String analysis computes the string values to which a variable may be assigned. String analysis may be used to identify potentially malicious input that can result in a security vulnerability. For example, string analysis may be used to identify hypertext markup language (HTML) content, JavaScript content, or structured query language (SQL) queries generated by a program. String analysis may also be useful in reducing false positive reports due to the failure to consider sanitization of string values. The use of sanitizers (or input validation policies in general) may render a potentially malicious string safe to use. Conventional string analysis techniques model strings as regular expressions, which, if computed precisely, are not computed efficiently.