3  Unit Testing for IoT Firmware

3.1 Learning Objectives

By the end of this chapter, you will be able to:

• Write Effective Unit Tests: Create unit tests for firmware logic using frameworks like Unity
• Mock Hardware Dependencies: Abstract and mock sensors, timers, and GPIO for testing
• Set Coverage Targets: Define appropriate coverage levels for different code criticality
• Implement Test-Driven Development: Apply TDD principles to embedded development

In 60 Seconds

Unit testing for IoT firmware validates individual functions and modules in isolation from hardware, enabling fast, automated regression detection. IoT firmware unit tests run on the host machine (x86/x64) using hardware abstraction layers with mocked peripherals. Frameworks like Unity (C), Ceedling (C with Unity+CMock), Catch2 (C++), and pytest with CFFI (Python bindings) enable TDD for embedded firmware. Well-structured unit tests serve as executable documentation and catch regressions within seconds rather than hours of hardware debugging.

import {InlineKnowledgeCheck} from "../assets/js/iotclass-inline-kc.js"

For Beginners: Unit Testing for IoT Firmware

Unit testing checks that individual components of your IoT system work correctly in isolation. Think of testing each ingredient in a recipe before combining them – if the flour is bad, you want to know before baking the whole cake. In IoT, unit tests verify that each sensor driver, algorithm, and communication module works as expected.

Sensor Squad: Testing One Piece at a Time

“Unit testing is like checking each ingredient before baking a cake!” said Max the Microcontroller. “You test the temperature conversion function: does Celsius to Fahrenheit produce the right answer? You test the MQTT payload formatter: does it create valid JSON? Each small piece is verified in isolation.”

Sammy the Sensor asked about hardware dependencies. “How do you test my sensor driver without real hardware?” Max explained, “Mocking! You create a fake version of the hardware interface that returns predictable values. When testing the temperature conversion, the mock always returns 25.0 degrees. This way, the test verifies the conversion math without needing a real sensor.”

Lila the LED described coverage. “Code coverage measures how much of your firmware has been tested. If your firmware has 100 functions and tests exercise 80 of them, you have 80% coverage. Safety-critical code like watchdog timers and fail-safe modes should have 100% coverage – no excuses.” Bella the Battery highlighted the cost benefit. “Unit tests catch about 70% of all bugs, and they are the cheapest tests to write and run. They execute in milliseconds on your development computer. Compare that to field testing which takes weeks and costs thousands of dollars. Always start with unit tests!”

3.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• Testing Fundamentals: Understanding the testing pyramid and IoT challenges
• Prototyping Software: Familiarity with firmware development

Key Takeaway

In one sentence: Unit tests validate individual functions in isolation, catching 70% of bugs at the lowest cost.

Remember this rule: If hardware touches the function, mock it. If timing matters, inject time. If it’s critical, cover it 100%.

---

3.3 What to Unit Test

Unit tests validate individual functions in isolation, mocking all external dependencies (hardware, network, time).

Test these firmware components:

1. Data processing algorithms
   • Sensor value filtering (moving average, outlier detection)
   • Data encoding/decoding (JSON, CBOR, Protobuf)
   • State machines (device modes, protocol states)
2. Business logic
   • Threshold detection (temperature > 30°C → trigger alert)
   • Event handling (button press → action mapping)
   • Configuration validation (valid Wi-Fi SSID format)
3. Protocol implementations
   • MQTT packet encoding/decoding
   • CoAP message parsing
   • Checksum calculations

Don’t unit test hardware interactions directly—use integration tests for GPIO, I2C, SPI (requires real hardware).

Try It: Test Categorization Explorer

viewof component_type = Inputs.select(
  ["Data processing algorithm", "Business logic / threshold", "Protocol implementation", "Utility function", "Hardware abstraction (GPIO/I2C)"],
  {label: "Firmware Component Type"}
)
viewof bug_severity = Inputs.select(
  ["Safety-critical (injury/death)", "Product failure (recall)", "User inconvenience", "Cosmetic / minor"],
  {label: "Bug Severity if Untested"}
)
viewof has_external_deps = Inputs.radio(["Yes", "No"], {value: "No", label: "Has hardware dependencies?"})

test_recommendation = {
  const severityMap = {
    "Safety-critical (injury/death)": {coverage: "100%", priority: "HIGHEST", color: "#E74C3C"},
    "Product failure (recall)": {coverage: "85-95%", priority: "HIGH", color: "#E67E22"},
    "User inconvenience": {coverage: "70-85%", priority: "MEDIUM", color: "#3498DB"},
    "Cosmetic / minor": {coverage: "50-70%", priority: "LOW", color: "#7F8C8D"}
  };
  const sev = severityMap[bug_severity];
  const testType = has_external_deps === "Yes" ? "Unit test with MOCKS (abstract hardware behind interfaces)" : "Direct unit test (no mocking needed)";
  const componentAdvice = {
    "Data processing algorithm": "Test with boundary values, empty inputs, overflow conditions, and NaN/Inf.",
    "Business logic / threshold": "Test exact boundaries (threshold - 1, threshold, threshold + 1) and state transitions.",
    "Protocol implementation": "Test valid packets, malformed packets, truncated messages, and replay attacks.",
    "Utility function": "Test edge cases: empty strings, zero values, maximum integer, null pointers.",
    "Hardware abstraction (GPIO/I2C)": "Unit test the abstraction layer with mocks. Integration-test the real hardware separately."
  };
  return {sev, testType, advice: componentAdvice[component_type]};
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${test_recommendation.sev.color}; margin-top: 0.5rem;">
<p><strong>Test Strategy for: ${component_type}</strong></p>
<table style="width:100%; border-collapse:collapse; margin-top:0.5rem;">
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Coverage Target</strong></td>
    <td style="padding:4px; border:1px solid #ddd; color: ${test_recommendation.sev.color}; font-weight: bold;">${test_recommendation.sev.coverage}</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Priority</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_recommendation.sev.priority}</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Test Approach</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_recommendation.testType}</td></tr>
</table>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">${test_recommendation.advice}</p>
</div>`

---

3.4 Unit Testing Frameworks

Popular embedded unit test frameworks:

Framework	Language	Features	Learning Curve
Unity	C	Lightweight, no dependencies	Easy
Google Test	C++	Mature, extensive assertions	Moderate
CppUTest	C/C++	Mock support, memory leak detection	Moderate
Embedded Unit	C	Minimal footprint for MCU	Easy

3.4.1 Example: Testing with Unity Framework

Function to test - sensor filtering:

// sensor_filter.c - Function to test
#include "sensor_filter.h"

#define FILTER_SIZE 5

static float filter_buffer[FILTER_SIZE];
static int filter_index = 0;
static bool filter_full = false;

float apply_moving_average(float new_value) {
    // Add new value to circular buffer
    filter_buffer[filter_index] = new_value;
    filter_index = (filter_index + 1) % FILTER_SIZE;

    if (filter_index == 0) {
        filter_full = true;
    }

    // Calculate average
    float sum = 0;
    int count = filter_full ? FILTER_SIZE : filter_index;
    for (int i = 0; i < count; i++) {
        sum += filter_buffer[i];
    }

    return sum / count;
}

void reset_filter(void) {
    filter_index = 0;
    filter_full = false;
}

Unit tests for the filter:

// test_sensor_filter.c - Unit tests
#include "unity.h"
#include "sensor_filter.h"

void setUp(void) {
    // Reset filter before each test
    reset_filter();
}

void tearDown(void) {
    // Clean up after each test
}

void test_first_value_returns_itself(void) {
    float result = apply_moving_average(25.0);
    TEST_ASSERT_EQUAL_FLOAT(25.0, result);
}

void test_two_values_return_average(void) {
    apply_moving_average(20.0);
    float result = apply_moving_average(30.0);
    TEST_ASSERT_EQUAL_FLOAT(25.0, result);
}

void test_full_buffer_calculates_correct_average(void) {
    // Fill buffer: [10, 20, 30, 40, 50]
    apply_moving_average(10.0);
    apply_moving_average(20.0);
    apply_moving_average(30.0);
    apply_moving_average(40.0);
    float result = apply_moving_average(50.0);

    // Average = (10 + 20 + 30 + 40 + 50) / 5 = 30
    TEST_ASSERT_EQUAL_FLOAT(30.0, result);
}

void test_circular_buffer_wraps_correctly(void) {
    // Fill buffer: [10, 20, 30, 40, 50]
    for (int i = 1; i <= 5; i++) {
        apply_moving_average(i * 10.0);
    }

    // Add 6th value (60) → replaces oldest (10)
    // New buffer: [60, 20, 30, 40, 50]
    float result = apply_moving_average(60.0);

    // Average = (60 + 20 + 30 + 40 + 50) / 5 = 40
    TEST_ASSERT_EQUAL_FLOAT(40.0, result);
}

void test_handles_negative_values(void) {
    apply_moving_average(-10.0);
    float result = apply_moving_average(10.0);
    TEST_ASSERT_EQUAL_FLOAT(0.0, result);
}

int main(void) {
    UNITY_BEGIN();
    RUN_TEST(test_first_value_returns_itself);
    RUN_TEST(test_two_values_return_average);
    RUN_TEST(test_full_buffer_calculates_correct_average);
    RUN_TEST(test_circular_buffer_wraps_correctly);
    RUN_TEST(test_handles_negative_values);
    return UNITY_END();
}

Running the tests:

$ gcc test_sensor_filter.c sensor_filter.c unity.c -o test_runner
$ ./test_runner

test_sensor_filter.c:12:test_first_value_returns_itself:PASS
test_sensor_filter.c:17:test_two_values_return_average:PASS
test_sensor_filter.c:23:test_full_buffer_calculates_correct_average:PASS
test_sensor_filter.c:33:test_circular_buffer_wraps_correctly:PASS
test_sensor_filter.c:45:test_handles_negative_values:PASS

