Skip to main content
RapiTest - Functional testing for critical software
RapiCover - Low-overhead coverage analysis for critical software
RapiTime - In-depth execution time analysis for critical software
RapiTask - RTOS scheduling visualization
RVS Qualification Kits - Tool qualification for DO-178 B/C and ISO 26262 projects
RapiCouplingPreview - DCCC analysis
MACH178 - Multicore Avionics Certification for High-integrity DO-178C projects
MACH178 Foundations - Lay the groundwork for A(M)C 20-193 compliance
RapiDaemons - Analyze interference in multicore systems
RTBx - The ultimate data logging solution
Sim68020 - Simulation for the Motorola 68020 microprocessor
Data Coupling & Control Coupling
Training
Consultancy
Tool Integration
Support
RVS 3.23 Launched
Rapita System Announces New Distribution Partnership with COONTEC
Rapita partners with Asterios Technologies to deliver solutions in multicore certification
SAIF Autonomy to use RVS to verify their groundbreaking AI platform
How to measure stack usage through stack painting with RapiTest
What does AMACC Rev B mean for multicore certification?
How emulation can reduce avionics verification costs: Sim68020
Multicore timing analysis: to instrument or not to instrument
How to achieve multicore DO-178C certification with Rapita Systems
How to achieve DO-178C certification with Rapita Systems
Certifying Unmanned Aircraft Systems
DO-278A Guidance: Introduction to RTCA DO-278 approval
DO-178C Multicore In-person Training (Toulouse)
HISC 2025
In a recent "Daily WTF" I saw an example of "over-defensive programming" (http://thedailywtf.com/Articles/ButAnything-Can-Happen!.aspx) - one section stood out as interesting:
The "else if"
if (a < 10 && b >= 30 && c != null)
{
myFunctionA();
}
else if (a > 10 || b < 30 || c == null)
{
myFunctionB();
}
Was MC/DC a useful technique to use to show that this mistake had happened?
As a starting point, I put together four test vectors that provided complete modified decision/condition coverage of the first statement, which included three conditions:
To achieve MC/DC, there needed to be a pair of vectors for each condition that change the state of the condition:
Running the test with the four test vectors gave me 100% MC/DC on the “if” part of the code, but 0% on the “else if” part. However, the report did show that three test vectors were considered by the analysis for the "else if" part:
To achieve complete MC/DC for the second part, one more test vector is required: one where all three conditions are false. Looking at the statement, we see that the only case that could work is a=10, b >= 30 and c != NULL. Repeating the analysis with this vector gives us complete coverage.
This also leads to the final (implicit) else being covered:
If Doug had coded the "else if" part correctly, it simply wouldn't have been possible to achieve 100% MC/DC on this structure – there would be no test vector where the "else if" could be false.
So it seems that MC/DC was (indirectly) useful in showing the mistake in the code.
What other lessons can we draw from this?
- It is possible to write code that (if implemented correctly) makes it impossible to get 100% MC/DC. If you are working in an environment where you need to achieve 100% MC/DC, you need to be aware of this, and avoid this particular bear trap.
- The need to achieve high levels of MC/DC causes us to look very hard at tricky parts of the code. This is a Good Thing, and is one of the underlying reasons for DO-178B recommending the use of MC/DC for high-criticality software.
DO-178C webinars
White papers
Mitigation of interference in multicore processors for A(M)C 20-193
Developing DO-178C and ED-12C-certifiable multicore software
Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis
