Towards Preserving Model Coverage and Structural Code Coverage
© Raimund Kirner. 2009
Received: 12 August 2008
Accepted: 21 February 2009
Published: 23 June 2009
Embedded systems are often used in safety-critical environments. Thus, thorough testing of them is mandatory. To achieve a required structural code-coverage criteria it is beneficial to derive the test data at a higher program-representation level than machine code. Higher program-representation levels include, beside the source-code level, languages of domain-specific modeling environments with automatic code generation. For a testing framework with automatic generation of test data this will enable high retargetability of the framework. In this article we address the challenge of ensuring that the structural code coverage achieved at a higher program representation level is preserved during the code generations and code transformations down to machine code. We define the formal properties that have to be fullfilled by a code transformation to guarantee preservation of structural code coverage. Based on these properties we discuss how to preserve code coverage achieved at source-code level. Additionally, we discuss how structural code coverage at model level could be preserved. The results presented in this article are aimed toward the integration of support for preserving structural code coverage into compilers and code generators.
Testing is a mandatory process to assess the correct behavior of safety-critical systems. Even the increasing use of formal verification cannot make testing obsolete, as there is always a gap between the formal model and the real system with all the issues of integration.
The use of formal (=executable) models increasingly pervades the software engineering process. Formal models are used as part of the specification, as high-level software descriptions with automatic code generation, or as a tool for formal verification and model-based testing .
When generating test data it is beneficial to operate at the same representation level where the software is developed, which may be at the source-code level or at a domain-specific modeling environment like ezRealtime , MATLAB/Simulink [3, 4], Statemate , or Scade . The advantage of test-data generation at this high-level program representation is on the one side reduced complexity and availability of explicit knowledge of the program behavior that might get lost during code generation and compilation. On the other side, a test-data generator operating on such a high-level program representation could be easily retargeted to different platforms. Beside conventional testing, the support for retargetability is also of high interest for hybrid timing analysis, that is, an approach to determine the timing behavior of a program based on the combination of execution-time measurements and program analyses [7, 8].
Structural code-coverage criteria are metrics to analyze and quantify the control-flow coverage that is achieved for a given set of test data. Using a model-based or source-based test-data generator raises the challenge of ensuring that adequate structural code-coverage has been achieved at machine-code level . Code generators and compilers perform many transformations on the program or model given as input. Some of these code transformations can compromise structural code-coverage by copying, reordering, or moving conditions inside the program or even creating new conditions and decisions. For example, optimizations like loop unrolling, loop inversion, reverse if-conversion, and condition reordering  can disrupt full structural code-coverage. In general, full structural code-coverage cannot be guaranteed in this case without taking the burden of analyzing the machine code.
We propose an approach toward the preservation of structural code coverage when transforming the program. To achieve this, we introduce in Section 3 a notation to formally define structural code-coverage criteria. In Section 4 we present coverage preservation criteria for the different variants of structural code coverage. As described in Section 5, these criteria can help to extend a compiler with the ability of preserving coverage achieved at source level. The code coverage is preserved by prohibiting all code transformations that can disrupt the concrete structural code coverage metric. If full coverage preservation is not strictly required, the compiler may be used in a special mode where all available code transformations are allowed but a warning is emitted if structural code coverage may be compromised by an applied code optimization. Issues of preserving model coverage by code generators are discussed in Section 6.
2. Related Work
Structural coverage criteria are used as a supplementary criterion to monitor the progress of testing . The DO178b document introduces the modified condition-decision coverage (MCDC) as a supplementary criterion for testing systems of safety-criticality level A . Vilkomir proposes solutions to overcome some weaknesses of MCDC . Vilkomir and Bowen have formally modeled structural code-coverage criteria using the Z notation . The formalization we present in this article is basically equivalent, with the difference that we also support hidden-control flow , which is necessary to model code coverage for languages like ANSI C or ADA. Further, our notation is more compact, which has shown to be helpful for developing coverage-preservation criteria.
Model-based development aims to use high-level system representations within the system engineering process. For example, the Object Management Group proposes the Model-Driven Architecture, which explicitly differentiates between platform-independent and platform-specific models . Models can be used to automatically generate source code. Another model-based approach is model-based testing where abstract models are used to guide the generation of test data [1, 17]. Using models to verify the correctness of the system requires evidence of the model's correctness .
Directly related to our work is the relationship of achieved model coverage and the resulting code coverage. Baresel et al. analyzed this relationship empirically, finding some correlation between the degree of model coverage and the resulting degree of code coverage . Rajan et al. have shown for MCDC that the correlation of the degree of model coverage and the degree of code coverage depends on the code generation patterns . To test safety-critical systems we want to do better than relying on accidental coverage correlations.
