[SystemSafety] MC/DC coverage assumptions

Ian Broster ianb at rapitasystems.com
Wed Feb 28 16:10:34 CET 2018


> The algorithm they used for MC/DC assumes that a function containing
> a single branch (e.g., an if-statement with no else part) and
> the test involves a single condition (i.e., no AND or OR conditions),
> then 100% MC/DC coverage is assumed, even if 100% branch coverage is
> not obtained.
>
> Somebody please tell me that this is not an assumption made by
> commercial packages when calculating MC/DC coverage.

I can only comment for Rapita's RapiCover tool, but I have come across 
various expectations and interpretations that might provide insight into 
the issue.

We might interpret a single condition decision "if (a) {}" in two ways:

  (a) there are no MC/DC obligations here (because there is one 
condition and it's the same as branch coverage)
  (b) there is an MC/DC obligation here (because there is a decision)

RapiCover uses option (b) by default, but some customers have expected 
(a), perhaps from other tools.

Where option (a) is the expectation, you are arguing that MC/DC doesn't 
apply. Therefore it would be wrong to then say that you have achieved 
the MC/DC coverage of the decision (because you cannot claim to have 
achieved something that doesn't apply). I suspect that this is the cause 
of the odd numbers.

Although we believe that option (b) is the right choice, there are some 
unexpected consequences. For example, you get an ambiguous situation 
with assignments as follows:

if (a && b) {} /* this is MC/DC */
x = a && b; /* this is MC/DC  */
if (x) {} /* this is MC/DC */

but:

if (a) {} /* this is MC/DC */
x=a; /* Is this MC/DC?  RapiCover default is NOT MC/DC, but customer can 
opt to treat as MC/DC */
if (x) {} /* this is MC/DC */


Ian



-- 
Dr Ian Broster
General Manager, Rapita Systems Ltd
Mob: +44 7963 469 090. Skype: ianb1469



More information about the systemsafety mailing list