String Constraints for Verification

We present a decision procedure for a logic that combines (i) word equations over string variables denoting words of arbitrary lengths, together with (ii) constraints on the length of words, and on (iii) the regular languages to which words belong. Decidability of this general logic is still open. Our procedure is sound for the general logic, and a decision procedure for a particularly rich fragment that restricts the form in which word equations are written. In contrast to many existing procedures, our method does not make assumptions about the maximum length of words. We have developed a prototypical implementation of our decision procedure, and integrated it into a CEGAR-based model checker for the analysis of programs encoded as Horn clauses. Our tool is able to automatically establish the correctness of several programs that are beyond the reach of existing methods.
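As an added illustration (not the paper's procedure or its prototype), the following Python sketch shows what a constraint in this three-part logic looks like and checks it by bounded enumeration; the bound is exactly the assumption the paper's method avoids, so the sketch can find models but can never prove unsatisfiability. All function and variable names are assumptions.

```python
import itertools
import re

# Constructed example: a constraint has three parts, mirroring the abstract.
#   (i)   word equations   lhs = rhs, each side a concatenation of
#         variables (written "$x") and constant words
#   (ii)  length constraints, given as predicates over {var: len(word)}
#   (iii) regular membership, given as (var, regex) pairs
# solve_bounded enumerates every assignment of words up to max_len over the
# alphabet. Returning None therefore means "no model within the bound",
# NOT "unsatisfiable"; an unbounded procedure is needed for that verdict.

def concat(term, env):
    """Evaluate a concatenation term under the assignment env."""
    return "".join(env[t[1:]] if t.startswith("$") else t for t in term)

def solve_bounded(variables, alphabet, max_len, equations, length_preds, memberships):
    regexes = {v: re.compile(r) for v, r in memberships}
    words = ["".join(w) for n in range(max_len + 1)
             for w in itertools.product(alphabet, repeat=n)]
    for choice in itertools.product(words, repeat=len(variables)):
        env = dict(zip(variables, choice))
        if any(concat(l, env) != concat(r, env) for l, r in equations):
            continue
        lens = {v: len(w) for v, w in env.items()}
        if any(not p(lens) for p in length_preds):
            continue
        if any(regexes[v].fullmatch(env[v]) is None for v, _ in memberships):
            continue
        return env
    return None

def demo_sat():
    # x . "a" = "a" . x  (so x is in a*),  len(x) = 2*len(y) + 1,  y in b*
    return solve_bounded(
        ["x", "y"], "ab", 4,
        equations=[(["$x", "a"], ["a", "$x"])],
        length_preds=[lambda L: L["x"] == 2 * L["y"] + 1],
        memberships=[("y", "b*")])

def demo_no_model_in_bound():
    # x . "a" = "b" . x has no solution at all, but bounded search only
    # reports that none exists up to the bound.
    return solve_bounded(["x"], "ab", 4,
                         equations=[(["$x", "a"], ["b", "$x"])],
                         length_preds=[], memberships=[])

if __name__ == "__main__":
    print(demo_sat())                 # {'x': 'a', 'y': ''}
    print(demo_no_model_in_bound())   # None
```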
