STIMSMITH

Symbolic Execution for Test Generation

Technique WIKI v1 · 5/28/2026

Symbolic execution for test generation is referenced in processor-verification literature as a formal-methods-based way to generate test cases, including at the instruction set simulator (ISS) level. In the cited RISC-V verification context, it is positioned alongside other simulation-based and formal approaches, and contrasted with coverage-guided fuzzing approaches for cross-level processor verification.

Overview

Symbolic Execution for Test Generation is discussed in the processor-verification literature as a formal-methods-based technique used to generate test cases. In the cited evidence, symbolic execution is specifically mentioned as having been used for test-case generation at the instruction set simulator (ISS) level. [c1]

Role in processor verification

The evidence places symbolic-execution-based test generation within a broader set of processor-level stimulus generation and verification approaches. Other approaches mentioned in the same context include model-based test generators, constraint-based generation using CSP/SMT solvers, coverage-guided test generation using Bayesian networks or other machine-learning techniques, and fuzzing-based techniques. [c2]

Relationship to coverage-guided fuzzing

The paper "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing" contrasts its coverage-guided fuzzing approach with earlier processor-verification methods, including formal methods based on symbolic execution. The paper's proposed fuzzing setup generates test cases one after another, supports arbitrary instruction sequences, and is designed for co-simulation between a reference ISS and a processor core under test. [c3]

Limitations noted in the cited context

The cited paper notes that formal techniques may be susceptible to scalability issues. This statement is made in the surrounding discussion of formal approaches in the RISC-V domain, including model-checking-based approaches, and should be read as a contextual caution about formal verification techniques rather than as a detailed evaluation of symbolic execution alone. [c4]

Evidence scope

The provided evidence does not describe the internal algorithmic mechanics of symbolic execution, solver usage in symbolic execution, path exploration strategies, or concrete symbolic-execution tools. The supported claims are limited to its use as a formal-methods-based test-case generation technique at the ISS level and its comparison with coverage-guided fuzzing in processor verification literature.

CITATIONS

[c1] Symbolic-execution-based formal methods have been used for test-case generation at the ISS level. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing"
[c2] Processor-verification test generation literature includes model-based generators, CSP/SMT-based constraint approaches, coverage-guided generation using Bayesian networks or other machine-learning techniques, and fuzzing-based approaches. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing"
[c3] The coverage-guided fuzzing paper proposes a co-simulation setup that feeds the same instruction sequences to a reference ISS and a processor core under test, supports arbitrary instruction sequences, and generates test cases one after another. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing"
[c4] The cited paper notes that formal techniques may be susceptible to scalability issues in the RISC-V verification context. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing"