Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA

Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany

6806


Ganesh Gopalakrishnan
Shaz Qadeer (Eds.)

Computer Aided
Verification
23rd International Conference, CAV 2011
Snowbird, UT, USA, July 14-20, 2011
Proceedings

13


Volume Editors
Ganesh Gopalakrishnan
University of Utah
School of Computing
50 South Central Campus Dr.
Salt Lake City, UT 84112-9205, USA
E-mail:
Shaz Qadeer

Microsoft Research
One Microsoft Way
Redmond, WA 98052, USA
E-mail:

ISSN 0302-9743
e-ISSN 1611-3349
e-ISBN 978-3-642-22110-1
ISBN 978-3-642-22109-5
DOI 10.1007/978-3-642-22110-1
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2011930052
CR Subject Classification (1998): F.3, D.2, D.3, D.2.4, F.4.1, C.2
LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues

© Springer-Verlag Berlin Heidelberg 2011
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply,
even in the absence of a specific statement, that such names are exempt from the relevant protective laws
and regulations and therefore free for general use.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)



Preface

The International Conference on Computer-Aided Verification (CAV) is dedicated to the advancement of the theory and practice of computer-aided formal
analysis methods for hardware and software systems. Its scope ranges from theoretical results to concrete applications, with an emphasis on practical verification
tools and the underlying algorithms and techniques. This volume contains the
proceedings of the 23rd edition of this conference held in Snowbird, Utah, USA,
during July 14–20, 2011. The conference included two workshop days, a tutorial
day, and four days for the main program.
At CAV 2009, Bob Kurshan approached us with the idea of holding CAV
2011 in Salt Lake City. Encouraged by the enthusiastic support from late Amir
Pnueli, we had little hesitation in agreeing to Bob’s proposal. While the initial
proposal was to organize the conference on the campus of the University of Utah,
we eventually decided to hold it at the Snowbird resort near Salt Lake City. Our
decision was motivated by the dual desire to showcase the abundant natural
beauty of Utah and to provide a collegial atmosphere similar to a Dagstuhl
workshop.
We are happy to report that CAV is thriving, as evidenced by the large
number of submissions. We received 161 submissions and selected 35 regular
and 20 tool papers. We appreciate the diligence of our Program Committee and
our external reviewers due to which all (except two) papers received at least four
reviews. A big thank you to all our reviewers!
The conference was preceded by the eight affiliated workshops:
– The 4th International Workshop on Numerical Software Verification (NSV
2011), Thursday, 7/14
– 10th International Workshop on Parallel and Distributed Methods in Verifications (PDMC 2011), Thursday, 7/14
– The 4th International Workshop on Exploiting Concurrency Efficiently and
Correctly (EC2 2011), 7/14-7/15
– Frontiers in Analog Circuit Synthesis and Verification (FAC 2011), 7/14-7/15
– International Workshop on Satisfiability Modulo Theories, including SMTCOMP (SMT 2011), 7/14-7/15
– 18th International SPIN Workshop on Model Checking of Software (SPIN

2011), 7/14-7/15
– Formal Methods for Robotics and Automation (FM-R 2011), 7/15
– Practical Synthesis for Concurrent Systems (PSY 2011), 7/15
In addition to the presentations for the accepted papers, the conference also
featured four invited talks and four invited tutorials.
– Invited talks:
• Andy Chou (Coverity Inc.): “Static Analysis Tools in Industry: Notes
from the Front Line”


VI

Preface

• Vigyan Singhal and Prashant Aggarwal (Oski Technology): “Using Coverage to Deploy Formal Verification in a Simulation World”
• Vikram Adve (University of Illinois at Urbana-Champaign): “Parallel
Programming Should Be and Can Be Deterministic-by-default”
• Rolf Ernst (TU Braunschweig): “Formal Performance Analysis in Automotive Systems Design: A Rocky Ride to New Grounds”
– Invited tutorials:
• Shuvendu Lahiri (Microsoft Research): “SMT-Based Modular Analysis
of Sequential Systems Code”
• Vijay Ganesh (Massachussetts Institute of Technology): “HAMPI: A
String Solver for Testing, Analysis and Vulnerability Detection”
• Ranjit Jhala (University of California at San Diego): “Using Types for
Software Verification”
• Andre Platzer (Carnegie Mellon University): “Logic and Compositional
Verification of Hybrid Systems”
A big thank you to all our invited speakers!
We thank the members of the CAV Steering Committee —Michael Gordon,
Orna Grumberg, Bob Kurshan, and Ken McMillan— for their timely advice on

various organizational matters. Neha Rungta, our Workshop Chair, smoothly
handled the organization of the workshops. Eric Mercer, our Local Arrangements
Chair, set up the registration portal at Brigham Young University. Sandip Ray,
our Publicity Chair, helped publicize CAV 2011. We thank Aarti Gupta, past
CAV Chair, for her help and advice in running the conference and maintaining
its budget.
We thank Geof Sawaya for maintaining the CAV 2011 website. We are grateful to Wendy Adamson for arranging the beautiful Cliff Lodge facility at an
affordable price and really making the budget work in our favor. We thank Alfred Hofmann of Springer for publishing the paper and USB proceedings for CAV
2011. We thank Andrei Voronkov and his team for offering us EasyChair which
has proven invaluable at every juncture in conducting the work of CAV. We
thank the office staff of the School of Computing, University of Utah, especially
Karen Feinauer and Chris Coleman, for allowing us to use the school resources
for managing CAV activities.
We are especially grateful to our corporate sponsors —Microsoft Research,
Coverity, Google, NEC Research, Jasper, IBM, Intel, Fujitsu, and Nvidia— for
their donations. We are also grateful to Judith Bishop and Wolfram Schulte of
Microsoft Research for their substantial financial backing of CAV. We also thank
Lenore Zuck, Nina Amla, and Sol Greenspan who helped with obtaining an NSF
travel award.
CAV 2012 will be held in Berkeley, California.
April 2011

