research-article
Open Access
Artifacts Evaluated & Functional / v1.1

Inter-theory dependency analysis for SMT string solvers

Published: 13 November 2020

Abstract

Solvers in the framework of Satisfiability Modulo Theories (SMT) have been widely successful in practice. Recently there has been increasing interest in solvers for string constraints, for example to address security issues in web programming. To be practically useful, such solvers need to support an expressive constraint language over unbounded strings and, in particular, over string lengths. Satisfiability checking for these formulas, especially in the SMT context, is very hard; it is generally undecidable for a rich fragment. In this paper, we propose a form of dependency analysis for a rich fragment of string constraints including high-level operations such as length and contains, which deals with their inter-theory interaction so as to solve them more efficiently. We implement our dependency analysis in the string theory of the Z3 solver to obtain a new solver, called S3N. Finally, we demonstrate the superior performance of S3N over state-of-the-art string solvers such as Z3str3, CVC4, S3P, and Z3 on several large industrial-strength benchmarks.
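As an added illustration (not code from the paper or from S3N), the toy check below shows one direction of the inter-theory interaction the abstract refers to: string-theory constraints such as contains and concatenation induce arithmetic facts about lengths, and propagating those facts can refute a formula in the integer theory before any string-level search. The tuple encoding of constraints and the two functions are assumptions made for this example.

```python
"""Toy string-to-length dependency propagation (added example, not S3N's algorithm).

Constraint encoding (assumption for this example):
  ("contains", x, lit)   -- string x contains literal lit
  ("concat", x, y, z)    -- x = y ++ z
  ("len_lt", x, n)       -- len(x) < n
  ("len_eq", x, n)       -- len(x) == n
"""
from typing import Dict, List, Optional, Tuple

Constraint = Tuple


def length_lower_bounds(constraints: List[Constraint]) -> Dict[str, int]:
    """Derive a lower bound on len(v) for every string variable v using only the
    string-theory constraints (the dependency from strings into arithmetic).
    Iterates to a fixpoint because concat bounds depend on operand bounds."""
    lb: Dict[str, int] = {}
    changed = True
    while changed:
        changed = False
        for c in constraints:
            if c[0] == "contains":
                _, x, lit = c
                if lb.get(x, 0) < len(lit):          # contains(x, lit) => len(x) >= len(lit)
                    lb[x] = len(lit)
                    changed = True
            elif c[0] == "concat":
                _, x, y, z = c
                new = lb.get(y, 0) + lb.get(z, 0)    # len(x) = len(y) + len(z)
                if lb.get(x, 0) < new:
                    lb[x] = new
                    changed = True
    return lb


def refute_by_length(constraints: List[Constraint]) -> Optional[str]:
    """Return the name of a variable whose derived lower bound contradicts an
    explicit length constraint, or None if this cheap check cannot refute the
    formula (None does not mean satisfiable; a full solver is still needed)."""
    lb = length_lower_bounds(constraints)
    for c in constraints:
        if c[0] == "len_lt" and lb.get(c[1], 0) >= c[2]:
            return c[1]
        if c[0] == "len_eq" and lb.get(c[1], 0) > c[2]:
            return c[1]
    return None


# Constructed sample: x = y ++ z, y contains "name=", z contains "&id=",
# yet len(x) < 8 is demanded; the length theory alone shows this is unsat.
SAMPLE: List[Constraint] = [
    ("contains", "y", "name="),
    ("contains", "z", "&id="),
    ("concat", "x", "y", "z"),
    ("len_lt", "x", 8),
]
```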


Supplemental Material

Auxiliary Presentation Video

This is a presentation video of my talk at OOPSLA 2020 on our paper titled "Inter-theory Dependency Analysis for SMT String Solvers". In this paper, we propose a form of dependency analysis for a rich fragment of string constraints including high-level operations such as length and contains, to deal with their inter-theory interaction so as to solve them more efficiently. We implement our dependency analysis in the string theory of the Z3 solver to obtain a new one, called S3N. Finally, we demonstrate the superior performance of S3N over state-of-the-art string solvers such as Z3str3, CVC4, S3P, and Z3 on several large industrial-strength benchmarks.

