I am new in program analysis area and after reading some materials in this area, I have some questions which I can not find the corresponding answers..
See, if I implement a tool : symbolic execution + concrete execution just like DART
then I think it should cover all the execution path while keeping the dynamic analysis features..
I am told that dynamic analysis can not cover all the execution path, but basically why? I think techniques like DART is quite mature now...
Others, like model checking, theoretically guarantee 100% code coverage...am I right?
Could anyone give me some help? Thank you!
The number of paths through a piece of code is exponential in the number of 'if' statements. For example, if you have a piece of code like this:
if (a) {
// do something
}
if (b) {
// do something
}
...
if (z) {
// do something
}
then there are 67108864 possible code paths, depending on the values of the 26 boolean variables.