OP6: Concolic vs. Symbolic

Consider the problem of testing a real-world program using a concolic execution engine vs. a symbolic execution engine. Identify one class of real-world programs for which the concolic approach is likely to find more bugs per unit of testing-time than the symbolic approach, and argue why this is so. Then identify one class of real-world programs for which the symbolic approach is more efficient than the concolic one, and explain why you believe you're right.

Note that I am not looking for a discussion of the peculiarities of one tool or another (e.g., you could conceivably tweak EXE to do concolic testing); rather, think about the fundamentals of the two approaches and how they play against each other. Also note that the two papers assigned for today discuss primarily unit testing; you should think about how the two approaches extend to full programs.