This talk will show how to use constraint-based execution to automatically generate inputs that (ideally) cover all feasible program paths in real code. This ability can be used to automatically generate test cases, prove functional equivalence, or generate "inputs of death" that form the basis of security exploits.
I will discuss how to make the approach work with real code and then focus on several novel tricks, including ways to counter exponential path blowup and a simple twist on constraint execution that lets us take an arbitrary piece of code, rip it out of its surrounding environment and, without setup, run it and get a clean stream of errors out.
I will also discuss some of the sharper tradeoffs between using this dynamic approach and static analysis for bug finding, drawing on seven years' experience with the latter.