Skip to main content

EDUCATIONAL PURPOSES ONLY: A symbolic execution engine for studying formal verification concepts. Not for production use.

Project description

pysymex

python symbolic execution and formal verification research engine

Bytecode-level path exploration for supported Python programs, backed by Z3 and explicit unknown, unsupported, inconclusive, and blocked states when a definite answer is not justified.

Python 3.11+ Status Solver License


[!WARNING] pysymex is an alpha research prototype for studying symbolic execution and formal verification concepts. It is not production verification software, a security audit substitute, or a guarantee that a target program is safe.

At a Glance

Area Current focus
Execution model CPython bytecode execution for Python 3.11 through 3.13
Reasoning engine Z3-backed path constraints and feasibility checks
Result model Definite issues only when the path is feasible; uncertainty remains explicit
Output formats Text, JSON, Markdown, HTML, and SARIF
Primary interfaces pysymex scan, pysymex analyze, pysymex verify, and Python APIs
Project phase Alpha, research-oriented, closed to external pull requests

Install

Use Python 3.11 or newer.

pip install pysymex

For local development from this repository:

git clone https://github.com/darkoss1/pysymex.git
cd pysymex
uv sync

uv sync creates .venv and sets the shell activation prompt to the project name (pysymex). Prefer uv sync over bare uv venv for first-time setup.

Core runtime dependencies are pinned or constrained in pyproject.toml, including z3-solver, pydantic, immutables, rich, and psutil.

Quick Start

Scan a file:

pysymex scan mycode.py

Scan a directory recursively:

pysymex scan src/ -r

Generate SARIF for CI systems:

pysymex scan src/ -r --format sarif -o report.sarif

Analyze a specific function:

pysymex analyze mycode.py -f risky_divide --args x:int y:int

Run the benchmark command:

pysymex benchmark --format markdown

Command Map

Need Interface
Scan a file or tree for supported issue patterns pysymex scan PATH [-r]
Inspect one function with typed symbolic inputs pysymex analyze FILE -f NAME --args x:int
Verify contract-decorated code pysymex verify FILE -f NAME
Fail a CI job by severity and optionally write SARIF pysymex check PATH --fail-on high --sarif report.sarif
Measure benchmark cases or compare baselines pysymex benchmark [--case NAME]

Python API

import asyncio

from pysymex import analyze


def risky_divide(x: int, y: int) -> int:
    return x // y


result = asyncio.run(analyze(risky_divide, {"x": "int", "y": "int"}))

for issue in result.issues:
    print(issue.kind)
    print(issue.message)
    print(issue.get_counterexample())

Use the Python API when you want direct access to symbolic execution results. Use the CLI when you want scanner workflows, report files, or CI-friendly output.

Supported Inputs and Reports

Surface Current support
Python versions CPython 3.11, 3.12, and 3.13 bytecode families
CLI symbolic argument types int, str, list, bool, and dict
Scan Symbolic execution only (pysymex scan; static/pipeline modes removed)
Report formats text, json, sarif, rich, html, and markdown
CI workflow pysymex check for severity-gated exits; SARIF for external viewers
Sandbox boundary Target loading can go through the sandbox bridge; denials remain visible

Result Semantics

pysymex should not turn uncertainty into success. A result can include definite issues, unsupported behavior, blocked execution, or inconclusive paths depending on what the engine can justify.

State Meaning
Definite issue A feasible path reaches a detector condition or runtime failure
No issue reported No definite issue was found within the explored supported paths
Unsupported The target used behavior outside the implemented semantic model
Unknown or inconclusive Solver uncertainty, path limits, incomplete modeling, or other limits prevented a definite answer
Blocked Isolation, import, sandbox, or environment policy prevented execution

Practical Boundaries

Boundary What it means for users
Feasibility first A definite bug report should correspond to a feasible path, not just a syntactic pattern
Bounded exploration Timeouts, path limits, and iteration limits can leave reachable behavior unexplored
Model coverage Builtins, stdlib calls, imports, and dynamic Python features are only as precise as their models
Solver uncertainty Z3 unknown, timeouts, or encoding gaps must remain inconclusive instead of becoming success
Sandbox policy Native isolation and sandbox bridge failures are blocked states, not proof that code is safe
Report confidence JSON, SARIF, HTML, and Markdown change presentation, not the underlying certainty level

Detection Surface

The detector surface includes runtime failures and static or logical signals. Coverage depends on supported syntax, bytecode, models, path limits, and solver outcomes.

