Empc: Effective Path Prioritization for Symbolic Execution with Path Cover

2025-05-06
AI Summary
Symbolic execution suffers from poor scalability due to path explosion. To address this, we propose a path prioritization scheduling method based on Minimum Path Cover (MPC), the first to incorporate MPC into symbolic execution path selection. Our approach jointly constructs multiple MPCs to synergistically optimize both coverage completeness and path diversity, overcoming the limited generalizability of conventional heuristic strategies. The method integrates static control-flow graph analysis, MPC solving, and multi-objective path selection, and is implemented within the KLEE framework. Experimental evaluation demonstrates that, compared to KLEE's best-performing built-in strategy, our method improves basic block coverage by 19.6% and line coverage by 24.4%, detects 24 additional security vulnerabilities, and reduces peak memory consumption by up to 93.5%.

πŸ“ Abstract
Symbolic execution is a powerful program analysis technique that can formally reason the correctness of program behaviors and detect software bugs. It can systematically explore the execution paths of the tested program. But it suffers from an inherent limitation: path explosion. Path explosion occurs when symbolic execution encounters an overwhelming number (exponential to the program size) of paths that need to be symbolically reasoned. It severely impacts the scalability and performance of symbolic execution. To tackle this problem, previous works leverage various heuristics to prioritize paths for symbolic execution. They rank the exponential number of paths using static rules or heuristics and explore the paths with the highest rank. However, in practice, these works often fail to generalize to diverse programs. In this work, we propose a novel and effective path prioritization technique with path cover, named Empc. Our key insight is that not all paths need to be symbolically reasoned. Unlike traditional path prioritization, our approach leverages a small subset of paths as a minimum path cover (MPC) that can cover all code regions of the tested programs. To encourage diversity in path prioritization, we compute multiple MPCs. We then guide the search for symbolic execution on the small number of paths inside multiple MPCs rather than the exponential number of paths. We implement our technique Empc based on KLEE. We conduct a comprehensive evaluation of Empc to investigate its performance in code coverage, bug findings, and runtime overhead. The evaluation shows that Empc can cover 19.6% more basic blocks than KLEE's best search strategy and 24.4% more lines compared to the state-of-the-art work cgs. Empc also finds 24 more security violations than KLEE's best search strategy. Meanwhile, Empc can significantly reduce the memory usage of KLEE by up to 93.5%.
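
To make the minimum path cover idea from the abstract concrete, here is an added example; it is not code from the Empc paper or from KLEE. It uses the textbook construction (transitive closure plus bipartite matching) on a constructed, acyclic control-flow graph, and the names `CFG`, `bfs_tree` and `min_path_cover` are hypothetical.

```python
from collections import deque

# Constructed CFG for illustration; assumed acyclic (loops already cut).
CFG = {"entry": ["a", "b"], "a": ["c", "d"], "b": ["d"], "c": ["e"],
       "d": ["e", "f"], "e": ["exit"], "f": ["exit"], "exit": []}

def bfs_tree(cfg, src):
    """Predecessor map of every block reachable from src."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for v in cfg[u]:
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return prev

def min_path_cover(cfg, entry="entry", exit_="exit"):
    """Fewest entry-to-exit paths that together visit every block."""
    trees = {u: bfs_tree(cfg, u) for u in cfg}  # reachability (closure)
    match_to = {}  # match_to[v] = u: v follows u on the same chain
    def augment(u, seen):  # Kuhn's augmenting-path step
        for v in trees[u]:
            if v != u and v not in seen:
                seen.add(v)
                if v not in match_to or augment(match_to[v], seen):
                    match_to[v] = u
                    return True
        return False
    for u in cfg:
        augment(u, set())
    succ = {u: v for v, u in match_to.items()}
    def walk(a, b):  # real CFG blocks after a, up to and including b
        path = []
        while b != a:
            path.append(b)
            b = trees[a][b]
        return path[::-1]
    paths = []
    for head in (n for n in cfg if n not in match_to):  # chain starts
        stops = [entry, head]
        while stops[-1] in succ:
            stops.append(succ[stops[-1]])
        path = [entry]
        for a, b in zip(stops, stops[1:] + [exit_]):
            path += walk(a, b)
        paths.append(path)
    return paths
```

On this graph there are six distinct entry-to-exit paths, while two are enough to visit all eight blocks.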

Problem

Research questions and friction points this paper is trying to address.

Addressing path explosion in symbolic execution
Prioritizing paths using minimum path cover (MPC)
Improving code coverage and bug detection efficiency

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses minimum path cover (MPC) for symbolic execution
Computes multiple MPCs to enhance path diversity
Reduces memory usage significantly by focusing on MPCs