Ganesh Gopalakrishnan
Shaz Qadeer


Organization

Program Committee
Azadeh Farzan

Jasmin Fisher
Cormac Flanagan
Steven German
Dimitra Giannakopoulou
Ganesh Gopalakrishnan
Susanne Graf
Keijo Heljanko
William Hung
Franjo Ivancic
Joost-Pieter Katoen
Stefan Kowalewski
Daniel Kroening
Orna Kupferman
Robert P. Kurshan
Akash Lal
Kim G. Larsen
Ken Mcmillan
Madan Musuvathi
Michael Norrish
Madhusudan Parthasarathy
Shaz Qadeer
John Regehr
Andrey Rybalchenko
Sriram Sankaranarayanan
Roberto Sebastiani
Sanjit A. Seshia
Ofer Strichman
Murali Talupur
Serdar Tasiran
Ashish Tiwari

Tayssir Touili
Viktor Vafeiadis
Bow-Yaw Wang

University of Toronto, Canada
Microsoft Research, Cambridge, UK
University of California at Santa Cruz, USA
IBM Yorktown Heights, NY
RIACS/NASA Ames, USA
University of Utah, USA
Universit´e Joseph Fourier, CNRS,
VERIMAG, France
Helsinki University of Technology, Finland
Synopsys Inc., USA
NEC Labs America, USA
RWTH Aachen, Germany
RWTH Aachen, Germany
Oxford University, UK
Hebrew University, Israel
Cadence Design Systems, USA
Microsoft Research, Bangalore, India
Aalborg University, Denmark
Microsoft Research, Redmond, USA
Microsoft Research, Redmond, USA
NICTA, Australia
University of Illinois at Urbana-Champaign,
USA
Microsoft Research, Redmond, USA
University of Utah, USA
TU Munich, Germany

University of Colorado at Boulder, USA
University of Trento, Italy
University of California at Berkeley, USA
Technion, Israel
Intel, Santa Clara, USA
Koc University, Turkey
SRI International, Menlo Park, USA
LIAFA, CNRS, France and Universit´e Paris
Diderot
MPI-SWS, Germany
Academia Sinica, Taiwan


VIII

Organization

Additional Reviewers
A
Abraham, Erika
Ait Mohamed, Otmane
Alglave, Jade
Andres, Miguel E.
Asarin, Eugene
Atig, Faouzi
B
Baier, Christel
Balakrishnan, Gogul
Barakat, Kamal
Batty, Mark

Bauer, Andreas
Bell, Christian
Bensalem, Saddek
Berdine, Josh
Bhattacharya, Ritwik
Biallas, Sebastian
Biere, Armin
Bingham, Jesse
Boker, Udi
Bonakdarpour, Borzoo
Bouajjani, Ahmed
Bozzano, Marco
Brady, Bryan
Brauer, J¨
org
Brihaye, Thomas
Bruttomesso, Roberto
Buchholz, Peter
Burckhardt, Sebastian
C
Cabodi, Gianpiero
Cardelli, Luca
Case, Michael
Chan, Yang
Chaudhuri, Swarat
Chechik, Marsha
Chen, Taolue
Chen, Xiaofang
Chen, Yang


Chen, Yu-Fang
Cook, Byron
D
D’Argenio, Pedro R.
D’Silva, Vijay
Dang, Thao
David, Alexandre
De Moura, Leonardo
De Paula, Flavio M.
De Rougemont, Michel
Distefano, Dino
Donaldson, Alastair
Donz´e, Alexandre
Doyen, Laurent
Dragoi, Cezara
Duan, Jianjun
Dubrovin, Jori
Durairaj, Vijay
Dutertre, Bruno
E
Een, Niklas
Elenbogen, Dima
Elmas, Tayfun
Emmer, Moshe
Emmi, Michael
Enea, Constantin
F
Fahrenberg, Uli
Ferrante, Alessandro
Forejt, Vojtech

Franke, Dominik
Freund, Stephen
G
Gan, Xiang
Ganai, Malay
Ganesh, Vijay
Garg, Pranav
Garnier, Florent


Organization

Ghorbal, Khalil
Gimbert, Hugo
Girard, Antoine
Godefroid, Patrice
Gotsman, Alexey
Griggio, Alberto
Groce, Alex
Grundy, Jim
Gueckel, Dominique
Gupta, Ashutosh
Gurfinkel, Arie
H
Haemmerl´e, R´emy
Haensch, Paul
Haller, Leopold
Hartmanns, Arnd
He, Fei
He, Nannan

Heinen, Jonathan
Heizmann, Matthias
Holcomb, Daniel
Huang, Chung-Yang Ric
Humphrey, Alan
J
Jalbert, Nicholas
Janhunen, Tomi
Jansen, Christina
Janssen, Geert
Jha, Susmit
Jhala, Ranjit
Jiang, Jie-Hong Roland
Jin, Hoonsang
Jin, Naiyong
Jobstmann, Barbara
Jones, Robert
Junttila, Tommi
J¨
urjens, Jan
K
Kahlon, Vineet
Kaiser, Alexander
Kamin, Volker

Kim, Hyondeuk
Kincaid, Zachary
Kindermann, Roland
King, Andy
Kishinevsky, Michael

Kodakara, Sreekumar
Kotker, Jonathan
Krepska, Elzbieta
Krstic, Sava
Kwiatkowska, Marta
K¨
ahk¨
onen, Kari
K¨
opf, Boris
L
La Torre, Salvatore
Lahiri, Shuvendu
Launiainen, Tuomas
Leroux, Jerome
Levhari, Yossi
Lewis, Matt
Li, Guodong
Li, Jian-Qi
Li, Wenchao
Logozzo, Francesco
Lvov, Alexey
M
Mador-Haim, Sela
Maeda, Naoto
Majumdar, Rupak
Maler, Oded
Malkis, Alexander
Maoz, Shahar
Mardare, Radu

Mateescu, Maria
Mayr, Richard
Mereacre, Alexandru
Merschen, Daniel
Might, Matthew
Miner, Paul
Mishchenko, Alan
Mitra, Sayan
Mogavero, Fabio
Mover, Sergio
Murano, Aniello

IX


X

Organization

N
Nain, Sumit
Napoli, Margherita
Narasamdya, Iman
Nickovic, Dejan
Nimal, Vincent
Noll, Thomas
Norman, Gethin
Nuzzo, Pierluigi
Nyman, Ulrik
P

Palmer, Robert
Pandav, Sudhindra
Parente, Mimmo
Parker, David
Parlato, Gennaro
Pedersen, Mikkel L.
Pek, Edgar
Peled, Doron
Pike, Lee
Piskac, Ruzica
Piterman, Nir
Platzer, Andre
Popeea, Corneliu
Q
Qian, Kairong
Qiang, Katherine
Qiu, Xiaokang
Quesel, Jan-David
Quinton, Sophie

Rogalewicz, Adam
Rozanov, Mirron
Rozier, Kristin Yvonne
Rungta, Neha
Ryvchin, Vadim
S
Sa’Ar, Yaniv
Sahoo, Debashis
Sangnier, Arnaud
Sanner, Scott

Saxena, Prateek
Schewe, Sven
Schlich, Bastian
Schuppan, Viktor
Segerlind, Nathan
Sen, Koushik
Sepp, Alexander
Serbanuta, Traian
Sevcik, Jaroslav
Sezgin, Ali
Sharma, Subodh
Sheinvald, Sarai
Sighireanu, Mihaela
Sinha, Nishant
Spalazzi, Luca
Srba, Jiri
Srivastava, Saurabh
Stefanescu, Alin
Steffen, Bernhard
Stoelinga, Marielle
Stoller, Scott
Stursberg, Olaf
Szubzda, Grzegorz

R
T
Rajan, Ajitha
Ravi, Kavita
Reinbacher, Thomas
Rezine, Ahmed

Ridgeway, Jeremy
Rinetzky, Noam
Rintanen, Jussi
Rival, Xavier

Tautschnig, Michael
Thrane, Claus
Tiu, Alwen
Tonetta, Stefano
Tsai, Ming-Hsien
Tsay, Yih-Kuen
Tuerk, Thomas


Organization

V
Vardi, Moshe
Vaswani, Kapil
Vechev, Martin
Vestergaard, Rene
Vighio, Saleem
Visser, Willem
Viswanathan, Mahesh
Vojnar, Tomas
W
Wahl, Thomas
Wang, Chao
Wang, Farn
Wang, Liqiang

Wang, Zilong
Weissenbacher, Georg
Wickerson, John

Wieringa, Siert
Wolf, Verena
Y
Yahav, Eran
Yang, Yu
Yen, Hsu-Chun
Yorsh, Greta
Yrke Jørgensen, Kenneth
Yu, Andy
Yu, Fang
Yuan, Jun
Z
Zhang, Lijun
Zhang, Ting
Zhao, Lu
Zhou, Min
Zunino, Roberto

XI


Table of Contents

HAMPI: A String Solver for Testing, Analysis and Vulnerability
Detection (Invited Tutorial) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Vijay Ganesh, Adam Kie˙zun, Shay Artzi, Philip J. Guo,

Pieter Hooimeijer, and Michael Ernst

1

Using Types for Software Verification (Invited Tutorial) . . . . . . . . . . . . . . .
Ranjit Jhala

20

SMT-Based Modular Analysis of Sequential Systems Code
(Invited Tutorial) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Shuvendu K. Lahiri

21

Logic and Compositional Verification of Hybrid Systems
(Invited Tutorial) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Andr´e Platzer

28

Using Coverage to Deploy Formal Verification in a Simulation World
(Invited Talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Vigyan Singhal and Prashant Aggarwal

44

Stability in Weak Memory Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jade Alglave and Luc Maranget


50

Verification of Certifying Computations . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Eyad Alkassar, Sascha B¨
ohme, Kurt Mehlhorn, and
Christine Rizkallah

67

Parameter Identification for Markov Models of Biochemical
Reactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Aleksandr Andreychenko, Linar Mikeev, David Spieler, and
Verena Wolf

83

Getting Rid of Store-Buffers in TSO Analysis . . . . . . . . . . . . . . . . . . . . . . . .
Mohamed Faouzi Atig, Ahmed Bouajjani, and Gennaro Parlato

99

Malware Analysis with Tree Automata Inference . . . . . . . . . . . . . . . . . . . . .
Domagoj Babi´c, Daniel Reynaud, and Dawn Song

116

State/Event-Based LTL Model Checking under Parametric Generalized
Fairness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Kyungmin Bae and Jos´e Meseguer


132


XIV

Table of Contents

Resolution Proofs and Skolem Functions in QBF Evaluation and
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Valeriy Balabanov and Jie-Hong R. Jiang

149

The BINCOA Framework for Binary Code Analysis . . . . . . . . . . . . . . . . . .
S´ebastien Bardin, Philippe Herrmann, J´erˆ
ome Leroux, Olivier Ly,
Renaud Tabary, and Aymeric Vincent

165

CVC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Clark Barrett, Christopher L. Conway, Morgan Deters,
Liana Hadarean, Dejan Jovanovi´c, Tim King,
Andrew Reynolds, and Cesare Tinelli

171

SLAyer: Memory Safety for Systems-Level Code . . . . . . . . . . . . . . . . . . . .
Josh Berdine, Byron Cook, and Samin Ishtiaq


178

CPAchecker: A Tool for Configurable Software Verification . . . . . . . . . .
Dirk Beyer and M. Erkan Keremoglu

184

Existential Quantification as Incremental SAT . . . . . . . . . . . . . . . . . . . . . . .
J¨
org Brauer, Andy King, and Jael Kriener

191

Efficient Analysis of Probabilistic Programs with an Unbounded
Counter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tom´
aˇs Br´
azdil, Stefan Kiefer, and Anton´ın Kuˇcera

208

Model Checking Algorithms for CTMDPs . . . . . . . . . . . . . . . . . . . . . . . . . . .
Peter Buchholz, Ernst Moritz Hahn, Holger Hermanns, and
Lijun Zhang

225

Quantitative Synthesis for Concurrent Programs . . . . . . . . . . . . . . . . . . . . .
ˇ y, Krishnendu Chatterjee, Thomas A. Henzinger,
Pavol Cern´

Arjun Radhakrishna, and Rohit Singh

243

Symbolic Algorithms for Qualitative Analysis of Markov Decision
Processes with B¨
uchi Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Krishnendu Chatterjee, Monika Henzinger, Manas Joglekar, and
Nisarg Shah
Smoothing a Program Soundly and Robustly . . . . . . . . . . . . . . . . . . . . . . . .
Swarat Chaudhuri and Armando Solar-Lezama
A Specialization Calculus for Pruning Disjunctive Predicates to
Support Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Wei-Ngan Chin, Cristian Gherghina, R˘
azvan Voicu, Quang Loc Le,
Florin Craciun, and Shengchao Qin
Kratos – A Software Model Checker for SystemC . . . . . . . . . . . . . . . . . .
Alessandro Cimatti, Alberto Griggio, Andrea Micheli, Iman
Narasamdya, and Marco Roveri

260

277

293

310


Table of Contents


XV

Efficient Scenario Verification for Hybrid Automata . . . . . . . . . . . . . . . . . .
Alessandro Cimatti, Sergio Mover, and Stefano Tonetta

317

Temporal Property Verification as a Program Analysis Task . . . . . . . . . . .
Byron Cook, Eric Koskinen, and Moshe Vardi

333

Time for Statistical Model Checking of Real-Time Systems . . . . . . . . . . . .
Alexandre David, Kim G. Larsen, Axel Legay,
ˇ
Marius MikuCionis,
and Zheng Wang

349

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent
Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and
Thomas Wahl
Predator: A Practical Tool for Checking Manipulation of Dynamic
Data Structures Using Separation Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Kamil Dudka, Petr Peringer, and Tom´
aˇs Vojnar


356

372

SpaceEx: Scalable Verification of Hybrid Systems . . . . . . . . . . . . . . . . . . . .
Goran Frehse, Colas Le Guernic, Alexandre Donz´e, Scott Cotton,
Rajarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard,
Thao Dang, and Oded Maler

379

From Cardiac Cells to Genetic Regulatory Networks . . . . . . . . . . . . . . . . . .
Radu Grosu, Gregory Batt, Flavio H. Fenton, James Glimm,
Colas Le Guernic, Scott A. Smolka, and Ezio Bartocci

396

Threader: A Constraint-Based Verifier for Multi-threaded Programs . . . .
Ashutosh Gupta, Corneliu Popeea, and Andrey Rybalchenko

412

Interactive Synthesis of Code Snippets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tihomir Gvero, Viktor Kuncak, and Ruzica Piskac

418

Forest Automata for Verification of Heap Manipulation . . . . . . . . . . . . . . .
ˇ aˇcek, and
Peter Habermehl, Luk´

aˇs Hol´ık, Adam Rogalewicz, Jiˇr´ı Sim´
Tom´
aˇs Vojnar

424

Synthesizing Cyber-Physical Architectural Models with Real-Time
Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Christine Hang, Panagiotis Manolios, and Vasilis Papavasileiou

441

μZ- An Efficient Engine for Fixed Points with Constraints . . . . . . . . . . . .
Kryˇstof Hoder, Nikolaj Bjørner, and Leonardo de Moura

457

BAP: A Binary Analysis Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
David Brumley, Ivan Jager, Thanassis Avgerinos, and
Edward J. Schwartz

463


XVI

Table of Contents

HMC: Verifying Functional Programs Using Abstract Interpreters . . . . . .
Ranjit Jhala, Rupak Majumdar, and Andrey Rybalchenko


470

A Quantifier Elimination Algorithm for Linear Modular Equations and
Disequations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ajith K. John and Supratik Chakraborty

486

Bug-Assist: Assisting Fault Localization in ANSI-C Programs . . . . . . . . .
Manu Jose and Rupak Majumdar

504

Synthesis of Distributed Control through Knowledge Accumulation . . . . .
Gal Katz, Doron Peled, and Sven Schewe

510

Language Equivalence for Probabilistic Automata . . . . . . . . . . . . . . . . . . . .
Stefan Kiefer, Andrzej S. Murawski, Jo¨el Ouaknine,
Bj¨
orn Wachter, and James Worrell

526

Formalization and Automated Verification of RESTful Behavior . . . . . . .
Uri Klein and Kedar S. Namjoshi

541


Linear Completeness Thresholds for Bounded Model Checking . . . . . . . . .
Daniel Kroening, Jo¨el Ouaknine, Ofer Strichman,
Thomas Wahl, and James Worrell

557

Interpolation-Based Software Verification with Wolverine . . . . . . . . . . .
Daniel Kroening and Georg Weissenbacher

573

Synthesizing Biological Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hillel Kugler, Cory Plock, and Andy Roberts

579

PRISM 4.0: Verification of Probabilistic Real-Time Systems . . . . . . . . . . .
Marta Kwiatkowska, Gethin Norman, and David Parker

585

Program Analysis for Overlaid Data Structures . . . . . . . . . . . . . . . . . . . . . .
Oukseh Lee, Hongseok Yang, and Rasmus Petersen

