In
computer science
Computer science is the study of computation, automation, and information. Computer science spans theoretical disciplines (such as algorithms, theory of computation, information theory, and automation) to Applied science, practical discipli ...
, test coverage is a percentage measure of the degree to which the
source code
In computing, source code, or simply code, is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the wo ...
of a
program
Program, programme, programmer, or programming may refer to:
Business and management
* Program management, the process of managing several related projects
* Time management
* Program, a part of planning
Arts and entertainment Audio
* Progra ...
is executed when a particular
test suite
In software development, a test suite, less commonly known as a validation suite, is a collection of test cases that are intended to be used to test a software program to show that it has some specified set of behaviors. A test suite often contai ...
is run. A program with high test coverage has more of its source code executed during testing, which suggests it has a lower chance of containing undetected
software bug
A software bug is an error, flaw or fault in the design, development, or operation of computer software that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. The process of finding and correcting bugs i ...
s compared to a program with low test coverage.
Many different metrics can be used to calculate test coverage. Some of the most basic are the percentage of program
subroutine
In computer programming, a function or subroutine is a sequence of program instructions that performs a specific task, packaged as a unit. This unit can then be used in programs wherever that particular task should be performed.
Functions may ...
s and the percentage of program
statements
Statement or statements may refer to: Common uses
*Statement (computer science), the smallest standalone element of an imperative programming language
*Statement (logic), declarative sentence that is either true or false
*Statement, a declarative ...
called during execution of the test suite.
Test coverage was among the first methods invented for systematic
software testing
Software testing is the act of examining the artifacts and the behavior of the software under test by validation and verification. Software testing can also provide an objective, independent view of the software to allow the business to apprecia ...
. The first published reference was by Miller and Maloney in ''
Communications of the ACM
''Communications of the ACM'' is the monthly journal of the Association for Computing Machinery (ACM). It was established in 1958, with Saul Rosen as its first managing editor. It is sent to all ACM members.
Articles are intended for readers with ...
'', in 1963.
Coverage criteria
To measure what percentage of code has been executed by a
test suite
In software development, a test suite, less commonly known as a validation suite, is a collection of test cases that are intended to be used to test a software program to show that it has some specified set of behaviors. A test suite often contai ...
, one or more ''coverage criteria'' are used. These are usually defined as rules or requirements, which a test suite must satisfy.
Basic coverage criteria
There are a number of coverage criteria, but the main ones are:
* Function coveragehas each function (or
subroutine
In computer programming, a function or subroutine is a sequence of program instructions that performs a specific task, packaged as a unit. This unit can then be used in programs wherever that particular task should be performed.
Functions may ...
) in the program been called?
* Statement coveragehas each
statement in the program been executed?
* Edge coveragehas every
edge
Edge or EDGE may refer to:
Technology Computing
* Edge computing, a network load-balancing system
* Edge device, an entry point to a computer network
* Adobe Edge, a graphical development application
* Microsoft Edge, a web browser developed by ...
in the
control-flow graph
In computer science, a control-flow graph (CFG) is a representation, using graph notation, of all paths that might be traversed through a program during its execution. The control-flow graph was discovered by Frances E. Allen, who noted that ...
been executed?
** Branch coveragehas each branch (also called the
DD-path A decision-to-decision path, or DD-path, is a path of execution (usually through a flow graph representing a program, such as a flow chart) between two decisions. More recent versions of the concept also include the decisions themselves in their own ...
) of each control structure (such as in
''if'' and ''case'' statements) been executed? For example, given an ''if'' statement, have both the ''true'' and ''false'' branches been executed? (This is a subset of edge coverage.)
* Condition coveragehas each Boolean sub-expression evaluated both to true and false? (Also called predicate coverage.)
For example, consider the following
C function:
int foo (int x, int y)
Assume this function is a part of some bigger program and this program was run with some test suite.
* ''Function coverage'' will be satisfied if, during this execution, the function
foo
was called at least once.
* ''Statement coverage'' for this function will be satisfied if it was called for example as
foo(1,1)
, because in this case, every line in the function would be executed—including
z = x;
.
* ''Branch coverage'' will be satisfied by tests calling
foo(1,1)
and
foo(0,1)
because, in the first case, both
if
conditions are met and
z = x;
is executed, while in the second case, the first condition,
(x>0)
, is not satisfied, which prevents the execution of
z = x;
.
