Cottontail is a cutting-edge concolic execution engine powered by large language models (LLMs), designed for highly structured test input generation. Presented at IEEE Symposium on Security and Privacy (S&P) 2026, Cottontail advances the state-of-the-art in automated software testing by integrating expressive program path representation, LLM-driven constraint solving, and history-guided seed acquisition.
(A fun fact: the logo of Cottontail is generated by Google Gemini 😀).
- Expressive Coverage Tree (ECT): A high-level representation of structural program paths to help structure-aware path constraint selection for comprehensive program analysis.
- LLM-Driven Constraint Solver: Smartly solves path constraints to generate syntactically valid and path-constraint satisfiable test inputs.
- History-Guided Seed Acquisition: Efficiently discovers new, highly structured test inputs to maximize coverage, based on the naming convention of the functions.
- Sound Analysis: All test cases from LLM are validated to ensure that the resulting behaviors are sound, consistent with the underlying principles of concolic execution.
Please check the full source code and setup at the cottontail repository.
If you use Cottontail in your research, please cite:
@inproceedings{cottontail-sp26,
author={Tu, Haoxin and Lee, Seongmin and Li, Yuxian and Chen, Peng and Jiang, Lingxiao and Böhme, Marcel},
title={{Cottontail: Large Language Model-Driven Concolic Execution for Highly Structured Test Input Generation}},
booktitle={2026 IEEE Symposium on Security and Privacy (SP)},
ISSN = {2375-1207},
pages = {2064-2082},
year={2026},
doi = {10.1109/SP63933.2026.00110},
url = {https://doi.ieeecomputersociety.org/10.1109/SP63933.2026.00110},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
If you have any questions about the current project or want to collaborate in the future, please file the issues or reach out to haoxintu@gmail.com.