EQ-Robin: Constraint-Resilient Generation of Multiple Minimal Unique-Cause MC/DC Test Suites

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Unique-Cause Modified Condition/Decision Coverage (MC/DC) is widely required in safety-critical verification. A recent deterministic algorithm, Robin’s Rule, constructs the theoretical minimum of N+1 test cases for Singular Boolean Expressions (SBEs), providing strong guarantees when all generated test vectors are executable. However, industrial systems impose feasibility constraints: some input combinations are illegal, unachievable, or unsafe to execute. If a single illegal vector appears in a minimal suite, it can destroy a required independence pair and invalidate 100% Unique-Cause MC/DC, even though the underlying decision logic remains unchanged. This paper presents EQ-Robin, a lightweight, constraint-resilient pipeline that generates a family of minimal (N+1) Unique-Cause MC/DC test suites and selects a feasible suite that satisfies domain constraints. EQ-Robin systematically enumerates semantically equivalent but structurally distinct SBEs by applying algebraic rearrangements on the expression’s Abstract Syntax Tree (AST). Because Robin’s Rule is sensitive to structural order, each variant yields a distinct minimal suite. EQ-Robin then filters and ranks candidate suites using practical constraint checks and cost heuristics (e.g., setup cost, oracle complexity). To ensure usability at scale, we introduce a budgeted exploration mode (early exit, guided rearrangement) and a fallback repair strategy when no fully feasible N+1 suite exists under given constraints. We demonstrate the core failure mode and recovery mechanism on a TCAS-II-derived expression and outline an empirical evaluation of EQ-Robin on TCAS-II SBEs under constraint scenarios representative of industrial feasibility limitations.


💡 Research Summary

The paper addresses a critical gap in the automation of Unique‑Cause Modified Condition/Decision Coverage (MC/DC) for safety‑critical software. While Robin’s Rule provides a deterministic construction of the theoretical minimum of N + 1 test cases for Singular Boolean Expressions (SBEs), it assumes that every generated vector can be executed. In real‑world industrial contexts, many input combinations are illegal, infeasible, or prohibitively expensive, and the presence of even a single such vector in a minimal suite can break the required independence pair for a condition, invalidating 100 % Unique‑Cause MC/DC.

EQ‑Robin is introduced as a lightweight, constraint‑resilient pipeline that systematically generates multiple minimal (N + 1) test suites and selects one that satisfies domain constraints. The core insight is that the same Boolean function can be represented by many syntactically different but semantically equivalent SBEs. Because Robin’s Rule is sensitive to the structural ordering and grouping of operators in the abstract syntax tree (AST), each variant can yield a distinct minimal suite. By enumerating these variants, EQ‑Robin creates a design‑space of alternative suites that may avoid illegal vectors.

The pipeline consists of three phases.

  1. Equivalent‑SBE Generation – The input SBE is parsed into an AST. Algebraic rearrangements using commutativity and associativity (but deliberately excluding distributivity to control combinatorial explosion) are applied to produce structurally distinct trees. Each tree is normalized, serialized into a canonical form, and deduplicated via hashing. A user‑defined budget K limits the number of variants explored, providing predictable runtime.
  2. Minimal Suite Generation – For every variant, Robin’s Rule is invoked, guaranteeing a suite of exactly N + 1 vectors. Structural differences lead to different independence pairs, thus offering alternative ways to satisfy Unique‑Cause requirements.
  3. Feasibility Filtering & Ranking – Each suite is checked against a feasibility predicate Feasible(v). Suites containing any infeasible vector are discarded. In the default “early‑stop” mode, the first fully feasible suite is returned immediately, matching industrial needs for rapid turnaround. When multiple feasible suites are collected, a weighted cost model (setup cost, oracle complexity, execution time) ranks them and selects the lowest‑score candidate.

If no fully feasible N + 1 suite is found within the budget, EQ‑Robin falls back to a repair strategy: it returns the best partially feasible suite together with a minimal augmentation plan that adds the fewest extra vectors needed to restore the missing independence pairs. This ensures that even under severe constraints the engineer receives actionable output rather than a binary failure.

The authors demonstrate the failure mode with a TCAS‑II‑derived expression: a single illegal vector (Test 4) destroys the independence pair for condition a, so the original Robin suite no longer achieves full coverage even though the decision logic is unchanged. EQ‑Robin's AST rearrangements then yield a different minimal suite that excludes the illegal vector, preserving the N + 1 size and restoring full Unique‑Cause MC/DC.
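To make the three pipeline phases and the failure mode concrete, here is a small Python model of the approach. It is an added illustration, not the paper's code: the N + 1 construction used is the standard recursive unique‑cause construction for singular expressions (representative rows taken from the left child first), which stands in for Robin's Rule because the summary does not give that rule's exact construction; the `&`/`|`/`!` grammar, all function names, the expression `a & (b | c)`, and the illegal inputs (a=0,b=1,c=0, and in the second scenario also a=0,b=0,c=1) are assumptions constructed for the example. Distributivity is deliberately left out of the rewrite set, as in the paper.

```python
# Toy EQ-Robin-style pipeline (added illustration, not the paper's implementation): enumerate
# equivalent SBE trees, build an N+1 unique-cause suite per tree, return the first fully
# feasible suite, else repair the least-infeasible one.
import re
from itertools import combinations, product

def parse(text):
    # Recursive-descent parser:  a & (b | !c)  ->  nested ('and'|'or'|'not'|'var', ...) tuples
    toks = re.findall(r"\w+|[&|!()]", text)
    def level(i, op, sym, below):                      # left-assoc chain of `sym` over `below`
        node, i = below(i)
        while i < len(toks) and toks[i] == sym:
            rhs, i = below(i + 1); node = (op, node, rhs)
        return node, i
    def factor(i):                                     # '!' factor | '(' expr ')' | name
        if toks[i] == '!':
            node, i = factor(i + 1); return ('not', node), i
        if toks[i] == '(':
            node, i = expr(i + 1); return node, i + 1   # i + 1 skips ')'
        return ('var', toks[i]), i + 1
    term = lambda i: level(i, 'and', '&', factor)
    expr = lambda i: level(i, 'or', '|', term)
    node, i = expr(0)
    assert i == len(toks), "trailing tokens"
    return node

def evaluate(node, env):
    if node[0] == 'var': return env[node[1]]
    if node[0] == 'not': return not evaluate(node[1], env)
    l, r = evaluate(node[1], env), evaluate(node[2], env)
    return (l and r) if node[0] == 'and' else (l or r)

def variables(node):
    return [node[1]] if node[0] == 'var' else sum((variables(c) for c in node[1:]), [])

def build_suite(node):
    # Deterministic N+1 unique-cause construction for a singular expression -> (rows, true_row,
    # false_row). Representative rows come from the LEFT child first, so swapping or re-associating
    # children changes which rows get shared: that is the structural sensitivity being exploited.
    if node[0] == 'var':
        return [{node[1]: True}, {node[1]: False}], {node[1]: True}, {node[1]: False}
    if node[0] == 'not':
        rows, t, f = build_suite(node[1]); return rows, f, t
    (ls, lt, lf), (rs, rt, rf) = build_suite(node[1]), build_suite(node[2])
    if node[0] == 'and':   # exercise each side with the other held TRUE; the all-true row is shared
        rows = [{**v, **rt} for v in ls] + [{**lt, **v} for v in rs if v != rt]
        return rows, {**lt, **rt}, {**lf, **rt}
    rows = [{**v, **rf} for v in ls] + [{**lf, **v} for v in rs if v != rf]   # 'or': hold FALSE
    return rows, {**lt, **rf}, {**lf, **rf}

def mcdc_pairs(node, rows):
    # Independence pair (row indices) per condition, or None when the pair is missing.
    names, out, pairs = variables(node), [evaluate(node, r) for r in rows], {}
    for x in names:
        pairs[x] = next(((i, j) for i, j in combinations(range(len(rows)), 2)
                         if rows[i][x] != rows[j][x] and out[i] != out[j]
                         and all(rows[i][y] == rows[j][y] for y in names if y != x)), None)
    return pairs

def rewrites(node):
    # One-step commutativity / associativity rewrites anywhere in the tree (no distributivity).
    if node[0] == 'var': return
    if node[0] == 'not':
        yield from (('not', c) for c in rewrites(node[1])); return
    op, l, r = node
    yield (op, r, l)                                   # x op y -> y op x
    if l[0] == op: yield (op, l[1], (op, l[2], r))     # (x op y) op z -> x op (y op z)
    if r[0] == op: yield (op, (op, l, r[1]), r[2])     # x op (y op z) -> (x op y) op z
    for c in rewrites(l): yield (op, c, r)
    for c in rewrites(r): yield (op, l, c)

def equivalent_variants(root, budget):
    # Breadth-first enumeration of at most `budget` trees, deduplicated on the tuple form.
    seen, queue, out = {root}, [root], []
    while queue and len(out) < budget:
        node = queue.pop(0); out.append(node)
        for c in rewrites(node):
            if c not in seen: seen.add(c); queue.append(c)
    return out

def repair(node, rows, feasible):
    # Fallback: drop infeasible rows, then add the feasible pair needing the fewest new rows
    # for each condition still lacking one (exhaustive over all 2^N inputs; toy sizes only).
    names, kept, added = variables(node), [r for r in rows if feasible(r)], []
    space = [dict(zip(names, bits)) for bits in product([False, True], repeat=len(names))]
    for x in names:
        if mcdc_pairs(node, kept)[x]: continue
        cands = [(u, {**u, x: True}) for u in space if not u[x]]
        options = [[w for w in uv if w not in kept] for uv in cands
                   if all(map(feasible, uv)) and evaluate(node, uv[0]) != evaluate(node, uv[1])]
        if options: best = min(options, key=len); kept += best; added += best
    return kept, added

def eq_robin(expr, feasible, budget=20):
    # Early-stop mode: the first fully feasible N+1 suite wins; otherwise degrade gracefully.
    root, partial = parse(expr), None
    for variant in equivalent_variants(root, budget):
        rows = build_suite(variant)[0]
        n_bad = sum(not feasible(r) for r in rows)
        if n_bad == 0: return {'variant': variant, 'suite': rows, 'added': []}
        if partial is None or n_bad < partial[2]: partial = (variant, rows, n_bad)
    kept, added = repair(root, partial[1], feasible)
    return {'variant': partial[0], 'suite': kept, 'added': added}
```

For `a & (b | c)` the construction yields the four rows (a,b,c) = 110, 010, 100, 101; the row 010 is the illegal one, and it is exactly the partner of 110 in the independence pair for a. Calling `eq_robin("a & (b | c)", lambda r: r != {'a': False, 'b': True, 'c': False})` walks the variants in breadth-first order, rejects the original tree and the root-swapped tree (both still contain 010), and returns the suite for `a & (c | b)`, which uses 001 as the shared true row of the OR subtree and so covers all three conditions in four feasible rows. Banning both 010 and 001 leaves no fully feasible N + 1 variant; the fallback then keeps the three feasible rows of the best candidate and adds 011 and 111, two extra tests that restore the pair for a. Ranking by a cost model would replace the early return with a `min` over the collected feasible suites.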

The paper outlines, rather than reports, an empirical evaluation of EQ‑Robin on TCAS‑II SBEs under constraint scenarios representative of industrial feasibility limitations (illegal, unachievable, or unsafe input combinations). The natural questions for such an evaluation are how often a fully feasible N + 1 suite is found within the budget K, how much runtime the budgeted exploration costs per expression, and how many extra tests the fallback augmentation adds when no feasible minimal suite exists; the abstract does not state numeric results for these, so none are claimed here.

Key contributions are: (1) formalizing the industrial problem of feasibility‑constrained minimal MC/DC; (2) a systematic AST‑based method for enumerating unique structural variants of SBEs; (3) the EQ‑Robin pipeline that couples variant generation, deterministic minimal suite construction, and constraint‑aware selection; and (4) practical mechanisms for budgeted exploration and graceful degradation when constraints preclude any fully feasible minimal suite.

By leveraging structural diversity rather than heavy model‑checking or SAT‑based approaches, EQ‑Robin preserves the deterministic, transparent nature prized in safety‑critical toolchains while offering robustness against real‑world feasibility constraints. The work opens a new design dimension—controlled expression restructuring—for test generation, promising easier integration into existing verification pipelines and reducing manual effort to resolve infeasible test vectors. Future directions include extending the transformation set (e.g., controlled distributivity), handling multi‑objective constraints (time, resources), and large‑scale industrial case studies.

