CNN-Based Fault Localization Method Using Memory-Updated Patterns for Integration Test in an Hil Environment

applied sciences

Article CNN-Based Fault Localization Method Using Memory-Updated Patterns for Integration Test in an HiL Environment

Ki-Yong Choi and Jung-Won Lee * Department of Electrical and Computer Engineering, Ajou University, Suwon 16499, Korea * Correspondence: [email protected]; Tel.: +82-31-219-1813

Received: 31 May 2019; Accepted: 9 July 2019; Published: 12 July 2019

Abstract: Automotive electronic components are tested via hardware-in-the-loop (HiL) testing at the unit and integration test stages, according to ISO 26262. It is difficult to obtain debugging information from the HiL test because the simulator runs a black-box test automatically, depending on the scenario in the test script. At this time, debugging information can be obtained in HiL tests, using memory-updated information, without the source code or the debugging tool. However, this method does not know when the fault occurred, and it is difficult to select the starting point of debugging if the execution flow of the software is not known. In this paper, we propose a fault-localization method using a pattern in which each memory address is updated in the HiL test. Via a sequential pattern-mining algorithm in the memory-updated information of the transferred unit tests, memory-updated patterns are extracted, and the system learns using a convolutional neural network. Applying the learned pattern in the memory-updated information of the integration test can determine the fault point from the normal pattern. The point of departure from the normal pattern is highlighted as a fault-occurrence time, and updated addresses are presented as fault candidates. We applied the proposed method to an HiL test of an OSEK/VDX-based electronic control unit. Through fault-injection testing, we could find the cause of faults by checking the average memory address of 3.28%, and we could present the point of fault occurrence with an average accuracy of 80%.

Keywords: automotive software; fault localization; hardware-in-the-loop (HiL); sequential pattern mining; convolutional neural network (CNN)

1. Introduction In recent years, electronic control units (ECUs) and software have been developed in a distributed manner because functions, such as driving assistants and passenger convenience functions, have diversified [1]. The functions developed in this distributed environment are integrated into the system as a black box [2]. An integrated system becomes more complex as the number of components increases, because of dynamic interactions and inter-component reuse [3]. The verification of automotive software has become a key process in ECU development, closely related to safety and performance [4]. The automotive industry has established “Road vehicles—Functional safety (ISO 26262)” as the verification of automotive software becomes increasingly important [5]. ISO 26262 proposes a V-Model and a hardware-in-the-loop (HiL) test for the quality assurance of key components related to safety in automobiles, and divides them into several stages, including unit tests and integration tests [6]. The HiL test is a black-box test that is executed automatically by the simulator in the scenario of the test script. It compares the output value with the expected value, and reports the result only as pass/fail [7]. That is, the reason for any failure is not provided. Therefore, it is necessary to study a means to find the cause of faults that occurred during the HiL test.

Appl. Sci. 2019, 9, 2799; doi:10.3390/app9142799 www.mdpi.com/journal/applsci Appl. Sci. 2019, 9, 2799 2 of 21

In general, developers can use existing debugging tools or software fault-localization methods to debug faults in the development of embedded systems, including ECUs. However, existing debugging tools have the following problems for application to HiL environments. First, the in-circuit emulator (ICE, e.g., Trace32, Multi-ICE), which is widely used as a debugging tool, requires a dedicated connector as a debugging interface. However, the system under test (SUT) of the HiL environment targets rarely exposes the debugging interface to the outside [8]. Second, existing debugging tools should be monitored step by step, using breakpoints. However, because the HiL test is performed automatically by the simulator, it is difficult to suspend the system [7]. In addition, many software fault-localization methods have been developed to detect faults efficiently in the white-box state based on the source code [9]. Therefore, the HiL test, a black box test, needs a method that can be applied without the source code. A typical method for finding the cause of a fault without any source code is a method using a test case. First, some studies have prioritized test cases using statistics and have detected faults via the spectrum-based fault-localization method [10,11]. In addition, a study determined the attribute that affects the fault by extracting rules based on the results of the test cases [12]. However, because the HiL test evaluates the actual operation result in the hardware, the test case must be generated considering the reaction time [4]. Therefore, the method using the test case needs to consider the time constraints for application to the HiL test. On the other hand, the cause of the fault can be found in the HiL environment by using memory. In the data-flow analysis, the data is defined and then used. Thus, depending on the definition-use (DU) chain, the footprints of all of the critical data processed by the central processing unit (CPU) while the software is running remain in memory. According to the coding rule of MISRA-C (MISRA-C: 2004 Rule 18.3, 20.4), which is a programming rule used in automotive systems, ECU memory is prohibited from reuse or from dynamic memory allocation [13]. In other words, the variables in the automotive software are statically assigned to the memory of the ECU, and the footprints of the software execution remain. Therefore, the execution history of the software can be checked by observing the memory periodically, and therefore the cause of the fault can be found. For this reason, we have developed a fault-localization method that uses the difference in memory-updated information between unit tests and integration tests [14]. The cause of the fault can be found by comparing the updated addresses in each unit test required for the normal operation of the integrated unit functions of the integration test. However, this method cannot specify when a fault occurs, and when the number of functions to be combined increases or becomes complicated, the major addresses of the executed functions become fault candidates, increasing the number of addresses to be checked. In addition, because this method does not know when the fault occurred, the interpretation of the results requires an understanding of the software’s execution flow and a background knowledge of the address symbols and the stored values. Therefore, a method suitable for the HiL environment is needed that can identify the time of occurrence and cause of the fault without any special knowledge. In this paper, we propose a fault-localization method that uses updated patterns of memory in integrated testing. First, in the preparation step, the address, symbol, stored value and update frequency of the memory used in the normal unit test are analyzed to generate memory-updated information that is necessary for a normal operation of the function. The sequential pattern-mining algorithm [15] is applied to the generated memory-updated information to extract the memory-updated pattern for normal operation. The updated features of the collected memory are learned by a machine-learning model, comprising a convolutional neural network (CNN), using memory-updated information and an updated pattern. Next, in the integration test, the updated feature is classified in the memory data of each frame, and the fault-occurrence timing is found by pattern matching with the updated pattern of the normal operation. Figure1 shows how the point of failure is found. In the integration test, a test script is constructed so that function A (four sequences) and B (five sequences) are successively called, such that the updated patterns of A and B appear in order. Therefore, if the integration test is executed normally, Appl. Sci. 2018, 8, x FOR PEER REVIEW 3 of 20

Appl.Figure Sci. 20191 shows, 9, 2799 how the point of failure is found. In the integration test, a test script is constructed3 of 21 so that function A (four sequences) and B (five sequences) are successively called, such that the updated patterns of A and B appear in order. Therefore, if the integration test is executed normally, the thememory-updated memory-updated pattern pattern should should show show the updatedupdated patterns patterns of of the the two two functions functions in order. in order. However, However,in the memory-updatedin the memory-updated pattern pattern of the failedof the integrationfailed integration test, A test, was A found was infound order in for order all sequences,for all sequences,but seq4 but and seq4 seq5 and of B seq5 were of repeated B were from repeat frameed from #n, where frame B #n, is called. where The B is updated called. patternsThe updated of B have patternsan abnormal of B have pattern an abnormal that is dipatternﬀerent that from is thedifferent normal from operation the normal at frame operation #n, and at itframe can be#n, seen and that it cana faultbe seen occurs that in a framefault occurs #n. Therefore, in frame if #n. our Ther debuggingefore, if starts our debugging from addresses starts that from should addresses be updated that to shouldseq4 be of updated B in frame to seq4 #n, the of B cause in frame can be#n, found the cause more can quickly. be found more quickly.

Figure Figure1. Example 1. Example of fault oflocalization fault localization of using of memory using memory-updated-updated patterns patterns in an integration in an integration test. test.

As aAs result, a result, the proposed the proposed method method can canfind findthe occu the occurrencerrence point point and andthe cause the cause of the of fault the fault in the in the integrationintegration test testby using by using the normal the normal operation operation acquired acquired in the in unit the unittest, test,without without the source the source code code or or the debuggingthe debugging tool toolin the in HiL the HiLenvironment. environment. The Theprop proposedosed method method is applied is applied to the to injected the injected faults faults by by the mutationthe mutation method method for evaluation for evaluation in the in HiL the HiLtest of test OSEK/VDX-based of OSEK/VDX-based ECU/SW. ECU/ SW.The Theexperimental experimental resultsresults show show the point the point of occurrence of occurrence within within an average an average of two of twoframes frames for 80% for 80% faults. faults. Only Only 3.28% 3.28% of of the memorythe memory addresses addresses in the in used the used memory memory are identified, are identified, and andthe cause the cause of the of fault the fault can be can found. be found. ThisThis result result shows shows that thatfaults faults are found are found even even if only if only 57% 57% of the of memory the memory is checked is checked by focusing by focusing on the on the faultfault candidates candidates compared compared to previous to previous studies studies on th one same the same environment. environment. The Theintegration integration test testcan also can also indicateindicate when when a fault a fault occurred occurred without without any anyspecial special background. background. ThisThis paper paper is composed is composed as follows. as follows. Section Section 2 describes2 describes related related work work in debugging in debugging in HiL in HiL environmentsenvironments and andfault-localization fault-localization methods methods usin usingg sequential sequential pattern pattern mining mining and andCNN. CNN. Section Section 3 3 definesdefines memory-updated memory-updated features features and and pattern pattern extracti extractionon for fornormal normal operation operation in inmemory. memory. In InSection Section 4, 4, wewe propose propose a a fault-localization methodmethod based based on on the the learning learning method method of theof updatedthe updated feature feature classifier classifierand matching and matching with the with normal the updatednormal pattern.updated Inpattern. Section 5In, weSection configure 5, we the configure HiL environment the HiL and environmenttest the fault-localization and test the fault-localization method by injecting method faults. by injecting Finally, faults. Section Finally,6 concludes Section with 6 concludes future work withdirections future work and directions conclusions. and conclusions.

2. Related2. Related Work Work The Theautomotive automotive industry industry conducts conducts HiL HiL testing atat the the unit unit and and integration integration test stagestest stages for electronic for electroniccomponents components developed developed in accordance in accordance with ISO with 26262. ISO In 26262. the HiL In test,the HiL which test, is performedwhich is performed automatically automaticallywithout the without source code,the source the simulator code, the evaluates simulator the evaluates output of the the output SUT for of the the injected SUT for input the injected as pass/ fail, inputmaking as pass/fail, it diffi makingcult to obtain it difficult debugging to obtain information debugging when information a fault occurs. when a fault occurs. In this section, we discuss debugging methods in HiL testing for automotive software, and discuss sequential pattern mining and CNN-based fault-localization methods. Appl. Sci. 2018, 8, x FOR PEER REVIEW 4 of 20 Appl. Sci. 2019, 9, 2799 4 of 21 In this section, we discuss debugging methods in HiL testing for automotive software, and discuss sequential pattern mining and CNN-based fault-localization methods. 2.1. Debugging in an HiL Environment 2.1. DebuggingAutomotive in a softwaren HiL Environment is affected by hardware problems as well as software problems. Therefore, the softwareAutomotive must software evaluate is its affected behavior by onhardware real hardware. problems The as HiLwell testas softwa is a methodre problems. of evaluating Therefore, the thehardware software on must which evaluate the software its behavior is installed on [real16]. ha Figurerdware.2 shows The HiL the HiL test testis a environment.method of evaluating When a testthe hardwarescript is input on which from the software host PC tois theinstalled HiL simulator, [16]. Figure the 2 HiLshows simulator the HiL inputstest environment. a signal to theWhen SUT a testbased script on theis input test script. from the The host HiL PC simulator to the HiL compares simulator, the the output HiL simulator from the SUT inputs to thea signal expected to the value SUT basedof the on test the script, test script. evaluates The theHiL result simulator as a passcompar or fail,es the and output reports from to the the SUT host to PC. the In expected this flow, value it is ofdi ffithecult test for script, the host evaluates PC to know the result exactly as whata pass is or happening fail, and inreports the SUT. to the In otherhost PC. words, In this the flow, output it ofis difficultthe SUT for can the be host checked PC to upon know failure, exactly but what the is internal happening operation in the ofSUT. the In SUT other is unknown. words, the Therefore, output of thean additionalSUT can be eff checkedort is needed upon to failure, know thebut internalthe internal operation operation in order of the to SUT find theis unknown. cause of the fault.

Figure 2. Hardware-in-the-loopHardware-in-the-loop (H (HiL)iL) test environment.

Generally, in-circuitin-circuit emulators emulators (ICEs) (ICEs) and and logic logic analyzers analyzers used forused debugging for debugging embedded embedded systems systemsare difficult are todifficult apply to to apply HiL testing. to HiL Debuggingtesting. Debugging using ICE, using such ICE, as Trace32such as andTrace32 Multi-ICE, and Multi-ICE, requires requiresdedicated dedicated connectors connectors as a whole as a whole system system synchronization synchronization and debugging and debugging interface, interface, to control to control the thesystem system at the at the instruction instruction level level [8]. [8]. However, However, because because the the HiL HiL test test isis performedperformed automaticallyautomatically by the simulator, it is didifficultfficult to controlcontrol at thethe instructioninstruction level, and the connector for debugging the completed ECU is rarely exposed. The The logic logic analyz analyzerer captures captures the I/O I/O signal, observes the timing relationship between the signals, and detects the fault signal through the relationship between the signal and the time difference difference [[17].17]. However, the logiclogic analyzer is suitable for the detection of error signals, but is unsuitable for any internal operation observation, and the tester needs background knowledge at the developer level in order to interpret thethe signals.signals. A typical way to find find the cause of the fault in a blackblack box test without any source code is to use a test case. Previous studiesstudies havehave prioritizedprioritized test test cases cases that that have have a a high high probability probability of of the the occurrence occurrence of ofa faulta fault with with statistics statistics that that have have been been detected detected using using a a spectrum-based spectrum-based fault-localizationfault-localization method or test history [10,11]. [10,11]. Testing Testing a high-priority test test case case first first reduces reduces the the time time ta takenken to to detect detect a a fault fault and, and, as aa result,result, allowsallows for for e ffiefficientcient debugging. debugging. However, However, these these studies studies focus focus on finding on finding test cases test cases that cause that causefaults faults in black-box in black-box testing, testing, rather rather than findingthan findi theng cause the cause of the of fault. the fault. Another Another study study found found the rule the rulethat causesthat causes the faultthe fault by analyzing by analyzing the relationthe relation between between the testthe casestest cases where where the faultthe fault occurred occurred [12]. This[12]. studyThis study extracted extracted the rule the that rule triggers that triggers the fault the and fault finds and the finds attribute the attribute that affects that the affects fault. However,the fault. However,this method this easily method finds easily the rulesfinds whenthe rules the when test cases the test are cases simple, are but simple, it requires but it requires more test more cases test to casesextract to the extract rules the of therules complex of the input.complex In input. other words,In other the words, test case-based the test case-based method requires method many requires test manycases totest determine cases to the determine internal operationthe internal that operatio causes then that actual causes fault, the or to actual know fault, the attribute or to know related the to attributethe fault. related The HiL to testthe shouldfault. The account HiL test for timeshould constraints account for because time theconstraints software because evaluates the the software actual evaluatesexecution the results actual in hardware.execution results in hardware.

2.2. Sequential Sequential Pattern Mining in Fault Localization Sequential pattern-mining algorithms find find frequent sequences that can be used to locate associations between multiple items or events in a sequence database [[15].15]. Thus, sequential pattern mining can be used to find find associations of events that occur in a time sequence. The fault-localization method usingusing the the pattern pattern was was mainly mainly performed performed using discriminativeusing discriminative pattern mining. pattern Fault-localization mining. Fault- localizationmethods that methods use discriminative that use discriminative pattern mining pattern focus onmining software focus behavior on software patterns. behavior [18] makes patterns. use [18]of the makes fact that use theof the function fact that call the tree function is different call tree between is different pass and between fail results. pass and fail results. Appl. Sci. 2019, 9, 2799 5 of 21

This study examines many test cases to find test cases that are likely to cause a fault in order to give priority to the test cases. The study in [19] obtained a software behavior graph that can show the relationship between a function and a code block. This study provides discriminative nodes for software behavior graphs in pass/fail conditions. In [20], the execution history of the software is tracked to find patterns of repeated events. The fault is located by looking for normal execution and other event patterns. This type of fault-localization study first obtains the normal pattern and uses the difference to locate the fault. Therefore, if a normal execution pattern is acquired in the unit test and an abnormal pattern of the integration test is found, the time when the fault occurs can be determined. However, because it is difficult to know the internal operation information of the HiL test, a method for acquiring an execution pattern is required. Vehicle software must always be deterministic, because it is closely related to the safety of the passenger. It should always perform the same process and output the same result under the same conditions. If the execution state of the vehicle software is stored at regular intervals, the execution pattern of the software can be extracted using the sequential pattern-mining algorithm. Thus, a periodic collection of ECU memory during the HiL test can be used to extract a sequential pattern of execution traces of the remaining software in memory. This can be used to locate the faults that occur in the integration test if the normal operation pattern of the vehicle software that was operating normally in the unit test is extracted.

2.3. Fault Localization Using Convolutional Neural Network CNN is a type of multilayer neural network whose main feature is recognizing visual patterns directly from pixel images through a minimal preprocessing process. It is less affected by human intervention and background knowledge, because the network learns its own patterns. Some studies have found fault conditions by learning data collected from embedded systems. These studies mainly extract feature points of the input data using 1D CNN. The purpose of [21] is to find bearing faults by inputting motor current signals. The fault is found by learning the current signal when the motor bearing is normal and faulty. In contrast, [22] finds a faulty gear using the vibration of the gearbox when a problem occurs in the gear by learning the vibrations of several healthy conditions, including the fault condition. [23] also finds the faulty gear when a problem occurs in the gear, but this by learning the noise from four types of gearboxes, including the fault condition. However, most of these studies are based upon learning raw data values from existing faults to determine the presence of faults, and cannot provide the debugging time or the causes of faults in integrated tests. To understand the cause of the fault in the integration test of the HiL environment in a black box, it is necessary to study the following conditions. First, the method should be applicable to HiL environments, such as physical constraints, without source code or debugging tools. Second, it should be able to extract the execution pattern through traces of software execution. Finally, it is necessary to recognize the occurrence of a fault by the observing the memory information of the normal operation, as well as to find the occurrence time and the cause of the fault.

3. Data Preparations for Fault Localization In this chapter, we introduce the necessary preparations for fault localization using the features and patterns that update each address in memory for software execution. First, the data-preparation process is deﬁned, followed by a description of the memory data-acquisition method and memory-updated information analysis method. Next, the mining of the memory-updated pattern and the annotation method of memory-updated features for training are introduced.

3.1. Data-Preparation Process Figure3 summarizes the preparation process of the fault localization using the training of the memory-updated pattern. To acquire and analyze data periodically and use it for fault localization, Appl. Sci. 2019, 9, 2799 6 of 21

Appl.the processSci. 2018, is8, x divided FOR PEER into REVIEW four vertical steps: (1) Data acquisition, (2) updated information analysis,6 of 20 (3) updated pattern detection, and (4) memory transformation for imaging and annotation. Furthermore, Furthermore, two two horizontal horizontal phases phases are are necessary necessary for for class class annotation annotation based based on on ground ground truth truth for fortraining: training: (1) The(1) unitThe testunit phase test phase and (2) and the integration(2) the integration test phase. test First, phase. the commonFirst, the steps common periodically steps periodicallycollect memory collect during memory the during HiL test, the analyze HiL test the, analyze memory the data,memory and data, generate and generate memory-updated memory- updatedinformation. information. From the From next the steps, next there steps, are there differences are differences according accord to testing phase. to test At phase. the unit At testthe step,unit testwhich step, collects which normal collects operation normal information,operation information, the memory-updated the memory-updated pattern is found pattern by applyingis found theby applyingsequential the pattern-mining sequential pattern-mining algorithm into algorithm memory-updated into memory-updated information on information each frame. CNNson each facilitate frame. CNNsautomatic facilitate feature automatic extraction feature in unit tests,extraction where in the un trainingit tests, is where performed, the training which enables is performed, an exploitation which enablesof the ability an exploitation to identify of and the distinguish ability to identify the features and ofdistinguish each frame the in features the integration of each test,frame which in the is integrationan inference test, phase. which Thus, is anfor inference convenience phase. ofThus, use asfor theconvenience input data of of use CNN, as the the input memory-updated data of CNN, thepattern memory-updated is transformed pattern into an is image. transformed In other into words, an image. the image In other presents words, the the total image memory presents in matrix the totalform memory by mapping in matrix a pixel form of the by matrixmapping to ana pixel address of the and matrix defining to an it address as a frame. and As defining shown it in as the a frame. figure, Asupdated shown (U) in isthe determined figure, updated by whether (U) is determined the value stored by whether in each the address value isstored changed in each for eachaddress frame is changedacquired for in eacheach collectionframe acquired period. in This each is collection then transformed period. This into is image then files,transformed which represent into image whether files, whichthe address represent of each whether frame the has address been updated of each as frame a marked has been pixel updated (updated) as or a marked a blank pixelpixel (not(updated) updated). or aThe blank transformed pixel (not image updated). file is labeledThe transformed by class, which image is thefile updatedis labeled feature, by class, as itwhich meets is the the sequence updated of feature,the generated as it meets updated the patterns.sequence Likewise,of the generat the integrationed updated test, patterns. which Likewise, is the target the that integration is finding test, the whichfault, transformsis the target the that memory-updated is finding the fault, information transforms of the the memory-updated frame into the image information file. of the frame into the image file.

FigureFigure 3. 3. ProcessProcess of of data data preparation preparation for for fault fault localization localization using using memory-updated memory-updated patterns. patterns. 3.2. HiL Testing and Data Collection 3.2. HiL Testing and Data Collection The memory-updated feature can be offered to debug faults during HiL testing of automotive The memory-updated feature can be offered to debug faults during HiL testing of automotive software [14]. To generate memory-updated information, the following three types of data are necessary. software [14]. To generate memory-updated information, the following three types of data are First, the metadata of tests, such as I/O specifications and test results, are collected through test reports necessary. First, the metadata of tests, such as I/O specifications and test results, are collected through or scripts. Second, the executable file of the software is statically analyzed to collect the symbol name test reports or scripts. Second, the executable file of the software is statically analyzed to collect the or section information of the memory data to be collected. Third, based on the section information symbol name or section information of the memory data to be collected. Third, based on the section obtained through the static analysis, the memory data is collected for every execution period of the information obtained through the static analysis, the memory data is collected for every execution main task. period of the main task.

Appl. Sci. 2019, 9, 2799 7 of 21

Appl. Sci. 2018, 8, x FOR PEER REVIEW 7 of 20 Collecting executed software memory at every execution period of the main task in an HiL test requiresCollecting additional executed space. software However, memory it is impossibleat every execut to alterion period the hardware of the main for testing.task in an Therefore, HiL test requireswe developed additional a high-volume space. However, data-collecting it is impossible method to considering alter the hardware the communicative for testing. loadTherefore, of ECU we in developedHiL environments, a high-volume as shown data-collect in Figureing4. method In Figure considering4, the test executorthe communicative of the host load PC processesof ECU in theHiL environments,test script and as manages shown thein Figure test result. 4. In Figure The data 4, collectorthe test executor requests of the the memory host PC data processes from thethe SUTtest script(test agent) and manages and determines the test whetherresult. The the data collected collec memorytor requests data the is updated.memory data The testfrom agent the SUT transmits (test agent)the memory and determines data of the whether observation the collected range in memory the SUT duringdata is testupdated. time, inThe accordance test agent totransmits the request. the memoryThe data data collector of the and observation the test agent range use in an the automotive SUT during communication test time, in accordance network, suchto the as request. a controller The dataarea collector network and (CAN). the test agent use an automotive communication network, such as a controller area network (CAN).

Figure 4. Data collector in HiL test environment. Figure 4. Data collector in HiL test environment. With this method, the memory value of the variables section can be dumped without any loss, With this method, the memory value of the variables section can be dumped without any loss, and periodically. Dumped memory at the period (T) within the main task is defined as a frame and is and periodically. Dumped memory at the period (T) within the main task is defined as a frame and presented by Equation (1). The memory address is compared with the prior frame as Equation (2), is presented by Equation (1). The memory address is compared with the prior frame as Equation (2), and checks the updated with the change in the value saved in the address (memory updated: MU). and checks the updated with the change in the value saved in the address (memory updated: MU). F { V |V is the value of the address A at time T k; k is an index number} (1) Fk ≡k {≡∀V∀A,k |VA,kA,k isA,k the value of the address A at time T k;× k is an index number} (1) ( 1, 1,V, VA,k1 V,,VA,k MUA,k == − ; k is ;a kframe-index is a frame-index number number (2) (2) 0, 0,V, VA,k1 V=,VA,k − 3.3. Analysis of Updated Memory 3.3. Analysis of Updated Memory Synthesizing the collected memory data and analyzing the updated status enables the constitution Synthesizing the collected memory data and analyzing the updated status enables the of memory-updated information (MUI). The MUI is composed of an address (A), a memory-updated constitution of memory-updated information (MUI). The MUI is composed of an address (A), a frequency (MUFA,R) indicating the number of times the value is updated within the set frame range, memory-updated frequency (MUFA,R) indicating the number of times the value is updated within the the value set of the address at each frame (VA,k) and the symbol name of the address (SymA). set frame range, the value set of the address at each frame (VA,k) and the symbol name of the address (SymA). MUI {A, MUF , {V }, Sym |R is a set of the frame index} (3) A,R ≡ A,R A,k A MUIA,R ≡ {A, MUFA,R, {VA,k}, SymA|R is a set of the frame index} (3) Analyzing the composed MUI enables addresses to be found, which is necessary to operate the functionAnalyzing normally. the composed By checking MUI enables the number addresses of inputs to be and found, the timewhich interval is necessary of the to test operate metadata, the functionthe address normally. is found By at checking which the the updated number intervalof inputs has and the the same time value interval as theof the time test interval metadata, among the addressthe addresses is found of smallerat which updates the updated than theinterval number has ofthe inputs. same value In other as words,the time the interval address among updated the addresseswith an equal of smaller time interval updates of than the input the number is sought. of Thisinputs. address In other is defined words, as the an address input-driven updated updated with anaddress equal (IDUA).time interval The IDUAof the isinput updated is sought. by the Th loadedis address input is fordefined testing as thean input-driven functions, and updated is also addressnecessary (IDUA). for normal The operation.IDUA is updated Because automotiveby the loaded software input shouldfor testing operate the deterministicallyfunctions, and is under also necessary for normal operation. Because automotive software should operate deterministically under identical conditions, it outputs a constant result when performing the determined process. Therefore, IDUA updated by input is updated with a constant pattern. Appl. Sci. 2019, 9, 2799 8 of 21 identical conditions, it outputs a constant result when performing the determined process. Therefore, Appl.IDUA Sci. updated 2018, 8, x FOR by input PEER REVIEW is updated with a constant pattern. 8 of 20 To obtain the memory-updated pattern of the input, this IDUA that is updated after the input To obtain the memory-updated pattern of the input, this IDUA that is updated after the input is is loaded, and the input-driven updated range (IDUR) is distinguished, which is the frame interval loaded, and the input-driven updated range (IDUR) is distinguished, which is the frame interval until until the result is output. Applying the sequential pattern-mining algorithm for this IDUR enables the the result is output. Applying the sequential pattern-mining algorithm for this IDUR enables the extraction of the memory-updated pattern of the functional operation. extraction of the memory-updated pattern of the functional operation. 3.4. Finding Memory-Updated Patterns Using Sequential Pattern-Mining Algorithm 3.4. Finding Memory-Updated Patterns Using Sequential Pattern-Mining Algorithm Automotive software is divided into application software, which executes functions, andAutomotive infrastructure software software, is whichdivided aids into in applicat executionion [software,24]. At thewhich IDUR, executes the addresses functions, of and the infrastructureinfrastructure software, software, which such aids as the in execution support function[24]. At the of IDUR, the address, the addresses or the of function the infrastructure related to software,the kernel such to maintain as the support the OS, function along with of the the address, IDUA related or the to function the function, related are to updated.the kernel Owing to maintain to the thenecessity OS, along of the with infrastructure’s the IDUA relate helpd in to operation, the function, the proposedare updated. method Owing should to the look necessity for the updateof the infrastructure’s help in operation, the proposed method should look for the update pattern among pattern among all updated addresses in the IDUR. Thus, applying the sequential pattern-mining all updated addresses in the IDUR. Thus, applying the sequential pattern-mining algorithm [25] to algorithm [25] to this IDUR in a normally operating unit test makes it possible to seek the updated this IDUR in a normally operating unit test makes it possible to seek the updated patterns of the patterns of the normal operation of a function. We modified the open-source code from [26] for normal operation of a function. We modified the open-source code from [26] for application in application in memory-updated information. In the memory-updated information of the IDUR, memory-updated information. In the memory-updated information of the IDUR, each IDUA defines each IDUA defines the updated frame as the event, and defines the updated addresses as items at the the updated frame as the event, and defines the updated addresses as items at the event. Additionally, event. Additionally, it lists events in the sequence of the frame and defines those as a single sequence. it lists events in the sequence of the frame and defines those as a single sequence. Figure 5 shows an Figure5 shows an example of searching for the updated pattern by applying sequential pattern mining example of searching for the updated pattern by applying sequential pattern mining to the memory- to the memory-updated information. updated information.

FigureFigure 5. ExampleExample of of sequential sequential pa patternttern mining mining of of memory-updated memory-updated information.

The example presents an experiment that tests the left signal of the Turn signal. Figure1 indicates The example presents an experiment that tests the left signal of the Turn signal. Figure 1 the index for the identifying test and the input number, and the frame number identifying the IDUR indicates the index for the identifying test and the input number, and the frame number identifying according to the input. In the example, in the second input of the 1808th unit test, the IDUR is five the IDUR according to the input. In the example, in the second input of the 1808th unit test, the IDUR frames from 66 to 70. In the case of repeated experiments of test cases with different unit functions, is five frames from 66 to 70. In the case of repeated experiments of test cases with different unit each IDUR appears as many times as there are frames according to which the software operates. functions, each IDUR appears as many times as there are frames according to which the software Applying the sequential pattern-mining algorithm with minimum support 0.8 in (2) to the updated operates. Applying the sequential pattern-mining algorithm with minimum support 0.8 in (2) to the address of these frames yields the result shown in (3). In (3), the updated addresses are shown updated address of these frames yields the result shown in (3). In (3), the updated addresses are in each sequence of the most frequent sequential pattern and symbol name. These addresses are shown in each sequence of the most frequent sequential pattern and symbol name. These addresses defined as the featured addresses of each sequence. Addresses #10677 and #10681 use the symbol are defined as the featured addresses of each sequence. Addresses #10677 and #10681 use the symbol names g_CanRxQueue, unlike other addresses. These addresses are the addresses of the infrastructure names g_CanRxQueue, unlike other addresses. These addresses are the addresses of the software with CAN-related addresses. In the case of normal operation, this software is necessary for infrastructure software with CAN-related addresses. In the case of normal operation, this software is the application and infrastructure software. Accordingly, the address of infrastructure is also saved in necessary for the application and infrastructure software. Accordingly, the address of infrastructure the memory-updated pattern. In the same way, the updated patterns of the addresses required for all is also saved in the memory-updated pattern. In the same way, the updated patterns of the addresses unit functions are extracted. The frequent sequential pattern discovered in subfigure (3) is defined as required for all unit functions are extracted. The frequent sequential pattern discovered in subfigure the featured addresses of each sequence, index of the tested unit function and featured frame index (3) is defined as the featured addresses of each sequence, index of the tested unit function and that distinguishes the features of the frame with the sequence number, and saved as (4). In other words, featured frame index that distinguishes the features of the frame with the sequence number, and saved as (4). In other words, the Featured Frame Index is defined as a set of {Unit Function index, number of Sequences in the Unit Function index, Featured Addresses}.

