Results 1  10
of
21
HAMPI: A Solver for String Constraints
, 2009
"... Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of offtheshelf ..."
Abstract

Cited by 102 (21 self)
 Add to MetaCart
(Show Context)
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of offtheshelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive offtheshelf solvers for string constraints generated by analysis techniques for stringmanipulating programs. We designed and implemented Hampi, a solver for string constraints over fixedsize string variables. Hampi constraints express membership in regular languages and fixedsize contextfree languages. Hampi constraints may contain contextfreelanguage definitions, regularlanguage definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable. Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi’s source code, documentation, and the experimental data are available at
SugarJ: Librarybased syntactic language extensibility
 In Proceedings of Conference on ObjectOriented Programming, Systems, Languages, and Applications (OOPSLA). ACM
, 2011
"... Existing approaches to extend a programming language with syntactic sugar often leave a bitter taste, because they cannot be used with the same ease as the main extension mechanism of the programming language—libraries. Sugar libraries are a novel approach for syntactically extending a programming l ..."
Abstract

Cited by 37 (12 self)
 Add to MetaCart
(Show Context)
Existing approaches to extend a programming language with syntactic sugar often leave a bitter taste, because they cannot be used with the same ease as the main extension mechanism of the programming language—libraries. Sugar libraries are a novel approach for syntactically extending a programming language within the language. A sugar library is like an ordinary library, but can, in addition, export syntactic sugar for using the library. Sugar libraries maintain the composability and scoping properties of ordinary libraries and are hence particularly wellsuited for embedding a multitude of domainspecific languages into a host language. They also inherit selfapplicability from libraries, which means that sugar libraries can provide syntactic extensions for the definition of other sugar libraries. To demonstrate the expressiveness and applicability of sugar libraries, we have developed SugarJ, a language on top of Java, SDF and Stratego, which supports syntactic extensibility. SugarJ employs a novel incremental parsing technique, which allows changing the syntax within a source file. We demonstrate SugarJ by five language extensions, including embeddings of XML and closures in Java, all available as sugar libraries. We illustrate the utility of selfapplicability by embedding XML Schema, a metalanguage to define XML languages.
Solving String Constraints Lazily
, 2010
"... Decision procedures have long been a fixture in program analysis, and reasoning about string constraints is a key element in many program analyses and testing frameworks. Recent work on string analysis has focused on providing decision procedures that model string operations. Separating string analy ..."
Abstract

Cited by 25 (9 self)
 Add to MetaCart
(Show Context)
Decision procedures have long been a fixture in program analysis, and reasoning about string constraints is a key element in many program analyses and testing frameworks. Recent work on string analysis has focused on providing decision procedures that model string operations. Separating string analysis from its client applications has important and familiar benefits: it enables the independent improvement of string analysis tools and it saves client effort. We present a constraint solving algorithm for equations over string variables. We focus on scalability with regard to the size of the input constraints. Our algorithm performs an explicit search for a satisfying assignment; the search space is constructed lazily based on an automata representation of the constraints. We evaluate our approach by comparing its performance with that of existing string decision procedures. Our prototype is, on average, several orders of magnitude faster than the fastest existing implementation.
Symbolic automata constraint solving
 LPAR17, volume 6397 of LNCS
, 2010
"... Abstract. Constraints over regular and contextfree languages are common in the context of stringmanipulating programs. Efficient solving of such constraints, often in combination with arithmetic and other theories, has many useful applications in program analysis and testing. We introduce and eval ..."
Abstract

