0

I am new in program analysis area and after reading some materials in this area, I have some questions which I can not find the corresponding answers..

See, if I implement a tool : symbolic execution + concrete execution just like DART

then I think it should cover all the execution path while keeping the dynamic analysis features..

I am told that dynamic analysis can not cover all the execution path, but basically why? I think techniques like DART is quite mature now...

Others, like model checking, theoretically guarantee 100% code coverage...am I right?

Could anyone give me some help? Thank you!

lllllllllllll
  • 8,519
  • 9
  • 45
  • 80

1 Answers1

1

The number of paths through a piece of code is exponential in the number of 'if' statements. For example, if you have a piece of code like this:

if (a) {
  // do something
}
if (b) {
  // do something
}
...
if (z) {
  // do something
}

then there are 67108864 possible code paths, depending on the values of the 26 boolean variables.

Abednego
  • 452
  • 3
  • 4
  • 1
    67 million paths isn't a strong enough reason. The exponential is the reason. However, the exponential result comes from the assumption that the paths are independent. In practice they are not. Some conditions prevent others from occuring; so the real question is the number of *feasible* paths, not independent paths. Research I have seen from the 90s suggest big programs may have millions of feasible paths, and that could be processed. What we aren't good at is enumerating feasible paths. And yes, this still can get far out of hand. – Ira Baxter Feb 27 '14 at 15:42