Formal Methods in System Design

, Volume 48, Issue 3, pp 206–234 | Cite as

An efficient SMT solver for string constraints

  • Tianyi Liang
  • Andrew Reynolds
  • Nestan Tsiskaridze
  • Cesare TinelliEmail author
  • Clark Barrett
  • Morgan Deters


An increasing number of applications in verification and security rely on or could benefit from automatic solvers that can check the satisfiability of constraints over a diverse set of data types that includes character strings. Until recently, satisfiability solvers for strings were standalone tools that could reason only about fairly restricted fragments of the theory of strings and regular expressions (e.g., strings of bounded lengths). These solvers were based on reductions to satisfiability problems over other data types such as bit vectors or to automata decision problems. We present a set of algebraic techniques for solving constraints over a rich theory of unbounded strings natively, without reduction to other problems. These techniques can be used to integrate string reasoning into general, multi-theory SMT solvers based on the common DPLL(T) architecture. We have implemented them in our SMT solver cvc4, expanding its already large set of built-in theories to include a theory of strings with concatenation, length, and membership in regular languages. This implementation makes cvc4 the first solver able to accept a rich set of mixed constraints over strings, integers, reals, arrays and algebraic datatypes. Our initial experimental results show that, in addition, on pure string problems cvc4 is highly competitive with specialized string solvers accepting a comparable input language.


String solving Satisfiability modulo theories Automated deduction 

Mathematics Subject Classification

68Q60 03B10 03B20 03B22 03B25 03B70 



We thank the developers of z3-str for their technical support in using their tool and several clarifications on it, as well as for their prompt response to our inquiries. We also express our gratitude to the developers of the StarExec service for their assistance and for implementing additional features we requested while running our experimental evaluation on the service. Finally, we thank the anonymous reviewers for their supportive comments and for their valuable suggestions on improving the paper’s presentation. The work described here was partially funded by NSF Grants #1228765 and #1228768. The second author was also supported in part by the European Research Council (ERC) Project Implicit Programming.


  1. 1.
    Abdulla PA, Atig MF, Chen YF, Holik L, Rezine A, Rummer P, Stenman J (2014) String constraints for verification. In: Biere A, Bloem R (eds) Proceedings of the 26th international conference on computer aided verification. Lecture notes in computer science, vol. 8559. Springer, BerlinGoogle Scholar
  2. 2.
    Barrett C, Nieuwenhuis R, Oliveras A, Tinelli C (2006) Splitting on demand in SAT modulo theories. In: Proceedings of LPAR’06. Lecture notes in computer science, vol. 4246. Springer, Berlin, pp 512–526Google Scholar
  3. 3.
    Barrett C, Sebastiani R, Seshia S, Tinelli C (2009) Satisfiability modulo theories. In: Biere A, Heule MJH, van Maaren H, Walsh T (eds) Handbook of satisfiability, vol 185, chap 26. IOS Press, Amsterdam, pp 825–885Google Scholar
  4. 4.
    Bjørner N, Tillmann N, Voronkov A (2009) Path feasibility analysis for string-manipulating programs. In: Proceedings of the 15th international conference on tools and algorithms for the construction and analysis of systems. Lecture notes in computer science. Springer, pp 307–321Google Scholar
  5. 5.
    Brumley D, Caballero J, Liang Z, Newsome J (2007) Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In: Proceedings of the 16th USENIX security symposium, Boston, MA, USA, 6–10 August 2007Google Scholar
  6. 6.
    Brumley D, Wang H, Jha S, Song DX (2007) Creating vulnerability signatures using weakest preconditions. In: 20th IEEE computer security foundations symposium, CSF 2007, 6–8 July 2007, Venice, Italy, pp 311–325Google Scholar
  7. 7.
    Christensen AS, Møller A, Schwartzbach MI (2003) Precise analysis of string expressions. In: Proceedings of the 10th international conference on static analysis. Lecture notes in computer science. Springer, Berlin, pp 1–18Google Scholar
  8. 8.
    De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Proceedings of the theory and practice of software, 14th international conference on tools and algorithms for the construction and analysis of systems. Lecture notes in computer science. Springer, Berlin, pp 337–340Google Scholar
  9. 9.
    Egele M, Kruegel C, Kirda E, Yin H, Song D (2007) Dynamic spyware analysis. In: 2007 USENIX annual technical conference on proceedings of the USENIX annual technical conference, ATC’07. USENIX Association, Berkeley, CA, USA, pp 18:1–18:14Google Scholar
  10. 10.
    Fu X, Li C (2010) A string constraint solver for detecting web application vulnerability. In: Proceedings of the 22nd international conference on software engineering and knowledge engineering, SEKE’2010. Knowledge Systems Institute Graduate School, SkokieGoogle Scholar
  11. 11.
    Ganesh V, Minnes M, Solar-Lezama A, Rinard M (2013) Word equations with length constraints: what’s decidable? In: Proceedings of the 8th international conference on hardware and software: verification and testing, HVC’12. Springer, Berlin, pp 209–226Google Scholar
  12. 12.
    Ghosh I, Shafiei N, Li G, Chiang W (2013) JST: an automatic test generation tool for industrial Java applications with strings. In: Proceedings of the 2013 international conference on software engineering, ICSE’13. IEEE Press, Piscataway, pp. 992–1001Google Scholar
  13. 13.
    Hooimeijer P, Veanes M (2011) An evaluation of automata algorithms for string analysis. In: Proceedings of the 12th international conference on verification, model checking, and abstract interpretation. Springer, Berlin, pp 248–262Google Scholar
  14. 14.
    Hooimeijer P, Weimer W (2009) A decision procedure for subset constraints over regular languages. In: Proceedings of the 2009 ACM SIGPLAN conference on programming language design and implementation. ACM, Dublin, pp 188–198Google Scholar
  15. 15.
    Hooimeijer P, Weimer W (2010) Solving string constraints lazily. In: Proceedings of the IEEE/ACM international conference on automated software engineering. ACM, New York, pp 377–386Google Scholar
  16. 16.
    Kiezun A, Ganesh V, Guo PJ, Hooimeijer P, Ernst MD (2009) HAMPI: a solver for string constraints. In: Proceedings of the eighteenth international symposium on Software testing and analysis. ACM, New York, pp 105–116Google Scholar
  17. 17.
    Li G, Ghosh I (2013) PASS: string solving with parameterized array and interval automaton. In: Bertacco V, Legay A (eds) Hardware and software: verification and testing. Lecture notes in computer science, vol 8244. Springer, Berlin, pp 15–31Google Scholar
  18. 18.
    Liang T, Reynolds A, Tinelli C, Barrett C, Deters M (2014) A DPLL(T) theory solver for a theory of strings and regular expressions. In: Biere A, Bloem R (eds) Proceedings of the 26th international conference on computer aided verification. Lecture notes in computer science, vol 8559. Springer, BerlinGoogle Scholar
  19. 19.
    Liang T, Tsiskaridze N, Reynolds A, Tinelli C, Barrett C (2015) A decision procedure for regular membership and length constraints over unbounded strings. In: Frontiers of combining systems. Springer, Berlin, pp 135–150Google Scholar
  20. 20.
    Makanin GS (1977) The problem of solvability of equations in a free semigroup. English transl. in Math USSR Sbornik, vol 32, pp 147–236Google Scholar
  21. 21.
    Namjoshi KS, Narlikar GJ (2010) Robust and fast pattern matching for intrusion detection. In: INFOCOM 2010. 29th IEEE international conference on computer communications, joint conference of the IEEE computer and communications societies, 15–19 March 2010, San Diego, CA, USA, pp 740–748Google Scholar
  22. 22.
    Nelson G, Oppen DC (1979) Simplification by cooperating decision procedures. ACM Trans Program Lang Syst 1(2):245–257CrossRefzbMATHGoogle Scholar
  23. 23.
    Nieuwenhuis R, Oliveras A, Tinelli C (2006) Solving SAT and SAT Modulo theories: from an abstract Davis–Putnam–Logemann–Loveland procedure to DPLL(T). J ACM 53(6):937–977MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Perrin D (1989) Equations in words. In: Ait-Kaci H, Nivat M (eds) Resolution of equations in algebraic structures, vol 2. Academic Press, Cambridge, pp 275–298Google Scholar
  25. 25.
    Plandowski W (2004) Satisfiability of word equations with constants is in PSPACE. J ACM 51(3):483–496MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Saxena P, Akhawe D (2010) Kaluza web site.
  27. 27.
    Saxena P, Akhawe D, Hanna S, Mao F, McCamant S, Song D (2010) A symbolic execution framework for JavaScript. In: Proceedings of the 2010 IEEE symposium on security and privacy. IEEE Computer Society, pp 513–528Google Scholar
  28. 28.
    Stump A, Sutcliffe G, Tinelli C (2014) Starexec: a cross-community infrastructure for logic solving. In: Demri S, Kapur D, Weidenbach C (eds) Proceedings of the 7th international joint conference on automated reasoning. Lecture notes in artificial intelligence. Springer, BerlinGoogle Scholar
  29. 29.
    Tillmann N, Halleux J (2008) Pex—white box test generation for .NET. In Beckert B, Hähnle R (eds) Tests and proofs. Lecture notes in computer science, vol 4966. Springer, Berlin, pp 134–153Google Scholar
  30. 30.
    Tinelli C, Harandi MT (1996) A new correctness proof of the Nelson–Oppen combination procedure. In: Baader F, Schulz KU (eds) Frontiers of combining systems: proceedings of the 1st international workshop (Munich, Germany). Applied logic. Kluwer Academic Publishers, Dordrecht, pp 103–120Google Scholar
  31. 31.
    Trinh MT, Chu DH, Jaffar J (2014) S3: a symbolic string solver for vulnerability detection in web applications. In: Yung M, Li N (eds) Proceedings of the 21st ACM conference on computer and communications security. ACM, New York, pp 1232–1243Google Scholar
  32. 32.
    Veanes M (2013) Applications of symbolic finite automata. In: Proceedings of the 18th international conference on implementation and application of automata, CIAA’13. Springer, Berlin, pp 16–23Google Scholar
  33. 33.
    Veanes M, Bjørner N, De Moura L (2010) Symbolic automata constraint solving. In: Proceedings of the 17th international conference on logic for programming, artificial intelligence, and reasoning. Lecture notes in computer science. Springer, Berlin, pp 640–654Google Scholar
  34. 34.
    Yu F, Alkhalaf M, Bultan T (2010) Stranger: an automata-based string analysis tool for php. In: Esparza J, Majumdar R (eds) Tools and algorithms for the construction and analysis of systems. Lecture notes in computer science, vol 6015. Springer, Berlin, pp 154–157Google Scholar
  35. 35.
    Zheng Y, Zhang X, Ganesh V (2013) Z3-str: a Z3-based string solver for web application analysis. In: Proceedings of the 2013 9th joint meeting on foundations of software engineering, ESEC/FSE 2013. ACM, New York, pp 114–124Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceThe University of IowaIowaUSA
  2. 2.Two Sigma InvestmentsNew YorkUSA
  3. 3.Department of Computer ScienceNew York UniversityNew YorkUSA

Personalised recommendations