* ''Condition coverage'' will be satisfied with tests that call
foo(1,0)
,
foo(0,1)
, and
foo(1,1)
. These are necessary because in the first cases,
(x>0)
is evaluated to
true
, while in the second, it is evaluated to
false
. At the same time, the first case makes
(y>0)
false
, the second case does not evaluate
(y>0)
(because of the lazy-evaluation of the boolean operator), the third case makes it
true
.
Condition coverage does not necessarily imply branch coverage. For example, consider the following code fragment:
if a and b then
Condition coverage can be satisfied by two tests:
*
a=true
,
b=false
*
a=false
,
b=true
However, this set of tests does not satisfy branch coverage since neither case will meet the
if
condition.
Fault injection
In computer science, fault injection is a testing technique for understanding how computing systems behave when stressed in unusual ways. This can be achieved using physical- or software-based means, or using a hybrid approach. Widely studied phys ...
may be necessary to ensure that all conditions and branches of
exception-handling code have adequate coverage during testing.
Modified condition/decision coverage
A combination of function coverage and branch coverage is sometimes also called decision coverage. This criterion requires that every
point of entry and exit in the program has been invoked at least once, and every decision in the program has taken on all possible outcomes at least once. In this context, the decision is a
boolean expression
In computer science, a Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean con ...
comprising conditions and zero or more boolean operators. This definition is not the same as branch coverage,
[Position Paper CAST-10 (June 2002). ]
What is a "Decision" in Application of Modified Condition/Decision Coverage (MC/DC) and Decision Coverage (DC)?
' however, the term ''decision coverage'' is sometimes used as a synonym for it.
[MathWorks. ]
'
Condition/decision coverage requires that both decision and condition coverage be satisfied. However, for
safety-critical
A safety-critical system (SCS) or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:
* death or serious injury to people
* loss or severe damage to equipment/property
* environme ...
applications (such as
avionics software
Avionics software is embedded software with legally mandated safety and reliability concerns used in avionics. The main difference between avionic software and conventional embedded software is that the development process is ''required by law' ...
) it is often required that modified condition/decision coverage (MC/DC) be satisfied. This criterion extends condition/decision criteria with requirements that each condition should affect the decision outcome independently.
For example, consider the following code:
if (a or b) and c then
The condition/decision criteria will be satisfied by the following set of tests:
* a=true, b=true, c=true
* a=false, b=false, c=false
However, the above tests set will not satisfy modified condition/decision coverage, since in the first test, the value of 'b' and in the second test the value of 'c' would not influence the output. So, the following test set is needed to satisfy MC/DC:
* a=false, b=true, c=false
* a=false, b=true, c=true
* a=false, b=false, c=true
* a=true, b=false, c=true
Multiple condition coverage
This criterion requires that all combinations of conditions inside each decision are tested. For example, the code fragment from the previous section will require eight tests:
* a=false, b=false, c=false
* a=false, b=false, c=true
* a=false, b=true, c=false
* a=false, b=true, c=true
* a=true, b=false, c=false
* a=true, b=false, c=true
* a=true, b=true, c=false
* a=true, b=true, c=true
Parameter value coverage
Parameter value coverage (PVC) requires that in a method taking parameters, all the common values for such parameters be considered. The idea is that all common possible values for a parameter are tested. For example, common values for a string are: 1)
null
Null may refer to:
Science, technology, and mathematics Computing
*Null (SQL) (or NULL), a special marker and keyword in SQL indicating that something has no value
*Null character, the zero-valued ASCII character, also designated by , often used ...
, 2) empty, 3) whitespace (space, tabs, newline), 4) valid string, 5) invalid string, 6) single-byte string, 7) double-byte string. It may also be appropriate to use very long strings. Failure to test each possible parameter value may result in a bug. Testing only one of these could result in 100% code coverage as each line is covered, but as only one of seven options are tested, there is only 14.2% PVC.
Other coverage criteria
There are further coverage criteria, which are used less often:
*
Linear Code Sequence and Jump Linear code sequence and jump (LCSAJ), in the broad sense, is a software analysis method used to identify structural units in code under test. Its primary use is with dynamic software analysis to help answer the question "How much testing is enough ...
(LCSAJ) coverage a.k.a. JJ-Path coverage has every LCSAJ/JJ-path been executed?
[M. R. Woodward, M. A. Hennell, "On the relationship between two control-flow coverage criteria: all JJ-paths and MCDC", Information and Software Technology 48 (2006) pp. 433-440]
* Path coverageHas every possible route through a given part of the code been executed?
* Entry/exit coverageHas every possible call and return of the function been executed?
* Loop coverageHas every possible loop been executed zero times, once, and more than once?
