EDUCATIONAL PURPOSES ONLY: A symbolic execution engine for studying formal verification concepts. Not for production use.
Project description
pysymex
python symbolic execution and formal verification research engine
Bytecode-level path exploration for supported Python programs, backed by Z3 and explicit unknown, unsupported, inconclusive, and blocked states when a definite answer is not justified.
[!WARNING] pysymex is an alpha research prototype for studying symbolic execution and formal verification concepts. It is not production verification software, a security audit substitute, or a guarantee that a target program is safe.
At a Glance
| Area | Current focus |
|---|---|
| Execution model | CPython bytecode execution for Python 3.11 through 3.13 |
| Reasoning engine | Z3-backed path constraints and feasibility checks |
| Result model | Definite issues only when the path is feasible; uncertainty remains explicit |
| Output formats | Text, JSON, Markdown, HTML, and SARIF |
| Primary interfaces | pysymex scan, pysymex analyze, pysymex verify, and Python APIs |
| Project phase | Alpha, research-oriented, closed to external pull requests |
Install
Use Python 3.11 or newer.
pip install pysymex
For local development from this repository:
git clone https://github.com/darkoss1/pysymex.git
cd pysymex
uv sync
uv sync creates .venv and sets the shell activation prompt to the project
name (pysymex). Prefer uv sync over bare uv venv for first-time setup.
Core runtime dependencies are pinned or constrained in pyproject.toml,
including z3-solver, pydantic, immutables, rich, and psutil.
Quick Start
Scan a file:
pysymex scan mycode.py
Scan a directory recursively:
pysymex scan src/ -r
Generate SARIF for CI systems:
pysymex scan src/ -r --format sarif -o report.sarif
Analyze a specific function:
pysymex analyze mycode.py -f risky_divide --args x:int y:int
Run the benchmark command:
pysymex benchmark --format markdown
Command Map
| Need | Interface |
|---|---|
| Scan a file or tree for supported issue patterns | pysymex scan PATH [-r] |
| Inspect one function with typed symbolic inputs | pysymex analyze FILE -f NAME --args x:int |
| Verify contract-decorated code | pysymex verify FILE -f NAME |
| Fail a CI job by severity and optionally write SARIF | pysymex check PATH --fail-on high --sarif report.sarif |
| Measure benchmark cases or compare baselines | pysymex benchmark [--case NAME] |
Python API
import asyncio
from pysymex import analyze
def risky_divide(x: int, y: int) -> int:
return x // y
result = asyncio.run(analyze(risky_divide, {"x": "int", "y": "int"}))
for issue in result.issues:
print(issue.kind)
print(issue.message)
print(issue.get_counterexample())
Use the Python API when you want direct access to symbolic execution results. Use the CLI when you want scanner workflows, report files, or CI-friendly output.
Supported Inputs and Reports
| Surface | Current support |
|---|---|
| Python versions | CPython 3.11, 3.12, and 3.13 bytecode families |
| CLI symbolic argument types | int, str, list, bool, and dict |
| Scan | Symbolic execution only (pysymex scan; static/pipeline modes removed) |
| Report formats | text, json, sarif, rich, html, and markdown |
| CI workflow | pysymex check for severity-gated exits; SARIF for external viewers |
| Sandbox boundary | Target loading can go through the sandbox bridge; denials remain visible |
Result Semantics
pysymex should not turn uncertainty into success. A result can include definite issues, unsupported behavior, blocked execution, or inconclusive paths depending on what the engine can justify.
| State | Meaning |
|---|---|
| Definite issue | A feasible path reaches a detector condition or runtime failure |
| No issue reported | No definite issue was found within the explored supported paths |
| Unsupported | The target used behavior outside the implemented semantic model |
| Unknown or inconclusive | Solver uncertainty, path limits, incomplete modeling, or other limits prevented a definite answer |
| Blocked | Isolation, import, sandbox, or environment policy prevented execution |
Practical Boundaries
| Boundary | What it means for users |
|---|---|
| Feasibility first | A definite bug report should correspond to a feasible path, not just a syntactic pattern |
| Bounded exploration | Timeouts, path limits, and iteration limits can leave reachable behavior unexplored |
| Model coverage | Builtins, stdlib calls, imports, and dynamic Python features are only as precise as their models |
| Solver uncertainty | Z3 unknown, timeouts, or encoding gaps must remain inconclusive instead of becoming success |
| Sandbox policy | Native isolation and sandbox bridge failures are blocked states, not proof that code is safe |
| Report confidence | JSON, SARIF, HTML, and Markdown change presentation, not the underlying certainty level |
Detection Surface
The detector surface includes runtime failures and static or logical signals. Coverage depends on supported syntax, bytecode, models, path limits, and solver outcomes.
