Atomic violation detection method and device, electronic equipment and storage medium

By identifying global variable access pairs and injecting interrupt handlers in embedded software, and combining spatial and temporal atomicity checks, the problems of low accuracy and high false negative rate in atomicity violation detection in embedded software are solved, achieving efficient and accurate detection results.

CN122173404APending Publication Date: 2026-06-09BEIHANG UNIV +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIHANG UNIV
Filing Date
2026-03-26
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies struggle to efficiently and accurately detect and eliminate atomic violations in embedded software, especially in interrupt-driven embedded software. Traditional methods cannot cover the diverse runtime contexts of global variable access and cannot strategically control the timing of interrupts, resulting in high false negative rates and difficulties in reproducing the problem.

Method used

By identifying two consecutive ordered accesses to global variables in the main task, global variable access pairs, and injecting feasible interrupt handlers between access pairs, a dual verification mechanism of spatial atomicity and temporal atomicity is introduced to construct execution paths that may violate atomicity, ensuring that interruption scenarios are reproduced in the test environment. Iterative running and dynamic adjustment of input variables are used to achieve comprehensive coverage.

Benefits of technology

It significantly improves the accuracy of atomic violation detection, reduces the false negative rate, ensures the atomicity of key data paths in different input contexts, and achieves efficient and accurate atomic violation detection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122173404A_ABST
    Figure CN122173404A_ABST
Patent Text Reader

Abstract

This application provides a method, apparatus, electronic device, and storage medium for detecting atomicity violations, belonging to the field of software testing technology. The method includes: running the program under test using different input variables, identifying global variable access pairs covered during the execution of the program under test; for each global variable access pair, re-running the program under test using the corresponding input variables, and injecting feasible interrupt handlers between the global variable access pairs; if the interrupt handlers access the same global variable, recording the global variable access pair as a candidate global variable access pair; if the candidate global variable access pair simultaneously satisfies both spatial atomicity and temporal atomicity, then determining that the candidate global variable access pair has an atomicity violation risk. This application achieves efficient and accurate detection of atomicity violations by comprehensively covering variable access pairs, actively constructing interrupt scenarios, and establishing a spatiotemporal dual verification model.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of software testing technology, and in particular to an atomicity violation detection method, apparatus, electronic device, and storage medium. Background Technology

[0002] In safety-critical fields such as aerospace, industrial control, and automotive electronics, interrupt-driven embedded software forms the core of stable system operation. This type of software typically runs on resource-constrained hardware, lacking the complex memory management mechanisms of an operating system. The main task and interrupt handlers interact with each other through shared global variables. In this architecture, atomicity violations are a typical and insidious concurrency defect: when the main task accesses the same global variable twice consecutively (which should constitute an indivisible atomic operation unit), if interrupted by an external interrupt signal, and the interrupt handler also happens to access the variable, undefined behavior will occur in the execution sequence, leading to system logic errors, data corruption, or even catastrophic functional failures. Therefore, efficiently and accurately detecting and eliminating atomicity violations during the development phase is crucial for ensuring the security of highly reliable embedded systems.

[0003] Existing atomic violation detection methods can be broadly categorized into three types. The first type is based on multi-threaded models, such as the AVIO algorithm. Its core principle is to collect execution traces through instrumentation and use atomic invariants to check for interleaved execution between threads. However, these methods presuppose explicit synchronization primitives and thread scheduling models, while interrupt-driven software typically employs preemptive execution and lacks explicit synchronization primitives, making these methods incompatible. The second type is coverage-guided fuzzing techniques for IoT firmware. While these techniques address simulation efficiency and compatibility issues by enhancing process simulation, their primary goal is to improve code coverage to detect memory errors such as crashes or hangs, without designing a dedicated detection mechanism for atomic violations in concurrent logic. The third type is data race detection techniques specifically for interrupt-driven software. These techniques utilize full-system simulation and partial order relation construction to identify data races. However, data races and atomic violations differ fundamentally in their causes and manifestations; the former focuses on unordered access, while the latter focuses on the unexpected interruption of atomic operations. Therefore, existing data race detection tools cannot effectively identify atomic violations. In summary, existing technologies generally face two major challenges: First, they are difficult to cover the diverse runtime contexts of global variable access, and traditional fuzz testing often ignores the temporal correlation of specific variable access pairs; second, they cannot strategically control the timing of interrupts. Because interrupt triggering is random and unpredictable in actual operation, existing methods are unable to actively construct specific interrupt scenarios that trigger atomic violations, resulting in high false negative rates and difficulty in reproducing the problem.

[0004] Therefore, how to achieve accurate and proactive detection of atomicity violations between global variable access pairs has become an urgent technical problem to be solved. Summary of the Invention

[0005] This application provides an atomic violation detection method, apparatus, electronic device, and storage medium to address the shortcomings of low accuracy and high false negative rate in existing atomic violation detection technologies.

[0006] This application provides a method for detecting atomic violations, including the following steps: Run the program under test with different input variables and identify the global variable access pairs covered during the execution of the program under test. The global variable access pairs are two consecutive ordered accesses to the same global variable in the main task. For each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. For any of the candidate global variable access pairs, if the candidate global variable access pair satisfies both spatial atomicity and temporal atomicity, then the candidate global variable access pair is determined to have an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0007] According to the atomicity violation detection method provided in this application, the step of running the program under test with different input variables and identifying the global variable access pairs covered during the execution of the program under test includes: Run the program under test using the initial input. If there are global variable access pairs during the execution of the program under test, then add the initial input to the seed pool. Randomly select a seed from the seed pool, perform mutation processing on the seed, and use the mutation result as the input variable for the next run of the program under test; If the program under test is run using the input variable, and a new global variable access pair is overwritten during the execution of the program under test, then the input variable is added to the seed pool. The tested program is run iteratively using the seeds in the seed pool until the iteration stops.

[0008] According to the atomic violation detection method provided in this application, global variable access pairs during the execution of the program under test are determined based on the following steps: During the execution of the program under test, runtime information of each global variable access in the main task is recorded, including the access location, runtime call stack, and occurrence time. Based on the runtime information of each global variable access, the global variable access pairs covered during the execution of the program under test are identified.

[0009] According to the atomicity violation detection method provided in this application, after identifying the global variable access pairs covered during the execution of the program under test, the method further includes: Record the correspondence between the input variables and the global variable access pairs.

[0010] According to the atomicity violation detection method provided in this application, the spatial atomicity is that the caller functions of the two global variable accesses in a global variable access pair are the same, or the caller functions of the two global variable accesses have a first-level call relationship.

[0011] According to the atomicity violation detection method provided in this application, the temporal atomicity is that the time interval between two global variable accesses in a global variable access pair is less than a preset duration threshold.

[0012] This application also provides an atomic violation detection device, comprising the following modules: The access pair identification module is used to: run the program under test with different input variables, identify the global variable access pairs covered during the operation of the program under test, wherein the global variable access pair is two consecutive ordered accesses to the same global variable in the main task; The interrupt detection module is used to: for each global variable access pair, rerun the program under test using the corresponding input variables, and inject a feasible interrupt handler between the global variable access pairs; if the interrupt handler accesses the same global variable, then record the global variable access pair as a candidate global variable access pair. The violation verification module is used to: for any candidate global variable access pair, if the candidate global variable access pair simultaneously satisfies spatial atomicity and temporal atomicity, then determine that the candidate global variable access pair has an atomicity violation risk. The spatial atomicity is that the distance between two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0013] This application also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the atomicity violation detection method as described above.

[0014] This application also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the atomicity violation detection method as described above.

[0015] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the atomicity violation detection method as described above.

[0016] The atomicity violation detection method, apparatus, electronic device, and storage medium provided in this application identify two consecutive ordered accesses to the same global variable in the main task, i.e., global variable access pairs, and precisely inject feasible interrupt handlers between the global variable access pairs. This application can forcibly construct execution paths that theoretically may violate atomicity, thereby ensuring that even interruption scenarios that are extremely difficult to trigger naturally in actual operation can be reproduced in the test environment. This fundamentally solves the problem of missed detection caused by the randomness of interrupts and significantly improves the determinism of defect triggering. At the same time, this application introduces a dual verification mechanism of spatial atomicity and temporal atomicity. Unlike data race detection that only focuses on access conflicts, this application not only requires that the interrupt handler accesses the same variable, but also further quantifies and analyzes the distance between the two accesses in the code space and the interval on the execution time axis. Only when these two dimensions simultaneously meet the preset stringent conditions is an atomicity violation risk determined. This derivation process effectively filters out false positive reports that, although there is variable sharing, do not actually violate the atomicity of business logic, significantly improving the accuracy of detection results. Furthermore, this application achieves comprehensive coverage of global variable access pairs by iteratively running the program under test and dynamically adjusting input variables. This overcomes the shortcomings of traditional fuzz testing, which only focuses on code line coverage and ignores specific variable interaction logic, ensuring that the atomicity of key data paths can be verified under different input contexts. In summary, this application achieves efficient and accurate detection of atomicity violations by comprehensively covering variable access pairs, actively constructing interruption scenarios, and establishing a spatiotemporal dual verification model. Attached Figure Description