Appl. Sci. 2019, 9, 2799 9 of 21 the Featured Frame Index is defined as a set of {Unit Function index, number of Sequences in the Unit Function index, Featured Addresses}. Appl. Sci. 2018, 8, x FOR PEER REVIEW 9 of 20 3.5. Transformation Memory-Updated Patterns to Image Data and Labeling Memory-Updated Features 3.5. TransformationCNN, which isMemory-Updated a multilayer neural Patterns network to Image in machine Data and learning, Labeling has Memory-Updated an advantage in Features that it directly recognizesCNN, which the visual is a patternmultilayer of pixel neural images network though in minimummachine learning, preprocessing. has an As advantage the networks in that trains it directlydirectly, recognizes it is operated the by visual humans, pattern but not of apixeffectedl images by background though minimum knowledge. preprocessing. Therefore, using As CNN, the networksthe updated trains feature directly, can beit automaticallyis operated by extracted humans, from but thenot learning affected process by background of the unit knowledge. test without Therefore,the intervention using CNN, of the the tester. updated In this feature way, can it isbe possible automatically to distinguish extracted the from class the by learning identifying process the ofupdated the unit feature test without in the the inference intervention process of ofthe the tester. integration In this way, test. Theit is memory-updatedpossible to distinguish information the class is bytransformed identifying into the a updated snapshot, feature corresponding in the inference to a pixel process in the image of the file, integration in order to test. be used The morememory- easily updatedas an input information to the CNN. is transformed The size of the into transformed a snapshot snapshot, corresponding from the to memory-updated a pixel in the image information file, in orderin each to framebe used is more defined easily as the as heightan input and to widththe CNN. obtained The size by Equation of the transformed (4), where thesnapshot coordinate from (x,the y) memory-updatedof a point in the snapshot information is mapped in each with frame each is defined address, as as the in height Equation and (5). width Here, obtained the width by isEquation adjusted (4),flexibly where as the it iscoordinate in accordance (x, y) with of a point the collected in the snapshot memory is size. mapped with each address, as in Equation (5). Here, the width is adjusted flexibly as it is in accordance with the collected memory size. Height = min {h N; h (Number of Addresses Width)} (4) Height = min {h ∈∈ N; h ≥ (Number of Addresses÷ Width)} (4) Address = y Width + x; (x, y) is the pixel position (5) Address = y ×× Width + x; (x, y) is the pixel position (5) Figure6a shows an example of transform the memory-updated to snapshot. In the figure, the imageFigure file6a shows of snapshot an example has width of transform 160 and heightthe memory-updated 184. From Equation to snapshot. (2), the In memory-updated the figure, the imagestatus file of 29,440of snapshot addresses has width is marked 160 and as aheight red pixel 184. whenFrom MUEquationA,k has (2), a valuethe memory-updated of 1 and white when status it ofhas 29,440 a value addresses of 0. Because is marked the coordinates as a red pixel of the when marked MUA,k points has a are value (31,117), of 1 and the addresswhite when of the it point has a is value18,751 of (i.e., 0. Because 160 117 the +coordinates31). In Figure of the6b, marked Test Index points #1808 are has(31,117), IDUR the frames address 66–70 of the inFigure point is5, 18,751 and it × (i.e.,generates 160 × 117 the + memory-updated 31). In Figure 6b, Test status Index of each #1808 frame has IDUR into the frames image 66–70 file. Asin Figure in the figure,5, and it the generates memory thedata memory-updated of all of the frames status is transformed of each frame into into image the im files,age and file. the As transformedin the figure, image the memory file is used data forof all the oftraining the frames phase is transformed of the unit test into and image as well files, as and to detect the transformed the occurrence image point file ofis used faults for using the atraining trained phaseclassifier of the in theunit integration test and as test.well as to detect the occurrence point of faults using a trained classifier in the integration test.

FigureFigure 6. 6. ExampleExample of of transforming transforming memory-updat memory-updateded information information into into image image files. ﬁles. (a) (Examplea) Example of a of memory-updateda memory-updated snapshot; snapshot; (b)( btransforming) transforming each each frame frame into into image image files. ﬁles.

The generated image files in unit test are labeled by class for training. First, because the frames The generated image files in unit test are labeled by class for training. First, because the frames 66–70 are classified as the application frame (IDUR) in Figure5, as Equation (6) it is labeled class as 66–70 are classified as the application frame (IDUR) in Figure 5, as Equation (6) it is labeled class as application (App) and the other frames are infrastructure (Infra) class. The updated addresses of frames application (App) and the other frames are infrastructure (Infra) class. The updated addresses of labeled as application are compared to the featured address of Figure5(4) to check the unit function frames labeled as application are compared to the featured address of Figure 5(4) to check the unit functionindex and index featured and featured frame index. frame By index. Equations By Equati (7) andons (8), (7) find and the (8), updated find the address updated of address the application of the application frame in the featured addresses of each index as a unit function and featured frame and label the corresponding index number as class. The labeled image files are classified into the infrastructure, or have a unit function label and featured frame label in the application. The files are also used for the training data of the updated feature-classification model. Appl. Sci. 2019, 9, 2799 10 of 21 frame in the featured addresses of each index as a unit function and featured frame and label the corresponding index number as class. The labeled image files are classified into the infrastructure, or have a unit function label and featured frame label in the application. The files are also used for the trainingAppl. Sci. 2018 data, 8 of, x FOR the updatedPEER REVIEW feature-classification model. 10 of 20 ( App,App, k ∈IDUR k IDUR ClassClassApp,k == ∈ ; k is; a k frame-index is a frame-index number number(6 (6)) , Infra,Infra,k ∉IDUR k < IDUR

Class == #idx;#idx; MU MUα == 1,1, αα ∈ setset of of the the featured featured addr addressesesses in in unit unit function function #idx #idx (7)(7) ,Function,k ,,k ∈ { } ClassFeature,k = #idx; MUα,k = 1, α set of the featured addresses in featured frame #idx (8) Class, = #idx; MU, = 1, α ∈∈ set{ of the featured addresses in featured frame #idx } (8) 4. Fault-Localization Method Using Memory-Updated Patterns 4. Fault-Localization Method Using Memory-Updated Patterns Using the memory-updated features and the memory-updated pattern of the normal operation obtainedUsing in thethe passedmemory-updated unit test, the features cause of and the faultthe me canmory-updated be found in the pattern memory-updated of the normal information operation ofobtained the failed in integrationthe passed test. unit In test, this section,the cause we describeof the fault the processescan be found of the fault-localizationin the memory-upda methodted andinforma the detailstion of ofthe each failed step. integration test. In this section, we describe the processes of the fault- localization method and the details of each step. 4.1. Fault-Localization Process 4.1. Fault-LocaAn ECUlization that has Process passed a unit test performs an integration test under various conditions. Therefore,An ECU when that a fault has occurspassed in a the unit integration test performs test, it an means integration that the functiontest under that various operates conditions. normally inTherefore, the unit when test is a integrated fault occurs and in the operates integration abnormally. test, it means In this that paper, the function we use that the memory-updatedoperates normally featurein the unit and test the memory-updatedis integrated and operates patterns ofabno therma ECUlly. that In this are operatedpaper, we normally use the inmemory-updated the unit test to findfeature the a faultynd the pattern memory-upda of the memory-updatedted patterns of the information ECU that of are the operated faulty integrated normallytest in the and unit present test to it asfind the the fault faulty occurred pattern point. of the Addresses memory-updated to be updated inform atation that time of the are faulty presented integrated as fault test candidates. and present it as Figurethe fault7 summarizes occurred point. the Addresses process of to localizing be updated the at location that time and are occurrence presented ofas afault fault candidates. with the memory-updatedFigure 7 summarizes patterns the prepared process in of Section localizing3 and the the location image ofand each occurrence frame. The of a process fault with of the the proposedmemory-updated fault-localization patterns method prepared is dividedin Section into 3 aand unit the test image phase of and each an integratedframe. The test process phase. of First, the inproposed the unit fault-loca test phase,lization the updated method feature is divided classification into a unit model test phase is learned and byan integrated using the normal test phase. updated First, patternin the unit prepared test phase, in the the data updated preparation feature and classific the labeledation model image is file. learned Next, by in using the integrated the norma testl updated phase, thepattern updated prepared feature in the classifier data preparation is used to classify and the the labele imaged image files preparedfile. Next, previously in the integrated according test phase, to the memory-updatedthe updated feature feature. classifier The is classified used to frameclassify is th comparede image files to the prepared memory-updated previously pattern according of normal to the operationmemory-updated to determine feature. the sequenceThe classified of the frame suspected is compared fault that isto not the matched. memory-updated This sequence pattern frame of andnormal the previousoperation sequence to determine are specified the sequence as fault-occurrence of the suspected points, fault and that the is not addresses matched. to beThis updated sequence in the corresponding sequence are presented as fault candidates.

FigureFigure 7.7. ProcessProcess ofof faultfault localizationlocalization usingusing memory-updatedmemory-updated patterns.patterns.

