This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.Find sources: "Dynamic program analysis" – news · newspapers · books · scholar · JSTOR (February 2009) (Learn how and when to remove this template message)

Dynamic program analysis is analysis of computer software that involves executing the program in question (as opposed to static program analysis, which does not). Dynamic program analysis includes familiar techniques from software engineering such as unit testing, debugging, and measuring code coverage, but also includes lesser-known techniques like program slicing and invariant inference. Dynamic program analysis is widely applied in security in the form of runtime memory error detection, fuzzing, dynamic symbolic execution, and taint tracking.

For dynamic program analysis to be effective, the target program must be executed with sufficient test inputs[1] to cover almost all possible outputs. Use of software testing measures such as code coverage helps increase the chance that an adequate slice of the program's set of possible behaviors has been observed.[why?] Also, care must be taken to minimize the effect that instrumentation has on the execution (including temporal properties) of the target program.[why?][needs context] Dynamic analysis is in contrast to static program analysis. Unit tests, integration tests, system tests and acceptance tests use dynamic testing.[2]

Types of dynamic analysis

Code coverage

Computing the code coverage according to a test suite or a workload is a standard dynamic analysis technique.

Dynamic testing

Main article: Dynamic testing

Dynamic testing involves executing a program on a set of test cases.

Memory error detection


Main article: Fuzzing

Fuzzing is a testing technique that involves executing a program on a wide variety of inputs; often these inputs are randomly generated (at least in part). Gray-box fuzzers use code coverage to guide input generation.

Dynamic symbolic execution

Main article: Concolic testing

Dynamic symbolic execution (also known as DSE or concolic execution) involves executing a test program on a concrete input, collecting the path constraints associated with the execution, and using a constraint solver (generally, an SMT solver) to generate new inputs that would cause the program to take a different control-flow path, thus increasing code coverage of the test suite.[3] DSE can considered a type of fuzzing ("white-box" fuzzing).

Dynamic data-flow analysis

Dynamic data-flow analysis tracks the flow of information from sources to sinks. Forms of dynamic data-flow analysis include dynamic taint analysis and even dynamic symbolic execution.[4][5]

Invariant inference

Daikon is an implementation of dynamic invariant detection. Daikon runs a program, observes the values that the program computes, and then reports properties that were true over the observed executions, and thus likely true over all executions.

Security analysis

Dynamic analysis can be used to detect security problems.

Concurrency errors

Program slicing

Main article: Program slicing

For a given subset of a program’s behavior, program slicing consists of reducing the program to the minimum form that still produces the selected behavior. The reduced program is called a “slice” and is a faithful representation of the original program within the domain of the specified behavior subset. Generally, finding a slice is an unsolvable problem, but by specifying the target behavior subset by the values of a set of variables, it is possible to obtain approximate slices using a data-flow algorithm. These slices are usually used by developers during debugging to locate the source of errors.

Performance analysis

Most performance analysis tools use dynamic program analysis techniques.[citation needed]


Most dynamic analysis techniques are based on some kind of code instrumentation or transformation.

See also


  1. ^ Khatiwada, Saket; Tushev, Miroslav; Mahmoud, Anas (2018-01-01). "Just enough semantics: An information theoretic approach for IR-based software bug localization". Information and Software Technology. 93: 45–57. doi:10.1016/j.infsof.2017.08.012.
  2. ^ Myers, G. J. (1979). The Art of Software Testing. John Wiley and Sons.
  3. ^ Chen, Ting; Zhang, Xiao-song; Guo, Shi-ze; Li, Hong-yuan; Wu, Yue (2013-09-01). "State of the art: Dynamic symbolic execution for automated test generation". Future Generation Computer Systems. Including Special sections: Cyber-enabled Distributed Computing for Ubiquitous Cloud and Network Services & Cloud Computing and Scientific Applications — Big Data, Scalable Analytics, and Beyond. 29 (7): 1758–1773. doi:10.1016/j.future.2012.02.006. ISSN 0167-739X.
  4. ^ Chen, Ju; Han, Wookhyun; Yin, Mingjun; Zeng, Haochen; Song, Chengyu; Lee, Byoungyoung; Yin, Heng; Shin, Insik (2022). {SYMSAN}: Time and Space Efficient Concolic Execution via Dynamic Data-flow Analysis. pp. 2531–2548. ISBN 978-1-939133-31-1.
  5. ^ Chang, Walter; Streiff, Brandon; Lin, Calvin (2008-10-27). "Efficient and extensible security enforcement using dynamic data flow analysis". Proceedings of the 15th ACM conference on Computer and communications security. CCS '08. New York, NY, USA: Association for Computing Machinery. pp. 39–50. doi:10.1145/1455770.1455778. ISBN 978-1-59593-810-7. S2CID 6888893.