It may be useful to know whether a given function in a software application may potentially be called. For example, a static analysis (e.g., the secure computing mode, or seccomp utility of Linux) may seek to determine whether specific system calls are invoked by an application. In addition, a need may exist to perform the static analysis without analyzing source code, which may be out of date or unavailable, for example, when executing cloud-based applications, or when analyzing binary blobs. Typically, tools that analyze compiled applications use dynamic tracing, where the application is executed to discover what calls are actually made. However, dynamic tracing may result in an incomplete set of calls since the dynamically observed calls depend on the specific inputs and code paths exercised during a particular execution.