“…Originally developed in the 1970s [19], [10], symbolic execution is a convenient building block for program analysis, since arbitrary query predicates can be combined with the logical program representation, and solutions to these constraints are program inputs illustrating the queried behavior. Some of the applications of symbolic execution include test generation [15,26], equivalence checking [25,28], vulnerability finding [31,32], program repair [22], invariant discovery [1], and protocol correctness checking [33]. Symbolic execution tools are available for many languages, including CREST [7] for C source code, KLEE [8] for C/C++ via LLVM, JDart [21] and Symbolic PathFinder (SPF) [24] for Java, and S2E [9], FuzzBALL [4], and angr [31] for binary code.…”