Add symbolic execution engine (Phases 0-14) with IR binding fixes by pgoodman · Pull Request #585 · trailofbits/multiplier

pgoodman · 2026-04-29T00:52:00Z

Summary

Phases 0–14: Full symbolic execution engine in bindings/Python/symex/ — mid-block entry, layout/memory model, intercept/observe hook chains, path snapshots, DFS/BFS exploration, z3 SMT integration, region-aware OOB detection, symbolic load/store, provenance walk, taint tracking, PathSet analysis, and address-space mediation
IR binding fixes: IRInstruction.to_python and IRStructure.to_python now dispatch to most-derived Python subtypes (opcode/StructureKind switch), so isinstance(inst, mx.ir.EnterScopeInst) works correctly
Policy wiring: call_inst and branch_inst threaded from C++ substrate through PythonPolicy into Python hook context (ctx.inst); exception propagation from hooks back through the interpreter loop

Test plan

python -m pytest tests/symex/ -q — 215 passed
python -m pytest tests/InterpretIR/ -q — 235 passed (no regressions)

🤖 Generated with Claude Code

…uite Implements PythonPolicy for symbolic execution via Python-subclassable policy objects, unified init_state/step API dispatching on argument type, PythonScheduler with fork/continuation support, and a 260-function test suite (177/230 passing). Includes generated IR instruction bindings, COW call stack, and concrete fallback for all value operations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Factor mem_bulk_op (~480 lines) and memory helpers out of PythonPolicy into shared free functions in ConcreteOps, eliminating verbatim duplication between ConcretePolicy and SymbolicInterpreter. Both policies now delegate to concrete_mem_bulk_op. Add AtomicExpr handling in IRGen — Clang represents __atomic_fetch_* builtins as AtomicExpr AST nodes (not CallExpr), so they were falling through to UNKNOWN. Now emits proper READ_MODIFY_WRITE instructions for fetch-op, op-fetch, and exchange; MEMORY loads/stores for atomic load/store. Fixes 28 atomic test failures (205/230 passing). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

These 16-bit count-leading/trailing-zeros builtins were missing from the IRGen builtin table, causing them to fall through to UNKNOWN. 206/230 tests now pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CALL instructions now print as `CALL @function_name [args...]` for direct calls and `CALL @<indirect> [args...]` for indirect calls. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add is_float flag to ScalarValue so float values are distinguishable from integers at the value level. This fixes three related issues: 1. value_to_python now returns Python floats (not raw bit integers) for float ScalarValues, so Python policies can operate on float values naturally in their own domain. 2. concrete_write_to_mem narrows f64→f32 when writing a double value to a 4-byte float slot (previously wrote low 4 bytes of the f64 bit pattern, producing 0.0 for any value). 3. init_state detects float parameters via BuiltinType::is_floating_point and passes is_float=true in the MemAccessHint. 223/230 tests passing (was 206). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove is_float parameter from concrete_write_to_mem — narrowing now uses the value's own is_float tag instead of an external hint. Simplify concrete_read_from_mem to return raw bits with float tag rather than interpreting through float/double types. Fix as_float32() to narrow f64 values through double→float instead of reading wrong low-32 bits. Use direct IEEE 754 division/fmod in concrete_binary_op. Fix f32 test oracles to compute at f32 precision and handle fptrunc overflow. All 230 symbolic executor tests pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Ship two interlocking refactors that landed on this branch as the substrate for the symbolic-execution work to come: Continuation refactor. A `Continuation<ValueT>` now represents every suspension point — branches, calls, global resolution, memory address concretization — under one polymorphic shape. `with_address` emits a `MemAddrContinuation` that the driver resolves by picking concrete addresses; `resume_addr` specializes a suspended state and continues stepping. New headers: Continuation.h, Sharable.h, SharablePy.h. Sharable interpreter state. `Sharable<T, Policy>` picks the ref-count system per (class, instantiation) at compile time — `StdShared` for the CLI, `PyObjectRC` for the Python bindings — so class code stays policy-agnostic. The Python arm lives in SharablePy.h to keep the plain Sharable header Python-free. Policy<> drops its scheduler template parameter; ConcretePolicy is Sched-agnostic; the no-op scheduler is inlined into the loop. The interpreter library now owns the step loop end-to-end and bin/ InterpretIR is a thin CLI on top. Python bindings expose resume_addr, the sharable state, and a Python-policy subclass surface. memory_view.py adds typed views over ConcreteMemory using the multiplier type system. New test fixtures exercise atomics, unions, and symbolic-address forking. All 235 interpreter tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Phase 0 of the symbolic-execution vision (docs/symex-vision.md). Adds the two interpreter primitives the analyst-facing layer needs to stand up under-constrained execution that begins partway through a function with named globals at chosen addresses. Mid-block entry. Split `enter_block` into `clear + push_block_work_items` so the cache-clearing path is separable from the work-pushing path. The new `interp_init_state_at` template seeds `frame.values` with caller-supplied live-ins and pushes a chosen block's work items directly, bypassing the work-stack ENTER_BLOCK handler that would otherwise wipe the seed. Layout primitive. `ConcreteMemory::place_at(addr, size, align)` pre-allocates a region at a chosen virtual address with overlap detection against live regions and bumps `next_alloc_` past placed regions so subsequent bump-allocations don't collide. Python: `init_state_at(state, memory, py_policy, func, block, param_addrs, return_addr, value_seed[, …])` and `place_at` on the `ConcreteMemory` wrapper. Tests: `tests/symex/test_phase0.py` covers P0.1–P0.4 (entry-block equivalence, non-entry start, place_at success / overlap / alignment / post-place allocation) — 8/8 green. The 235-test InterpretIR gate still passes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Lands the analyst-facing skeleton on top of the existing C++ symbolic substrate. Pure Python except for a small tweak to InterpreterState's steps/empty/depth getters so they read the symbolic state too. The package (bindings/Python/symex) ships: - Layout: name -> address book backed by ConcreteMemory.place_at, with place_global / place_function / __getitem__ / function_at / address_range. - SymExEngine: explore(start_func, args, policy, until, ...) drives init_state + step until terminal or until-predicate. Forks come in two flavors -- BranchContinuation enumerates both edges, MemAddrContinuation is concretized via a strategy callable (default ConcretizeFinite([0])). - Path: wraps an InterpreterState, carries .id, .events, .tags, .solver, .clone(), and stub .snapshot()/.restore() pending Phase 3. - Ctx, MemView, ArgsView: lens/locator shapes for the Phase 2 hook layer. Phase 1 doesn't dispatch hooks, but the data classes are stable so hook bodies built on them won't churn later. - ExploreUntil: composable .path_count(N) / .steps(N) / .time(s) predicates wired through __or__/__and__. Tests in tests/symex/test_phase1.py cover P1.1-P1.7 from the vision plan; P1.5 (z3 named-global readback) is skipped pending the Phase 4 solver integration. The 235-test InterpretIR regression gate stays green. Driving forks needs a policy that propagates symbolic-ness through memory and answers is_true/resolve_branch with None for non-concrete values. tests/symex/conftest.py ships ForkOnSymbolicBranchPolicy as the test harness for that until Phase 2 makes it ergonomic. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Two-namespace hook layer for the analyst-facing symex API: * `engine.intercept.<event>` — agentic. Each handler takes `next_hook` as its last positional argument; forward by calling it, short-circuit by returning a value without calling it. * `engine.observe.<event>` — listen-only fan-out, auto-recorded onto `path.events`. Defaults to the `after` phase; `before` is available via `engine.observe.before.<event>`. Composition shape (no `PASS / SKIP / STOP` sentinels): handlers chain right-to-left at dispatch time so the first-registered runs outermost. Each `next_hook` is a closure bound to "everything after me", so the pattern scales to N>2 without changes to the dispatcher. The chain bottom is a per-event default function that mirrors the substrate's natural behavior (concrete read for `memory_read`, concrete write for `memory_write`, defer-to-inline for `call` / `indirect_call`). `ctx.default()` returns the substrate's default for the current event; `ctx.stop_path()` marks the path as stopped without short-circuiting the in-flight chain. Substrate change in `InterpreterLoop.h::exec_call`: always invoke `policy.resolve_call` (was: skipped