* State coverageHas each state in a
finite-state machine
A finite-state machine (FSM) or finite-state automaton (FSA, plural: ''automata''), finite automaton, or simply a state machine, is a mathematical model of computation. It is an abstract machine that can be in exactly one of a finite number o ...
been reached and explored?
* Data-flow coverageHas each variable definition and its usage been reached and explored?
[Ting Su, Ke Wu, Weikai Miao, Geguang Pu, Jifeng He, Yuting Chen, and Zhendong Su. "A Survey on Data-Flow Testing". ACM Comput. Surv. 50, 1, Article 5 (March 2017), 35 pages.]
Safety-critical
A safety-critical system (SCS) or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:
* death or serious injury to people
* loss or severe damage to equipment/property
* environme ...
or
dependable applications are often required to demonstrate 100% of some form of test coverage.
For example, the
ECSS-E-ST-40C standard demands 100% statement and decision coverage for two out of four different criticality levels; for the other ones, target coverage values are up to negotiation between supplier and customer.
[ECSS-E-ST-40C: Space engineering - Software. ECSS Secretariat, ESA-ESTEC. March, 2009]
However, setting specific target values - and, in particular, 100% - has been criticized by practitioners for various reasons (cf.
[C. Prause, J. Werner, K. Hornig, S. Bosecker, M. Kuhrmann (2017): ]
Is 100% Test Coverage a Reasonable Requirement? Lessons Learned from a Space Software Project
'. In: PROFES 2017. Springer. Last accessed: 2017-11-17)
Martin Fowler writes: "I would be suspicious of anything like 100% - it would smell of someone writing tests to make the coverage numbers happy, but not thinking about what they are doing".
[Martin Fowler's blog]
TestCoverage.
Last accessed: 2017-11-17
Some of the coverage criteria above are connected. For instance, path coverage implies decision, statement and entry/exit coverage. Decision coverage implies statement coverage, because every statement is part of a branch.
Full path coverage, of the type described above, is usually impractical or impossible. Any module with a succession of
decisions in it can have up to
paths within it; loop constructs can result in an infinite number of paths. Many paths may also be infeasible, in that there is no input to the program under test that can cause that particular path to be executed. However, a general-purpose algorithm for identifying infeasible paths has been proven to be impossible (such an algorithm could be used to solve the
halting problem
In computability theory, the halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running, or continue to run forever. Alan Turing proved in 1936 that a g ...
).
Basis path testing In software engineering, basis path testing, or structured testing, is a white box method for designing test cases. The method analyzes the control-flow graph of a program to find a set of linearly independent paths of execution. The method normall ...
is for instance a method of achieving complete branch coverage without achieving complete path coverage.
Methods for practical path coverage testing instead attempt to identify classes of code paths that differ only in the number of loop executions, and to achieve "basis path" coverage the tester must cover all the path classes.
In practice
The target software is built with special options or libraries and run under a controlled environment, to map every executed function to the function points in the source code. This allows testing parts of the target software that are rarely or never accessed under normal conditions, and helps reassure that the most important conditions (function points) have been tested. The resulting output is then analyzed to see what areas of code have not been exercised and the tests are updated to include these areas as necessary. Combined with other test coverage methods, the aim is to develop a rigorous, yet manageable, set of regression tests.
In implementing test coverage policies within a software development environment, one must consider the following:
* What are coverage requirements for the end product certification and if so what level of test coverage is required? The typical level of rigor progression is as follows: Statement, Branch/Decision,
Modified Condition/Decision Coverage Modified condition/decision coverage (MC/DC) is a code coverage criterion used in software testing.
Overview
MC/DC requires all of the below during testing:
#Each entry and exit point is invoked
#Each decision takes every possible outcome
#Each co ...
(MC/DC), LCSAJ (
Linear Code Sequence and Jump Linear code sequence and jump (LCSAJ), in the broad sense, is a software analysis method used to identify structural units in code under test. Its primary use is with dynamic software analysis to help answer the question "How much testing is enough ...
)
* Will coverage be measured against tests that verify requirements levied on the system under test (
DO-178B
DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RT ...
)?
* Is the object code generated directly traceable to source code statements? Certain certifications, (i.e. DO-178B Level A) require coverage at the assembly level if this is not the case: "Then, additional verification should be performed on the object code to establish the correctness of such generated code sequences" (
DO-178B
DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RT ...
) para-6.4.4.2.
Software authors can look at test coverage results to devise additional tests and input or configuration sets to increase the coverage over vital functions. Two common forms of test coverage are statement (or line) coverage and branch (or edge) coverage. Line coverage reports on the execution footprint of testing in terms of which lines of code were executed to complete the test. Edge coverage reports which branches or code decision points were executed to complete the test. They both report a coverage metric, measured as a percentage. The meaning of this depends on what form(s) of coverage have been used, as 67% branch coverage is more comprehensive than 67% statement coverage.
Generally, test coverage tools incur computation and logging in addition to the actual program thereby slowing down the application, so typically this analysis is not done in production. As one might expect, there are classes of software that cannot be feasibly subjected to these coverage tests, though a degree of coverage mapping can be approximated through analysis rather than direct testing.
There are also some sorts of defects which are affected by such tools. In particular, some
race condition
A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of t ...
s or similar
real time
Real-time or real time describes various operations in computing or other processes that must guarantee response times within a specified time (deadline), usually a relatively short time. A real-time process is generally one that happens in defined ...
sensitive operations can be masked when run under test environments; though conversely, some of these defects may become easier to find as a result of the additional overhead of the testing code.
Most professional software developers use C1 and C2 coverage. C1 stands for statement coverage and C2 for branch or condition coverage. With a combination of C1 and C2, it is possible to cover most statements in a code base. Statement coverage would also cover function coverage with entry and exit, loop, path, state flow, control flow and data flow coverage. With these methods, it is possible to achieve nearly 100% code coverage in most software projects.
Usage in industry
Test coverage is one consideration in the safety certification of avionics equipment. The guidelines by which avionics gear is certified by the
Federal Aviation Administration
The Federal Aviation Administration (FAA) is the largest transportation agency of the U.S. government and regulates all aspects of civil aviation in the country as well as over surrounding international waters. Its powers include air traffic m ...
(FAA) is documented in
DO-178B
DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RT ...
[RTCA/]DO-178B
DO-178B, Software Considerations in Airborne Systems and Equipment Certification is a guideline dealing with the safety of safety-critical software used in certain airborne systems. It was jointly developed by the safety-critical working group RT ...
, ''Software Considerations in Airborne Systems and Equipment Certification, Radio Technical Commission for Aeronautics,'' December 1, 1992 and
DO-178C
DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The do ...
.
[RTCA/]DO-178C
DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The do ...
, ''Software Considerations in Airborne Systems and Equipment Certification, Radio Technical Commission for Aeronautics,'' January, 2012.
Test coverage is also a requirement in part 6 of the automotive safety standard
ISO 26262
ISO 26262, titled "Road vehicles – Functional safety", is an international standard for functional safety of electrical and/or electronic systems that are installed in serial production road vehicles (excluding mopeds), defined by the Interna ...
''Road Vehicles - Functional Safety''.
See also
*
Cyclomatic complexity
Cyclomatic complexity is a software metric used to indicate the complexity of a program. It is a quantitative measure of the number of linearly independent paths through a program's source code. It was developed by Thomas J. McCabe, Sr. in 1976 ...
*
Intelligent verification
{{Use American English, date = April 2019
Intelligent Verification, including intelligent testbench automation, is a form of functional verification of electronic hardware designs used to verify that a design conforms to specification before devic ...
*
Linear Code Sequence and Jump Linear code sequence and jump (LCSAJ), in the broad sense, is a software analysis method used to identify structural units in code under test. Its primary use is with dynamic software analysis to help answer the question "How much testing is enough ...
*
Modified Condition/Decision Coverage Modified condition/decision coverage (MC/DC) is a code coverage criterion used in software testing.
Overview
MC/DC requires all of the below during testing:
#Each entry and exit point is invoked
#Each decision takes every possible outcome
#Each co ...
*
Mutation testing
Mutation testing (or ''mutation analysis'' or ''program mutation'') is used to design new software tests and evaluate the quality of existing software tests. Mutation testing involves modifying a program in small ways. Each mutated version is call ...
*
Regression testing
Regression testing (rarely, ''non-regression testing'') is re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change. If not, that would be called a '' regre ...
*
Software metric
In software engineering and development, a software metric is a standard of measure of a degree to which a software system or process possesses some property. Even if a metric is not a measurement (metrics are functions, while measurements are t ...
*
Static code analysis
In computer science, static program analysis (or static analysis) is the analysis of computer programs performed without executing them, in contrast with dynamic program analysis, which is performed on programs during their execution.
The term i ...
*
White box testing
White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality ...
*
Java code coverage tools Java code coverage tools are of two types: first, tools that add statements to the Java source code and require its recompilation. Second, tools that instrument the bytecode, either before or during execution. The goal is to find out which parts of ...
References
{{DEFAULTSORT:Code Coverage
Software metrics
Software testing tools