-----------------------
5 Tests 0 Failures 0 Ignored
OK

Try It: Moving Average Filter Simulator

viewof filter_size = Inputs.range([2, 10], {value: 5, step: 1, label: "Filter Buffer Size"})
viewof new_sensor_value = Inputs.range([-20, 80], {value: 25.0, step: 0.5, label: "New Sensor Reading (°C)"})
viewof add_value_btn = Inputs.button("Add Value to Buffer")

mutable filter_state = ({buffer: [], index: 0, full: false, history: []})

{
  add_value_btn;
  const st = mutable filter_state;
  const buf = st.buffer.length < filter_size ? [...st.buffer] : st.buffer.slice(0, filter_size);
  while (buf.length < filter_size) buf.push(null);
  const idx = st.index % filter_size;
  buf[idx] = new_sensor_value;
  const newIndex = (idx + 1) % filter_size;
  const newFull = st.full || (newIndex === 0 && st.history.length >= filter_size - 1);
  const count = newFull ? filter_size : newIndex === 0 ? filter_size : newIndex;
  const validValues = buf.slice(0, count).filter(v => v !== null);
  const avg = validValues.length > 0 ? validValues.reduce((a, b) => a + b, 0) / validValues.length : 0;
  const newHistory = [...st.history, {value: new_sensor_value, avg: avg}].slice(-20);
  mutable filter_state = {buffer: buf, index: newIndex, full: newFull, history: newHistory};
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #9B59B6; margin-top: 0.5rem;">
<p><strong>Circular Buffer State</strong> (size = ${filter_size}):</p>
<div style="display: flex; gap: 4px; margin: 0.5rem 0;">
  ${filter_state.buffer.slice(0, filter_size).map((v, i) =>
    `<div style="width: 48px; height: 48px; border: 2px solid ${i === (filter_state.index === 0 ? filter_size - 1 : filter_state.index - 1) % filter_size ? '#9B59B6' : '#7F8C8D'}; border-radius: 4px; display: flex; align-items: center; justify-content: center; font-size: 0.8em; background: ${v !== null ? '#fff' : '#eee'};">${v !== null ? v.toFixed(1) : '-'}</div>`
  ).join('')}
</div>
<p style="margin-top: 0.5rem;">Moving Average: <strong style="color: #2C3E50; font-size: 1.1em;">${filter_state.history.length > 0 ? filter_state.history[filter_state.history.length - 1].avg.toFixed(2) : '—'}°C</strong></p>
<p style="font-size: 0.85em; color: #555;">Values added: ${filter_state.history.length} | Buffer ${filter_state.full ? 'FULL (circular wrap active)' : 'FILLING'} | Write index: ${filter_state.index}</p>
${filter_state.history.length > 1 ? `<p style="font-size: 0.85em; color: #555; margin-top: 0.5rem;">Recent history: ${filter_state.history.slice(-5).map(h => h.value.toFixed(1)).join(' → ')}</p>` : ''}
</div>`

---

3.5 Mocking Hardware Dependencies

Problem: Firmware interacts with hardware (GPIO, I2C sensors, timers). You can’t unit test this without real hardware.

Solution: Abstract hardware behind interfaces, then mock the interfaces in tests.

3.5.1 Example: Mocking a Temperature Sensor

Abstract interface:

// sensor_interface.h - Abstract interface
typedef struct {
    float (*read_temperature)(void);
    bool (*is_available)(void);
} SensorInterface;

Production implementation (real hardware):

// sensor_hw.c
#include "sensor_interface.h"
#include "i2c_driver.h"

float hw_read_temperature(void) {
    uint8_t data[2];
    i2c_read_register(SENSOR_ADDR, TEMP_REG, data, 2);
    int16_t raw = (data[0] << 8) | data[1];
    return raw / 128.0; // Convert to Celsius
}

bool hw_is_available(void) {
    return i2c_device_present(SENSOR_ADDR);
}

SensorInterface hw_sensor = {
    .read_temperature = hw_read_temperature,
    .is_available = hw_is_available
};

Mock implementation for testing:

// test_mock_sensor.c - Mock for testing
#include "sensor_interface.h"

static float mock_temperature = 25.0;
static bool mock_available = true;

float mock_read_temperature(void) {
    return mock_temperature;
}

bool mock_is_available(void) {
    return mock_available;
}

SensorInterface mock_sensor = {
    .read_temperature = mock_read_temperature,
    .is_available = mock_is_available
};

// Helper functions for tests
void set_mock_temperature(float temp) {
    mock_temperature = temp;
}

void set_mock_availability(bool available) {
    mock_available = available;
}

Now test business logic without hardware:

void test_temperature_alert_triggered(void) {
    // Arrange: Set mock temperature to 35°C (above threshold)
    set_mock_temperature(35.0);

    // Act: Check if alert should trigger
    bool alert = check_temperature_alert(&mock_sensor, 30.0);

    // Assert: Alert should be triggered
    TEST_ASSERT_TRUE(alert);
}

void test_sensor_unavailable_returns_error(void) {
    // Arrange: Sensor not available
    set_mock_availability(false);

    // Act: Attempt to read temperature
    SensorStatus status = read_sensor_safe(&mock_sensor);

    // Assert: Should return error status
    TEST_ASSERT_EQUAL(SENSOR_ERROR, status);
}

Benefits:

• Tests run on your laptop (no hardware required)
• Tests run in milliseconds (no I2C delays)
• Tests are deterministic (no environmental noise)
• Can simulate sensor failures, edge cases

Try It: Mock Sensor Test Simulator

viewof mock_temp = Inputs.range([-40, 125], {value: 35.0, step: 0.5, label: "Mock Temperature (°C)"})
viewof alert_threshold = Inputs.range([0, 100], {value: 30.0, step: 1, label: "Alert Threshold (°C)"})
viewof sensor_available = Inputs.radio(["Available", "Unavailable"], {value: "Available", label: "Sensor Status"})
viewof sensor_noise = Inputs.range([0, 10], {value: 0, step: 0.5, label: "Simulated Noise (±°C)"})

mock_test_results = {
  const noise = (Math.random() - 0.5) * 2 * sensor_noise;
  const reading = mock_temp + noise;
  const isAvailable = sensor_available === "Available";
  const alertTriggered = isAvailable && reading > alert_threshold;
  const tests = [
    {
      name: "test_sensor_availability",
      pass: true,
      detail: isAvailable ? "Sensor reports AVAILABLE" : "Sensor reports UNAVAILABLE → returns SENSOR_ERROR"
    },
    {
      name: "test_temperature_reading",
      pass: isAvailable,
      detail: isAvailable ? `Read ${reading.toFixed(1)}°C (mock: ${mock_temp}°C ± ${sensor_noise}°C noise)` : "SKIPPED — sensor unavailable"
    },
    {
      name: "test_alert_threshold",
      pass: true,
      detail: alertTriggered ? `ALERT: ${reading.toFixed(1)}°C > ${alert_threshold}°C threshold` : isAvailable ? `No alert: ${reading.toFixed(1)}°C ≤ ${alert_threshold}°C` : "No alert: sensor unavailable"
    },
    {
      name: "test_error_handling",
      pass: true,
      detail: !isAvailable ? "Correctly returned SENSOR_ERROR status" : "Sensor available — error path not taken"
    }
  ];
  return {tests, reading, alertTriggered, isAvailable};
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #E67E22; margin-top: 0.5rem;">
<p><strong>Mock Sensor Unit Test Results:</strong></p>
<div style="font-family: monospace; font-size: 0.85em; background: #1a1a2e; color: #e0e0e0; padding: 0.75rem; border-radius: 4px; margin-top: 0.5rem;">
${mock_test_results.tests.map(t =>
  `<div style="margin: 2px 0;"><span style="color: ${t.pass ? '#16A085' : '#E74C3C'};">${t.pass ? 'PASS' : 'FAIL'}</span> ${t.name}: <span style="color: #7F8C8D;">${t.detail}</span></div>`
).join('')}
<div style="margin-top: 8px; border-top: 1px solid #333; padding-top: 4px;">
-----------------------<br/>
${mock_test_results.tests.length} Tests ${mock_test_results.tests.filter(t => !t.pass).length} Failures 0 Ignored<br/>
${mock_test_results.tests.every(t => t.pass) ? '<span style="color: #16A085;">OK</span>' : '<span style="color: #E74C3C;">FAIL</span>'}
</div>
</div>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">
${!mock_test_results.isAvailable ?
  'The mock sensor is set to unavailable. Notice how the test suite validates error handling without real hardware.' :
  mock_test_results.alertTriggered ?
  `Alert triggered! The mock returns ${mock_test_results.reading.toFixed(1)}°C which exceeds the ${alert_threshold}°C threshold.` :
  `No alert. Try setting the mock temperature above ${alert_threshold}°C to trigger the alert path.`}
${sensor_noise > 0 ? ` Noise of ±${sensor_noise}°C simulates real-world sensor jitter.` : ''}
</p>
</div>`

---

3.6 Code Coverage Targets

What is code coverage? Percentage of code lines executed during testing.

Coverage targets for IoT firmware:

Code Category	Coverage Target	Rationale
Critical safety paths	100%	Failure = injury/death (medical, automotive)
Core business logic	85-95%	Bugs = product failure
Protocol implementations	80-90%	Must handle edge cases
Utility functions	70-80%	Lower risk
Hardware abstraction	50-70%	Tested in integration tests

Putting Numbers to It

Code coverage measures test completeness, but the relationship between coverage and defect detection is logarithmic — diminishing returns above 85%.

\[\text{Defect Detection Rate} \approx 1 - e^{-k \times \text{Coverage}}\]

For typical IoT firmware with defect detection constant \(k = 2.5\):

\[ \begin{align} \text{50% coverage:} & \quad 1 - e^{-2.5 \times 0.50} = 1 - e^{-1.25} = 71\% \text{ defects caught} \\ \text{85% coverage:} & \quad 1 - e^{-2.5 \times 0.85} = 1 - e^{-2.13} = 88\% \text{ defects caught} \\ \text{100% coverage:} & \quad 1 - e^{-2.5 \times 1.00} = 1 - e^{-2.50} = 92\% \text{ defects caught} \end{align} \]

Moving from 85% to 100% coverage (18% more effort) only catches 4% more defects. The optimal target is 85% for most code, 100% for safety-critical paths where every defect matters.

viewof coverage_percent = Inputs.range([0, 100], {value: 85, step: 5, label: "Code Coverage (%)"})
viewof k_constant = Inputs.range([1.0, 5.0], {value: 2.5, step: 0.1, label: "Defect Detection Constant (k)"})

defect_detection_rate = 1 - Math.exp(-k_constant * (coverage_percent / 100))

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #2C3E50; margin-top: 0.5rem;">
<p><strong>Coverage Explorer:</strong></p>
<p>At <strong>${coverage_percent}%</strong> code coverage with k = ${k_constant.toFixed(1)}, your tests will detect approximately <strong>${(defect_detection_rate * 100).toFixed(1)}%</strong> of defects.</p>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">
${coverage_percent >= 85 ?
  `<span style="color: #16A085;">✓ Good coverage.</span> Moving from 85% to 100% typically only adds 4% more defect detection.` :
  coverage_percent >= 70 ?
  `<span style="color: #E67E22;">⚠ Moderate coverage.</span> Increasing to 85% would significantly improve defect detection.` :
  `<span style="color: #E74C3C;">⚠ Low coverage.</span> You're missing many defects. Aim for at least 70-85% coverage.`}
</p>
</div>`

Example: Smart smoke detector firmware

Critical safety path (100% coverage required):
- Smoke detection algorithm
- Alert triggering logic
- Battery monitoring

Core business logic (90% coverage):
- Wi-Fi connection management
- Cloud reporting
- Configuration storage

Utility (70% coverage):
- LED blinking patterns
- Beep sound generation

Tools for measuring coverage:

Tool	Platform	Integration
gcov/lcov	GCC	Generate HTML coverage reports
Bullseye	Embedded C	Commercial, supports MCU cross-compilation
Squish Coco	C/C++	Source-based instrumentation

Coverage does not equal Quality: 100% coverage doesn’t mean bug-free. It means every line was executed at least once—not that every edge case was tested.

viewof total_mutations = Inputs.range([10, 500], {value: 140, step: 10, label: "Total Mutations Introduced"})
viewof mutations_killed = Inputs.range([0, total_mutations], {value: 98, step: 1, label: "Mutations Killed"})

mutations_survived = total_mutations - mutations_killed
mutation_score = (mutations_killed / total_mutations) * 100
bugs_escaping = 100 - mutation_score

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #3498DB; margin-top: 0.5rem;">
<p><strong>Mutation Testing Calculator:</strong></p>
<table style="width:100%; border-collapse:collapse; margin-top:0.5rem;">
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Mutation Score</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${mutation_score.toFixed(1)}%</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Mutations Survived</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${mutations_survived} (${bugs_escaping.toFixed(1)}% bugs escape)</td></tr>
</table>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">
${mutation_score >= 85 ?
  `<span style="color: #16A085;">✓ Excellent test quality.</span> Your assertions are strong.` :
  mutation_score >= 70 ?
  `<span style="color: #E67E22;">⚠ Moderate test quality.</span> ${bugs_escaping.toFixed(0)}% of bugs escape. Strengthen assertions.` :
  `<span style="color: #E74C3C;">⚠ Weak test quality.</span> ${bugs_escaping.toFixed(0)}% of bugs escape. Many tests execute code without validating correctness.`}
</p>
</div>`

---

3.7 Knowledge Check

InlineKnowledgeCheck({
  questionId: "kc-testing-unit-1",
  question: "You're building a smart door lock with Wi-Fi connectivity. Your firmware has 15,000 lines of code. You have time to write 200 unit tests. How should you allocate testing effort to maximize defect detection?",
  options: [
    "Write 200 tests evenly distributed across all modules to achieve uniform coverage percentage",
    "Focus all 200 tests on the lock mechanism control code since it's the most critical function",
    "Use risk-based allocation: 50% on lock control, 30% on Wi-Fi connectivity, 20% on crypto/security",
    "Write tests only for code that has caused bugs in the past, ignoring untested new features"
  ],
  correctAnswer: 2,
  feedback: [
    "Incorrect. Uniform coverage treats all code as equally important. A bug in the LED blink function is not as critical as a bug in lock authentication.",
    "Incorrect. While lock control is critical, ignoring Wi-Fi connectivity and security would leave major attack surfaces untested.",
    "Correct! Risk-based test allocation focuses effort on: 1) Safety-critical functions (lock control - life/property), 2) High-failure-rate components (Wi-Fi - connectivity bugs dominate support), 3) Security-sensitive code (authentication bypass = recall).",
    "Incorrect. While historical data is valuable, new features often contain the most bugs (untested code paths)."
  ],
  hint: "Think about the impact and likelihood of different failure types."
})

InlineKnowledgeCheck({
  questionId: "kc-testing-unit-2",
  question: "Your team implements mutation testing on firmware for a battery-powered IoT sensor. The test suite has 87% line coverage. Mutation testing introduces 140 mutations (change > to >=, flip true/false). Results: 98 mutations killed, 42 survived. What does this reveal?",
  options: [
    "70% mutation score is excellent - the test suite is ready for production",
    "42 surviving mutations indicate weak or missing assertions - tests execute code but don't validate correctness",
    "Mutation testing is flawed - surviving mutations are in non-critical code",
    "Increase line coverage to 100% to kill all mutations"
  ],
  correctAnswer: 1,
  feedback: [
    "Incorrect. A 70% mutation score means 30% of bugs are NOT caught - that's 1 in 3 bugs escaping to production.",
    "Correct! Mutation testing reveals the difference between 'code executed' vs 'behavior validated'. Tests that pass regardless of code changes have weak assertions.",
    "Incorrect. Surviving mutations indicate missing tests, not non-critical code. If code is critical enough to write, it's critical enough to test.",
    "Incorrect. Line coverage doesn't improve mutation score - the problem isn't executing code, it's validating correctness."
  ],
  hint: "Think about the difference between 'this line ran' vs 'this line produced the correct result'."
})

---

Worked Example: Achieving 100% Coverage for Safety-Critical Dosing Algorithm

Scenario: Developing firmware for a connected insulin pump. The FDA requires documented evidence that safety-critical code paths have been thoroughly tested. Initial coverage: 73%.

Given:

• Total firmware: 45,000 lines of C code
• Safety-critical modules: 8,200 lines (glucose calculation, dosing algorithm, alert system)
• Dosing algorithm: 45 lines, 8 decision branches (6/8 tested)
• Target: 100% branch coverage for safety-critical, 85% for business logic

Analysis of uncovered branches:

$ gcov dosing_algorithm.c --branch-probabilities

Uncovered branches:
- Line 456: boundary case (glucose < 20 mg/dL) - never tested
- Line 678: dual-sensor disagreement (>15% difference) - never tested

Finding: The two uncovered branches are both error handling and edge cases: 1. Sensor reading < 20 mg/dL (hypoglycemic boundary) 2. Dual-sensor disagreement > 15% (safety interlock)

Solution: Add targeted unit tests for boundary conditions:

// Test 1: Boundary condition
void test_glucose_at_hypoglycemic_boundary(void) {
    set_mock_glucose(20);  // Exactly at minimum valid
    DoseResult result = calculate_dose(20, 100);  // glucose, target
    assert(result.status == DOSE_CALCULATED);
    assert(result.units >= 0);
}

// Test 2: Dual-sensor disagreement
void test_dual_sensor_disagreement_triggers_alert(void) {
    set_sensor_a_reading(120);
    set_sensor_b_reading(145);  // 20.8% difference
    GlucoseResult result = get_calibrated_glucose();
    assert(result.confidence == LOW);
    assert(result.requires_fingerstick == true);
}

Result: Coverage 73% → 100%. FDA audit pass.

Key Insight: High coverage in safety-critical systems requires intentional testing of failure modes, not just happy paths. 73% of uncovered branches are typically error handling and edge cases that developers forget to test.

Decision Framework: Allocating Unit Test Coverage by Code Risk

Code Category	Coverage Target	Rationale	Example
Safety-critical	100%	Regulatory requirement (FDA, ISO 26262)	Dosing algorithm, brake control
Core business logic	85-95%	Bugs = product failure	MQTT reconnection, sensor reading
Protocol implementation	80-90%	Must handle edge cases	CoAP message parsing
Utility functions	70-80%	Lower risk, high reuse	String formatting, time conversion
Hardware abstraction	50-70%	Tested in integration	GPIO drivers, I2C reads

Key Insight: Uniform coverage treats all code equally. Risk-based allocation focuses effort where bugs cause the most damage.

viewof total_tests = Inputs.range([50, 500], {value: 200, step: 10, label: "Total Test Budget"})
viewof safety_critical_pct = Inputs.range([0, 100], {value: 50, step: 5, label: "Safety-Critical Allocation (%)"})
viewof core_logic_pct = Inputs.range([0, 100 - safety_critical_pct], {value: 30, step: 5, label: "Core Business Logic (%)"})
viewof security_pct = Inputs.range([0, 100 - safety_critical_pct - core_logic_pct], {value: 20, step: 5, label: "Security/Crypto (%)"})

test_allocation = {
  const safety_tests = Math.round(total_tests * safety_critical_pct / 100);
  const core_tests = Math.round(total_tests * core_logic_pct / 100);
  const security_tests = Math.round(total_tests * security_pct / 100);
  const remaining = total_tests - safety_tests - core_tests - security_tests;
  return {safety_tests, core_tests, security_tests, remaining};
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid #16A085; margin-top: 0.5rem;">
<p><strong>Risk-Based Test Allocation:</strong></p>
<table style="width:100%; border-collapse:collapse; margin-top:0.5rem;">
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Safety-Critical</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_allocation.safety_tests} tests (${safety_critical_pct}%)</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Core Business Logic</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_allocation.core_tests} tests (${core_logic_pct}%)</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Security/Crypto</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_allocation.security_tests} tests (${security_pct}%)</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Other (utilities, HAL)</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${test_allocation.remaining} tests (${((test_allocation.remaining / total_tests) * 100).toFixed(0)}%)</td></tr>
</table>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">
${safety_critical_pct >= 40 ?
  `<span style="color: #16A085;">✓ Good allocation.</span> Safety-critical code is well-covered.` :
  `<span style="color: #E67E22;">⚠ Consider increasing safety-critical allocation.</span> Most defects in critical code have severe consequences.`}
</p>
</div>`

Common Mistake: Confusing Code Coverage with Test Quality

The Mistake: Reporting “92% line coverage” and assuming the code is well-tested, while mutation testing reveals 35% of bugs escape detection.

