Modified condition/decision coverage

<h2 id="overview">Overview</h2>
<p>MC/DC requires all of the below during testing:<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a>
</p>
<ol><li>Each entry and exit point is invoked</li>
<li>Each decision takes every possible outcome</li>
<li>Each condition in a decision takes every possible outcome</li>
<li>Each condition in a decision is shown to independently affect the outcome of the decision.</li></ol>
<p>Independence of a condition is shown by proving that only one condition changes at a time.
</p><p>MC/DC is used in avionics software development guidance <a href="/facts/DO-178B/ftM3EIss">DO-178B</a> and <a href="/facts/DO-178C/nQoCfzL6">DO-178C</a> to ensure adequate <a href="/facts/Software_testing/VoXzG9Tb">testing</a> of the most critical (Level A) <a href="/facts/Software/RP79lVSW">software</a>, which is defined as that software which could <i>provide (or prevent failure of)</i> continued safe flight and landing of an aircraft. It is also highly recommended for <a href="/facts/Safety_integrity_level/qzHdBEDx">SIL</a> 4 in part 3 Annex B of the basic safety publication<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> and <a href="/facts/Automotive_Safety_Integrity_Level/8yvo9Eur">ASIL</a> D in part 6 of automotive standard <a href="/facts/ISO_26262/HWp4Cazz">ISO 26262</a>.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a>
</p><p>Additionally, NASA requires 100% MC/DC coverage for any safety critical software component in Section 3.7.4 of NPR 7150.2D.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a>
</p>
<h2 id="definitions">Definitions</h2>
Condition
A condition is a leaf-level <a href="/facts/Boolean_algebra_(logic)/VkCToAmg">Boolean</a> <a href="/facts/Expression_(programming)/eRlhoBeN">expression</a> (it cannot be broken down into simpler Boolean expressions).
Decision
A Boolean expression composed of conditions and zero or more <a href="/facts/Boolean_operator_(computer_programming)/qWS7Ef6n">Boolean operators</a>.  A decision without a Boolean operator is a condition. A decision does not imply a change of control flow, e.g. an assignment of a boolean expression to a variable is a decision for MC/DC.
Condition coverage
Every condition in a decision in the program has taken all possible outcomes at least once.
Decision coverage
Every point of entry and exit in the program has been invoked at least once, and every decision in the program has taken all possible outcomes at least once.
Condition/decision coverage
Every point of entry and exit in the program has been invoked at least once, every condition in a decision in the program has taken all possible outcomes at least once, and every decision in the program has taken all possible outcomes at least once.
Modified condition/decision coverage
Every point of entry and exit in the program has been invoked at least once, every condition in a decision in the program has taken all possible outcomes at least once, and each condition has been shown to affect that decision outcome independently. A condition is shown to affect a decision's outcome independently by varying just that condition while holding fixed all other possible conditions. The condition/decision criterion does not guarantee the coverage of all conditions in the module because in many <a href="/facts/Test_case/TVWkj0AQ">test cases</a>, some conditions of a decision are masked by the other conditions. Using the modified condition/decision criterion, each condition must be shown to be able to act on the decision outcome by itself, everything else being held fixed. The MC/DC criterion is thus much stronger than the condition/decision coverage.
<h2 id="criticism">Criticism</h2>

<p>It is a misunderstanding that by purely syntactic rearrangements of decisions (breaking them into several independently evaluated conditions using temporary variables, the values of which are then used in the decision) which do not change the semantics of a program can lower the difficulty of obtaining complete MC/DC coverage.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> 
</p><p>This is because MC/DC is driven by the program syntax. However, this kind of "cheating" can be done to simplify expressions, not simply to avoid MC/DC complexities. For example, assignment of the number of days in a month (excluding leap years) could be achieved by using either a switch statement or by using a table with an enumeration value as an index. The number of tests required based on the source code could be considerably different depending upon the coverage required, although semantically we would want to test both approaches with a minimum number of tests.
</p><p>
Another example that could be considered as  "cheating" to achieve higher MC/DC is:</p>/* Function A */

void function_a (int a, bool b, bool c, bool d, bool e, bool f)
{
    if (a == 100)
    {
        if (b || c)
            // statement 1
        
        if (d || e || f)
            // statement 2
    }
}
/* Function B */

void function_b (int a, bool b, bool c, bool d, bool e, bool f)
{
    bool a_is_equal_to_100  = a == 100 ;
    bool b_or_c             = b || c ;
    bool d_or_e_or_f        = d || e || f ;

if (a_is_equal_to_100)
    {
        if (b_or_c)
            // statement 1
            
        if (d_or_e_or_f)
            // statement 2
    }
}
<p>if the definition of a decision is treated as if it is a boolean expression that changes the control flow of the program (the text in brackets in an 'if' statement) then one may think that  Function B is likely to have higher MC/DC than Function A for a given set of test cases (easier to test because it needs less tests to achieve 100% MC/DC coverage), even though functionally both are the same.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> 
</p><p>However, what is wrong in the previous statement is the definition of decision. A decision includes 'any' boolean expression, even for assignments to variables. In this case, the three assignments should be treated as a decision for MC/DC purposes and therefore the changed code needs exactly the same tests and number of tests to achieve MC/DC than the first one. Some code coverage tools do not use this strict interpretation of a decision and may produce false positives (reporting 100% code coverage when indeed this is not the case). 
</p>
<h2 id="rcdc">RC/DC</h2>
<p>In 2002 <a href="/facts/Sergiy_Vilkomir/FutpMuaX">Sergiy Vilkomir</a> proposed reinforced condition/decision coverage (RC/DC) as a stronger version of the MC/DC coverage criterion that is suitable for <a href="/facts/Safety-critical_system/vhVc7NJU">safety-critical systems</a>.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a><a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> 
</p><p><a href="/facts/Jonathan_Bowen/rNN1Y3vy">Jonathan Bowen</a> and his co-author analyzed several variants of MC/DC and RC/DC and concluded that at least some MC/DC variants have superior coverage over RC/DC.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a>
</p>
<h2 id="see-also">See also</h2>
<ul><li><a href="/facts/Elementary_comparison_testing/7kbBqLUX">Elementary comparison testing</a></li></ul>

<h2 id="external-links">External links</h2>
<ul><li><a href="https://web.archive.org/web/20200501012151/https://www.faa.gov/aircraft/air_cert/design_approvals/air_software/cast/cast_papers/media/cast-10.pdf">What is a "Decision" in Application of Modified Condition/Decision Coverage (MC/DC) and Decision Coverage (DC)? (May 1, 2020 archive)</a></li>
<li><a href="http://www.tc.faa.gov/its/worldpac/techrpt/ar01-18.pdf">An Investigation of Three Forms of the Modified Condition Decision Coverage (MCDC) Criterion</a></li></ul>

<h2 id="references">References</h2>

<ol>
<li id="fn:1"><p>Hayhurst, Kelly; Veerhusen, Dan; Chilenski, John; Rierson, Leanna (May 2001). "A Practical Tutorial on Modified Condition/ Decision Coverage" (PDF). NASA. <a href="https://shemesh.larc.nasa.gov/fm/papers/Hayhurst-2001-tm210876-MCDC.pdf" target="_blank">https://shemesh.larc.nasa.gov/fm/papers/Hayhurst-2001-tm210876-MCDC.pdf</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li>
<li id="fn:2"><p>IEC 61508-3:2010 <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li>
<li id="fn:3"><p>ISO 26262-2011 Part 6 Table 12 <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li>
<li id="fn:4"><p>"NASA Software Engineering Requirements". NASA. <a href="https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=7150&s=2D" target="_blank">https://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=7150&s=2D</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li>
<li id="fn:5"><p>Rajan, Ajitha; Heimdahl, Mats; Whalen, Michael (March 2003). "The Effect of Program and Model Structure on MC⁄DC Test Adequacy Coverage" (PDF). {{cite journal}}: Cite journal requires |journal= (help) <a href="https://homepages.inf.ed.ac.uk/arajan/My-Pubs/tosem-main.pdf" target="_blank">https://homepages.inf.ed.ac.uk/arajan/My-Pubs/tosem-main.pdf</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li>
<li id="fn:6"><p>http://www.hbni.ac.in/phdthesis/engg/ENGG02201004005.pdf [bare URL PDF] <a href="http://www.hbni.ac.in/phdthesis/engg/ENGG02201004005.pdf" target="_blank">http://www.hbni.ac.in/phdthesis/engg/ENGG02201004005.pdf</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li>
<li id="fn:7"><p>Vilkomir, S.A.; Bowen, J.P. (2002). Reinforced condition/decision coverage (RC/DC): A new criterion for software testing. Lecture Notes in Computer Science. Vol. 2272. Springer-Verlag. pp. 291–308. doi:10.1007/3-540-45648-1_15. ISBN 978-3-540-43166-4. {{cite book}}: |journal= ignored (help) <a href="978-3-540-43166-4" target="_blank">978-3-540-43166-4</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li>
<li id="fn:8"><p>Vilkomir, S.A.; Bowen, J.P. (2006). "From MC/DC to RC/DC: formalization and analysis of control-flow testing criteria". Formal Aspects of Computing. 18 (1). Springer Nature: 42–62. doi:10.1007/s00165-005-0084-7. S2CID 10467796. <a href="/wiki/Sergiy_Vilkomir" target="_blank">/wiki/Sergiy_Vilkomir</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li>
<li id="fn:9"><p>Kapoor, Kalpesh; Bowen, Jonathan P (2005). "A formal analysis of MCDC and RCDC test criteria". Software Testing, Verification and Reliability. 15 (1). Wiley Online Library: 21–40. doi:10.1002/stvr.306. S2CID 35276126. <a href="/wiki/Jonathan_Bowen" target="_blank">/wiki/Jonathan_Bowen</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li>
</ol>

Modified condition/decision coverage open-in-new

Modified condition/decision coverage