code fragment and a method for providing an abstracted representation of a program code |
| CN107038084A (en) * | 2016-02-03 | 2017-08-11 | 北京邮电大学 | A kind of program detecting method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116450402B (en) | 2023-08-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI803927B (en) | Processor, apparatus for protecting the processor, and method for protecting the processor | |
| US7596781B2 (en) | Register-based instruction optimization for facilitating efficient emulation of an instruction stream | |
| Werner et al. | Protecting the control flow of embedded processors against fault attacks | |
| JPH0444294B2 (en) | ||
| TW201734768A (en) | Branch instruction | |
| US9176739B2 (en) | System and method for checking run-time consistency for sequentially and non-sequentially fetched instructions | |
| US7036111B2 (en) | Code verification system and method | |
| TW201737060A (en) | Program loop control | |
| Zgheib et al. | A CFI verification system based on the RISC-V instruction trace encoder | |
| US8510713B1 (en) | Method and system for validating a disassembler | |
| CN119127309B (en) | Instruction processing system and instruction processing method | |
| CN116450402B (en) | Program flow monitoring method, compiling method, device, processor and computer equipment | |
| Benso et al. | Static analysis of SEU effects on software applications | |
| Michelland et al. | From low-level fault modeling (of a pipeline attack) to a proven hardening scheme | |
| Wojtczuk | UQBTng: A tool capable of automatically finding integer overflows in Win32 binaries | |
| CN105117201A (en) | Method and apparatus for data processing | |
| CN114489657B (en) | The system and process for compiling source code | |
| JP5821720B2 (en) | Startup control program and startup control method | |
| KR101968544B1 (en) | Method and apparatus for detecting vulnerability of software | |
| CN116521550A (en) | Compiler testing method, testing device and storage medium | |
| CN113761540A (en) | Verification method of BranchScope and its compiler protection method | |
| CN102411534A (en) | Breakpoint debugging method and debugger | |
| Vankeirsbilck et al. | Advancing control flow error detection techniques for embedded software using automated implementation and fault injection | |
| Schiffel et al. | Slice your bug: Debugging error detection mechanisms using error injection slicing | |
| API | Reference guide |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |