Modified Condition and Decision Coverage in Simulink Design Verifier
Depending on the settings you apply for Simulink® Coverage™ coverage recording, there can be a difference between the definition of modified condition and decision (MCDC) coverage used for model coverage analysis in Simulink Coverage and the definition used for test case generation analysis in Simulink Design Verifier™.
MCDC Definitions for Simulink Coverage and Simulink Design Verifier
Simulink Design Verifier and Simulink Coverage represent MCDC objectives in two different ways:
Simulink Coverage treats each condition of a logical expression as an MCDC objective.
Simulink Design Verifier treats the true and false halves of each independence pair as separate MCDC objectives.
The Simulink Design Verifier Results window shows Justified for any justified MCDC objectives. Click on the corresponding View link to see the filter rule in the Simulink Design Verifier Analysis Filter window.
Unsatisfiable or undecided MCDC objectives include a Justify link. Click on this link to create a corresponding filter rule. Because every MCDC objective in Simulink Coverage corresponds to two MCDC objectives in Simulink Design Verifier, the Simulink Design Verifier MCDC objectives are justified in pairs.
For example, in the image below, when you click on the Justify
link for the MCDC expression expression for output with input port 4 false, creates a filter rule that justifies
this MCDC objective as well as the MCDC objective for when that expression is
true.
Simulink
Design Verifier always uses the masking MCDC definition for test case generation. By
default, Simulink
Coverage also uses the masking MCDC definition when recording coverage. However, if
you set the CovMcdcMode model configuration parameter to
'UniqueCause', Simulink
Coverage instead uses the unique-cause MCDC definition when recording coverage. For
information on the differences between the masking MCDC definition and the unique-cause
MCDC definition, see Modified Condition and Decision Coverage (MCDC) Definitions in Simulink Coverage (Simulink Coverage).
Setting the CovMcdcMode model configuration parameter to
'UniqueCause' can result in differences between MCDC reporting in
Simulink
Coverage and test generation in Simulink
Design Verifier. An example of this difference can be seen in analysis results for logical
expressions containing a mixture of AND and OR
operators, as in this Stateflow® transition.
![Stateflow transition 1 condition [(A && B) || C] that sets {out = 1;}. Transition 2 does not have a condition and sets {out = 0;}.](mcdcdiff_transition.png)
Given that A, B, and C are
each separate inputs, there are five possible ways to evaluate the condition on the
Stateflow transition, shown in the following table.
A | B | C | (A && B) || C | |
|---|---|---|---|---|
| 1 | F | x | F | F |
| 2 | F | x | T | T |
| 3 | T | F | F | F |
| 4 | T | F | T | T |
| 5 | T | T | x | T |
Satisfying MCDC for a Boolean variable requires a pair of condition evaluations,
showing that a change in that variable alone changes the evaluation of the entire
expression. In this example, MCDC can be satisfied for C with either
the pair 1, 2 or the pair 3, 4. In both of those cases, the value of the expression
changed because the value of C changed, while
all other variable values stayed the same.
Each pair has a different set of values for A and
B which are held constant, but each pair contains one evaluation
where C and out are true and one evaluation where
C and out are false. To satisfy MCDC for
C, Simulink
Design Verifier test generation analysis accepts any
pair containing one evaluation of true values and one evaluation of false values for
C and out. In this example, Simulink
Design Verifier test generation analysis accepts not only pair 1, 2 and pair 3, 4 but also
pair 1, 4 and pair 2, 3. Simulink
Coverage model coverage analysis using the unique-cause MCDC definition is
satisfied only by pair 1, 2 or by pair 3, 4.
The preceding example assumes that A, B, and
C are all separate inputs.
When input A is constrained to be the same value as
C, as in this model, only a subset of condition evaluations are
possible.
This subset of condition evaluations for the Stateflow transition is shown in the following table.
A | B | C | (A && B) || C | |
|---|---|---|---|---|
| 1 | F | x | F | F |
| 4 | T | F | T | T |
| 5 | T | T | x | T |
Evaluations 2 and 3 are no longer possible, so
neither pair 1, 2 nor pair 3, 4 is possible. As a result, unique-cause MCDC for
C can no longer be satisfied
in Simulink
Coverage model coverage analysis. Since pair 1, 4 is still possible, however,
Simulink
Design Verifier test generation analysis reports that MCDC for C is
satisfiable.
The complexity of MCDC analysis for logical expressions with a mixture of
AND and OR operators causes this difference
between results from Simulink
Coverage set to unique-cause MCDC analysis and Simulink
Design Verifier. The default CovMcdcMode model configuration parameter
value of 'Masking' does not cause this discrepancy. However, if you
require the use of unique-cause MCDC analysis in Simulink
Coverage, you can minimize this effect by using the
IndividualObjectives test suite optimization for test
generation analysis in Simulink
Design Verifier For more information, see the Tip section of Test suite optimization.
Related Topics
You can also select a web site from the following list
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)
Asia Pacific
- Australia (English)
- India (English)
- New Zealand (English)
- 中国
- 日本Japanese (日本語)
- 한국Korean (한국어)