Directed Symbolic Execution
Source: University of Maryland
In this paper, the authors study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. They propose two new directed symbolic execution strategies that aim to solve this problem: Shortest-Distance Symbolic Execution (SDSE) uses a distance metric in an inter-procedural control flow graph to guide symbolic execution toward a particular target; and Call-Chain-Backward Symbolic Execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program.
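The following sketch illustrates the shortest-distance idea behind SDSE. It is an added example, not code from the paper or its authors. It assumes a single-function CFG rather than an inter-procedural one, uses constructed node names and branch conditions, and replaces the constraint solver with a brute-force search over one input byte.

```python
import heapq
from collections import deque
from itertools import count

DOMAIN = range(256)  # brute-force stand-in for an SMT solver over one input byte

# Constructed toy CFG: node -> [(successor, branch condition on input x)]
CFG = {
    "entry": [("check", lambda x: x > 100), ("slow1", lambda x: x <= 100)],
    "check": [("target", lambda x: x < 50), ("exit", lambda x: x >= 50)],
    "slow1": [("slow2", lambda x: True)],
    "slow2": [("target", lambda x: x == 42), ("exit", lambda x: x != 42)],
    "target": [],
    "exit": [],
}

def distances_to(cfg, target):
    """Shortest edge count from every node to target (BFS on reversed edges)."""
    preds = {n: [] for n in cfg}
    for src, edges in cfg.items():
        for dst, _ in edges:
            preds[dst].append(src)
    dist, queue = {target: 0}, deque([target])
    while queue:
        node = queue.popleft()
        for p in preds[node]:
            if p not in dist:
                dist[p] = dist[node] + 1
                queue.append(p)
    return dist

def solve(constraints):
    """Return an input satisfying every path constraint, or None if infeasible."""
    return next((x for x in DOMAIN if all(c(x) for c in constraints)), None)

def sdse(cfg, start, target, max_states=1000):
    """Always extend the pending state whose node is closest to the target."""
    dist, tick = distances_to(cfg, target), count()
    heap = [(dist.get(start, float("inf")), next(tick), start, [start], [])]
    for _ in range(max_states):
        if not heap:
            break
        _, _, node, path, cons = heapq.heappop(heap)
        if node == target:
            return solve(cons), path
        for succ, cond in cfg[node]:
            new_cons = cons + [cond]
            # Prune successors that cannot reach the target or are infeasible.
            if succ in dist and solve(new_cons) is not None:
                heapq.heappush(heap, (dist[succ], next(tick), succ, path + [succ], new_cons))
    return None
```

In this CFG the statically shortest route through `check` is infeasible, so the search falls back to the longer route and returns a concrete input that reaches the target line.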