A Solver for a Theory of String and Bit-vectors.

We present the Z3strBV solver for a many-sorted first-order quantifier-free theory Tw,bv of string equations, string length represented as bit-vectors, and bit-vector arithmetic aimed at formal verification, automated testing, and security analysis of C/C++ applications. Our key motivation for building such a solver is the observation that existing string solvers are not efficient at modeling the combined theory over strings and bit-vectors. We demonstrate experimentally that Z3strBV is significantly more efficient than a reduction of string/bit-vector constraints to strings/natural numbers followed by a solver for strings/natural numbers or modeling strings as bit-vectors. We also propose two optimizations. First, we explore the concept of library-aware SMT solving, which fixes summaries in the SMT solver for string library functions such as strlen in C/C++. Z3strBV is able to consume these functions directly instead of re-analyzing the functions from scratch each time. Second, we experiment with a binary search heuristic that accelerates convergence on a consistent assignment of string lengths. We also show that Z3strBV is able to detect nontrivial overflows in realworld system-level code, as confirmed against seven security vulnerabilities from the CVE and Mozilla databases. [ABSTRACT FROM AUTHOR]