Cited by 18 (9 self)
 Add to MetaCart
(Show Context)
Abstract. Constraints over regular and contextfree languages are common in the context of stringmanipulating programs. Efficient solving of such constraints, often in combination with arithmetic and other theories, has many useful applications in program analysis and testing. We introduce and evaluate a method for symbolically expressing and solving constraints over automata, including subset constraints. Our method uses techniques present in the stateoftheart SMT solver Z3. 1
To CNF or not to CNF? An efficient yet presentable version of the CYK algorithm
 INFORMATICA DIDACTICA
, 2009
"... The most familiar algorithm to decide the membership problem for contextfree grammars is the one by Cocke, Younger and Kasami (CYK) using grammars in Chomsky normal form (CNF). We propose to teach a simple modification of the CYK algorithm that uses grammars in a much less restrictive binary normal ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
(Show Context)
The most familiar algorithm to decide the membership problem for contextfree grammars is the one by Cocke, Younger and Kasami (CYK) using grammars in Chomsky normal form (CNF). We propose to teach a simple modification of the CYK algorithm that uses grammars in a much less restrictive binary normal form (2NF) and two precomputations: the set of nullable nonterminals and the inverse of the unit relation between symbols. The modified algorithm is equally simple as the original one, but highlights that the at most binary branching rules alone are responsible for the O(n³) time complexity. Moreover, the simple transformation to 2NF comes with a linear increase in grammar size, whereas some transformations to CNF found in most prominent textbooks on formal languages may lead to an exponential increase.
S3: A Symbolic String Solver for Vulnerability Detection in Web Applications
"... Motivated by the vulnerability analysis of web programs which work on string inputs, we present S3, a new symbolic string solver. Our solver employs a new algorithm for a constraint language that is expressive enough for widespread applicability. Specifically, our language covers all the main string ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Motivated by the vulnerability analysis of web programs which work on string inputs, we present S3, a new symbolic string solver. Our solver employs a new algorithm for a constraint language that is expressive enough for widespread applicability. Specifically, our language covers all the main string operations, such as those in JavaScript. The algorithm first makes use of a symbolic representation so that membership in a set defined by a regular expression can be encoded as string equations. Secondly, there is a constraintbased generation of instances from these symbolic expressions so that the total number of instances can be limited. We evaluate S3 on a wellknown set of practical benchmarks, demonstrating both its robustness (more definitive answers) and its efficiency (about 20 times faster) against the stateoftheart.
J.J.: Faster ambiguity detection by grammar filtering
 Proceedings of the Tenth Workshop on Language Descriptions, Tools and Applications (LDTA
, 2010
"... Real programming languages are often defined using ambiguous contextfree grammars. Some ambiguity is intentional while other ambiguity is accidental. A good grammar development environment should therefore contain a static ambiguity checker to help the grammar engineer. Ambiguity of contextfree gr ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
(Show Context)
Real programming languages are often defined using ambiguous contextfree grammars. Some ambiguity is intentional while other ambiguity is accidental. A good grammar development environment should therefore contain a static ambiguity checker to help the grammar engineer. Ambiguity of contextfree grammars is an undecidable property. Nevertheless, various imperfect ambiguity checkers exist. Exhaustive methods are accurate, but suffer from nontermination. Termination is guaranteed by approximative methods, at the expense of accuracy. In this paper we combine an approximative method with an exhaustive method. We present an extension to the Noncanonical Unambiguity Test that identifies production rules that do not contribute to the ambiguity of a grammar and show how this information can be used to significantly reduce the search space of exhaustive methods. Our experimental evaluation on a number of real world grammars shows orders of magnitude gains in efficiency in some cases and negligible losses of efficiency in others.
Solving extended regular constraints symbolically
, 2009
"... Abstract—Constraints over regular expressions are common in programming languages, often in combination with other constraints involving strings. Efficient solving of such constraints has many useful applications in program analysis and testing. We introduce a method for symbolically expressing and ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
(Show Context)
Abstract—Constraints over regular expressions are common in programming languages, often in combination with other constraints involving strings. Efficient solving of such constraints has many useful applications in program analysis and testing. We introduce a method for symbolically expressing and analyzing regular constraints using state of the art SMT solving techniques. The method is implemented using the SMT solver Z3 and is evaluated over a collection of benchmarks. Keywordsregular expressions; subset constraints; finite automata; satisfiability modulo theories; strings I.
Modelling Grammar Constraints with Answer Set Programming
"... Representing and solving constraint satisfaction problems is one of the challenges of artificial intelligence. In this paper, we present answer set programming (ASP) models for an important and very general class of constraints, including all constraints specified via grammars or automata that recog ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
Representing and solving constraint satisfaction problems is one of the challenges of artificial intelligence. In this paper, we present answer set programming (ASP) models for an important and very general class of constraints, including all constraints specified via grammars or automata that recognise some formal language. We argue that our techniques are effective and efficient, e.g., unitpropagation of an ASP solver can achieve domain consistency on the original constraint. Experiments demonstrate computational impact.
Hampi: A solver for word equations over strings, regular expressions and contextfree grammar
 ACM Transactions on Software Engineering and Methodology
"... Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable software reliability tools. The increasing efficie ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraintgeneration phase followed by a constraintsolving phase. This separation of concerns often leads to more effective and maintainable software reliability tools. The increasing efficiency of offtheshelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive offtheshelf solvers for string constraints generated by analysis of stringmanipulating programs, so researchers end up implementing their own adhoc solvers. To fulfill this need, we designed and implemented Hampi, a solver for string constraints over bounded string variables. Users of Hampi specify constraints using regular expressions, contextfree grammars, equality/disequality between string terms, and typical string operations such as concatenation and substring extraction. Hampi then finds a string that satisfies all the constraints or reports that the constraints are unsatisfiable. We demonstrate Hampi’s expressiveness and efficiency by applying it to program analysis and automated testing: We used Hampi in static and dynamic analyses for finding SQL injection vulnerabilities in Web applications with hundreds of thousands of lines of code. We also used Hampi in the context of automated bug finding in C programs using dynamic systematic testing (also known as concolic testing). We then compared Hampi with another string solver, CFGAnalyzer, and show that Hampi is several times faster. Hampi’s source code, documentation, and experimental data are available at