Z3-Noodler 1.3: Shepherding Decision Procedures for Strings with Model Generation

In recent years, research in string solving gained a significant traction, motivated by problems such as finding security vulnerabilities in web applications [9, 37, 45, 55] or analyzing user policies controlling access to cloud resources [5, 31, 44].

Currently, there is a lot of string solvers utilizing various string solving approaches, usually integrated in general SMT solvers, such as cvc 5  [6, 8, 32‐34, 40, 42, 43] and Z3  [10‐14, 38, 48‐51, 56, 57], or more standalone string solvers, such as OSTRICH  [20‐23, 36]. In order to achieve a high performance on various real-world problems, one specific decision procedure applied to all formulae is usually not sufficient enough. In practice, there often occur formulae with different characteristics that are usually not coverable by a single procedure. One way to overcome this problem lies in using a combination of dedicated procedures tailored for a particular fragment of string constraints. For example, given a formula containing only quadratic word equations, the Nielsen transformation [39] usually performs better than any other approach.

One of the currently best string solvers is Z3-Noodler¹ [24, 25, 29], a winner of the string division of SMT-COMP’24 [47]. In [24], version 1.0 of Z3-Noodler was introduced, which implements the stabilization-based procedure described in previous papers [15, 25, 29]. Here we introduce version 1.3, implementing a framework for selecting and running decision procedures and two novel decision procedures: (i) one implementing multiple heuristics for handling pure regular constraints, based on finite automata library Mata  [26] and (ii) a procedure based on transforming equational block string constraints into linear-integer arithmetic (LIA) constraints based on the lengths and alignments of string literals, which are then solved by the internal Z3 LIA solver. Furthermore, we show how Z3-Noodler implements and optimizes the Nielsen transformation, whose preliminary implementation was already present in version 1.0. On top of that, version 1.3 extends Z3-Noodler by model generation. In particular, we explain how a model can be constructed not only for each of the aforementioned procedures, but also for the stabilization-based procedure, for which model generation was also missing.

We evaluate the impact of the decision procedures and the model generation, and compare Z3-Noodler with other string solvers on standard SMT-LIB benchmarks. The results show that the implemented decision procedures have large impact on the number of solved instances and the solving time, while the model generation has just a minimal impact. The comparison with other tools exposes that Z3-Noodler outperforms other state-of-the-art tools on the SMT-LIB benchmarks.

Sets, functions, and graphs. We use \(\mathbb {N}\) to denote the set of natural numbers (including 0), \(\mathbb {Z}\) to denote the set of integers, \(\mathbb {B}= \{ \top , \bot \}\) to denote the Boolean values, and \(\mathbb {B}_3= \mathbb {B}\cup \{ \textsf{undef}\}\) to denote \(\mathbb {B}\) extended with an undefined value. We use \(\uplus \) to denote the disjoin union. For a function \(f:X \rightarrow Y\), we use \(f \mathop {\vartriangleleft }\{ x \mapsto y \}\) to denote the function \((f \setminus (\{ x \}\times Y)) \cup \{ x \mapsto y \}\). We use boldface \(\boldsymbol{x}\) to denote vectors and \(\boldsymbol{x}_i\) to denote the i-th item of \(\boldsymbol{x}\). A (directed) graph is a pair \(G = (V,E)\) where V is a set of nodes and \(E \subseteq V\times V\) is a set of (directed) edges.

Strings and languages. We fix a finite alphabet \(\Sigma \) of symbols for the rest of the paper and we use letters from the start of the alphabet (\(a,b,c,\dots \)) to denote symbols from \(\Sigma \). A string (or word) over \(\Sigma \) is a finite sequence \(u = a_1\cdots a_n\) of symbols from \(\Sigma \). We say that \(|u| = n\) is the length of u. The length of the empty string \(\epsilon \) is \(|\epsilon | = 0\). The set of all strings over \(\Sigma \) is denoted by \(\Sigma ^*\). The concatenation of strings u and v is denoted \(u\cdot v\) or uv for short (\(\epsilon \) is the neutral element). Moreover, iteration of a word w is inductively defined as \(w^0 = \epsilon \) and \(w^{k+1} = w^{k}\cdot w\) for \(k\in \mathbb {N}\). A language is a subset of \(\Sigma ^*\).

