This work proposes NQC2, a non-intrusive code coverage collection mechanism based on QEMU plugins, designed to address the challenge of applying traditional coverage analysis—typically reliant on operating systems and file systems—to bare-metal embedded programs. By leveraging dynamic binary translation, NQC2 extracts execution path information from within QEMU during emulation and saves it directly to the host machine, without requiring modifications to the target program or a customized QEMU build. This approach enables, for the first time, zero-instrumentation coverage analysis for bare-metal embedded systems. Experimental results demonstrate that NQC2 achieves up to an 8.5× performance improvement over Xilinx’s comparable solution, significantly enhancing both the efficiency and applicability of testing for embedded software.

Code coverage analysis has become a standard approach in software development, facilitating the assessment of test suite effectiveness, the identification of under-tested code segments, and the discovery of performance bottlenecks. When code coverage of software for embedded systems needs to be measured, conventional approaches quickly meet their limits. A commonly used approach involves instrumenting the source files with added code that collects and dumps coverage information during runtime. This inserted code usually relies on the existence of an operating and a file system to dump the collected data. These features are not available for bare-metal programs that are executed on embedded systems. To overcome this issue, we present NQC², a plugin for QEMU. NQC² extracts coverage information from QEMU during runtime and stores them into a file on the host machine. This approach is even compatible with modified QEMU versions and does not require target-software instrumentation. NQC² outperforms a comparable approach from Xilinx by up to 8.5 x.