Skip to main content
SpringerLink
Log in

Constraint Programming for Dynamic Symbolic Execution of JavaScript

  • Conference paper
  • First Online:
Book cover Integration of Constraint Programming, Artificial Intelligence, and Operations Research (CPAIOR 2019)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 11494))

Abstract

Dynamic Symbolic Execution (DSE) combines concrete and symbolic execution, usually for the purpose of generating good test suites automatically. It relies on constraint solvers to solve path conditions and to generate new inputs to explore. DSE tools usually make use of SMT solvers for constraint solving. In this paper, we show that constraint programming (CP) is a powerful alternative or complementary technique for DSE. Specifically, we apply CP techniques for DSE of JavaScript, the de facto standard for web programming. We capture the JavaScript semantics with MiniZinc and integrate this approach into a tool we call Aratha. We use G-Strings, a CP solver equipped with string variables, for solving path conditions, and we compare the performance of this approach against state-of-the-art SMT solvers. Experimental results, in terms of both speed and coverage, show the benefits of our approach, thus opening new research vistas for using CP techniques in the service of program analysis.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Similarly, Booleans and numbers are wrapped into Boolean and Number objects.

  2. 2.

    We treat \(\mathbb {T}\) as an enumeration where \( Null = 1, Undef = 2, \dots , Obj = 6\).

  3. 3.

    Publicly available at https://bitbucket.org/robama/g-strings/src/master/gecode-5.0.0/gecode/flatzinc/javascript.

  4. 4.

    Publicly available at https://github.com/ArathaJS/aratha.

  5. 5.

    \(T_{tot}\) is also useful because CVC4 may get stuck in presolving regardless of \(T_{pc}\) limit. (see http://cvc4.cs.stanford.edu/wiki/User_Manual#Resource_limits).

References

  1. Abdulla, P.A., et al.: Flatten and conquer: a framework for efficient analysis of string constraints. In: Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, Barcelona, Spain, 18–23 June 2017, pp. 602–617 (2017)

    Google Scholar 

  2. Abdulla, P.A., et al.: Norn: an SMT solver for string constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 462–469. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_29

    Chapter  Google Scholar 

  3. Amadini, R., Flener, P., Pearson, J., Scott, J.D., Stuckey, P.J., Tack, G.: MiniZinc with strings. In: Hermenegildo, M.V., Lopez-Garcia, P. (eds.) LOPSTR 2016. LNCS, vol. 10184, pp. 59–75. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63139-4_4

    Chapter  Google Scholar 

  4. Amadini, R., Gabbrielli, M., Mauro, J.: A multicore tool for constraint solving. In: Proceedings 24th International Joint Conference Artificial Intelligence, pp. 232–238. AAAI Press (2015)

    Google Scholar 

  5. Amadini, R., Gange, G., Stuckey, P.J.: Propagating lex, find and replace with dashed strings. In: van Hoeve, W.-J. (ed.) CPAIOR 2018. LNCS, vol. 10848, pp. 18–34. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93031-2_2

    Chapter  MATH  Google Scholar 

  6. Amadini, R., Gange, G., Stuckey, P.J.: Propagating regular membership with dashed strings. In: Hooker, J. (ed.) CP 2018. LNCS, vol. 11008, pp. 13–29. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98334-9_2

    Chapter  MATH  Google Scholar 

  7. Amadini, R., Gange, G., Stuckey, P.J.: Sweep-based propagation for string constraint solving. In: Proceedings 32nd AAAI Conference Artificial Intelligence, pp. 6557–6564. AAAI Press (2018)

    Google Scholar 

  8. Amadini, R., Gange, G., Stuckey, P.J., Tack, G.: A novel approach to string constraint solving. In: Beck, J.C. (ed.) CP 2017. LNCS, vol. 10416, pp. 3–20. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66158-2_1

    Chapter  Google Scholar 

  9. Amadini, R., et al.: Combining string abstract domains for JavaScript analysis: an evaluation. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 41–57. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54577-5_3

    Chapter  Google Scholar 

  10. Amadini, R., Stuckey, P.J.: Sequential time splitting and bounds communication for a portfolio of optimization solvers. In: O’Sullivan, B. (ed.) CP 2014. LNCS, vol. 8656, pp. 108–124. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10428-7_11

    Chapter  Google Scholar 

  11. Artzi, S., et al.: Finding bugs in web applications using dynamic test generation and explicit-state model checking. IEEE Trans. Software Eng. 36(4), 474–494 (2010)

    Article  Google Scholar 

  12. Barrett, C., Fontaine, P., Tinelli, C.: The SMT-LIB standard: Version 2.6. Technical report, Department of Computer Science, University of Iowa (2017). www.SMT-LIB.org

  13. Berzish, M., Ganesh, V., Zheng, Y.: Z3str3: a string solver with theory-aware heuristics. In: Stewart, D., Weissenbacher, G. (eds.) Proceedings 17th Conference Formal Methods in Computer-Aided Design, pp. 55–59. FMCAD Inc. (2017)