4.2. Training of Updated Features The data preparation step is performed on the memory data normally operated in the unit test, and the image file having the class of the updated feature, such as the unit function and the featured frame, together with the normal updated pattern, is generated. In the next step, we design an updated feature classifier that learns the labeled image file and learns the updated feature. At this time, the neural network design should consider the characteristics of the memory-updated snapshot. Appl. Sci. 2019, 9, 2799 11 of 21

4.2. Training of Updated Features The data preparation step is performed on the memory data normally operated in the unit test, and the image file having the class of the updated feature, such as the unit function and the featured frame, together with the normal updated pattern, is generated. In the next step, we design an updated featureAppl. Sci. 2018 classifier, 8, x FOR that PEER learns REVIEW the labeled image file and learns the updated feature. At this11 time,of 20 the neural network design should consider the characteristics of the memory-updated snapshot. A neural network model using CNN is eeffectiveffective for the recognition of neighboring features, while maintaining the spatial information information of of the the imag image,e, using using aa convolution convolution layer layer as as a a2D 2D filter filter and and a apooling pooling layer layer for for feature feature enhancement enhancement [27]. [27]. Howeve However,r, the the memory-updated memory-updated snapshots snapshots of automotive software havehave di differentfferent characteristics characteristics from from typical typical 2D images,2D images, because because each pixel each represents pixel represents an address. an address.When building automotive software, it is divided into sections according to its purpose, and the addressWhen to bebuilding allocated automotive to memory software, is determined it is divided according into sections to the objectaccording fileor to function.its purpose, Therefore, and the mostaddress nearby to be addresses allocated areto memory used in theis determined same function acco orrding belong to the to theobject same file object or function. file. Because Therefore, each pixelmost innearby the snapshot addresses image are used corresponds in the same to an function address or in belong memory, to the the same nearby object addresses file. Because are located each closepixel toin the horizon.snapshot Aimage vertically corresponds near pixel to isan actually address an in addressmemory, spaced the nearby a distance addresses in the are horizontal located direction,close to the and horizon. is less related.A vertically Furthermore, near pixel at is the actually boundary an address of the snapshot,spaced a distance the next addressin the horizontal is on the otherdirection, side and of the is less image. related. As a Furthermore, result, when applying at the boundary CNN, as of in the other snapshot, studies the discussed next address in Section is on 2.3the, theother memory-updated side of the image. snapshots As a result, must when be converted applying CNN, to 1D foras in continuity other studies between discussed addresses. in Section 2.3, the memory-updatedThe basic model of snapshots the proposed must neural be convert networked to model 1D for consists continuity of six between layers as addresses. shown in Figure8. First,The (1) serializesbasic model the of input the proposed image file neural and reshapesnetwork mode it intol aconsists one-dimensional of six layers array. as shown Next, in (2) Figure and (3)8. First, perform (1) serializes a convolution the input operation image file on and a one-dimensional reshapes it into filtera one-dimensional at stride intervals. array. Next, At this (2) time, and the(3) perform activation a functionconvolution uses operation ReLU. ReLU on a does one-dimensional not saturate the filter value, at stride but is intervals. often used At in this the time, CNN the by simplyactivation activating function the uses value ReLU. to the ReLU threshold does [not27]. saturate The input the data value, has but as manyis often channels used in as the the CNN number by ofsimply filters activating in the convolution the value to layer. the threshold The channels [27]. passThe input through data a has flattened as many layer channels to convert as the them number into aof 1D filters vector in the at (4). convolution Then, (5) passeslayer. The through channels the fullypass connectedthrough a flattened layer and layer reduces to convert it to the them number into of a features1D vector set. at Finally,(4). Then, (6) finds(5) passes the output through feature the full classy connected corresponding layer to and the inputreduces frame it to by the applying number the of softmaxfeatures functionset. Finally, to the (6)fully finds connected the output layer. feature The class proposed corresponding classifier adjusts to the input the number frame ofby filters applying and the numbersoftmax offunction features to inthe this fully basic connected model. layer. The proposed classifier adjusts the number of filters and the number of features in this basic model.

Figure 8. The basic form of the proposed neural network model.

The updatedupdated feature feature classifier classifier created created using using the basicthe basic model model learns thelearns labeled the imagelabeled file image obtained file fromobtained the unitfrom test. the Theunit updatedtest. The feature updated classifier feature consists classifier of consists three stages. of three The stages. first stage The recognizesfirst stage whetherrecognizes the whether application the is application working for is each working frame andfor each classifies frame itinto and two classifies classes it of into app /infra.two classes The next of stageapp/infra. classifies The next the unitstage functions classifies thatthe unit operate functions on frames that operate classified on frames as the app classified class. as In the the app example class. ofIn the Figure example5, if there of Figure are four 5, if unitthere function are four indices,unit functi f ison set indices, to 4 in f is steps set to (2)–(4) 4 in steps in Figure (2)–(4)8 ,in and Figure is learned8, and is as learned a neural as network a neural that network distinguishes that distinguishes four classes. Thefour lastclasses. stage The classifies last stage the featured classifies frame the index.featured It classifiesframe index. the featured It classifies frame the index featured according frame to index whether according each featured to whether address each is updated,featured andaddress classifies is updated, the feature and classifies of the sequence the feature for the of framethe sequence confirmed for upthe toframe the unitconfirmed function. up to the unit function. 4.3. Reducing the Fault Candidates 4.3. ReducingWe have the described Fault Candidates the detailed steps in the unit test phase for fault localization. In the integration test phase, the conversion of the collected memory data to the image file proceeds in the same way as We have described the detailed steps in the unit test phase for fault localization. In the the unit test. The image file contains the updated feature of the unit function and the featured frame. integration test phase, the conversion of the collected memory data to the image file proceeds in the same way as the unit test. The image file contains the updated feature of the unit function and the featured frame. That is, the updated information of the featured addresses. Apply the proposed fault- localization method to these image files. The proposed method classifies the updated feature for the images of the app class with the traces of the function executed, except for the images of the infra class that are not directly related to the execution of the function. For each frame classified by the app class, the unit function and the featured frame class are identified, and to find a sequence in which a fault occurs that does not match the memory-updated pattern of normal operation. Appl. Sci. 2019, 9, 2799 12 of 21

That is, the updated information of the featured addresses. Apply the proposed fault-localization method to these image files. The proposed method classifies the updated feature for the images of the app class with the traces of the function executed, except for the images of the infra class that are not directly related to the execution of the function. For each frame classified by the app class, the unit function and the featured frame class are identified, and to find a sequence in which a fault occurs that Appl.does Sci. not 2018 match, 8, x FOR the PEER memory-updated REVIEW pattern of normal operation. 12 of 20 The updated feature classification uses the updated feature classifier created in the unit test phase. EachThe frame updated of the feature test in whichclassification the fault uses occurred the updated is filtered feature by application classifier framescreated corresponding in the unit test to phase.IDUR throughEach frame the firstof the stage test classifier. in which Next, the application fault occurred frames is classifyfiltered the by unit application function andframes the correspondingfeatured frame to in IDUR order, through and output the first only stage the frames classifier. whose Next, unit application function index frames and classify featured the frame unit functionindex match and the the featured class. Figure frame9 showsin order, the and flow output through only the the updated frames whose feature unit classifier. function In index the figure, and featuredthe image frame files index of frames match 214–221 the class. are Figure classified 9 show ass the the Infra flow/App through class the in updated the first feature stage. Accordingclassifier. Into the the figure, flowchart, the image files 216, files 218, of frames and 219 214–221 are classified are classified as the Appas the class, Infra/App and the class matching in the first of the stage. unit Accordingfunction and to the flowchart, featured frame files is216, confirmed. 218, and In219 the are example, classified file as 217 the is App classified class, asand the the unit matching function of#4, the the unit featured function frame and isthe classified featured as frame #5, but is theconfir featuredmed. In frames the example, matching file the217 unit is classified function as #4 the are unit#13–15. function In this #4, way, the thefeatured unit function frame is and classified the featured as #5, frame but the are featured matched, frames except matching for file 217. the Finally, unit functionfiles 216, #4 218, are and #13–15. 219 are In classifiedthis way, asthe application unit function frames, and thethe unit featured function frame index are is matched, #1, and the except featured for fileframe 217. index Finally, is output files 216, as #1–3.218, and 219 are classified as application frames, the unit function index is #1, and the featured frame index is output as #1–3.

FigureFigure 9. 9. FlowchartFlowchart of of classification classiﬁcation of of updated updated features. features.

TheThe frames frames to to which which the the class class is is assigned assigned find find the the sequence sequence corresponding corresponding to to the the updated updated feature, feature, andand compare compare it with thethe updatedupdated pattern pattern of of the the normal normal operation, operation, which which presents presents a sequence a sequence other other than thanthe normalthe normal pattern pattern as a fault as a occurrence fault occurrence point (i.e., po unexpectedint (i.e., unexpected sequences, sequences, nonsequential nonsequential sequences, sequences,and disconnected and disconnected sequences). sequences). The fault occurrence The fault sequenceoccurrence and sequence the previous and the sequence previous are sequence presented areas R1presented and R2 as ranks, R1 and respectively. R2 ranks, respectively. In the rank, R1In mustthe rank, be checked R1 must first be chec in theked sequence first in the in whichsequence the inabnormal which the updated abnormal pattern updated occurs, pattern and R2occurs, may and be the R2 causemay be of the cause abnormal of the updated abnormal in theupdated previous in thesequence. previous All sequence. sequences All performed sequences when performed a fault occurs when may a fault be involvedoccurs may in the be fault,involved and arein the presented fault, andin R3. are Addresses presented thatin R3. cause Addresses the fault that can because found the byfault checking can be sequentially found by checking according sequentially to the rank. accordingFigure 10 toshows the rank. an example Figure 10 of shows the results an example presented of the by theresults fault-localization presented by the method fault-localization proposed in methodthis paper. proposed In Figure in this9, only paper. three In frames,Figure 9, 216, only 218, three and frames, 219, are 216, classified 218, and as 219, applications. are classified In (a),as applications.the sequence In corresponding (a), the sequence to the corresponding unit function to index the unit and thefunction featured index frame and indexthe featured of each frame frame, indexare sequentially of each frame, from are seq1 sequentially to seq3 of the from front seq1 turn to signal, seq3 andof the the front next, turn seq4, signal, does not and appear. the next, Therefore, seq4, doesR1 at not the appear. time of theTherefore, fault occurrence R1 at the is seq4,time whoseof the sequencefault occurrence is disconnected, is seq4, R2whose is seq3 sequence that is theis disconnected, R2 is seq3 that is the previous sequence, and the other sequence is R3. The fault candidates to be presented along with the point of the fault occurrence are the featured addresses of each sequence. The fault candidates are R1 (#8619), R2 (#8612), and R3 (#8603, #8650, #10677, #10681) according to the normal pattern, as shown in (b). Algorithm 1 is described as to how to present a fault-occurrence point. Appl. Sci. 2019, 9, 2799 13 of 21

previous sequence, and the other sequence is R3. The fault candidates to be presented along with the point of the fault occurrence are the featured addresses of each sequence. The fault candidates are R1 (#8619), R2 (#8612), and R3 (#8603, #8650, #10677, #10681) according to the normal pattern, as shown in

Appl.(b). AlgorithmSci. 2018, 8, x 1FOR is describedPEER REVIEW as to how to present a fault-occurrence point. 13 of 20

Figure 10. a b Figure 10. ExampleExample of of finding ﬁnding the the fault fault occurrenc occurrencee sequence sequence of front turn signal. ( (a)) Example; Example; ( (b)) fault fault candidates with the rank. candidates with the rank.

AlgorithmAlgorithm 1. 1. TheThe algorithm algorithm for for determin determininging fault fault occurrence occurrence sequence sequence INPUT: classified frames, memory-updated patterns INPUTOUTPUT: classified: fault occurrence frames, memory-updated sequence, suspicious patterns sequence OUTPUT1: PF The: fault set ofoccurrence unit function sequence, in memory-updated suspicious sequence patterns ≡ 2: S(f) The set of sequence of PF(f) 1: PF ≡ ≡The set of unit function in memory-updated patterns 3: FOR i in classified frames 2: S(f) ≡ The set of sequence of PF(f) 4: curPF FIND (unit function class of i in PF) 3: FOR i in classified← frames 5: IF i > 0 4: curPF ← FIND (unit function class of i in PF) 6: IF curPF , pastPF 5: IF i > 0 7: unit_function_change_flag = 1 6: IF curPF ≠ pastPF 8: curSeq FIND (featured frame class of i in S(curPF)) 7: unit_function_change_flag← = 1 9: IF I = 0 or unit_function_change_flag = 1 8: curSeq ← FIND (featured frame class of i in S(curPF)) 10: IF curSeq , first sequence in S(curPF) // Unexpected sequences 9: IF I = 0 or unit_function_change_flag = 1 11: fault occurrence sequence FIND (sequence number of curSeq) 10: IF curSeq ≠ first sequence in S(curPF)← // Unexpected 12: ELSE IF i

5.1. HiL Test Environment and Fault Injection We constructed the SUT as an OSEK/VDX-based software on the MC9S12X [28] ECU for evaluation [14]. Figure 11 shows the HiL test environment configured for the experiment. The environment consists of the SUT with three ECUs, a test executor, and a monitoring system that collects and stores memory data. Appl. Sci. 2019, 9, 2799 14 of 21

5.1. HiL Test Environment and Fault Injection We constructed the SUT as an OSEK/VDX-based software on the MC9S12X [28] ECU for evaluation [14]. Figure 11 shows the HiL test environment conﬁgured for the experiment. The environment consists of the SUT with three ECUs, a test executor, and a monitoring system that collects and stores memory data. Appl. Sci. 2018, 8, x FOR PEER REVIEW 14 of 20

Figure 11. HiL test environment.

The SUTSUT hashas threethree electronicelectronic control control units units (ECUs) (ECUs) and and ten ten unit unit functions, functions, and and the the three three ECUs ECUs are responsibleare responsible for thefor steeringthe steering and frontand front functions functi (N1),ons (N1), communication communication and propulsionand propulsion systems systems (N2), and(N2), peripheral and peripheral sensing sensing and rear and functions rear functions (N3). The (N3). software The software of each unitof each function unit function is statically is statically assigned toassigned the memory to the area memory of each area ECU of node. each FaultsECU node. injected Faults into theinjected SUT wereinto generatedthe SUT were by modifying generated only by onemodifying statement only in one the statement original source in the code original using sour thece mutation code using technique the mutation [29]. Table technique1 summarizes [29]. Table the 1 faultssummarizes injected the into faults each injected function. into each function.

Table 1. List of fault injection by the selected mutation operators.

Index Node Function MutationMutation Operator * Fault Index Node Function Fault 1 Front Turn Signal Operator OEBA * Malfunction due to consecutive commands 2 N1 Head Lamp OCNG Illumination change error 1 Front Turn Signal OEBA Malfunction due to consecutive commands 3 2N1 Head Steering Lamp OCNG CGSR Illumination Steering changeangle change error error 4 SSDL Distance change error 3 SteeringAEBS CGSR Steering angle change error 5 CGCR Operation in the reverse mode 4 SSDL Distance change error 6 N2 AEBS STRI Mode change while accelerating 5 CGCR Operation in the reverse mode N2 6 Driving Mode STRI ModeIncrease change internal while variable accelerating in the parking 7 Driving Mode STRI 7 STRI Increase internal variablemode in the parking mode 8 Rear Turn Signal OEBA Malfunction due to consecutive commands 8 Rear Turn Signal OEBA Malfunction due to consecutive commands Malfunction due to accelerator pedal 9 9Brake Brake Lamp Lamp CGSRCGSR Malfunction due to accelerator pedal condition condition 10 N3 Emergency Stop Signal CGCR Operation in the reverse mode Emergency Stop 1011 N3 Rear Alert OEBACGCR Distance Operation change in the error reverse mode 12 Adv.Signal ESS OEAA Malfunction due to the existing command state 11 Rear Alert OEBA Distance change error * OEBA (OEAA): Operator Replacement (Assignment (=) to Bitwise assignment (|=); Assignment to Arithmetic Malfunction due to the existing command 12 assignment (+ =)) OCNG:Adv. Logical ESS context negationOEAA CGSR (CGCR): Constant for Scalar (Constant) Replacement SSDL: Statement Deletion STRI: Trap on if Condition. state *OEBA (OEAA): Operator Replacement (Assignment (=) to Bitwise assignment (|=); Assignment to Arithmetic assignment (+ =)) OCNG: Logical context negation CGSR (CGCR): Constant for Scalar (Constant) Replacement SSDL: Statement Deletion STRI: Trap on if Condition. Because the proposed method operates normally in the unit test and the fault occurred in the integration test, the fault to be injected must also pass the unit test. Therefore, we classify the applicable operators for each function among 80 mutation operators in C language. Then, the mutation operator that passed the unit test is injected into the fault. At this time, the unit test tests the function on/off in the function initialization state, and in the integration test, the communication between the nodes, the function connection, and the continuous state changes of the single function, are examined. For example, fault #1 modified a statement from the source code of the front turn signal function of Node 1 by using the OEBA operator. This fault has been modified to Appl. Sci. 2019, 9, 2799 15 of 21

Because the proposed method operates normally in the unit test and the fault occurred in the integration test, the fault to be injected must also pass the unit test. Therefore, we classify the applicable operators for each function among 80 mutation operators in C language. Then, the mutation operator that passed the unit test is injected into the fault. At this time, the unit test tests the function on/off in the function initialization state, and in the integration test, the communication between the nodes, the function connection, and the continuous state changes of the single function, are examined. For example, fault #1 modified a statement from the source code of the front turn signal function of Node 1 by using the OEBA operator. This fault has been modified to change an assignment to a bitwise assignment, which works fine in a single command, but the fault occurs when successive commands are received.

5.2. Finding the Updated Patterns and Building a Pattern Classiﬁer The unit test of the SUT implanted with the fault is repeated to generate memory-updated information from the memory data in which the unit functions normally operate, and sequential pattern mining is applied to extract the normal memory-updated pattern. Table2 shows the memory-updated patterns extracted from the SUT. The functions injected with faults in Table1 consist of a combination of the unit functions shown in Table2. For example, the driving mode of node 2 is a combination of the unit function gear and pedal. On the other hand, in the updated pattern of Table2, the sequence may partially coincide, such as the front turn signal and the head lamp. This is because, even if the unit functions are diﬀerent, a function similar to the case of allocating a signal on a bit-by-bit basis in the same memory in a communication process, may use a global variable for signal transmission. Both are part of the normal updated patterns. The memory-updated pattern of normal operation in Table2 indicates the addresses to be updated when each unit function operates and the order to be updated. Therefore, it is possible to judge whether the function is normal by comparing the memory data when the function is operated and the pattern of Table2.

Table 2. List of memory-updated patterns of the system under test (SUT).

Node Unit Function Number of Sequences Featured Addresses (8650,10677,10681), (8603), (8611,8612,8613), (8619), Front Turn Signal 5 (8624,8625,8626) 1 (8650,10677,10681), (8603), (8605,8608,8609), Head Lamp 5 (8615,8610,8617,8618), (8620,8622,8623) Steering 4 (8651,10677,10681), (8639), (8640), (8641) Sensor 3 (8628,8633,8935,10604), (8637), (8604) (8696), (8700,8704), (8668,8669,8704), (8661), (8628), AEBS 9 (8701,8703,8704), (8671,8672,8678,8683,8688,8704), 2 (8664), (8624,8627) Gear 4 (8700,8704), (8668,8669,8704), (8661), (8628) (8701,8703,8704), (8671,8672,8673,8683,8688), (8664), Pedal 4 (8624,8627) (8646), (8606), (8607,8608,8609), (8621), Rear Turn Signal 5 (8624,8625,8626) 3 (8646,8648), (8613,8614), (8610,8611,8619,8620), Brake Lamp 5 (8622,8623), (8627,8628) Rear Alert 4 (8656), (8618), (8646), (8602,8613)

We generated the data to learn the updated feature using the updated patterns of the normal operation obtained. Based on the update of the featured addresses, the frame of the range in which the function operates in the unit test is converted into an image file and classified into a sequence. Infrastructure frames are sampled by the number of frames classified as applications in each unit test. Anaconda [30] and Keras [31] were used to generate and learn the update feature classifier. Appl. Sci. 2019, 9, 2799 16 of 21

The data set for learning consisted of about 4000 image data. For the featured frame of 48 sequences of memory-updated patterns in Table2, image data of 40 app class on the average were prepared, and data of infra class of the similar amount were also prepared. These image data contain labels of three classes that are necessary for the learning of the three classifiers. Use this dataset to learn three classifiers for each node, a total of nine classifiers. The dataset was constructed considering the ratio of the featured frame. Therefore, when learning the unit function classifier, the data ratio between classes should be adjusted evenly. Among the data sets, the ratio of training to validation is 4:1. Table3 shows the accuracy, precision, recall, and F1-score for the validation data as a result of learning. In this case, the F1-score is the harmonic mean of precision and recall. The nine classifiers learned were 96–100% overall for the four measures, and all four measures were learned to over 98% on average.

Table 3. Training results of the classiﬁers using a convolutional neural network (CNN).

Node Classiﬁer Accuracy (%) Precision (%) Recall (%) F1-Score App/Infra 96.06 96.07 96.40 96.23 1 Unit Function 97.92 98.47 98.12 98.29 Featured Frame 98.90 99.13 98.70 98.92 App/Infra 100.00 100.00 100.00 100.00 2 Unit Function 97.99 97.96 97.82 97.89 Featured Frame 98.80 97.09 96.94 97.02 App/Infra 98.44 98.39 98.57 98.48 3 Unit Function 96.84 97.44 97.39 97.41 Featured Frame 98.44 97.86 98.66 98.26 Average (%) 98.15 98.04 98.07 98.06

5.3. Experimental Result Among the 12 faults injected in Table1, localization results are presented through Fault index #1 (disconnected sequence case) and Fault index #12 (unexpected sequence case). We compare the present fault-occurrence point with the actual fault-occurrence point and compare the proposed method with the localization ratio of the previous study.

