High-Level Abstractions for Simplifying Extended String Constraints in SMT

Satisfiability Modulo Theories (SMT) solvers with support for the theory of strings have recently emerged as powerful tools for reasoning about string-manipulating programs. However, due to the complex semantics of extended string functions, it is challenging to develop scalable solvers for the string constraints produced by program analysis tools. We identify several classes of simplification techniques that are critical for the efficient processing of string constraints in SMT solvers. These techniques can reduce the size and complexity of input constraints by reasoning about arithmetic entailment, multisets, and string containment relationships over input terms. We provide experimental evidence that implementing them results in significant improvements over the performance of state-of-the-art SMT solvers for extended string constraints.
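The following toy rewriter is an added illustration, not code from the paper or from any SMT solver it evaluates; it shows, on a minimal term language of concatenations of string constants and variables, the three kinds of reasoning the abstract names. The term representation, the rule set and all names (`Var`, `concat`, `simplify_length_geq`, `simplify_equality`, `simplify_contains`) are constructed for this example and are simpler than the rules a production solver would use. Each simplifier returns `True` or `False` when the reasoning decides the constraint and `None` when it must be handed to the full solver, which is the shape a preprocessing pass in front of a string solver typically takes.

```python
# Toy simplifier for extended string constraints (constructed example; the term
# language and rules are illustrative, not the paper's or any solver's own).
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class Var:
    """A string variable; frozen so it can be counted in a multiset."""
    name: str


Comp = Union[str, Var]
Concat = Tuple[Comp, ...]   # a concatenation: constants and variables in order


def concat(*parts: Comp) -> Concat:
    """Normalise a concatenation: drop empty constants, merge adjacent ones."""
    out: list = []
    for p in parts:
        if isinstance(p, str):
            if not p:
                continue
            if out and isinstance(out[-1], str):
                out[-1] += p
                continue
        out.append(p)
    return tuple(out)


def is_ground(t: Concat) -> bool:
    return all(isinstance(p, str) for p in t)


def min_length(t: Concat) -> int:
    """Arithmetic entailment: variables may be empty but constants cannot
    shrink, so every model of t has at least this many characters."""
    return sum(len(p) for p in t if isinstance(p, str))


def simplify_length_geq(t: Concat, k: int) -> Optional[bool]:
    """Simplify len(t) >= k using the entailed lower bound on len(t)."""
    lb = min_length(t)
    if k <= lb:
        return True            # entailed for every model of t
    if is_ground(t):
        return False           # length is exactly lb, and lb < k
    return None                # depends on the variables; leave to the solver


def simplify_equality(lhs: Concat, rhs: Concat) -> Optional[bool]:
    """Multiset reasoning: if both sides carry the same multiset of variables,
    the character multisets of their constant parts must coincide."""
    if lhs == rhs:
        return True
    lv = Counter(p for p in lhs if isinstance(p, Var))
    rv = Counter(p for p in rhs if isinstance(p, Var))
    if lv != rv:
        return None            # an unmatched variable can absorb any characters
    lc = Counter("".join(p for p in lhs if isinstance(p, str)))
    rc = Counter("".join(p for p in rhs if isinstance(p, str)))
    if lc != rc:
        return False           # no assignment to the variables can fix this
    return None                # same multisets, but order is still unknown


def simplify_contains(t: Concat, needle: str) -> Optional[bool]:
    """Containment reasoning over the structure of t."""
    if needle == "":
        return True
    if any(isinstance(p, str) and needle in p for p in t):
        return True            # a constant component already contains needle
    if is_ground(t):
        return False           # ground term (one constant after normalisation)
    return None                # a variable might still supply the needle


def demo() -> dict:
    """Run the three simplifiers on constructed constraints."""
    x, y = Var("x"), Var("y")
    return {
        "len(x.abc.y) >= 3": simplify_length_geq(concat(x, "abc", y), 3),
        "len(x.abc.y) >= 4": simplify_length_geq(concat(x, "abc", y), 4),
        "len(abc) >= 4":     simplify_length_geq(concat("ab", "c"), 4),
        "x.ab = b.x":        simplify_equality(concat(x, "ab"), concat("b", x)),
        "x.ab = ba.x":       simplify_equality(concat(x, "ab"), concat("ba", x)),
        "x.ab = b.y":        simplify_equality(concat(x, "ab"), concat("b", y)),
        "contains(x.abc.y, bc)": simplify_contains(concat(x, "abc", y), "bc"),
        "contains(abc, d)":  simplify_contains(concat("ab", "c"), "d"),
        "contains(x.a, bb)": simplify_contains(concat(x, "a"), "bb"),
    }


if __name__ == "__main__":
    for constraint, result in demo().items():
        print(f"{constraint:28} -> {result}")
```

The equality rule is the one worth reading twice: `x ++ "ab" = "b" ++ x` is refuted without any case split, because cancelling `x` from both sides leaves constant parts whose character multisets differ, whereas `x ++ "ab" = "ba" ++ x` is left open (and is in fact satisfiable, e.g. with `x = "b"`). A preprocessing pass that answers the first kind of query immediately is exactly where the size reductions the abstract describes come from.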
