[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/3062341.3062384acmconferencesArticle/Chapter ViewAbstractPublication PagespldiConference Proceedingsconference-collections
research-article

Flatten and conquer: a framework for efficient analysis of string constraints

Published: 14 June 2017 Publication History

Abstract

We describe a uniform and efficient framework for checking the satisfiability of a large class of string constraints. The framework is based on the observation that both satisfiability and unsatisfiability of common constraints can be demonstrated through witnesses with simple patterns. These patterns are captured using flat automata each of which consists of a sequence of simple loops. We build a Counter-Example Guided Abstraction Refinement (CEGAR) framework which contains both an under- and an over-approximation module. The flow of information between the modules allows to increase the precision in an automatic manner. We have implemented the framework as a tool and performed extensive experimentation that demonstrates both the generality and efficiency of our method.

Supplementary Material

Auxiliary Archive (pldiae.tar.gz)
Supplemental file

References

[1]
P. A. Abdulla, B. Jonsson, M. Nilsson, and M. Saksena. A survey of regular model checking. In CONCUR’04, volume 170 of LNCS, pages 348–360. Springer, 2004.
[2]
P. A. Abdulla, M. F. Atig, Y. Chen, L. Hol´ık, A. Rezine, P. Rümmer, and J. Stenman. String constraints for verification. In CAV’14, volume 8559 of LNCS, pages 150–166. Springer, 2014.
[3]
P. A. Abdulla, M. F. Atig, Y. Chen, L. Hol´ık, A. Rezine, P. Rümmer, and J. Stenman. Norn: An SMT solver for string constraints. In CAV’15, volume 9206 of LNCS, pages 462– 469. Springer, 2015.
[4]
M. F. Atig, A. Bouajjani, and T. Touili. On the reachability analysis of acyclic networks of pushdown systems. In CONCUR’08, volume 5201 of LNCS, pages 356–371. Springer, 2008.
[5]
M. F. Atig, K. N. Kumar, and P. Saivasan. Acceleration in multi-pushdown systems. In TACAS’16, volume 9636 of LNCS, pages 698–714. Springer, 2016.
[6]
C. Barrett, C. L. Conway, M. Deters, L. Hadarean, D. Jovanovi´c, T. King, A. Reynolds, and C. Tinelli. CVC4. In TACAS’11, LNCS, pages 171–177. Springer, 2011.
[7]
A. Brillout, D. Kroening, P. Rümmer, and T. Wahl. An interpolating sequent calculus for quantifier-free Presburger arithmetic. Journal of Automated Reasoning, 47:341–367, 2011.
[8]
J. R. Büchi and S. Senger. Definability in the existential theory of concatenation and undecidable extensions of this theory. Z. Math. Logik Grundlagen Math., 34(4), 1988.
[9]
A. Cimatti, A. Griggio, B. J. Schaafsma, and R. Sebastiani. The MathSAT5 SMT solver. In TACAS’13, LNCS, pages 93– 107. Springer, 2013.
[10]
B. Courcelle. On constructing obstruction sets of words. Bulletin of the EATCS, (44):178–186, 1991.
[11]
L. De Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS’08, volume 4963 of LNCS, pages 337–340. Springer, 2008.
[12]
B. Dutertre. Yices 2.2. In CAV’14, volume 8559 of LNCS, pages 737–744. Springer, July 2014.
[13]
J. Esparza and P. Ganty. Complexity of pattern-based verification for multithreaded programs. In POPL’11, pages 499–510. ACM, 2011.
[14]
J. Esparza, P. Ganty, S. Kiefer, and M. Luttenberger. Parikh’s theorem: A simple and direct automaton construction. Inf. Process. Lett., 111(12):614–619, 2011.
[15]
J. Esparza, P. Ganty, and R. Majumdar. A perfect model for bounded verification. In LICS’12, pages 285–294. IEEE Computer Society, 2012.
[16]
J. Esparza, P. Ganty, and T. Poch. Pattern-based verification for multithreaded programs. ACM Trans. Program. Lang. Syst., 36(3):9:1–9:29, 2014.
[17]
V. Ganesh and M. Berzish. Undecidability of a theory of strings, linear arithmetic over length, and string-number conversion. CoRR, abs/1605.09442, 2016.
[18]
V. Ganesh, M. Minnes, A. Solar-Lezama, and M. Rinard. Word equations with length constraints: What’s decidable? In A. Biere, A. Nahir, and T. Vos, editors, Hardware and Software: Verification and Testing, volume 7857 of LNCS, pages 209–226. 2013.
[19]
P. Ganty, R. Majumdar, and B. Monmege. Bounded underapproximations. Formal Methods in System Design, 40(2): 206–231, 2012.
[20]
S. Ginsburg. The Mathematical Theory of Context-Free Languages. McGraw-Hill, Inc., 1966.
[21]
S. Ginsburg and E. H. Spanier. Bounded algol-like languages. Transactions of the American Mathematical Society, 113(2): 333–368, 1964.
[22]
P. Godefroid, A. Kiezun, and M. Y. Levin. Grammar-based whitebox fuzzing. SIGPLAN Not., 43(6):206–215, June 2008.
[23]
S. Kausler and E. Sherman. Evaluation of string constraint solvers in the context of symbolic execution. In ASE ’14, pages 259–270. ACM, 2014.
[24]
A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. HAMPI: A Solver for String Constraints. In ISSTA’09, pages 105–116. ACM, 2009.
[25]
T. Liang, A. Reynolds, C. Tinelli, C. Barrett, and M. Deters. A DPLL(T) theory solver for a theory of strings and regular expressions. In CAV’14, volume 8559 of LNCS, pages 646– 662. Springer, 2014.
[26]
T. Liang, A. Reynolds, C. Tinelli, C. Barrett, and M. Deters. CVC4, 2016.
[27]
A. W. Lin and P. Barcel´o. String solving with word equations and transducers: towards a logic for analysing mutation XSS. In POPL’16, pages 123–136. ACM, 2016.
[28]
Z. Long, G. Calin, R. Majumdar, and R. Meyer. Languagetheoretic abstraction refinement. In FASE’12, volume 7212 of LNCS, pages 362–376. Springer, 2012.
[29]
R. Madhavan, M. Mayer, S. Gulwani, and V. Kuncak. Automating grammar comparison. SIGPLAN Not., 50(10):183– 200, Oct. 2015.
[30]
G. Makanin. The problem of solvability of equations in a free semigroup. Mathematics of the USSR-Sbornik, 32(2): 129–198, 1977.
[31]
Y. Matiyasevich. Computation paradigms in light of hilberts tenth problem. In New Computational Paradigms, pages 59– 85. Springer, New York, 2008.
[32]
M. Mohri and M.-J. Nederhof. Regular Approximation of Context-Free Grammars through Transformation, pages 153– 163. Springer Netherlands, Dordrecht, 2001.
[33]
R. Parikh. On context-free languages. J. ACM, 13(4), 1966.
[34]
W. Plandowski. Satisfiability of word equations with constants is in PSPACE. In FOCS, pages 495–500, 1999.
[35]
W. Plandowski. An efficient algorithm for solving word equations. In STOC, pages 467–476, 2006.
[36]
W. V. Quine. Concatenation as a basis for arithmetic. The Journal of Symbolic Logic, 11(4):105–114, 1946.
[37]
J. M. Robson and V. Diekert. On quadratic word equations. In STACS, pages 217–226, 1999.
[38]
P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A Symbolic Execution Framework for JavaScript. In IEEE Symposium on Security and Privacy, pages 513–528. IEEE Computer Society, 2010.
[39]
P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS. The Internet Society, 2010.
[40]
K. U. Schulz. Makanin’s algorithm for word equations - two improvements and a generalization. In IWWERT, pages 85– 150, 1990.
[41]
Z. Su and G. Wassermann. The essence of command injection attacks in web applications. SIGPLAN Not., 41(1):372–382, Jan. 2006.
[42]
M. Trinh, D. Chu, and J. Jaffar. Progressive reasoning over recursively-defined strings. In CAV’16, volume 9779 of LNCS, pages 218–240. Springer, 2016.
[43]
M.-T. Trinh, D.-H. Chu, and J. Jaffar. S3: A symbolic string solver for vulnerability detection in web applications. In CCS’14, pages 1232–1243. ACM, 2014.
[44]
J. van Leeuwen. A generalisation of parikhs theorem in formal language theory. In ICALP, volume 14 of LNCS, pages 17–26, 1974.
[45]
J. van Leeuwen. Effective constructions in well-partiallyordered free monoids. Discrete Mathematics, 21(3):237 – 252, 1978.
[46]
H. Wang, T. Tsai, C. Lin, F. Yu, and J. R. Jiang. String analysis via automata manipulation with logic circuit representation. In CAV’16, volume 9779 of LNCS, pages 241–260. Springer, 2016.
[47]
G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. SIGPLAN Not., 42 (6):32–41, June 2007.
[48]
F. Yu, M. Alkhalaf, and T. Bultan. Stranger: An automatabased string analysis tool for PHP. In TACAS’10, volume 6015 of LNCS, pages 154–157. Springer, 2010.
[49]
Y. Zheng, X. Zhang, and V. Ganesh. Z3-str: a z3-based string solver for web application analysis. In ESEC/FSE’13, pages 114–124. ACM, 2013.
[50]
Y. Zheng, X. Zhang, and V. Ganesh. Z3-str: A Z3-based string solver for web application analysis. In ESEC/FSE’13, pages 114–124. ACM, 2013.
[51]
Y. Zheng, V. Ganesh, S. Subramanian, O. Tripp, J. Dolby, and X. Zhang. Effective search-space pruning for solvers of string equations, regular expressions and length constraints. In CAV’15, volume 9206 of LNCS, pages 235–254. Springer, 2015.

Cited By

View all
  • (2024)A Constraint Solving Approach to Parikh Images of Regular LanguagesProceedings of the ACM on Programming Languages10.1145/36498558:OOPSLA1(1235-1263)Online publication date: 29-Apr-2024
  • (2024)Parikh’s Theorem Made SymbolicProceedings of the ACM on Programming Languages10.1145/36329078:POPL(1945-1977)Online publication date: 5-Jan-2024
  • (2024)A decision procedure for string constraints with string/integer conversion and flat regular constraintsActa Informatica10.1007/s00236-023-00446-461:1(23-52)Online publication date: 1-Mar-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
PLDI 2017: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2017
708 pages
ISBN:9781450349888
DOI:10.1145/3062341
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 June 2017

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Automata Theory
  2. Formal Verification
  3. String Equation

Qualifiers

  • Research-article

Conference

PLDI '17
Sponsor:

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)13
  • Downloads (Last 6 weeks)3
Reflects downloads up to 10 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)A Constraint Solving Approach to Parikh Images of Regular LanguagesProceedings of the ACM on Programming Languages10.1145/36498558:OOPSLA1(1235-1263)Online publication date: 29-Apr-2024
  • (2024)Parikh’s Theorem Made SymbolicProceedings of the ACM on Programming Languages10.1145/36329078:POPL(1945-1977)Online publication date: 5-Jan-2024
  • (2024)A decision procedure for string constraints with string/integer conversion and flat regular constraintsActa Informatica10.1007/s00236-023-00446-461:1(23-52)Online publication date: 1-Mar-2024
  • (2023)Solving String Constraints with Lengths by StabilizationProceedings of the ACM on Programming Languages10.1145/36228727:OOPSLA2(2112-2141)Online publication date: 16-Oct-2023
  • (2023)A symbolic algorithm for the case-split rule in solving word constraints with extensionsJournal of Systems and Software10.1016/j.jss.2023.111673201:COnline publication date: 1-Jul-2023
  • (2023)Word Equations in Synergy with Regular ConstraintsFormal Methods10.1007/978-3-031-27481-7_23(403-423)Online publication date: 3-Mar-2023
  • (2022)Solving string constraints with Regex-dependent functions through transducers with priorities and variablesProceedings of the ACM on Programming Languages10.1145/34987076:POPL(1-31)Online publication date: 12-Jan-2022
  • (2022)Fully abstract models for effectful λ-calculi via category-theoretic logical relationsProceedings of the ACM on Programming Languages10.1145/34987056:POPL(1-28)Online publication date: 12-Jan-2022
  • (2022)PRIMA: general and precise neural network certification via scalable convex hull approximationsProceedings of the ACM on Programming Languages10.1145/34987046:POPL(1-33)Online publication date: 12-Jan-2022
  • (2022)Twist: sound reasoning for purity and entanglement in Quantum programsProceedings of the ACM on Programming Languages10.1145/34986916:POPL(1-32)Online publication date: 12-Jan-2022
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media