Word Equations with Length Constraints: What’s Decidable?

• Vijay Ganesh
• Mia Minnes
• Armando Solar-Lezama
• Martin Rinard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7857)

Abstract

We prove several decidability and undecidability results for the satisfiability and validity problems for languages that can express solutions to word equations with length constraints. The atomic formulas over this language are equality over string terms (word equations), linear inequality over the length function (length constraints), and membership in regular sets. These questions are important in logic, program analysis, and formal verification. Variants of these questions have been studied for many decades by mathematicians. More recently, practical satisfiability procedures (aka SMT solvers) for these formulas have become increasingly important in the context of security analysis for string-manipulating programs such as web applications.

We prove three main theorems. First, we give a new proof of undecidability for the validity problem for the set of sentences written as a ∀ ∃ quantifier alternation applied to positive word equations. A corollary of this undecidability result is that this set is undecidable even with sentences with at most two occurrences of a string variable. Second, we consider Boolean combinations of quantifier-free formulas constructed out of word equations and length constraints. We show that if word equations can be converted to a solved form, a form relevant in practice, then the satisfiability problem for Boolean combinations of word equations and length constraints is decidable. Third, we show that the satisfiability problem for quantifier-free formulas over word equations in regular solved form, length constraints, and the membership predicate over regular expressions is also decidable.

Preview

References

1. 1.
Blumensath, A.: Automatic structures. Diploma thesis, RWTH-Aachen (1999)Google Scholar
2. 2.
Cadar, C., Ganesh, V., Pawlowski, P., Dill, D., Engler, D.: EXE: automatically generating inputs of death. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM Conference on Computer and Communications Security, pp. 322–335. ACM (2006)Google Scholar
3. 3.
Charatonik, W., Pacholski, L.: Word equations with two variables. In: Abdulrab, H., Pécuchet, J.-P. (eds.) IWWERT 1991. LNCS, vol. 677, pp. 43–56. Springer, Heidelberg (1993)
4. 4.
Dabrowski, R., Plandowski, W.: On word equations in one variable. Algorithmica 60(4), 819–828 (2011)
5. 5.
Durnev, V.: Undecidability of the positive ∀ ∃ 3-theory of a free semigroup. Siberian Mathematical Journal 36(5), 1067–1080 (1995)
6. 6.
Ebbinghaus, H.-D., Flum, J., Thomas, W.: Mathematical Logic. Undergraduate Texts in Mathematics. Springer (1994)Google Scholar
7. 7.
Emmi, M., Majumdar, R., Sen, K.: Dynamic test input generation for database applications. In: Rosenblum, D., Elbaum, S. (eds.) ISSTA, pp. 151–162. ACM (2007)Google Scholar
8. 8.
Ganesh, V., Kieżun, A., Artzi, S., Guo, P.J., Hooimeijer, P., Ernst, M.: HAMPI: A string solver for testing, analysis and vulnerability detection. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 1–19. Springer, Heidelberg (2011)
9. 9.
Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Sarkar, V., Hall, M. (eds.) PLDI, pp. 213–223. ACM (2005)Google Scholar
10. 10.
Hopcroft, J., Motwani, R., Ullman, J.: Introduction to automata theory, languages, and computation. Pearson/Addison Wesley (2007)Google Scholar
11. 11.
Ilie, L., Plandowski, W.: Two-variable word equations. ITA 34(6), 467–501 (2000)
12. 12.
Karhumäki, J., Mignosi, F., Plandowski, W.: The expressibility of languages and relations by word equations. J. ACM 47(3), 483–505 (2000)
13. 13.
Kiezun, A., Ganesh, V., Guo, P., Hooimeijer, P., Ernst, M.: HAMPI: a solver for string constraints. In: Rothermel, G., Dillon, L. (eds.) ISSTA, pp. 105–116. ACM (2009)Google Scholar
14. 14.
Majumdar, R.: Private correspondence. SWS, MPI, Kaiserslautern, Germany (2010)Google Scholar
15. 15.
Makanin, G.: The problem of solvability of equations in a free semigroup. Math. Sbornik 103, 147–236 (1977); English transl. in Math USSR Sbornik 32 (1977)Google Scholar
16. 16.
Marchenkov, S.S.: Unsolvability of positive ∀ ∃-theory of free semi-group. Sibirsky Mathmatichesky Jurnal 23(1), 196–198 (1982)
17. 17.
Matiyasevich, Y.: Word equations, Fibonacci numbers, and Hilbert’s tenth problem (2006) (unpublished), http://logic.pdmi.ras.ru/?yumat/Journal/jcontord.htm
18. 18.
Matiyasevich, Y.: Computation paradigms in light of Hilbert’s Tenth Problem. In: Cooper, S., Löwe, B., Sorbi, A. (eds.) New Computational Paradigms, pp. 59–85. Springer, New York (2008)
19. 19.
Möller, O.: ∃ BV [n] solvability. SRI International, Menlo Park, CA, USA (October 1996) (unpublished manuscript)Google Scholar
20. 20.
Plandowski, W.: Satisfiability of word equations with constants is in PSPACE. In: FOCS, pp. 495–500. IEEE Computer Society (1999)Google Scholar
21. 21.
Plandowski, W.: An efficient algorithm for solving word equations. In: Kleinberg, J. (ed.) STOC, pp. 467–476. ACM (2006)Google Scholar
22. 22.
Presburger, M.: Über de vollständigkeit eines gewissen systems der arithmetik ganzer zahlen, in welchen, die addition als einzige operation hervortritt. In: Comptes Rendus du Premier Congrès des Mathématicienes des Pays Slaves, Warsaw, pp. 92–101, 395 (1927)Google Scholar
23. 23.
Quine, W.V.: Concatenation as a basis for arithmetic. The Journal of Symbolic Logic 11(4), 105–114 (1946)
24. 24.
Robson, J.M., Diekert, V.: On quadratic word equations. In: Meinel, C., Tison, S. (eds.) STACS 1999. LNCS, vol. 1563, pp. 217–226. Springer, Heidelberg (1999)
25. 25.
Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: IEEE Symposium on Security and Privacy, pp. 513–528. IEEE Computer Society (2010)Google Scholar
26. 26.
Schulz, K.U.: Makanin’s algorithm for word equations-two improvements and a generalization. In: Schulz, K.U. (ed.) IWWERT 1990. LNCS, vol. 572, pp. 85–150. Springer, Heidelberg (1992)
27. 27.
Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Ferrante, J., McKinley, K. (eds.) PLDI, pp. 32–41. ACM (2007)Google Scholar

Authors and Affiliations

• Vijay Ganesh
• 1
• Mia Minnes
• 2
• Armando Solar-Lezama
• 1
• Martin Rinard
• 1
1. 1.Massachusetts Institute of TechnologyUSA
2. 2.University of CaliforniaSan DiegoUSA