Abstract
Regular expressions are a classical concept in formal language theory. Regular expressions in programming languages (RegEx) such as JavaScript, feature non-standard semantics of operators (e.g. greedy/lazy Kleene star), as well as additional features such as capturing groups and references. While symbolic execution of programs containing RegExes appeals to string solvers natively supporting important features of RegEx, such a string solver is hitherto missing. In this paper, we propose the first string theory and string solver that natively provides such support. The key idea of our string solver is to introduce a new automata model, called prioritized streaming string transducers (PSST), to formalize the semantics of RegEx-dependent string functions. PSSTs combine priorities, which have previously been introduced in prioritized finite-state automata to capture greedy/lazy semantics, with string variables as in streaming string transducers to model capturing groups. We validate the consistency of the formal semantics with the actual JavaScript semantics by extensive experiments. Furthermore, to solve the string constraints, we show that PSSTs enjoy nice closure and algorithmic properties, in particular, the regularity-preserving property (i.e., pre-images of regular constraints under PSSTs are regular), and introduce a sound sequent calculus that exploits these properties and performs propagation of regular constraints by means of taking post-images or pre-images. Although the satisfiability of the string constraint language is generally undecidable, we show that our approach is complete for the so-called straight-line fragment. We evaluate the performance of our string solver on over 195000 string constraints generated from an open-source RegEx library. The experimental results show the efficacy of our approach, drastically improving the existing methods (via symbolic execution) in both precision and efficiency.
Highlights
In modern programming languagesÐsuch as JavaScript, Python, Java, and PHPÐthe string data type plays a crucial role
Our experiments have the purpose of answering the following main questions: R1: How does OSTRICH compare to other solvers that can handle real-world regular expressions, including greedy/lazy quantifiers and capturing groups? R2: How does OSTRICH perform in the context of symbolic execution, the primary application of string constraint solving?
The challenge of reasoning about string constraints with regular expressions stems from functions like match and replace that exploit features like capturing groups, not to mention the subtle deterministic matching
Summary
In modern programming languagesÐsuch as JavaScript, Python, Java, and PHPÐthe string data type plays a crucial role. No existing string solvers can support any of these features This is despite the fact that idealized versions of regular constraints and the replace functions are allowed in modern string solvers (e.g. see [Abdulla et al 2018; Chen et al 2019; Holík et al 2018; Liang et al 2014; Trinh et al.2016; Yu et al 2014]), i.e., features that can be found in the above examples like capturing groups, greedy/lazy matching, and references are not supported. This limitation of existing string solvers was already mentioned in the recent paper [Loring et al 2019].
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
