Abstract: Custom software vulnerability detection is difficult．Most of static vulnerability detection approach usually produces large amount of false information and positives results．A new method is able to understand the analyzed source code when a function is called．This paper proposed a method of combination top-down and bottom-up parsing tree which is based on CFL(context-free language)．In a case of not understanding or partially understanding inside code of a function definition,it can analyze function contract before or after function called,named pre-condition and post-condition．Extending the rules of XML grammar on object-oriented,pre-condition and post-condition can deal with objects belonging to inheritance relationship’s class．The experiments show that,compared with the same type of security analysis tools,it can avoid repeat function analysis,has good rules scalability and high accuracy for custom defined object classes and parameters in custom environmental especially.

Key words: Function vulnerability,Inheritance relationship,Contract rules in inherent,Parse tree