    Google Scholar 

  14. Blanc, B., Junke, C., Marre, B., Gall, P.L., Andrieu, O.: Handling state-machines specifications with GATeL. Electr. Notes Theor. Comput. Sci. 264(3), 3–17 (2010). https://doi.org/10.1016/j.entcs.2010.12.011

    Article  Google Scholar 

  15. Cadar, C., Dunbar, D., Engler, D.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings 8th USENIX Conference Operating Systems Design and Implementation, OSDI, vol. 8, pp. 209–224 (2008)

    Google Scholar 

  16. Delahaye, M., Botella, B., Gotlieb, A.: Infeasible path generalization in dynamic symbolic execution. Inf. Softw. Technol. 58, 403–418 (2015)

    Article  Google Scholar 

  17. ECMA International: Ecmascript 2018 language specification (2018). https://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf

  18. Francis, K., Navas, J., Stuckey, P.J.: Modelling destructive assignments. In: Schulte, C. (ed.) CP 2013. LNCS, vol. 8124, pp. 315–330. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40627-0_26

    Chapter  Google Scholar 

  19. Ganzinger, H., Hagen, G., Nieuwenhuis, R., Oliveras, A., Tinelli, C.: DPLL(T): fast decision procedures. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 175–188. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27813-9_14

    Chapter  Google Scholar 

  20. Gecode Team: Gecode: Generic constraint development environment (2016). http://www.gecode.org

  21. Godefroid, P., Klarlund, N., Sen, K.: DART: directed automated random testing. In: Proceedings ACM SIGPLAN Conference Programming Language Design and Implementation (PLDI 2005), pp. 213–223. ACM (2005)

    Google Scholar 

  22. Godefroid, P., Levin, M.Y., Molnar, D.: SAGE: whitebox fuzzing for security testing. Commun. ACM 55(3), 40–44 (2012)

    Article  Google Scholar 

  23. Gotlieb, A.: TCAS software verification using constraint programming. Knowl. Eng. Rev. 27(3), 343–360 (2012). https://doi.org/10.1017/S0269888912000252

    Article  Google Scholar 

  24. Holík, L., Janku, P., Lin, A.W., Rümmer, P., Vojnar, T.: String constraints with concatenation and transducers solved efficiently. PACMPL 2(POPL), 4:1–4:32 (2018)

    Google Scholar 

  25. Hooimeijer, P., Weimer, W.: StrSolve: solving string constraints lazily. Autom. Softw. Eng. 19(4), 531–559 (2012)

    Article  Google Scholar 

  26. Kashyap, V., et al.: JSAI: a static analysis platform for JavaScript. In: Proceedings 22nd ACM SIGSOFT International Symposium Foundations of Software Engineering, pp. 121–132. ACM (2014)

    Google Scholar 

  27. Kieżun, A., Ganesh, V., Artzi, S., Guo, P.J., Hooimeijer, P., Ernst, M.D.: HAMPI: a solver for word equations over strings, regular expressions, and context-free grammars. ACM Trans. Softw. Eng. Methodol. 21(4) (2012). Article 25

    Google Scholar 

  28. King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)

    Article  MathSciNet  Google Scholar 

  29. Lee, H., Won, S., Jin, J., Cho, J., Ryu, S.: SAFE: formal specification and implementation of a scalable analysis framework for ECMAScript. In: Proceedings 19th International Workshop on Foundations of Object-Oriented Languages (FOOL 2012) (2012)

    Google Scholar 

  30. Li, G., Andreasen, E., Ghosh, I.: SymJS: automatic symbolic testing of JavaScript web applications. In: Proceedings 22nd ACM SIGSOFT International Symposium Foundations of Software Engineering, pp. 449–459. ACM (2014)

    Google Scholar 

  31. Li, G., Ghosh, I.: PASS: string solving with parameterized array and interval automaton. In: Bertacco, V., Legay, A. (eds.) HVC 2013. LNCS, vol. 8244, pp. 15–31. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03077-7_2

    Chapter  Google Scholar 

  32. Liang, T., Reynolds, A., Tinelli, C., Barrett, C., Deters, M.: A DPLL(T) theory solver for a theory of strings and regular expressions. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 646–662. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_43

    Chapter  Google Scholar 

  33. Liang, T., Reynolds, A., Tsiskaridze, N., Tinelli, C., Barrett, C., Deters, M.: An efficient SMT solver for string constraints. Formal Methods Syst. Des. 48(3), 206–234 (2016)

    Article  Google Scholar 

  34. Loring, B., Mitchell, D., Kinder, J.: ExpoSE: practical symbolic execution of standalone JavaScript. In: Proceedings 24th ACM SIGSOFT International SPIN Symposium Model Checking of Software, pp. 196–199. ACM (2017)

    Google Scholar 

  35. Majumdar, R., Sen, K.: Hybrid concolic testing. In: Proceedings 29th International Conference Software Engineering (ICSE 2007), pp. 416–426. IEEE (2007)

    Google Scholar 

  36. Majumdar, R., Xu, R.-G.: Reducing test inputs using information partitions. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 555–569. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_41

