[SystemSafety] MC/DC coverage assumptions

Haim Kuper h3k at 012.net.il
Wed Feb 28 17:07:56 CET 2018


IMHO, 
Derek is correct: The authors have simplified (WRONGLY) the Decision and
MC/DC coverage criteria.

If you read the original DO178C definitions for DC and MC/DC:
Decision coverage - Every point of entry and exit in the program has been
invoked at least once and every decision in the program has taken on all
possible outcomes at least once.
Modified condition/decision coverage - Every point of entry and exit in the
program has been invoked at least once, every condition in a decision in the
program has taken all possible outcomes at least once, every decision in the
program has taken all possible outcomes at least once, and each condition in
a decision has been shown to independently affect that decision's outcome. A
condition is shown to independently affect a decision's outcome by: (1)
varying just that condition while holding fixed all other possible
conditions, or (2) varying just that condition while holding fixed all other
possible conditions that could affect the outcome.

You can simply see that the authors' interpretation covers only 50% of the
coverage BY DEFINITION, which is FULLY WRONG.
You probably can force the coverage-tool to any other easier assumptions,
but this way you miss the whole idea of true coverage.
As usual - the KEEP IT SIMPLE method always wins.

 Regards,
Haim Kuper



-----Original Message-----
From: systemsafety
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
Derek M Jones
Sent: Wednesday, February 28, 2018 4:35 PM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: [SystemSafety] MC/DC coverage assumptions

All,

I was recently reading a paper that compared unit testing of industrial
embedded software with some open source programs.
The comparison included a table of statement, branch and MC/DC coverage,
items in the table included: aerospace software, automotive software and
subway signal software.

The MC/DC coverage numbers were a lot better than the statement and branch
coverage.  This is obviously a mistake, at best they can be as good as.

I emailed the authors, who have been very prompt replying.
The latest reply was a bit surprising.

The algorithm they used for MC/DC assumes that a function containing a
single branch (e.g., an if-statement with no else part) and the test
involves a single condition (i.e., no AND or OR conditions), then 100% MC/DC
coverage is assumed, even if 100% branch coverage is not obtained.

Sounds like a mistake in their algorithm.  However, they claim there is some
amount of existing practice and even call out Testbed as behaving like this
(I don't have a copy to check this out).

Somebody please tell me that this is not an assumption made by commercial
packages when calculating MC/DC coverage.

The authors admit that MC/DC coverage cannot be better than statement and
branch coverage, and admit the current presentation of MC/DC coverage in the
table could be misleading.  They are going to release a version with
corrected data.

-- 
Derek M. Jones           Software analysis
tel: +44 (0)1252 520667  blog:shape-of-code.coding-guidelines.com
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
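
Added example (not from either poster, the paper under discussion, or any coverage tool): a small Python check of the two definitions quoted above, using option (1) for independence, applied to the single-condition case described in the original message. All function names and test vectors are constructed for illustration; conditions are modeled as plain booleans with no short-circuit masking.

```python
from itertools import combinations

def decision_coverage(decision, vectors):
    """Fraction of the two decision outcomes (True/False) seen in the tests."""
    return len({bool(decision(*v)) for v in vectors}) / 2

def independent_conditions(decision, vectors):
    """Indices of conditions shown to independently affect the outcome.

    Uses option (1) of the quoted definition: two executed vectors that
    differ in exactly that one condition and give different outcomes.
    """
    shown = set()
    for u, v in combinations(set(vectors), 2):
        diff = [i for i, (a, b) in enumerate(zip(u, v)) if a != b]
        if len(diff) == 1 and bool(decision(*u)) != bool(decision(*v)):
            shown.add(diff[0])
    return shown

def mcdc_coverage(decision, n_conditions, vectors):
    """Fraction of conditions with a demonstrated independence pair."""
    return len(independent_conditions(decision, vectors)) / n_conditions

# Constructed case 1: `if (x) {...}` with no else, exercised only with x true.
single = lambda x: x
only_true = [(True,)]

# Constructed case 2: `if (a && (b || c))` with a four-vector test set.
compound = lambda a, b, c: a and (b or c)
four_tests = [(True, True, False), (False, True, False),
              (True, False, False), (True, False, True)]

def report():
    return {
        "single_dc": decision_coverage(single, only_true),
        "single_mcdc": mcdc_coverage(single, 1, only_true),
        "single_both_mcdc": mcdc_coverage(single, 1, [(True,), (False,)]),
        "compound_dc": decision_coverage(compound, four_tests),
        "compound_mcdc": mcdc_coverage(compound, 3, four_tests),
        "compound_partial": mcdc_coverage(compound, 3, four_tests[:2]),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.2f}")
```

With only the true outcome exercised, the single-condition decision has no independence pair, so a shortcut that credits it with full MC/DC reports more than the executed tests demonstrate.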