Elbaum et al. empirically studied the preservation of code coverage for software evolution with different change levels. They concluded that even relatively small modifications in the software may impact the coverage in a way that is hard to predict . Their results also motivate our work for the preservation of code coverage.
A method complementary to our approach is described by Harman et al. Testability transformation results in a transformed program to be used by a test-data generator to improve its ability of generating test data for the original program .
3. Basic Definitions
In this section we give a list of basic definitions. These definitions are used to describe properties of structural code coverage and to preserve structural code coverage.
Control-Flow Graph (CFG). Is used to model the control flow of a program . A CFG consists of a set of nodes representing basic blocks (see below), a set of edges representing the control flow (also called control-flow edges), a unique entry node , and a unique end node .
Program Scope of A Program . Is a fragment of with well-defined interfaces for entry and exit. We denote the set of program scopes in a program as . The concrete partitioning of a program into scopes is application-specific. For example, in  a program partitioning is used that allows to trade the number of required test data against the number of instrumentation points. Another feature of scopes is that nested scopes can be used to hide details. This feature allows to reduce the program complexity of the surrounding scope.
Scoped Path. Of a program scope is a sequence of control-flow edges from an entry point of the scope to an exit point of the scope. In case of nested program scopes, the whole inner program scope is a single block in the paths of the outer program scope. A scoped path of a program scope is uniquely represented by its starting basic block and the necessary TRUE/FALSE evaluation result of all conditions along the scoped path. We denote the set of scoped paths in a program scope as . The paths within a program , that is, the scoped paths where the program scope subsumes the whole program, is denoted as .
Basic Block. Of a program is a code sequence of maximal length with a single entry point at the beginning and with the only allowed occurrence of a control-flow statement at its end. We denote the set of basic blocks in a program as . The set of all basic blocks along a scoped path is denoted as . Note that in cases of program paths with cycles, will contain multiple instances of the basic blocks in the program code. If a scoped path goes through a nested program scope, all the basic blocks from the nested program scope are hidden for this path. The starting basic block of a scoped path is denoted as .
Decision. Is a Boolean expression composed of conditions that are combined by Boolean operators. If a condition occurs more than once in the decision, each occurrence is a distinct condition . However, the input of a decision is the set of its conditions without duplicates. A decision is composed of one or more basic blocks. We denote the set of decisions of a program as .
There are source languages, where decisions are hidden by an implicit control flow. For example, in ANSI C due to the short-circuit evaluation the following statement a = (b && c); contains the decision (b && c). The short-circuit evaluation of ANSI C states that the second argument of the operators && and is not evaluated if the result of the operator is already determined by the first argument. See Section 5.4 for further details. The correct identification of hidden control flow is important, for example, to analyze decision coverage.
Condition. Is a Boolean expression. We consider only lowest-level conditions, that is, conditions that do not contain operators with Boolean arguments . A condition is composed of one or more basic blocks. We denote the set of conditions of a decision as . The set of all conditions within a program is denoted as .
The set of all conditions that directly control edges along a scoped path is denoted as . Note that in cases of program paths with cycles, will contain multiple instances of the conditions in the program code. If a scoped path goes through a nested program scope, all the conditions from the nested program scope are hidden for this path. To follow a certain path, it is also important whether a condition evaluates to TRUE/FALSE. Whether a condition has to be evaluated as TRUE or as FALSE is given by the syntactical structure of a program. For a given scoped path we denote by all the conditions that have to be evaluated as TRUE and by all the conditions that have to be evaluated as FALSE to follow . It holds that and .
Input Data . Defines the set of all possible valuations of the input variables of a program. (Valuation of a variable means the assignment of concrete values to it. The valuation of an expression means the assignment of concrete values to all variables within the expression.)
Test Data . Defines the set of valuations of the input variables that have been generated with structural code coverage analysis done at source-code level. Since exhaustive testing is intractable in practice, is assumed as a true subset of the program's input data space : . If we would consider exhaustive testing ( ) there would be no challenge of structural code-coverage preservation.
Consider the following example of C code to get an intuition about the meaning of the satisfiability valuations:
if (a==3 && b==2)
The definition of , , and depends on whether the programming language has hidden control flow (see Section 5.4). Above definitions allow to formally describe structural code coverage criteria. We will also use them to describe requirements to preserve structural code coverage.
3.1. Structural Code-Coverage Criteria
Structural code-coverage criteria are metrics to analyze and quantify the control-flow coverage that is achieved for a given set of test data. Execution traces are used to collect the coverage information. In general, the satisfaction of a structural code-coverage criterion is not the primary test-case generation strategy in functional testing. Instead, structural code-coverage achieved during testing is analyzed as a supplementary measure to decide whether the implemented functionality has been sufficiently tested and does not contain any unintended functionality. However, there are also rare testing scenarios where the satisfaction of a certain code-coverage is the primary directive for test-data generation. For example, in measurement-based timing analysis an estimation of the worst-case execution time (WCET) is derived by systematic measurements .
In the following we review the properties of several structural code-coverage criteria.
Line Coverage. Is not a serious code coverage criterion, as without strict coding guidelines there is an ambiguous mapping from source lines to statements. In the extreme case one could write the whole program within one source line. Historically, line coverage was used as an easy hack when tools for analyzing statement coverage were missing. Thus, we do not discuss preservation of line coverage in this work.
Note that the boundary recognition of basic blocks can be tricky due to hidden control-flow. A statement in a high level language like ANSI C can consist of more than one basi cblock. For example, the ANSI C statement f=(a==3 && b==2); consists of multiple basic blocks due to the short-circuit evaluation order of ANSI C expressions.
Note that our definition requires in case of short-circuit operators that each condition is really executed. This is achieved by the semantics of . However, often definitions are used that do not explicitly consider short-circuit operators (e.g., ), thus having in case of short-circuit operators only a "virtual" coverage since they do not guarantee that the short-circuit condition is really executed for the evaluation to TRUE as well as for the evaluation to FALSE.
Condition/Decision Coverage (CDC). Requires that both, condition coverage and decision coverage are achieved.
The above definition of MCDC is the original definition given in the RTCA/DO178b document . However, this definition is rather strict, so that people thought of some less restrictive definitions. For example, it is not possible with the original definition to cover a decision with strongly coupled conditions. (Two conditions are strongly coupled, iff they have the same input data partitioning for their satisfiability valuation, i.e., .) As described in , there exist at least three definitions of MCDC:
(i)Unique-Cause MCDC: this is the original definition given in .
(ii)Unique-Cause + Masking MCDC: this definition of MCDC is less restrictive as it requires in case of strongly coupled conditions to test only that one of them covers the decision (masking) .
(iii)Masking MCDC: this is less restrictive than the two above, as it does not require the Unique-Cause. A condition is masked if its value cannot influence the outcome of a decision due to the overruling values of other conditions. For Masking MCDC it is sufficient to show that each condition can affect the outcome of the decision without being masked. However, Masking MCDC is not required to test whether conditions do independently cover the decision. It focuses more on testing the correct implementation of subexpressions within a Boolean expression.
According to Chilenski the metric Masking MCDC should be the preferred form of MCDC as it provides the same error detection probability but allows for more different test sets and thus the generation of test data more is cost-effective .
Within this article we focus on the original definition of MCDC. Extending above formal definition of MCDC to Unique-Cause + Masking MCDC or Masking MCDC is straight-forward. One has to exchange the predicate by another predicate that formalizes the semantics of the alternative MCDC criterion.
Multiple Condition Coverage (MCC). Requires besides DC and CC that each possible combination of outcomes of the conditions of each decision is executed at least once. MCC demands a rather high number of test cases: to achieve full MCC of a decision with conditions tests are necessary. MCC is desired in theory, but MCC tends to be infeasible for industrial code, because there are too many conditions per decision . Thus, in this work we do not address MCC.
Path Coverage (PC). Requires that each path of a program has been tested at least once. Since the number of paths within a program typically grows exponentially with the program size (PC is even stronger than MCC), we do not address PC.
Scoped Path Coverage (SPC). Is a coverage metric recently introduced by the authors. We use this type of code coverage for measurement-based timing analysis . In this article we formalize this coverage metric to reason about necessary properties of a compilation profile for preserving SPC. The basic idea of SPC is to partition the program into program scopes and cover all possible paths within each program scope. Actually, PC is just the special case of using SPC in combination with only one program scope covering the whole program .
The appropriate partitioning of a program into program scopes depends on the concrete testing goal. For example, in case of our research on measurement-based timing analysis  we use the partitioning of the program into scopes to achieve a compromise between precision of measurement results (the larger the segments the more precise) and number of necessary measurements.
Note, that the condition " " of (13) ensures that in the pathological case of having a program scope that is completely free of conditions, coverage of the only single path in the program scope is guaranteed.
Whether SPC is feasible in practice, depends on the program complexity itself and also on the application-specific partitioning of a program into program scopes.
The condition coverage (CC) needs a relative high number of test vectors. This is because of test vectors that enforce the entering of a program decision do not necessarily enforce the execution of a specific condition within the decision. Multiple condition coverage (MCC) has a relative high cost for testing a single decision. However, when looking at the whole program, then path coverage (PC) is typically much more complex, and depending on the definition of program scopes, scoped path coverage (SPC) requires significantly less test vectors than PC.
4. Preservation of Structural Code Coverage
When transforming a program, we are interested in the program properties that must be maintained by the code transformation such that a structural code coverage of the original program by the test-data set is preserved to the transformed program. Based on these properties one can adjust a source-to-source transformer or a compiler to use only those optimizations that preserve the intended structural code coverage.
The code coverage preservation can be applied on any type of code transformation, for example, on a source-to-source transformer or a compiler.
In this mode the coverage-preserving compiler will apply only those code optimizations that preserve the given code coverage metric. With this operation mode we assure coverage preservation at the cost of a potential degradation of performance.
In this mode the coverage-preserving compiler will apply all code transformations but it will emit a warning whenever a code transformation has been used that does not ensure the preservation of the given coverage metrics. The warning message should be as specific as possible to support the user in determining additional test data to regain code coverage for the optimized code.
The determination of the coverage profile for a given code transformation and the realization of a coverage-preserving compiler are not the focus of this article. Within this article we present the foundation for such a coverage preservation framework and discuss issues that challenge its applicability.
In the following we present coverage preservation criteria for several variants of structural code-coverage metrics. The important aspect is that these preservation criteria are independent of the concrete test data that achieve the structural code coverage at the original program.
4.1. Preserving Statement Coverage (SC)
Equation (15) of Theorem 4.1 provides a coverage preservation criterion for statement coverage. Equation (15) essentially says that for each basic block of the transformed program there exists a basic block of the original program such that reaching with a given test vector implies that also is reached with the same test vector.
Theorem 4.1 (Preservation of SC).
Part 2, showing necessity by indirect proof: Assuming there exists a basic block of such that for all basic blocks of it holds that , then each contains at least one input that is not in . If consists of exactly those inputs, then is never reached although SC holds in , which implies that SC is not preserved.
4.2. Preserving Condition Coverage (CC)
Equation (17) states that for each condition of the transformed program there exists at least one condition of the original program whose coverage implies that evaluates to TRUE and there exists at least one condition of the original program whose coverage implies that evaluates to FALSE.
Theorem 4.2 (Preservation of CC).
then it is possible that
which in both cases violates the preservation of CC.
Simplification of the CC Preservation Criteria
Working with the simple constraint of (20) may be sufficient in practice when analyzing the effect of concrete code transformations, since many transformations do not modify the conditions within a decision, but only their grouping into decisions. The simplified criterion is sufficient to allow only such code transformations that do not introduce new conditions with new unique satisfiability by the test data. Further, some transformations just invert a condition, which can be checked also with this simplified criterion.
4.3. Preserving Decision Coverage (DC)
Equation (21) of Theorem 4.3 provides a coverage preservation criterion for decision coverage. Equation (21) essentially says that for each decision of the transformed program there exists at least one decision of the original program whose coverage implies that evaluates to TRUE and there exists at least one decision of the original program whose coverage implies that evaluates to FALSE.
Theorem 4.3 (Preservation of DC).
then it is possible that
which in both cases violates the preservation of DC.
Guaranteeing Decision Coverage
Guaranteeing the preservation of a structural code coverage criterion that depends on the coverage of decisions of a program is challenging, since there are many ways to re-group conditions into hierarchies of decisions without changing the program semantics.
The criterion given in (21) imposes quite strong restrictions on the performed code transformations, since it requires that for each decision there is an adequate decision of the original program such that decision coverage is preserved. For example, consider the following code transformation:
Such a transformation is quite typical when source-code is transformed into assembly code. Actually, the only decision in the original code is (a==3 && b==2). Having decision coverage on the original code, there are numerous code transformations possible that do not preserve decision coverage.
The new criterion requires a different, but not stronger, structural code coverage at the original code to guarantee decision coverage at the transformed code. This criterion is typically more flexible when generating assembly code (which typically does not have control-flow statements with complex decisions). Further, in case that condition decision coverage (CDC) is fulfilled at the original program, one may chose between the criteria of (21) and (22) to guarantee decision coverage at the transformed program.
4.4. Preserving MCDC
Preserving MCDC coverage on a transformed program is especially challenging, since the code transformation may produce arbitrary groupings of conditions into decisions. Especially the requirement that each condition can independently influence the outcome of its conditions, is rather complex to check.
