A Length-aware Regular Expression SMT Solver

Motivated by program analysis, security, and verification applications, we study various fragments of a rich first-order quantifier-free (QF) theory $T_{LRE,n,c}$ over regular expression (regex) membership predicate, linear integer arithmetic over string length, string-number conversion predicate, and string concatenation. Our contributions are the following. On the theoretical side, we prove a series of (un)decidability and complexity theorems for various fragments of $T_{LRE,n,c}$, some of which have been open for several years. On the practical side, we present a novel length-aware decision procedure for the QF first-order theory $T_{LRE}$ with regex membership predicate and linear arithmetic over string length. The crucial insight that enables our algorithm to scale for instances obtained from practical applications is that these instances contain a wealth of information about upper and lower bounds on lengths of strings which can be used to simplify operations on automata representing regexes. We showcase the power of our algorithm via an extensive empirical evaluation over a large and diverse benchmark of over 57000 regex-heavy instances, derived from a mix of industrial applications, instances contributed by other solver developers, as well as randomly-generated ones. Specifically, our solver outperforms five other state-of-the-art string solvers, namely, CVC4, Z3str3, Z3-Trau, OSTRICH and Z3seq, over this benchmark.