Word Equations with Length Constraints: What's Decidable?

We prove several decidability and undecidability results for the satisfiability and validity problems for languages that can express solutions to word equations with length constraints. The atomic formulas over this language are equality over string terms (word equations), linear inequality over the length function (length constraints), and membership in regular sets. These questions are important in logic, program analysis, and formal verification. Variants of these questions have been studied for many decades by mathematicians. More recently, practical satisfiability procedures (aka SMT solvers) for these formulas have become increasingly important in the context of security analysis for string-manipulating programs such as web applications. We prove three main theorems. First, we give a new proof of undecidability for the validity problem for the set of sentences written as a ∀∃ quantifier alternation applied to positive word equations. A corollary of this undecidability result is that this set is undecidable even with sentences with at most two occurrences of a string variable. Second, we consider Boolean combinations of quantifier-free formulas constructed out of word equations and length constraints. We show that if word equations can be converted to a solved form, a form relevant in practice, then the satisfiability problem for Boolean combinations of word equations and length constraints is decidable. Third, we show that the satisfiability problem for quantifier-free formulas over word equations in regular solved form, length constraints, and the membership predicate over regular expressions is also decidable.