As the MCDC coverage preservation criterion is rather complex, we derive them in two steps. First, we describe a rather naive criterion that is relatively ease to understand. This criterion is sufficient but not necessary (too strict). Second, we describe a "realistic" (more detailed) criterion that is sufficient and necessary.
A Naive Coverage Preservation Criterion
Another drawback of this naive criterion is that it is based on a concrete set of test data that are used to achieve MCDC at the original program. To ensure coverage preservation in general, it would be necessary to ensure that the criterion holds for all possible sets of test data that achieve MCDC at the original program, which tends to be intractable in practice.
A Realistic Coverage Preservation Criterion
The criterion given in equ_preserve_mcdc states that for each condition of a decision of the transformed program there exist two sets of input data and whose members achieve the criterion needed for MCDC coverage. Further, there has to be a condition of the original program such that the is a subset of either the true-satisfiability valuation or the false-satisfiability valuation (tested with the predicate ). the same requirement as .
Theorem 4.4 (Preservation of MCDC).
(the test data do not provide MCDC coverage at the transformed program ) which in each case violates the preservation of MCDC: Case (a) and (b) violate the preservation of MCDC since they are in contradiction with the requirement that MCDC is achieved at the original program. Case (c) states that there exists a condition in the transformed program for which there are no test data to achieve unique cause coverage, which is required for MCDC.
4.5. Preserving Scoped Path Coverage (SPC)
As stated in Theorem 4.5, (32) provides a coverage preservation criterion for SPC. Equation (32) says that for each scoped path of the transformed program there exists a scoped path such that the reachability of the first basic block of implies the reachability of the first basic block of . Further, Equation (32) states that for each condition of that has to be evaluated to TRUE, there exists a condition of a scoped path in the original program that will imply the True evaluation of (by predicate ). Finally, Equation (32) states that for each condition of that has to be evaluated to FALSE, there exists a condition of a scoped path in the original program that will imply the FALSE evaluation of (by predicate ).
Theorem 4.5 (Preservation of SPC).
(one of the conditions of a scoped program path of the transformed program that has to be evaluated to False evaluates to True for all test vectors of ) which in each case violates the preservation of SPC.
5. Application of Coverage Preservation
In Section 4 we present some formal criteria that must be fulfilled to preserve a given structural code coverage criterion. In this section we discuss how to apply these coverage-preservation criteria to permit only those code transformations that preserve structural code coverage.
There are only two types of code transformations that can disrupt the preservation of structural code coverage:
(i)transformations that change the reachability of statements or conditions. For example, reordering the conditions within a decision can change the reachability of conditions and thus also statements.
(ii)transformations that add new conditional control-flow paths into the program. For example, branch optimization can introduce new conditional branches.
In the following we provide examples of how to determine with help of the introduced formalism whether a code transformation disrupts structural code coverage.
We use a small sample code and show how a concrete code transformation changes the code. We use a compact scheme to address elements of the code samples. For example, denotes the statement at source line 1. If there are multiple statements at the source line, we identify them by an additional index letter, for example, , , and so forth. Similarly, and address the decisions and conditions at source line . Based on this notation we use our formalism to describe by a graph the coverage relations between different program elements. denotes that the coverage of type at element implies the coverage of type at element . The possible coverage types are "R" (reaching), "T" (true-evaluation) and "F" (false-evaluation). A dotted line between elements from the original and the transformed code denotes that the two elements have the same coverage. A dotted arrow from an element of the original code to an element of the transformed code denotes that a coverage of the original node by the concrete test data implies also the coverage of the element in the transformed code. Structural code coverage is achieved, if all elements of the transformed code have a connection to an element of the original code. Elements of the transformed graph, for which coverage is not preserved, are marked by a surrounding box.
5.1. Transformations That Change Reachability
The coverage-relation graph in Figure 5 contains coverage types for statements, conditions, and decisions. From this graph we can conclude which structural code-coverage criteria are preserved by condition reordering. For example, missing the coverage of but not of implies that SC is still preserved. Also DC is preserved. However, coverage criteria that are based on the coverage of conditions are not guaranteed to be preserved. For example, preservation of CC or MCDC is not guaranteed. For simplicity, we do not discuss preservation of SPC, because analyzing SPC preservation would make it necessary to unroll the program to make the different scoped program paths explicit.
5.2. Transformations That Add New Paths
5.3. Transformations That Preserve Coverage
As a general pattern, if for each relevant expression of the transformed program there is a line or arrow to that expression originating from any expression of the same type in the original program, then the code coverage is preserved.