when `target_decl` resolved to IR). The skip prevented `intercept.call(name=…)` from firing on direct calls. Concrete policies fall through to `func_resolver_`, so inlining is preserved. Lens additions in `lens.py`: * `MemView.read_struct` / `write_struct` over `(name, offset, size, signed)` tuples. * `ArgsView.as_string` / `as_pointer_to`, plus a `_PointerLens` helper so analysts can read/write through pointer-shaped args. Reference libc model pack at `bindings/Python/symex/models/libc.py` covering `strlen`, `memcpy`, `memset`, `read`, `malloc`, `free`. `engine.use(models.libc)` installs the lot. Each handler doubles as a composition reference: those that can short-circuit do, those that can't (e.g., when a pointer arg is symbolic) forward via `next_hook(ctx)`. Tests: `tests/symex/test_phase2.py` — 14 P2.x cases covering addr-range gating, symbolic propagation through `compare`, write-drop semantics, call/indirect_call interception, the "forward through next_hook" chain pattern, pre-write-then-forward, observer auto-recording, observer/intercept coexistence, exception isolation in observers, and libc-pack registration. Gates: `pytest tests/symex` 30 passed / 1 skipped; `tests/InterpretIR` 235 passed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- Backedge analysis (`cfg.py`): iterative DFS classifies CFG edges as tree / forward / back / cross, names headers and latches, and precomputes which outgoing edge of a loop-guard cond_branch re-enters the loop versus exits it. Cached per function on the engine. - `intercept.branch` chain dispatch + `intercept.loop` sugar with the composition shape — no `CONTINUE / STOP / SKIP_BODY / REPLAY` verbs. Branch handlers compose `(ctx, condition, next_hook)`; loop handlers wrap that with `(ctx, next_hook)` plus a per-firing `LoopContext` carrying iteration / header_block / latch_block / would_exit. `_default_branch` returns `_FORK` for symbolic conditions and `condition != 0` for concrete ones, so a forwarding handler keeps the natural decision. - Per-path back-edge counter `Path._loop_iters[(latch, header)]` bumped by the loop wrapper; survives fork / suspension cloning. - `Path.snapshot()` / `restore()` / `replay(modify=…)` round-trip full path state — interpreter state, events, tags, terminal, return_value, loop counter — through `_Snapshot` and re-clone on restore so snapshots stay reusable. `replay` drives `engine.resume_from` which clones the snapshot's state onto a fresh `Path`, applies `modify(path)`, and runs the engine driver. - `engine.explore(strategy="bfs"|"dfs")` + `ExploreUntil.max_paths(N)` / `max_depth(D)`. DFS commits to a path before opening siblings; BFS expands breadth-first. The engine now pins its layout on first `explore` so subsequent calls (and replay) share an address space. - 6 P3.x tests plus 2 ExploreUntil tests in `tests/symex/test_phase3.py`; phase 0/1/2 (30+1) and InterpretIR (235) gates remain green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

EventLog and PathSet wrappers (list subclasses sharing a _FilterableList base) add Django-ORM-style predicate queries: where/first/count over events.kind, addr, step, name, etc., and over path-level filters terminal, return_value, tags__contains, events__contains_kind, events__contains_addr. Path.summary() and path.dot_cfg() render human-readable views over the recorded event stream. The substrate doesn't yet emit per-block enter events to Python, so dot_cfg renders branch-transition graphs. z3 wiring lands across dispatch, path, and engine: - ctx.solver.fresh_int(name, *, size, lo=None, hi=None) mints a cached BitVec and adds the optional bounds to path_condition. - compare / binary_op / unary_op produce derived z3 exprs when an operand is a z3 expression; opcode dispatch is table-driven and anchored to mx.ir.OpCode so the ranges track the C++ enum. - is_true / resolve_branch return None on z3 conditions so the substrate forks; _handle_branch_forks accumulates the branch condition (cond on true child, Not(cond) on false child) onto each child's path_condition. - path.assert_(cond) adds a constraint and marks the path terminal=Terminal.INFEASIBLE when the resulting set is unsat. - path.solver.model() returns {name: int} on sat, None on unsat. - The z3 module reference is cached at module load so the per-IR-op _is_z3 check costs one dict lookup, not a try/import. Stringly-typed code is gathered into StrEnums (EventKind, Phase, BranchDirection, Terminal, StepResultKind, Strategy, CallAction, EdgeKind) so equality with the existing string literals still works but call sites reference the typed members. 6 P4.x tests in tests/symex/test_phase4.py exercise the new surfaces; tests/symex/test_phase1.py::test_p1_5_z3_named_global is un-skipped and now solves. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Symbolic-address suspensions previously consumed a single `concretize=lambda fork: [k]` callable. Phase 5 makes this typed, named, selector-routed, and sound under the path's z3 condition. Adds: - `AddressStrategy` ABC + `Decision` / `ConcretizeTo` types in `bindings/Python/symex/concretize.py`. `Decision` is the seam Phase 6 widens with `SplitByRegion` and `ConstrainTo`. - Four built-ins: `ConcretizeFinite`, `ConcretizePointerSet` (with `.functions(layout)` / `.globals(layout)` classmethods), `ConcretizeByRegion`, `ConcretizeViaSolver`. - `engine.address_strategy` (default), and selector-based `engine.concretize_at(strategy, **selector_kwargs)` reusing the intercept dispatch's `_Selector` (`addr_range=`, `name=`, `eid=`). - `ConcretizeViaSolver` attaches `addr_var == k` as `extra_constraint` so the child path's solver agrees with the executed address. - Feasibility pre-check on every concrete candidate; emits `concretization_infeasible` for rejects. - New `EventKind.CONCRETIZATION_TRUNCATED` / `CONCRETIZATION_INFEASIBLE`; new `Terminal.CONCRETIZATION_REFUSED` (distinct from STUCK_SUSPENSION). - Legacy callable shape (`concretize=lambda fork: [...]`) still works through `_CallableStrategy`. Tests: 10 new P5.x tests in `tests/symex/test_phase5.py`. Two are strategy unit tests (P5.2 ViaSolver + P5.3 PointerSet + P5.4 ByRegion + P5.8 feasibility) since the substrate's `ptr_add` collapses z3 indices to concrete during pointer arithmetic, so an organic explore never produces a suspension whose `address_expr` is a live z3 expression. The remaining tests are end-to-end through `symbolic_test_ptr_add`. Gates: 56/56 tests/symex green (46 prior + 10 P5); 235/235 tests/InterpretIR green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Multiplier's Python bindings already return the most-derived type, so `mx.ast.FunctionDecl.FROM(decl)` and similar `.FROM` casts are unnecessary in Python — they're a C++-flavored code smell. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Phase 6 widens the Phase 5 Decision seam so the engine can fork on region-shaped suspensions, materialize lazy backing storage for unbacked symbolic pointers, and surface concrete-mode bug findings through a sink registry. - Region, LazyRegion, RegionTable (sorted-by-base interval index) in bindings/Python/symex/region.py. Layout upgraded to back globals with Region objects plus regions(), region_containing(addr), regions_overlapping(lo, hi); legacy globals()/functions()/ address_range()/[name] API preserved. - New Decision variants: ConstrainTo(z3_predicate) and SplitByRegion(regions=(...)). ConcretizeByRegion widened to return a single SplitByRegion so the in-region offset stays symbolic when the substrate carries it (Phase 7 dependency, see below). ConcretizeByRegion(..., lazy_default=True) materializes a fresh LazyRegion via Layout.declare_lazy when the layout has no regions. - Engine wiring: _handle_suspension dispatches the three Decision variants through dedicated helpers; SplitByRegion + ConstrainTo each have a symbolic-addr path (resume_addr_symbolic, assert in-region predicate) and a concrete-addr fallback (degrade to resume_addr at the region base / chosen address). lazy_region_budget caps LazyRegion materializations per path; over-quota emits lazy_budget_exhausted and refuses. - Per-region z3 Array overlay (BitVec(64) -> BitVec(8)) with per-byte store/select primitives. Overlay backing array is K(0) so unwritten bytes read as zero. Concrete writes mirror byte-by-byte into existing overlays so symbolic-offset reads see the prior concrete bytes; cost is paid only after first symbolic touch. - Required substrate hook: interp_resume_addr_symbolic(state, eid, py_value) writes a Python value (typically a z3 expression) into the suspended op's address slot. Sibling get_value_at(state, eid) for testing the round-trip. - Sink framework: Sink ABC, Finding dataclass (kind, addr_eid, step, witness, region, mode), SinkRegistry. Three built-ins: OOBSink, NullDerefSink (memory_read/memory_write); DivByZeroSink (binary_op). Each has a concrete-addr mode (containment / numeric check, no solver) and a symbolic-addr mode (path_condition ∧ bad-predicate). OOBSink's concrete-addr mode discriminates substrate-internal accesses from real OOB by requiring a MEMADDR_CONCRETIZE event for the access's address. Sinks fire after the policy event; fatal=True terminates with Terminal.SINK_HIT. - path.findings (FilterableList) and path.regions_touched() aggregating per-region read/write counts from auto-recorded memory events. Memory events now record unconditionally so sinks and queries work without an explicit observer. - New event kinds: region_materialized, lazy_budget_exhausted, constrain_to_concrete_addr, split_by_region, sink_fired, binary_op. New terminal: SINK_HIT. - 16 P6.x tests (8 [U] strategy/overlay, 8 [E2E] end-to-end, including a CWE-787-style worked example through symbolic_test_ptr_add over an 8-byte g_buf with ConcretizeFinite enumeration). 72 total in tests/symex; 235 in tests/InterpretIR unchanged. Deferred to Phase 7: Python dispatch for PythonPolicy::ptr_add / ptr_diff / ptr_offset (SymbolicInterpreter.cpp:442/449/456). Until that lands, organic explores never produce a suspension whose address_expr is a live z3 expression, and Phase 6's symbolic-addr modes only fire on synthesized fixtures (or on DivByZeroSink where binary_op is already Python-dispatched and routes a symbolic divisor through). Phase 6 was structured so the seam, region table, overlay, and sink registry are all correct under both modes — Phase 7 flips one switch. The CWE-787 store-side variant in tests/symex/c/cwe787_oob_write.c is also Phase 7 material: adding a new C file requires rebuilding the InterpretIR test database. Phase 6's exemplar test produces the same shape (oob_read concrete-mode Findings) through the existing corpus. docs/symex-vision.md updated: Phase 6 section replaces the old "polishing & docs" stub with regions+sinks; Phase 7 section calls out ptr_add dispatch as the gating item alongside the worked notebook polish. docs/symex-phase6-plan.md deleted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

PythonPolicy::{ptr_add, ptr_diff, ptr_offset} now dispatch through Python first, mirroring the binary_op / cast shape; new cache fields cached_ptr_*_. The concrete fallback runs only when the policy returns NotImplemented, so callers without ptr_* methods see no behavior change. InterceptorPolicy.{ptr_add, ptr_diff, ptr_offset} lower symbolic operands to z3 BitVec(64) — base zero-extended, index sign-extended, element-size scaled in z3; ptr_diff's element-size division uses UDiv. A small _addr_as_z3 helper normalizes ints / ("ptr", N) / z3. Adds tests/symex/c/cwe787_oob_write.c (copy_into / store_at / store_at_u64) as the corpus for the worked example. The InterpretIR compile_commands.json (untracked, user-local) carries the new entry; the test DB is regenerated by the user out of band. tests/symex/test_phase7.py (7 tests, P7.1–P7.7): - P7.1 proves ptr_add now dispatches through Python via the presence of a MEMADDR_CONCRETIZE event. - P7.2 proves _addr_feasible filters unreachable decisions against the live path condition (vacuous pre-Phase 7). - P7.3 verifies ConstrainTo on a synthesized symbolic addr_expr lands the constraint without firing the concrete-fallback regression-guard event. - P7.4 drives _dispatch_split_by_region over a region whose size is not a multiple of the access size; OOBSink fires symbolic mode at the partial-overflow upper boundary. - P7.5 is the CWE-787 worked example: store_at over dst[16] with ConcretizeFinite enumerating in/OOB addresses; OOB children produce reproducible oob_write Findings whose witness is the resolved address. - P7.6 walks copy_into end to end, verifying both branches of the bounds check (8 src reads + 8 dst writes on the safe path, 0 dst writes on the early-return path). - P7.7 sweeps the symex package with doctest.testmod. P6.9 / P6.12 had idx ranges that were vacuously satisfiable only under the substrate's pre-Phase 7 collapse-to-concrete behavior; widened the bounds so ConcretizeFinite's decisions remain feasible under the new symbolic addr_expr. Substrate gap (deferred, documented in symex-vision.md): with_address_impl re-suspends on every symbolic-addr LOAD, so end-to-end exploration through SplitByRegion / ConstrainTo (which resume via resume_addr_symbolic) needs a future symbolic_load / symbolic_store policy hook. P7.3 / P7.4 cover the wiring up to that seam synthetically; P7.5's witness flow goes through ConcretizeFinite + resume_addr (concrete) and is unaffected. 79 symex tests + 235 InterpretIR tests green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Closes the substrate gap Phase 7 documented but couldn't fix without scope creep: with `SplitByRegion`, the resumed path used to re-suspend on every LOAD because `with_address_impl` saw a non-extractable z3 address. End-to-end exploration through `SplitByRegion`, `ConstrainTo`, and `LazyRegion` now runs organically through `engine.explore`. `exec_load` / `exec_store` consult `policy.exec_symbolic_load` / `exec_symbolic_store` before falling through to `with_address`'s suspension path. The CRTP base in `Policy.h` provides a no-op default; `PythonPolicy` overrides via cached `cached_symbolic_load_` / `cached_symbolic_store_` method handles that mirror the `mem_read` / `mem_write` shape exactly. Other `with_address` callsites (indirect-call resolution, init-time memcpy, etc.) are unchanged. `InterceptorPolicy.symbolic_load` / `symbolic_store` consult `path._region_at_suspension` to read/write through the region overlay (`region.select_byte` / `store_byte`) little-endian. Returning `NotImplemented` when no region context is available keeps the existing suspension semantics for non-region-tagged paths — no silent default-0 collapse. Tests: 7 P8a cases in `tests/symex/test_phase8a.py` upgrade Phase 7's hybrid P7.3 / P7.4 to true E2E for the SplitByRegion / ConstrainTo paths and exercise the LazyRegion + concrete-write- mirror seams. `tests/symex` total: 86 (was 79); `tests/InterpretIR` still 235. `docs/symex-vision.md` Phase 7 future-work block converted to delivered, with explicit non-goals retained for the still-deferred phases (typed pointer values, cross-path merging, auto-derived layouts, float-typed overlay slots, custom symbolic memory models). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Two surgical correctness fixes that close honesty gaps Phase 8a left visible: 1. `read_return_value` no longer collapses symbolic returns to 0. The substrate used to overwrite the live `ret_from_inst` with a slot read of `frame.return_ptr`; for symbolic returns the slot was never written (the default `mem_write` chain drops z3 values), so `path.return_value` came back silently as `0`. A new `bool has_ret_value` thread through `exec_ret` short-circuits to `ret_from_inst` whenever the RET carried an operand. Aggregate- style returns (RET without operand, function memcpy'd into the slot) are unaffected — `has_ret_value=false` still flows through the existing slot-read code. 2. `engine.observe.global_read` / `global_write` actually fire. The events were declared, exported, and selector-matched but no dispatch path ever called `_fire_observers(GLOBAL_READ, …)`. `InterceptorPolicy` now fans `mem_read`, `mem_write`, and the Phase 8a `symbolic_load` / `symbolic_store` accesses out to the global-event registry whenever the access lands in a `kind == "global"` region. Lazy and function-placement regions are filtered out — they aren't analyst-named globals. Goal #9 ("per-path trace of which globals were accessed and when") is now real. 10 new tests in `tests/symex/test_phase8b.py` (P8b.1–P8b.10; P8b.4 skipped — corpus has no function exposing a no-operand RET). `tests/symex` total: 96. The 235-test InterpretIR harness still passes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Phase 8b shipped a workaround for symbolic primitive returns: a has_ret_value short-circuit in read_return_value that bypassed the slot read whenever RET carried an SSA operand. The underlying gap remained — the dispatcher's default mem_write silently dropped z3 values, so any symbolic write to a substrate-allocated address (return slot, ALLOCA/ARG, ALLOCA/LOCAL, VLA storage) vanished. The workaround also cemented a confusing dual-source-of-truth in the IR (RET carries the value AND the preceding store puts it in the slot). Phase 8c does it the right way: - Path now carries a per-path _symbolic_shadow: dict[(addr, size) -> z3 expr] whose reference is shared with the InterceptorPolicy constructed for that path. The dispatcher's default mem_read / mem_write consult the shadow for z3 values written to concrete substrate-allocated addresses, so writes survive across steps (policy is fresh per step; path is durable). Concrete writes evict the shadow entry at the same key. snapshot/restore round- trip the shadow in place so any policy still holding the reference sees the post-restore state. - IRGen no longer sets inst.operand_indices on RET; the value flows exclusively through RETURN_PTR + MEMORY/STORE into the slot. RetInst::return_value() is removed (header, impl, generated Python binding, type stub). RET is a pure terminator. - read_return_value is restored to its pre-Phase-8b shape (no has_ret_value parameter, no SSA-operand short-circuit). The slot read is the universal mechanism. P8b.1's symbolic-return invariant still holds — now via the shadow-backed slot read. Phase 8b's global-event fan-out (_fire_global_event_if_applicable and the four call sites in mem_read / mem_write / symbolic_load / symbolic_store) is orthogonal and unchanged. One new test in tests/symex/test_phase8c.py (P8c.1) drives a z3 mem_write and a same-(addr, size) mem_read through two distinct InterceptorPolicy instances sharing the same Path, exercising the cross-step flow that the return slot, ALLOCA/ARG, and ALLOCA/LOCAL all rely on. Gates after re-indexing /tmp/tests.db against the new schema: - tests/symex: 96 passed, 1 skipped (95 baseline + P8c.1; P8b.4 aggregate-return placeholder remains skipped). - tests/InterpretIR: 235 passed. docs/symex-vision.md gains a Phase 8c subsection and an updated Definition of done entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Four loose ends from Phase 8c, none requiring architectural rework: 1. `engine.intercept.symbolic_load` / `symbolic_store` are reachable. Adds SYMBOLIC_LOAD / SYMBOLIC_STORE to EventKind, exposes them through InterceptDispatcher, and refactors the existing region- overlay logic into a chain bottom that analyst handlers compose over via `next_hook`. New `region=` selector matches against `path._region_at_suspension`. 2. Init-time z3 args persist. `engine._init_path` migrates the init-policy's symbolic shadow to the path's durable shadow after `init_state` runs, so `engine.explore(name, args=[z3_var])` works end-to-end through ALLOCA/ARG (P8d.3). 3. P8b.4 un-skipped. Drives `make_large` from `tests/InterpretIR/test_byvalue.c` to exercise the substrate's `read_return_value` sz>8 branch. (Field-value verification is gated on a separate substrate quirk with LOCAL_VALUE allocas through InterceptorPolicy; documented inline.) 4. Per-block-enter event. New `on_enter_block(state, block)` policy callback fires at the top of every `enter_block` in InterpreterLoop.h. ConcretePolicy keeps a no-op default; PythonPolicy fans out to `engine.observe.block_enter` and appends BLOCK_ENTER events to `path.events`. `path.dot_cfg` widens to walk both BRANCH and BLOCK_ENTER events, so branchless functions render real graphs instead of the empty placeholder. Tests: tests/symex/test_phase8d.py (P8d.1, P8d.2, P8d.2b, P8d.3, P8d.4) — 5 added; P8b.4 un-skipped; tests/symex/test_phase4.py P4.6 updated for the new dot_cfg behavior. Final counts: 103 symex passed (was 96+1 skipped), 235 InterpretIR passed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Phase 8d's tightened P8b.4 surfaced that engine.explore("make_large", args=[7]) silently returned a return slot full of zeros — every field store landed at address 0 instead of the local's slot. Three substrate seams were complicit: - value_to_python lowers a Value to a bare PyLong, dropping the ("ptr", N) tag carried by make_literal_ptr. - The ptr_add / ptr_offset C++ fallbacks ran results through that lowering, producing plain ints from pointer arithmetic. - PythonPolicy::extract_address only accepted tuple-tagged pointers, so any plain-int address triggered the symbolic-suspension path, which the default address strategy collapsed to 0. The fix wraps the ptr_add / ptr_offset fallbacks in make_literal_ptr and teaches extract_address to also accept bare PyLongs (a plain int IS a concrete address). After the fix, engine.explore is correctness- equivalent to ConcretePolicy on every function in the corpus that exercises LOCAL_VALUE allocas through GEP_FIELD. P8b.4's "substrate quirk" caveat is removed — the tightened test now asserts [7, 8, 9, 10, 11] field values directly. Three pre-existing tests in tests/InterpretIR/test_symbolic_addresses.py that relied on plain-int suspension were reworked to use an opaque-sentinel policy so they still drive the suspension/resumption loop without exploiting the old bug. Phase 8e Item 2 (float-typed overlay slots): _coerce_store_value now packs Python floats via _struct.pack("<f"|"<d", val) and lifts the IEEE byte pattern into a z3.BitVecVal. A symbolic-overlay float store + load round-trips through the bit pattern. tests/symex: 103 → 109 (+P8e.1, P8e.2[*4], P8e.3); InterpretIR: 235. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Two probe-time fixes for BuildCommandAction. GetCompilerInfo no longer re-adds `-o /dev/null` after stripping the original output flag. Some Apple clang flag combinations error with "cannot specify -o when generating multiple output files" when the redirect is present, and Subprocess::Execute already discards the probe's stdout, so the explicit redirect is redundant. Run() now skips translation units whose command line is preprocess- only (`-E`, `--preprocess`, `-Eonly`). PASTA strips `-E` to force AST construction, which makes such commands fail later with confusing diagnostics about missing types — e.g. APR's `export_vars.c` is fed through `clang -E | sed` to generate an exports list, not as a real TU. Skipping up front avoids the noise. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Multiplier's Python bindings already return the most-derived type; .FROM(...) downcasts are a C++-style smell. Replace them with isinstance(...) checks, factoring an _as(ty, cls) helper in memory_view.py where the pattern repeats and a pair of _func_decl_for / _var_decl_for unwrappers across the InterpretIR test helpers. Cross-entity converters (FunctionDecl -> IRFunction) keep using .FROM since they cross hierarchies rather than downcast within one. Also collapses nested Fragment.IN -> Decl.IN -> FunctionDecl.FROM loops into a direct FunctionDecl.IN(index), and replaces Entity.FROM(idx, eid) with idx.entity(eid). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

`engine.explore_many(start_funcs)` accepts a list of names or IRFunctions (mixed allowed), a compiled regex pattern, or a name predicate, and drives one combined exploration over every matched entry under a shared Layout and a shared `until` predicate. Each Path carries an `entry_func` attribute (the IRFunction the path started in), propagated through forks. `PathSet.by_entry()` groups the result by entry in resolution order so analysts can answer "which entries hit the OOB sink?" in one pass. Entries drive sequentially. The user's `until` sees the cumulative state across entries; a cross-entry guard re-checks before initializing each next entry, so a triggered predicate cleanly skips remaining entries (they leave no zero-step paths behind). Empty resolution raises ValueError to catch typo'd regexes before they vanish into a silent no-op exploration. Sub-block resume granularity, path serialization, and per-entry args mapping remain deferred per the vision doc. tests/symex: 109 -> 116 (P8f.1-P8f.7); InterpretIR: 235. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Forward — intercept.address_for(kind=, name=, eid=) fires when the engine needs an address for a function, global, or thread-local entity. Pre-placement in Layout wins over the hook chain wins over the substrate auto-allocator. Memoized per canonical_eid so repeat references reuse the assigned address. observe.address_resolved provides telemetry with source and handler fields. Reverse — intercept.indirect_call now accepts target_kind="symbolic" and fires on symbolic call targets via a new "call-addr" suspension sub_kind. Returning a list of addresses forks one child per candidate, each with target_expr == candidate_addr asserted. Terminal.UNRESOLVED_CALL terminates paths whose handler returns None. Substrate: AddressKind enum + GlobalInfo.address_hint; function_addresses per-state cache; compute_func_ptr honors FunctionAddressResolver hint; exec_call marks call-target suspensions via mark_next_suspension_as_call_target; MemAddrContinuation.is_call_target flag; all Symbolic* entry points thread func_addr_resolver_obj; _make_global_resolver_with_hints returns 5-tuples; PythonPolicy.address_for_function_impl + mark_next_suspension. Layout gains place_functions, place_globals, next_function_address (0x4000_0000_0000_0000 cursor), tls_offset + tls_base (0x6000 range). Path gains tls_base and _tls_shadow; _fork_child propagates both. Per-path TLS isolation is implemented at the Python level via _tls_shadow (same shape as _symbolic_shadow), verified by P9.7b/c. engine.value_origins side-table ships for Phase 10 lineage walks. _current_path set around each step call so address_for hooks receive a path-aware ctx. tests/symex: 116 -> 131 (P9.1-P9.13 with P9.7b/c); InterpretIR: 235. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Instruments solver.fresh_int to record mint-site metadata into path._origin_by_name (kind, name, size, path_id, step). Adds Path.origin(expr) which DFS-walks a z3 AST to collect origin records for all leaf BitVec variables, deduplicating repeated leaves. Adds Path.origin_tree(expr) for a recursive {"kind":"leaf"/"op"} view. Both propagate through clone() and _fork_child so forked paths retain the full provenance of symbolic inputs minted before the fork. Tests P10.1–P10.10 cover: origin recording, idempotency, single-var and compound-expr aggregation, concrete exprs, unknown variables, tree shape, op nodes, clone propagation with independence, and deduplication. symex 131 → 141 (P10.1–P10.10); InterpretIR 235. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>