Sound regular expression semantics for dynamic symbolic execution of JavaScript

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation Pub Date : 2018-10-10 DOI:10.1145/3314221.3314645

Blake Loring, Duncan Mitchell, Johannes Kinder

{"title":"Sound regular expression semantics for dynamic symbolic execution of JavaScript","authors":"Blake Loring, Duncan Mitchell, Johannes Kinder","doi":"10.1145/3314221.3314645","DOIUrl":null,"url":null,"abstract":"Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.","PeriodicalId":441774,"journal":{"name":"Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"20","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3314221.3314645","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 20

Abstract

Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.

查看原文本刊更多论文

JavaScript动态符号执行的合理正则表达式语义

在基于符号执行的工具中，用于测试生成和bug查找的正则表达式支持是不够的。主流正则表达式引擎的常见方面，如向后引用或贪婪匹配，被忽略或不精确地近似，导致测试覆盖率低或遗漏bug。在本文中，我们为ECMAScript 2015 (ES6)的完整正则表达式语言提出了一个模型，该模型适用于测试和执行函数的动态符号执行。我们使用字符串约束和经典正则表达式对正则表达式操作进行建模，并使用改进方案来解决匹配优先级和贪心问题。我们在JavaScript的动态符号执行引擎ExpoSE中实现了我们的模型，并在超过1000个包含正则表达式的Node.js包上对其进行了评估，证明了该策略是有效的，可以显著增加成功的正则表达式查询的数量，从而提高覆盖率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

自引率

0.00%

发文量