5.4. Modeling Hidden Control Flow
Some programming languages include statements that provide hidden control flow. For example, the logical operators && and of ANSI C/C++ have a short-circuit evaluation semantics, which in fact already is conditional control flow. The short-circuit evaluation of ANSI C/C++ states that the second argument of the operators && and is not evaluated if the final result of the operator is already determined by the first argument.
For example, lets look at the following code:
Above code might be translated into the following assembly code, which demonstrates how the short-circuit evaluation of ANSI C/C++ works:
If we do not explicitly address the hidden control-flow with the coverage preservation framework, we risk to loose full structural code-coverage as soon as the program is transformed into a new program with explicit control flow instead of the hidden, implicit control-flow.
5.5. Towards Automatic Calculation of Coverage Profiles
In this section we have demonstrated that the formalism provided in this article is helpful for determining the coverage profile of a code transformation. However, in Section 4 we argue that the calculation of the coverage profile could be done automatically, given the formal coverage preservation criterion and a formal description of the code transformation.
The code transformations can be formalized in an axiomatic semantics [28, 29], that is, by providing preconditions, postconditions, and invariants of the code transformation. Even model checking can be used to analyze code transformations . There exist specific frameworks to model code transformations, for example OPTIMIX . Such frameworks seem to be well-suited as a starting point for future research on automating the calculation the coverage profile of a code transformation.
6. Challenges for Preservation of Model Coverage
The structural code-coverage criteria presented in Section 3.1 are typically applied to source code or machine code. They have been developed already before model-based development became an issue. However, these structural code-coverage criteria are also getting started to be applied to implementation models of modeling environments like MATLAB/Simulink/Stateflow [3, 4] from Mathworks, Statemate  from Telelogic, or Scade  from Esterel Technologies. An implementation model in general is a program implementation in a domain-specific modeling language for which automatic code generation is used to generate the source-level implementation. In this section we discuss some important differences for identifying the structural code-coverage at source-code level and implementation-model level:
(i)The modeling language may use a different implementation style (e.g., data flow instead of control flow).
Code generation may be parametrizable (i.e., model semantics and implementation depends on the code generation settings).
(iv)Many modeling environments are under continuous development. Thus, the semantics of language constructs may change over time. Further, modeling languages are rarely standardized, often each tool provider has its own modeling language.
Though it brings in further challenges, structural code-coverage is also used for such modeling languages [19, 20]. One can still identify the control-decisions in such models, though above arguments illustrate why this can be tricky.
With the use of a structural code-coverage metric on modeling languages one can also directly use the coverage preservation criteria we presented in Section 4. To demonstrate how to do this, we examine some elements of the MATLAB/Simulink modeling environment. The main conclusions from the given examples may also apply to other modeling languages. We also discuss potential problems that lead to further research in that area.
The identified potential problems do not only apply to implementation models with automatic code generation but also to manual coding.
6.1. A Simple Example
The code shows a single decision with one condition inside. In this concrete example it is valid to define the scope of decision coverage (or MCDC) as the single MATLAB/Simulink element. The generated source code for this element contains the whole decision, thus generating test data for decision coverage (or MCDC) based on the hidden control-flow of the Switch element results in a full decision coverage (or MCDC) at source code level.
Coverage criteria that are not based on the decisions, are easier to preserve, since coverage of conditions or basic blocks can be directly derived from the coverage of a single Matlab/Simulink element. Thus, structural code coverage like SC, CC, or SPC can be directly preserved based on the hidden control-flow.
In the following we show that it is not always that easy to apply decision-based structural code-coverage criteria like DC or MCDC to the Matlab/Simulink language and to ensure their preservation.
6.2. Identifying Code Structures in Models
In Section 6.1 we have seen how to use the implicit control flow of a data-flow element to apply a structural code-coverage metric. Given that a code generator creates explicit control flow, for example, as C code, there is the question whether it is valid to analyze Matlab/Simulink elements in isolation because the code generator can combine the logic of several data-flow elements into a single C statement. Looking only at the Matlab/Simulink elements without considering that the concrete behavior of the code generator, does not allow, for example, to identify the set of conditions that will be grouped into a single decision.
The decisions in this code example are the assignments of a logical expression to a program variable. This is just a compact form instead of using an if/then construct. Now lets look at the inlined implementation variant of this model, which is generated by default by the code generator Real-Time Workshop of Matlab 6.5.1 and Simulink 5.1. In the inlined implementation variant we get a single decision:
Actually, achieving structural code coverage on the non-inlined implementation variant requires in general a smaller number of test data. For example, Rajan et al. have shown that full MCDC coverage at the non-inlined implementation variant yielded only about 13.6% MCDC coverage at the inlined implementation variant .
Without the knowledge about the behavior of the code generator it is not possible to formulate a preservation criterion for decision coverage (DC) or MCDC coverage that is both, sufficient and necessary independently of the exploited implementation variant. Maybe more surprisingly, this problem also arises for condition coverage (CC) because given that = (In2 && In3), the chosen implementation variant in this concrete example influences the set (where the condition is reached with an evaluation to True). The problem also arises for statement coverage (SC) because inlining reduces the reachability valuation of (In2 && In3).
6.3. The Complexity of Model Coverage
In Section 6.2 we raised the question of how much model elements have to be considered together to identify the scopes of structural code-coverage criteria. Now we argue that this scoping problem can also arise within a single element due to the rather complex code that may be generated for a Matlab/Simulink element.
Without plotting the implementations for the other look-up policies, one can see that the Look-Up Table element results in rather complex control flow.
To conclude, specifying structural code-coverage criteria at the model-level that are both, sufficient and necessary, is not possible without knowledge about the behavior of the code generator.
7. Summary and Conclusion
Structural code-coverage criteria are a useful supplementary criterion to monitor the progress of testing. There are several application scenarios where the test data have been obtained at a different program representation as where the test data are executed: when using model-based testing, when the software has evolved over time, or the test-data generation is done on higher program representations to achieve easy retargetability of the test-data generation. In all such cases there is the question of whether the structural code coverage achieved at the original program representation is also fulfilled at the transformed program representation.
Within this article we analyzed the problem of preserving structural code coverage when transforming the program model or program code. We introduced a notation for formalizing structural code-coverage. This notations is convenient to also express test-data independent criteria for preserving the code coverage. These criteria may be used to prove whether a given program transformation does always preserve the structural code coverage of interest. Further, the presented preservation criteria are naturally applied on source-to-source program transformations or on optimizing program compilation. And they may be also applied on model coverage, for which we identified some additional challenges.
Future work is to develop automatic proofs to decide whether a program transformation preserves structural code coverage. In our current analysis we focused on preservation of full coverage. It is also interesting to look on preservation of partial structural code coverage.
We would like to thank Susanne Kandl and the anonymous reviewers for valuable comments on earlier versions of this article. The research leading to these results has received funding from the Austrian Science Fund (Fonds zur Förderung der wissenschaftlichen Forschung) within the research project "Sustaining Entire Code-Coverage on Code Optimization" (SECCO) under contract P20944-N13.
- Broy M, Jonsson B, Katoen J-P, Leucker M, Pretschner A (Eds): Model-Based Testing of Reactive Systems: Advanced Lectures, Lecture Notes in Computer Science. Volume 3472. Springer, Berlin, Germany; 2005.Google Scholar
- Cruz F, Barreto R, Cordeiro L, Maciel P: ezRealtime: a domain-specific modeling tool for embedded hard real-time software synthesis. Proceedings of the Conference on Design, Automation and Test in Europe (DATE '08), March 2008, Munich, Germany 1510-1515.View ArticleGoogle Scholar
- The MathWorks Inc : Using MATLAB Version 6. The Mathworks, Natick, Mass, USA; 2002.Google Scholar
- The MathWorks Inc : Using Simulink Version 5. The Mathworks, Natick, Mass, USA; 2002.Google Scholar
- Harel D, Lachover H, Naamad A, et al.: STATEMATE: a working environment for the development of complex reactive systems. IEEE Transactions on Software Engineering 1990,16(4):403-414. 10.1109/32.54292View ArticleGoogle Scholar
- Dormoy F-X: Scade 6: a model based solution for safety critical software development. Proceedings of the 4th European Congress on Embedded Real Time Software (ERTS '08), January-February 2008, Toulouse, France 1-9.Google Scholar
- Wenzel I, Kirner R, Rieder B, Puschner P: Measurement-based timing analysis. Proceedings of the 3rd International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, October 2008, Porto Sani, Greece 1-15.Google Scholar
- Kirner R, Puschner P, Wenzel I: Measurement-based worst-case execution time analysis using automatic test-data generation. Proceedings of the 4th International Workshop on Worst-Case Execution Time Analysis, June 2004, Catania, Italy 67-70.Google Scholar
- Kirner R: SCCP/x: a compilation profile to support testing and verification of optimized code. Proceedings of the International Conference on Compilers, Architecture, and Synthesis for Embedded Systems (CASES '07), September-October 2007, Salzburg, Austria 38-42.Google Scholar
- Muchnick SS: Advanced Compiler Design & Implementation. Morgan Kaufmann, San Fransisco, Calif, USA; 1997.Google Scholar
- Whalen M, Rajan A, Heimdahl M, Miller S: Coverage metrics for requirements-based testing. Proceedings of the International Symposium on Software Testing and Analysis (ISSTA '06), July 2006, Portland, Me, USA 25-36.Google Scholar
- Software considerations in airborne systems and equipment certification RTCA/DO-178B, 1992Google Scholar
- Vilkomir SA, Bowen JP: From MC/DC to RC/DC: formalization and analysis of control-flow testing criteria. Formal Aspects of Computing 2006,18(1):42-62. 10.1007/s00165-005-0084-7MATHView ArticleGoogle Scholar
- Vilkomir SA, Bowen JP: Formalization of software testing criteria using the Z notation. Proceedings of the 25th Annual International Computer Software and Applications Conference (COMPSAC '01), October 2001, Honolulu, Hawaii, USA 351-356.Google Scholar
- Chilenski JJ, Miller SP: Applicability of modified condition/decision coverage to software testing. Software Engineering Journal 1994,9(5):193-200. 10.1049/sej.1994.0025View ArticleGoogle Scholar
- Object Management Group : MDA Guide Version 1.0.1. document no. omg/2003-06-01, June 2003Google Scholar
- Heimdahl MPE, Whalen M, Rajan A, Miller SP: Testing strategies for model-based development. National Aeronautics and Space Administration, Hampton, Va, USA; April 2006.Google Scholar
- Rajan A, Whalen M, Heimdahl M: Model validation using automatically generated requirements-based tests. Proceedings of the 10th IEEE High Assurance Systems Engineering Symposium (HASE '07), November 2007, Dallas, Tex, USA 95-104.View ArticleGoogle Scholar
- Baresel A, Conrad M, Sadeghipour S, Wegener J: The interplay between model coverage and code coverage. Proceedings of the 11th European International Conference on Software Testing, Analysis and Review (EuroSTAR '03), December 2003, Amsterdam, The Netherlands Google Scholar
- Rajan A, Whalen M, Heimdahl M: The effect of program and model structure on MC/DC test adequacy coverage. Proceedings of the 30th International Conference on Software Engineering, May 2008, Leipzig, Germany 161-170.Google Scholar
- Elbaum S, Gable D, Rothermel G: The impact of software evolution on code coverage information. Proceedings of the IEEE International Conference on Software Maintenance (ICSM '01), November 2001, Florence, Italy 170-179.Google Scholar
- Harman M, Hu L, Hierons R, et al.: Testability transformation. IEEE Transactions on Software Engineering 2004,30(1):3-16. 10.1109/TSE.2004.1265732View ArticleGoogle Scholar
- Aho AV, Sethi R, Ullman JD: Compilers, Principles, Techniques, and Tools. Addison-Wesley, Reading, Mass, USA; 1997.Google Scholar
- Wenzel I, Rieder B, Kirner R, Puschner P: Automatic timing model generation by CFG partitioning and model checking. In Proceedings of the Conference on Design, Automation and Test in Europe (DATE '05), March 2005, Munich, Germany. Volume 1. IEEE; 606-611.Google Scholar
- Chilenski JJ: An investigation of three forms of the modified condition decision coverage (MCDC) criterion. Boeing Commercial Airplane Group, Seattle, Wash, USA; April 2001.Google Scholar
- Myers GJ: The Art of Software Testing. John Wiley & Sons, New York, NY, USA; 1979.Google Scholar
- Hayhurst KJ, Veerhusen DS, Chilenski JJ, Rierson LK: A practical tutorial on modified condition/decision coverage. National Aeronautics and Space Administration, Hampton, Va, USA; May 2001.Google Scholar
- Floyd R: Assigning meaning to programs. In Mathematical Aspects of Computer Science, Proceedings of Symposia in Applied Mathematics. Volume 19. American Mathematical Society, Providence, RI, USA; 1976:19-32.View ArticleGoogle Scholar
- Hoare CAR: An axiomatic basis for computer programming. Communications of the ACM 1969,12(10):576-580. 10.1145/363235.363259MATHView ArticleGoogle Scholar
- Lacey D, Jones ND, Wyk EV, Frederiksen CC: Compiler optimization correctness by temporal logic. Higher Order and Symbolic Computation 2003,17(3):173-206.View ArticleGoogle Scholar
- Aßmann U: How to uniformly specify program analysis and transformation with graph rewrite systems. In Proceedings of the 6th International Conference on Compiler Construction (CC '96), April 1996, Linköping, Sweden. Edited by: Fritzson P. Springer; 121-135.View ArticleGoogle Scholar
This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.