Abstract
In this paper, we propose a decision procedure for a class of string-manipulating programs which includes not only a wide range of string operations such as concatenation, replaceAll, reverse, and finite transducers, but also those involving the integer data-type such as length, indexof, and substring. To the best of our knowledge, this represents one of the most expressive string constraint languages that is currently known to be decidable. Our decision procedure is based on a variant of cost register automata. We implement the decision procedure, giving rise to a new solver OSTRICH+. We evaluate the performance of OSTRICH+ on a wide range of existing and new benchmarks. The experimental results show that OSTRICH+ is the first string decision procedure capable of tackling finite transducers and integer constraints, whilst its overall performance is comparable with the state-of-the-art string constraint solvers.
Acknowledgements
T. Chen and Z. Wu are supported by Guangdong Science and Technology Department grant (No. 2018B010107004); T. Chen is also supported by Overseas Grant (KFKT2018A16) from the State Key Laboratory of Novel Software Technology, Nanjing University, China and Natural Science Foundation of Guangdong Province, China (No. 2019A1515011689). M. Hague is supported by EPSRC [EP/T00021X/1]. A. Lin is supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no 759969). P. Rümmer is supported by the Swedish Research Council (VR) under grant 2018-04727, and by the Swedish Foundation for Strategic Research (SSF) under the project WebSec (Ref. RIT17-0011). Z. Wu is supported by the Open Project of Shanghai Key Laboratory of Trustworthy Computing (No. 07dz22304201601), the NSFC grants (No. 61872340), and the INRIA-CAS joint research project VIP.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chen, T. et al. (2020). A Decision Procedure for Path Feasibility of String Manipulating Programs with Integer Data Type. In: Hung, D.V., Sokolsky, O. (eds) Automated Technology for Verification and Analysis. ATVA 2020. Lecture Notes in Computer Science, vol 12302. Springer, Cham. https://doi.org/10.1007/978-3-030-59152-6_18
DOI: https://doi.org/10.1007/978-3-030-59152-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59151-9
Online ISBN: 978-3-030-59152-6
eBook Packages: Computer Science (R0)