Unbounded Model-Checking with Interpolation for Regular Language Constraints

  • Graeme Gange
  • Jorge A. Navas
  • Peter J. Stuckey
  • Harald Søndergaard
  • Peter Schachte
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7795)


We present a decision procedure for the problem of, given a set of regular expressions R 1, …, R n , determining whether R = R 1 ∩ ⋯ ∩ R n is empty. Our solver, revenant, finitely unrolls automata for R 1, …, R n , encoding each as a set of propositional constraints. If a SAT solver determines satisfiability then R is non-empty. Otherwise our solver uses unbounded model checking techniques to extract an interpolant from the bounded proof. This interpolant serves as an overapproximation of R. If the solver reaches a fixed-point with the constraints remaining unsatisfiable, it has proven R to be empty. Otherwise, it increases the unrolling depth and repeats. We compare revenant with other state-of-the-art string solvers. Evaluation suggests that it behaves better for constraints that express the intersection of sets of regular languages, a case of interest in the context of verification.


Model Check Regular Expression Transition Relation Regular Language Reachable State 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Axelsson, R., Heljanko, K., Lange, M.: Analyzing Context-Free Grammars Using an Incremental SAT Solver. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 410–422. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Chaki, S., Clarke, E., Kidd, N., Reps, T., Touili, T.: Verifying Concurrent Message-Passing C Programs with Recursive Calls. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 334–349. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Chaki, S., Clarke, E.M., Groce, A., Jha, S., Veith, H.: Modular verification of software components in C. IEEE Transactions on Software Engineering 30(6), 388–402 (2004)CrossRefGoogle Scholar
  4. 4.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-Guided Abstraction Refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Craig, W.: Linear reasoning: A new form of the Herbrand-Gentzen theorem. Journal of Symbolic Logic 22(3), 250–268 (1957)MathSciNetzbMATHCrossRefGoogle Scholar
  6. 6.
    de Moura, L., Bjørner, N.S.: Z3: An Efficient SMT Solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. 7.
    Griggio, A.: A Practical Approach to Satisfiability Modulo Linear Integer Arithmetic. JSAT 8, 1–27 (2012)MathSciNetGoogle Scholar
  8. 8.
    Hooimeijer, P., Veanes, M.: An Evaluation of Automata Algorithms for String Analysis. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 248–262. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Hooimeijer, P., Weimer, W.: A decision procedure for subset constraints over regular languages. In: Proc. 2009 ACM SIGPLAN Conf. Programming Language Design and Implementation, pp. 188–198. ACM (2009)Google Scholar
  10. 10.
    Hooimeijer, P., Weimer, W.: Solving string constraints lazily. In: Proc. IEEE/ACM Conf. Automated Software Engineering, pp. 377–386 (2010)Google Scholar
  11. 11.
    Hooimeijer, P., Weimer, W.: StrSolve: Solving string constraints lazily. Automated Software Engineering 19(4), 531–559 (2012)CrossRefGoogle Scholar
  12. 12.
    Ilie, L., Solis-Oba, R., Yu, S.: Reducing the Size of NFAs by Using Equivalences and Preorders. In: Apostolico, A., Crochemore, M., Park, K. (eds.) CPM 2005. LNCS, vol. 3537, pp. 310–321. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Ilie, L., Yu, S.: Reducing NFAs by invariant equivalences. Theoretical Computer Science 306(1-3), 373–390 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  14. 14.
    Kiezun, A., Ganesh, V., Guo, P.J., Hooimeijer, P., Ernst, M.D.: HAMPI: A solver for string constraints. In: Proc. 18th Int. Symp. Software Testing and Analysis (ISSTA 2009), pp. 105–116. ACM (2009)Google Scholar
  15. 15.
    Li, N., Xie, T., Tillmann, N., de Halleux, J., Schulte, W.: Reggae: Automated test generation for programs using complex regular expressions. In: Proc. 24th IEEE/ACM Int. Conf. Automated Software Engineering, pp. 515–519 (2009)Google Scholar
  16. 16.
    McMillan, K.L.: Interpolation and SAT-Based Model Checking. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    McMillan, K.L.: An interpolating theorem prover. Theoretical Computer Science 345(1), 101–121 (2005)MathSciNetzbMATHCrossRefGoogle Scholar
  18. 18.
    Minamide, Y.: Static approximation of dynamically generated web pages. In: Proc. 14th Int. Conf. World Wide Web, pp. 432–441. ACM Press (2005)Google Scholar
  19. 19.
    Pudlák, P.: Lower bounds for resolution and cutting plane proofs and monotone computations. Journal of Symbolic Logic 62(2), 981–998 (1997)MathSciNetzbMATHCrossRefGoogle Scholar
  20. 20.
    Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: Proc. IEEE Symp. Security and Privacy, pp. 513–528. IEEE Computer Society (2010)Google Scholar
  21. 21.
    Veanes, M., de Halleux, P., Tillman, N.: Rex: Symbolic regular expression explorer. Microsoft Research Technical Report MSR-TR-2009-137, Microsoft Research, Redmond, WA (2009)Google Scholar
  22. 22.
    Veanes, M., de Halleux, P., Tillmann, N.: Rex: Symbolic regular expression explorer. In: Proc. Third Int. Conf. Software Testing, Verification and Validation, pp. 498–507. IEEE Comp. Soc. (2010)Google Scholar
  23. 23.
    Wassermann, G., Su, Z.: Sound and precise analysis of web applications for injection vulnerabilities. In: Proc. ACM SIGPLAN 2007 Conf. Programming Language Design and Implementation, pp. 32–41 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Graeme Gange
    • 1
  • Jorge A. Navas
    • 1
  • Peter J. Stuckey
    • 1
  • Harald Søndergaard
    • 1
  • Peter Schachte
    • 1
  1. 1.The University of MelbourneAustralia

Personalised recommendations