592

KLOVER: A Symbolic Execution and Automatic Test Generation Tool
for C++ Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Guodong Li, Indradeep Ghosh, and Sreeranga P. Rajan


609

Fully Symbolic Model Checking for Timed Automata . . . . . . . . . . . . . . . . .
Georges Morb´e, Florian Pigorsch, and Christoph Scholl

616

Complete Formal Hardware Verification of Interfaces for a FlexRay-Like
Bus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Christian M¨
uller and Wolfgang Paul

633

Synthia: Verification and Synthesis for Timed Automata . . . . . . . . . . . . . .
Hans-J¨
org Peter, R¨
udiger Ehlers, and Robert Mattm¨
uller

649


Table of Contents

FixBag: A Fixpoint Calculator for Quantified Bag Constraints . . . . . . . .
Tuan-Hung Pham, Minh-Thai Trinh, Anh-Hoang Truong, and
Wei-Ngan Chin


XVII

656

Analyzing Unsynthesizable Specifications for High-Level Robot
Behavior Using LTLMoP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Vasumathi Raman and Hadas Kress-Gazit

663

Practical, Low-Effort Equivalence Verification of Real Code . . . . . . . . . . .
David A. Ramos and Dawson R. Engler

669

Relational Abstractions for Continuous and Hybrid Systems . . . . . . . . . . .
Sriram Sankaranarayanan and Ashish Tiwari

686

Simplifying Loop Invariant Generation Using Splitter Predicates . . . . . . .
Rahul Sharma, Isil Dillig, Thomas Dillig, and Alex Aiken

703

Monitorability of Stochastic Dynamical Systems . . . . . . . . . . . . . . . . . . . . .
ˇ
A. Prasad Sistla, Miloˇs Zefran,
and Yao Feng


720

Equality-Based Translation Validator for LLVM . . . . . . . . . . . . . . . . . . . . .
Michael Stepp, Ross Tate, and Sorin Lerner

737

Model Checking Recursive Programs with Numeric Data Types . . . . . . . .
Matthew Hague and Anthony Widjaja Lin

743

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

761


HAMPI: A String Solver for Testing, Analysis and
Vulnerability Detection
Vijay Ganesh1 , Adam Kie˙zun2
Shay Artzi , Philip J. Guo4 , Pieter Hooimeijer5, and Michael Ernst6
3

1

Massachusetts Institute of Technology,
2
Harvard Medical School
3
IBM Research,

4
Stanford University,
5
University of Virginia,
6
University of Washington
, , ,
, ,

Abstract. Many automatic testing, analysis, and verification techniques for programs can effectively be reduced to a constraint-generation phase followed by a
constraint-solving phase. This separation of concerns often leads to more effective and maintainable software reliability tools. The increasing efficiency of offthe-shelf constraint solvers makes this approach even more compelling. However,
there are few effective and sufficiently expressive off-the-shelf solvers for string
constraints generated by analysis of string-manipulating programs, and hence researchers end up implementing their own ad-hoc solvers. Thus, there is a clear
need for an effective and expressive string-constraint solver that can be easily
integrated into a variety of applications.
To fulfill this need, we designed and implemented Hampi, an efficient and
easy-to-use string solver. Users of the Hampi string solver specify constraints using membership predicate over regular expressions, context-free grammars, and
equality/dis-equality between string terms. These terms are constructed out of
string constants, bounded string variables, and typical string operations such as
concatenation and substring extraction. Hampi takes such a constraint as input and
decides whether it is satisfiable or not. If an input constraint is satisfiable, Hampi
generates a satsfying assignment for the string variables that occur in it.
We demonstrate Hampi’s expressiveness and efficiency by applying it to program analysis and automated testing: We used Hampi in static and dynamic analyses for finding SQL injection vulnerabilities in Web applications with hundreds
of thousands of lines of code. We also used Hampi in the context of automated bug
finding in C programs using dynamic systematic testing (also known as concolic
testing). Hampi’s source code, documentation, and experimental data are available
at />
1 Introduction
Many automatic testing [4, 9], analysis [12], and verification [14] techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint solving phase. This separation of concerns often leads to more effective and
G. Gopalakrishnan and S. Qadeer (Eds.): CAV 2011, LNCS 6806, pp. 1–19, 2011.

c Springer-Verlag Berlin Heidelberg 2011


2

V. Ganesh et al.

maintainable tools. Such an approach to analyzing programs is becoming more effective as off-the-shelf constraint solvers for Boolean SAT [20] and other theories [5, 8]
continue to become more efficient. Most of these solvers are aimed at propositional
logic, linear arithmetic, theories of functions, arrays or bit-vectors [5].
Many programs (e.g., Web applications) take string values as input, manipulate them,
and then use them in sensitive operations such as database queries. Analyses of such
string-manipulating programs in techniques for automatic testing [6, 9, 2], verifying
correctness of program output [21], and finding security faults [25] produce string constraints, which are then solved by custom string solvers written by the authors of these
analyses. Writing a custom solver for every application is time-consuming and errorprone, and the lack of separation of concerns may lead to systems that are difficult to
maintain. Thus, there is a clear need for an effective and sufficiently expressive off-theshelf string-constraint solver that can be easily integrated into a variety of applications.
To fulfill this need, we designed and implemented Hampi1 , a solver for constraints
over bounded string variables. Hampi constraints express membership in bounded regular and context-free languages, substring relation, and equalities/dis-equalities over
string terms.
String terms in the Hampi language are constructed out of string constants, bounded
string variables, concatenation, and sub-string extraction operations. Regular expressions and context-free grammar terms are constructed out of standard regular expression operations and grammar productions, respectively. Atomic formulas in the Hampi
language are equality over string terms, the membership predicate for regular expressions and context-free grammars, and the substring predicate that takes two string terms
and asserts that one is a substring of the other. Given a set of constraints, Hampi outputs
a string that satisfies all the constraints, or reports that the constraints are unsatisfiable.
Hampi is designed to be used as a component in testing, analysis, and verification
applications. Hampi can also be used to solve the intersection, containment, and equivalence problems for bounded regular and context-free languages.
A key feature of Hampi is bounding of regular and context-free languages. Bounding makes Hampi different from custom string-constraint solvers commonly used in
testing and analysis tools [6]. As we demonstrate in our experiments, for many practical applications, bounding the input languages is not a handicap. In fact, it allows
for a more expressive input language that enables operations on context-free languages
that would be undecidable without bounding. Furthermore, bounding makes the satisfiability problem solved by Hampi more tractable. This difference is analogous to that