[0017] To more clearly illustrate the technical solutions in this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 This is one of the flowcharts illustrating the atomicity violation detection method provided in this application; Figure 2This is the second flowchart of the atomicity violation detection method provided in this application; Figure 3 This is a flowchart illustrating the fuzz testing process provided in this application; Figure 4 This is a schematic diagram of the atomicity violation detection device provided in this application; Figure 5 This is a schematic diagram of the structure of the electronic device provided in this application. Detailed Implementation

[0019] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0020] It should be noted that in the description of the embodiments of this application, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element. The terms "upper," "lower," etc., indicating orientation or positional relationships based on the orientation or positional relationships shown in the accompanying drawings, are only for the convenience of describing this application and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as a limitation of this application. Unless otherwise expressly specified and limited, the terms "installed," "connected," and "linked" should be interpreted broadly, for example, they can be fixed connections, detachable connections, or integral connections; they can be mechanical connections or electrical connections; they can be direct connections or indirect connections through an intermediate medium; and they can be internal connections between two elements. Those skilled in the art can understand the specific meaning of the above terms in this application according to the specific circumstances.

[0021] The terms "first," "second," etc., used in this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class, without limiting the number of objects; for example, a first object can be one or more. Furthermore, "and / or" indicates at least one of the connected objects, and the character " / " generally indicates that the preceding and following objects have an "or" relationship.

[0022] The following is combined Figures 1-5 This application describes the atomicity violation detection method, apparatus, electronic device, and storage medium provided in the embodiments of this application.

[0023] Traditional coverage-guided fuzzing uses code coverage as program feedback, but this metric fails to reflect the concurrent execution of the program, significantly limiting the effectiveness of concurrency violation detection. To address this issue, several existing concurrent fuzzing methods replace code coverage with new coverage metrics to detect data races. However, these methods never consider the atomicity of global variable access or interrupt handling, making them unsuitable for atomicity violation detection in interrupt-driven embedded software. Even so, these methods offer an important insight: we can propose a new coverage metric regarding the root causes of atomicity violations to replace code coverage as the program feedback for fuzzing.

[0024] As a previous study showed, in interrupt-driven embedded software, over 80% of atomicity violations occur between the main task and an interrupt handler. In other words, an atomicity violation typically occurs when two consecutive accesses to a global variable in the main task, which should be atomic, are interrupted by an interrupt handler accessing the same global variable. Therefore, when detecting atomicity violations, special attention should be paid to two consecutive accesses to global variables in the main task.

[0025] Based on the above approach, this application proposes a novel coverage metric, the Global Variable Access Pair (GVAP), as program feedback to guide the fuzzing process. GVAP represents two consecutive and ordered accesses to global variables in the main task: ,in It refers to the previous access to the global variable. This is the last access to the same global variable.

[0026] Figure 1 This is one of the flowcharts illustrating the atomicity violation detection method provided in this application, such as... Figure 1As shown, the method includes the following: S110, run the program under test using different input variables, identify the global variable access pairs covered during the operation of the program under test, wherein the global variable access pairs are two consecutive ordered accesses to the same global variable in the main task; S120, for each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. S130, for any candidate global variable access pair, if the candidate global variable access pair simultaneously satisfies both spatial atomicity and temporal atomicity, then it is determined that the candidate global variable access pair has an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0027] It should be noted that the execution subject of the atomicity violation detection method provided in this application embodiment can be a server, computer equipment, such as mobile phone, tablet computer, laptop computer, handheld computer, vehicle electronic equipment, wearable device, ultra-mobile personal computer (UMPC), netbook or personal digital assistant (PDA), etc.

[0028] In this embodiment of the application, an atomicity violation refers to a code sequence (usually read, modify, and write operations on the same global variable) that should logically be executed as an indivisible whole in the main task, being interrupted by an interrupt handler during actual execution, and the interrupt handler also accessing the global variable, resulting in inconsistent logical states of the main task or undefined behavior.

[0029] In S110, a global variable access pair specifically refers to two consecutive and ordered access operations to the same global variable in the execution trajectory of the main task. Here, "consecutive" means that there are no other accesses to the specific variable in the instruction stream of the main task, but other unrelated instructions are allowed. This is the basic unit that constitutes a potential atomic operation.

[0030] Here, fuzz testing or symbolic execution techniques are used to generate diverse sets of input variables. These different input variables are sequentially fed into the program under test. During runtime, the execution flow of the main task is monitored in real time, and all instructions accessing global variables are monitored. When the main task accesses a global variable, an event is recorded. If the main task accesses the global variable again after this event, and no other accesses to the global variable occur in between, then this first access to the global variable is considered valid. With the second access to this global variable Composed of ( , Each global variable access pair is marked as a global variable access pair, and the input variable, code location, and execution timestamp corresponding to each global variable access pair are recorded.

[0031] In the specific implementation process, a GVAP table is maintained, which records which inputs in the seed pool covered which GVAPs during runtime, and is used to replay the inputs and reproduce the GVAPs.

[0032] In S120, a feasible interrupt handler refers to an interrupt service routine that is actually enabled in the current hardware configuration and software registry and can respond to a specific interrupt source. The injected code must be an interrupt handler that actually exists in the system and is logically likely to be triggered at the current moment, rather than fictitious code.

[0033] In the specific implementation process, for each global variable access pair identified in S110, the program under test is rerun using its corresponding original input variables to ensure the consistency of the execution path. This is done after the main task has finished executing. Later, not yet implemented Within the previous time window, a feasible interrupt handler is forcibly triggered. The execution process of the injected interrupt handler is monitored to determine whether the interrupt handler contains access operations to the same global variable. If so, and The same global variable was accessed This indicates that the interruption interfered with the main task's continuous access, and the corresponding ( , The interrupt is upgraded to a candidate global variable access pair; if the interrupt handler does not access the global variable, then this interrupt injection does not constitute an atomicity threat. Thus, a possible atomicity violation AV={ → → That is, when these three accesses satisfy any one of the four harmful patterns, including {Read→Write→Read}, {Write→Write→Read}, {Read→Write→Write}, and {Write→Read→Write}, where Read represents a read operation and Write represents a write operation.

[0034] Figure 2 This is the second flowchart of the atomicity violation detection method provided in this application, as shown below. Figure 2 As shown, an example illustrates how to perform interrupt injection and detect atomicity violations. This targets each entry in the GVAP table. First from Find two consecutive global variable accesses in the program code. and Secondly, by replaying the input variables... Run the program under test and reproduce the result by matching its location and runtime context. and in Then, a feasible interrupt is injected, and accordingly, the interrupt handler function is executed to verify whether the function is valid. and The same global variable was accessed .

[0035] In S130, spatial atomicity is used as a measure and Physical distance in source code or binary code: If the distance is too great, such as spanning multiple function calls or complex logical branches, compiler optimizations or context switching may lead to natural isolation, or the sequence itself may not be considered a tightly atomic operation. Temporal atomicity is used to measure... and In terms of the actual execution timeline, if the interval between the two operations is extremely short, it indicates a compact sequence of operations with a very high risk of being interrupted and severe consequences; if the interval is long, it may be a non-critical, loosely scheduled operation. In the specific implementation process, spatial atomicity is determined by using a preset number of lines of code, number of instructions, or control flow graph distance as a threshold; a preset time window is used as a threshold, specifically, a fixed time length threshold, such as 100 microseconds, or a preset number of CPU cycles, such as 100 CPU cycles.

[0036] In some embodiments, the calculation is based on the difference in the number of lines of source code, the difference in the number of assembly instructions, or the shortest path length in the control flow graph. and If the distance in the code space is less than a preset distance condition, it is considered to satisfy spatial atomicity, thus excluding long-distance accesses that are logically loose.

[0037] In some embodiments, during normal execution without interruption, Completion time and If the time difference between the completion times is less than the preset duration condition, it is considered to satisfy the atomicity of time, thereby ensuring that the critical sequences that are executed compactly and are easily interrupted by high-speed interrupts are selected.

[0038] Furthermore, if a candidate global variable access pair passes both spatial atomicity and temporal atomicity checks, it is determined that the global variable access pair has an atomicity violation risk, and a risk report is generated, which includes information such as variable name, code location, triggering interrupt source, spatial distance, and time interval.

[0039] The atomicity violation detection method provided in this application identifies two consecutive ordered accesses to the same global variable in the main task, i.e., global variable access pairs, and precisely injects feasible interrupt handlers between these global variable access pairs. This application can forcibly construct execution paths that theoretically may violate atomicity, thereby ensuring that even interruption scenarios that are extremely difficult to trigger naturally in actual operation can be reproduced in the test environment. This fundamentally solves the problem of missed detections caused by the randomness of interrupts and significantly improves the determinism of defect triggering. At the same time, this application introduces a dual verification mechanism of spatial atomicity and temporal atomicity. Unlike data race detection that only focuses on access conflicts, this application not only requires that the interrupt handler accesses the same variable, but also further quantifies and analyzes the distance between the two accesses in the code space and the interval on the execution time axis. Only when both dimensions simultaneously meet the preset stringent conditions is an atomicity violation risk determined. This derivation process effectively filters out false positive reports that, although there is variable sharing, do not actually violate the atomicity of business logic, significantly improving the accuracy of the detection results. Furthermore, this application achieves comprehensive coverage of global variable access pairs by iteratively running the program under test and dynamically adjusting input variables. This overcomes the shortcomings of traditional fuzz testing, which only focuses on code line coverage and ignores specific variable interaction logic, ensuring that the atomicity of key data paths can be verified under different input contexts. In addition, the atomicity violation detection method provided in this application is a black-box testing method, requiring no source code for instrumentation; only the binary file of the embedded software under test and the VTest simulation platform are needed for testing. In summary, this application achieves efficient and accurate detection of atomicity violations by comprehensively covering variable access pairs, actively constructing interruption scenarios, and establishing a spatiotemporal dual verification model.

[0040] In an optional embodiment, the step of running the program under test with different input variables and identifying the global variable access pairs covered during the execution of the program under test includes: Run the program under test using the initial input. If there are global variable access pairs during the execution of the program under test, then add the initial input to the seed pool. Randomly select a seed from the seed pool, perform mutation processing on the seed, and use the mutation result as the input variable for the next run of the program under test; If the program under test is run using the input variable, and a new global variable access pair is overwritten during the execution of the program under test, then the input variable is added to the seed pool. The tested program is run iteratively using the seeds in the seed pool until the iteration stops.

[0041] Here, the seed pool is a dynamically maintained data set that stores input variables that can trigger the execution of a specific path in the program under test. Initially, it only contains default inputs provided by the user or randomly generated inputs, and it is continuously expanded as the test progresses.

[0042] Here, mutation processing involves making minor, random, or rule-based modifications to the existing input variables in the seed pool, such as bit flipping, arithmetic addition and subtraction, block insertion / deletion, boundary value replacement, etc., to generate new input variables, aiming to explore nearby code paths.

[0043] Here, the iteration stopping conditions may include, but are not limited to, reaching the maximum number of tests / time, the seed pool not generating new global variable access pairs in N consecutive iterations, or the discovery of a predetermined number of atomicity violation risks.

[0044] Figure 3 This is a flowchart illustrating the fuzzing test provided in this application, such as... Figure 3 As shown, the program under test is run using one or more initial input variables. The program is monitored, and the set of all global variable access pairs (GVAPs) that meet the definition in the main task is extracted. If the set of GVAPs is not empty, that is, the initial input has successfully triggered at least one access pair, the initial input variable is marked as a valid seed and added to the seed pool. If the initial input has not triggered any access pair, it is necessary to regenerate or prompt the user to provide a more effective initial input.

[0045] Furthermore, a seed is selected from the current seed pool according to a specific strategy, such as uniform random selection, selection based on weight, or selection based on the time of the most recent unselected seed. The selected seed is then subjected to mutation processing by mutation operators, such as bit mutation by flipping several bits, arithmetic mutation by adding or subtracting numerical values ​​for numerical inputs, and structural mutation by adjusting the length and swapping the order of fields for structured data inputs, to generate new input variables.

[0046] Furthermore, the program under test is run using the new input variable. In this run, a new set of global variable access pairs is extracted. This set is compared with all previously discovered sets of global variable access pairs, and the difference is calculated. If the difference is not empty, it indicates that a new global variable access pair has been discovered, meaning that the new input variable has explored new code logic or data paths. The new input variable is added to the seed pool as a new seed, and the set of global variable access pairs is updated. If the difference is empty, it indicates that no new global variable access pair has been discovered. The input variable is discarded and not added to the seed pool to avoid seed pool expansion and inefficiency.

[0047] Repeat the above steps of seed selection, mutation, and testing. In each loop, attempt to use the mutation of the existing seed to discover unknown global variable access pairs. After each loop, check the iteration stopping condition. If the maximum number of iterations is reached, or no new seed is generated after N consecutive mutations, or the testing time is exhausted, stop the iteration, output the list of all the finally identified global variable access pairs, and enter the subsequent interrupt injection stage.

[0048] It should be noted that, in this case, the execution of any interrupt handlers is ignored during the operation of the program under test.

[0049] The atomicity violation detection method provided in this application retains the input as a new seed if it covers one more global variable access pair than the parent seed. The next mutation will be based on this deeper seed. Through continuous iteration of mutation, discovery of new coverage, retention, and further mutation, the method gradually delves into deeper logic from shallow logic. This ensures that testing resources are concentrated on paths that are likely to discover new things, thereby uncovering global variable access pairs hidden in deep business logic that are inaccessible by traditional methods, greatly expanding the detection scope. At the same time, new inputs are only added to the seed pool when new global variable access pairs are discovered. Most invalid mutations are discarded immediately after generation and will not enter subsequent processes or pollute the seed pool. The seed pool always remains concise and high-value, with each seed representing a new code path. Subsequent interrupt injection phases only need to target these high-value access pairs, avoiding wasting computing power on meaningless code paths, maximizing the output rate of effective test cases, and optimizing testing efficiency.

[0050] In an optional embodiment, global variable access pairs during the execution of the program under test are determined based on the following steps: During the execution of the program under test, runtime information of each global variable access in the main task is recorded, including the access location, runtime call stack, and occurrence time. Based on the runtime information of each global variable access, the global variable access pairs covered during the execution of the program under test are identified.

[0051] It is understandable that global variable access can occur in different runtime contexts. Therefore, the location of this access (AccessLoc) and the call context (CallStack) at the time of this access are used here to describe the global variable access (GVA), thus ensuring context sensitivity. ;in, Indicates the calling context.

[0052] The call context is described by the runtime call stack, including information about each function call on the stack (from caller to callee), as well as the positions of the current call and the called function. Thus, the call context is represented as: ; ; in, This indicates information about function call n. Indicates the location of the function call. Indicates the location of the function being called.

[0053] In this embodiment, runtime information refers to dynamic data generated during the actual execution of the program. Specifically, it refers to the metadata set captured for each global variable access operation, used to reconstruct the execution context at that time, including the access location, runtime call stack, and occurrence time. The access location identifies the specific coordinates of the global variable access instruction in the code; it can be the line number and filename of the source code, or the memory address or function offset of the compiled binary file, serving as a unique spatial identifier to distinguish different access operations. The runtime call stack is a snapshot of the program's current function call chain when the global variable access instruction is executed, recording all function call sequences from the main task entry point to the current access point. It provides a richer logical context than a simple access location, helping to distinguish multiple executions of the same code under different business logics. The occurrence time refers to the absolute timestamp when the global variable access instruction is executed or the relative time relative to program startup, such as CPU clock cycles or microseconds. It is a key basis for determining whether two accesses are consecutive and for assessing the atomicity of computation time.

[0054] In an optional embodiment, after identifying the global variable access pairs covered during the execution of the program under test, the method further includes: Record the correspondence between the input variables and the global variable access pairs.

[0055] In this embodiment of the application, a mapping relationship is established between input variables and triggered global variable access pairs. If the same input variable triggers multiple different global variable access pairs, multiple mapping records are established respectively. Alternatively, if the same global variable access pair is triggered multiple times by multiple different input variables, a mapping relationship is established between the global variable access pair and multiple input variables respectively.

[0056] Preferably, a bidirectional index is constructed, which on the one hand indexes from the input variable to the global variable access pair, and is used to query the global variable access pair that will be overridden when the input variable is run again; on the other hand, it indexes from the global variable access pair to the input variable, and queries which input is needed to reproduce the global variable access pair.

[0057] The atomicity violation detection method provided in this application, when a global variable access pair is detected, forcibly locks and saves the exact input variable that triggered the behavior, establishes a stable causal mapping, and in the subsequent interrupt injection stage, can directly read the mapping table and accurately replay the corresponding input variable, ensuring that the program's control flow and data flow are completely consistent with when the detection was detected, thereby completely reproducing the global variable access pair.

[0058] In an optional embodiment, the spatial atomicity is that the caller functions of the two global variable accesses in the global variable access pair are the same, or the caller functions of the two global variable accesses have a first-level call relationship.

[0059] Here, a first-level call relationship means that the stack depth difference between the two caller functions is 1, and the upper level of the deeper caller function points to the shallower caller function.

