Abstract
Solvers in the framework of Satisfiability Modulo Theories (SMT) have been widely successful in practice. Recently, there has been increasing interest in solvers for string constraints, for example to address security issues in web programming. To be practically useful, the solvers need to support an expressive constraint language over unbounded strings, and in particular, over string lengths. Satisfiability checking for these formulas, especially in the SMT context, is very hard; it is generally undecidable for a rich fragment. In this paper, we propose a form of dependency analysis for a rich fragment of string constraints, including high-level operations such as length and contains, that deals with their inter-theory interaction so as to solve them more efficiently. We implement our dependency analysis in the string theory of the Z3 solver to obtain a new solver, called S3N. Finally, we demonstrate the superior performance of S3N over state-of-the-art string solvers such as Z3str3, CVC4, S3P, and Z3 on several large industrial-strength benchmarks.
Index Terms
Inter-theory dependency analysis for SMT string solvers