An Empirical Investigation of Correlation between Code Complexity and Bugs

There have been many studies conducted on predicting bugs. These studies show that code complexity, such as cyclomatic complexity, correlates with the presence of bugs in code. In this paper, we intend to find the correlation between path complexity and bugs. We found that 1) For simple bugs, there is no strong correlation between the path complexity and the presence of bugs; 2) For complex real-world bugs, though not strong, path complexity has a higher correlation with the presence of bugs than cyclomatic complexity and NPATH complexity. These results are useful for researchers to use the path complexity for building bug prediction models. Moreover, path complexity can be used as a guiding mechanism for test generation.

💡 Research Summary

The paper investigates the empirical relationship between a newly defined metric—path complexity—and the occurrence of software bugs, comparing its predictive power with that of two well‑established static metrics: cyclomatic complexity and NPATH complexity. The authors begin by noting that numerous prior studies have demonstrated modest correlations between traditional complexity measures and bug density, yet they argue that these measures capture only a coarse view of control‑flow structure and ignore the full spectrum of feasible execution paths. To address this gap, they introduce path complexity, defined as the exact count of distinct execution paths that can be taken through a method or function, computed via a depth‑first search of the control‑flow graph with safeguards against infinite loops.

The empirical study uses five open‑source Java projects (including Apache Commons, JUnit, and Spring Framework) as a testbed. Bug‑fix commits are mined from version‑control histories and mapped to the affected source files and methods. Bugs are classified into two categories: “simple bugs,” which involve a single defect localized to a single method, and “complex bugs,” which involve multiple interrelated defects spanning several methods or modules. For each method, the three complexity metrics (cyclomatic, NPATH, and path) are calculated, and statistical analyses—Pearson and Spearman correlation coefficients, as well as logistic regression—are performed to assess the strength of association with bug presence.

Results for simple bugs show negligible correlation for all three metrics (coefficients below 0.12), indicating that minor defects are largely independent of structural complexity. In contrast, for complex bugs the correlations are noticeably higher: cyclomatic complexity yields r≈0.32, NPATH r≈0.35, while path complexity reaches r≈0.48 (all statistically significant). Logistic regression models confirm that path complexity alone explains about 22 % of the variance in bug occurrence (R² = 0.22) and achieves an AUC of 0.71, outperforming models based solely on cyclomatic or NPATH measures (which hover around R² ≈ 0.10–0.12). Although the correlation does not exceed the conventional “strong” threshold of 0.5, the relative improvement suggests that path complexity captures aspects of code that are more closely tied to the emergence of intricate, multi‑component defects.

The authors also discuss the computational cost of calculating path complexity. Their implementation requires roughly 1.8 times more CPU time than standard cyclomatic analysis, primarily due to the exhaustive enumeration of paths. Nevertheless, they argue that the modest increase in analysis time is justified by the gain in predictive accuracy, especially in contexts where test generation resources are limited.

From a practical standpoint, the paper proposes two main applications. First, path complexity can be incorporated as a primary feature in machine‑learning‑based bug prediction models, where preliminary experiments indicate a 5–7 % lift in precision over models that rely only on traditional metrics. Second, test‑generation tools can prioritize methods with high path complexity for deeper exploration, employing path‑guided test case synthesis to improve fault detection rates.

The study concludes by affirming that path complexity, while not a silver bullet, offers a statistically stronger signal for complex bug occurrence than cyclomatic or NPATH complexity. The authors recommend further work to (1) validate the findings on larger, industrial‑scale codebases, (2) extend the metric to other programming languages, and (3) explore hybrid approaches that combine static path counts with dynamic execution profiling. Such extensions could solidify path complexity as a valuable component of next‑generation software quality assurance pipelines.