Dynamic Symbolic Execution
- Dynamic Symbolic Execution is a program analysis technique that uses both concrete and symbolic execution to systematically explore multiple program paths.
- It employs constraint solving, typically via SMT solvers, to invert conditions and generate new inputs for paths not yet executed.
- The method faces challenges from exponential path growth due to conditionals, loops, and system interactions, driving ongoing research in scalability.
Dynamic Symbolic Execution (DSE) is a highly expressive program analysis methodology that systematically explores program paths by executing programs with symbolic representations of input data. DSE alternates between concrete and symbolic execution, leveraging constraint solving to generate new program inputs that direct execution along previously unexplored paths. Its versatility makes it central to automated test generation, bug finding, security vulnerability analysis, semantic differencing, and more. DSE has become the core analysis in numerous academic and industrial verification engines, but remains challenged by the exponential growth of explored paths due to conditionals, loops, pointers, and system interactions.
1. Formal Foundations and Execution Model
DSE treats a program as a transition system, with states parameterized by a symbolic store, a concrete store, and a path predicate. At each step, DSE concurrently:
- Executes the program on concrete inputs (tracking the real machine state).
- Symbolically interprets operations on symbolic variables, producing symbolic expressions and accumulating path constraints.
- At conditional branches, records the condition as a symbolic formula and selectively invokes a constraint solver (typically an SMT solver) to determine reachability and generate new inputs that invert the encountered branch, thereby directing exploration down an alternative path.
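The execution model above, as an added worked example rather than code from the page or from any particular DSE engine: a small concolic executor in Python that runs an ordinary function on concrete integers while building a symbolic expression alongside each value, records every branch condition into the path predicate, and then negates individual constraints to obtain inputs for the untaken side of each branch. The SMT solver is replaced by a stand-in that enumerates candidate assignments seeded from the constants occurring in the constraints; that enumeration, the toy program, and all names (SymInt, PathCondition, solve, run_concolic) are assumptions of this example, not anything the page describes.

```python
"""Minimal dynamic symbolic (concolic) executor (added example)."""
import itertools
from typing import Dict, List, Optional

Expr = tuple  # ('var', name) | ('const', n) | ('not', e) | (op, lhs, rhs)


class PathCondition:
    """Accumulates the branch constraints taken on the current concrete run."""
    def __init__(self) -> None:
        self.constraints: List[Expr] = []


class SymInt:
    """An integer carrying both its concrete value and its symbolic expression."""
    def __init__(self, concrete: int, expr: Expr, pc: PathCondition) -> None:
        self.concrete, self.expr, self.pc = concrete, expr, pc

    def _lift(self, other):
        return other if isinstance(other, SymInt) else SymInt(other, ('const', other), self.pc)

    def _arith(self, op, other, fn):
        o = self._lift(other)
        return SymInt(fn(self.concrete, o.concrete), (op, self.expr, o.expr), self.pc)

    def __add__(self, o): return self._arith('+', o, lambda a, b: a + b)
    def __radd__(self, o): return self._lift(o).__add__(self)
    def __sub__(self, o): return self._arith('-', o, lambda a, b: a - b)
    def __mul__(self, o): return self._arith('*', o, lambda a, b: a * b)
    def __rmul__(self, o): return self._lift(o).__mul__(self)

    def _cmp(self, op, other, fn):
        # Evaluate concretely, but record the symbolic condition (negated if the
        # branch was not taken) so the path predicate describes this exact run.
        o = self._lift(other)
        taken = fn(self.concrete, o.concrete)
        cond = (op, self.expr, o.expr)
        self.pc.constraints.append(cond if taken else ('not', cond))
        return taken

    def __eq__(self, o): return self._cmp('==', o, lambda a, b: a == b)
    def __lt__(self, o): return self._cmp('<', o, lambda a, b: a < b)
    def __gt__(self, o): return self._cmp('>', o, lambda a, b: a > b)


def evaluate(e: Expr, env: Dict[str, int]):
    """Interpret a symbolic expression under a concrete assignment."""
    kind = e[0]
    if kind == 'var':
        return env[e[1]]
    if kind == 'const':
        return e[1]
    if kind == 'not':
        return not evaluate(e[1], env)
    a, b = evaluate(e[1], env), evaluate(e[2], env)
    return {'+': a + b, '-': a - b, '*': a * b, '==': a == b, '<': a < b, '>': a > b}[kind]


def _constants(e: Expr, acc: set) -> None:
    if e[0] == 'const':
        acc.add(e[1])
    elif e[0] == 'not':
        _constants(e[1], acc)
    elif e[0] != 'var':
        _constants(e[1], acc)
        _constants(e[2], acc)


def negate(c: Expr) -> Expr:
    return c[1] if c[0] == 'not' else ('not', c)


def solve(constraints: List[Expr], names: List[str]) -> Optional[Dict[str, int]]:
    """Stand-in for an SMT solver (assumption): try assignments drawn from the
    constants of the constraints and their neighbours, return the first model."""
    seeds = {0, 1}
    for c in constraints:
        _constants(c, seeds)
    domain = sorted(seeds | {s - 1 for s in seeds} | {s + 1 for s in seeds})
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(evaluate(c, env) for c in constraints):
            return env
    return None


def run_concolic(program, names: List[str], initial: Dict[str, int], max_runs: int = 20):
    """Explore paths: run concretely, then for each recorded branch keep the
    prefix of the path predicate, flip that branch, and solve for new inputs."""
    worklist, seen_paths, results = [initial], set(), []
    while worklist and len(results) < max_runs:
        env = worklist.pop(0)
        pc = PathCondition()
        out = program(*[SymInt(env[n], ('var', n), pc) for n in names])
        path = tuple(pc.constraints)
        if path in seen_paths:
            continue  # this input re-drove an already explored path
        seen_paths.add(path)
        results.append((dict(env), out))
        for i in range(len(path)):
            new_env = solve(list(path[:i]) + [negate(path[i])], names)
            if new_env is not None:
                worklist.append(new_env)
    return results


def program(x, y):
    """Constructed target: the 'bug' branch needs x == 100000 and 2*y > x,
    a combination random testing is unlikely to hit but the solver finds."""
    z = 2 * y
    if x == 100000:
        if x < z:
            return "bug"
        return "inner-else"
    return "outer-else"


if __name__ == "__main__":
    for inputs, outcome in run_concolic(program, ['x', 'y'], {'x': 0, 'y': 0}):
        print(inputs, "->", outcome)
```

Starting from the arbitrary input x=0, y=0, the first run takes only the outer else branch; negating that single constraint yields x=100000, the second run records the inner constraint, and negating it yields a value of y that reaches the "bug" return. The path-predicate deduplication is what keeps the search from re-exploring paths that several flipped constraints happen to lead back to; in a real engine the same role is played by path coverage bookkeeping and search heuristics, since the number of paths grows exponentially with branches and loop iterations.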
Given a sequence of symbolic constraints collected along a particular execution, DSE attempts