MC/dc coverage measurement of c programs



Download 90.75 Kb.
Date20.10.2016
Size90.75 Kb.
#6388
MC/DC coverage measurement of C programs

E. A. Gerlits

Institute for System Programming of the Russian Academy of Sciences, Moscow, Russia

Измерение тестового покрытия Си программ
по критерию MC/DC

Е. А. Герлиц

Федеральное бюджетное учреждение науки
Институт Системного Программирования Российской Академии Наук



Keywords: MC/DC, test coverage criterion, DO-178B, C language, avionics software, testing


MC/DC is a test coverage criterion which is usually applied in testing safety critical software including embedded software and especially dealing with avionics software. In this article, we discuss some practical issues connected with test coverage measurement for MC/DC written in C programming language and come up with the solutions to them. Chosen solutions influence on the quality of testing. The given article includes the part of our research wherein we perform testing of MC/DC coverage analysis tools for C/C++.

Kлючевые слова: MC/DC, критерий тестового
покрытия, DO-178B, язык Си, системы авионики, тестирование



Критерий тестового покрытия MC/DC широко применяется для тестирования критических по безопасности систем, встраиваемых систем и прежде всего систем авионики. В данной работе мы рассматриваем ряд проблем, возникающих на практике при измерении тестового покрытия по MC/DC программ, написанных на языке Си, а также приводим возможные решения данных проблем. Выбранные решения влияют на качество тестирования. Данная статья содержит часть результатов нашей работы по исследованию методов тестирования инструментов для анализа тестового покрытия по критерию MC/DC для языков Си/C++.

Contents


1 Introduction 2

1.1 Motivation 2

1.2 Overview of information sources on MC/DC 2

1.3 Originality of results 3

2 Issues 3

2.1 Recognizing a Boolean expression in C 3

2.2 C/DC versus MC/DC 6

2.3 Coverage of inline functions 7

2.4 Coverage of ternary operator inline if 7

3 Conclusion 8

References 8
1. Introduction
MC/DC is a structural coverage criterion originally defined in the DO-178B standard [1] dealing with the safety of civil avionics software. Avionics software must pass a certification procedure prior to being installed on an aircraft. During this procedure compliance with the requirements of the DO-178B standard is verified. One of those requirements is availability of an MC/DC adequate test suite for the most safety critical modules of the avionics software.

Definition 1. MC/DC [1]:

—every point of entry and exit in the program has been invoked at least once;

every condition in a decision has taken all possible outcomes at least once;

every decision in the program has taken all possible outcomes at least once;

every condition in a decision has been shown to affect that decisions outcome independently. A condition is shown to affect a decision’s outcome independently by varying just that condition while holding fixed all other possible conditions.

Definition 2. Decision [1]: A Boolean expression composed of conditions and zero or more Boolean operators. A decision without a Boolean operator is a condition. If a condition appears more than once in a decision, each occurrence is a distinct condition.

Definition 3. Condition [1]: A Boolean expression containing no Boolean operators.

MC/DC as it is defined in the standard is good at checking Boolean expressions [8, 16, 23] and control flow but it is not focused on arithmetic expressions and relational expressions on non Booleans [8].

1.1. Motivation

This paper discusses a number of issues related to MC/DC measurement of programs written in C programming language. Although MC/DC is supposed to provide a certain quality level for software, the solutions chosen for issues under consideration may influence the quality of testing significantly. The purpose of this paper is to propose solutions to qualitative MC/DC measurement of the programs written in C.

1.2. Overview of information sources on MC/DC

Published information sources related to MC/DC can be divided into the following categories:

— DO-178B standard [1];

— DO-248B, Final Report for Clarification of DO-178B [2];

— Certification authorities software team (CAST) papers [3, 4, 5];

— Official reports of Federal Aviation Administration (FAA), National Aeronautics and Space Administration (NASA) and other organizations dealing with aviation [8, 20, 12];

— Scientific articles [6, 9, 10, 11, 16, 19, 23];

— Available documentation about coverage analysis tools like user guides and reference manuals [13, 17, 18, 21, 22].

1.3. Originality of results

If there exists an appropriate solution to the problem that has already been published in international sources, we make references to them in the given article.

The issues discussed in this article have somehow been considered in the reports [8, 20]. These reports are primarily focused on the ADA language while this article is on C language. We take a different view on some issues and recommend some solutions different from those given in the reports. Particularly, we do not choose a solution as a compromise between the quality of testing and the cost of testing but we are trying to propose the strongest solution.

2. Issues

In this section, we reveal some practical issues related to MC/DC measurement of C programs and briefly describe some common solutions recommended in current sources and usually approved by certification authorities. Having presented the common solution, we explain its disadvantages and offer a better one.

2.1. Recognizing a Boolean expression in C

MC/DC definition states that all Boolean expressions in the program must be covered by MC/DC but the notion of Boolean expression is left undefined. The common approved solution to this issue is to follow the semantics of the target programming language.

The earliest dialects of C language including C90 don’t contain a built-in Boolean type [14]. A Boolean type was introduced in C99 as an unsigned integer type with two possible values 1 and 0, i.e. true and false [15]. Appearance of this new type didn’t affect the semantics of the operations in C. Some of them, e.g. ==, !=, might potentially be considered as Boolean operations over Boolean operands as in the case of many other programming languages, e.g. ADA, but they remained operations over integer domain returning an integer value.

According to the C language semantics, an expression is recognized to be Boolean if the result of its evaluation is two classes of values 0 and 1 (or equivalently 0 and not 0). Examples of Boolean expressions according to this approach include: controlling expressions of branch instructions like if, while, do-while, for; the outcome and the operands of short-circuit operations (&&, ||) and negation operation (!); the outcome of relational operations; the first operand of the ternary operator inline if (?:). Examples of expressions that are not considered to be Boolean according to this approach include: the outcome and the operands of bitwise operations, the operands of relational operations, the second and the third operand of the ternary operator inline if.

A Boolean subexpression is determined by recursion on the structure of the Boolean expression, i.e. it is a subexpression which is considered to be a Boolean expression. A condition is a Boolean subexpression that can not be further divided into Boolean subexpressions.

Thus a Boolean expression in C is an expression consisting of zero or more short-circuit Boolean operations (&&, ||), negation (!) and conditions. All other expressions are not considered to be Boolean according to the common approach which depends on the semantics of the target programming language.

Example 1



if (a == (b || c)) {…}

Let’s consider Example 1. The equality operation is not recognized as Boolean according to the semantics of C language therefore the whole expression is recognized as an atomic condition. To achieve MC/DC of this expression it’s enough to cover it to both true and false. In addition, the expression (b || c) is Boolean according to the semantics of C. It must be covered by MC/DC independently on the basis of containing expression because it is not recognized as its Boolean subexpression. Finally, if C99 dialect is used and variable a is of Boolean type, it must be recognized as Boolean expression consisting of zero Boolean operations and one condition. To achieve MC/DC of it, variable a must evaluate to both true and false. Table 1 contains an MC/DC adequate test suite for the expression from example 1.



Table 1

a


b


c


b || c


a == ( b || c )


t


f


t


t


t


f


f


f


f


f


f


t


f


t


f

















It is more common to recognize the expression from example 1 as a Boolean expression consisting of two Boolean operations and three conditions. For instance, we offer the example according to the semantics of Ada programming language. Example 2 contains the Ada version and table 2 contains an MC/DC adequate test suite for it.

Example 2:

if a == (b or else c) then…

Table 2

a


b


c


a == ( b or else c )


t


t


t


t


f


t


f


f


t


f


f


f


t


f


t


t


Intuitively, covering a Boolean expression as a whole by MC/DC is of better quality than covering its parts individually because the former implies the latter but not vice versa. Let’s consider example 3. The expression from example 1 is a specification now. Assume that we have erroneously coded it as a == (b || a). On the one hand, the MC/DC adequate test suite from table 1 does not reveal this bug because both the specification and the erroneous implementation calculate the same value on all truth vectors from the test suite. This is shown in table 3. On the other hand, when the target programming language is ADA and therefore the expression is considered to be Boolean as a whole, all MC/DC adequate test suites find this bug because they either contain the truth vector TFF or the truth vector FFT wherein the specification and the erroneous implementation have different values. Table 4 illustrates this statement.

Example 3:

Specification: a == (b || c)



Erroneous implementation: a == (b || a)

Thus according to the semantics of the target programming language ADA offers better test suites to reveal Boolean expressions than those in case of C language.


Table 3

a


b


c


a == ( b || c )


a == ( b || a )


t


f


t


t


t


f


f


f


f


f


f


t


f


f


f


















Table 4

a


b


c


a == ( b or else c )


a == ( b or else a )


t


t


t


t


t


f


t


f


f


f


t


f


f


f


t


t


f


t


t


t

In our opinion, the semantics of C language is not enough to recognize expressions that are essentially Boolean in a C program. In addition to its semantics it is necessary to rely on practical aspects of C programming language. Following this approach, operations like ==, !=, &, |, ^ can be recognized as Boolean when the programmer uses them to form Boolean expressions. This approach should reduce the gap between the quality of MC/DC adequate test suites in case of C programming language and languages such as ADA. Although automation of this approach may be problematic, we believe that the dynamic analysis of expression evaluation in the program and human assistance can help in designing a semi-automatic method.

As an alternative to our approach we suggest the evolution of the approach presented in [8] where the original MC/DC definition is extended on relational operations on integers.

2.2. C/DC versus MC/DC

There are some issues concerning MC/DC definition itself. For instance, it is not intended for Boolean expressions with strongly coupled conditions.

Definition 4. Coupled conditions [8]: Two or more conditions where changing one condition can cause the other condition(s) to change.

Definition 5. Strongly coupled conditions [8]: Conditions where changing one condition always changes the others.

These issues caused a lot of MC/DC interpretations [20, 6]. The most widespread interpretations are Masking MC/DC [8] and Unique Cause Masking MC/DC [8]1. The original definition and these two MC/DC interpretations were extended to handle Boolean expressions with short-circuit conditions [8]. Masking MC/DC is recommended for certification in [4]. Unique Cause Masking MC/DC is strictly stronger than Masking MC/DC therefore it is approved too.

Another solution proposed to handle short circuit operations is the method described in detail in [20]. It is based on understanding of the representation of short-circuit operations in assembler as a number of conditional jump instructions. The goal is to cover every branch instruction. If a Boolean expression contains only short circuit operations as in the case when Boolean expressions are detected on the basis of the semantics of C language, this approach is equivalent to the condition decision coverage (C/DC) performed on the level of source code. Example 4 contains a C/DC adequate test suite that is also adequate according to the method described in [20].

Example 4:



a && ( b || c)

C/DC test suite (a, b, c): {FTF−>F, TFT−>T, TTF−>T}

This method is adopted by certification authorities. In the given article we uphold the following point of view. The method described in [20] was initially presented in DO-248B [2] on Boolean expressions of the form a && b && . . . && c. All approved MC/DC interpretations produce the same test suite for the Boolean expressions of that form. The method hereafter was generalized to Boolean expressions with short-circuit conditions of any form. We believe that this method influences the quality of testing negatively, therefore it must be prohibited. All approved MC/DC interpretations are strictly stronger than C/DC. Example 5 below illustrates that a C/DC adequate test suite does not reveal a bug in an erroneous implementation while all MC/DC adequate test suites should find it because they must contain the truth vector TFF −> F to show the independence effect of condition b.

Example 5:

Specification: (a && b) || c

Implementation: (a && !c) || c

C/DC test suite (a, b, c): {TTF−>T, FFF−>F, TFT−>T}

MC/DC test suite (a, b, c): {TTF−>T, TFF−>F, FFF−>F, FFT−>T}

2.3 Coverage of inline functions

A compiler inserts the body of an inline function in every place where the function is called. There are two common approaches to cover inline functions [20]:

1. Coverage is achieved on a cumulative basis, i.e. coverage of different parts of all inserted bodies of the inline function provides the coverage of the inline function.

2. All insertions of the body of an inline function must be covered separately like a usual code.

Either of the two approaches can be used accordingly [20]. This paper recommends the second approach as it usually requires more tests than the first one and therefore it is expected to achieve better quality of testing.

The first approach tolerates a potentially unsafe situation when only one insertion of the body of an inline function is completely covered while the other N bodies are not. Moreover, the first approach is usually implemented by compiling the source code with flags that disable inlining. In this way inline functions can be covered as traditional ones. This method does not conform to DO-178B because testing and coverage analysis must be performed on production code where inline functions are not the same as traditional ones.

It happens often that an inserted body of an inline function may not be completely covered due to the actual parameters. This situation is quite normal. The reason for this incomplete coverage is enough to be explained in an appropriate document.

2.4 Coverage of ternary operator inline if

All three operands of the ternary operator inline if (? :) can be Boolean expressions. According to the approach described in [20] the three operands must be covered as separate decisions. When the inline if operator appears inside a Boolean expression, it is implicitly replaced by a Boolean condition that is supposed to keep the outcome of the inline if. An MC/DC adequate test suite for the new structure is supposed to cover the original expression. Example 6 illustrates this approach. All expressions B, C, D and A && x are covered by MC/DC independently. The resulting test suite provides MC/DC for the original expression too.

Example 6:

Original expression: if (A && (B ?C : D)) {… }

Implicit expression: x = (B ? C :D); if(A && x) {… }

We propose an alternative approach to MC/DC measurement of inline if. When inline if appears in a more complex Boolean expression, it should be handled as a short circuit Boolean operation like &&, ||. To cover inline if operator (a ? b : c) we propose to use the following truth vectors. Independence effect of condition a is shown by two truth vectors such as {a = true, b = true}, {a = false, c = false} or {a = true, b = false}, {a = false, c = true}. Independence effect of condition b is shown by two truth vectors such as {a = true, b = true}, {a = true, b = false}. Independence effect of condition c is shown by two truth vectors such as {a = false, c = true}, {a = false, c = false}. The method can be naturally extended on the case when a, b, c are complex Boolean expressions.

Using our approach, a Boolean expression containing inline if is covered as a whole which is more common and is of a better quality than the original approach where parts of inline if are handled as distinct decisions and covered independently.
3. Conclusion

In this paper, we have considered some practical issues related to MC/DC measurement of programs written in C programming language. Although MC/DC is supposed to guarantee a certain level of safety, the quality of MC/DC adequate test suites for the same program may vary significantly depending on the solutions chosen for those issues. The solutions proposed in this paper should provide MC/DC measurement of high quality for the programs written in C. Here are our recommendations for qualitative MC/DC measurement:

— Cover all expressions that are Boolean according to the semantics of a programming language as well as expressions that are essentially Boolean.

— Measure Boolean expressions with short-circuit conditions using the original MC/DC definition, Unique Cause Masking MC/DC and Masking MC/DC but not the DO-248B approach approved in [20].

— Cover all insertions of the body of an inline function separately like a usual code.

— Cover Boolean expressions containing inline if operator as a whole instead of handling three parts of inline if as distinct decisions.



Our future investigations will include the development of a new method to detect Boolean expressions in C programs automatically and the creation of a test suite to verify MC/DC coverage analysis tools.

References

  1. DO-178B: Software considerations in airborne systems and equipment certification, 1992.

  2. DO-248B: Final report for clarification of DO-178B ”Software considerations in airborne systems and equipment certification”, 2001.

  3. CAST position paper 10: What is a Decision in application of Modified Condition Decision Coverage (MCDC) and Decision Coverage (DC), 2002.

  4. CAST position paper 6: Rationale for accepting masking MCDC in certification projects, 2002.

  5. CAST position paper 17: Structural coverage of object code, 2003.

  6. Ammann P., Offutt J., and Huang H. Coverage criteria for logical expressions. In Proceedings of the 14th International Symposium on Software Reliability Engineering, ISSRE ’03, page 99. IEEE Computer Society Washington, DC, USA, November 2003. DOI: 10.1109/ISSRE.2003.1251034.

  7. Beizer B. Software Testing Techniques, Second Edition. The Coriolis Group, AZ, USA, 1990. ISBN: 1850328803.

  8. Chilenski J. An investigation of three forms of the modified condition decision coverage (mcdc) criterion. Technical Report DOT/FAA/AR-1/18, Office of Aviation Research, Washington, D.C., 2001.

  9. Chilenski J. J. and Miller S. Applicability of Modified Condition Decision Coverage to software testing. Software Engineering Journal, 7(5), 1994. DOI: 10.1049/sej.1994.0025.

  10. Dupuy A. and Leveson N. An empirical evaluation of the MCDC coverage criterion on the HETE-2 satellite software. In Proceedings of the 19th Digital Avionics Systems Conference, 19th DASC. IEEE Operations Center, NJ, USA, October 2000.

  11. Hayhurst K. J. and Veerhusen D. S. A practical approach to Modified Condition Decision Coverage. In Proceedings of the 20th Digital Avionics Systems Conference, 20th DASC. IEEE Operations Center, NJ, USA, October 2001. DOI: 10.1109/DASC.2001.963305.

  12. Hayhurst K. J., Veerhusen D. S., Chilenski J. J., and Rierson L. K. A practical tutorial on Modified Condition Decision Coverage. Technical Report NASA/TM-2001-210876, Langley Research Center, Hampton, Virginia, 2001.

  13. IBM. Test RealTime tool. [online]. http://www.ibm.com/.

  14. IEC ISO. ISO/IEC 9899:1990 programming languages C, 1990.

  15. IEC ISO. ISO/IEC 9899:1999 programming languages C, 1999.

  16. K. Kapoor and J.P. Bowen. Experimental evaluation of the variation in effectiveness for DC, FPC and MC/DC test criteria. In Proceedings of the International Symposium on Empirical Software Engineering, ISESE ’03, page 185. IEEE Computer Society Washington, DC, USA, September-October 2003. DOI: 10.1109/ISESE.2003.1237977.

  17. LDRA. TBsafe tool. [online]. http://www.ldra.com/.

  18. Parasoft. C/C++Test tool. [online]. http://www.parasoft.com/.

  19. Rajan A., Whalen M. W., and Heimdahl M. P. E. The effect of program and model structure on MC/DC test adequacy coverage. In Proceedings of the 13th international conference on software engineering, ICSE ’08, pages 161-170. ACM New York, NY, USA, May 2008. DOI: 10.1145/1368088.1368111.

  20. Santhanam V., Chilenski J.J., Waldrop R., Leavitt T., and Hayhurst K. J. Software verification tools assessment study. Technical Report DOT/FAA/AR-06/54, Office of Aviation Research, Washington, D.C., 2007.

  21. QA Systems. Cantata tool. [online]. http://www.qa-systems.com/.

  22. Testwell. Testwell CTC++ tool. [online]. http://www.testwell.fi/.

  23. 23. Yu Y. T. and Lau M. F. Comparing several coverage criteria for detecting faults in logical decisions. In Proceedings of the Quality Software, Fourth International Conference, QSIC ’04, pages 14–21. IEEE Computer Society Washington, DC, USA, September 2004.

1 We will further refer to the original MC/DC, Unique Cause Masking MC/DC and Masking MC/DC as the approved MC/DC interpretations.





Download 90.75 Kb.

Share with your friends:




The database is protected by copyright ©ininet.org 2024
send message

    Main page