Your browser does not support JavaScript! Skip to main content
Free 30-day trial DO-178C Handbook RapiCoupling Preview DO-178C Multicore Training Multicore Resources
Rapita Systems
 

Industry leading verification tools & services

Rapita Verification Suite (RVS)

  RapiTest - Unit/system testing  RapiCover - Structural coverage analysis  RapiTime - Timing analysis (inc. WCET)  RapiTask - Scheduling visualization  RapiCoverZero - Zero footprint coverage analysis  RapiTimeZero - Zero footprint timing analysis  RapiTaskZero - Zero footprint scheduling analysis  RapiCouplingPreview - DCCC analysis

Multicore Verification

  MACH178  MACH178 Foundations  Multicore Timing Solution  RapiDaemons

Engineering Services

  V&V Services  Data Coupling & Control Coupling  Object code verification  Qualification  Training  Consultancy  Tool Integration  Support

Industries

  Civil Aviation (DO-178C)   Automotive (ISO 26262)   Military & Defense   Space

Other

RTBx Mx-Suite Software licensing Product life cycle policy RVS Assurance issue policy RVS development roadmap

Latest from Rapita HQ

Latest news

SAIF Autonomy to use RVS to verify their groundbreaking AI platform
RVS 3.22 Launched
Hybrid electric pioneers, Ascendance, join Rapita Systems Trailblazer Partnership Program
Magline joins Rapita Trailblazer Partnership Program to support DO-178 Certification
View News

Latest from the Rapita blog

How to certify multicore processors - what is everyone asking?
Data Coupling Basics in DO-178C
Control Coupling Basics in DO-178C
Components in Data Coupling and Control Coupling
View Blog

Latest discovery pages

control_tower DO-278A Guidance: Introduction to RTCA DO-278 approval
Picture of a car ISO 26262
DCCC Image Data Coupling & Control Coupling
Additional Coe verification thumb Verifying additional code for DO-178C
View Discovery pages

Upcoming events

Avionics and Testing Innovations 2025
2025-05-20
DASC 2025
2025-09-14
DO-178C Multicore In-person Training (Fort Worth, TX)
2025-10-01
DO-178C Multicore In-person Training (Toulouse)
2025-11-04
View Events

Technical resources for industry professionals

Latest White papers

Mitigation of interference in multicore processors for A(M)C 20-193
Sysgo WP
Developing DO-178C and ED-12C-certifiable multicore software
DO178C Handbook
Efficient Verification Through the DO-178C Life Cycle
View White papers

Latest Videos

Rapita Systems - Safety Through Quality
Simulation for the Motorola 68020 microprocessor with Sim68020
AI-driven Requirements Traceability for Faster Testing and Certification
Multicore software verification with RVS 3.22
View Videos

Latest Case studies

GMV case study front cover
GMV verify ISO26262 automotive software with RVS
Kappa: Verifying Airborne Video Systems for Air-to-Air Refueling using RVS
Supporting DanLaw with unit testing and code coverage analysis for automotive software
View Case studies

Other Resources

 Webinars

 Brochures

 Product briefs

 Technical notes

 Research projects

 Multicore resources

Discover Rapita

Who we are

The company menu

  • About us
  • Customers
  • Distributors
  • Locations
  • Partners
  • Research projects
  • Contact us

US office

+1 248-957-9801
info@rapitasystems.com
Rapita Systems, Inc.
41131 Vincenti Ct.
Novi
MI 48375
USA

UK office

+44 (0)1904 413945
info@rapitasystems.com
Rapita Systems Ltd.
Atlas House
Osbaldwick Link Road
York, YO10 3JB
UK

Spain office

+34 93 351 02 05
info@rapitasystems.com
Rapita Systems S.L.
Parc UPC, Edificio K2M
c/ Jordi Girona, 1-3
Barcelona 08034
Spain

Working at Rapita

Careers

Careers menu

  • Current opportunities & application process
  • Working at Rapita
Back to Top Contact Us

Code coverage without instrumentation

Breadcrumb

  1. Home
Thomas Yau
2018-10-18

Typically, to collect structural coverage results from software tests, you apply instrumentation to source code. But what if you can't apply instrumentation (because you only have access to object code), or just don't want to (to reduce instrumentation overheads and ensure that what you test is what you deploy)?

In this blog, we'll explore some methods we’ve been developing to perform instrumentationless code coverage analysis by using branch traces – traces generated from program execution that contain information on which branches were taken. The methods include one using a machine emulator (QEMU), and another using hardware (Intel Processor Trace).

Zero-instrumentation coverage on an emulator

We modified QEMU, an open source machine emulator that supports multiple popular operating systems, to collect coverage without instrumentation. To do this, we made the emulator produce a branch trace when it runs, which we can later parse to determine which elements of the object code were executed.

We compile the test program to an ELF file, so it runs “bare metal”, without an OS. If we didn’t do this, the generated trace would contain all the branches that executed in the kernel as well as in our program, and we would have to remove this data from the trace before subsequent processing.

We then run the trace through RapiCover to produce a coverage report. Figure 1 demonstrates the overall process on a snippet of code from the project.

Zero-instrumentation coverage on hardware

Okay, so we can collect coverage data without instrumentation from a simulator we have full control over – can we do the same from physical hardware, where we don’t have that control?

To explore this, we used Intel Processor Trace (IPT), a feature built into newer Intel chipsets that lets you collect branch trace information from CPU cores.

We turn on IPT via the Linux perf tool, and then run our program. Next, we use the IPT C library to decode the output data and produce a branch trace in a format that our tools can read.

IPT compresses data to reduce performance overheads, storing only whether each branch is taken or not. We can’t use the compressed data directly, as it isn't clear which branch is taken. To restore this information, we disassemble the program, generate a control flow graph (CFG) from the disassembly, and match elements in the CFG to the IPT trace.

Again, we use RapiCover to analyze the results. Figure 2 shows the overall process.

Figure 2. Process for collecting coverage via Intel Processor Trace

Closing remarks

A benefit of using branch traces to analyze structural coverage is that it means we can collect coverage from any executable written in any language, as long as we can obtain a disassembly of the object code. The programs we used while developing the Intel Processor Trace method, for example, were written in assembly language!

We’re continuing to explore new methods to collect coverage data with zero instrumentation. If you’re interested in obtaining zero-instrumentation coverage of your code, contact us to see how we can help.

DO-178C webinars

DO178C webinars

White papers

Mitigation of interference in multicore processors for A(M)C 20-193
Sysgo WP Developing DO-178C and ED-12C-certifiable multicore software
DO178C Handbook Efficient Verification Through the DO-178C Life Cycle
A Commercial Solution for Safety-Critical Multicore Timing Analysis

Related blog posts

False positive and false negative in software testing

.
2019-05-22

1000 conditions per decision ought to be enough for anybody

.
2019-01-28

Merging coverage data from multiple test runs

.
2017-01-31

How do I demonstrate the safe use of instrumented source code analysis?

.
2015-08-21

Pagination

  • Current page 1
  • Page 2
  • Page 3
  • Page 4
  • Page 5
  • Page 6
  • Next page Next ›
  • Last page Last »
  • Solutions
    • Rapita Verification Suite
    • RapiTest
    • RapiCover
    • RapiTime
    • RapiTask
    • MACH178

    • Verification and Validation Services
    • Qualification
    • Training
    • Integration
  • Latest
  • Latest menu

    • News
    • Blog
    • Events
    • Videos
  • Downloads
  • Downloads menu

    • Brochures
    • Webinars
    • White Papers
    • Case Studies
    • Product briefs
    • Technical notes
    • Software licensing
  • Company
  • Company menu

    • About Rapita
    • Careers
    • Customers
    • Distributors
    • Industries
    • Locations
    • Partners
    • Research projects
    • Contact
  • Discover
    • Multicore Timing Analysis
    • Embedded Software Testing Tools
    • Worst Case Execution Time
    • WCET Tools
    • Code coverage for Ada, C & C++
    • MC/DC Coverage
    • Verifying additional code for DO-178C
    • Timing analysis (WCET) & Code coverage for MATLAB® Simulink®
    • Data Coupling & Control Coupling
    • Aerospace Software Testing
    • Automotive Software Testing
    • Certifying eVTOL
    • DO-178C
    • AC 20-193 and AMC 20-193
    • ISO 26262
    • What is CAST-32A?

All materials © Rapita Systems Ltd. 2025 - All rights reserved | Privacy information | Trademark notice Subscribe to our newsletter