Coverage Classes
Coverage classes are the set of all meaningfully distinct execution paths through a smart contract, enumerated by analyzing branching conditions. Each coverage class represents a unique combination of branches taken during execution.
In Depth
In the context of smart contract auditing, coverage classes provide a systematic way to decompose code into reviewable units. By treating each branching condition (if statements, require checks, ternary operators) as a binary variable, you can enumerate all possible paths through a function. After deduplication — removing infeasible combinations and collapsing paths that cover the same code — you get a finite set of meaningfully distinct execution paths. These are extended with semantic classes (truncation boundaries, overflow boundaries, reentrancy points) to capture bug-relevant behavior that pure path coverage misses. Formal methods like symbolic execution can extract coverage classes automatically from source code, enabling systematic and reproducible code review.
Frequently Asked Questions
What are coverage classes in smart contract security?
Coverage classes are the enumerated set of all meaningfully distinct execution paths through a smart contract. They are derived by analyzing every branching condition in the code and identifying which unique combinations of branches lead to different code being executed. This allows auditors to systematically review every path rather than relying on intuition.
How are coverage classes different from code coverage?
Code coverage measures what percentage of lines or branches were hit during testing. Coverage classes go further: they enumerate every possible path and categorize them by type — non-reverting paths (normal execution), assertion-breaking paths (bugs), and revert paths (defensive checks). This gives auditors a complete map of the code rather than just a percentage.
What are semantic classes and how do they relate to coverage classes?
Semantic classes extend coverage classes with dimensions that capture specific bug categories. For example, a division operation creates a truncation boundary — the code behaves differently when the result truncates versus divides evenly. Similarly, external calls create reentrancy boundaries. These semantic dimensions split coverage classes into finer-grained units that are more useful for finding real vulnerabilities.