Word Equations in Synergy with Regular Constraints

  • Conference paper
Formal Methods (FM 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14000)

Abstract

We argue that in string solving, word equations and regular constraints are better mixed together than approached separately as in most current string solvers. We propose a fast algorithm, complete for the fragment of chain-free constraints, in which word equations and regular constraints are tightly integrated and exchange information, efficiently pruning the cases generated by each other and limiting possible combinatorial explosion. The algorithm is based on a novel language-based characterisation of satisfiability of word equations with regular constraints. We experimentally show that our prototype implementation is competitive with the best string solvers and even superior in that it is the fastest on difficult examples and has the least number of timeouts.

Notes

  1. Note that terms with letters from \(\Sigma\), sometimes used in our examples, can be encoded by replacing each occurrence \(o\) of a letter \(a\) by a fresh variable \(x_o\) and a regular constraint \(x_o \in \{a\}\).

Acknowledgements

This work was supported by the Czech Ministry of Education, Youth and Sports project LL1908 of the ERC.CZ programme, the Czech Science Foundation project GA20-07487S, the FIT BUT internal project FIT-S-20-6427, and the project of Ministry of Science and Technology, Taiwan (grant no. 109-2628-E-001-001-MY3).

Corresponding author

Correspondence to Lukáš Holík.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Blahoudek, F. et al. (2023). Word Equations in Synergy with Regular Constraints. In: Chechik, M., Katoen, JP., Leucker, M. (eds) Formal Methods. FM 2023. Lecture Notes in Computer Science, vol 14000. Springer, Cham. https://doi.org/10.1007/978-3-031-27481-7_23

  • DOI: https://doi.org/10.1007/978-3-031-27481-7_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-27480-0

  • Online ISBN: 978-3-031-27481-7

  • eBook Packages: Computer Science (R0)
