Abstract
We describe a uniform and efficient framework for checking the satisfiability of a large class of string constraints. The framework is based on the observation that both satisfiability and unsatisfiability of common constraints can be demonstrated through witnesses with simple patterns. These patterns are captured using flat automata, each of which consists of a sequence of simple loops. We build a Counter-Example Guided Abstraction Refinement (CEGAR) framework which contains both an under- and an over-approximation module. The flow of information between the modules allows the precision to be increased automatically. We have implemented the framework as a tool and performed extensive experimentation that demonstrates both the generality and efficiency of our method.
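To make the under/over-approximation idea in the abstract concrete, here is a constructed toy example (added for this page; it is not the paper's tool or its algorithm). A string variable is restricted to a flat pattern, a sequence of simple loops written as (prefix, loop) segments whose loop counts are the only unknowns; the under-approximation module searches for a witness among such patterns (bounded enumeration of loop counts stands in here for whatever symbolic encoding the real framework uses), while the over-approximation module abstracts each side of a word equation to its letter counts and refutes the equation when those counts cannot agree. The equation encoding, the `solve` function and the sample constraints are all assumptions of this example.

```python
"""Toy flat-pattern solver for word equations (constructed illustration).

An equation is lhs = rhs, each side a list of terms: ("var", name) or
("lit", text).  A flat pattern for a variable is a list of (prefix, loop)
segments; with loop counts n1..nk it denotes prefix1 loop1^n1 prefix2 loop2^n2 ...
"""
from collections import Counter
from itertools import product


def instantiate(pattern, counts):
    """Expand a flat pattern under concrete loop counts."""
    return "".join(prefix + loop * n for (prefix, loop), n in zip(pattern, counts))


def evaluate(side, env):
    """Concatenate one side of the equation under a variable assignment."""
    return "".join(env[t[1]] if t[0] == "var" else t[1] for t in side)


def parikh_refutes(lhs, rhs):
    """Sound over-approximation: abstract each side to its letter counts.
    If every variable occurs equally often on both sides, the variables cancel
    in this abstraction, so differing constant letter counts prove unsat."""
    var_balance = Counter()
    const = Counter()
    for side, sign in ((lhs, 1), (rhs, -1)):
        for kind, val in side:
            if kind == "var":
                var_balance[val] += sign
            else:
                for ch in val:
                    const[ch] += sign
    if any(v != 0 for v in var_balance.values()):
        return False  # variables do not cancel; this cheap check decides nothing
    return any(v != 0 for v in const.values())


def flat_witness(lhs, rhs, patterns, min_len, bound):
    """Under-approximation: enumerate loop counts below `bound` for every
    segment and return the first assignment that satisfies the equation and
    the minimum-length side constraints, or None."""
    names = sorted(patterns)
    n_segments = sum(len(patterns[name]) for name in names)
    for counts in product(range(bound), repeat=n_segments):
        env, idx = {}, 0
        for name in names:
            k = len(patterns[name])
            env[name] = instantiate(patterns[name], counts[idx:idx + k])
            idx += k
        lengths_ok = all(len(env[v]) >= m for v, m in min_len.items())
        if lengths_ok and evaluate(lhs, env) == evaluate(rhs, env):
            return env
    return None


def solve(lhs, rhs, patterns, min_len=None, bound=6):
    """Combine both modules: refute, find a witness, or report 'unknown'
    (the case where a CEGAR loop would refine the patterns)."""
    min_len = min_len or {}
    if parikh_refutes(lhs, rhs):
        return ("unsat", None)
    env = flat_witness(lhs, rhs, patterns, min_len, bound)
    if env is not None:
        return ("sat", env)
    return ("unknown", None)


# Constructed sample constraints.
# x . "ab" = "ab" . x with |x| >= 3: satisfiable, x must be in (ab)*.
COMMUTE_L = [("var", "x"), ("lit", "ab")]
COMMUTE_R = [("lit", "ab"), ("var", "x")]
# x . "a" = "b" . x: no solution, the letter counts can never agree.
CLASH_L = [("var", "x"), ("lit", "a")]
CLASH_R = [("lit", "b"), ("var", "x")]

if __name__ == "__main__":
    print(solve(COMMUTE_L, COMMUTE_R, {"x": [("", "ab")]}, {"x": 3}))  # sat, x = "abab"
    print(solve(COMMUTE_L, COMMUTE_R, {"x": [("", "a")]}, {"x": 3}))   # unknown: wrong pattern
    print(solve(CLASH_L, CLASH_R, {"x": [("", "ab")]}))                 # unsat by letter counts
```

The second call shows why refinement matters: with the loop `a` instead of `ab` the under-approximation finds nothing, and the letter-count abstraction cannot refute the equation either, so the only honest answer is "unknown" until a better pattern is tried.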
Flatten and conquer: a framework for efficient analysis of string constraints. PLDI 2017: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation.