Sound regular expression semantics for dynamic symbolic execution of JavaScript

Blake Loring; Duncan Mitchell; Johannes Kinder

doi:10.1145/3314221.3314645

Sound regular expression semantics for dynamic symbolic execution of JavaScript

Blake Loring, Duncan Mitchell, Johannes Kinder

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

75 Downloads (Pure)

Abstract

Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.

Original language	English
Title of host publication	PLDI'19
Subtitle of host publication	Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation
Publisher	ACM
Pages	425-438
Number of pages	14
ISBN (Electronic)	978-1-4503-6712-7/19/06
DOIs	https://doi.org/10.1145/3314221.3314645
Publication status	Published - 8 Jun 2019
Event	40th ACM SIGPLAN Conference on Programming Language Design and Implementation - Phoenix Convention Center, Phoenix, United States Duration: 24 Jun 2019 → … https://pldi19.sigplan.org/home

Conference

Conference	40th ACM SIGPLAN Conference on Programming Language Design and Implementation
Abbreviated title	PLDI'19
Country/Territory	United States
City	Phoenix
Period	24/06/19 → …
Internet address	https://pldi19.sigplan.org/home

Access to Document

10.1145/3314221.3314645

Accepted ManuscriptAccepted author manuscript, 738 KB

https://www.unibw.de/patch/papers/pldi19-regex.pdf

Centre for Doctoral Training in Cyber Security
Cid, C., Crampton, J., Martin, K. M. & Paterson, K.
Eng & Phys Sci Res Council EPSRC
1/04/13 → 31/12/19
Project: Research

Cite this

@inproceedings{a18f2ca3150b484fb7923ac88155fe2d,

title = "Sound regular expression semantics for dynamic symbolic execution of JavaScript",

abstract = "Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.",

author = "Blake Loring and Duncan Mitchell and Johannes Kinder",

year = "2019",

month = jun,

day = "8",

doi = "10.1145/3314221.3314645",

language = "English",

pages = "425--438",

booktitle = "PLDI'19",

publisher = "ACM",

note = "40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI'19 ; Conference date: 24-06-2019",

url = "https://pldi19.sigplan.org/home",

}

Loring, B, Mitchell, D & Kinder, J 2019, Sound regular expression semantics for dynamic symbolic execution of JavaScript. in PLDI'19: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, pp. 425-438, 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, Phoenix, Arizona, United States, 24/06/19. https://doi.org/10.1145/3314221.3314645

TY - GEN

T1 - Sound regular expression semantics for dynamic symbolic execution of JavaScript

AU - Loring, Blake

AU - Mitchell, Duncan

AU - Kinder, Johannes

PY - 2019/6/8

Y1 - 2019/6/8

N2 - Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.

AB - Support for regular expressions in symbolic execution-based tools for test generation and bug finding is insufficient. Common aspects of mainstream regular expression engines, such as backreferences or greedy matching, are ignored or imprecisely approximated, leading to poor test coverage or missed bugs. In this paper, we present a model for the complete regular expression language of ECMAScript 2015 (ES6), which is sound for dynamic symbolic execution of the test and exec functions. We model regular expression operations using string constraints and classical regular expressions and use a refinement scheme to address the problem of matching precedence and greediness. We implemented our model in ExpoSE, a dynamic symbolic execution engine for JavaScript, and evaluated it on over 1,000 Node.js packages containing regular expressions, demonstrating that the strategy is effective and can significantly increase the number of successful regular expression queries and therefore boost coverage.

U2 - 10.1145/3314221.3314645

DO - 10.1145/3314221.3314645

M3 - Conference contribution

SP - 425

EP - 438

BT - PLDI'19

PB - ACM

T2 - 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

Y2 - 24 June 2019

ER -

Sound regular expression semantics for dynamic symbolic execution of JavaScript

Abstract

Conference

Access to Document

Projects

Centre for Doctoral Training in Cyber Security

Cite this