5.3.1. Finding the Fault in the Disconnected Sequence (Fault Index #1) This fault is when the input normally enters the function, but the input is not passed to the output. In other words, the updated patterns of the memory according to the operation of the function are not connected to the sequences. In Table1, fault index #1 is a malfunction due to consecutive commands input to the front turn signal function. That is, when a function is in operation, a command for another operation is input, and a fault occurs. We conducted a test to turn on/off each operation in the unit test. In the integration test, consecutive instructions were input at intervals of 500 ms. The result is shown in Figure 12. In the figure, the IDUR of 166–171 normally shows the pattern, and the IDUR of 216–218 is the fourth sequence, but is missed. Because the frame interval is 10 ms, the 50-frame difference is 500 ms. Therefore, in the following operation command, the previous input operates normally, and the subsequent input shows that a fault has occurred. According to Algorithm 1, sequence #4 of the front turn signal is the fault-occurrence sequence (R1), #3 is the suspect sequence (R2), and the other sequences are the related sequence (R3). At this time, it can be seen that the proposed method focuses on sequential patterns rather than continuity in 167 and 217 frames that are excluded. As a result, according to Table2, the fault candidates of the fault index #1 is R1 (#8619), R2 (#8611, #8612, #8613) and R3 (#8650, #10677, #10681, #8603, #8624, #8625, #8626). In fact, the fault we injected is mutated to ‘=’ with ‘|=’ in the assignment operation of the variable assigned to #8619, Rank R1, according to the OEBA operator. Appl. Sci. 2018, 8, x FOR PEER REVIEW 16 of 20

Unit Function 97.92 98.47 98.12 98.29 Featured Frame 98.90 99.13 98.70 98.92 App/Infra 100.00 100.00 100.00 100.00 2 Unit Function 97.99 97.96 97.82 97.89 Featured Frame 98.80 97.09 96.94 97.02 App/Infra 98.44 98.39 98.57 98.48 3 Unit Function 96.84 97.44 97.39 97.41 Featured Frame 98.44 97.86 98.66 98.26 Average (%) 98.15 98.04 98.07 98.06

5.3. Experimental Result Among the 12 faults injected in Table 1, localization results are presented through Fault index #1 (disconnected sequence case) and Fault index #12 (unexpected sequence case). We compare the present fault-occurrence point with the actual fault-occurrence point and compare the proposed method with the localization ratio of the previous study.

FigureFigure 12.12. Finding thethe fault-occurrencefault-occurrence pointpoint ofof faultfault indexindex #1.#1.

5.3.2.According Finding the to Fault Algorithm in the Unexpected1, sequence #4 Sequence of the fron (Faultt turn Index signal #12) is the fault-occurrence sequence (R1),This #3 is fault the issuspect the case sequence when a (R2), normal and input the isother sent sequences to a function, are butthe anrelated unexpected sequence result (R3). is output.At this Intime, other it can words, be seen the memory-updatedthat the proposed pattern method of focu theses function on sequential is a case wherepatterns an rather unexpected than continuity sequence appearsin 167 and in the217normal frames sequence.that are excl Inuded. Table1 As, fault a result, index according #12 indicates to Tabl a malfunctione 2, the fault due candidates to the existing of the commandAppl.fault Sci. index 2018 state.#1, 8, isx FOR R1 Advanced (#8619), PEER REVIEW R2 emergency (#8611, #8612, stop #8613 signal) and (Adv. R3 (#8650, ESS) is #10677, a function #10681, that #8603, turns #8624, on the17 #8625, rearof 20 emergency#8626). In fact, signal the in fault the rearwe injected turn signal is mutated when it to stops ‘=’ with completely, ‘|=’ in the in additionassignment to theoperation ESS function of the thatemergencyvariable flashes assigned signal the brake into the#8619, lamp rear Rank in turn an R1, emergencysignal according when braking it tost opsthe situation.completely,OEBA operator. In in the addition integration to the test, ESS wefunction made that the ESSflashes operate the brake with thelamp turn in signalan emergency turned on,braking resulting situation. in a fault In the of theintegration emergency test, signal. we made As athe result, ESS weoperate5.3.2. obtained Finding with thethe the same turnFault signal result in the asturn Unex Figureedpected on, 13 resulting. Sequence In the figure,in (Faulta fault the Index of fourth the #12) emergency sequence ofsignal. the rear As a turn result, signal we obtained the same result as Figure 13. In the figure, the fourth sequence of the rear turn signal suddenlyThis appearsfault is the when case moving when a fromnormal 202 input to 203 is frames.sent to a Thereafter, function, but a fault an unex occurspected in which result the is output. fourth suddenly appears when moving from 202 to 203 frames. Thereafter, a fault occurs in which the fourth andIn other fifth words, sequences the memory-updated are repeated in the pattern frame. of Therefore,the function sequence is a case#4 where of the an rear unexpected turn signal sequence is the and fifth sequences are repeated in the frame. Therefore, sequence #4 of the rear turn signal is the fault-occurrenceappears in the normal sequence, sequence. #3 is the In suspiciousTable 1, fault sequence index #12 (R2), indicates and #5 anda malfunction the brake lamp due to sequences the existing are fault-occurrence sequence, #3 is the suspicious sequence (R2), and #5 and the brake lamp sequences thecommand related sequencestate. Advanced (R3). In emergency fact, the fault stop we injectedsignal (A wasdv. mutatedESS) is a to function ‘=’ with ‘that+=’ inturns the assignmenton the rear operationare the related of #8621, sequence Rank R1, (R3). according In fact, to the the fault OEAA we operator. injected was mutated to ‘=’ with ‘+=’ in the assignment operation of #8621, Rank R1, according to the OEAA operator.

FigureFigure 13.13. Finding the fault-occurrencefault-occurrence pointpoint ofof faultfault indexindex #12.#12.

5.3.3.5.3.3. Evaluation WeWe alsoalso appliedapplied thethe proposedproposed methodmethod toto thethe otherother 1010 faultsfaults inin TableTable1 .1. As As a a result, result, we we could could ﬁnd find thethe causecause ofof thethe faultfault inin thethe faultfault candidatecandidate thatthat presentedpresented forfor allall thethe faults.faults. TheThe experimentalexperimental resultsresults areare summarizedsummarized inin TableTable4 4.. Of Of these, these, the the actual actual fault fault was was highlighted highlighted inin the the shadow shadow cellcell at at which which it it waswas found.found. As a result,result, faultsfaults werewere foundfound inin R1R1 andand R2R2 inin 66 casescases outout ofof 10.10. We couldcould ﬁndfind thethe causecause ofof thethe actualactual faultfault withinwithin aa frameframe distancedistance ofof 0.875,0.875, onon average,average, atat thethe fault-occurrencefault-occurrence pointpoint thatthat wewe proposed.proposed. That is, if thethe frameframe indicatedindicated byby thethe fault-occurrencefault-occurrence pointpoint andand anan additionaladditional frameframe areare further checked, the cause of the fault can be found. The localization ratio is obtained by dividing the number of addresses up to the rank where the fault was found by the total number of updated addresses. For example, fault index #9 is (2 + 4)/132 with a 4.55% localization. As a result, our proposed method could find the point where the fault was updated by checking two frames on the average for 80% fault in the experiment to find the injected fault. The fault was found by checking only 3.28% of the total memory addresses updated.

Table 4. Experimental result.

Allocated Updated Number of Fault Frame Fault Localizatio Method Function Memory Addresses Candidates Distance Index n (%) [14] (Byte) (Byte) R1 R2 R3 (Frames) Front Turn 1 187 1 3 7 0 0.53 9(4.61%) Signal 3714 2 Head Lamp 195 1 1 7 0 0.51 14(7.18%) 3 Steering 200 1 1 4 1 1.00 4(2.00%) 4,5 AEBS 221 0 0 20 - 9.05 22(9.95%) Driving 4032 6,7 179 0 0 17 - 9.50 13(7.26%) Mode Rear Turn 8 170 1 3 5 0 0.59 9(5.29%) Signal 9 Brake Lamp 3711 132 2 4 6 1 4.55 7(5.30%) 10 ESS 289 2 4 4 4 3.46 9(3.11%) 11 Rear Alert 167 1 1 3 1 2.99 4(2.40%) Appl. Sci. 2019, 9, 2799 18 of 21 further checked, the cause of the fault can be found. The localization ratio is obtained by dividing the number of addresses up to the rank where the fault was found by the total number of updated addresses. For example, fault index #9 is (2 + 4)/132 with a 4.55% localization. As a result, our proposed method could ﬁnd the point where the fault was updated by checking two frames on the average for 80% fault in the experiment to ﬁnd the injected fault. The fault was found by checking only 3.28% of the total memory addresses updated.

Table 4. Experimental result.

Allocated Updated Number of Fault Frame Fault Localization Method Function Memory Addresses Candidates Distance Index (%) [14] (Byte) (Byte) R1 R2 R3 (Frames) 1 Front Turn Signal 187 1 3 7 0 0.53 9(4.61%) 2 Head Lamp3714 195 1 1 7 0 0.51 14(7.18%) 3 Steering 200 1 1 4 1 1.00 4(2.00%) 4,5 AEBS 221 0 0 20 - 9.05 22(9.95%) 4032 6,7 Driving Mode 179 0 0 17 - 9.50 13(7.26%) 8 Rear Turn Signal 170 1 3 5 0 0.59 9(5.29%) 9 Brake Lamp 132 2 4 6 1 4.55 7(5.30%) 10 ESS3711 289 2 4 4 4 3.46 9(3.11%) 11 Rear Alert 167 1 1 3 1 2.99 4(2.40%) 12 Adv. ESS 163 1 3 15 0 0.61 17(10.43%) Average 0.875 3.28% 5.77%

On the other hand, our proposed method does not suggest when is the fault-occurrence point in the case of Node 2. The proposed method uses the update pattern to present the point of occurrence of the abnormal pattern as the point of occurrence of the fault. Therefore, we confirmed the limit at which the fault-occurrence point cannot be determined when the updated patterns of the memory are normally maintained and updated to the wrong value. However, this limitation can be overcome. As shown in Table4, all the detected sequences are presented as fault candidates for Rank R3, so we can find the cause of the fault by localization similar to the previous study. As a result, the proposed method can reduce the fault candidates strongly by presenting the point of occurrence for 80% of faults and can suggest a fault candidate similar to the previous study, even when the point of occurrence cannot be observed. When we test the same fault, the proposed method is localized to 3.28%, which is 57% of the memory compared to the previous study. We apply the proposed method to ECUs based on OSEK/VDX. This means that our proposed method can find faults that occur in the HiL test environment using the normal memory-updated features and the updated patterns without debugging tools or source code. However, because the proposed method only targets the update, not the value of the memory, it is limited when there is an error in the value while maintaining the normal pattern. In addition, because it focuses on updating, it is difficult to apply analog signals with frequent changes in values.

6. Conclusions The proposed method collects memory data in the cycle of main task execution during the HiL test. Analyzing the updated information of collected memory and applying the sequential pattern-mining algorithm enables the acquisition of both the updated feature and updated memory patterns of software execution. The time of fault occurrence indicates that the frame sequence does not match the updated patterns of normal operation in the frame of the integration test where the fault occurs. The fault candidates are categorized into ranks of the featured addresses of the fault-occurrence sequence and the executed sequence. As a result of the experiment by fault injection, 80% of faults suggest the time of fault, and the fault candidates were localized to 3.28% on average. If 100 variables are used in the integration test, the fault can be found by checking only 3 variables before and after the fault occurred at the time of debugging. Appl. Sci. 2019, 9, 2799 19 of 21

The proposed method has the following advantages. First, fault-occurrence time is suggested in a black-box environment, where the source code is difficult to use and the memory address that causes the fault can also be detected. The proposed method, based on normal operation information, that acquires the unit test, can assess the difference in fault situations. Second, with the only automotive communication interface, it is possible to obtain debugging information, even without using existing debugging tools. The proposed method collects memory in the cycle of the main task period of the system, which has a comparable effect of observing the system without debugging tools. Third, the fault-occurrence time and cause of the fault are detected, based in the memory-updated features and the updated pattern of normal operation. Thus, those who perform the test can apply the proposed method even without any background knowledge about the execution flow of the software or the characteristics of the input and output signals. Therefore, the proposed method is based on the memory-updated features and updated patterns without source code or existing debugging tools, and determines not only the time of fault occurrence, but also the memory address responsible to the fault. The developer can thus reduce the time required for debugging. As our method considers the updated status, not to the saved value in the memory, in cases in which the saved value in a major address is updated to the wrong value, it is difficult to determine the time of the fault occurrence. Additionally, because we focus on the updated status, it is limited in the case in which the updated status is not important, like an analog signal, which is common. However, in addition to suggesting the time of fault occurrence in discrete signals, like digital I/O, its localization feature is more robust than that in existing works, which only used the memory-updated information. Furthermore, we plan to proceed with further work using the pattern of change in the value stored in memory.

Author Contributions: J.-W.L. conceived and designed the experiments; J.-W.L. and K.-Y.C. analyzed the data; K.-Y.C. performed the experiments, contributed analysis tools, and wrote the paper. Funding: National Research Foundation of Korea: NRF-2016R1A2B1014376, MSIT(Ministry of Science and ICT), Korea: IITP-2019-2016-0-00309 Acknowledgments: This research was supported by the National Research Foundation of Korea (NRF) grant funded by the MSIP (NRF-2016R1A2B1014376); This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2019-2016-0-00309) supervised by the IITP (Institute for Information & communications Technology Planning & Evaluation). Conﬂicts of Interest: The authors declare no conﬂict of interest.

References

1. Ebert, C.; Favaro, J. Automotive Software. IEEE Softw. 2017, 34, 33–39. [CrossRef] 2. Klobedanz, K.; Kuznik, C.; Elfeky, A.; Müller, W. Development of automotive communication based real-time systems-a steer-by-wire case study. In International Embedded Systems Symposium; Springer: Berlin/Heidelberg, Germany, 2009; pp. 218–225. [CrossRef] 3. Garg, M.; Lai, R. Measuring the constraint complexity of automotive embedded software systems. In Proceedings of the 2014 International Conference on Data and Software Engineering (ICODSE), Bandung, Indonesia, 26–27 November 2014; pp. 1–6. [CrossRef] 4. Köhl, S.; Jegminat, D. How to Do Hardware-in-the-Loop Simulation Right. In Proceedings of the SAE 2005 World Congress & Exhibition, Detroit, MI, USA, 11–14 April 2005; No. No. 2005-01-1657. [CrossRef] 5. ISO. ISO 26262: Road Vehicles-Functional Safety-Part 6: Product Development at the Software Level; ISO 26262 Functional Safety Standard; International Organization for Standardization: Geneva, The Switzerland, 2011. 6. Gomez, M. Hardware-in-the-Loop Simulation. Embed. Syst. Program. 2001, 14, 38–49. 7. Vermeulen, B. Functional debug techniques for embedded systems. IEEE Des. Test Comput. 2008, 25, 208–215. [CrossRef] 8. Wong, W.E.; Gao, R.; Li, Y.; Abreu, R.; Wotawa, F. A survey of software fault localization. IEEE Trans. Softw. Eng. 2016, 42, 707–740. [CrossRef] Appl. Sci. 2019, 9, 2799 20 of 21

9. Qu, B.; Nie, C.; Xu, B.; Zhang, X. Test case prioritization for black box testing. In Proceedings of the 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), Beijing, China, 24–27 July 2007; pp. 465–474. [CrossRef] 10. Zhang, X.Y.; Towey, D.; Chen, T.Y.; Zheng, Z.; Cai, K.Y. Using partition information to prioritize test cases for fault localization. In Proceedings of the 2015 IEEE 39th Annual Computer Software and Applications Conference, Taichung, Taiwan, 1–5 July 2015; pp. 121–126. [CrossRef] 11. Mao, C.; Hu, X.; Lu, Y. Towards a software diagnosis method based on rough set reasoning. In Proceedings of the 2008 8th IEEE International Conference on Computer and Information Technology, Sydney, Australia, 8–11 July 2008; pp. 718–723. [CrossRef] 12. MISRA-C:2004 Guidelines for the Use of the C Language in Critical Systems. Available online: http: //caxapa.ru/thumbs/468328/misra-c-2004.pdf (accessed on 31 May 2019). 13. Choi, K.Y.; Lee, J.W. Fault Localization by Comparing Memory Updates between Unit and Integration Testing of Automotive Software in an Hardware-in-the-Loop Environment. Appl. Sci. 2018, 8, 2260. [CrossRef] 14. Mabroukeh, N.R.; Ezeife, C.I. A taxonomy of sequential pattern mining algorithms. ACM Comput. Surv. (CSUR) 2010, 43, 1–41. [CrossRef] 15. Bringmann, E.; Andreas, K. Model-based Testing of Automotive Systems. In Proceedings of the 2008 1st International Conference on Software Testing, Verification, and Validation, Lillehammer, Norway, 9–11 April 2008; pp. 485–493. [CrossRef] 16. Sudeendra Kumar, K.; Verghese, L.; Mahapatra, K.K. Fuzzy logic based integrated control of anti-lock brake system and collision avoidance system using can for electric vehicles. In Proceedings of the IEEE International Conference on Industrial Technology (ICIT 2009), Gippsland, Australia, 10–13 February 2009; pp. 1–5. [CrossRef] 17. Di Fatta, G.; Leue, S.; Stegantova, E. Discriminative pattern mining in software fault detection. In Proceedings of the 3rd International Workshop on Software Quality Assurance, Portland, OR, USA, 6 November 2006; pp. 62–69. [CrossRef] 18. Cheng, H.; Lo, D.; Zhou, Y.; Wang, X.; Yan, X. Identifying bug signatures using discriminative graph mining. In Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, Chicago, IL, USA, 19–23 July 2009; pp. 141–152. [CrossRef] 19. Lo, D.; Cheng, H.; Han, J.; Khoo, S.C.; Sun, C. Classification of software behaviors for failure detection: A discriminative pattern mining approach. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Paris, France, 28 June–1 July 2009; pp. 557–566. [CrossRef] 20. Ince, T.; Kiranyaz, S.; Eren, L.; Askar, M.; Gabbouj, M. Real-time motor fault detection by 1-D convolutional neural networks. IEEE Trans. Ind. Electron. 2016, 63, 7067–7075. [CrossRef] 21. Jing, L.; Zhao, M.; Li, P.; Xu, X. A convolutional neural network based feature learning and fault diagnosis method for the condition monitoring of gearbox. Measurement 2017, 111, 1–10. [CrossRef] 22. Yao, Y.; Wang, H.; Li, S.; Liu, Z.; Gui, G.; Dan, Y.; Hu, J. End-to-end convolutional neural network model for gear fault diagnosis based on sound signals. Appl. Sci. 2018, 8, 1584. [CrossRef] 23. Lee, J.-W.; Choi, K.-Y.; Lee, J.-W. Collecting Big Data from Automotive ECUs beyond the CAN Bandwidth for Fault Visualization. Mob. Inf. Syst. 2017, 2017, 4395070. [CrossRef] 24. Vector Embedded Components. Available online: https://www.vector.com/int/en/products/products-a-z/ embedded-components/ (accessed on 31 May 2019). 25. Fournier-Viger, P.; Gomariz, A.; Campos, M.; Thomas, R. Fast vertical mining of sequential patterns using co-occurrence information. In Pacific-Asia Conference on Knowledge Discovery and Data Mining; Springer: Basel, Switzerland, 2014; pp. 40–52. [CrossRef] 26. SPMF: A Java Open-Source Data Mining Library. Available online: http://www.philippe-fournier-viger.com/ spmf/ (accessed on 31 May 2019). 27. CS231n: Convolutional Neural Networks for Visual Recognition. Available online: http://cs231n.stanford.edu/ (accessed on 31 May 2019). 28. NXP 16-Bit S12 and S12X MCUs|NXP. Available online: https://www.nxp.com/products/processors- and-microcontrollers/additional-processors-and-mcus/8-16-bit-mcus/16-bit-s12-and-s12x-mcus:S12S12X (accessed on 31 May 2019). Appl. Sci. 2019, 9, 2799 21 of 21

29. Agrawal, H.; DeMillo, R.A.; Hathaway, B.; Hsu, W.; Hsu, W.; Krauser, E.W.; Martin, R.J.; Mathur, A.P.; Spaﬀord, E. Design of Mutant Operators for the C Programming Language; Technical Report SERC-TR-41-P; Software Engineering Research Center, Department of Computer Science, Purdue University: West Lafayette, IN, USA, 1989. 30. Anaconda Python/R Distribution—Anaconda. Available online: https://www.anaconda.com/distribution/ (accessed on 31 May 2019). 31. Keras: The Python Deep Learning Library. Available online: https://keras.io/ (accessed on 31 May 2019).

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).