Modified Condition and Decision Coverage in Simulink Design Verifier

Depending on the settings you apply for Simulink® Coverage™ coverage recording, there can be a difference between the definition of modified condition and decision (MCDC) coverage used for model coverage analysis in Simulink Coverage and the definition used for test case generation analysis in Simulink Design Verifier™.

MCDC Definitions for Simulink Coverage and Simulink Design Verifier

Simulink Design Verifier and Simulink Coverage represent MCDC objectives in two different ways:

  • Simulink Coverage treats each condition of a logical expression as an MCDC objective.

  • Simulink Design Verifier treats the true and false halves of each independence pair as separate MCDC objectives.

The Simulink Design Verifier Results window shows Justified for any justified MCDC objectives. Click on the corresponding View link to see the filter rule in the Simulink Design Verifier Analysis Filter window.

Unsatisfiable or undecided MCDC objectives include a Justify link. Click on this link to create a corresponding filter rule. Because every MCDC objective in Simulink Coverage corresponds to two MCDC objectives in Simulink Design Verifier, the Simulink Design Verifier MCDC objectives are justified in pairs.

For example, in the image below, clicking the Justify link for the MCDC expression "expression for output with input port 4 false" creates a filter rule that justifies this MCDC objective as well as the MCDC objective for when that expression is true.

On the left, the Simulink Design Verifier Results window shows results for the model analyzed. On the right, the Analysis Filter window shows justified MCDC outcomes and their rationales.

Simulink Design Verifier always uses the masking MCDC definition for test case generation. By default, Simulink Coverage also uses the masking MCDC definition when recording coverage. However, if you set the CovMcdcMode model configuration parameter to 'UniqueCause', Simulink Coverage instead uses the unique-cause MCDC definition when recording coverage. For information on the differences between the masking MCDC definition and the unique-cause MCDC definition, see Modified Condition and Decision Coverage (MCDC) Definitions in Simulink Coverage.

Setting the CovMcdcMode model configuration parameter to 'UniqueCause' can result in differences between MCDC reporting in Simulink Coverage and test generation in Simulink Design Verifier. An example of this difference can be seen in analysis results for logical expressions containing a mixture of AND and OR operators, as in this Stateflow® transition.

Stateflow transition 1 condition [(A && B) || C] that sets {out = 1;}. Transition 2 does not have a condition and sets {out = 0;}.

Given that A, B, and C are each separate inputs, there are five possible ways to evaluate the condition on the Stateflow transition, shown in the following table.

Evaluation   A   B   C   (A && B) || C
1            F   x   F   F
2            F   x   T   T
3            T   F   F   F
4            T   F   T   T
5            T   T   x   T

Satisfying MCDC for a Boolean variable requires a pair of condition evaluations, showing that a change in that variable alone changes the evaluation of the entire expression. In this example, MCDC can be satisfied for C with either the pair 1, 2 or the pair 3, 4. In both of those cases, the value of the expression changed because the value of C changed, while all other variable values stayed the same.

Each pair has a different set of values for A and B which are held constant, but each pair contains one evaluation where C and out are true and one evaluation where C and out are false. To satisfy MCDC for C, Simulink Design Verifier test generation analysis accepts any pair containing one evaluation of true values and one evaluation of false values for C and out. In this example, Simulink Design Verifier test generation analysis accepts not only pair 1, 2 and pair 3, 4 but also pair 1, 4 and pair 2, 3. Simulink Coverage model coverage analysis using the unique-cause MCDC definition is satisfied only by pair 1, 2 or by pair 3, 4.

The preceding example assumes that A, B, and C are all separate inputs. When input A is constrained to be the same value as C, as in this model, only a subset of condition evaluations are possible.

This subset of condition evaluations for the Stateflow transition is shown in the following table.

Evaluation   A   B   C   (A && B) || C
1            F   x   F   F
4            T   F   T   T
5            T   T   x   T

Evaluations 2 and 3 are no longer possible, so neither pair 1, 2 nor pair 3, 4 is possible. As a result, unique-cause MCDC for C can no longer be satisfied in Simulink Coverage model coverage analysis. Since pair 1, 4 is still possible, however, Simulink Design Verifier test generation analysis reports that MCDC for C is satisfiable.
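The two scenarios above (independent inputs, then A constrained to equal C) can be reproduced with a short enumeration. This is an added example, not MathWorks code: it is a simplified model of the unique-cause and masking definitions as this page describes them, and the function names are this example's own.

```python
from itertools import combinations, product

F, T, X = False, True, None   # X marks a condition skipped by short-circuiting
# Row numbers follow the page's table of evaluations for (A && B) || C.
ROW = {(F, X, F): 1, (F, X, T): 2, (T, F, F): 3, (T, F, T): 4, (T, T, X): 5}

def decision(a, b, c):
    """Return (outcome, evaluation vector) with short-circuit evaluation."""
    if not a:
        return c, (a, X, c)      # A false: B is never evaluated
    if b:
        return T, (a, b, X)      # A && B true: C is never evaluated
    return c, (a, b, c)

def reachable(constraint=lambda a, b, c: True):
    """Outcome per evaluation vector, over the inputs the constraint allows."""
    return {vec: out for a, b, c in product((F, T), repeat=3)
            if constraint(a, b, c) for out, vec in [decision(a, b, c)]}

def affects(vec, i):
    """Masking test: condition i was evaluated and toggling it alone flips the outcome."""
    if vec[i] is X:
        return False
    for fill in product((F, T), repeat=vec.count(X)):   # skipped conditions are don't-cares
        it = iter(fill)
        vals = [next(it) if v is X else v for v in vec]
        flipped = vals[:i] + [not vals[i]] + vals[i + 1:]
        if decision(*vals)[0] != decision(*flipped)[0]:
            return True
    return False

def independence_pairs(rows, i, mode):
    """Row-number pairs showing condition i's independent effect ('unique' or 'masking')."""
    pairs = []
    for u, v in combinations(sorted(rows, key=ROW.get), 2):
        if X in (u[i], v[i]) or u[i] == v[i] or rows[u] == rows[v]:
            continue
        if mode == "unique":     # every other condition must be recorded identically
            ok = all(u[j] == v[j] for j in range(3) if j != i)
        else:                    # masking: other conditions may differ
            ok = affects(u, i) and affects(v, i)
        if ok:
            pairs.append((ROW[u], ROW[v]))
    return pairs

C = 2   # index of condition C in the evaluation vector
for name, rows in (("free", reachable()), ("A == C", reachable(lambda a, b, c: a == c))):
    for mode in ("unique", "masking"):
        print(name, mode, independence_pairs(rows, C, mode))
```

With A tied to C, the unique-cause list for C is empty while the masking list still contains the pair 1, 4, which is the reporting gap the text describes.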

The complexity of MCDC analysis for logical expressions with a mixture of AND and OR operators causes this difference between results from Simulink Coverage set to unique-cause MCDC analysis and Simulink Design Verifier. The default CovMcdcMode model configuration parameter value of 'Masking' does not cause this discrepancy. However, if you require the use of unique-cause MCDC analysis in Simulink Coverage, you can minimize this effect by using the IndividualObjectives test suite optimization for test generation analysis in Simulink Design Verifier. For more information, see the Tip section of Test suite optimization (Simulink Design Verifier).

Related Topics

  • MCDC (Simulink Design Verifier)