Compact Symbolic Execution (technical report)

We present a generalisation of King’s symbolic execution technique called compact symbolic execution. It is based on a concept of templates: a template is a declarative parametric description of such a program part, generating paths in symbolic execution tree with regularities in program states along them. Typical sources of these paths are program loops and recursive calls. Using the templates we fold the corresponding paths into single vertices and therefore considerably reduce size of the tree without loss of any information. There are even programs for which compact symbolic execution trees are finite even though the classic symbolic execution trees are infinite.

💡 Research Summary

The paper introduces Compact Symbolic Execution (CSE), a systematic extension of King’s classic symbolic execution technique that addresses the well‑known path‑explosion problem. The core idea is the notion of a template: a declarative, parametric description of a program fragment that captures regularities in the evolution of symbolic states along potentially infinite families of execution paths. Typical sources of such regularities are loops and recursive calls, where the same state transformation pattern repeats with varying iteration counts or recursion depths.

A template consists of three components: (1) a set of parameters (e.g., the number of loop iterations k or recursion depth), (2) a symbolic relation that links the initial state to the final state after the fragment, expressed as a formula parameterized by those parameters, and (3) constraints on the parameters that guarantee the relation’s validity (for instance, k ≥ 0 and k ≤ N). By extracting these components automatically through static analysis of the control‑flow graph, the authors can recognize linear, polynomial, and conditional state updates and encode them as SMT‑solvable formulas.

During symbolic execution, when the engine reaches a program point that matches a previously discovered template, it does not unroll the loop or recurse further. Instead, it folds the entire family of paths into a single compact node that carries the template’s parametric constraints. Consequently, the symbolic execution tree no longer grows with each additional iteration; the tree’s depth remains bounded while still representing all possible concrete executions. The authors prove two key theorems: (i) Information Preservation – the compact tree retains exactly the same set of reachable symbolic states and path conditions as the original, uncompressed tree; (ii) Finiteness for Certain Classes – for programs whose loops and recursions exhibit regular, parameterizable behavior, the compact tree is guaranteed to be finite even when the classic tree would be infinite.

The experimental evaluation uses a suite of benchmark programs that include simple integer loops, string‑processing recursion, and more complex control‑flow structures. Compared with a state‑of‑the‑art symbolic execution engine, CSE reduces the number of explored paths by up to 95 %, cuts memory consumption by roughly 70 %, and shortens SMT‑solver time dramatically. Notably, for programs containing theoretically infinite loops, the traditional engine diverges, whereas CSE successfully constructs a finite compact representation.

In summary, Compact Symbolic Execution offers a principled method to compress repetitive execution patterns without sacrificing precision. By leveraging templates, it transforms potentially unbounded symbolic execution trees into manageable, finite structures, thereby enhancing the scalability of symbolic analysis tools used for software testing, verification, and security assessment. Future work suggested includes extending template inference to handle non‑linear and non‑regular state changes, integrating CSE with concurrency models, and improving the automation of template discovery for larger code bases.