research-article

HAMPI: a solver for string constraints

Authors:

Pieter Hooimeijer,

Michael D. ErnstAuthors Info & Claims

ISSTA '09: Proceedings of the eighteenth international symposium on Software testing and analysis

Pages 105 - 116

https://doi.org/10.1145/1572272.1572286

Published: 19 July 2009 Publication History

Abstract

Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of off-the-shelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive off-the-shelf solvers for string constraints generated by analysis techniques for string-manipulating programs.

We designed and implemented Hampi, a solver for string constraints over fixed-size string variables. Hampi constraints express membership in regular languages and fixed-size context-free languages. Hampi constraints may contain context-free-language definitions, regular language definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable.

Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi's source code, documentation, and the experimental data are available at http://people.csail.mit.edu/akiezun/hampi.

References

[1]

R. Axelsson, K. Heljank, and M. Lange. Analyzing context-free grammars using an incremental SAT solver. In ICALP, 2008.

Digital Library

[2]

A. Biere. Resolve and expand. In SAT, 2005.

Digital Library

[3]

A. Biere, A. Cimatti, E. Clarke, O. Strichman, and Y. Zhu. Bounded model checking. Advances in Computers, 2003.

[4]

N. Bjørner, N. Tillmann, and A. Voronkov. Path feasibility analysis for string-manipulating programs. In TACAS, 2009.

Digital Library

[5]

C. Cadar, D. Dunbar, and D. R. Engler. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, 2008.

Digital Library

[6]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: automatically generating inputs of death. In CCS, 2006.

Digital Library

[7]

A. S. Christensen, A. Møller, and M. I. Schwartzbach. Precise analysis of string expressions. In SAS, 2003.

Digital Library

[8]

E. M. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In TACAS, 2004.

[9]

L. de Moura and N. Bjørner. Z3: An Efficient SMT Solver. In TACAS, 2008.

Digital Library

[10]

M. Emmi, R. Majumdar, and K. Sen. Dynamic test input generation for database applications. In ISSTA, 2007.

Digital Library

[11]

Brics finite state automata utilities. http://www.brics.dk/automaton/faq.html.

[12]

Finite state automata utilities. http://www.let.rug.nl/~vannoord/Fsa/fsa.html.

[13]

AT&T FSM library. http://www.research.att.com/~fsmtools/fsm.

[14]

X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao. A static analysis framework for detecting SQL injection vulnerabilities. In COMPSAC, 2007.

Digital Library

[15]

V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV, 2007.

Digital Library

[16]

P. Godefroid, A. Kie|un, and M. Y. Levin. Grammar-based whitebox fuzzing. In PLDI, 2008.

Digital Library

[17]

P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In PLDI, 2005.

Digital Library

[18]

P. Godefroid, M. Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In NDSS, 2008.

[19]

S. Gulwani, S. Srivastava, and R. Venkatesan. Program analysis as constraint solving. In PLDI, 2008.

Digital Library

[20]

W. Halfond, A. Orso, and P. Manolios. WASP: Protecting Web applications using positive tainting and syntax-aware evaluation. IEEE TSE, 34(1), 2008.

Digital Library

[21]

P. Hooimeijer and W. Weimer. A decision procedure for subset constraints over regular languages. In PLDI, 2009.

Digital Library

[22]

D. Jackson and M. Vaziri. Finding bugs with a constraint solver. In ISSTA, 2000.

Digital Library

[23]

K. Jayaraman, D. Harvison, V. Ganesh, and A. Kie|un. jFuzz: A concolic whitebox fuzzer for Java. In NFM, 2009.

[24]

A. Kie|un, P. J. Guo, K. Jayaraman, and M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In ICSE, 2009.

[25]

N. Klarlund. Mona&Fido: The logic-automaton connection in practice. In WCSL, 1998.

Digital Library

[26]

R. Majumdar and R.-G. Xu. Directed test generation using symbolic grammars. In ASE, 2007.

Digital Library

[27]

G. Makanin. The problem of solvability of equations in a free semigroup. Sbornik: Mathematics, 32(2), 1977.

[28]

Y. Minamide. Static approximation of dynamically generated Web pages. In WWW, 2005.

Digital Library

[29]

M. Moskewicz, C. Madigan, Y. Zhao, L. Zhang, and S. Malik. Chaff: engineering an efficient SAT solver. In DAC, 2001.

Digital Library

[30]

G. Pesant. A regular language membership constraint for finite sequences of variables. In CP, 2004.

[31]

C. Quimper and T. Walsh. Global grammar constraints. In CP, 2006.

Digital Library

[32]

A. Rajasekar. Applications in constraint logic programming with strings. In PPCP, 1994.

Digital Library

[33]

H. Ruan, J. Zhang, and J. Yan. Test data generation for C programs with string-handling functions. In TASE, 2008.

Digital Library

[34]

K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In FSE, 2005.

Digital Library

[35]

D. Shannon, S. Hajra, A. Lee, D. Zhan, and S. Khurshid. Abstracting symbolic execution with string analysis. In TAICPART, 2007.

Digital Library

[36]

M. Sipser. Introduction to the Theory of Computation. Course Technology, 1996.

Digital Library

[37]

G. Wassermann and Z. Su. Sound and precise analysis of Web applications for injection vulnerabilities. In PLDI, 2007.

Digital Library

[38]

G. Wassermann and Z. Su. Static detection of cross-site scripting vulnerabilities. In ICSE, 2008.

Digital Library

[39]

G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su. Dynamic test input generation for Web applications. In ISSTA, 2008.

Digital Library

[40]

Y. Xie and A. Aiken. Saturn: A scalable framework for error detection using Boolean satisfiability. In CAV, 2007.

Cited By

Eriksson BStjerna ADe Masellis RRüemmer PSabelfeld AMeng WJensen CCremers CKirda E(2023)Black Ostrich: Web Application Scanning with String SolversProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616582(549-563)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616582
Day JGanesh VGrewal NManea F(2023)On the Expressive Power of String ConstraintsProceedings of the ACM on Programming Languages10.1145/35712037:POPL(278-308)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3571203
Meseguer J(2023)Variants and satisfiability in the infinitary unification wonderlandJournal of Logical and Algebraic Methods in Programming10.1016/j.jlamp.2023.100877134(100877)Online publication date: Aug-2023
https://doi.org/10.1016/j.jlamp.2023.100877
Show More Cited By

Index Terms

HAMPI: a solver for string constraints
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
      2. Software defect analysis
        Software testing and debugging
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods

Recommendations

HAMPI: A solver for word equations over strings, regular expressions, and context-free grammars

Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable ...
More on quantum, stochastic, and pseudo stochastic languages with few states

Stochastic languages are the languages recognized by probabilistic finite automata (PFAs) with cutpoint over the field of real numbers. More general computational models over the same field such as generalized finite automata (GFAs) and quantum finite ...
Boundary sets of regular and context-free languages

We investigate the descriptional and computational complexity of boundary sets of regular and context-free languages. For a letter a, the right (left, respectively) a-boundary set of a language L consists of the words in L whose a-predecessor or a-...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ISSTA '09: Proceedings of the eighteenth international symposium on Software testing and analysis

July 2009

306 pages

ISBN:9781605583389

DOI:10.1145/1572272

General Chair:
Gregg Rothermel
University of Nebraska-Lincoln, USA
,
Program Chair:
Laura Dillon
Michigan State University, USA

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 19 July 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ISSTA '09

Sponsor:

ISSTA '09: International Symposium on Software Testing and Analysis

July 19 - 23, 2009

IL, Chicago, USA

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Sponsor:
sigsoft

34th ACM SIGSOFT International Symposium on Software Testing and Analysis

June 25 - 28, 2025

Trondheim , Norway

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

169
Total Citations
View Citations
903
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)1

Reflects downloads up to 06 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Eriksson BStjerna ADe Masellis RRüemmer PSabelfeld AMeng WJensen CCremers CKirda E(2023)Black Ostrich: Web Application Scanning with String SolversProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616582(549-563)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616582
Day JGanesh VGrewal NManea F(2023)On the Expressive Power of String ConstraintsProceedings of the ACM on Programming Languages10.1145/35712037:POPL(278-308)Online publication date: 11-Jan-2023
https://dl.acm.org/doi/10.1145/3571203
Meseguer J(2023)Variants and satisfiability in the infinitary unification wonderlandJournal of Logical and Algebraic Methods in Programming10.1016/j.jlamp.2023.100877134(100877)Online publication date: Aug-2023
https://doi.org/10.1016/j.jlamp.2023.100877
Day JGanesh VGrewal NKonefal MManea F(2023)A Closer Look at the Expressive Power of Logics Based on Word EquationsTheory of Computing Systems10.1007/s00224-023-10154-868:3(322-379)Online publication date: 11-Dec-2023
https://doi.org/10.1007/s00224-023-10154-8
Lotz KGoel ADutertre BKiesl-Reiter BKong SMajumdar RNowotka D(2023)Solving String Constraints Using SATComputer Aided Verification10.1007/978-3-031-37703-7_9(187-208)Online publication date: 17-Jul-2023
https://dl.acm.org/doi/10.1007/978-3-031-37703-7_9
Kapugama CPham VAleti ABöhme MRyu SSmaragdakis Y(2022)Human-in-the-loop oracle learning for semantic bugs in string processing programsProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3533767.3534406(215-226)Online publication date: 18-Jul-2022
https://dl.acm.org/doi/10.1145/3533767.3534406
Liu XYou WZhang ZZhang XRyu SSmaragdakis Y(2022)TensileFuzz: facilitating seed input generation in fuzzing via string constraint solvingProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3533767.3534403(391-403)Online publication date: 18-Jul-2022
https://dl.acm.org/doi/10.1145/3533767.3534403
Hu YShen ZDolan-Gavitt B(2022)Characterizing and Improving Bug-Finders with Synthetic Bugs2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER53432.2022.00115(971-982)Online publication date: Mar-2022
https://doi.org/10.1109/SANER53432.2022.00115
Berzish MDay JGanesh VKulczynski MManea FMora FNowotka D(2022)Towards more efficient methods for solving regular-expression heavy string constraintsTheoretical Computer Science10.1016/j.tcs.2022.12.009Online publication date: Dec-2022
https://doi.org/10.1016/j.tcs.2022.12.009
Amadini R(2021)A Survey on String Constraint SolvingACM Computing Surveys10.1145/348419855:1(1-38)Online publication date: 23-Nov-2021
https://dl.acm.org/doi/10.1145/3484198
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten