- Research Article
- Open Access
Towards Preserving Model Coverage and Structural Code Coverage
- Raimund Kirner1Email author
https://doi.org/10.1155/2009/127945
© Raimund Kirner. 2009
- Received: 12 August 2008
- Accepted: 21 February 2009
- Published: 23 June 2009
Abstract
Embedded systems are often used in safety-critical environments. Thus, thorough testing of them is mandatory. To achieve a required structural code-coverage criteria it is beneficial to derive the test data at a higher program-representation level than machine code. Higher program-representation levels include, beside the source-code level, languages of domain-specific modeling environments with automatic code generation. For a testing framework with automatic generation of test data this will enable high retargetability of the framework. In this article we address the challenge of ensuring that the structural code coverage achieved at a higher program representation level is preserved during the code generations and code transformations down to machine code. We define the formal properties that have to be fullfilled by a code transformation to guarantee preservation of structural code coverage. Based on these properties we discuss how to preserve code coverage achieved at source-code level. Additionally, we discuss how structural code coverage at model level could be preserved. The results presented in this article are aimed toward the integration of support for preserving structural code coverage into compilers and code generators.
Keywords
- Basic Block
- Test Vector
- Original Program
- Predicate Symbol
- Code Coverage
1. Introduction
Testing is a mandatory process to assess the correct behavior of safety-critical systems. Even the increasing use of formal verification cannot make testing obsolete, as there is always a gap between the formal model and the real system with all the issues of integration.
The use of formal (=executable) models increasingly pervades the software engineering process. Formal models are used as part of the specification, as high-level software descriptions with automatic code generation, or as a tool for formal verification and model-based testing [1].
When generating test data it is beneficial to operate at the same representation level where the software is developed, which may be at the source-code level or at a domain-specific modeling environment like ezRealtime [2], MATLAB/Simulink [3, 4], Statemate [5], or Scade [6]. The advantage of test-data generation at this high-level program representation is on the one side reduced complexity and availability of explicit knowledge of the program behavior that might get lost during code generation and compilation. On the other side, a test-data generator operating on such a high-level program representation could be easily retargeted to different platforms. Beside conventional testing, the support for retargetability is also of high interest for hybrid timing analysis, that is, an approach to determine the timing behavior of a program based on the combination of execution-time measurements and program analyses [7, 8].
Structural code-coverage criteria are metrics to analyze and quantify the control-flow coverage that is achieved for a given set of test data. Using a model-based or source-based test-data generator raises the challenge of ensuring that adequate structural code-coverage has been achieved at machine-code level [9]. Code generators and compilers perform many transformations on the program or model given as input. Some of these code transformations can compromise structural code-coverage by copying, reordering, or moving conditions inside the program or even creating new conditions and decisions. For example, optimizations like loop unrolling, loop inversion, reverse if-conversion, and condition reordering [10] can disrupt full structural code-coverage. In general, full structural code-coverage cannot be guaranteed in this case without taking the burden of analyzing the machine code.
We propose an approach toward the preservation of structural code coverage when transforming the program. To achieve this, we introduce in Section 3 a notation to formally define structural code-coverage criteria. In Section 4 we present coverage preservation criteria for the different variants of structural code coverage. As described in Section 5, these criteria can help to extend a compiler with the ability of preserving coverage achieved at source level. The code coverage is preserved by prohibiting all code transformations that can disrupt the concrete structural code coverage metric. If full coverage preservation is not strictly required, the compiler may be used in a special mode where all available code transformations are allowed but a warning is emitted if structural code coverage may be compromised by an applied code optimization. Issues of preserving model coverage by code generators are discussed in Section 6.
2. Related Work
Structural coverage criteria are used as a supplementary criterion to monitor the progress of testing [11]. The DO178b document introduces the modified condition-decision coverage (MCDC) as a supplementary criterion for testing systems of safety-criticality level A [12]. Vilkomir proposes solutions to overcome some weaknesses of MCDC [13]. Vilkomir and Bowen have formally modeled structural code-coverage criteria using the Z notation [14]. The formalization we present in this article is basically equivalent, with the difference that we also support hidden-control flow [15], which is necessary to model code coverage for languages like ANSI C or ADA. Further, our notation is more compact, which has shown to be helpful for developing coverage-preservation criteria.
Model-based development aims to use high-level system representations within the system engineering process. For example, the Object Management Group proposes the Model-Driven Architecture, which explicitly differentiates between platform-independent and platform-specific models [16]. Models can be used to automatically generate source code. Another model-based approach is model-based testing where abstract models are used to guide the generation of test data [1, 17]. Using models to verify the correctness of the system requires evidence of the model's correctness [18].
Directly related to our work is the relationship of achieved model coverage and the resulting code coverage. Baresel et al. analyzed this relationship empirically, finding some correlation between the degree of model coverage and the resulting degree of code coverage [19]. Rajan et al. have shown for MCDC that the correlation of the degree of model coverage and the degree of code coverage depends on the code generation patterns [20]. To test safety-critical systems we want to do better than relying on accidental coverage correlations.
Elbaum et al. empirically studied the preservation of code coverage for software evolution with different change levels. They concluded that even relatively small modifications in the software may impact the coverage in a way that is hard to predict [21]. Their results also motivate our work for the preservation of code coverage.
A method complementary to our approach is described by Harman et al. Testability transformation results in a transformed program to be used by a test-data generator to improve its ability of generating test data for the original program [22].
3. Basic Definitions
In this section we give a list of basic definitions. These definitions are used to describe properties of structural code coverage and to preserve structural code coverage.
Program
. Denotes the program before (
) and after (
) the transformations for which we want to preserve structural code coverage.
Control-Flow Graph (CFG). Is used to model the control flow of a program [23]. A CFG
consists of a set of nodes
representing basic blocks (see below), a set of edges
representing the control flow (also called control-flow edges), a unique entry node
, and a unique end node
.
Program Scope of A Program
. Is a fragment of
with well-defined interfaces for entry and exit. We denote the set of program scopes in a program
as
. The concrete partitioning of a program into scopes is application-specific. For example, in [24] a program partitioning is used that allows to trade the number of required test data against the number of instrumentation points. Another feature of scopes is that nested scopes can be used to hide details. This feature allows to reduce the program complexity of the surrounding scope.
Scoped Path. Of a program scope
is a sequence of control-flow edges from an entry point of the scope to an exit point of the scope. In case of nested program scopes, the whole inner program scope is a single block in the paths of the outer program scope. A scoped path of a program scope
is uniquely represented by its starting basic block and the necessary TRUE/FALSE evaluation result of all conditions along the scoped path. We denote the set of scoped paths in a program scope
as
. The paths within a program
, that is, the scoped paths where the program scope subsumes the whole program, is denoted as
.
Basic Block. Of a program
is a code sequence of maximal length with a single entry point at the beginning and with the only allowed occurrence of a control-flow statement at its end. We denote the set of basic blocks in a program
as
. The set of all basic blocks along a scoped path
is denoted as
. Note that in cases of program paths with cycles,
will contain multiple instances of the basic blocks in the program code. If a scoped path goes through a nested program scope, all the basic blocks from the nested program scope are hidden for this path. The starting basic block of a scoped path
is denoted as
.
Decision. Is a Boolean expression composed of conditions that are combined by Boolean operators. If a condition occurs more than once in the decision, each occurrence is a distinct condition [25]. However, the input of a decision is the set of its conditions without duplicates. A decision is composed of one or more basic blocks. We denote the set of decisions of a program
as
.
There are source languages, where decisions are hidden by an implicit control flow. For example, in ANSI C due to the short-circuit evaluation the following statement a = (b && c); contains the decision (b && c). The short-circuit evaluation of ANSI C states that the second argument of the operators && and
is not evaluated if the result of the operator is already determined by the first argument. See Section 5.4 for further details. The correct identification of hidden control flow is important, for example, to analyze decision coverage.
Condition. Is a Boolean expression. We consider only lowest-level conditions, that is, conditions that do not contain operators with Boolean arguments [25]. A condition is composed of one or more basic blocks. We denote the set of conditions of a decision
as
. The set of all conditions within a program
is denoted as
.
The set of all conditions that directly control edges along a scoped path
is denoted as
. Note that in cases of program paths with cycles,
will contain multiple instances of the conditions in the program code. If a scoped path goes through a nested program scope, all the conditions from the nested program scope are hidden for this path. To follow a certain path, it is also important whether a condition evaluates to TRUE/FALSE. Whether a condition has to be evaluated as TRUE or as FALSE is given by the syntactical structure of a program. For a given scoped path
we denote by
all the conditions that have to be evaluated as TRUE and by
all the conditions that have to be evaluated as FALSE to follow
. It holds that
and
.
Input Data
. Defines the set of all possible valuations of the input variables of a program. (Valuation of a variable means the assignment of concrete values to it. The valuation of an expression means the assignment of concrete values to all variables within the expression.)
Test Data
. Defines the set of valuations of the input variables that have been generated with structural code coverage analysis done at source-code level. Since exhaustive testing is intractable in practice,
is assumed as a true subset of the program's input data space
:
. If we would consider exhaustive testing (
) there would be no challenge of structural code-coverage preservation.
Reachability Valuation
Defines the set of valuations of the input variables that trigger the execution of expression
, where
can be a condition, decision, or a basic block.
,
Defines the sets of valuations of the input variables that trigger the execution of the condition/decision
with a certain result of
:
is the input-dataset, where
refers to TRUE and
is the set, where
refers to FALSE. The following properties always hold for
,
:
Consider the following example of C code to get an intuition about the meaning of the satisfiability valuations:
void f (int a,b)
if (a==3 && b==2)
return 1;
return 0;
.
due to the hidden control flow caused by the short-circuit evaluation of ANSI C; see Section 5.4). It follows that
(b==2). With
the conditions a==3 and b==2 are both executed and evaluated to TRUE. Further, it holds that
The definition of
,
, and
depends on whether the programming language has hidden control flow (see Section 5.4). Above definitions allow to formally describe structural code coverage criteria. We will also use them to describe requirements to preserve structural code coverage.
3.1. Structural Code-Coverage Criteria
Structural code-coverage criteria are metrics to analyze and quantify the control-flow coverage that is achieved for a given set of test data. Execution traces are used to collect the coverage information. In general, the satisfaction of a structural code-coverage criterion is not the primary test-case generation strategy in functional testing. Instead, structural code-coverage achieved during testing is analyzed as a supplementary measure to decide whether the implemented functionality has been sufficiently tested and does not contain any unintended functionality. However, there are also rare testing scenarios where the satisfaction of a certain code-coverage is the primary directive for test-data generation. For example, in measurement-based timing analysis an estimation of the worst-case execution time (WCET) is derived by systematic measurements [24].
In the following we review the properties of several structural code-coverage criteria.
Line Coverage. Is not a serious code coverage criterion, as without strict coding guidelines there is an ambiguous mapping from source lines to statements. In the extreme case one could write the whole program within one source line. Historically, line coverage was used as an easy hack when tools for analyzing statement coverage were missing. Thus, we do not discuss preservation of line coverage in this work.
is executed at least once. Statement coverage alone is quite weak for functional testing [26] and should best be considered as a minimal requirement. Using our above definitions, we can formally define SC as follows:
Note that the boundary recognition of basic blocks
can be tricky due to hidden control-flow. A statement in a high level language like ANSI C can consist of more than one basi cblock. For example, the ANSI C statement f=(a==3 && b==2); consists of multiple basic blocks due to the short-circuit evaluation order of ANSI C expressions.
has been tested at least once with each possible outcome. Decision coverage is also known as branch coverage or edge coverage. Decision coverage implies statement coverage:
Note that our definition requires in case of short-circuit operators that each condition is really executed. This is achieved by the semantics of
. However, often definitions are used that do not explicitly consider short-circuit operators (e.g., [27]), thus having in case of short-circuit operators only a "virtual" coverage since they do not guarantee that the short-circuit condition is really executed for the evaluation to TRUE as well as for the evaluation to FALSE.
Condition/Decision Coverage (CDC). Requires that both, condition coverage and decision coverage are achieved.
conditions in a decision,
test cases are required to achieve MCDC. Note that MCDC implies DC and CC. A formal definition of MCDC is given in (9) based on the set of input test data
. It requires that for each condition
of a decision
there exists two test vectors such that the predicate symbol
holds, which ensures that the two test vectors show different outcomes for
as well as
but the same outcomes for all other conditions within
. This is exactly how MCDC is described above
tests whether one of the test data
,
is a member of the input dataset
and the other one a member of the input data set
. If this predicate symbol is TRUE it is guaranteed that the expression
evaluates to both, TRUE and FALSE:
tests whether the input-data set
provides a constant outcome for the evaluation of
. Actually, the predicate symbol
is used to test whether there exists a test-data subset
for a given condition, such that the results of all other conditions remain unchanged. Thus, this predicate symbol is used to ensure that each condition can independently control the output of the decision:
The above definition of MCDC is the original definition given in the RTCA/DO178b document [12]. However, this definition is rather strict, so that people thought of some less restrictive definitions. For example, it is not possible with the original definition to cover a decision with strongly coupled conditions. (Two conditions
are strongly coupled, iff they have the same input data partitioning for their satisfiability valuation, i.e.,
.) As described in [25], there exist at least three definitions of MCDC:
(i)Unique-Cause MCDC: this is the original definition given in [12].
(ii)Unique-Cause + Masking MCDC: this definition of MCDC is less restrictive as it requires in case of strongly coupled conditions to test only that one of them covers the decision (masking) [15].
(iii)Masking MCDC: this is less restrictive than the two above, as it does not require the Unique-Cause. A condition is masked if its value cannot influence the outcome of a decision due to the overruling values of other conditions. For Masking MCDC it is sufficient to show that each condition can affect the outcome of the decision without being masked. However, Masking MCDC is not required to test whether conditions do independently cover the decision. It focuses more on testing the correct implementation of subexpressions within a Boolean expression.
According to Chilenski the metric Masking MCDC should be the preferred form of MCDC as it provides the same error detection probability but allows for more different test sets and thus the generation of test data more is cost-effective [25].
Within this article we focus on the original definition of MCDC. Extending above formal definition of MCDC to Unique-Cause + Masking MCDC or Masking MCDC is straight-forward. One has to exchange the predicate
by another predicate that formalizes the semantics of the alternative MCDC criterion.
Multiple Condition Coverage (MCC). Requires besides DC and CC that each possible combination of outcomes of the conditions of each decision is executed at least once. MCC demands a rather high number of test cases: to achieve full MCC of a decision with
conditions
tests are necessary. MCC is desired in theory, but MCC tends to be infeasible for industrial code, because there are too many conditions per decision [27]. Thus, in this work we do not address MCC.
Path Coverage (PC). Requires that each path of a program
has been tested at least once. Since the number of paths within a program typically grows exponentially with the program size (PC is even stronger than MCC), we do not address PC.
Scoped Path Coverage (SPC). Is a coverage metric recently introduced by the authors. We use this type of code coverage for measurement-based timing analysis [7]. In this article we formalize this coverage metric to reason about necessary properties of a compilation profile for preserving SPC. The basic idea of SPC is to partition the program
into program scopes and cover all possible paths within each program scope. Actually, PC is just the special case of using SPC in combination with only one program scope covering the whole program
.
The appropriate partitioning of a program into program scopes depends on the concrete testing goal. For example, in case of our research on measurement-based timing analysis [7] we use the partitioning of the program into scopes to achieve a compromise between precision of measurement results (the larger the segments the more precise) and number of necessary measurements.
Note, that the condition "
" of (13) ensures that in the pathological case of having a program scope that is completely free of conditions, coverage of the only single path in the program scope is guaranteed.
Whether SPC is feasible in practice, depends on the program complexity itself and also on the application-specific partitioning of a program into program scopes.
and && influence the control flow of the program due to the short-circuit evaluation in ANSI C. This small example is meant to support the definition of different variants of coverage metric. It is not meant to show the relative costs of the different variants of structural coverage metric.Example: Sufficient test vectors per coverage metric.
Test vector | ANSI C expression | Coverage criterion | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
A | B | C | if(A || (B && C) | SC | DC | CC | MCDC | MCC | PC | SPC |
F | F | F | F |
| ||||||
F | F | T | F |
|
|
|
|
| ||
F | T | F | F |
|
|
|
|
|
| |
F | T | T | T |
|
|
|
|
| ||
T | F | F | T |
|
|
|
|
|
|
|
T | F | T | T |
| ||||||
T | T | F | T |
| ||||||
T | T | T | T |
| ||||||
The condition coverage (CC) needs a relative high number of test vectors. This is because of test vectors that enforce the entering of a program decision do not necessarily enforce the execution of a specific condition within the decision. Multiple condition coverage (MCC) has a relative high cost for testing a single decision. However, when looking at the whole program, then path coverage (PC) is typically much more complex, and depending on the definition of program scopes, scoped path coverage (SPC) requires significantly less test vectors than PC.
4. Preservation of Structural Code Coverage
that this code coverage is preserved while the program
is transformed into another program
. This scenario is shown in Figure 1. Of course if a program will be transformed, also the sets of basic blocks
, the set of program decisions
, or program scopes
may get changed. As shown in Figure 1, the interesting question is whether a concrete code transformation preserves the structural code coverage of interest.
Coverage-preserving program transformation.
When transforming a program, we are interested in the program properties that must be maintained by the code transformation such that a structural code coverage of the original program by the test-data set
is preserved to the transformed program. Based on these properties one can adjust a source-to-source transformer or a compiler to use only those optimizations that preserve the intended structural code coverage.
then this coverage is also fulfilled at the transformed program with the same test data:
The code coverage preservation can be applied on any type of code transformation, for example, on a source-to-source transformer or a compiler.
Determination of a coverage profile.
Application of a coverage profile.
Safe Mode
In this mode the coverage-preserving compiler will apply only those code optimizations that preserve the given code coverage metric. With this operation mode we assure coverage preservation at the cost of a potential degradation of performance.
Full-Optimization Mode
In this mode the coverage-preserving compiler will apply all code transformations but it will emit a warning whenever a code transformation has been used that does not ensure the preservation of the given coverage metrics. The warning message should be as specific as possible to support the user in determining additional test data to regain code coverage for the optimized code.
The determination of the coverage profile for a given code transformation and the realization of a coverage-preserving compiler are not the focus of this article. Within this article we present the foundation for such a coverage preservation framework and discuss issues that challenge its applicability.
In the following we present coverage preservation criteria for several variants of structural code-coverage metrics. The important aspect is that these preservation criteria are independent of the concrete test data
that achieve the structural code coverage at the original program.
4.1. Preserving Statement Coverage (SC)
Equation (15) of Theorem 4.1 provides a coverage preservation criterion for statement coverage. Equation (15) essentially says that for each basic block
of the transformed program there exists a basic block
of the original program such that reaching
with a given test vector implies that also
is reached with the same test vector.
Theorem 4.1 (Preservation of SC).
achieves statement coverage on a given program
, then (15) provides a sufficient—and without further knowledge about the program and the test data (there is now knowledge about the test data or the program assumed), also necessary—criterion for guaranteeing preservation of statement coverage on a transformed program
.
Proof.
Preservation of SC: Part 1, showing sufficiency: Since
is assumed to achieve SC on
, it holds for each
that
. Since (15) states that
it follows that for each
we also have
. Thus, SC is preserved at
.
Part 2, showing necessity by indirect proof: Assuming there exists a basic block
of
such that for all basic blocks
of
it holds that
, then each
contains at least one input that is not in
. If
consists of exactly those inputs, then
is never reached although SC holds in
, which implies that SC is not preserved.
4.2. Preserving Condition Coverage (CC)
To define a coverage preservation criterion for CC (Theorem 4.2) we use the auxiliary predicate
given in (16).
is only TRUE if the set of input data
includes at least the true-satisfiability valuation
or the false-satisfiability valuation
of expression
, where
is either a condition or a decision. The predicate
is used for the coverage preservation criterion of CC (and also DC) to test whether the evaluation of any expression
of the original program to both, TRUE and FALSE, implies that the test data include at least one element of
, needed for the coverage of an expression in the transformed program
Equation (17) states that for each condition
of the transformed program there exists at least one condition of the original program whose coverage implies that
evaluates to TRUE and there exists at least one condition of the original program whose coverage implies that
evaluates to FALSE.
Theorem 4.2 (Preservation of CC).
achieves condition coverage on a given program
, then (17) provides a sufficient—and without further knowledge about the program and the test data, also necessary—criterion for guaranteeing preservation of condition coverage on a transformed program
:
Proof.
is assumed to achieve CC on
, it holds for each
that
and
. Since (17) states that for each
it holds that
we also have
Thus, CC is preserved at
.
Part 2, showing necessity by indirect proof: Assuming there exists a condition
of program
such that for all conditions
of program
it either holds that
(a)
(b)
then it is possible that
(a)
:
(b)
:
which in both cases violates the preservation of CC.
Simplification of the CC Preservation Criteria
is kept equal or simply is inverted. This would result in the simpler criterion given in (20)
Working with the simple constraint of (20) may be sufficient in practice when analyzing the effect of concrete code transformations, since many transformations do not modify the conditions within a decision, but only their grouping into decisions. The simplified criterion is sufficient to allow only such code transformations that do not introduce new conditions with new unique satisfiability by the test data. Further, some transformations just invert a condition, which can be checked also with this simplified criterion.
4.3. Preserving Decision Coverage (DC)
To define a coverage preservation criterion for DC (Theorem 4.3) we use the auxiliary predicate
given in (16), which is also used for preserving CC.
Equation (21) of Theorem 4.3 provides a coverage preservation criterion for decision coverage. Equation (21) essentially says that for each decision
of the transformed program there exists at least one decision of the original program whose coverage implies that
evaluates to TRUE and there exists at least one decision of the original program whose coverage implies that
evaluates to FALSE.
Theorem 4.3 (Preservation of DC).
achieves decision coverage on a given program
, then (21) provides a sufficient—and without further knowledge about the program and the test data, also necessary—criterion for guaranteeing preservation of decision coverage on a transformed program
Proof.
Preservation of DC: Part 1, showing sufficiency: since
is assumed to achieve DC on
, it holds for each
that
and
. Since (21) states that for each
(1)
(2)
it follows that for each
we also have
and
. Thus, DC is preserved at
.
Part 2, showing necessity by indirect proof: assuming there exists a decision
such that for all conditions
it either holds that
(a)
(b)
then it is possible that
(a)
or
(b)
which in both cases violates the preservation of DC.
Guaranteeing Decision Coverage
Guaranteeing the preservation of a structural code coverage criterion that depends on the coverage of decisions of a program is challenging, since there are many ways to re-group conditions into hierarchies of decisions without changing the program semantics.
The criterion given in (21) imposes quite strong restrictions on the performed code transformations, since it requires that for each decision
there is an adequate decision
of the original program such that decision coverage is preserved. For example, consider the following code transformation:
if (a==3)
if (a==3 && b==2)
if (b==2)
c();
c();
inlined style
noninlined style
Such a transformation is quite typical when source-code is transformed into assembly code. Actually, the only decision in the original code is (a==3 && b==2). Having decision coverage on the original code, there are numerous code transformations possible that do not preserve decision coverage.
The new criterion requires a different, but not stronger, structural code coverage at the original code to guarantee decision coverage at the transformed code. This criterion is typically more flexible when generating assembly code (which typically does not have control-flow statements with complex decisions). Further, in case that condition decision coverage (CDC) is fulfilled at the original program, one may chose between the criteria of (21) and (22) to guarantee decision coverage at the transformed program.
4.4. Preserving MCDC
Preserving MCDC coverage on a transformed program is especially challenging, since the code transformation may produce arbitrary groupings of conditions into decisions. Especially the requirement that each condition can independently influence the outcome of its conditions, is rather complex to check.
As the MCDC coverage preservation criterion is rather complex, we derive them in two steps. First, we describe a rather naive criterion that is relatively ease to understand. This criterion is sufficient but not necessary (too strict). Second, we describe a "realistic" (more detailed) criterion that is sufficient and necessary.
A Naive Coverage Preservation Criterion
is used in the same way as the real criterion: it is used to express that only input data that fulfill MCDC at the original program have to be considered for coverage preservation
This naive criterion is not necessary since it requires the coverage preservation of the conditions in the transformed program
by a single condition from the original program
.
Another drawback of this naive criterion is that it is based on a concrete set of test data
that are used to achieve MCDC at the original program. To ensure coverage preservation in general, it would be necessary to ensure that the criterion holds for all possible sets of test data
that achieve MCDC at the original program, which tends to be intractable in practice.
A Realistic Coverage Preservation Criterion
given in (24). The predicate
is similar to the predicate symbol
, with the difference that it performs the control check on all members of two sets of input data. The predicate
is used for the coverage preservation of MCDC to test whether the condition
of the original program refers to TRUE for one input data set
or
and refers to FALSE for the other. Besides
, also the predicate
(10) is used to describe the preservation criterion for MCDC coverage
The criterion given in equ_preserve_mcdc states that for each condition
of a decision
of the transformed program there exist two sets of input data
and
whose members achieve the
criterion needed for MCDC coverage. Further, there has to be a condition of the original program such that the
is a subset of either the true-satisfiability valuation or the false-satisfiability valuation (tested with the predicate
).
the same requirement as
.
Theorem 4.4 (Preservation of MCDC).
achieves MCDC coverage on a given program
, then (25) provides a sufficient—and without further knowledge about the program and the test data, also necessary—criterion for guaranteeing preservation of MCDC coverage on a transformed program
Proof.
is assumed to achieve MCDC on
, it holds for each
and for each
that there exist at least two test vectors
such that
. Since
as defined in (10) for each condition is the formal definition of MCDC it directly follows that
is a sufficient criterion to ensure that MCDC is preserved at program
.
with a condition
such that for all input-data subsets
it either holds that
condition coverage is not fulfilled; this case is already excluded by assumption of having MCDC coverage at
)
; this case is already excluded by assumption of having MCDC coverage at
)
(the test data
do not provide MCDC coverage at the transformed program
) which in each case violates the preservation of MCDC: Case (a) and (b) violate the preservation of MCDC since they are in contradiction with the requirement that MCDC is achieved at the original program. Case (c) states that there exists a condition in the transformed program for which there are no test data to achieve unique cause coverage, which is required for MCDC.
4.5. Preserving Scoped Path Coverage (SPC)
To define a coverage preservation criterion for SPC (Theorem 4.5) we use the auxiliary predicate
given in (31).
is only TRUE if there is at least one condition from the set of conditions
whose true-satisfiability valuation is a subset of the input data
or there is at least one condition from the set of conditions
whose false-satisfiability valuation is a subset of the input data
. The predicate
is used for the coverage preservation criterion of SPC to test whether for a condition in the transformed program with true/false-satisfiability valuation
there exist two conditions in the original program whose true/false coverage are a subset of
As stated in Theorem 4.5, (32) provides a coverage preservation criterion for SPC. Equation (32) says that for each scoped path
of the transformed program there exists a scoped path
such that the reachability of the first basic block of
implies the reachability of the first basic block of
. Further, Equation (32) states that for each condition
of
that has to be evaluated to TRUE, there exists a condition
of a scoped path in the original program that will imply the True evaluation of
(by predicate
). Finally, Equation (32) states that for each condition
of
that has to be evaluated to FALSE, there exists a condition
of a scoped path in the original program that will imply the FALSE evaluation of
(by predicate
).
Theorem 4.5 (Preservation of SPC).
achieves scoped path coverage on a given program
, then (32) provides a sufficient—and without further knowledge about the program and the test data, also necessary—criterion for guaranteeing preservation of scoped path coverage on a transformed program
Proof.
is assumed to achieve SPC on
, it holds for each
and each
with
that there exists test data
with
Thus, SPC is preserved at
.
such that for all scoped program paths
it either holds that
is not executed with the given test data
)
that has to be evaluated to True evaluates to False for all test vectors of
)
(one of the conditions of a scoped program path of the transformed program
that has to be evaluated to False evaluates to True for all test vectors of
) which in each case violates the preservation of SPC.
5. Application of Coverage Preservation
In Section 4 we present some formal criteria that must be fulfilled to preserve a given structural code coverage criterion. In this section we discuss how to apply these coverage-preservation criteria to permit only those code transformations that preserve structural code coverage.
There are only two types of code transformations that can disrupt the preservation of structural code coverage:
(i)transformations that change the reachability of statements or conditions. For example, reordering the conditions within a decision can change the reachability of conditions and thus also statements.
(ii)transformations that add new conditional control-flow paths into the program. For example, branch optimization can introduce new conditional branches.
In the following we provide examples of how to determine with help of the introduced formalism whether a code transformation disrupts structural code coverage.
We use a small sample code and show how a concrete code transformation changes the code. We use a compact scheme to address elements of the code samples. For example,
denotes the statement at source line 1. If there are multiple statements at the source line, we identify them by an additional index letter, for example,
,
, and so forth. Similarly,
and
address the decisions and conditions at source line
. Based on this notation we use our formalism to describe by a graph the coverage relations between different program elements.
denotes that the coverage of type
at element
implies the coverage of type
at element
. The possible coverage types are "R" (reaching), "T" (true-evaluation) and "F" (false-evaluation). A dotted line between elements from the original and the transformed code denotes that the two elements have the same coverage. A dotted arrow from an element of the original code to an element of the transformed code denotes that a coverage of the original node by the concrete test data implies also the coverage of the element in the transformed code. Structural code coverage is achieved, if all elements of the transformed code have a connection to an element of the original code. Elements of the transformed graph, for which coverage is not preserved, are marked by a surrounding box.
5.1. Transformations That Change Reachability
Example: condition reordering.
is surrounded by a box, which means that this coverage is not preserved during optimization. This means that the second condition at line 1 of the transformed program (a > 5) is not guaranteed to be evaluated to FALSE.
Coverage preservation of condition reordering.
The coverage-relation graph in Figure 5 contains coverage types for statements, conditions, and decisions. From this graph we can conclude which structural code-coverage criteria are preserved by condition reordering. For example, missing the coverage of
but not of
implies that SC is still preserved. Also DC is preserved. However, coverage criteria that are based on the coverage of conditions are not guaranteed to be preserved. For example, preservation of CC or MCDC is not guaranteed. For simplicity, we do not discuss preservation of SPC, because analyzing SPC preservation would make it necessary to unroll the program to make the different scoped program paths explicit.
5.2. Transformations That Add New Paths
Example: loop inversion.
Coverage preservation of loop inversion.
5.3. Transformations That Preserve Coverage
Example: loop reversal.
Coverage Preservation of Loop Reversal.
As a general pattern, if for each relevant expression of the transformed program there is a line or arrow to that expression originating from any expression of the same type in the original program, then the code coverage is preserved.
5.4. Modeling Hidden Control Flow
Some programming languages include statements that provide hidden control flow. For example, the logical operators && and
of ANSI C/C++ have a short-circuit evaluation semantics, which in fact already is conditional control flow. The short-circuit evaluation of ANSI C/C++ states that the second argument of the operators && and
is not evaluated if the final result of the operator is already determined by the first argument.
For example, lets look at the following code:
if (a && (b ∣ ∣ c)
Above code might be translated into the following assembly code, which demonstrates how the short-circuit evaluation of ANSI C/C++ works:
if (!a) goto
skip;
if (
b) goto
process;
if (!c) goto
skip;
process:
skip:
If we do not explicitly address the hidden control-flow with the coverage preservation framework, we risk to loose full structural code-coverage as soon as the program is transformed into a new program with explicit control flow instead of the hidden, implicit control-flow.
5.5. Towards Automatic Calculation of Coverage Profiles
In this section we have demonstrated that the formalism provided in this article is helpful for determining the coverage profile of a code transformation. However, in Section 4 we argue that the calculation of the coverage profile could be done automatically, given the formal coverage preservation criterion and a formal description of the code transformation.
The code transformations can be formalized in an axiomatic semantics [28, 29], that is, by providing preconditions, postconditions, and invariants of the code transformation. Even model checking can be used to analyze code transformations [30]. There exist specific frameworks to model code transformations, for example OPTIMIX [31]. Such frameworks seem to be well-suited as a starting point for future research on automating the calculation the coverage profile of a code transformation.
6. Challenges for Preservation of Model Coverage
The structural code-coverage criteria presented in Section 3.1 are typically applied to source code or machine code. They have been developed already before model-based development became an issue. However, these structural code-coverage criteria are also getting started to be applied to implementation models of modeling environments like MATLAB/Simulink/Stateflow [3, 4] from Mathworks, Statemate [5] from Telelogic, or Scade [6] from Esterel Technologies. An implementation model in general is a program implementation in a domain-specific modeling language for which automatic code generation is used to generate the source-level implementation. In this section we discuss some important differences for identifying the structural code-coverage at source-code level and implementation-model level:
(i)The modeling language may use a different implementation style (e.g., data flow instead of control flow).
- (iii)
Code generation may be parametrizable (i.e., model semantics and implementation depends on the code generation settings).
(iv)Many modeling environments are under continuous development. Thus, the semantics of language constructs may change over time. Further, modeling languages are rarely standardized, often each tool provider has its own modeling language.
Though it brings in further challenges, structural code-coverage is also used for such modeling languages [19, 20]. One can still identify the control-decisions in such models, though above arguments illustrate why this can be tricky.
With the use of a structural code-coverage metric on modeling languages one can also directly use the coverage preservation criteria we presented in Section 4. To demonstrate how to do this, we examine some elements of the MATLAB/Simulink modeling environment. The main conclusions from the given examples may also apply to other modeling languages. We also discuss potential problems that lead to further research in that area.
The identified potential problems do not only apply to implementation models with automatic code generation but also to manual coding.
6.1. A Simple Example
Simulink model switch.
Implementation of switch element.
The code shows a single decision with one condition inside. In this concrete example it is valid to define the scope of decision coverage (or MCDC) as the single MATLAB/Simulink element. The generated source code for this element contains the whole decision, thus generating test data for decision coverage (or MCDC) based on the hidden control-flow of the Switch element results in a full decision coverage (or MCDC) at source code level.
Coverage criteria that are not based on the decisions, are easier to preserve, since coverage of conditions or basic blocks can be directly derived from the coverage of a single Matlab/Simulink element. Thus, structural code coverage like SC, CC, or SPC can be directly preserved based on the hidden control-flow.
In the following we show that it is not always that easy to apply decision-based structural code-coverage criteria like DC or MCDC to the Matlab/Simulink language and to ensure their preservation.
6.2. Identifying Code Structures in Models
In Section 6.1 we have seen how to use the implicit control flow of a data-flow element to apply a structural code-coverage metric. Given that a code generator creates explicit control flow, for example, as C code, there is the question whether it is valid to analyze Matlab/Simulink elements in isolation because the code generator can combine the logic of several data-flow elements into a single C statement. Looking only at the Matlab/Simulink elements without considering that the concrete behavior of the code generator, does not allow, for example, to identify the set of conditions that will be grouped into a single decision.
Simulink model expr_or_and.
expr = (In2 && In3); /
decision 1
/
Out1 = (In2 && In3); /
decision 2
/
The decisions in this code example are the assignments of a logical expression to a program variable. This is just a compact form instead of using an if/then construct. Now lets look at the inlined implementation variant of this model, which is generated by default by the code generator Real-Time Workshop of Matlab 6.5.1 and Simulink 5.1. In the inlined implementation variant we get a single decision:
Out1 = (In1
(In2 && In3);
Actually, achieving structural code coverage on the non-inlined implementation variant requires in general a smaller number of test data. For example, Rajan et al. have shown that full MCDC coverage at the non-inlined implementation variant yielded only about 13.6% MCDC coverage at the inlined implementation variant [20].
Without the knowledge about the behavior of the code generator it is not possible to formulate a preservation criterion for decision coverage (DC) or MCDC coverage that is both, sufficient and necessary independently of the exploited implementation variant. Maybe more surprisingly, this problem also arises for condition coverage (CC) because given that
= (In2 && In3), the chosen implementation variant in this concrete example influences the set
(where the condition
is reached with an evaluation to True). The problem also arises for statement coverage (SC) because inlining reduces the reachability valuation of (In2 && In3).
6.3. The Complexity of Model Coverage
In Section 6.2 we raised the question of how much model elements have to be considered together to identify the scopes of structural code-coverage criteria. Now we argue that this scoping problem can also arise within a single element due to the rather complex code that may be generated for a Matlab/Simulink element.
Simulink model lookup table.
Implementation of the lookup table using binary search.
BINARYSEARCH_real_T_Near_iL.
Without plotting the implementations for the other look-up policies, one can see that the Look-Up Table element results in rather complex control flow.
To conclude, specifying structural code-coverage criteria at the model-level that are both, sufficient and necessary, is not possible without knowledge about the behavior of the code generator.
7. Summary and Conclusion
Structural code-coverage criteria are a useful supplementary criterion to monitor the progress of testing. There are several application scenarios where the test data have been obtained at a different program representation as where the test data are executed: when using model-based testing, when the software has evolved over time, or the test-data generation is done on higher program representations to achieve easy retargetability of the test-data generation. In all such cases there is the question of whether the structural code coverage achieved at the original program representation is also fulfilled at the transformed program representation.
Within this article we analyzed the problem of preserving structural code coverage when transforming the program model or program code. We introduced a notation for formalizing structural code-coverage. This notations is convenient to also express test-data independent criteria for preserving the code coverage. These criteria may be used to prove whether a given program transformation does always preserve the structural code coverage of interest. Further, the presented preservation criteria are naturally applied on source-to-source program transformations or on optimizing program compilation. And they may be also applied on model coverage, for which we identified some additional challenges.
Future work is to develop automatic proofs to decide whether a program transformation preserves structural code coverage. In our current analysis we focused on preservation of full coverage. It is also interesting to look on preservation of partial structural code coverage.
Declarations
Acknowledgments
We would like to thank Susanne Kandl and the anonymous reviewers for valuable comments on earlier versions of this article. The research leading to these results has received funding from the Austrian Science Fund (Fonds zur Förderung der wissenschaftlichen Forschung) within the research project "Sustaining Entire Code-Coverage on Code Optimization" (SECCO) under contract P20944-N13.
Authors’ Affiliations
References
- Broy M, Jonsson B, Katoen J-P, Leucker M, Pretschner A (Eds): Model-Based Testing of Reactive Systems: Advanced Lectures, Lecture Notes in Computer Science. Volume 3472. Springer, Berlin, Germany; 2005.Google Scholar
- Cruz F, Barreto R, Cordeiro L, Maciel P: ezRealtime: a domain-specific modeling tool for embedded hard real-time software synthesis. Proceedings of the Conference on Design, Automation and Test in Europe (DATE '08), March 2008, Munich, Germany 1510-1515.View ArticleGoogle Scholar
- The MathWorks Inc : Using MATLAB Version 6. The Mathworks, Natick, Mass, USA; 2002.Google Scholar
- The MathWorks Inc : Using Simulink Version 5. The Mathworks, Natick, Mass, USA; 2002.Google Scholar
- Harel D, Lachover H, Naamad A, et al.: STATEMATE: a working environment for the development of complex reactive systems. IEEE Transactions on Software Engineering 1990,16(4):403-414. 10.1109/32.54292View ArticleGoogle Scholar
- Dormoy F-X: Scade 6: a model based solution for safety critical software development. Proceedings of the 4th European Congress on Embedded Real Time Software (ERTS '08), January-February 2008, Toulouse, France 1-9.Google Scholar
- Wenzel I, Kirner R, Rieder B, Puschner P: Measurement-based timing analysis. Proceedings of the 3rd International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, October 2008, Porto Sani, Greece 1-15.Google Scholar
- Kirner R, Puschner P, Wenzel I: Measurement-based worst-case execution time analysis using automatic test-data generation. Proceedings of the 4th International Workshop on Worst-Case Execution Time Analysis, June 2004, Catania, Italy 67-70.Google Scholar
- Kirner R: SCCP/x: a compilation profile to support testing and verification of optimized code. Proceedings of the International Conference on Compilers, Architecture, and Synthesis for Embedded Systems (CASES '07), September-October 2007, Salzburg, Austria 38-42.Google Scholar
- Muchnick SS: Advanced Compiler Design & Implementation. Morgan Kaufmann, San Fransisco, Calif, USA; 1997.Google Scholar
- Whalen M, Rajan A, Heimdahl M, Miller S: Coverage metrics for requirements-based testing. Proceedings of the International Symposium on Software Testing and Analysis (ISSTA '06), July 2006, Portland, Me, USA 25-36.Google Scholar
- Software considerations in airborne systems and equipment certification RTCA/DO-178B, 1992Google Scholar
- Vilkomir SA, Bowen JP: From MC/DC to RC/DC: formalization and analysis of control-flow testing criteria. Formal Aspects of Computing 2006,18(1):42-62. 10.1007/s00165-005-0084-7MATHView ArticleGoogle Scholar
- Vilkomir SA, Bowen JP: Formalization of software testing criteria using the Z notation. Proceedings of the 25th Annual International Computer Software and Applications Conference (COMPSAC '01), October 2001, Honolulu, Hawaii, USA 351-356.Google Scholar
- Chilenski JJ, Miller SP: Applicability of modified condition/decision coverage to software testing. Software Engineering Journal 1994,9(5):193-200. 10.1049/sej.1994.0025View ArticleGoogle Scholar
- Object Management Group : MDA Guide Version 1.0.1. document no. omg/2003-06-01, June 2003Google Scholar
- Heimdahl MPE, Whalen M, Rajan A, Miller SP: Testing strategies for model-based development. National Aeronautics and Space Administration, Hampton, Va, USA; April 2006.Google Scholar
- Rajan A, Whalen M, Heimdahl M: Model validation using automatically generated requirements-based tests. Proceedings of the 10th IEEE High Assurance Systems Engineering Symposium (HASE '07), November 2007, Dallas, Tex, USA 95-104.View ArticleGoogle Scholar
- Baresel A, Conrad M, Sadeghipour S, Wegener J: The interplay between model coverage and code coverage. Proceedings of the 11th European International Conference on Software Testing, Analysis and Review (EuroSTAR '03), December 2003, Amsterdam, The Netherlands Google Scholar
- Rajan A, Whalen M, Heimdahl M: The effect of program and model structure on MC/DC test adequacy coverage. Proceedings of the 30th International Conference on Software Engineering, May 2008, Leipzig, Germany 161-170.Google Scholar
- Elbaum S, Gable D, Rothermel G: The impact of software evolution on code coverage information. Proceedings of the IEEE International Conference on Software Maintenance (ICSM '01), November 2001, Florence, Italy 170-179.Google Scholar
- Harman M, Hu L, Hierons R, et al.: Testability transformation. IEEE Transactions on Software Engineering 2004,30(1):3-16. 10.1109/TSE.2004.1265732View ArticleGoogle Scholar
- Aho AV, Sethi R, Ullman JD: Compilers, Principles, Techniques, and Tools. Addison-Wesley, Reading, Mass, USA; 1997.Google Scholar
- Wenzel I, Rieder B, Kirner R, Puschner P: Automatic timing model generation by CFG partitioning and model checking. In Proceedings of the Conference on Design, Automation and Test in Europe (DATE '05), March 2005, Munich, Germany. Volume 1. IEEE; 606-611.Google Scholar
- Chilenski JJ: An investigation of three forms of the modified condition decision coverage (MCDC) criterion. Boeing Commercial Airplane Group, Seattle, Wash, USA; April 2001.Google Scholar
- Myers GJ: The Art of Software Testing. John Wiley & Sons, New York, NY, USA; 1979.Google Scholar
- Hayhurst KJ, Veerhusen DS, Chilenski JJ, Rierson LK: A practical tutorial on modified condition/decision coverage. National Aeronautics and Space Administration, Hampton, Va, USA; May 2001.Google Scholar
- Floyd R: Assigning meaning to programs. In Mathematical Aspects of Computer Science, Proceedings of Symposia in Applied Mathematics. Volume 19. American Mathematical Society, Providence, RI, USA; 1976:19-32.View ArticleGoogle Scholar
- Hoare CAR: An axiomatic basis for computer programming. Communications of the ACM 1969,12(10):576-580. 10.1145/363235.363259MATHView ArticleGoogle Scholar
- Lacey D, Jones ND, Wyk EV, Frederiksen CC: Compiler optimization correctness by temporal logic. Higher Order and Symbolic Computation 2003,17(3):173-206.View ArticleGoogle Scholar
- Aßmann U: How to uniformly specify program analysis and transformation with graph rewrite systems. In Proceedings of the 6th International Conference on Compiler Construction (CC '96), April 1996, Linköping, Sweden. Edited by: Fritzson P. Springer; 121-135.View ArticleGoogle Scholar
Copyright
This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