    Chapter  Google Scholar 

  37. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24

    Chapter  Google Scholar 

  38. Nethercote, N., Stuckey, P.J., Becket, R., Brand, S., Duck, G.J., Tack, G.: MiniZinc: towards a standard CP modelling language. In: Bessière, C. (ed.) CP 2007. LNCS, vol. 4741, pp. 529–543. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74970-7_38

    Chapter  Google Scholar 

  39. Plazar, Q., Acher, M., Bardin, S., Gotlieb, A.: Efficient and complete FD-solving for extended array constraints. In: Sierra, C. (ed.) Proceedings 26th International Joint Conference Artificial Intelligence, pp. 1231–1238 (2017). ijcai.org

  40. Rossi, F., van Beek, P., Walsh, T. (eds.): Handbook of Constraint Programming. Elsevier, New York (2006)

    MATH  Google Scholar 

  41. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: Proceedings 2010 IEEE Symposium Security and Privacy, pp. 513–528. IEEE Computer Socience (2010)

    Google Scholar 

  42. Scott, J.D., Flener, P., Pearson, J., Schulte, C.: Design and implementation of bounded-length sequence variables. In: Salvagnin, D., Lombardi, M. (eds.) CPAIOR 2017. LNCS, vol. 10335, pp. 51–67. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59776-8_5

    Chapter  MATH  Google Scholar 

  43. Sen, K., Agha, G.: CUTE and jCUTE: concolic unit testing and explicit path model-checking tools. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 419–423. Springer, Heidelberg (2006). https://doi.org/10.1007/11817963_38

    Chapter  Google Scholar 

  44. Sen, K., Kalasapur, S., Brutch, T.G., Gibbs, S.: Jalangi: a selective record-replay and dynamic analysis framework for JavaScript. In: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium Foundations of Software Engineering, pp. 488–498 (2013)

    Google Scholar 

  45. Sen, K., Marinov, D., Agha, G.: CUTE: a concolic unit testing engine for C. In: Proceedings 10th European Software Engineering Conference, pp. 263–272. ACM (2005). https://doi.org/10.1145/1081706.1081750

  46. Tateishi, T., Pistoia, M., Tripp, O.: Path- and index-sensitive string analysis based on monadic second-order logic. ACM Trans. Softw. Eng. Methodol. 22(4) (2013). Article 33

    Google Scholar 

  47. Tillmann, N., de Halleux, J.: Pex–white box test generation for.NET. In: Beckert, B., Hähnle, R. (eds.) TAP 2008. LNCS, vol. 4966, pp. 134–153. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79124-9_10

    Chapter  Google Scholar 

  48. Trinh, M.T., Chu, D.H., Jaffar, J.: S3: a symbolic string solver for vulnerability detection in web applications. In: Proceedings 2014 ACM SIGSAC Conference Computer and Communications Security, pp. 1232–1243. ACM (2014)

    Google Scholar 

  49. Trinh, M.-T., Chu, D.-H., Jaffar, J.: Progressive reasoning over recursively-defined strings. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 218–240. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41528-4_12

    Chapter  Google Scholar 

  50. Trinh, M.-T., Chu, D.-H., Jaffar, J.: Model counting for recursively-defined strings. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 399–418. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_21

    Chapter  Google Scholar 

  51. Zheng, Y., Ganesh, V., Subramanian, S., Tripp, O., Dolby, J., Zhang, X.: Effective search-space pruning for solvers of string equations, regular expressions and length constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 235–254. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_14

    Chapter  Google Scholar 

  52. Zheng, Y., Zhang, X., Ganesh, V.: Z3-str: a Z3-based string solver for web application analysis. In: Proceedings 9th Joint Meeting on Foundations of Software Engineering, pp. 114–124. ACM (2013)

    Google Scholar 

Download references

Acknowledgments

This work is supported by the Australian Research Council (ARC) through Linkage Project Grant LP140100437 and Discovery Early Career Researcher Award DE160100568.

Author information

Authors and Affiliations

  1. University of Melbourne, Melbourne, VIC, Australia

    Roberto Amadini, Mak Andrlon, Peter Schachte & Harald  Søndergaard

  2. Monash University, Melbourne, VIC, Australia

    Graeme Gange & Peter J. Stuckey

Authors
  1. Roberto Amadini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mak Andrlon
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Graeme Gange
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Peter Schachte
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Harald  Søndergaard
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Peter J. Stuckey
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Roberto Amadini .

Editor information

Editors and Affiliations

  1. Ecole Polytechnique de Montréal, Montréal, QC, Canada

    Louis-Martin Rousseau

  2. University of Western Macedonia, Kozani, Greece

    Kostas Stergiou

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Amadini, R., Andrlon, M., Gange, G., Schachte, P.,  Søndergaard, H., Stuckey, P.J. (2019). Constraint Programming for Dynamic Symbolic Execution of JavaScript. In: Rousseau, LM., Stergiou, K. (eds) Integration of Constraint Programming, Artificial Intelligence, and Operations Research. CPAIOR 2019. Lecture Notes in Computer Science(), vol 11494. Springer, Cham. https://doi.org/10.1007/978-3-030-19212-9_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-19212-9_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-19211-2

  • Online ISBN: 978-3-030-19212-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation