
A Symbolic Algorithm for the Case-Split Rule in String Constraint Solving

  • Conference paper
  • Programming Languages and Systems (APLAS 2020)

Abstract

Case split is a core proof rule in current decision procedures for the theory of string constraints. Its use is the primary cause of the state space explosion in string constraint solving, since it is the only rule that creates branches in the proof tree. Moreover, explicit handling of the case-split rule may cause the same tasks to be recomputed in multiple branches of the proof tree. In this paper, we propose a symbolic algorithm that significantly reduces such redundancy. In particular, we encode a string constraint as a regular language and proof rules as rational transducers. This allows similar steps in the proof tree to be performed only once, alleviating the state space explosion. In our preliminary experimental results, we validated that our technique (implemented in a Python prototype) works in many practical cases where other state-of-the-art solvers, such as CVC4 or Z3, fail to provide an answer.


Notes

  1. For instance, when Z3 receives the word equation \(xy=yax\), it infers the length constraint \(|x|+|y| = |y|+1+|x|\), which implies unsatisfiability of the word equation without the need to start applying the case-split rule at all.
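The note contrasts two ways of refuting \(xy = yax\): the length abstraction that Z3 infers up front, and the explicit case-split (Nielsen) rule whose branching and recomputation the abstract describes. The following added example (not the paper's Python prototype) implements both for a toy word-equation syntax; it assumes, as a constructed convention, that the letters x, y, z are string variables and every other letter is a constant.

```python
from collections import Counter

VARS = "xyz"  # constructed convention: x, y, z are variables, any other letter is a constant

def length_abstraction(lhs: str, rhs: str):
    """Linear length constraint implied by |lhs| = |rhs|, as ({var: coeff}, const)
    meaning sum(coeff[v] * |v|) + const == 0.  For xy = yax this is ({}, -1)."""
    coeff, const = Counter(), 0
    for side, sign in ((lhs, 1), (rhs, -1)):
        for c in side:
            if c in VARS:
                coeff[c] += sign
            else:
                const += sign
    return {v: k for v, k in coeff.items() if k}, const

def unsat_by_length(lhs: str, rhs: str) -> bool:
    """Sound but incomplete refutation: lengths are non-negative, so the constraint has
    no solution when every remaining coefficient has the same sign as a non-zero const."""
    coeff, const = length_abstraction(lhs, rhs)
    return const != 0 and all(k * const > 0 for k in coeff.values())

def case_split(lhs: str, rhs: str, budget: int = 10_000):
    """Explicit case-split (Nielsen) proof search: True (sat), False (unsat), None (budget
    exhausted).  For quadratic equations the reachable equations are finite, so it is exact."""
    seen = set()
    def subst(eq, var, by):
        return tuple(side.replace(var, by) for side in eq)
    def search(eq):
        if eq in seen:                 # explored already or an ancestor: nothing new here
            return False
        if len(seen) >= budget:
            return None
        seen.add(eq)
        l, r = eq
        if not l or not r:             # one side empty: solvable iff the rest is variables only
            return all(c in VARS for c in l + r)
        a, b = l[0], r[0]
        if a == b:                     # equal heads cancel
            return search((l[1:], r[1:]))
        if a not in VARS and b not in VARS:
            return False               # two different constants clash
        branches = []                  # the case split: v is empty, or v starts with the other head
        for v, other in ((a, b), (b, a)):
            if v in VARS:
                branches += [subst(eq, v, ""), subst(eq, v, other + v)]
        results = [search(br) for br in branches]
        return True if True in results else (None if None in results else False)
    return search((lhs, rhs))
```

Running `case_split("xy", "yax")` visits every reachable equation before answering False, while `unsat_by_length("xy", "yax")` refutes it from the length constraint alone, which is the shortcut the note describes.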


Acknowledgment

We thank the anonymous reviewers for helpful comments on how to improve the paper and Mohamed Faouzi Atig for discussing the topic. This work has been partially supported by the Guangdong Science and Technology Department (grant no. 2018B010107004), by the National Natural Science Foundation of China (grant nos. 61761136011, 61532019, 61836005), the Czech Ministry of Education, Youth and Sports project LL1908 of the ERC.CZ programme, the Czech Science Foundation project 20-07487S, the FIT BUT internal project FIT-S-20-6427, and the project of Ministry of Science and Technology, Taiwan (grant nos. 109-2628-E-001-001-MY3 and 106-2221-E-001-009-MY3).

Corresponding author

Correspondence to Ondřej Lengál .

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Chen, Y.-F., Havlena, V., Lengál, O., Turrini, A. (2020). A Symbolic Algorithm for the Case-Split Rule in String Constraint Solving. In: Oliveira, B.C.d.S. (ed.) Programming Languages and Systems. APLAS 2020. Lecture Notes in Computer Science, vol. 12470. Springer, Cham. https://doi.org/10.1007/978-3-030-64437-6_18

  • DOI: https://doi.org/10.1007/978-3-030-64437-6_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64436-9

  • Online ISBN: 978-3-030-64437-6