between model-checking and bounded model-checking [1].
As one example application, Hampi’s input language can encode constraints on SQL
queries to find possible injection attacks, such as:
Find a string v of at most 12 characters, such that the SQL query “SELECT msg
FROM messages WHERE topicid=v” is a syntactically valid SQL statement,
and that the query contains the substring “OR 1=1”.

1

This paper is an extended version of the HAMPI paper accepted at the International Symposium on Software Testing and Analysis (ISSTA) 2009 conference. A journal version is under
submission.


HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection

3

Note that “OR 1=1” is a common tautology that can lead to SQL injection attacks.
Hampi either finds a string value that satisfies these constraints or answers that no satisfying value exists. For the above example, the string “1 OR 1=1” is a valid solution.
HAMPI Overview: Hampi takes four steps to solve input string constraints.
1. Normalize the input constraints to a core form, which consists of expressions of
the form v ∈ R or v R, where v is a bounded string variable, and R is a regular
expression.
2. Translate core form string constraints into a quantifier-free logic of bit-vectors. A
bit-vector is a bounded, ordered list of bits. The fragment of bit-vector logic that
Hampi uses allows standard Boolean operations, bit comparisons, and extracting
sub-vectors.
3. Invoke the STP bit-vector solver [8] on the bit-vector constraints.
4. If STP reports that the constraints are unsatisfiable, then Hampi reports the same.
Otherwise, STP will generate a satisfying assignment in its bit-vector language, so

Hampi decodes this to output an ASCII string solution.
Experimental Results Summary: We ran four experiments to evaluate Hampi. Our
results show that Hampi is efficient and that its input language can express string constraints that arise from real-world program analysis and automated testing tools.
1. SQL Injection Vulnerability Detection (static analysis): We used Hampi in a static
analysis tool [23] for identifying SQL injection vulnerabilities. We applied the analysis tool to 6 PHP Web applications (total lines of code: 339,750). Hampi solved all
constraints generated by the analysis, and solved 99.7% of those constraints in less
than 1 second per constraint. All solutions found by Hampi for these constraints
were less than 5 characters long. These experiments bolster our claim that bounding the string constraints is not a handicap.
2. SQL Injection Attack Generation (dynamic analysis): We used Hampi in Ardilla, a
dynamic analysis tool for creating SQL injection attacks [17]. We applied Ardilla
to 5 PHP Web applications (total lines of code: 14,941). Hampi successfully replaced a custom-made attack generator and constructed all 23 attacks on those applications that Ardilla originally constructed.
3. Input Generation for Systematic Testing: We used Hampi in Klee [3], a systematictesting tool for C programs. We applied Klee to 3 programs with structured input
formats (total executable lines of code: 4,100). We used Hampi to generate constraints that specify legal inputs to these programs. Hampi’s constraints eliminated
all illegal inputs, improved the line-coverage by up to 2× overall (and up to 5× in
parsing code), and discovered 3 new error-revealing inputs.
1.1 Paper Organization
We first introduce Hampi’s capabilities with an example (§2), then present Hampi’s input
format and solving algorithm (§3), and present experimental evaluation (§4). We briefly
touch upon related work in (§5).


4
1

V. Ganesh et al.
$my_topicid = $_GET[’topicid’];

2
3
4


$sqlstmt = "SELECT msg FROM messages WHERE topicid=’$my_topicid’";
$result = mysql_query($sqlstmt);

5
6
7
8
9

//display messages
while($row = mysql_fetch_assoc($result)){
echo "Message " . $row[’msg’];
}

Fig. 1. Fragment of a PHP program that displays messages stored in a MySQL database. This
program is vulnerable to an SQL injection attack. Section 2 discusses the vulnerability.
1
2

//string variable representing ’$my topicid’ from Figure 1
var v:6..12;
// size is between 6 and 12 characters

3
4
5
6
7
8

9
10

//simple SQL context-free grammar
cfg SqlSmall := "SELECT " (Letter)+ " FROM " (Letter)+ " WHERE " Cond;
cfg Cond
:= Val "=" Val | Cond " OR " Cond";
cfg Val
:= (Letter)+ | "’" (LetterOrDigit)* "’" | (Digit)+;
cfg LetterOrDigit := Letter | Digit;
cfg Letter := [’a’-’z’] ;
cfg Digit := [’0’-’9’] ;

11
12
13

//the SQL query $sqlstmt from line 3 of Figure 1
val q := concat("SELECT msg FROM messages WHERE topicid=’", v, "’");

14
15
16
17

//constraint conjuncts
assert q in SqlSmall;
assert q contains "OR ’1’=’1’";

Fig. 2. Hampi input that, when solved, produces an SQL injection attack vector for the vulnerability from Figure 1


