- Software Testing and Debugging Techniques
- Software Engineering Research
- Advanced Malware Detection Techniques
- Formal Methods in Verification
- Parallel Computing and Optimization Techniques
- Software System Performance and Reliability
- Software Reliability and Analysis Research
- Software Engineering Techniques and Practices
Tel Aviv University
2018-2023
Symbolic execution is a powerful program analysis technique that systematically explores multiple paths. However, despite important technical advances, symbolic execution often struggles to reach deep parts of the code due to the well-known path explosion problem and to constraint solving limitations.
Symbolic execution (SE) is a widely used program analysis technique. Existing SE engines model the memory space by associating objects with concrete addresses, where the representation of each allocated object is determined during its allocation. We present a novel addressing model in which the underlying representation of an object can be dynamically modified even after allocation, using symbolic addresses rather than concrete ones. We demonstrate the benefits of our approach in two application scenarios: dynamic inter- and intra-object partitioning. In the former, we show...
Symbolic execution is a powerful program analysis technique which allows executing programs with symbolic inputs. Modern tools use concrete modeling of object sizes, which does not allow symbolic-size allocations. This leads to concretizations and forces the user to set the size of the input ahead of time, thus potentially leading to loss of coverage during the analysis. We present a bounded model in which an allocation can have a range of sizes limited by a user-specified bound. Unfortunately, this amplifies the problem of path explosion, due...
We propose a novel fine-grained integration of pointer analysis with dynamic analysis, including symbolic execution. This is achieved via past-sensitive pointer analysis, an on-demand instantiated abstraction of the state on which it is invoked. We evaluate our technique in three application scenarios: chopped symbolic execution, pointer resolution, and write integrity testing. Our preliminary results show that our approach can have a significant impact in these scenarios, by effectively improving the precision of standard pointer analysis with only a modest performance overhead.
We address the problem of constraint encoding explosion, which hinders the applicability of state merging in symbolic execution. Specifically, our goal is to reduce the number of disjunctions and if-then-else expressions introduced during merging. The main idea is to dynamically partition states into groups according to a similar uniform structure detected in their path constraints, which allows the merged memory to be encoded efficiently using quantifiers. To cope with the added complexity of solving quantified constraints, we propose a specialized procedure that...
Symbolic execution (SE) is a popular program analysis technique. SE heavily relies on satisfiability queries during path exploration, often resulting in the majority of the time being spent solving these queries. Hence, it is not surprising that one of the most vital optimizations SE engines use is query caching. To increase the cache hit rate, queries are transformed into a normal form, which is used as the key for updating the cache. An obstacle to caching queries involving pointers is the presence of numerical address values, assigned by the engine...
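The caching obstacle named in the abstract above, worked through as an added toy example (this is illustration code, not the paper's implementation): the concrete addresses the engine assigned on one path are rewritten to offsets relative to the smallest address in the query before the query becomes a cache key, so structurally identical queries raised on different paths hit the same entry. The tuple-based constraint language, the Sym/Addr wrappers, the brute-force stand-in for the solver and the pointer-versus-integer typing rule that decides when the rewrite is sound are all constructed assumptions for this example.

```python
"""
Toy address-aware query cache for a symbolic-execution engine.  Constructed
illustration, not code from the paper.  Constraints are nested tuples
("op", arg, ...) over Sym (a symbolic input), Addr (a concrete address the
engine assigned at allocation on one path) and plain ints.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Sym:
    name: str


@dataclass(frozen=True)
class Addr:
    value: int  # concrete base address chosen by the engine for one path


Expr = Union[Sym, Addr, int, tuple]


def evaluate(expr: Expr, env: Dict[str, int]):
    """Evaluate a constraint under an assignment of the symbolic inputs."""
    if isinstance(expr, Sym):
        return env[expr.name]
    if isinstance(expr, Addr):
        return expr.value
    if isinstance(expr, int):
        return expr
    op, *args = expr
    vals = [evaluate(a, env) for a in args]
    if op == "not":
        return not vals[0]
    if op == "+":
        return vals[0] + vals[1]
    if op == "==":
        return vals[0] == vals[1]
    if op == "<":
        return vals[0] < vals[1]
    raise ValueError(f"unknown op {op}")


def kind(expr: Expr) -> str:
    """Classify a term as 'ptr', 'int' or 'bool'.  Shifting every address by
    one delta preserves satisfiability only while pointers are compared with
    pointers and integers with integers (assumed typing rule); anything else
    raises TypeError and the query keeps its exact, unnormalised key."""
    if isinstance(expr, Addr):
        return "ptr"
    if isinstance(expr, (Sym, int)):
        return "int"
    op, *args = expr
    kinds = [kind(a) for a in args]
    if op == "not":
        return "bool"
    if op == "+":
        if kinds.count("ptr") == 2:
            raise TypeError("pointer + pointer is not shift-invariant")
        return "ptr" if "ptr" in kinds else "int"
    if kinds[0] != kinds[1]:
        raise TypeError("pointer compared with plain integer")
    return "bool"


def normalize(constraints: Tuple[Expr, ...]) -> Optional[tuple]:
    """Rewrite each Addr as an offset from the smallest address in the query,
    so paths that built the same constraints over differently placed objects
    share one key.  Returns None when the rewrite would be unsound."""
    addrs: List[int] = []

    def collect(e: Expr) -> None:
        if isinstance(e, Addr):
            addrs.append(e.value)
        elif isinstance(e, tuple):
            for sub in e[1:]:
                collect(sub)

    for c in constraints:
        try:
            kind(c)
        except TypeError:
            return None
        collect(c)
    if not addrs:
        return constraints
    base = min(addrs)

    def rebase(e: Expr):
        if isinstance(e, Addr):
            return ("addr", e.value - base)
        if isinstance(e, tuple):
            return (e[0],) + tuple(rebase(sub) for sub in e[1:])
        return e

    return tuple(rebase(c) for c in constraints)


class QueryCache:
    """Satisfiability cache keyed on the normalised query; solve() is a
    brute-force enumerator standing in for the SMT solver call."""

    def __init__(self, symbols: List[str], domain=range(16)):
        self.symbols, self.domain = symbols, domain
        self.store: Dict[tuple, bool] = {}
        self.hits = self.misses = 0

    def solve(self, constraints: Tuple[Expr, ...]) -> bool:
        for values in product(self.domain, repeat=len(self.symbols)):
            env = dict(zip(self.symbols, values))
            if all(evaluate(c, env) for c in constraints):
                return True
        return False

    def is_sat(self, constraints: Tuple[Expr, ...]) -> bool:
        key = normalize(constraints)
        if key is None:  # not shift-invariant: fall back to the exact query
            key = constraints
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.misses += 1
        result = self.solve(constraints)
        self.store[key] = result
        return result


def demo() -> Tuple[int, int, List[bool]]:
    """Two paths allocate the same 8-byte buffer at different addresses and ask
    whether index i can leave the buffer under the guard i < 4 (second query
    hits the cache); a third query compares a pointer with a plain integer and
    therefore cannot share a key."""
    i = Sym("i")
    cache = QueryCache(symbols=["i"])
    results: List[bool] = []
    for base in (0x1000, 0x2000):
        p = Addr(base)
        in_bounds = ("<", ("+", p, i), ("+", p, 8))
        results.append(cache.is_sat((("<", i, 4), ("not", in_bounds))))
    p = Addr(0x1000)
    results.append(cache.is_sat((("==", ("+", p, i), 0x1003),)))
    return cache.hits, cache.misses, results


if __name__ == "__main__":
    print(demo())  # (1, 2, [False, False, True])
```

The typing rule is the part worth attention: rebasing addresses is only a sound cache key while every comparison is pointer-against-pointer or integer-against-integer, which is why the third query in demo() is deliberately kept under its exact key rather than being forced into the normal form.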