Backward Symbolic Execution with Loop Folding

Artifact for the paper Backward Symbolic Execution with Loop Folding that was accepted for Static Analysis Symposium (SAS) 2021. The artifact contains the whole infrastructure that we used for experiments. Scripts are automated and generate a PDF report.

Abstract of the paper:

Symbolic execution is an established program analysis technique that aims to search all possible execution paths starting in the initial program location. Due to the so-called path explosion problem, symbolic execution is usually unable to analyze all execution paths and thus it is not convenient for program verification as a standalone method. This paper focuses on backward symbolic execution (BSE), which searches program paths backward from the error location whose reachability should be proven or refuted. We show that this technique is equivalent to performing k-induction on control-flow paths. While standard BSE simply unwinds all program loops, we present an extension called loop folding that aims to derive loop invariants during BSE that are sufficient to prove the unreachability of the error location. The resulting technique called backward symbolic execution with loop folding (BSELF) can infer disjunctive loop invariants that are hard to derive for current techniques. Indeed, our experiments show that BESLF can verify some standard benchmarks that cannot be verified by state-of-the-art tools.