To develop a heuristic for injection location selection, the concept of dominators and dominance is adopted [92, 126]. First, the dominator concept will be briefly outlined before explaining the heuristic. In a CFG G = ⟨V, v0, A⟩, where v0 is the entry node, a node M is said to dominate a node N, (M dom N), if and only if every path from v0 to N goes through M. Based on this basic dominance concept, several other concepts can be developed, namely:

• By definition the dominance relationship is:

– Reflexive, i.e., every node dominates itself. Thus (N dom N) is always true. Note a node is said to trivially dominate itself.

– Transitive, i.e., if a node M dominates a node N and N dominates a node R, then M dominates R. Thus if (M dom N) and (N dom R) then (M dom R) is always true.

– Anti-symmetric, i.e., if a node M dominates a node N and N dominates node M, this implies that M = N. Thus if (M dom N) and (N dom M) then M = N is true.

• M strictly dominates N, (M sdom N), if and only if (M dom N) and M ≠ N. Thus, a node cannot strictly dominate itself, i.e., (N sdom N) is never true.

7.2. INJECTION LOCATION SELECTION (ILS) 103

• A node M immediately dominates a node N, (M idom N), if and only if (M sdom N) and there does not exist a node D such that (D sdom N) and (M sdom D). Thus if a node has more than one dominator, there is always a unique "nearest" strict dominator called its immediate dominator. Note all nodes except the entry node have immediate dominators.

• The dominance frontier of a node M, DF_M, is the set of all nodes that are immediate successors to nodes dominated by M, but which are not themselves strictly dominated by M. This means the dominance frontier of M is the set of nodes where M's dominance stops, i.e., the set of nodes where M lies only in some of the paths in G from v0 to these nodes. Thus DF_M = {Z | (N idom Z) ∧ (M dom N) ∧ ¬(M sdom Z)}. Note a node can be in its own dominance frontier.

• The dominator tree of G, DomTree(G), is a tree created using immediate dominators, where a parent node has as its children the nodes it immediately dominates and the entry node v0 is the root of the tree. Thus M → N exists in DomTree(G) if and only if (M idom N). Note: A node in a dominator tree dominates all its descendants in the tree, and immediately dominates all its children.

It should be mentioned that dominators reveal which basic blocks in a CFG must be executed prior to a block N; they also reveal blocks that are not always executed. The complexity of generating the dominator tree is O(|U|²). The dominator tree for the example CFG shown in Figure 3.1c is illustrated in Figure 7.1a; Figure 7.1b depicts the dominance relationships for the dominator tree. The coloured nodes depict dominator nodes, i.e., nodes that strictly dominate one or more nodes.

Given a CFG GP = ⟨V, v0, A, W, Φ⟩ of program P with amplification factor A, the heuristic works as in Heuristic 7.1: first, the dominator tree of GP, weights from GP. Each node is tagged with its dominance frontier as dictated by GP. The set of possible locations Ul is initially set to V. Then, all leaf nodes of DomTree_P are removed from Ul, and any node n that is not deemed vulnerable, i.e., any node n of DomTree_P with a non-empty dominance frontier (DF_n ≠ {∅}), is also removed from Ul.

(a) Dominator Tree: Entry, BB1, BB2, BB3, BB4, BB5, Exit

(b) Dominance Relationships:

    Basic Block  Immediate Dominator  Dominates                                Dominance Frontier
    Entry        None                 {Entry, BB1, BB2, BB3, BB4, BB5, Exit}   {Ø}
    BB1          Entry                {BB1, BB2, BB3, BB4, BB5, Exit}          {Ø}
    BB2          BB1                  {BB2, BB3, BB4, BB5, Exit}               {Ø}
    BB3          BB2                  {BB3, Exit}                              {BB2, BB4, BB5}
    BB4          BB2                  {BB4}                                    {BB2, , BB5}
    BB5          BB2                  {BB5, Exit}                              {Ø}
    Exit         BB5                  {Exit}                                   {Ø}

Figure 7.1: Example of a dominator tree for a CFG and its corresponding dominance relationships.

The set Ul represents the set of potential fault injection locations. It does not represent the actual locations where faults will be injected, but rather where faults could potentially be injected. Given that A is set to twice the longest distance between two successive potential locations (which can be obtained from a software engineer), this distance is equal to twice the longest distance between two dominator nodes. Thus, the set of potential locations obtained from Heuristic 7.1 satisfies the amplification factor A. Also, the reason the leaves of the dominator tree are removed is that injection of faults at these locations does not guarantee error propagation. The complexity of the ILS heuristic is O(|U|²).

    input : GP = (UP, u0, A, W, Φ)
    output: Set of locations/blocks
    begin
      1  Generate the DomTree_G(P) of GP, label edges in DomTree_G(P) from GP,
         tag nodes in DomTree_G(P) with dominance frontier from GP;
      2  Initially, set Ul to be UP;
      3  Remove all leaf nodes of DomTree_G(P) from Ul and all nodes that
         immediately dominate the exit node;
      4  Remove any node n in DomTree_G(P) where DF_n ≠ {∅} from Ul;
      5  Remove every node u such that Φ(u) = 0 from Ul;
    end

Heuristic 7.1: Heuristic for Injection Location Selection (ILS)
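As an added worked example (not code from the thesis), the following Python computes the dominance relations defined above (Dom, sdom, idom, the dominator tree and the dominance frontier) over a small constructed CFG and then applies the five steps of Heuristic 7.1 to obtain the set Ul. The CFG, the name of the exit block and the Φ values are constructed for illustration; the page only names Φ as a component of GP, so treating Φ(u) = 0 as "this block offers nothing to inject into" is an assumption of this example. The dominance frontier is computed from the prose definition (immediate CFG successors of blocks dominated by M that M does not strictly dominate); the loop edge BB5 → BB2 makes BB2 a member of its own dominance frontier, the case the note above mentions.

```python
"""Dominance relations (Section 7.2) and Heuristic 7.1 (ILS) over a constructed
CFG. Added worked example, not the thesis's own code: the CFG, exit block and
Phi values below are constructed; reading Phi(u) = 0 as "no injection target in
this block" is an assumption, since the page does not define Phi."""

# Constructed CFG as an adjacency list: block -> list of successor blocks.
# BB5 -> BB2 is a back edge (a loop); it puts BB2 in its own dominance frontier.
CFG = {
    "Entry": ["BB1"],
    "BB1": ["BB2"],
    "BB2": ["BB3", "BB4"],
    "BB3": ["BB5"],
    "BB4": ["BB5"],
    "BB5": ["BB2", "Exit"],
    "Exit": [],
}
ENTRY, EXIT = "Entry", "Exit"
# Constructed Phi: 0 marks a block with nothing to inject into (assumption).
PHI = {"Entry": 0, "BB1": 3, "BB2": 2, "BB3": 1, "BB4": 1, "BB5": 2, "Exit": 0}


def dominators(cfg, entry):
    """Dom(n) for every block by iterative data-flow fixpoint:
    Dom(entry) = {entry}; Dom(n) = {n} U intersection of Dom(p) over preds p."""
    preds = {n: set() for n in cfg}
    for u, succs in cfg.items():
        for v in succs:
            preds[v].add(u)
    dom = {n: set(cfg) for n in cfg}       # start from the full node set ...
    dom[entry] = {entry}                    # ... except the entry (reflexive only)
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            pred_doms = [dom[p] for p in preds[n]]
            new = {n} | (set.intersection(*pred_doms) if pred_doms else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def immediate_dominators(dom):
    """idom(n): the strict dominator of n that every other strict dominator of n
    dominates, i.e. the unique "nearest" one. The entry block has no idom."""
    idom = {}
    for n, ds in dom.items():
        sdom = ds - {n}                     # (M sdom N) <=> M in Dom(N) and M != N
        for d in sdom:
            if all(other in dom[d] for other in sdom):
                idom[n] = d
    return idom


def dominator_tree(dom, idom):
    """DomTree(G) as parent -> sorted children; M -> N exists iff (M idom N)."""
    tree = {n: [] for n in dom}
    for n, d in idom.items():
        tree[d].append(n)
    return {n: sorted(kids) for n, kids in tree.items()}


def dominance_frontier(cfg, dom):
    """DF(M): immediate CFG successors Z of blocks N with (M dom N) such that
    not (M sdom Z), following the prose definition in Section 7.2."""
    df = {m: set() for m in cfg}
    for n, succs in cfg.items():
        for z in succs:
            for m in dom[n]:                # every M that dominates N
                if not (m in dom[z] and m != z):    # M does not strictly dominate Z
                    df[m].add(z)
    return df


def ils_locations(cfg, entry, exit_node, phi):
    """Heuristic 7.1: the set Ul of potential fault injection locations."""
    dom = dominators(cfg, entry)
    idom = immediate_dominators(dom)
    tree = dominator_tree(dom, idom)                    # step 1: build DomTree ...
    df = dominance_frontier(cfg, dom)                   # ... and tag nodes with DF
    ul = set(cfg)                                       # step 2: Ul := UP
    ul -= {n for n, kids in tree.items() if not kids}   # step 3: drop tree leaves ...
    ul.discard(idom.get(exit_node))                     # ... and idom(exit)
    ul -= {n for n in cfg if df[n]}                     # step 4: drop DF_n != {}
    ul -= {n for n in cfg if phi.get(n, 0) == 0}        # step 5: drop Phi(u) = 0
    return ul


if __name__ == "__main__":
    dom = dominators(CFG, ENTRY)
    idom = immediate_dominators(dom)
    df = dominance_frontier(CFG, dom)
    print("block  idom   dominance frontier")
    for n in CFG:
        print(f"{n:6} {idom.get(n, 'None'):6} {sorted(df[n])}")
    print("DomTree:", dominator_tree(dom, idom))
    print("Ul:", ils_locations(CFG, ENTRY, EXIT, PHI))
```

On this CFG the tree leaves are BB3, BB4 and Exit, BB5 is removed as the immediate dominator of Exit, BB2 is removed because its dominance frontier is {BB2}, and Entry is removed by Φ, leaving Ul = {BB1}; every surviving block is one that any path from the entry must pass through, which is what the leaf-removal argument above relies on for error propagation.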

7.3 Target Variable Selection (TVS)

Following the identification of the set of potential locations, it is necessary to identify the set of variables to target for fault injection. This means there may be potential locations at which no fault will be injected and others where more than one fault may be injected.

To determine this target variable set, the dominator tree generated by the heuristic presented in Chapter 7.2.1 (see Heuristic 7.1) is used and transformed into a weighted graph, where a dependency graph is superimposed upon the dominator tree. In this thesis, such a dependency graph for a program P upon its dominator tree is modelled as follows: the dependency graph for P is denoted as GD of P), A representing the set of arcs, where (u, v) ∈ A means that variable u depends on variable v, U0 is the set of nodes with no outgoing arcs (variables which do not depend on any other variables), W is the function that returns the weight on the arcs, and L is a function (called level) that maps a variable to a given block in the dominator tree DP. The dependency graph of P is extended in such a way that A is augmented to include arcs between nodes at the same level with a weight 0. The significance of this is that if there are two variables v1, v2 in the same block in the dominator tree, then it is irrelevant whether a fault is injected in v1 first and v2 second or vice-versa.

The challenge in selecting target variables stems from the fact that when a variable u is overlooked, then it means either that a variable v on which it depends has been selected (and selecting u will override the effect of propagating error from v to u) or a variable w that depends on v has been selected. Thus, the decision of selecting a variable is not a local one. In Chapter 6, it has been demonstrated that early injections have a potential of uncovering more vulnerabilities. As such, the TVS heuristic is made biased towards selecting variables in earlier blocks.