Automata. A (nondeterministic) finite automaton (NFA) over \(\Sigma \) is a tuple \(A=(Q,\delta ,I,F)\) where Q is a finite set of states, \(\delta \) is a set of transitions of the form with \(q,r\in Q\) and \(a\in \Sigma \), \(I\subseteq Q\) is the set of initial states, and \(F\subseteq Q\) is the set of final states. A run of \(A\) over a word \(w = w_1 \ldots w_n \in \Sigma ^*\) is a sequence of states \(q_0 \ldots q_n \in Q^{n+1}\) such that for all \(1 \le i \le n\) it holds that . The run is accepting if \(q_0 \in I\) and \(q_n \in F\), and the language \(L(A)\) of \(A\) is the set of all words for which \(A\) has an accepting run. To intersect the languages of two automata, we construct their product \(A\cap A' = (Q\times Q',\delta ^\times ,I\times I',F\times F')\) where  iff and . The union of two NFAs, denoted \(A\cup A'\), is given as the piece-wise disjoint union of their components. The complement of \(A\) is given as \(A^\complement = (2^Q, \delta ^D, \{ I \}, F^D)\) where \(\delta ^D(S, a) = \bigcup _{q\in S}\delta (q,a)\) and \(F^D = \{ S \subseteq Q \mid S \cap F = \emptyset \}\).

Basic string constraints. In this paper, we consider basic string constraints over alphabet \(\Sigma \), string variables \(\mathbb {X}\), and integer variables \(\mathbb {I}\). The string variables range over \(\Sigma ^*\) and integer variables over \(\mathbb {Z}\). In the paper, we use the letters x, y, z to denote variables. The syntax of a string constraint \(\varphi \) is given as follows:where \(t_s\) is a string term, \(t_i\) is linear-integer arithmetic (LIA) term, \(x_s \in \mathbb {X}\), \(a \in \Sigma \), \(x_i \in \mathbb {I}\), \(k \in \mathbb {Z}\), and \(\mathcal {R}\) is an (extended) regular expression (regex) as defined by the SMT-LIB standard [7] (classical regular expressions extended with operations such as re.compl, re.inter, ...). The semantics and satisfiability of string constraints are defined in the usual way (\(\texttt {len} (t_s)\) represents the length of the string term \(t_s\)). A formula without string terms is called a LIA formula and the set of all LIA formulae is denoted as \(\Phi _{\textsf{LIA}}\). We usually use the letters u, v, w to denote concatenations of string terms, i.e., words from \((\mathbb {X}\cup \Sigma )^*\). A string literal (or just literal) is a string term containing only symbols from \(\Sigma \). We use \(\texttt{Var}(\varphi )\) to denote the set of variables occurring in the string constraint \(\varphi \).

Other than the basic string constraints, Z3-Noodler can also handle extended string constraints (e.g., prefixof, indexof, from_int, ...) with the semantics specified by the SMT-LIB standard. We do not include these extended constraints in the definition as their solving is not subject of this paper (we briefly discuss their handling in Section 3.2).

Since handling string constraints is complex and there is no universal procedure efficient on every possible constraint, Z3-Noodler implements several decision procedures, each one suitable for a different class of constraints. In this section, we describe a framework for handling the decision procedures and its position within Z3-Noodler ’s architecture.

In this section, we propose a procedure for handling pure regular constraints, i.e., regular constraints without (dis-)equations or length-constraints. Solving these constraints can be done just by basic automata/regex-based reasoning. Here, the most difficult operation is automata complementation, corresponding to negation in the constraint, since it may cause a state blow-up during determinization of the automaton (this happens especially for automata obtained from regexes containing loop bounds). Therefore, our procedure tries to avoid explicit complementation and handle such constraints in a different way.

Automata construction. For a regular expression \(\mathcal {R}\) we use a procedure \(\textsf{aut}\) for an inductive construction of (nondeterministic) automaton corresponding to \(\mathcal {R}\). The procedure \(\textsf{aut}\) uses eager simulation-based reduction [19], which is applied after each inductive step. In the case that some sub-expression requires future complementation (because it is under the re.compl regex operator), we eagerly determinize and minimize the automaton for the sub-expression (using Brzozowski-based minimization [18]). We use the automata library Mata  [26] to handle finite automata and operations over them.

Another decision procedure used in Z3-Noodler is the Nielsen transformation [39]. We use the Nielsen transformation for satisfiability checking of a conjunction of string equations \(\mathcal {E}\) that are not suitable for the stabilization-based procedure. After a brief description of the Nielsen transformation, we propose an approach used for a (partial) handling of length constraints within Nielsen transformation as it is currently used in Z3-Noodler. We also discuss particular implementation details, including preprocessing details, optimizations, and suitability conditions when Nielsen transformation is applied.

Let e be an equation. By \(\textsf{trim}(e)\) we denote the equation obtained by removing the longest common prefix and suffix from both sides of e. For instance, the result of \(\textsf{trim}(abxzwb = abxnvb)\) is the equation \(zw = nv\). We lift \(\textsf{trim}\) to a set of equations as usual. In this section, we represent a conjunction of string equations by a set of equations \(\mathcal {E}\). We say that a set of equations \(\mathcal {E}\) is quadratic if each variable has at most two occurrences in \(\mathcal {E}\).

Nielsen rules. The transformation uses two meta-rules, which are used to generate a (Nielsen) graph. Nodes of the graph are sets of equations and the directed edges capture the effects of the applied rules. The rules are based on the following observation: if an equation \(xu = yv\) is satisfiable, then there is a couple of (not necessarily disjoint) cases that may occur: (i) \(x = y\) meaning that \(u = v\), or (ii) the variable x or y is \(\epsilon \), or (iii) \(\texttt {len} (x) \le \texttt {len} (y)\) (the other case is analogous); in that case we have that \(y = xy'\) where \(y'\) is a fresh variable and we can apply a substitution \(y/xy'\) in the equation, followed by the substitution \(y/y'\) to avoid generation of isomorphic equations. The Nielsen rules then mimic the cases (ii) and (iii), combined with an implicit handling of the case (i). Formally, the two rules are given as

The rule \((x \hookrightarrow \alpha x)\), where \(\alpha \in \Sigma \cup \mathbb {X}\), rewrites all occurrences of x in \(\mathcal {E}\) by \(\alpha x\). Since this rule is applied if the left-hand side of an equation starts with x while the right-hand side starts with \(\alpha \), after trimming, the first occurrence of \(\alpha \) from the right-hand side is removed. The second rule \(x \hookrightarrow \epsilon \) removes all occurrences of x from the system.

Nielsen graph. Nielsen graph \(\mathcal {G}_\mathcal {E}\) of a set of equations \(\mathcal {E}\) is a (possibly infinite) graph induced by Nielsen rules, meaning that vertices are sets of equations and edges are labeled by particular Nielsen rules. The initial vertex is \(\mathcal {E}\). The system \(\mathcal {E}\) is satisfiable iff the vertex \(\{ \epsilon = \epsilon \}\) is reachable in \(\mathcal {G}_\mathcal {E}\). If \(\mathcal {E}\) is a quadratic system, \(\mathcal {G}_\mathcal {E}\) is finite [39].

Even though the stabilization-based procedure can be fast, it may suffer from an explosion in the number of alignments, especially for large systems of equations with many unrestricted variables and literals. To deal with such formulae, we propose a length-based decision procedure, which can symbolically encode all possible alignments using LIA formulae. Solving of the string formula is hence converted to the solving of a LIA formula, which might be easier.

Block-acyclic string constraints.An equational block (or just a block for short) of a variable x is a conjunction of string equations of the form shown in the right, where for each \(i\ne j\), \(R_i \in (\mathbb {X}\cup \Sigma )^*\), each variable of \(R_i\) has at most one occurrence in \(R_i\), \(x\notin \texttt{Var}(R_i)\) , and \(\texttt{Var}(R_i) \cap \texttt{Var}(R_j) = \emptyset \).

A conjunction of equational blocks is called a block string constraint. We abuse the notation and treat \(\mathcal {E}_x\) as a set of atoms of the conjunction. A directed graph \(G = (\{ \mathcal {E}_x \mid x \in \mathbb {X}\}, \{ (\mathcal {E}_x, \mathcal {E}_y) \mid x \ne y \wedge (y \in \texttt{Var}(\mathcal {E}_x) \vee (\texttt{Var}(\mathcal {E}_x) \cap \texttt{Var}(\mathcal {E}_y)) \setminus \{ x,y \} \ne \emptyset ) \})\) is called the block-graph of the block string constraint. Block-graph connects blocks s.t. the values of variables of the adjacent blocks affect the value of the block variable of the predecessor. A string constraint is called block-acyclic if the corresponding block-graph is acyclic. As an example, Fig. 2 shows the block-graph for the block-acyclic constraint .

The main and the most general decision procedure is the stabilization-based procedure applicable for any constraint. It was first introduced in [15] for handling word equations with regular constraints and then extended for handling length constraints [25] and string-integer conversions [29]. The procedure follows the framework from Section 3.3, with preprocessing rules described in [25], the \(\textsf{nextSolution}\) function follows the procedure from [25], and \(\textsf{getLIA}\) is based on [25, 29]. As the procedure is explained in these papers, we do not give details here, instead, we focus on model generation, which was not done before.

We implemented the presented decision procedures and model generation in version 1.3 of Z3-Noodler and evaluated them on all string benchmarks from SMT-LIB [7]. We split the benchmarks into three categories: In Regex we gather the benchmark sets that contain mostly regular and length constraints: AutomatArk  [12], Denghang, Redos, StringFuzz  [17], and Sygus-qgen. The benchmark sets Kaluza  [33, 46], Kepler  [30], Norn  [1, 2], Omark, Slent  [52], Slog  [53], Webapp, and Woorpje  [28], consisting of mostly word equations and length constraints with some small number of more complex constraints, are in the Equations category. The last category, Predicates, contains benchmark sets FullStrInt, LeetCode, PyEx  [43], StrSmallRw  [41], and Transducer+  [22], which heavily feature more complex string constraints. The experiments were executed on a workstation with an AMD Ryzen 5 5600G CPU @ 3.8 GHz with 100 GiB of RAM running Ubuntu 22.04.4. The timeout was set to 120 s, memory limit was 8 GiB.

Procedures comparison. Table 1 shows the impact of various decision procedures within Z3-Noodler on solving string constraints. We compare the number of times a particular procedure was used for solving. Note that the total number of calls might be different to the number of formulae in the particular benchmark as some formulae might have been solved directly by the theory rewriter or the initial phase (and therefore no call of a decision procedure was used) while some formulae might have resulted in multiple calls. The table shows that the decision procedure for regex constraints is (unsurprisingly) strong on the Regex benchmark. Furthermore, the length-based procedure is quite strong on Equations (and on regex-heavy benchmarks due to the StringFuzz benchmark set as it contains parts with pure equations). Even though the impact of the Nielsen transformation seems low, without it, Z3-Noodler cannot solve most of the formulae the procedure solves. Note that for Equations, there are 44 calls that were not solved by any presented procedure. Instead, they were solved by a simple procedure that is used for benchmarks that contain equations with exactly one symbol and length constraints. This procedure just asks if the lengths of both sides of each equation are the same (as there is only one symbol, it is the same as asking if the equation holds). All in all, Z3-Noodler with all procedures enabled takes 3,583 seconds less to solve 944 formulae more than Z3-Noodler with only stabilization-based procedure, which is a significant improvement (see tables in the appendix for more detailed results). From Table 1 it is also evident that the values of called and solved are close to each other, i.e., the suitability check can precisely identify a suitable decision procedure.

Comparison with other tools. In Table 2 and Fig. 5, we compare Z3-Noodler with cvc 5 (version 1.2.0) and Z3 (version 4.13.0). The table also shows the impact of model generation. From the results we can see that Z3-Noodler is significantly better (in both the number of solved instances and the time) than other tools on Regex. Furthermore, it is better than other tools on Equations, while slightly worse than cvc 5 on Predicates. Comparing the impact of model generation, we can see that for all three tools, it is not significant, there is usually some slight slowdown with a few less solved instances. All in all, even with model generation, Z3-Noodler can solve the most number of instances the fastest.