Sound regular expression semantics for dynamic symbolic execution of JavaScript

Loring, Blake; Mitchell, Duncan; Kinder, Johannes

doi:10.1145/3314221.3314645

Cited by 26 publications

(26 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, the gap between the string functions that are supported by current string solvers and those supported by modern programming languages is still too big. As convincingly argued in [Loring et al 2019] in the context of constraint solving, the widely used Regular Expressions in modern programming languages (among others, JavaScript, Python, etc. )Ðwhich we call RegEx in the sequelÐare one important and frequently occurring feature in programs that are difficult for existing SMT theories over strings to model and solve, especially because their syntaxes and semantics substantially differ from the notion of regular expressions in formal language theory [Hopcroft and Ullman 1979].…”

Section: Introductionmentioning

confidence: 89%

“…see [Abdulla et al 2018;Chen et al 2019;Liang et al 2014;Trinh et al 2016;), i.e., features that can be found in the above examples like capturing groups, greedy/lazy matching, and references are not supported. This limitation of existing string solvers was already mentioned in the recent paper [Loring et al 2019].…”

Section: Introductionmentioning

confidence: 91%

“…One recently proposed solution is to map the path constraints generated by string-manipulating programs that exploit RegEx into constraints in the SMT theories supported by existing string solvers. In fact, this was done in recent papers [Loring et al 2019], where the path constraints are mapped to constraints in the theory of strings with concatenation and regular constraints in Z3 [de Moura and Bjùrner 2008]. Unfortunately, this mapping is an approximation, since such complex string manipulations are generally inexpressible in any string theories supported by existing string solvers.…”

Section: Introductionmentioning

confidence: 99%

“…Unfortunately, this mapping is an approximation, since such complex string manipulations are generally inexpressible in any string theories supported by existing string solvers. To leverage this, CEGAR (counter-example guided abstraction and refinement) is used in [Loring et al 2019], while ensuring that an under-approximation is preserved. This results in a rather severe price in both precision and performance: the refinement process may not terminate even for extremely simple programs (e.g.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Solving string constraints with Regex-dependent functions through transducers with priorities and variables

Chen

Flores-Lamas

Hague

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Regular expressions are a classical concept in formal language theory. Regular expressions in programming languages (RegEx) such as JavaScript, feature non-standard semantics of operators (e.g. greedy/lazy Kleene star), as well as additional features such as capturing groups and references. While symbolic execution of programs containing RegExes appeals to string solvers natively supporting important features of RegEx, such a string solver is hitherto missing. In this paper, we propose the first string theory and string solver that natively provides such support. The key idea of our string solver is to introduce a new automata model, called prioritized streaming string transducers (PSST), to formalize the semantics of RegEx-dependent string functions. PSSTs combine priorities, which have previously been introduced in prioritized finite-state automata to capture greedy/lazy semantics, with string variables as in streaming string transducers to model capturing groups. We validate the consistency of the formal semantics with the actual JavaScript semantics by extensive experiments. Furthermore, to solve the string constraints, we show that PSSTs enjoy nice closure and algorithmic properties, in particular, the regularity-preserving property (i.e., pre-images of regular constraints under PSSTs are regular), and introduce a sound sequent calculus that exploits these properties and performs propagation of regular constraints by means of taking post-images or pre-images. Although the satisfiability of the string constraint language is generally undecidable, we show that our approach is complete for the so-called straight-line fragment. We evaluate the performance of our string solver on over 195000 string constraints generated from an open-source RegEx library. The experimental results show the efficacy of our approach, drastically improving the existing methods (via symbolic execution) in both precision and efficiency.

show abstract

Section: Introductionmentioning

confidence: 89%

Section: Introductionmentioning

confidence: 91%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Solving string constraints with Regex-dependent functions through transducers with priorities and variables

Chen

Flores-Lamas

Hague

et al. 2022

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…Symbolic Execution Tools for JavaScript and C. Most existing symbolic execution tools for JavaScript aim at bugfinding and target specific types of bugs, such as security vulnerabilities related to the misuse of strings [57], malformed Web API requests [66], DOM-API-specific bugs [35], or bugs involving regular expressions [36]. These tools aim at code in the large, primarily focussing on scalability and coverage.…”

Section: Parametric Framework For Abstract Interpretationmentioning

confidence: 99%

Gillian, Part I: A Multi-language Platform for Symbolic Execution

Santos

Maksimovic

Ayoun

et al. 2020

Artifact Digital Object Group

View full text Add to dashboard Cite

We introduce Gillian, a platform for developing symbolic analysis tools for programming languages. Here, we focus on the symbolic execution engine at the heart of Gillian, which is parametric on the memory model of the target language. We give a formal description of the symbolic analysis and a modular implementation that closely follows this description. We prove a parametric soundness result, introducing restriction on abstract states, which generalises path conditions used in classical symbolic execution. We instantiate Gillian to obtain trusted symbolic testing tools for JavaScript and C, and use these tools to find bugs in real-world code, thus demonstrating the viability of our parametric approach. CCS Concepts: • Theory of computation → Program analysis; Program semantics; • Software and its engineering → Formal language definitions.

show abstract

A Formal Model for Checking Cryptographic API Usage in JavaScript

Mitchell

Kinder

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Sound regular expression semantics for dynamic symbolic execution of JavaScript

Cited by 26 publications

References 42 publications

Solving string constraints with Regex-dependent functions through transducers with priorities and variables

Solving string constraints with Regex-dependent functions through transducers with priorities and variables

Gillian, Part I: A Multi-language Platform for Symbolic Execution

A Formal Model for Checking Cryptographic API Usage in JavaScript

Contact Info

Product

Resources

About