Why It Happens: Coverage measures if code executed, not if behavior validated. Tests that call functions without assertions achieve coverage without catching bugs.

Example of False Coverage:

// Test that achieves 100% coverage but catches nothing
void test_temperature_conversion() {
    float result = celsius_to_fahrenheit(25.0);
    // NO ASSERTION - test passes regardless of result
}

// This test has coverage but would pass even if function returns garbage

The Fix: Use mutation testing to measure assertion strength. Mutate code (change > to >=, + to -) and verify tests fail. A 70% mutation score means 30% of bugs go undetected.

Key Insight: Coverage is necessary but not sufficient. Strong tests require both execution (coverage) and validation (assertions).

Try It: Assertion Strength Estimator

viewof num_test_functions = Inputs.range([1, 100], {value: 20, step: 1, label: "Number of Test Functions"})
viewof avg_assertions_per_test = Inputs.range([0, 10], {value: 2, step: 0.5, label: "Average Assertions per Test"})
viewof tests_with_zero_assertions = Inputs.range([0, num_test_functions], {value: 3, step: 1, label: "Tests with ZERO Assertions"})
viewof line_coverage_input = Inputs.range([0, 100], {value: 90, step: 1, label: "Reported Line Coverage (%)"})

assertion_analysis = {
  const totalAssertions = Math.round((num_test_functions - tests_with_zero_assertions) * avg_assertions_per_test);
  const assertionDensity = totalAssertions / num_test_functions;
  const weakTestPct = (tests_with_zero_assertions / num_test_functions) * 100;
  const estimatedMutationScore = Math.min(100, Math.max(0,
    line_coverage_input * (1 - weakTestPct / 100) * (Math.min(avg_assertions_per_test, 3) / 3)
  ));
  const effectiveCoverage = line_coverage_input * (1 - weakTestPct / 200);
  const bugEscapeRate = 100 - estimatedMutationScore;
  let grade, gradeColor;
  if (estimatedMutationScore >= 85) { grade = "STRONG"; gradeColor = "#16A085"; }
  else if (estimatedMutationScore >= 70) { grade = "MODERATE"; gradeColor = "#E67E22"; }
  else if (estimatedMutationScore >= 50) { grade = "WEAK"; gradeColor = "#E74C3C"; }
  else { grade = "VERY WEAK"; gradeColor = "#E74C3C"; }
  return {totalAssertions, assertionDensity, weakTestPct, estimatedMutationScore, effectiveCoverage, bugEscapeRate, grade, gradeColor};
}

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${assertion_analysis.gradeColor}; margin-top: 0.5rem;">
<p><strong>Assertion Strength Analysis:</strong></p>
<table style="width:100%; border-collapse:collapse; margin-top:0.5rem;">
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Total Assertions</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${assertion_analysis.totalAssertions}</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Assertion Density</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${assertion_analysis.assertionDensity.toFixed(1)} per test</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Tests with No Assertions</strong></td>
    <td style="padding:4px; border:1px solid #ddd; color: ${assertion_analysis.weakTestPct > 10 ? '#E74C3C' : '#16A085'};">${tests_with_zero_assertions} (${assertion_analysis.weakTestPct.toFixed(0)}%)</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Reported Line Coverage</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${line_coverage_input}%</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Estimated Mutation Score</strong></td>
    <td style="padding:4px; border:1px solid #ddd; font-weight: bold; color: ${assertion_analysis.gradeColor};">${assertion_analysis.estimatedMutationScore.toFixed(0)}% (${assertion_analysis.grade})</td></tr>
<tr><td style="padding:4px; border:1px solid #ddd;"><strong>Estimated Bug Escape Rate</strong></td>
    <td style="padding:4px; border:1px solid #ddd;">${assertion_analysis.bugEscapeRate.toFixed(0)}%</td></tr>
</table>
<p style="margin-top: 0.5rem; font-size: 0.9em; color: #555;">
${tests_with_zero_assertions > 0 ?
  `<span style="color: #E74C3C;">Warning:</span> ${tests_with_zero_assertions} test(s) have no assertions — they execute code without checking results. These inflate coverage without catching bugs. ` : ''}
${avg_assertions_per_test < 1.5 ?
  `<span style="color: #E67E22;">Tip:</span> Aim for 2-3 assertions per test to validate inputs, outputs, and side effects. ` : ''}
${assertion_analysis.estimatedMutationScore >= 85 ?
  `<span style="color: #16A085;">Your test suite has strong assertion coverage.</span> Most code mutations would be caught.` :
  `<span style="color: ${assertion_analysis.gradeColor};">Consider adding more assertions</span> — ${assertion_analysis.bugEscapeRate.toFixed(0)}% of bugs may escape your test suite.`}
</p>
</div>`

