
In which circumstances can one not use symbolic execution for assertion checking? To illustrate, take the following example:

int a = A, b = B, c = C; // A, B, C are symbolic inputs

int x = 0, y = 0, z = 0;
if (a) {
  x = -2;
}
if (b < 5) {
  if (!a && c) { y = 1; }
  z = 2;
}
assert(x + y + z != 3);

Here, we can employ symbolic execution and find out that ¬A ∧ (B < 5) ∧ C violates our assertion. Now, suppose we change the first condition as follows:

if (a) {
  x = x - 10;
  b = b + 5 * a;
}

With this change, we don't know the new values of x and b. So, can we still use symbolic execution for assertion checking?

In general, are there any circumstances in which we cannot use symbolic execution, i.e., situations where we have to analyze all possible runs of a program?

Elahe
  • In general, you can use symbolic execution in all of these contexts. The problem isn't really about whether you can use symbolic execution to reason about such programs, but rather if it is effective. When you have so many merge points (i.e., conditionals where the test expression itself is symbolic), you end up with the usual combinatorial explosion and your SAT/SMT solver will struggle to handle all the combinations. In such cases people usually use DART (directed automated random testing) in combination with symbolic execution to tame the state space explosion problem. – alias Feb 26 '21 at 18:09
  • Can you give me an example of the situation you just explained, in which symbolic execution is not effective? I mean a piece of pseudocode, for example, with merge points (conditionals) where the test expression itself is symbolic. – Elahe Mar 01 '21 at 15:16
  • Wikipedia has a concise article with pointers to further reading: https://en.wikipedia.org/wiki/Symbolic_execution Essentially, any "unbounded" loop will give you an issue. Unbounded here means the loop counter/conditional is not concrete, i.e., depends on some symbolic input. – alias Mar 01 '21 at 17:22
  • Thank you. So I think the limitation is what I kind of explained in the question: when the condition depends on the value of `b` and the value of `b` is not known in advance. – Elahe Mar 02 '21 at 10:18
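As an added example (not from the question or its comments), here is a minimal symbolic executor in Python that runs both versions of the program above. Symbolic inputs are expression trees, every `if` forks on its condition and records it in the path condition, and each assertion is checked by asking whether "path condition AND NOT assertion" is satisfiable; a model of that query is a concrete input that fails the assertion. A bounded brute-force enumeration over small integers stands in for the SMT solver (an assumption made so the example runs offline; a real engine hands the constraints to Z3 or similar). The names `explore`, `run_path`, `solve`, `program` and `program_modified` are mine.

```python
import itertools

# Symbolic values: every operator builds an expression tree instead of computing.
class Expr:
    def __add__(self, o): return Op('+', self, lift(o))
    def __sub__(self, o): return Op('-', self, lift(o))
    def __rmul__(self, o): return Op('*', lift(o), self)
    def __lt__(self, o):  return Op('<', self, lift(o))
    def __ne__(self, o):  return Op('!=', self, lift(o))
class Sym(Expr):
    def __init__(self, name): self.name = name
    def __repr__(self): return self.name
class Const(Expr):
    def __init__(self, value): self.value = value
    def __repr__(self): return str(self.value)
class Op(Expr):
    def __init__(self, op, left, right=None): self.op, self.left, self.right = op, left, right
    def __repr__(self): return f"({self.op} {self.left})" if self.right is None else f"({self.left} {self.op} {self.right})"

def lift(v):   return v if isinstance(v, Expr) else Const(v)
def Not(e):    return Op('not', lift(e))
def And(l, r): return Op('and', lift(l), lift(r))

def ev(e, env):
    """Evaluate a tree under concrete inputs (booleans are 0/1, as in C)."""
    if isinstance(e, Const): return e.value
    if isinstance(e, Sym):   return env[e.name]
    l = ev(e.left, env)
    if e.op == 'not': return int(l == 0)
    r = ev(e.right, env)
    return {'+': l + r, '-': l - r, '*': l * r, '<': int(l < r),
            '!=': int(l != r), 'and': int(l != 0 and r != 0)}[e.op]

# "Solver": bounded enumeration over small ints stands in for an SMT solver
# (an assumption made to keep the example offline; a real engine calls Z3 etc.).
DOMAIN = range(-8, 9)

def solve(constraints, names):
    """Return a model {name: int} satisfying every constraint, or None if unsat."""
    for values in itertools.product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, values))
        if all(ev(c, env) != 0 for c in constraints):
            return env
    return None

def run_path(program, names, prefix):
    """Run `program` once, forcing the first len(prefix) branch outcomes;
    later branches take whichever side the solver says is feasible."""
    pc, conds, violations = [], [], []
    def branch(cond):
        i = len(conds)
        taken = prefix[i] if i < len(prefix) else solve(pc + [cond], names) is not None
        conds.append((cond, taken))
        pc.append(cond if taken else Not(cond))      # extend the path condition
        return taken
    def check(cond):   # assertion: is (path condition AND NOT cond) satisfiable?
        model = solve(pc + [Not(cond)], names)
        if model is not None:
            violations.append((list(pc), model))
    program({n: Sym(n) for n in names}, branch, check)
    return conds, violations

def explore(program, names):
    """Generational search: fork at every symbolic branch until no unexplored
    feasible path prefix is left. Returns (paths taken, assertion violations)."""
    paths, violations, work = [], [], [()]
    while work:
        prefix = work.pop()
        conds, viol = run_path(program, names, prefix)
        paths.append([t for _, t in conds])
        violations.extend(viol)
        pc = []
        for i, (cond, t) in enumerate(conds):
            flipped = pc + [Not(cond) if t else cond]
            if i >= len(prefix) and solve(flipped, names) is not None:
                work.append(tuple(paths[-1][:i]) + (not t,))
            pc.append(cond if t else Not(cond))
    return paths, violations

def program(v, branch, check, modified=False):
    """The question's program; modified=True applies the changed first branch."""
    a, b, c = v['a'], v['b'], v['c']
    x, y, z = Const(0), Const(0), Const(0)
    if branch(a):
        if modified:
            x = x - 10          # stays a symbolic term: no concrete value needed
            b = b + 5 * a
        else:
            x = Const(-2)
    if branch(b < 5):
        if branch(And(Not(a), c)):
            y = Const(1)
        z = Const(2)
    check(x + y + z != 3)

def program_modified(v, branch, check):
    return program(v, branch, check, modified=True)

if __name__ == '__main__':
    for prog in (program, program_modified):
        paths, viol = explore(prog, ['a', 'b', 'c'])
        print(prog.__name__, len(paths), 'feasible paths,', len(viol), 'violation(s)')
        for pc, model in viol:
            print('   assertion fails under', pc, 'e.g.', model)
```

Both versions yield five feasible paths and one violating path, and the path condition of that violation is ¬a ∧ (b < 5) ∧ (¬a ∧ c) in both cases: the executor never needs a concrete value for `x - 10` or `b + 5*a`, it just carries the terms along and lets the solver decide whether each branch is feasible. The cost is visible in `explore`: every branch whose condition is symbolic forks the search, so the number of paths grows with the number of such branches, and a loop whose exit condition depends on symbolic input would keep forking indefinitely unless a depth bound is added (this example has none).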
