Modified condition/decision coverageModified condition/decision coverage (MC/DC) is a code coverage criterion used in software testing. OverviewMC/DC requires all of the below during testing:[1]
Independence of a condition is shown by proving that only one condition changes at a time. MC/DC is used in avionics software development guidance DO-178B and DO-178C to ensure adequate testing of the most critical (Level A) software, which is defined as that software which could provide (or prevent failure of) continued safe flight and landing of an aircraft. It is also highly recommended for SIL 4 in part 3 Annex B of the basic safety publication[2] and ASIL D in part 6 of automotive standard ISO 26262.[3] Additionally, NASA requires 100% MC/DC coverage for any safety critical software component in Section 3.7.4 of NPR 7150.2D.[4] Definitions
Criticism
It is a misunderstanding that by purely syntactic rearrangements of decisions (breaking them into several independently evaluated conditions using temporary variables, the values of which are then used in the decision) which do not change the semantics of a program can lower the difficulty of obtaining complete MC/DC coverage.[5] This is because MC/DC is driven by the program syntax. However, this kind of "cheating" can be done to simplify expressions, not simply to avoid MC/DC complexities. For example, assignment of the number of days in a month (excluding leap years) could be achieved by using either a switch statement or by using a table with an enumeration value as an index. The number of tests required based on the source code could be considerably different depending upon the coverage required, although semantically we would want to test both approaches with a minimum number of tests.[citation needed] Another example that could be considered as "cheating" to achieve higher MC/DC is: /* Function A */
void function_a (int a, bool b, bool c, bool d, bool e, bool f)
{
if (a == 100)
{
if (b || c)
// statement 1
if (d || e || f)
// statement 2
}
}
/* Function B */
void function_b (int a, bool b, bool c, bool d, bool e, bool f)
{
bool a_is_equal_to_100 = a == 100 ;
bool b_or_c = b || c ;
bool d_or_e_or_f = d || e || f ;
if (a_is_equal_to_100)
{
if (b_or_c)
// statement 1
if (d_or_e_or_f)
// statement 2
}
}
if the definition of a decision is treated as if it is a boolean expression that changes the control flow of the program (the text in brackets in an 'if' statement) then one may think that Function B is likely to have higher MC/DC than Function A for a given set of test cases (easier to test because it needs less tests to achieve 100% MC/DC coverage), even though functionally both are the same.[6] However, what is wrong in the previous statement is the definition of decision. A decision includes 'any' boolean expression, even for assignments to variables. In this case, the three assignments should be treated as a decision for MC/DC purposes and therefore the changed code needs exactly the same tests and number of tests to achieve MC/DC than the first one. Some code coverage tools do not use this strict interpretation of a decision and may produce false positives (reporting 100% code coverage when indeed this is not the case). [citation needed] RC/DCIn 2002 Sergiy Vilkomir proposed reinforced condition/decision coverage (RC/DC) as a stronger version of the MC/DC coverage criterion that is suitable for safety-critical systems.[7][8] Jonathan Bowen and his co-author analyzed several variants of MC/DC and RC/DC and concluded that at least some MC/DC variants have superior coverage over RC/DC.[9] See alsoReferences
External links |
Portal di Ensiklopedia Dunia