Eight top code coverage

questions for DO-178B/C

White Paper
To meet DO-178B/C guidance, testing of airborne software should be supported
with structural code coverage measurements. This paper sets out eight key code
coverage questions for engineers working on embedded avionics systems.
It then introduces RapiCover, which is optimized for on-target structural
coverage analysis. RapiCover helps meet DO-178B/C guidelines, reduces
verification effort and supports engineers working with C, C++ and Ada.

On-target software verification solutions

Contents
1. Introduction 3

2. Eight top code coverage questions 4

2.1 What is code coverage? 4
2.2 Should we do on-target or on-host code coverage? 6
2.3 What are the challenges to on-target code
coverage, and how can we overcome them? 7
2.4 How can I use my code coverage results
to support certification? 8
2.5 What additional benefits come from measuring on-target? 9
2.6 How do I combine results from multiple tests? 9
2.7 How do I deal with missing code coverage? 10
2.8 What should I look for in a code coverage tool? 10

3. Product summary: RapiCover

11
3.1 Reduced timescales by running fewer on-target tests 11
3.2 Reduced risk through greater tool flexibility 12
3.3 Reduced effort for certification activities 13
3.4 Discover what RapiCover can do for you 14

4. About Rapita Systems 15

4.1 RVS 15
4.2 Early Access Program 15

5. Appendix: overview of code coverage criteria 16

5.1 Function Coverage 15
5.2 Call Coverage 15
5.3 Statement coverage 15
5.4 Decision coverage 15
5.5 Modified condition/decision coverage (MC/DC) 15

Eight top code coverage questions | page 2

1. Introduction
Supporting the test process with measurements of
structural code coverage is a key activity for DO-178B/C
compliance during the development of software for
airborne systems. In this white paper we consider eight
key questions:
» What is code coverage and how does
it benefit my project?
» Should we do on-target or on-host
coverage?
» What are the challenges to on-target
code coverage and how can we
overcome them?
» How can I use my code coverage
results to support certification?
» What additional benefits are derived
from measuring on-target?
» How do I combine results from
multiple tests?
» How do I deal with missing code
coverage?
» What should I look for in a code
coverage tool?
After we have addressed these
eight key questions, we introduce
RapiCover, a software tool designed
to efficiently perform structural
Eight top code coverage questions | page 3
Keep up to date
The Rapita Systems blog
addresses topics related
to on-target verification,
including code coverage
and DO-178B/C.
coverage analysis on code running on
www.rapitasystems.
an embedded target. The benefits of
com/blog
using RapiCover to conduct structural
coverage analysis on an embedded
target include:
» Reduced timescales by running
fewer on-target tests. Very lightweight
instrumentation means more
coverage information per test cycle.
» Reduced risk through greater tool
flexibility. Adapt RapiCover to work
with your system, rather than adapting
your system to work with another tool.
Collect coverage information via a
wide variety of mechanisms, making
it easier to integrate RapiCover into
your system.
» Reduced effort for certification
activities. Automatic combination
of results from multiple test runs
and the ability to justify missing
coverage makes the preparation of
coverage quicker.
2. Eight top code coverage questions

2.1 What is code coverage and how does it benefit my project?

Structural coverage analysis is an important verification tool

for establishing the completeness of testing.
DO-178B/C emphasises the use of requirements-based testing as an important part
of the software verification process. In requirements-based testing, the high and low- What to look for in a
level requirements are used to derive source code and the tests for that source code. code coverage tool:

Traceability between the requirements, the test cases and the source code demonstrates:
Can it support all
classes of code
» Every requirement has a test case. than 100%, this points to code that is not coverage? Can it
traceable to requirements, tests or both.
» All source code is traceable to a support different
requirement. Different coverage criteria (see table on variants such as
p.5) allow the degree of rigor in measuring
Measuring code coverage when the masking v. non-
the coverage to reflect the Development
test cases are executed is essential for masking MC/DC?
Assurance Level (DAL) of the system.
this process – where coverage is less

Eight top code coverage questions | page 4


DO-178B/C and
code coverage
RTCA DO-178B/C
(also referred to as
EUROCAE ED-12B)
provides guidance for
specific considerations
for airborne software. It
calls for demonstration
of code coverage to
a level determined
by the criticality of
the application under
consideration. The table
(right) lists a number of
coverage criteria used
to assess software
testing effectiveness.
The coverage criteria are
defined in the Appendix
(p.16).
Where code is well-structured and
derived directly from well-written
requirements and architecture, then a full
set of high- and low-level requirements-
based tests is entirely capable of
meeting many of the existing code
coverage criteria.
Eight top code coverage questions | page 5
Measurement Description Notes
Function coverage Each function has been called at Not required by DO-178B/C
least once
Call coverage Each function has been Not required by DO-178B/C
called at least once, and each
different function call has been
encountered at least once
Statement coverage Each statement in the code has Required for DO-178B/C Level
been encountered at least once A, B, C
Decision coverage Each decision (see box below) Required for DO-178B/C level
in the code has evaluated true at A, B
least once and evaluated false
at least once, and each function
entry and exit point has been
encountered at least once
Condition coverage Each condition (see box below) Not required by DO-178B/C
in the code has evaluated true at
least once and evaluated false at
least once
Modified Condition/ Decision coverage plus Required by DO-178B/C Level A
Decision Coverage each condition has been
shown to independently
affect the outcome of its
enclosing decision
What are conditions and decisions?
A condition is a Boolean expression that contains no Boolean
operators. Examples of conditions are: “true”, “iterations > 5” or
the name of a Boolean variable, such as “MaintenanceMode”. If the
same Boolean expression is repeated several times, each specific
instance is a different condition.
A decision is a combination of at least one condition with zero or more
Boolean operators to create an overall Boolean expression.
To illustrate the differences, consider:
if (A) { // “A” is a condition and a
... // decision
} else if (B && x < 14) { // “B” is a condition,
// “x < 14” is a condition,
// “B && x < 14” is a decision
A = !(x > 14); // “x > 14” is a condition
// “! (x > 14)” is a decision
2.2 Should we do on-target or on-host code coverage?
When developing software for an
embedded application, such as an
avionics system, verification activities can
be performed on-host or on-target.
On-target testing means the application
is tested on the hardware to be deployed
(the target). It may also be referred to as
host-target testing or cross-testing. On-host
testing means testing the application on a
host computer (such as the development
system used to build the application). This
may also be referred to as host-host testing.
2.2.1 On-target testing
The key principle behind testing an
application on-target is that code is
executed in the environment for which it was
designed, rather than in an environment
where it was never intended to be executed.
Test results are typically evaluated and
analysed on a host. This has the following
benefits:
» The “credibility gap”, the possibility that
some unanticipated difference exists
between executing on-host in a harness
and executing on-target, is minimized.
This results in a lower likelihood of
false-negative errors leading to errors
not being detected, and faulty software
being deployed, and of false-positive
reports where time is wasted tracking
down non-existent problems.
» The smaller “credibility gap” also
makes it easier to provide an argument
to certification authorities that testing
achieves an appropriate level of rigor.
» Ability to execute all code. Some parts
of your code might not be possible
to run on host (for example, device
specific code).
Eight top code coverage questions | page 6
2.2.2 On-host testing What to look for in a
code coverage tool:
On-host testing involves compiling
the application code to run on the Can it do on-host and
host processor, rather than the target
on-target testing?
processor. Typically the application also
requires a certain amount of adaptation
to work in the host environment due to
the following considerations:
» Running under a desktop OS rather
than the target’s RTOS may require
different API calls.
» If the embedded application
includes libraries, these may not
be available on the host (or may be
different, for example, in the case of
graphics libraries).
» Alternative interpretations of
ambiguous/undefined programming
language features or compiler bugs
may cause different behaviors
between the host and the target.
» The embedded application may
require access to specific hardware
features that are not available on the
host system.
However, there are benefits that can
arise from on-host testing:
» The target may not be available, or
there may be only limited access to it
when testing needs to take place.
» The “build-deploy-analyze” cycle may
be quicker than on-target testing.
» It is well suited to unit testing – a
test harness can be used to achieve
100% coverage, even when defensive
programming techniques are used.
2.2.3 What to choose?
The choice between on-host and
on-target testing is driven by a trade-
off between cost/convenience and
credibility of results.
In many cases, using a combination of
both techniques offers dual benefits:
2.3 What are the challenges to on-target code
coverage, and how can we overcome them?
One of the biggest challenges to
on-target code coverage is resource
limitations in embedded systems.
The standard approach to measuring
coverage is to instrument source code
to write tags into a memory buffer.
This approach evolved from host-
based testing – it is clear that
many commercially available code
coverage solutions today begin
with a host-based approach and
attempt to transfer it to an embedded
environment. This approach requires
a large RAM buffer to store the data
in, and each instrumentation point
requires a large number of instructions
(increasing execution time and
increasing code size). On a resource-
constrained platform this represents
a difficulty.
The exact nature of resource
constraints varies between systems.
Data areas might be limited or code
size constrained. On other systems
high CPU utilization might limit what
Eight top code coverage questions | page 7
» Unit testing and test case
development on-host gives the
advantages of rapid turnaround;
» System/integration testing on-target
provides the confidence that the code
to be deployed has been tested in its
intended environment.
Sidebar:
could be achieved. A code coverage
solution has to recognize these
limitations can exist, and to provide a
viable route to dealing with them.
There are a number of ways to address
resource constraints:
» Alternative data collection. In many
cases, using an in-memory data
structure to record coverage will
be sufficient. However, when there
is not enough room to store this
data structure, or if the execution
overhead of this approach is too
high, alternative approaches need
to be available. One such approach
involves recording a trace of
instrumentation points via an I/O
port. This avoids the need for a large
area of memory and simultaneously
makes instrumentation overheads
very low, typically 1-2 machine
instructions. Advanced debuggers
(e.g. Nexus or ARM ETM-based
tracing debuggers) can also be
used to collect data.
» Partial instrumentation. Rather
than completely instrumenting an
application, instrument specific parts of
it, perform the tests and combine the
results to provide an overall picture.
» Optimized instrumentation. Measuring
certain types of coverage, for example
MC/DC, can require significant
2.4 How can I use code coverage results to support certification?
If evidence of code coverage is mandatory
for the project, for example because the
customer requires strict adherence to
DO-178B/C guidance, it’s also important
to be able to provide evidence that the
process used to collect the data has
worked correctly.
The evidence must show that the tool
works correctly within the context of the
development environment for which it
is producing results. In the case of DO-
178B/DO-330, the following items are
recommended for tool qualification:
» PSAC (Plan for Software Aspects of
Certification). This references the TQP
and TAS (see below).
» TOR (Tool Operational Requirements).
This describes what the tool does, how
it is used and the environment in which
it performs.
» TAS (Tool Accomplishment Summary).
This is a summary of the data showing
Eight top code coverage questions | page 8
memory overheads. Instrumenting
What to look for in a
an embedded system for coverage code coverage tool:
requires knowledge of how
instrumentation is carried out. Once Can it adapt to
set up, there are opportunities to make different embedded
trade-offs between exactly how the environments?
level of coverage is achieved, and the
Can it cope with
amount of instrumentation required.
low memory
environments? Will
it support partial
instrumentation and
provide the ability to
combine results?
that all requirements in the TOR have
been verified.
» TVR (Tool Verification Records). This
comprises test cases, procedures
and results.
» TQP (Tool Qualification Plan). This
describes the process for qualifying
the tool.
These items combine two main kinds
of evidence:
» Generic evidence. This needs to be
What to look for in a
provided by the tool vendor to define code coverage tool:
the tool operational requirements, and
Is certification
verification evidence to demonstrate
that the tool meets the requirements. evidence available?
Will the tool vendor
» Specific evidence. The tool user
support you in
needs to demonstrate that the
tool works correctly in a specific generating specific
environment. Ideally the tool vendor certification
should provide support to simplify this
evidence?
process as much as possible.
2.5 What additional benefits come from measuring on-target?
When you instrument source code
and run your application on target,
you are opening the door to collecting
other information besides simply code
coverage. For example, if you collect
a trace (i.e. recording the sequence of
instrumentation points that are executed),
it is possible to identify which test cases
execute specific execution paths. Using
the traces, it is possible to step through
the code forwards and backwards.
If a trace also records the specific time
2.6 How do I combine results from multiple tests?
Your approach to testing may rely
upon combining coverage results from
a variety of different tests. This could
occur because:
» Your strategy includes upon a
combination of on-target and on-
host testing.
» You need multiple test cases
reflecting different system modes.
Eight top code coverage questions | page 9
at which instrumentation points are
What to look for in a
executed, it is possible to determine code coverage tool:
timing information. For example,
RapiTime uses such information Can it exploit the
to provide a wide range of timing effort that you’ve put
measurements that can be used for: in to integrate it with
» execution time measurement; your target to provide
additional
» worst-case execution time (WCET)
calculation; information?
» performance optimization.
» Possibly system constraints force you to
What to look for in a
instrument one only part of your system code coverage tool:
at a time (consider the advice in Section
2.3 to mitigate this issue). Can it combine
coverage data from
It may be necessary to perform the coverage
analysis for each of these tests individually,
multiple test
and to manually merge the results. scenarios into a
single report?
A better approach is to use a tool that
supports the combination of multiple
results into a single report.
2.7 How do I deal with missing code coverage?

In some situations, there may be In such a situation, it is useful for

What to look for in a
legitimate reasons for not achieving any code coverage report to provide code coverage tool:
100% code coverage. the ability to justify uncovered code.
Summary reports could then show Is it possible to justify
For example, it might not be possible to
executed code, justified (but unexecuted why some code is not
construct test cases to execute defensive
code) and unjustified code. The executed, and to
programming constructs. In this case,
objective should be for all code to be
alternative forms of verification of this code report the proportion
either justified or executed.
could be agreed upon as acceptable. of executed code,
justified code and
neither executed nor
justified code?

2.8 What to look for in a code coverage tool

Summarizing the above, which » combine coverage reports from

represents knowledge collected from different tests;
our work with avionics software teams
» support justifications for code that
in the aerospace industry, we see that a
has not been executed.
code coverage tool should:

» support all classes of code coverage,

including the specific interpretations
used by your project;

» be capable of supporting on-host and

on-target testing;

» be suitable for different embedded

environments, including low memory
environments;

» support partial instrumentation;

» have certification evidence available;

» be able to collect other classes of

information;

Eight top code coverage questions | page 10

3. Product Summary: RapiCover
RapiCover is
a structural
coverage analysis
tool designed
specifically
to work with
embedded targets.

RapiCover is designed to
deliver three key benefits:

» Reduced timescales by
running fewer on-target
tests.

» Reduced risk through

greater tool flexibility.

» Reduced effort for

certification activities.
RapiCover screen shot

3.1 Reduced timescales by running fewer on-target tests

Running system and integration tests

What should I look for in a code coverage tool? RapiCover
can be time-consuming and runs the
risk of introducing schedule delays, Support all classes of code coverage ✔
especially if the availability of test rigs Including both masking and unique case MC/DC ✔
is limited. If instrumentation overheads
for code coverage are large, and
Support on-host and on-target testing ✔
system resources are limited, obtaining Suitable for low memory embedded environments ✔
coverage can only be achieved through
Support partial instrumentation ✔
multiple test builds. This increases
testing time, especially if additional time Have certification evidence available ✔
on test rigs needs to be negotiated. Ability to collect other classes of information ✔
RapiCover is designed specifically Combine multiple coverage reports ✔
for use in resource-constrained,
Justify non-executed code ✔
embedded applications. Because

Eight top code coverage questions | page 11

there is considerable variation between
embedded systems, both in their
requirements and their underlying
technology, RapiCover provides a
range of highly-optimized solutions for
the instrumentation code it generates.
This flexibility allows you to make the
best use of the resources available on
your platform.
This results in best-in-class
instrumentation overheads for an
on-target code coverage tool, and
consequently fewer test builds.
3.2 Reduced risk through greater tool flexibility
Rather than adapting your system to
work with another tool, you can adapt
how RapiCover works with your system.
RapiCover also helps this flexibility
by working with a wide variety of data
capture mechanisms.
An early design objective for RapiCover
was to make it easy to deploy into any
RapiCover Coverage
data set
Simulator
HOST
Figure 1: Data collection alternatives for RapiCover
Eight top code coverage questions | page 12
About instrumentation
Performing structural code analysis requires some way of identifying
which parts of the code have been executed. One of the most widely-
used approaches for this is source-code instrumentation. In this
approach, instrumentation code is inserted into the source code during
the build process. The instrumentation code is used to signal that
a specific function, line, condition or decision (depending upon the
coverage type required) has been executed. Done in a naïve way, this
can negatively impact the executable code in two ways:
» Too many instrumentation points. Adding more instrumentation points
than necessary doesn’t improve the information generated, but does
result in greater memory requirements and longer execution times.
» High overhead for each instrumentation point. If the implementation of
an instrumentation point is inefficient, this has a multiplicative effect on
the overheads of the system.
development environment, whether
they be highly customized, extremely
complex or legacy systems.
The two key factors to consider in a
deployment of a coverage tool are:
build system integration and coverage
data collection.
Embedded Target
RTBx
Logic
Analyser I/O port
Debugger Nexus/ETM
CPU
buffer
Network
(e.g.)
RAM
Ethernet
» Build System Integration.
RapiCover is designed to work with
any combination of compiler (C, C++
or Ada), processor and real-time
operating system (RTOS). Its use of
command-line tools and the ability
to choose between two alternative
strategies for integrating RapiCover
into pre-existing build systems
ensures a seamless integration.
» Coverage Data Collection
RapiCover is designed with the
flexibility to handle data from a
wide variety of possible sources.
This flexibility means that when
creating an integration with a specific
target, you can select the most
convenient collection mechanism,
including legacy approaches such
as CodeTEST probes. Figure 1
shows alternative data collection
approaches.
3.3 Reduced effort for certification activities
Automatic combination of results from
multiple test runs and the ability to
justify missing coverage makes the
preparation of coverage Software
Verification Results quicker.
A major driver for the use of code
coverage is the need to meet DO-178B/C
objectives. In addition to providing
options for achieving DO-178B/DO-330
tool qualification, RapiCover also aims
to make the process of gathering and
presenting code coverage results easier.
This is achieved in the following ways:
» Multiple format report export.
RapiCover provides you with the ability
to browse coverage data using our
eclipse-based viewer and to export the
Eight top code coverage questions | page 13
To enable a rapid, high-impact integration
into your development environment Rapita
Systems provide the option of a target-
integration service. In this service, Rapita
Systems’ engineers will work with your
team to establish an optimal integration
into your development environment. This
integration will be consistent with Rapita
Systems’ DO-178B/C tool qualification
process, ensuring that tool qualification
runs smoothly.
A RapiCover integration is based
upon the RVS (Rapita Verification Suite)
core toolflow. This makes it easy to
extend the integration to support other
RVS components such as RapiTime
(measurement-based worst-case
execution time analysis), RapiTask
(visualization of scheduling behavior)
or newer developments based upon
Rapita Systems’ Early Access Program
(see Section 4).
same information into CSV, text, XML or
aligned with source code.
» Combination of reports from
multiple sources. Coverage data
is often generated at multiple phases
of the test program, for example: unit
test, integration test and system test.
RapiCover supports the consolidation
of this data into a single report.
» Justification of missing coverage.
Where legitimate reasons exist that
specific parts of the code cannot be
executed, RapiCover provides an
automated way of justifying this. The
summary report shows code that is
executed, code that is justified and code
that is neither executed nor justified.
 Text export of summary report

To facilitate your use of RapiCover enables you to generate evidence

within a DO-178B/C project, we provide that RapiCover works correctly on
several options for tool qualification: your own system.

» Qualification Data. This gives you » Qualification Service. Engineers

access to documents necessary
to support tool qualification of
RapiCover.
» Qualification Kit. In addition to the
qualification data, this provides test
code and supporting framework that
from Rapita Systems work with
you to apply the RapiCover tests
to your system and to develop the
necessary qualification arguments
for your certification case.

3.4 Discover What RapiCover can do for you

» Contact us to find out more about RapiCover:

» E: [email protected]

» Request a trial version to experience RapiCover for yourself:

http://www.rapitasystems.com/trial
» To keep informed about RapiCover developments (and to receive other technical articles
in the area of on-target verification), sign up for our monthly RapiTimes newsletter:
http://www.rapitasystems.com/rapita/mailing_list

Eight top code coverage questions | page 14

4. About Rapita Systems
RVS
Founded in 2004, Rapita Systems develops on-target
embedded software verification solutions for customers
around the world in the avionics and automotive electronics
industries. Our tools help to reduce the cost of measuring,
optimizing and verifying the timing performance and test
effectiveness of their critical real-time embedded systems. Early Access
Program examples

4.1 RVS 4.2 Early Access Examples of

RVS (Rapita Verification Suite) provides Program technologies available

in Rapita Systems’
a framework for on-target verification
We participate in many collaborative Early Access Program
for embedded, real-time software. It
research programs, with a large variety of include:
provides accurate and useful results
organizations. This results in our development
» ED4i. Automatic
by observing software running on its
of a wide range of advanced technologies in
generation of diverse
actual target hardware. By providing
various pre-production stages.
code for reliability.
targeted services alongside RVS, Rapita
Systems provides a complete solution Rapita Systems’ customers have found » RapiCheck.
to customers working in the aerospace access to this technology has been Constraint checking
and automotive industries. very useful. of code running on

Working with us in our Early Access an embedded target.

RVS helps you to verify:
» Software timing performance (RapiTime);
» Structural code coverage (RapiCover);
» Scheduling behavior (RapiTask);
» Other properties (via Rapita Systems’
“Early Access Program”).
Program gives you the ability to use
» Data dependency
our pre-production technology for your
tool. Supports
specific needs. Access to this technology
the conversion of
is normally provided through defined
sequential code for
engineering services and gives you the
multicore targets.
opportunity to influence the development
of the technology into a product.

Eight top code coverage questions | page 15

5. Appendix: overview of
code coverage criteria
5.1 Function Coverage
Of the coverage levels discussed here, The example below contains three
function coverage is the easiest to functions: main, activity_a and
achieve. It demonstrates whether each activity_b:
function was called in some way during
Function coverage of this program
your tests. This level of coverage is a
demonstrates:
reasonable indicator that the tests have
exercised a representative subset of the » the program started;
entire functionality of your system, without
» the for-loop executed at least once;
guaranteeing that every line of code has
been executed during testing. Function » at least one of the two switch-
coverage can reveal problems with dead statement cases shown was taken.
code (which is an issue for DO-178B/C) or
Function coverage does not, however,
incomplete requirements-based testing.
reveal:
It can be difficult to achieve full function
» whether both of the two switch-
coverage when working with generic
statement cases shown were taken;
or configurable components that may
contain more functionality than that used » whether activity_a ever returned
by the specific application. When this from within its own loop;
happens, however, it is relatively easy to
» whether activity_b ran any
review the function behaviour and option
iterations of its loop.
selections to justify any omissions in
function coverage.
activity.c
void activity_a(void) {
...
main.c while (x > 0) {
void main(void) { if (y < 0) {
... return;
for (i = 0; i < N; i++) { }
switch (msg[i]) { ...
case 0: }
activity_a(); ...
activity_b(); return;
break; }
case 1:
activity_b(); void activity_b(void) {
activity_a(); ...
break; while (x > 0) {
} ...
} }
} return
}

Eight top code coverage questions | page 16

5.2 Call Coverage

Call coverage represents a slight The two approaches are equivalent if

increase in complexity over function each caller can only call one program Support for call-pair
coverage.
coverage. The term “call coverage” can unit, that is if no caller uses function
actually be used to refer to two slightly pointers, dynamic dispatching or any When function pointers

different types of coverage: similar method. are used, detecting

» Call-pair coverage. A call pair is
the combination of a statement in one
program unit (typically procedure,
function or method) calling to another
program unit (the callee). Call-pair
coverage shows which of these pairs
are exercised by a given set of tests.
» Call site coverage. A call site is the
point in the program text from which
which call sites are
It is important to locate particular responsible for calling
statements rather than performing the specific functions is
analysis at the level of entire program difficult when using an
units, because there could be multiple “array of booleans”. A
calls made to a particular unit from side effect of collecting a
another particular unit. The following trace of instrumentation
figure shows an example of program points is that call pair
structure and identified call pairs: coverage between
function pointers and

the call is made. Call site coverage functions can easily be

shows whether all such points have detected.

been exercised.

main.c activity.c
void main(void) { void activity_a(void) {
void (*fp_act)(void); ...
... while (x > 0) {
for (i = 0; i < MSG_SIZE; i++) { if (y < 0) {
switch (msg[i]) { return;
case 0: }
activity_a(); ...
activity_b(); }
break; ...
case 1: return;
activity_b(); }
(*fp_act)();
break; void activity_b(void) {
} ...
} while (x > 0) {
KEY } ...
call site }
call pairs return
}

Eight top code coverage questions | page 17

5.3 Statement coverage

To achieve statement coverage, it is activity.c

necessary for each statement in the void activity_a(void) {
source code to have been executed ...
while (x > 0) {
by at least one test in the test suite. If a if (y < 0) {
particular statement cannot be covered, return;
}
it is important to identify why. This may ...
reveal dead code, for example, or it }
...
may be code that cannot be traced to a return;
requirement or architectural structure. }

Statement coverage is particularly useful void activity_b(void) {

...
when dealing with loops and returns. }
Consider our example code again:

Statement coverage reveals the answers

to questions such as:
» Did every branch of the switch-
statement get executed at least once?
» Did each while-loop run at least once?
In particular, for this program,
statement coverage could determine
whether testing was sufficient to
show that the first return statement in
activity_a was executed.

» Did the code within each if-statement

run at least once?

Eight top code coverage questions | page 18

5.4 Decision coverage

Decision coverage criteria assess the

ability of a set of tests to adequately 1 int sin_a_1000 ( int v )

2 {
exercise the routes through the logic of
3 int Interpolate_Index = 0;
a program. They are derived solely from
4 while ( Sin_Graph[Interpolate_Index+1].x != Sin_Graph_Sentinel )
the structure of the code.
5 {

The code example contains two decisions. 6 int x1 = Sin_Graph[Interpolate_Index].x;

The first governs the while-loop at line four, 7 int y1 = Sin_Graph[Interpolate_Index].y;

and the second is the expression for the 8 int x2 = Sin_Graph[Interpolate_Index+1].x;

9 int y2 = Sin_Graph[Interpolate_Index+1].y;
if-statement at line eleven.
10
For decision coverage, the typical 11 if ( v >= x1 && v < x2 )
criterion is that execution has reached 12 {

every point of entry and exit in the code, 13 return (y1 + (v - x1) * (y2 - y1) / (x2 - x1));

and that for each decision in the source 14 }

code that decision has resulted in each 15 Interpolate_Index++;

possible outcome (true, false) at least 16 }

17 return Sin_Graph_Default;
once. For the example code, this would
18 }
mean:

» entry into function sin_a_1000

reaches line 4;
» function sin_a_1000 has exited on
line 13 at least once;
» function sin_a_1000 has exited on
line 17 at least once;
» the expression governing the while-
loop was true at least once, meaning
that there was at least one non-
sentinel entry in Sin_Graph and the
loop body was executed;
» the expression governing the if-
statement was true at least once,
meaning that the lookup value was
located within one of the interpolation
regions for at least one test;
» the expression governing the if-
statement was false at least once,
meaning that there is at least one run
for which the lookup value was not in
every region of Sin_Graph.

» the expression governing the while-

loop was false at least once, meaning
that a sentinel entry was found in
Sin_Graph and execution skipped to
the bottom of the loop;

Eight top code coverage questions | page 19

5.5 Modified condition/decision coverage (MC/DC)
Modified condition/decision coverage
(MC/DC) extends decision coverage.
Instead of just examining the outcome
of each decision, the coverage check
also shows that for each condition in
the source code, that condition has
resulted in each possible outcome (true,
false) at least once, and also that each
condition in a decision has been
shown to independently affect that
decision’s outcome.
The additional checks for MC/DC for the
example program show:
» The value of v>=x1 has been true at
least once.
» The value of v>=x1 has been false
at least once. In the below report, we
see that this is not the case.
Rapita Systems Inc.
41131 Vincenti Ct.
Novi, MI 48375
Email: [email protected] | Website: www.rapitasystems.com
Document ID: MC-WP-002 Eight top code coverage questions v4LR
» The value of v<x2 has been true at
least once.
» The value of v<x2 has been false at
least once.
» The value of v>=x1 independently
affected the outcome of the whole
expression, meaning that it has taken
values of true and false while the
value of v<x2 was true.
» The value of v<x2 independently
affected the outcome of the whole
expression, meaning that it has taken
values of true and false while the
value of v>=x2 was true.
Tel (USA): Rapita Systems Ltd. Tel (UK/International):
+1 248-957-9801 Atlas House, Osbaldwick Link Road +44 (0)1904 413945
York , YO10 3JB
Registered in England & Wales: 5011090