Word Equations with Length Constraints: What’s Decidable?

  • Vijay Ganesh
  • Mia Minnes
  • Armando Solar-Lezama
  • Martin Rinard
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7857)

Abstract

We prove several decidability and undecidability results for the satisfiability and validity problems for languages that can express solutions to word equations with length constraints. The atomic formulas over this language are equality over string terms (word equations), linear inequality over the length function (length constraints), and membership in regular sets. These questions are important in logic, program analysis, and formal verification. Variants of these questions have been studied for many decades by mathematicians. More recently, practical satisfiability procedures (aka SMT solvers) for these formulas have become increasingly important in the context of security analysis for string-manipulating programs such as web applications.

We prove three main theorems. First, we give a new proof of undecidability for the validity problem for the set of sentences written as a ∀ ∃ quantifier alternation applied to positive word equations. A corollary of this undecidability result is that this set is undecidable even with sentences with at most two occurrences of a string variable. Second, we consider Boolean combinations of quantifier-free formulas constructed out of word equations and length constraints. We show that if word equations can be converted to a solved form, a form relevant in practice, then the satisfiability problem for Boolean combinations of word equations and length constraints is decidable. Third, we show that the satisfiability problem for quantifier-free formulas over word equations in regular solved form, length constraints, and the membership predicate over regular expressions is also decidable.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Blumensath, A.: Automatic structures. Diploma thesis, RWTH-Aachen (1999)Google Scholar
  2. 2.
    Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., Engler, D.: EXE: automatically generating inputs of death. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM Conference on Computer and Communications Security, pp. 322–335. ACM (2006)Google Scholar
  3. 3.
    Charatonik, W., Pacholski, L.: Word equations with two variables. In: Abdulrab, H., Pécuchet, J.-P. (eds.) IWWERT 1991. LNCS, vol. 677, pp. 43–56. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  4. 4.
    Dabrowski, R., Plandowski, W.: On word equations in one variable. Algorithmica 60(4), 819–828 (2011)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Durnev, V.: Undecidability of the positive ∀ ∃ 3-theory of a free semigroup. Siberian Mathematical Journal 36(5), 1067–1080 (1995)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Ebbinghaus, H.-D., Flum, J., Thomas, W.: Mathematical Logic. Undergraduate Texts in Mathematics. Springer (1994)Google Scholar
  7. 7.
    Emmi, M., Majumdar, R., Sen, K.: Dynamic test input generation for database applications. In: Rosenblum, D., Elbaum, S. (eds.) ISSTA, pp. 151–162. ACM (2007)Google Scholar
  8. 8.
    Ganesh, V., Kieżun, A., Artzi, S., Guo, P.J., Hooimeijer, P., Ernst, M.: HAMPI: A string solver for testing, analysis and vulnerability detection. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 1–19. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Sarkar, V., Hall, M. (eds.) PLDI, pp. 213–223. ACM (2005)Google Scholar
  10. 10.
    Hopcroft, J., Motwani, R., Ullman, J.: Introduction to automata theory, languages, and computation. Pearson/Addison Wesley (2007)Google Scholar
  11. 11.
    Ilie, L., Plandowski, W.: Two-variable word equations. ITA 34(6), 467–501 (2000)MathSciNetMATHGoogle Scholar
  12. 12.
    Karhumäki, J., Mignosi, F., Plandowski, W.: The expressibility of languages and relations by word equations. J. ACM 47(3), 483–505 (2000)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Kiezun, A., Ganesh, V., Guo, P., Hooimeijer, P., Ernst, M.: HAMPI: a solver for string constraints. In: Rothermel, G., Dillon, L. (eds.) ISSTA, pp. 105–116. ACM (2009)Google Scholar
  14. 14.
    Majumdar, R.: Private correspondence. SWS, MPI, Kaiserslautern, Germany (2010)Google Scholar
  15. 15.
    Makanin, G.: The problem of solvability of equations in a free semigroup. Math. Sbornik 103, 147–236 (1977); English transl. in Math USSR Sbornik 32 (1977)Google Scholar
  16. 16.
    Marchenkov, S.S.: Unsolvability of positive ∀ ∃-theory of free semi-group. Sibirsky Mathmatichesky Jurnal 23(1), 196–198 (1982)MathSciNetMATHGoogle Scholar
  17. 17.
    Matiyasevich, Y.: Word equations, Fibonacci numbers, and Hilbert’s tenth problem (2006) (unpublished), http://logic.pdmi.ras.ru/?yumat/Journal/jcontord.htm
  18. 18.
    Matiyasevich, Y.: Computation paradigms in light of Hilbert’s Tenth Problem. In: Cooper, S., Löwe, B., Sorbi, A. (eds.) New Computational Paradigms, pp. 59–85. Springer, New York (2008)CrossRefGoogle Scholar
  19. 19.
    Möller, O.: ∃ BV [n] solvability. SRI International, Menlo Park, CA, USA (October 1996) (unpublished manuscript)Google Scholar
  20. 20.
    Plandowski, W.: Satisfiability of word equations with constants is in PSPACE. In: FOCS, pp. 495–500. IEEE Computer Society (1999)Google Scholar
  21. 21.
    Plandowski, W.: An efficient algorithm for solving word equations. In: Kleinberg, J. (ed.) STOC, pp. 467–476. ACM (2006)Google Scholar
  22. 22.
    Presburger, M.: Über de vollständigkeit eines gewissen systems der arithmetik ganzer zahlen, in welchen, die addition als einzige operation hervortritt. In: Comptes Rendus du Premier Congrès des Mathématicienes des Pays Slaves, Warsaw, pp. 92–101, 395 (1927)Google Scholar
  23. 23.
    Quine, W.V.: Concatenation as a basis for arithmetic. The Journal of Symbolic Logic 11(4), 105–114 (1946)MathSciNetMATHCrossRefGoogle Scholar
  24. 24.
    Robson, J.M., Diekert, V.: On quadratic word equations. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 217–226. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  25. 25.
    Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: IEEE Symposium on Security and Privacy, pp. 513–528. IEEE Computer Society (2010)Google Scholar
  26. 26.
    Schulz, K.U.: Makanin’s algorithm for word equations-two improvements and a generalization. In: Schulz, K.U. (ed.) IWWERT 1990. LNCS, vol. 572, pp. 85–150. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  27. 27.
    Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Ferrante, J., McKinley, K. (eds.) PLDI, pp. 32–41. ACM (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Vijay Ganesh
    • 1
  • Mia Minnes
    • 2
  • Armando Solar-Lezama
    • 1
  • Martin Rinard
    • 1
  1. 1.Massachusetts Institute of TechnologyUSA
  2. 2.University of CaliforniaSan DiegoUSA

Personalised recommendations