2 Example: SQL Injection
SQL injections are a prevalent class of Web-application vulnerabilities. This section
illustrates how an automated tool [17, 25] could use Hampi to detect SQL injection
vulnerabilities and to produce attack inputs.
Figure 1 shows a fragment of a PHP program that implements a simple Web application: a message board that allows users to read and post messages stored in a MySQL
database. Users of the message board fill in an HTML form (not shown here) that communicates the inputs to the server via a specially formatted URL, e.g., http://www.
mysite.com/?topicid=1. Input parameters passed inside the URL are available in the
$ GET associative array. In the above example URL, the input has one key-value pair:
topicid=1. The program fragment in Figure 1 retrieves and displays messages for the
given topic.
This program is vulnerable to an SQL injection attack. An attacker can read all messages in the database (including ones intended to be private) by crafting a malicious
URL like:
OR ’1’=’1

Upon being invoked with that URL, the program reads the string
1’ OR ’1’=’1


HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection

5

as the value of the $my topicid variable, constructs an SQL query by concatenating it
to a constant string, and submits the following query to the database in line 4:
SELECT msg FROM messages WHERE topicid=’1’ OR ’1’=’1’

The WHERE condition is always true because it contains the tautology ’1’=’1’. Thus,
the query retrieves all messages, possibly leaking private information.
A programmer or an automated tool might ask, “Can an attacker exploit the topicid

parameter and introduce a OR ’1’=’1’ tautology into a syntactically-correct SQL query
at line 4 in the code of Figure 1?” The Hampi solver answers such questions and creates
strings that can be used as exploits.
The Hampi constraints in Figure 2 formalize the question in our example. Automated
vulnerability-scanning tools [17, 25] can create Hampi constraints via either static or
dynamic program analysis (we demonstrate both static and dynamic techniques in our
evaluation in Sections 4.1 and 4.2, respectively). Specifically, a tool could create the
Hampi input shown in Figure 2 by analyzing the code of Figure 1.
We now discuss various features of the Hampi input language that Figure 2 illustrates.
(Section 3.1 describes the input language in more detail.)
– Keyword var (line 2) introduces a string variable v. The variable has a size in the
range of 6 to 12 characters. The goal of the Hampi solver is to find a string that,
when assigned to the string variable, satisfies all the constraints. In this example,
Hampi will search for solutions of sizes between 6 and 12.
– Keyword cfg (lines 5–10) introduces a context-free grammar, for a fragment of the
SQL grammar of SELECT statements.
– Keyword val (line 13) introduces a temporary variable q, declared as a concatenation of constant strings and the string variable v. This variable represents an SQL
query corresponding to the PHP $sqlstmt variable from line 3 in Figure 1.
– Keyword assert defines a constraint. The top-level Hampi constraint is a conjunction of assert statements. Line 16 specifies that the query string q must be a member of the context-free language SqlSmall (syntactically-correct SQL). Line 17
specifies that the variable v must contain a specific substring (e.g., the OR ’1’=’1’
tautology that can lead to an SQL injection attack).
Hampi can solve the constraints specified in Figure 2 and find a value for v such as
1’ OR ’1’=’1

which is a value for $ GET[’topicid’] that can lead to an SQL injection attack.

3 The Hampi String Constraint Solver
Hampi finds a string that satisfies constraints specified in the input, or decides that no
satisfying string exists. Hampi works in four steps, as illustrated in Figure 3:
1.

2.
3.
4.

Normalize the input constraints to a core form (§3.2).
Encode core form constraints in bit-vector logic (§3.3).
Invoke the STP solver [8] on the bit-vector constraints (§3.3).
Decode the results obtained from STP (§3.3).

Users can invoke Hampi with a text-based command-line front-end (using the input
grammar in Figure 4) or with a Java API to directly construct the Hampi constraints.


6

V. Ganesh et al.

String Constraints

HAMPI
Normalizer
Core String Constraints
Encoder
Bit−vector Constraints
STP Solver
Bit−vector
Solution
Decoder
String Solution


No Solution Exists

Fig. 3. Schematic view of the Hampi string constraint solver. Input enters at the top, and output
exits at the bottom. Section 3 describes the Hampi solver.

3.1 Hampi Input Language for String Constraints
We now discuss the salient features of Hampi’s input language (Figure 4) and illustrate
them on examples. The language is expressive enough to encode string constraints generated by typical program analysis, testing, and security applications. Hampi’s language
supports declaration of bounded string variables and constants, concatenation and extraction operation over string terms, equality over string terms, regular-language operations, membership predicate, and declaration of context-free and regular languages,
temporaries and constraints.
Declaration of String Variable (var keyword). A Hampi input must declare a single
string variable and specify its size range as lower and upper bounds on the number
of characters. If the input constraints are satisfiable, then Hampi finds a value for the
variable that satisfies all constraints. For example, the following line declares a string
variable named v with a size between 5 and 20 characters:
var v:5..20;

Extraction Operation. Hampi supports extraction of substrings from string terms (as
shown in Figure 4). An example of extraction operation is as follows:
var longv:20;
val v1 := longv[0:9];

where 0 is the offset (or starting character of the extraction operation), and 9 is the
length of the resultant string, in terms of the number of characters of longv.


HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection

7


Input

Var Stmt∗

Hampi input (with a single string variable)

Var

var Id : Int..Int

string variable (length lower..upper bound)

Stmt

Cfg | Reg | Val | Assert

statement

Cfg
CfgProdRHS

cfg Id := CfgProdRHS
CFG declaration in EBNF

context-free language
Extended Backus-Naur Form (EBNF)

Reg
RegElem
|

|
|
|
|

reg Id := RegElem
StrConst
Id
fixsize( Id , Int)
or( RegElem ∗ )
concat( RegElem ∗ )
star( RegElem )

regular-language
string constant
variable reference
CFG fixed-sizing
union
concatenation
Kleene star
temporary variable

|
|
|

val Id :=ValElem
Id
StrConst
concat( ValElem ∗ )

ValElem[offset : length]

concatenation
extraction(ValElem, offset, length)

|
|
|

assert Id [not]? in Reg
assert Id [not]? in Cfg
assert Id [not]? contains StrConst
assert Id [not]? = Id

regular-language membership
context-free language membership
substring
word equation (equality/dis-equality)

Val
ValElem

Assert

Id
StrConst
Int

String identifier
“String literal constant”

Non-negative integer

Fig. 4. Summary of Hampi’s input language. Terminals are bold-faced, nonterminals are italicized. A Hampi input (Input) is a variable declaration, followed by a list of these statements:
context-free-grammar declarations, regular-language declarations, temporary variables, and assertions.