Family Examples
Arithmetic division by zero, modulo by zero, overflow
Containers index error, key error, missing attributes, symbolic container access
Runtime state unbound local, name error, type error, value error, none dereference
Control flow assertion failure, unreachable code, infinite loop signals
Resources resource leak patterns
Contracts precondition, postcondition, and contract validation failures
Logical checks contradictions, impossible branches, path-level inconsistencies

Architecture

pysymex/
  api/                  public Python API facade
  cli/                  command-line interface and formatters
  scanner/              file and directory scanning workflows
  execution/            symbolic VM, opcode dispatch, and execution strategies
  core/                 symbolic state, memory, solver, and shared types
  models/               builtin, stdlib, and runtime behavior models
  analysis/             detectors, scanner range checks, and higher-level analyses
  sandbox/              isolation-facing execution boundaries
  reporting/            text, JSON, Markdown, HTML, and SARIF report generation
  tracing/              Z3 and execution trace support

The important boundary is trust: execution, solver, scanner, model, sandbox, and reporting layers should keep unsupported or inconclusive behavior visible instead of silently treating it as a successful verification result.

Examples

The examples directory contains small, numbered scenarios:

File Focus
01_basic_safety_guards.py Basic guard patterns
02_common_runtime_bugs.py Common runtime failures
03_hidden_branch_constraints.py Nested branches found via symbolic scan
04_contract_verification.py Contract checking
05_deep_path_loops.py Loop and path-depth behavior
06_sandbox_security.py Sandbox-oriented examples
07_symbolic_containers.py Symbolic container behavior
08_exception_handling.py Exception paths

Development

Use the locked uv workflow when possible:

uv sync
uv run ruff check pysymex tests
uv run pyright pysymex tests
uv run pytest

Run a focused test while iterating:

uv run pytest tests/unit/path/to/test_file.py -q

Run multi-version Docker validation through the one-click script:

python tests/docker.py -- -q

Documentation

Document Purpose
docs/README.md Documentation index and recommended read order
docs/API.md Public Python API reference
docs/CLI.md Command-line usage and examples
docs/LIMITATIONS.md Supported scope, uncertainty states, and safety boundaries
docs/arch/README.md Source-grounded architecture reference
docs/GLOSSARY.md Terms used across the project

An automatically generated Code Wiki is also available for exploratory architecture browsing: deepwiki.com/darkoss1/pysymex/. Treat it as secondary material that may lag behind this repository.

Contribution Policy

pysymex is currently open source but closed to external pull requests during its alpha phase. Issues and bug reports are welcome through the repository issue tracker.

See CONTRIBUTING.md for the current policy.

License

pysymex is licensed under the AGPL-3.0-only.


Research engine. Explicit uncertainty. Feasible bugs over optimistic claims.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pysymex-0.1.1a0.tar.gz (1.2 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pysymex-0.1.1a0-py3-none-any.whl (2.4 MB view details)

Uploaded Python 3

File details

Details for the file pysymex-0.1.1a0.tar.gz.

File metadata

  • Download URL: pysymex-0.1.1a0.tar.gz
  • Upload date:
  • Size: 1.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pysymex-0.1.1a0.tar.gz
Algorithm Hash digest
SHA256 d2b6229c9c8e55b5bd2b8ab2b2daa4c9a88a70b3dcd790870748ee1160a58145
MD5 a2174b6815013177c774aeacf5004dff
BLAKE2b-256 33343fe138e22b508883fc936f93d4157fbd5d981342d48df81a814319ed9e2f

See more details on using hashes here.

Provenance

The following attestation bundles were made for pysymex-0.1.1a0.tar.gz:

Publisher: publish.yml on darkoss1/pysymex

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pysymex-0.1.1a0-py3-none-any.whl.

File metadata

  • Download URL: pysymex-0.1.1a0-py3-none-any.whl
  • Upload date:
  • Size: 2.4 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pysymex-0.1.1a0-py3-none-any.whl
Algorithm Hash digest
SHA256 184440ee279245b368e2154da5312c7c570cf3aedeff4a95a38d13b59058c6fb
MD5 b4acf9e3c48cbbc8b220bc6e7400a88c
BLAKE2b-256 05a3422d6b0278292f228ce12378f8f3625662d659747e086d5a5f035d13808a

See more details on using hashes here.

Provenance

The following attestation bundles were made for pysymex-0.1.1a0-py3-none-any.whl:

Publisher: publish.yml on darkoss1/pysymex

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page