[0060] In this embodiment, the runtime call stack Stack1 of the first access and Stack2 of the second access are obtained. The top elements Func1 and Func2 of Stack1 and Stack2 are extracted. It is determined whether Func1 is equal to Func2, that is, whether the function name and module representation are completely consistent. If they are completely consistent, it means that the two accesses occur within the same function body, satisfying spatial atomicity. Otherwise, it is checked whether the function Func2 in the second access is in the direct call list of the function Func1 in the first access, that is, whether the second level element of the runtime call stack Stack2 of the second access is equal to Func1. If they are equal, it means that the two accesses occur within the same function body, satisfying spatial atomicity. If Func1 calls Func2, and the second access occurs during the execution of Func2, it indicates that the caller function of the first access and the caller function of the second access have a first-level call relationship. Alternatively, check if the function Func1, where the first access is located, is in the direct call list of the function Func2, where the second access is located. That is, check if the second level element of the runtime call stack Stack1 of the first access is equal to Func2. If they are equal, it indicates that Func2 called Func1, or that the first access occurred in the called sub-function, and the second access occurred in the parent function that called it, indicating that the caller function of the first access and the caller function of the second access have a first-level call relationship.

[0061] The atomicity violation detection method provided in this application is based on the semantic unit of function call boundary. Regardless of how many lines of code or instructions are inside a function, as long as two accesses are within the same function or between directly called parent and child functions, they are considered to be tightly coupled in terms of logical intent. This shields the interference of physical code layout and ensures that the detection is based on the true logical atomicity rather than physical proximity, based on the logical essence verification, thus greatly improving the semantic accuracy and robustness of the detection results.

[0062] In an optional embodiment, the time atomicity is defined as the time interval between two global variable accesses in a global variable access pair being less than a preset duration threshold.

[0063] In this embodiment, for each global variable access event, a high-precision timing source, such as a CPU timestamp counter, is read. After identifying the global variable access pair, the time difference between the two accesses is calculated. The calculated time difference is compared with a preset duration threshold. If it is less than the threshold, the time atomicity is satisfied, indicating that the two accesses are extremely compact, with almost no space to execute other instructions in between, or the execution time is extremely short. Although the probability of being interrupted exists, the window is extremely small. Once interrupted, it is a serious violation. If it is not less than the threshold, the time atomicity is not satisfied, indicating that the interval between the two accesses is relatively long, possibly involving complex calculations, loops, or I / O waits. Such a long window is easily interrupted by interrupts. If a violation occurs at this time, it often means that there is a major problem with the logic design itself, such as performing time-consuming operations outside the interrupt-disabled area, or that the access pair should not have been considered an atomic operation unit.

[0064] Optionally, if the system supports multiple operating modes, such as different frequencies and different power consumption modes, the duration threshold can be dynamically adjusted according to the current operating mode. For example, the number of cycles corresponding to the threshold in high-frequency mode should be increased accordingly to maintain the consistency of the physical time window.

[0065] The atomicity violation detection method provided in this application introduces a duration threshold, which forces two accesses to be within a very short time window, so that the detection target focuses on the true implicit atomic intent, and excludes those obvious long logic blocks that should be locked, thereby greatly reducing the false alarm rate.

[0066] The atomic violation detection apparatus provided in the embodiments of this application will be described below. The atomic violation detection apparatus described below can be referred to in correspondence with the atomic violation detection method described above.

[0067] Figure 4 This is a schematic diagram of the atomicity violation detection device provided in this application, as shown below. Figure 4 As shown, the atomicity violation detection device may include, but is not limited to: Access pair identification module 410 is used to: run the program under test with different input variables, identify global variable access pairs covered during the operation of the program under test, wherein the global variable access pair is two consecutive ordered accesses to the same global variable in the main task; The interrupt detection module 420 is used to: for each global variable access pair, rerun the program under test using the corresponding input variables, and inject a feasible interrupt handler between the global variable access pairs; if the interrupt handler accesses the same global variable, then record the global variable access pair as a candidate global variable access pair. The violation verification module 430 is used to: for any candidate global variable access pair, if the candidate global variable access pair simultaneously satisfies spatial atomicity and temporal atomicity, then determine that the candidate global variable access pair has an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0068] It should be noted that the atomic violation detection device provided in this application embodiment can execute the atomic violation detection method described in any of the above embodiments during specific operation, which will not be elaborated in this embodiment.

[0069] Figure 5 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 5 As shown, the electronic device may include: a processor 510, a communications interface 520, a memory 530, and a communication bus 540, wherein the processor 510, the communications interface 520, and the memory 530 communicate with each other via the communication bus 540. The processor 510 can call logical instructions in the memory 530 to execute an atomicity violation detection method, which includes: Run the program under test with different input variables and identify the global variable access pairs covered during the execution of the program under test. The global variable access pairs are two consecutive ordered accesses to the same global variable in the main task. For each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. For any of the candidate global variable access pairs, if the candidate global variable access pair satisfies both spatial atomicity and temporal atomicity, then the candidate global variable access pair is determined to have an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0070] Furthermore, the logical instructions in the aforementioned memory 530 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0071] On the other hand, this application also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer is able to execute the atomicity violation detection method provided by the above methods, the method including: Run the program under test with different input variables and identify the global variable access pairs covered during the execution of the program under test. The global variable access pairs are two consecutive ordered accesses to the same global variable in the main task. For each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. For any of the candidate global variable access pairs, if the candidate global variable access pair satisfies both spatial atomicity and temporal atomicity, then the candidate global variable access pair is determined to have an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0072] Furthermore, this application also provides a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, is implemented to perform the atomicity violation detection methods provided by the methods described above, the method comprising: Run the program under test with different input variables and identify the global variable access pairs covered during the execution of the program under test. The global variable access pairs are two consecutive ordered accesses to the same global variable in the main task. For each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. For any of the candidate global variable access pairs, if the candidate global variable access pair satisfies both spatial atomicity and temporal atomicity, then the candidate global variable access pair is determined to have an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

[0073] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0074] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0075] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A method for detecting atomicity violations, characterized in that, include: Run the program under test with different input variables and identify the global variable access pairs covered during the execution of the program under test. The global variable access pairs are two consecutive ordered accesses to the same global variable in the main task. For each global variable access pair, the program under test is run again using the corresponding input variables, and a feasible interrupt handler is injected between the global variable access pairs. If the interrupt handler accesses the same global variable, the global variable access pair is recorded as a candidate global variable access pair. For any of the candidate global variable access pairs, if the candidate global variable access pair satisfies both spatial atomicity and temporal atomicity, then the candidate global variable access pair is determined to have an atomicity violation risk. The spatial atomicity is that the distance between the two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between the two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

2. The atomicity violation detection method according to claim 1, characterized in that, The process of running the program under test with different input variables and identifying the global variable access pairs covered during the execution of the program under test includes: Run the program under test using the initial input. If there are global variable access pairs during the execution of the program under test, then add the initial input to the seed pool. Randomly select a seed from the seed pool, perform mutation processing on the seed, and use the mutation result as the input variable for the next run of the program under test; If the program under test is run using the input variable, and a new global variable access pair is overwritten during the execution of the program under test, then the input variable is added to the seed pool. The tested program is run iteratively using the seeds in the seed pool until the iteration stops.

3. The atomicity violation detection method according to claim 2, characterized in that, The global variable access pairs during the execution of the program under test are determined based on the following steps: During the execution of the program under test, runtime information of each global variable access in the main task is recorded, including the access location, runtime call stack, and occurrence time. Based on the runtime information of each global variable access, the global variable access pairs covered during the execution of the program under test are identified.

4. The atomicity violation detection method according to claim 1, characterized in that, After identifying the global variable access pairs covered during the execution of the program under test, the method further includes: Record the correspondence between the input variables and the global variable access pairs.

5. The atomicity violation detection method according to any one of claims 1-4, characterized in that, The spatial atomicity refers to the fact that the caller functions of the two global variable accesses in a global variable access pair are the same, or that the caller functions of the two global variable accesses have a first-level call relationship.

6. The atomicity violation detection method according to any one of claims 1-4, characterized in that, The time atomicity is defined as the time interval between two global variable accesses in a global variable access pair being less than a preset duration threshold.

7. An atomicity violation detection device, characterized in that, include: The access pair identification module is used to: run the program under test with different input variables, identify the global variable access pairs covered during the operation of the program under test, wherein the global variable access pair is two consecutive ordered accesses to the same global variable in the main task; The interrupt detection module is used to: for each global variable access pair, rerun the program under test using the corresponding input variables, and inject a feasible interrupt handler between the global variable access pairs; if the interrupt handler accesses the same global variable, then record the global variable access pair as a candidate global variable access pair. The violation verification module is used to: for any candidate global variable access pair, if the candidate global variable access pair simultaneously satisfies spatial atomicity and temporal atomicity, then determine that the candidate global variable access pair has an atomicity violation risk. The spatial atomicity is that the distance between two global variable accesses of the candidate global variable access pair in the code space satisfies a preset distance condition, and the temporal atomicity is that the interval between two global variable accesses of the candidate global variable access pair on the execution time axis satisfies a preset duration condition.

8. An electronic device comprising a memory, a processor, and a computer program stored in the memory and running on the processor, characterized in that, When the processor executes the computer program, it implements the atomicity violation detection method as described in any one of claims 1 to 6.

9. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the atomicity violation detection method as described in any one of claims 1 to 6.

10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the atomicity violation detection method as described in any one of claims 1 to 6.