An SMT Solver for Regular Expressions and Linear Arithmetic over String Length

We present a novel length-aware solving algorithm for the quantifier-free first-order theory over the regex membership predicate and linear arithmetic over string length. We implement and evaluate this algorithm and related heuristics in the Z3 theorem prover. A crucial insight that underpins our algorithm is that real-world instances contain a wealth of information about upper and lower bounds on lengths of strings under constraints, and such information can be used very effectively to simplify operations on automata representing regular expressions. Additionally, we present a number of novel general heuristics, such as the prefix/suffix method, that can be used in conjunction with a variety of regex solving algorithms, making them more efficient. We showcase the power of our algorithm and heuristics via an extensive empirical evaluation over a large and diverse benchmark of 57256 regex-heavy instances, almost 75% of which are derived from industrial applications or contributed by other solver developers. Our solver outperforms five other state-of-the-art string solvers, namely, CVC4, OSTRICH, Z3seq, Z3str3, and Z3-Trau, over this benchmark, in particular achieving a 2.4x speedup over CVC4, 4.4x speedup over Z3seq, 6.4x speedup over Z3-Trau, 9.1x speedup over Z3str3, and 13x speedup over OSTRICH.