| Family | Examples |
|---|---|
| Arithmetic | division by zero, modulo by zero, overflow |
| Containers | index error, key error, missing attributes, symbolic container access |
| Runtime state | unbound local, name error, type error, value error, none dereference |
| Control flow | assertion failure, unreachable code, infinite loop signals |
| Resources | resource leak patterns |
| Contracts | precondition, postcondition, and contract validation failures |
| Logical checks | contradictions, impossible branches, path-level inconsistencies |
Architecture
pysymex/
api/ public Python API facade
cli/ command-line interface and formatters
scanner/ file and directory scanning workflows
execution/ symbolic VM, opcode dispatch, and execution strategies
core/ symbolic state, memory, solver, and shared types
models/ builtin, stdlib, and runtime behavior models
analysis/ detectors, scanner range checks, and higher-level analyses
sandbox/ isolation-facing execution boundaries
reporting/ text, JSON, Markdown, HTML, and SARIF report generation
tracing/ Z3 and execution trace support
The important boundary is trust: execution, solver, scanner, model, sandbox, and reporting layers should keep unsupported or inconclusive behavior visible instead of silently treating it as a successful verification result.
Examples
The examples directory contains small, numbered scenarios:
| File | Focus |
|---|---|
01_basic_safety_guards.py |
Basic guard patterns |
02_common_runtime_bugs.py |
Common runtime failures |
03_hidden_branch_constraints.py |
Nested branches found via symbolic scan |
04_contract_verification.py |
Contract checking |
05_deep_path_loops.py |
Loop and path-depth behavior |
06_sandbox_security.py |
Sandbox-oriented examples |
07_symbolic_containers.py |
Symbolic container behavior |
08_exception_handling.py |
Exception paths |
Development
Use the locked uv workflow when possible:
uv sync
uv run ruff check pysymex tests
uv run pyright pysymex tests
uv run pytest
Run a focused test while iterating:
uv run pytest tests/unit/path/to/test_file.py -q
Run multi-version Docker validation through the one-click script:
python tests/docker.py -- -q
Documentation
| Document | Purpose |
|---|---|
| docs/README.md | Documentation index and recommended read order |
| docs/API.md | Public Python API reference |
| docs/CLI.md | Command-line usage and examples |
| docs/LIMITATIONS.md | Supported scope, uncertainty states, and safety boundaries |
| docs/arch/README.md | Source-grounded architecture reference |
| docs/GLOSSARY.md | Terms used across the project |
An automatically generated Code Wiki is also available for exploratory architecture browsing: deepwiki.com/darkoss1/pysymex/. Treat it as secondary material that may lag behind this repository.
Contribution Policy
pysymex is currently open source but closed to external pull requests during its alpha phase. Issues and bug reports are welcome through the repository issue tracker.
See CONTRIBUTING.md for the current policy.
License
pysymex is licensed under the AGPL-3.0-only.
Research engine. Explicit uncertainty. Feasible bugs over optimistic claims.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pysymex-0.1.1a0.tar.gz.
File metadata
- Download URL: pysymex-0.1.1a0.tar.gz
- Upload date:
- Size: 1.2 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d2b6229c9c8e55b5bd2b8ab2b2daa4c9a88a70b3dcd790870748ee1160a58145
|
|
| MD5 |
a2174b6815013177c774aeacf5004dff
|
|
| BLAKE2b-256 |
33343fe138e22b508883fc936f93d4157fbd5d981342d48df81a814319ed9e2f
|
Provenance
The following attestation bundles were made for pysymex-0.1.1a0.tar.gz:
Publisher:
publish.yml on darkoss1/pysymex
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pysymex-0.1.1a0.tar.gz -
Subject digest:
d2b6229c9c8e55b5bd2b8ab2b2daa4c9a88a70b3dcd790870748ee1160a58145 - Sigstore transparency entry: 1737835975
- Sigstore integration time:
-
Permalink:
darkoss1/pysymex@6ce0948a6cca45775964c62f78568306caa2a1fb -
Branch / Tag:
refs/tags/v0.1.1a0 - Owner: https://github.com/darkoss1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6ce0948a6cca45775964c62f78568306caa2a1fb -
Trigger Event:
release
-
Statement type:
File details
Details for the file pysymex-0.1.1a0-py3-none-any.whl.
File metadata
- Download URL: pysymex-0.1.1a0-py3-none-any.whl
- Upload date:
- Size: 2.4 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
184440ee279245b368e2154da5312c7c570cf3aedeff4a95a38d13b59058c6fb
|
|
| MD5 |
b4acf9e3c48cbbc8b220bc6e7400a88c
|
|
| BLAKE2b-256 |
05a3422d6b0278292f228ce12378f8f3625662d659747e086d5a5f035d13808a
|
Provenance
The following attestation bundles were made for pysymex-0.1.1a0-py3-none-any.whl:
Publisher:
publish.yml on darkoss1/pysymex
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pysymex-0.1.1a0-py3-none-any.whl -
Subject digest:
184440ee279245b368e2154da5312c7c570cf3aedeff4a95a38d13b59058c6fb - Sigstore transparency entry: 1737836024
- Sigstore integration time:
-
Permalink:
darkoss1/pysymex@6ce0948a6cca45775964c62f78568306caa2a1fb -
Branch / Tag:
refs/tags/v0.1.1a0 - Owner: https://github.com/darkoss1
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6ce0948a6cca45775964c62f78568306caa2a1fb -
Trigger Event:
release
-
Statement type: