Unbounded Model-Checking with Interpolation for Regular Language Constraints

We present a decision procedure for the problem of, given a set of regular expressions R1, …, Rn, determining whether R=R1∩⋯∩Rn is empty. Our solver, revenant, finitely unrolls automata for R1, …, Rn, encoding each as a set of propositional constraints. If a SAT solver determines satisfiability then R is non-empty. Otherwise our solver uses unbounded model checking techniques to extract an interpolant from the bounded proof. This interpolant serves as an overapproximation of R. If the solver reaches a fixed-point with the constraints remaining unsatisfiable, it has proven R to be empty. Otherwise, it increases the unrolling depth and repeats. We compare revenant with other state-of-the-art string solvers. Evaluation suggests that it behaves better for constraints that express the intersection of sets of regular languages, a case of interest in the context of verification.

[1]  Kenneth L. McMillan,et al.  An interpolating theorem prover , 2005, Theor. Comput. Sci..

[2]  Westley Weimer,et al.  Solving string constraints lazily , 2010, ASE.

[3]  William Craig,et al.  Linear reasoning. A new form of the Herbrand-Gentzen theorem , 1957, Journal of Symbolic Logic.

[4]  Lucian Ilie,et al.  Reducing NFAs by invariant equivalences , 2003, Theor. Comput. Sci..

[5]  G. S. Tseitin On the Complexity of Derivation in Propositional Calculus , 1983 .

[6]  Margus Veanes,et al.  An Evaluation of Automata Algorithms for String Analysis , 2011, VMCAI.

[7]  Nikolai Tillmann,et al.  Reggae: Automated Test Generation for Programs Using Complex Regular Expressions , 2009, 2009 IEEE/ACM International Conference on Automated Software Engineering.

[8]  Alberto Griggio,et al.  A Practical Approach to Satisability Modulo Linear Integer Arithmetic , 2012, J. Satisf. Boolean Model. Comput..

[9]  David A. Plaisted,et al.  A Structure-Preserving Clause Form Translation , 1986, J. Symb. Comput..

[10]  Roberto Solis-Oba,et al.  Reducing the Size of NFAs by Using Equivalences and Preorders , 2005, CPM.

[11]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[12]  Martin Lange,et al.  Analyzing Context-Free Grammars Using an Incremental SAT Solver , 2008, ICALP.

[13]  Sagar Chaki,et al.  Verifying Concurrent Message-Passing C Programs with Recursive Calls , 2006, TACAS.

[14]  Margus Veanes,et al.  Rex: Symbolic Regular Expression Explorer , 2010, 2010 Third International Conference on Software Testing, Verification and Validation.

[15]  Yasuhiko Minamide,et al.  Static approximation of dynamically generated Web pages , 2005, WWW '05.

[16]  Michael D. Ernst,et al.  HAMPI: a solver for string constraints , 2009, ISSTA.

[17]  Zhendong Su,et al.  Sound and precise analysis of web applications for injection vulnerabilities , 2007, PLDI '07.

[18]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[19]  Westley Weimer,et al.  StrSolve: solving string constraints lazily , 2012, Automated Software Engineering.

[20]  Edmund M. Clarke,et al.  Counterexample-guided abstraction refinement , 2003, 10th International Symposium on Temporal Representation and Reasoning, 2003 and Fourth International Conference on Temporal Logic. Proceedings..

[21]  Niklas Sörensson,et al.  Translating Pseudo-Boolean Constraints into SAT , 2006, J. Satisf. Boolean Model. Comput..

[22]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[23]  Alex Groce,et al.  Modular verification of software components in C , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[24]  Kousha Etessami,et al.  Analysis of Recursive Game Graphs Using Data Flow Equations , 2004, VMCAI.

[25]  Westley Weimer,et al.  A decision procedure for subset constraints over regular languages , 2009, PLDI '09.

[26]  Pavel Pudlák,et al.  Lower bounds for resolution and cutting plane proofs and monotone computations , 1997, Journal of Symbolic Logic.

[27]  Kenneth L. McMillan,et al.  Interpolation and SAT-Based Model Checking , 2003, CAV.

[28]  Steve Hanna,et al.  A Symbolic Execution Framework for JavaScript , 2010, 2010 IEEE Symposium on Security and Privacy.