Declaration of Multiple Variables. The user can simulate having multiple variables by
declaring a single long string variable and using the extract operation: Disjoint extractions of the single long variable can act as multiple variables. For example, to declare
two string variables of length 10 named v1 and v2, use:
var longv:20;
val v1 := longv[0:9];
val v2 := longv[10:9];

The val keyword declares a temporary (derived) variable and will be described later in
this section.
Declarations of Context-free Languages (cfg keyword). Hampi input can declare
context-free languages using grammars in the standard notation: Extended Backus-Naur
Form (EBNF). Terminals are enclosed in double quotes (e.g., "SELECT"), and productions are separated by the vertical bar symbol (|). Grammars may contain special symbols for repetition (+ and *) and character ranges (e.g., [a-z]). For example, lines 5–10
in Figure 2 show the declaration of a context-free grammar for a subset of SQL.


8

V. Ganesh et al.

Hampi’s format for context-free grammars is as expressive as that of widely-used
tools such as Yacc/Lex; in fact, we have written a simple syntax-driven script that transforms a Yacc specification to Hampi format (available on the Hampi website). Hampi can
only solve constraints over bounded context-free grammars. However, the user does not
have to manually specify bounds, since Hampi automatically derives a bound by analyzing the bound on the input string variable and the longest possible string that can be
constructed out of concatenation and extraction operations.
Declarations of Regular Languages (reg keyword). Hampi input can declare regular

languages using the following regular expressions: (i) a singleton set with a string constant, (ii) a concatenation/union of regular languages, (iii) a repetition (Kleene star) of
a regular language, (iv) bounding of a context-free language, which Hampi does automatically. Every regular language can be expressed using the first three of those operations [22].
For example, (b*ab*ab*)* is a regular expression that describes the language of
strings over the alphabet {a,b}, with an even number of a symbols. In Hampi syntax
this is:
reg Bstar := star("b");
// ’helper’ expression
reg EvenA := star(concat(Bstar, "a", Bstar, "a", Bstar));

The Hampi website contains a script to convert Perl Compatible Regular Expressions
(PCRE) into Hampi syntax. Also note that context-free grammars in Hampi are implicitly
bounded, and hence are regular expressions.
Temporary Declarations (val keyword). Temporary variables are shortcuts for expressing constraints on expressions that are concatenations of the string variable and
constants or extractions. For example, line 13 in Figure 2 declares a temporary variable
named q by concatenating two constant strings to the variable v:
val q := concat("SELECT msg FROM messages WHERE topicid=’", v, "’");

Constraints (assert keyword). Hampi constraints specify membership of variables
in regular and context-free languages, substrings, and word equations. Hampi solves for
the conjunction of all constraints listed in the input.
– Membership Predicate (in): Assert that a variable is in a context-free or regular
language. For example, line 16 in Figure 2 declares that the string value of the
temporary variable q is in the context-free language SqlSmall:
assert q in SqlSmall;

– Substring Relation (contains): Assert that a variable contains the given string
constant. For example, line 17 in Figure 2 declares that the string value of the
temporary variable q contains an SQL tautology:
assert q contains "OR ’1’=’1’";


– String Equalities (=): Asserts that two string terms are equal (also known as word
equations). In Hampi, both sides of the equality must ultimately originate from the
same single string variable. For example, the extract operator can assert that two
portions of a string must be equal:


HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection

S
|
Constraint
|
Constraint
|
StrExp
|
|
|
RegExp
|
|
|

Constraint
S ∧ Constraint
StrExp ∈ RegExp
StrExp
RegExp
StrExp = StrExp
StrExp

StrExp
Var
StrConst
StrExp StrExp
StrExp[offset : length]
StrConst
RegExp + RegExp
RegExp RegExp
RegExp

9

conjunction
membership
non-membership
equality
dis-equality
input variable
string constant
concatenation
extraction
constant
union
concatenation
star

Fig. 5. The grammar of core form string constraints. Var, StrConst, and Int are defined in Figure 4.
var v:20;
val v1 := v[0:9];
val v2 := v[10:9];

assert v1 = 2v;

All of these constraints may be negated by preceding them with a not keyword.
3.2 Core Form of String Constraints
After parsing and checking the input, Hampi normalizes the string constraints to a core
form. The core form (grammar shown in Figure 5) is an internal intermediate representation that is easier than raw Hampi input to encode in bit-vector logic. A core
form string constraint specifies membership (or its negation) in a regular language:
StrExp ∈ RegExp or StrExp RegExp, where StrExp is an expression composed of concatenations of string constants, extractions, and occurrences of the (sole) string variable,
and RegExp is a regular expression.
Hampi normalizes its input into core form in 3 steps:
1. Expand all temporary variables, i.e., replace each reference to a temporary variable
with the variable’s definition (Hampi forbids recursive definitions of temporaries).
2. Calculate maximum size and bound all context-free grammar expressions into regular expressions (see below for the algorithm).
3. Expand all regular-language declarations, i.e., replace each reference to a regularlanguage variable with the variable’s definition.
Bounding of Context-free Grammars: Hampi uses the following algorithm to create
regular expressions that specify the set of strings of a fixed length that are derivable
from a context-free grammar:
1. Expand all special symbols in the grammar (e.g., repetition, option, character range).
2. Remove productions [22].