---

Matching Exercise: Key Concepts

Order the Steps

Label the Diagram

💻 Code Challenge

3.8 Summary

Unit testing forms the foundation of IoT quality assurance:

• Test pure logic: Data processing, business logic, protocol parsing
• Mock hardware: Abstract interfaces allow testing without physical devices
• Set risk-based coverage: 100% for safety-critical, 85%+ for core logic
• Measure quality, not just coverage: Use mutation testing to validate assertion strength
• Run fast: Unit tests should execute in seconds, enabling frequent runs

---

3.9 Knowledge Check

Quiz: Unit Testing for IoT Firmware

Try It Yourself: Unit Testing Exercise

Objective: Write unit tests for a sensor data averaging function with 100% branch coverage.

What You’ll Need:

• C compiler (gcc)
• Unity test framework (ThrowTheSwitch/Unity)
• Text editor or IDE

The Function to Test:

// sensor_filter.c
#include <stddef.h>
#include <stdbool.h>

#define FILTER_SIZE 5

static float filter_buffer[FILTER_SIZE];
static int filter_index = 0;
static bool filter_full = false;

float apply_moving_average(float new_value) {
    filter_buffer[filter_index] = new_value;
    filter_index = (filter_index + 1) % FILTER_SIZE;

    if (filter_index == 0) {
        filter_full = true;
    }

    float sum = 0;
    int count = filter_full ? FILTER_SIZE : filter_index;
    for (int i = 0; i < count; i++) {
        sum += filter_buffer[i];
    }

    return sum / count;
}

void reset_filter(void) {
    filter_index = 0;
    filter_full = false;
}

Your Task: Write tests that achieve 100% branch coverage:

1. Test first value (1 value in buffer, not full)
2. Test partial buffer (2-4 values, not full)
3. Test full buffer (exactly 5 values)
4. Test circular wrap (6th value overwrites oldest)
5. Test negative values (ensure math works correctly)
6. Test zero values (division by count)

Expected Test Output:

test_first_value_returns_itself:PASS
test_partial_buffer_averages_correctly:PASS
test_full_buffer_calculates_average:PASS
test_circular_buffer_wraps:PASS
test_handles_negative_values:PASS
test_handles_zero_values:PASS

6 Tests 0 Failures 0 Ignored

Coverage Check:

gcc -fprofile-arcs -ftest-coverage test_sensor_filter.c sensor_filter.c unity.c -o test_runner
./test_runner
gcov sensor_filter.c

What to Observe: 100% line and branch coverage. Every if statement and loop executed at least once.

Challenge Extension: Add mutation testing - change > to >=, + to -, etc. in the source and verify tests fail.

---

Common Pitfalls

1. Testing Implementation Details Instead of Behavior

Unit tests that verify “function X calls function Y with argument Z” are brittle — they break whenever the implementation changes even if behavior is correct. Test observable behavior: given input A, the output is B. For IoT firmware: given a temperature ADC reading of 2048 (12-bit ADC, 3.3V ref, NTC thermistor), the formatted temperature string is “25.0°C”. Testing that “adc_to_temperature calls voltage_divider_calc” couples tests to implementation, preventing safe refactoring.

2. Not Mocking Non-Deterministic Hardware Dependencies

Firmware functions that read real sensors, get current time, or generate random numbers produce non-deterministic outputs that make unit tests unrepeatable. Replace non-deterministic hardware with mocks: inject a time source as a function pointer (mock returns a fixed timestamp), inject a sensor read function (mock returns a programmable sequence of values), inject an entropy source (mock returns deterministic test patterns). Non-determinism in unit tests is a design flaw in the hardware abstraction layer, not an inherent limitation.

3. Targeting 100% Line Coverage Instead of Branch Coverage

Line coverage (every line executed at least once) misses many bugs: a function with if-else has two branches but one line of code. For example: distance_alert = (distance < 10); is one line but has two branches (distance<10=true and distance<10=false). Target branch coverage (every true/false outcome of every conditional executed): 80% branch coverage finds significantly more bugs than 100% line coverage. Use gcov/lcov for C firmware coverage, focusing on branch coverage metrics.

4. Ignoring Setup and Teardown Causing Test State Pollution

Unit tests that leave global state modified (global variables, static function state, mock expectations not cleared) cause subsequent tests to fail with confusing errors. Symptoms: tests pass individually but fail when run together; test results depend on execution order. Use setUp() to initialize all state before each test and tearDown() to clean up after each test. In C with Unity/CMock: UnityBegin() before test, call MockModule_Init() in setUp, MockModule_Verify() and MockModule_Destroy() in tearDown.

3.10 What’s Next?

Continue your testing journey with these chapters:

• Integration Testing: Test hardware-software interactions and protocols
• Hardware-in-the-Loop Testing: Validate firmware against simulated sensor inputs
• Testing Overview: Return to the complete testing guide

Previous	Current	Next
Testing Pyramid & Challenges	Unit Testing for IoT Firmware	Integration Testing for IoT Systems