WO2016095672A1

WO2016095672A1 - Stack-based exception detection method and device

Info

Publication number: WO2016095672A1
Application number: PCT/CN2015/095453
Authority: WO
Inventors: 张皓秋
Original assignee: 北京奇虎科技有限公司; 奇智软件（北京）有限公司
Priority date: 2014-12-18
Filing date: 2015-11-24
Publication date: 2016-06-23
Also published as: CN104536810A; CN104536810B

Abstract

A stack-based exception detection method and device. The method comprises: generating identification information (101); pushing the identification information onto a stack before a first business object pushes one or more parameters onto the stack (102); extracting a stack top element currently located at the top of the stack when calling of a second service object is finished in one or more parameters on the stack (103); detecting whether the stack top element is the same as the identification information (104); and determining that an exception occurs in the stack when the stack top element is different from the identification information (105). On the basis of the principle of transmitting parameters via a stack, real-time exception detection on calling of the second service object is achieved, so that not only the speed and the accuracy of detecting a stack exception are improved, but also the precision in locating an exception is improved. Moreover, parameters in a crash event can be directly seen in the stack, so that subsequently a developer can conduct a crash analysis to find out the cause of the stack crash, thereby improving the development efficiency.

Description

一种基于栈的异常检测方法和装置Stack-based anomaly detection method and device

技术领域Technical field

本发明涉及计算机技术领域，尤其涉及一种基于栈的异常检测方法方法和一种基于栈的异常检测装置。The present invention relates to the field of computer technologies, and in particular, to a stack-based anomaly detection method and a stack-based anomaly detection apparatus.

背景技术Background technique

栈(Stack)又称堆栈，它是一种运算受限的线性表，其限制是仅允许在表的一端进行***和删除运算。A stack, also known as a stack, is a linear table with limited operations. The limitation is that only insert and delete operations are allowed at one end of the table.

人们把此端称为栈顶，栈顶的第一个元素被称为栈顶元素，相对地，把另一端称为栈底。向一个栈***新元素又称为进栈或入栈，它是把该元素放到栈顶元素的上面，使之成为新的栈顶元素；从一个栈删除元素又称为出栈或退栈，它是把栈顶元素删除掉，使其下面的相邻元素成为新的栈顶元素。People call this end the top of the stack. The first element at the top of the stack is called the top element of the stack. In contrast, the other end is called the bottom of the stack. Inserting a new element into a stack, also known as pushing or unstacking, puts the element on top of the top of the stack, making it a new top-of-stack element; deleting an element from a stack is also called popping or unstacking. It removes the top element of the stack and makes the adjacent elements below it a new top element.

栈中存储着函数的局部变量等信息，在编译完成后，局部变量的位置是固定的，但是在调用其他业务对象时需要将参数压入栈(push)，这会破坏顺序，所以在调用完毕后需要将压入栈的数据再弹出(pop)以恢复栈空间的顺序，否则因为读取变量是读取固定位置，导致读取的值不正确，此时就认为变量被破坏了。The stack stores information such as local variables of the function. After the compilation is completed, the position of the local variable is fixed, but when calling other business objects, the parameters need to be pushed onto the stack, which will destroy the order, so the call is completed. After that, the data pushed onto the stack needs to be popped again to restore the order of the stack space. Otherwise, since the read variable is read at a fixed position, the read value is incorrect, and the variable is considered to be destroyed.

若当前业务对象需要调用其他用户制作的业务对象，大多数情况下业务对象与业务对象之间是通过栈空间来交换数据的，将参数压入栈顶，然后调用函数，对方在内部从栈顶拿出参数。If the current business object needs to call the business object made by other users, in most cases, the business object and the business object exchange data through the stack space, push the parameters onto the top of the stack, and then call the function, the other party internally from the top of the stack. Take out the parameters.

由于读取的是固定位置，因此如果栈空间出现问题，可能操作某局部变量的时候操作到意外的值，如果该局部变量是个函数指针，甚至会导致执行意外的代码。Since the read is a fixed location, if there is a problem with the stack space, it may operate to an unexpected value when operating a local variable. If the local variable is a function pointer, it may even cause unexpected code execution.

如果栈空间出现问题，当时并不会崩溃，而是当其他业务对象操作被破坏的局部变量时可能导致崩溃，难以定位出错的位置。比如向一个指针变量指向的地址写入数据，但是该变量被破坏，导致尝试向未知区域写入数据，此时可能因为写入不可写的地址而崩溃。If there is a problem with the stack space, it will not crash at the time, but when other business objects operate on the destroyed local variables, it may cause a crash and it is difficult to locate the error. For example, writing data to the address pointed to by a pointer variable, but the variable is destroyed, causing an attempt to write data to the unknown area, which may crash due to writing a non-writable address.

发明内容Summary of the invention

鉴于上述问题，提出了本发明以便提供一种克服上述问题或者至少部分地解决或减缓上述问题的一种基于栈的异常检测方法和相应的一种基于栈的异常检测装置。In view of the above problems, the present invention has been made in order to provide an overcoming of the above problems or at least partially A stack-based anomaly detection method and a corresponding stack-based anomaly detection apparatus for solving or slowing down the above problems.

根据本发明的一个方面，提供了一种基于栈的异常检测方法，包括步骤：According to an aspect of the present invention, a stack-based anomaly detection method is provided, including the steps of:

生成标识信息；Generate identification information;

在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；Pushing the identification information onto the stack before the first business object pushes one or more parameters onto the stack;

当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；When the second business object invokes one or more parameters in the stack to complete, extracting the top element of the stack currently located at the top of the stack;

检测所述栈顶元素与所述标识信息是否相同；以及Detecting whether the top element of the stack is the same as the identification information;

当所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。When the top element of the stack is different from the identification information, it is determined that the stack is abnormal.

根据本发明的另一方面，提供了一种基于栈的异常检测装置，包括：According to another aspect of the present invention, a stack-based anomaly detecting apparatus is provided, including:

第一生成模块，适于生成标识信息；a first generating module, configured to generate identification information;

压入模块，适于在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；The push-in module is adapted to push the identification information onto the stack before the first business object pushes one or more parameters onto the stack;

提取模块，适于当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；An extracting module, configured to extract a top element currently located at the top of the stack when the second business object invokes completion of one or more parameters in the stack;

检测模块，适于检测所述栈顶元素与所述标识信息是否相同；以及a detecting module, configured to detect whether the top element of the stack is the same as the identification information;

异常判断模块，适于在所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。The abnormality determining module is configured to determine that the stack is abnormal when the top element of the stack is different from the identifier information.

根据本发明的又一个方面，提供了一种计算机程序，其包括计算机可读代码，当所述计算机可读代码在计算设备上运行时，导致所述计算设备执行如上文所述的基于栈的异常检测方法。According to still another aspect of the present invention, a computer program is provided, comprising computer readable code, when said computer readable code is run on a computing device, causing said computing device to perform a stack based Anomaly detection method.

根据本发明的再一个方面，提供了一种计算机可读介质，其中存储了上述的计算机程序。According to still another aspect of the present invention, a computer readable medium is provided, wherein the computer program described above is stored.

本发明的有益效果为：The beneficial effects of the invention are:

本发明实施例在第一业务对象将一个或多个参数压入栈之前，将标识信息压入栈，当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素，检测所述栈顶元素与所述标识信息是否相同，若相异时，则判断栈出现异常，基于栈传递参数的原理，实现调用第二业务对象实时的异常检测，提高了检测栈异常的速度和准确率，同时提高了异常定位的精确度。并且，可以直观的在栈中看到崩溃时的参数以让后续开发人员进行崩溃分析，找到栈崩溃原因，提高开发效率。The embodiment of the present invention pushes the identification information onto the stack before the first business object pushes one or more parameters onto the stack. When the second service object invokes one or more parameters in the stack, the extraction is currently at the top of the stack. a stack top element, detecting whether the top element of the stack is the same as the identification information, if different When the stack is abnormal, based on the principle of the stack passing parameters, the real-time anomaly detection of the second service object is invoked, which improves the speed and accuracy of detecting the stack anomaly, and improves the accuracy of the abnormal positioning. Moreover, you can visually see the parameters of the crash on the stack to allow subsequent developers to perform crash analysis, find the cause of the stack crash, and improve development efficiency.

本发明实施例在不同时间对同一标识对象生成第一信息、第二信息，并按位进行异或操作，生成标识信息，大大提高了标识信息的复杂度，大大减少标识信息与在先其他数据重合的几率，进而减少了后续异常检测误判的几率，进一步提高了异常检测的判断准确率。In the embodiment of the present invention, the first information and the second information are generated on the same identifier object at different times, and the XOR operation is performed by bitwise to generate the identifier information, which greatly improves the complexity of the identifier information, and greatly reduces the identifier information and other prior data. The probability of coincidence reduces the probability of subsequent abnormality detection, and further improves the accuracy of the abnormality detection.

上述说明仅是本发明技术方案的概述，为了能够更清楚了解本发明的技术手段，而可依照说明书的内容予以实施，并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂，以下特举本发明的具体实施方式。The above description is only an overview of the technical solutions of the present invention, and the above-described and other objects, features and advantages of the present invention can be more clearly understood. Specific embodiments of the invention are set forth below.

附图说明DRAWINGS

通过阅读下文优选实施方式的详细描述，各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的，而并不认为是对本发明的限制。而且在整个附图中，用相同的参考符号表示相同的部件。在附图中：Various other advantages and benefits will become apparent to those skilled in the art from a The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawing:

图1示意性地示出了根据本发明一个实施例的一种基于栈的异常检测方法实施例的步骤流程示意图；FIG. 1 is a schematic flow chart showing the steps of an embodiment of a stack-based anomaly detection method according to an embodiment of the present invention; FIG.

图2示意性地示出了根据本发明一个实施例的一种基于栈的异常检测装置实施例的方块示意图；2 is a block diagram schematically showing an embodiment of a stack-based anomaly detecting apparatus according to an embodiment of the present invention;

图3示意性地示出了用于执行根据本发明的方法的计算设备的框图；以及Figure 3 schematically shows a block diagram of a computing device for performing the method according to the invention;

图4示意性地示出了用于保持或者携带实现根据本发明的方法的程序代码的存储单元。Fig. 4 schematically shows a storage unit for holding or carrying program code implementing the method according to the invention.

具体实施例Specific embodiment

下面结合附图和具体的实施方式对本发明作进一步的描述。The invention is further described below in conjunction with the drawings and specific embodiments.

参照图1，示出了根据本发明一个实施例的一种基于栈的异常检测方法实施例的步骤流程图，具体可以包括如下步骤：1 is a flow chart showing the steps of an embodiment of a stack-based anomaly detection method according to an embodiment of the present invention. Specifically, the method may include the following steps:

步骤101，生成标识信息； Step 101: Generate identification information.

在实际应用中，第一业务对象调用第二业务对象时，一般通过栈传递第二业务对象执行其内部逻辑所需的一个或多个参数。则第一业务对象可以称为调用者，第二业务对象可以称为被调用者。In an actual application, when the first business object invokes the second business object, the second business object is generally passed through the stack to perform one or more parameters required for its internal logic. Then the first business object can be called the caller and the second business object can be called the callee.

其中，第一业务对象、第二业务对象可以包括函数、程序等等。The first business object and the second business object may include functions, programs, and the like.

在本发明实施例中，若第一业务对象发起第二业务对象的调用，则可以生成标识信息cookie，该标识信息cookie可以为具有唯一性任意信息。In the embodiment of the present invention, if the first service object initiates the invocation of the second service object, the identifier information cookie may be generated, and the identifier information cookie may be unique information.

在本发明的一种可选实施例中，步骤101可以包括如下子步骤：In an optional embodiment of the present invention, step 101 may include the following sub-steps:

子步骤S11，在第一时间针对标识对象生成第一信息；Sub-step S11, generating first information for the identification object at the first time;

子步骤S12，将所述第一信息写入特征变量中；Sub-step S12, the first information is written into the feature variable;

子步骤S13，在第二时间针对所述标识对象生成第二信息，其中所述第一时间与所述第二时间不同；Sub-step S13, generating second information for the identification object at a second time, wherein the first time is different from the second time;

子步骤S14，将所述第二信息写入全局变量中；以及Sub-step S14, writing the second information into a global variable;

子步骤S15，根据所述特征变量和所述全局变量生成所述标识信息。Sub-step S15, generating the identification information according to the feature variable and the global variable.

为使本领域技术人员更好地理解本发明实施例，以下通过具体示例来说明本发明实施例中标识信息的生成方法。In order to enable a person skilled in the art to better understand the embodiments of the present invention, a method for generating identification information in the embodiment of the present invention is described below by way of specific examples.

在第一业务对象编译时(第一时间)，通过GetTickCount函数等方式获取***(标识对象)从开机到现在的毫秒数，写入特征变量_st_safecall_cookie中。When the first business object is compiled (first time), the number of milliseconds from the power-on to the current system (identification object) is obtained by the GetTickCount function, and written into the feature variable _st_safecall_cookie.

然后在第一业务对象运行时(第二时间)，再次获取***(标识对象)从开机到现在的毫秒数，写入全局变量_SafeCall_cookie中。Then, when the first business object is running (the second time), the number of milliseconds from the power-on to the current system (identification object) is retrieved again and written into the global variable _SafeCall_cookie.

基于特征变量_st_safecall_cookie和全局变量_SafeCall_cookie计算生存标识信息。在本发明实施例的一种可选示例中，子步骤S15进一步可以包括如下子步骤：The survival identification information is calculated based on the feature variable _st_safecall_cookie and the global variable _SafeCall_cookie. In an optional example of the embodiment of the present invention, the sub-step S15 may further include the following sub-steps:

子步骤S151，将所述全局变量与所述特征变量进行按位异或运算，以获得异或结果；以及Sub-step S151, performing a XOR operation on the global variable and the feature variable to obtain an XOR result;

子步骤S152，将所述结果写入全局变量中，以获得标识信息。Sub-step S152, the result is written into a global variable to obtain identification information.

将全局变量_SafeCall_cookie与特征变量_st_safecall_cookie按位进行异或操作，并将异或结果再次存入全局变量_SafeCall_cookie中，以异或结果作为标识信息cookie。Bitwise global variable _SafeCall_cookie and feature variable _st_safecall_cookie Or operation, and save the XOR result to the global variable _SafeCall_cookie, and use the XOR result as the identification information cookie.

其中，按位异或运算可以由按位异或运算符“^”实现，按位异或运算符“^”是双目运算符，其功能是参与运算的两数(如全局变量_SafeCall_cookie与特征变量_st_safecall_cookie)各对应的二进位相异或，当两对应的二进位相异时，结果为1，相同时，结果为0。Among them, the bitwise XOR operation can be realized by the bitwise XOR operator "^". The bitwise XOR operator "^" is a binocular operator whose function is to participate in the operation of two numbers (such as the global variable _SafeCall_cookie and The characteristic variable _st_safecall_cookie) is different from each corresponding binary. When the two corresponding binary bits are different, the result is 1, and when they are the same, the result is 0.

例如，9^5可写成算式为00001001^00000101，结果为00001100。For example, 9^5 can be written as 00001001^00000101 and the result is 00001100.

当然，上述按位异或运算生成标识信息的方式只是作为示例，在实施本发明实施例时，可以根据实际情况设置其他生成标识信息的方式，例如，按位与或运算、按照指定的函数式计算等等，本发明实施例对此不加以限制。Certainly, the manner of generating the identification information by the above-described bitwise exclusive OR operation is only an example. When implementing the embodiment of the present invention, other manners of generating the identification information may be set according to actual conditions, for example, bitwise OR operation, according to a specified functional formula. The calculation and the like are not limited in the embodiment of the present invention.

此外，上述根据第一信息和第二信息生成标识信息的方式也只是作为示例，在实施本发明实施例时，可以根据实际情况设置其他生成标识信息的方式，例如，直接设置标识信息等，该标识信息具有唯一性即可，本发明实施例对此不加以限制。In addition, the manner of generating the identification information according to the first information and the second information is only an example. When the embodiment of the present invention is implemented, other manners of generating the identification information may be set according to actual conditions, for example, directly setting the identification information, etc., The identification information is unique, and the embodiment of the present invention does not limit this.

步骤102，在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；Step 102: Push the identification information onto the stack before the first service object pushes one or more parameters onto the stack.

在具体实现时，第一个压入栈的可以是标识信息cookie，然后是第一业务对象提供的一个或多个参数。In a specific implementation, the first push onto the stack may be an identification information cookie, and then one or more parameters provided by the first business object.

在具体实现中，可以在每个对外部第二业务对象的调用之前执行以下语句：In a concrete implementation, the following statement can be executed before each call to an external second business object:

一asm{An asm{

Push_SafeCall_cookiePush_SafeCall_cookie

}}

以使用push操作将存储有标识信息cookie的全局变量_SafeCall_cookie压入栈顶。Push the global variable _SafeCall_cookie, which stores the cookie with the identification information, onto the top of the stack using the push operation.

需要说明的是，该一个或多个参数中，第一个进栈的参数是第一业务对象中调用完第二业务对象后的下一条指令(函数调用语句的下一条可执行语句)的地址，然后是其他第二业务对象所需要的参数。It should be noted that, among the one or more parameters, the first parameter of the stack is the address of the next instruction (the next executable statement of the function call statement) after the second business object is called in the first business object. , then the parameters required by the other second business object.

具体而言，第一业务对象可以使用call指令调用第二业务对象，并把call指令的下一条指令的地址当成返回地址压入栈中(这个压栈操作隐含在call指令中)。 Specifically, the first business object can invoke the second business object using the call instruction and push the address of the next instruction of the call instruction into the stack as a return address (this push operation is implicit in the call instruction).

第一业务对象可以把第二业务对象所需要的参数按照与第二业务对象的形参顺序相反的顺序压入栈中，即从右向左依次把被第二业务对象所需要的参数压入栈。The first business object may push the parameters required by the second business object into the stack in the reverse order of the formal parameters of the second business object, that is, press the parameters required by the second business object from right to left. Stack.

则标识信息与一个或多个参数在栈中的局部结构可以如下表所示：The local structure of the identification information and one or more parameters on the stack can be as follows:

表1Table 1

栈Stack	数据data
a_n a _n	AA
a_n-1 a _n-1	BB
a_n-2 a _n-2	CC
a_n-3 a _n-3	返回地址Return address
a_n-4 a _n-4	SafeCall_cookieSafeCall_cookie
............	............
a₂ a ₂	............
a₁ a ₁	..............

其中，a_n为栈顶元素，a₁为栈底元素，A、B、C、返回地址为第一业务对象提供的参数，SafeCall_cookie为存储有标识信息cookie的全局变量。Wherein, a _n is the top element, a ₁ is the bottom of the stack of elements, A, B, C, a first parameter is the return address provided by business object, SafeCall_cookie cookie to store identification information of the global variable.

步骤103，当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；Step 103: When the second service object invokes one or more parameters in the stack to complete, extracting a top element currently located at the top of the stack;

对于栈的逻辑结构，假设一个栈中的元素为a_n，a_n-1，..，a₂，a₁，可以称a₁为栈底元素，a_n为栈顶元素，即栈中的元素按a₁，a₂，..，a_n-1，a_n的次序进栈。For the logical structure of the stack, suppose the elements in a stack are a _n , a _n-1 , .., a ₂ , a ₁ , which can be called a ₁ as the bottom element of the stack, and a _n is the top element of the stack, ie in the stack. The elements are pushed in the order of a ₁ , a ₂ , .., a _n-1 , a _n .

一般情况下，出栈的元素都是栈顶元素。换句话说，栈的修改是按后进先出的原则进行的。因此，栈又称为后进先出(Last In First Out)表，简称为LIFO表。In general, the elements that are popped are the top elements of the stack. In other words, the modification of the stack is based on the principle of last in, first out. Therefore, the stack is also known as the Last In First Out table, referred to as the LIFO table.

在本发明的一种可选实施例中，所述第二业务对象调用在栈中一个或多个参数的操作可以包括：In an optional embodiment of the present invention, the operation of the second service object to invoke one or more parameters in the stack may include:

子步骤S21，读取在栈中的所述一个或多个参数；Sub-step S21, reading the one or more parameters in the stack;

第二业务对象在栈中读取所需要的参数(即出栈)，按照该参数执行内部的逻辑，然后栈顶指针指向返回地址，也就是第一业务对象中的下一条指令，第一业务对象由该点继续运行。The second business object reads the required parameters (ie, pops) in the stack, executes the internal logic according to the parameter, and then the top-of-stack pointer points to the return address, that is, the next instruction in the first business object, the first service The object continues to run from that point.

一般情况下，第二业务对象从栈中获取参数，此时栈中的参数并不会被出栈，而是等到进行堆栈平衡时候，才会从栈中处理掉。In general, the second business object gets the parameters from the stack, and the parameters in the stack are not Popping, but waiting until the stack is balanced, will be processed from the stack.

子步骤S22，进行堆栈平衡处理。Sub-step S22, stack balancing processing is performed.

第一业务对象把参数压入栈，然后调用第二业务对象，在完成后，由于堆栈中先前压入的参数不再有用，第一业务对象或者第二业务对象中有一方把堆栈指针修正到调用前的状态，这就叫堆栈的平衡。The first business object pushes the parameters onto the stack and then calls the second business object. After the completion, since the previously pushed parameters in the stack are no longer useful, one of the first business object or the second business object corrects the stack pointer to The state before the call, this is called the balance of the stack.

而究竟由第一业务对象还第二业务对象来修正堆栈可以预先约定(称为调用约定)，不然就会产生错误的结果。Whether the first business object or the second business object to correct the stack can be pre-agreed (called a calling convention), or it will produce an erroneous result.

在实际应用中，各种语言默认的调用约定是不同的。例如，C类型是在第一业务对象在使用call指令完成后，自行用add esp指令把栈空间清除，而PASCAL和StdCall的是由第二业务对象用ret指令来实现的(ret指令后面加一个操作数表示在ret后把堆栈指针esp加上操作数)。In practice, the default calling conventions for various languages are different. For example, the C type is to use the add esp instruction to clear the stack space after the first business object is completed using the call instruction, and the PASCAL and StdCall are implemented by the second business object with the ret instruction (the ret instruction is followed by a new one). The operand means that the stack pointer esp is added to the operand after ret).

在本发明的一种可选实施例中，步骤103可以包括如下子步骤：In an optional embodiment of the present invention, step 103 may include the following sub-steps:

子步骤S31，对当前位于栈顶的栈顶元素进行出栈操作；Sub-step S31, performing a pop-up operation on the top element of the stack currently located at the top of the stack;

子步骤S32，将出栈之后的栈顶元素写入局部变量。Sub-step S32, the top element after the stack is written to the local variable.

在实际应用中，可以在第二业务对象调用完成后，执行语句：In the actual application, after the second business object call is completed, the statement is executed:

_asm{_asm{

Pop_loc_Safecall_CookiePop_loc_Safecall_Cookie

}}

以使用pop操作将栈顶元素出栈，并写入局部变量_loc_Safecall_Cookie中。Use the pop operation to pop the top element of the stack and write it to the local variable _loc_Safecall_Cookie.

其中，局部变量_loc_Safecall_Cookie可以是调用外部第二业务对象的第一业务对象的局部变量。The local variable _loc_Safecall_Cookie may be a local variable of the first business object that calls the external second business object.

局部变量的应用示例可以如下：An example of the application of a local variable can be as follows:

第一业务对象{First business object {

Int I＝0；//声明并定义整数变量I，初始化值为0Int I=0; / / declare and define the integer variable I, the initial value is 0

第二业务对象()；//调用第二业务对象Second business object (); / / call the second business object

}}

第一业务对象调用第二业务对象，I则是第一业务对象的局部变量。The first business object invokes the second business object, and I is the local variable of the first business object.

步骤104，检测所述栈顶元素与所述标识信息是否相同；Step 104: Detect whether the top element of the stack is the same as the identifier information.

本发明实施例中，可以通过对比栈顶元素与标识信息，检测调用第二业务对象过程中是否出现异常。 In the embodiment of the present invention, it is possible to detect whether an abnormality occurs during the process of calling the second service object by comparing the top element of the stack with the identification information.

在本发明的一种可选实施例中，步骤104可以包括如下子步骤：In an optional embodiment of the invention, step 104 may include the following sub-steps:

子步骤S41，判断所述局部变量与所述全局变量是否相同；若是，则执行子步骤S42，若否，则执行子步骤S43；Sub-step S41, it is determined whether the local variable is the same as the global variable; if so, sub-step S42 is performed, and if not, sub-step S43 is performed;

子步骤S42，判断所述栈顶元素与所述标识信息相同；Sub-step S42, determining that the top element of the stack is the same as the identification information;

子步骤S43，判断所述栈顶元素与所述标识信息不同。Sub-step S43, determining that the top element of the stack is different from the identification information.

堆栈平衡之后，在正常情况下，栈空间是与传递参数前一致，因为标识信息cookie其实不是传递给第二业务对象的参数，所以不会在堆栈平衡中处理掉，标识信息cookie位于栈顶。After the stack is balanced, under normal circumstances, the stack space is the same as before the parameter is passed, because the identification information cookie is not the parameter passed to the second business object, so it will not be processed in the stack balance, and the identification information cookie is at the top of the stack.

则正常情况下，第二业务对象调用完成后，栈中的局部结构可以如下表所示：Under normal circumstances, after the second business object is called, the local structure in the stack can be as shown in the following table:

表2Table 2

栈Stack	数据data
a_n a _n	SafeCall_cookieSafeCall_cookie
a_n-1 a _n-1	............
a_n-2 a _n-2	............
a_n-3 a _n-3	............
a_n-4 a _n-4
............	............
a₂ a ₂	............
a₁ a ₁	............

其中，a_n为栈顶元素，a₁为栈底元素，SafeCall_cookie为存储有标识信息cookie的全局变量。Among them, a _n is the top element of the stack, a ₁ is the bottom element of the stack, and SafeCall_cookie is a global variable storing the cookie of the identification information.

在正常情况下，写入局部变量_loc_Safecall_Cookie的栈顶元素a_n为在先写入的全局变量SafeCall_cookie，则局部变量_loc_Safecall_Cookie与全局变量SafeCall_cookie相同。Under normal circumstances, the top element a _n of the local variable _loc_Safecall_Cookie is the previously written global variable SafeCall_cookie, and the local variable _loc_Safecall_Cookie is the same as the global variable SafeCall_cookie.

堆栈平衡之后，在异常情况下，栈空间与传递参数前并不一致，位于栈顶的是其他数据，而并非标识信息cookie。After the stack is balanced, in the abnormal case, the stack space is inconsistent with the parameter before it is passed. The other data is located at the top of the stack, not the cookie.

则在异常情况下，第二业务对象调用完成后，在栈中的局部结构可以如下表所示：In the abnormal case, after the second business object is called, the local structure in the stack can be as shown in the following table:

表3 table 3

栈Stack	数据data
a_n a _n	CC
a_n-1 a _n-1	返回地址Return address
a_n-2 a _n-2	SafeCall_cookieSafeCall_cookie
a_n-3 a _n-3	............
a_n-4 a _n-4	............
............	............
a₂ a ₂	............
a₁ a ₁	............

其中，a_n为栈顶元素，a₁为栈底元素，C、返回地址为第一业务对象提供的参数，SafeCall_cookie为存储有标识信息cookie的全局变量。Wherein, a _n is the top element, a ₁ is the bottom of the stack element, C, the return address for the first service object provides the parameter, SafeCall_cookie cookie to store identification information of the global variable.

在异常情况下，写入局部变量_loc_Safecall_Cookie的栈顶元素a_n为其他数据，例如表3中的参数C，并非在先写入的全局变量SafeCall_cookie，则局部变量_loc_Safecall_Cookie与全局变量SafeCall_cookie相异。In exceptional cases, the local variable written of the top element a _n _loc_Safecall_Cookie other data, such as global variables in Table 3, the parameters C, SafeCall_cookie not previously written, then the local variable and global variables SafeCall_cookie different _loc_Safecall_Cookie .

步骤105，当所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。Step 105: When the top element of the stack is different from the identification information, determine that the stack is abnormal.

若栈顶元素与标识信息相异，如局部变量_loc_Safecall_Cookie与全局变量SafeCall_cookie相异，则可以认为栈被破坏，出现异常。If the top element of the stack is different from the identification information, such as the local variable _loc_Safecall_Cookie is different from the global variable SafeCall_cookie, the stack can be considered corrupted and an exception occurs.

本发明实施例在第一业务对象将一个或多个参数压入栈之前，将标识信息压入栈，当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素，检测所述栈顶元素与所述标识信息是否相同，若相异时，则判断栈出现异常，基于栈传递参数的原理，实现调用第二业务对象实时的异常检测，提高了检测栈异常的速度和准确率，同时提高了异常定位的精确度。并且，可以直观的在栈中看到崩溃时的参数以让后续开发人员进行崩溃分析，找到栈崩溃原因，提高开发效率。The embodiment of the present invention pushes the identification information onto the stack before the first business object pushes one or more parameters onto the stack. When the second service object invokes one or more parameters in the stack, the extraction is currently at the top of the stack. The top element of the stack detects whether the top element of the stack is the same as the identifier information. If the difference is different, the stack is abnormal. Based on the principle of the parameter of the stack, the real-time abnormality detection of the second service object is called, and the detection is improved. Detects the speed and accuracy of stack anomalies while improving the accuracy of anomaly positioning. Moreover, you can visually see the parameters of the crash on the stack to allow subsequent developers to perform crash analysis, find the cause of the stack crash, and improve development efficiency.

在本发明的一种可选实施例中，还可以包括如下步骤：In an optional embodiment of the present invention, the following steps may also be included:

步骤106，生成所述栈出现异常的提示信息；Step 106: Generate prompt information that the stack is abnormal;

在本发明实施例中，若检测到栈出现异常，则可以提示开发者或者用户。In the embodiment of the present invention, if an abnormality is detected in the stack, the developer or the user may be prompted.

例如，弹出提示框“调用xxx函数后发现栈空间异常”。For example, a pop-up prompt box "Unexpected stack space is found after calling the xxx function".

或者， Or,

步骤107，使用调试接口输出异常信息。In step 107, the debug interface is used to output the abnormal information.

在本发明实施例中，若检测到栈出现异常，则可以使用调试接口输出与异常有关的信息，例如，第一业务对象的函数入口地址、第二业务对象的函数入口地址、时间等等。In the embodiment of the present invention, if an abnormality is detected in the stack, the debug interface may be used to output information related to the exception, such as a function entry address of the first business object, a function entry address of the second business object, time, and the like.

步骤108，当所述栈顶元素与所述标识信息相同时，判断所述栈运行正常。Step 108: When the top element of the stack is the same as the identifier information, determine that the stack runs normally.

若栈顶元素与标识信息相同，如局部变量_loc_Safecall_Cookie与全局变量SafeCall_cookie相同，则可以认为栈运行正常。If the top element of the stack is the same as the identification information, such as the local variable _loc_Safecall_Cookie is the same as the global variable SafeCall_cookie, then the stack can be considered to be working properly.

对于方法实施例，为了简单描述，故将其都表述为一系列的动作组合，但是本领域技术人员应该知悉，本发明实施例并不受所描述的动作顺序的限制，因为依据本发明实施例，某些步骤可以采用其他顺序或者同时进行。其次，本领域技术人员也应该知悉，说明书中所描述的实施例均属于优选实施例，所涉及的动作并不一定是本发明实施例所必须的。For the method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should understand that the embodiments of the present invention are not limited by the described action sequence, because the embodiment according to the present invention Some steps can be performed in other orders or at the same time. In the following, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.

参照图2，示出了根据本发明一个实施例的一种基于栈的异常检测装置实施例的结构框图，具体可以包括如下模块：Referring to FIG. 2, a block diagram of a structure of a stack-based anomaly detecting apparatus according to an embodiment of the present invention is shown. Specifically, the following modules may be included:

第一生成模块201，适于生成标识信息；The first generating module 201 is adapted to generate identification information;

压入模块202，适于在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；The push-in module 202 is adapted to push the identification information onto the stack before the first business object pushes one or more parameters onto the stack;

提取模块203，适于当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；The extracting module 203 is adapted to extract a top element currently located at the top of the stack when the second business object invokes completion of one or more parameters in the stack;

检测模块204，适于检测所述栈顶元素与所述标识信息是否相同；以及The detecting module 204 is adapted to detect whether the top element of the stack is the same as the identifier information;

异常判断模块205，适于在所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。The abnormality determining module 205 is adapted to determine that the stack is abnormal when the top element of the stack is different from the identification information.

在本发明的一种可选实施例中，还可以包括如下模块：In an optional embodiment of the present invention, the following modules may also be included:

正常判断模块，适于在所述栈顶元素与所述标识信息相同时，判断所述栈运行正常。The normal judgment module is configured to determine that the stack runs normally when the top element of the stack is the same as the identifier information.

第二生成模块，适于生成所述栈出现异常的提示信息； a second generating module, configured to generate prompt information that the stack is abnormal;

或者，or,

输出模块，适于使用调试接口输出异常信息。An output module adapted to output exception information using a debug interface.

在本发明的一种可选实施例中，所述第一生成模块201还可以适于：In an optional embodiment of the present invention, the first generating module 201 may further be adapted to:

在第一时间针对标识对象生成第一信息；Generating first information for the identification object at a first time;

将所述第一信息写入特征变量中；Writing the first information into the feature variable;

在第二时间针对所述标识对象生成第二信息，其中所述第一时间与所述第二时间相异；Generating second information for the identification object at a second time, wherein the first time is different from the second time;

将所述第二信息写入全局变量中；以及Writing the second information into a global variable;

根据所述特征变量和所述全局变量生成所述标识信息。The identification information is generated according to the feature variable and the global variable.

在本发明实施例的一种可选示例中，所述第一生成模块201还可以适于：In an optional example of the embodiment of the present invention, the first generating module 201 may be further configured to:

将所述全局变量与所述特征变量进行按位异或运算，以获得异或结果；以及Performing a XOR operation on the global variable and the feature variable to obtain an XOR result;

将所述结果写入全局变量中，以获得标识信息。The result is written to a global variable to obtain identification information.

在本发明的一种可选实施例中，在所述第二业务对象调用在栈中一个或多个参数的过程中，所述第二业务对象适于：In an optional embodiment of the present invention, in the process of calling the second business object one or more parameters in the stack, the second service object is adapted to:

读取在栈中的所述一个或多个参数；以及Reading the one or more parameters in the stack;

进行堆栈平衡处理。Perform stack balancing processing.

在本发明的一种可选实施例中，所述提取模块203还可以适于：In an optional embodiment of the present invention, the extraction module 203 is further adapted to:

对当前位于栈顶的栈顶元素进行出栈操作；以及Popping the top element of the stack currently on top of the stack; and

将出栈之后的栈顶元素写入局部变量。Write the top element of the stack after the stack to a local variable.

在本发明的一种可选实施例中，所述标识信息可以存储在全局变量中，以及所述检测模块204还可以适于：In an optional embodiment of the present invention, the identification information may be stored in a global variable, and the detection module 204 may further be adapted to:

判断所述局部变量与所述全局变量是否相同；以及Determining whether the local variable is the same as the global variable;

若是，则判断所述栈顶元素与所述标识信息相同，否则，则判断所述栈顶元素与所述标识信息不同。If yes, it is determined that the top element of the stack is the same as the identifier information; otherwise, the top element of the stack is determined to be different from the identifier information.

对于装置实施例而言，由于其与方法实施例基本相似，所以描述的比较简单，相关之处参见方法实施例的部分说明即可。For the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.

本发明的各个部件实施例可以以硬件实现，或者以在一个或者多个处理器上运行的软件模块实现，或者以它们的组合实现。本领域的技术人员应当理解，可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本发明实施例的基于栈的异常检测设备中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如，计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上，或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到，或者在载体信号上提供，或者以任何其他形式提供。The various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. Those skilled in the art should It is understood that some or all of the functionality of some or all of the stack-based anomaly detection devices in accordance with embodiments of the present invention may be implemented in practice using a microprocessor or digital signal processor (DSP). The invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

例如，图3示出了可以实现根据本发明的基于栈的异常检测计算设备，例如应用服务器。该计算设备传统上包括处理器310和以存储器320形式的计算机程序产品或者计算机可读介质。存储器320可以是诸如闪存、EEPROM(电可擦除可编程只读存储器)、EPROM、硬盘或者ROM之类的电子存储器。存储器320具有存储用于执行上述方法中的任何方法步骤的程序代码331的存储空间330。例如，存储程序代码的存储空间330可以包括分别用于实现上面的方法中的各种步骤的各个程序代码331。这些程序代码可以从一个或者多个计算机程序产品中读出或者写入到这一个或者多个计算机程序产品中。这些计算机程序产品包括诸如硬盘，紧致盘(CD)、存储卡或者软盘之类的程序代码载体。这样的计算机程序产品通常为例如图4所示的便携式或者固定存储单元。该存储单元可以具有与图3的计算设备中的存储器320类似布置的存储段、存储空间等。程序代码可以例如以适当形式进行压缩。通常，存储单元包括用于执行根据本发明的方法步骤的计算机可读代码331’，即可以由诸如310之类的处理器读取的代码，当这些代码由计算设备运行时，导致该计算设备执行上面所描述的方法中的各个步骤。For example, Figure 3 illustrates a stack-based anomaly detection computing device, such as an application server, in accordance with the present invention. The computing device conventionally includes a processor 310 and a computer program product or computer readable medium in the form of a memory 320. The memory 320 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM. The memory 320 has a storage space 330 that stores program code 331 for performing any of the method steps described above. For example, storage space 330 storing program code may include various program code 331 for implementing various steps in the above methods, respectively. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units such as those shown in FIG. The storage unit may have storage segments, storage spaces, and the like that are similarly arranged to memory 320 in the computing device of FIG. The program code can be compressed, for example, in an appropriate form. Typically, the storage unit comprises computer readable code 331' for performing the steps of the method according to the invention, ie code that can be read by a processor such as 310, which when executed by the computing device causes the computing device Perform the various steps in the method described above.

本文中所称的“一个实施例”、“实施例”或者“一个或者多个实施例”意味着，结合实施例描述的特定特征、结构或者特性包括在本发明的至少一个实施例中。此外，请注意，这里“在一个实施例中”的词语例子不一定全指同一个实施例。"an embodiment," or "an embodiment," or "an embodiment," In addition, it is noted that the phrase "in one embodiment" is not necessarily referring to the same embodiment.

在此处所提供的说明书中，说明了大量具体细节。然而，能够理解，本发明的实施例可以在没有这些具体细节的情况下被实践。在一些实例中，并未详细示出公知的方法、结构和技术，以便不模糊对本说明书的理解。In the description provided herein, numerous specific details are set forth. However, it is understood that the embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail so as not to obscure the understanding of the description.

应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制，并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。在权利要求中，不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中，这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。It should be noted that the above-described embodiments are illustrative of the present invention and are not intended to limit the invention, and those skilled in the art can devise alternatives without departing from the scope of the appended claims Example. In the claims, any reference signs placed between parentheses shall not be construed as a limitation. The word "comprising" does not exclude the presence of the elements or steps that are not recited in the claims. The word "a" or "an" The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.

此外，还应当注意，本说明书中使用的语言主要是为了可读性和教导的目的而选择的，而不是为了解释或者限定本发明的主题而选择的。因此，在不偏离所附权利要求书的范围和精神的情况下，对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。对于本发明的范围，对本发明所做的公开是说明性的，而非限制性的，本发明的范围由所附权利要求书限定。 In addition, it should be noted that the language used in the specification has been selected for the purpose of readability and teaching, and is not intended to be construed or limited. Therefore, many modifications and changes will be apparent to those skilled in the art without departing from the scope of the invention. The disclosure of the present invention is intended to be illustrative, and not restrictive, and the scope of the invention is defined by the appended claims.

Claims

一种基于栈的异常检测方法，包括步骤：A stack-based anomaly detection method includes the steps of:

生成标识信息；Generate identification information;

在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；Pushing the identification information onto the stack before the first business object pushes one or more parameters onto the stack;

当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；When the second business object invokes one or more parameters in the stack to complete, extracting the top element of the stack currently located at the top of the stack;

检测所述栈顶元素与所述标识信息是否相同；以及Detecting whether the top element of the stack is the same as the identification information;

当所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。When the top element of the stack is different from the identification information, it is determined that the stack is abnormal.
如权利要求1所述的方法，还包括步骤：The method of claim 1 further comprising the step of:

当所述栈顶元素与所述标识信息相同时，判断所述栈运行正常。When the top element of the stack is the same as the identification information, it is determined that the stack runs normally.
如权利要求1所述的方法，还包括步骤：The method of claim 1 further comprising the step of:

生成所述栈出现异常的提示信息；Generating a prompt message that the stack is abnormal;

或者，or,

使用调试接口输出异常信息。Use the debug interface to output exception information.
如权利要求1所述的方法，其中，所述生成标识信息的步骤包括：The method of claim 1 wherein said step of generating identification information comprises:

在第一时间针对标识对象生成第一信息；Generating first information for the identification object at a first time;

将所述第一信息写入特征变量中；Writing the first information into the feature variable;

在第二时间针对所述标识对象生成第二信息，其中所述第一时间与所述第二时间不同；Generating second information for the identification object at a second time, wherein the first time is different from the second time;

将所述第二信息写入全局变量中；以及Writing the second information into a global variable;

根据所述特征变量和所述全局变量生成所述标识信息。The identification information is generated according to the feature variable and the global variable.
如权利要求4所述的方法，其中，所述根据所述特征变量和所述全局变量生成所述标识信息的步骤进一步包括：The method of claim 4, wherein the step of generating the identification information according to the feature variable and the global variable further comprises:

将所述全局变量与所述特征变量进行按位异或运算，以获得异或结果；以及Performing a XOR operation on the global variable and the feature variable to obtain an XOR result;

将所述结果写入全局变量中，以获得标识信息。The result is written to a global variable to obtain identification information.
如权利要求1或2或3或4或5所述的方法，其中，所述第二业务对象调用在栈中一个或多个参数的操作进一步包括：The method of claim 1 or 2 or 3 or 4 or 5, wherein the operation of the second business object to invoke one or more parameters in the stack further comprises:

读取在栈中的所述一个或多个参数；以及Reading the one or more parameters in the stack;

进行堆栈平衡处理。 Perform stack balancing processing.
如权利要求1或2或3或4或5所述的方法，其中，所述提取当前位于栈顶的栈顶元素的步骤进一步包括：The method of claim 1 or 2 or 3 or 4 or 5, wherein the step of extracting the top element currently located at the top of the stack further comprises:

对当前位于栈顶的栈顶元素进行出栈操作；以及Popping the top element of the stack currently on top of the stack; and

将出栈之后的栈顶元素写入局部变量。Write the top element of the stack after the stack to a local variable.
如权利要求7所述的方法，其中，所述标识信息存储在全局变量中，以及所述检测所述栈顶元素与所述标识信息是否相同的步骤进一步包括：The method of claim 7, wherein the identification information is stored in a global variable, and the step of detecting whether the top element of the stack is identical to the identification information further comprises:

判断所述局部变量与所述全局变量是否相同；以及Determining whether the local variable is the same as the global variable;

若是，则判断所述栈顶元素与所述标识信息相同，否则，则判断所述栈顶元素与所述标识信息不同。If yes, it is determined that the top element of the stack is the same as the identifier information; otherwise, the top element of the stack is determined to be different from the identifier information.
一种基于栈的异常检测装置，包括：A stack-based anomaly detection device includes:

第一生成模块，适于生成标识信息；a first generating module, configured to generate identification information;

压入模块，适于在第一业务对象将一个或多个参数压入栈之前，将所述标识信息压入栈；The push-in module is adapted to push the identification information onto the stack before the first business object pushes one or more parameters onto the stack;

提取模块，适于当第二业务对象调用在栈中的一个或多个参数完成时，提取当前位于栈顶的栈顶元素；An extracting module, configured to extract a top element currently located at the top of the stack when the second business object invokes completion of one or more parameters in the stack;

检测模块，适于检测所述栈顶元素与所述标识信息是否相同；以及a detecting module, configured to detect whether the top element of the stack is the same as the identification information;

异常判断模块，适于在所述栈顶元素与所述标识信息不同时，判断所述栈出现异常。The abnormality determining module is configured to determine that the stack is abnormal when the top element of the stack is different from the identifier information.
如权利要求9所述的装置，还包括：The apparatus of claim 9 further comprising:

正常判断模块，适于在所述栈顶元素与所述标识信息相同时，判断所述栈运行正常。The normal judgment module is configured to determine that the stack runs normally when the top element of the stack is the same as the identifier information.
如权利要求9所述的装置，还包括：The apparatus of claim 9 further comprising:

第二生成模块，适于生成所述栈出现异常的提示信息；a second generating module, configured to generate prompt information that the stack is abnormal;

或者，or,

输出模块，适于使用调试接口输出异常信息。An output module adapted to output exception information using a debug interface.
如权利要求9所述的装置，其中，所述第一生成模块还适于：The apparatus of claim 9, wherein the first generation module is further adapted to:

在第一时间针对标识对象生成第一信息；Generating first information for the identification object at a first time;

将所述第一信息写入特征变量中；Writing the first information into the feature variable;

在第二时间针对所述标识对象生成第二信息，其中所述第一时间与所述第二时间不同； Generating second information for the identification object at a second time, wherein the first time is different from the second time;

将所述第二信息写入全局变量中；以及Writing the second information into a global variable;

根据所述特征变量和所述全局变量生成所述标识信息。The identification information is generated according to the feature variable and the global variable.
如权利要求12所述的装置，其中，所述第一生成模块还适于：The apparatus of claim 12, wherein the first generation module is further adapted to:

将所述全局变量与所述特征变量进行按位异或运算，以获得异或结果；以及Performing a XOR operation on the global variable and the feature variable to obtain an XOR result;

将所述结果写入全局变量中，以获得标识信息。The result is written to a global variable to obtain identification information.
如权利要求9或10或11或12或13所述的装置，其中，在所述第二业务对象调用在栈中一个或多个参数的过程中，所述第二业务对象适于：The apparatus of claim 9 or 10 or 11 or 12 or 13 wherein, in the process of invoking the second business object to invoke one or more parameters in the stack, the second business object is adapted to:

读取在栈中的所述一个或多个参数；以及Reading the one or more parameters in the stack;

进行堆栈平衡处理。Perform stack balancing processing.
如权利要求9或10或11或12或13所述的装置，其中，所述提取模块还适于：The apparatus of claim 9 or 10 or 11 or 12 or 13 wherein said extraction module is further adapted to:

对当前位于栈顶的栈顶元素进行出栈操作；以及Popping the top element of the stack currently on top of the stack; and

将出栈之后的栈顶元素写入局部变量。Write the top element of the stack after the stack to a local variable.
如权利要求15所述的装置，其中，所述标识信息存储在全局变量中，以及所述检测模块还适于：The apparatus of claim 15, wherein the identification information is stored in a global variable, and the detecting module is further adapted to:

判断所述局部变量与所述全局变量是否相同；以及Determining whether the local variable is the same as the global variable;

若是，则判断所述栈顶元素与所述标识信息相同，否则，则判断所述栈顶元素与所述标识信息不同。If yes, it is determined that the top element of the stack is the same as the identifier information; otherwise, the top element of the stack is determined to be different from the identifier information.
一种计算机程序，包括计算机可读代码，当所述计算机可读代码在计算设备上运行时，导致所述计算设备执行根据权利要求1-8中的任一个所述的基于栈的异常检测方法。A computer program comprising computer readable code causing the computing device to perform a stack based anomaly detection method according to any one of claims 1-8 when the computer readable code is run on a computing device .
一种计算机可读介质，其中存储了如权利要求17所述的计算机程序。 A computer readable medium storing the computer program of claim 17.