Questions: Symbolic Execution (Advanced)

State merging is a classic technique in program analysis. Instead of exploring one path with constraint {x > 5} and another with constraint {x <= 5} independently, you merge them into a single state with constraint {(x > 5) OR (x <= 5)} — which simplifies to true (always satisfiable). This reduces the state space, but if the merged constraint is complex, the SMT solver may take longer to solve it. The optimal choice of when to merge is a research problem: merge too aggressively and the SMT solver bogs down; merge too conservatively and you re-explore redundant paths.

Directed symbolic execution brings goal-oriented search to program analysis. In security testing, you might direct execution toward potential vulnerabilities (null pointer dereferences, buffer overflows). In fuzzing, you direct it toward uncovered branches. The heuristics guide the search without guaranteeing the goal is reached, but they often dramatically reduce exploration time by avoiding irrelevant paths. This is the key to making symbolic execution practical on real code: instead of exploring all paths (infeasible), explore the most promising ones.

Function inlining is simple but scales poorly. If a function f calls g which calls h, and you inline all calls, you get a monolithic expression with all the branches of h and g. If f is called 100 times and each call inlines g, and g calls h, you've explored the path through h one hundred times redundantly. Interprocedural analysis uses function summaries: after exploring all paths through g once, you save a summary (the mapping from inputs to possible outputs), and reuse this summary on subsequent calls to g. This amortizes the exploration cost across all calls.

This is a paradigm shift in scope. Traditional symbolic execution asks: 'What paths can the program take given all possible inputs?' Whole-system symbolic execution asks: 'What paths can the program and OS take given all possible inputs AND all possible system call returns AND all possible scheduling interleavings?' The added complexity is substantial, but the bugs found are often in the boundary between application and OS — race conditions, resource exhaustion, or incorrect assumptions about OS behavior. Tools like S2E and TriforceAFL use this approach to test entire software stacks including hypervisors, kernels, and user applications.