KR102020994B1 - Method and apparatus for fault injection test - Google Patents

Abstract

The present invention relates to a defect injection test method and apparatus, and more particularly, a defect injection test capable of automatically generating a defect to be artificially injected into an electronic control device and monitoring the operation of the electronic control device in which the defect is injected. A method and apparatus are disclosed.
The defect injection method according to the embodiment includes a defect information generation step of generating defect information including a defect scenario of the electronic control apparatus; A defect information injection step of injecting the generated defect information into the electronic control apparatus; And monitoring the operation of the electronic control apparatus by receiving task execution information and variable value information from the electronic control apparatus in which the defect information is injected.

Description

Fault injection test method and apparatus {METHOD AND APPARATUS FOR FAULT INJECTION TEST}

The present invention relates to a defect injection test method and apparatus, and more particularly, a defect injection test capable of automatically generating a defect to be artificially injected into an electronic control device and monitoring the operation of the electronic control device in which the defect is injected. A method and apparatus are disclosed.

Recently, as various functions are mounted in an automobile, an electronic control unit (ECU) for processing the same has been widely used. As mechanical control devices are replaced by electronic control devices, whenever a safety-related issue such as a Toyota situation arises, the reliability of the software (SW) mounted in the electronic control device is questioned. Accordingly, the ISO26262 standard applies Fault Injection Test for safety-sensitive SW components by applying functional safety applied in the safety industry (railroad, aviation, nuclear power, etc.) to the automotive industry. It requires that

Electronic controllers should be designed to basically avoid and prevent faults. If a fault occurs, a mechanism for detecting an error and recovering itself in a short time should be provided. Therefore, there is a need for a method of verifying that the self-healing is smooth by forcibly causing defects that may occur even though the probability of occurrence in the actual situation is low.

Conventionally, designers inject artificial defects into the electronic control device through a debugger, and monitor the before and after defect injection, and designers have to write a test result report by hand.

Therefore, there is an urgent need for an automated defect injection test method that automatically induces a defect in the electronic controller, monitors the operation of the electronic controller injecting the defect in real time, and automatically generates a test result report.

An object of the present invention is to provide a defect injection test method and apparatus capable of automatically generating and injecting artificial defects into an electronic control apparatus.

Another object of the present invention is to provide a defect injection test method and apparatus capable of monitoring whether an electronic control device in which a defect is injected is normally operated.

In addition, an object of the present invention is to provide a defect injection test method and apparatus capable of automatically generating a test result report of a defect-injected electronic control apparatus.

The problem of the present invention is not limited to those mentioned above, and other problems not mentioned will be clearly understood by those skilled in the art from the following description.

The defect injection method according to the embodiment includes a defect information generation step of generating defect information including a defect scenario of the electronic control apparatus; A defect information injection step of injecting the generated defect information into the electronic control apparatus; And monitoring the operation of the electronic control apparatus by receiving task execution information and variable value information from the electronic control apparatus in which the defect information is injected.

In the defect information generation step, the defect scenario may be generated based on the setting information of the electronic controller and the user selection information input to the input window.

In the defect information generating step, the defect scenario may be extracted by combining all the defects that may occur in the setting information of the electronic control apparatus.

In the defect information generating step, the defect scenario may include at least one or more of a timing of occurrence of a defect, a target of the defect, a type of the defect, and a number of occurrences of the defect.

Types of defects include: interrupting task execution, preventing task rerun by the scheduler, preventing task rerun by interrupting alarm generation, preventing rerun of the task after waiting for an event, preventing task rerun by inducing deadlock during resource wait, stacking At least one or more of prevention of task rerun by causing overflow overflow, task overrun, contamination of variable value, code variation, CPU register value contamination, S / W component contamination, and bit flip It may include.

The monitoring may include displaying a task state change graph based on the task execution information of the electronic control apparatus and a variable value state change graph based on the variable value information of the electronic control apparatus.

The task state change graph may include a state change for each task over time, a defect occurrence time point, and a system reset time point.

The variable value change graph may include a trend of a variable value (s) over time, a defect occurrence time point, and a system reset time point.

The variable value graph may include a notification indicating whether the variable value exceeds a preset threshold.

The monitoring may include extracting start and end information of a task of the electronic control apparatus and correct a monitoring period based on the extracted start and end information of the task.

Here, a test result report generation step of generating a test result report, the test result report may further include a portion outputting the task state change and the variable value trend in text.

The defect injection test apparatus according to the embodiment includes a test scenario management module that generates defect information including a defect scenario of the electronic control apparatus; A test execution module for executing a test for injecting the generated defect information into the electronic control apparatus; A task monitoring module configured to receive task execution information from the electronic control apparatus in which the defect information is injected, and monitor a state change of a task in the electronic control apparatus; And a variable value monitoring module configured to receive variable value information from the electronic control device in which the defect information is injected, and monitor a change in the variable value of the electronic control device.

And a report generation module configured to generate a test result report including a change in the state of the task and a change in the value of the variable before and after a defect occurs in the electronic control apparatus.

Using the defect injection test method and apparatus according to the embodiment of the present invention has the advantage of automatically generating and injecting artificial defects into the electronic control apparatus.

In addition, there is an advantage that it is possible to monitor whether the electronic control device injected with a defect is operating normally.

In addition, there is an advantage that can automatically generate a test result report of the electronic control device injected with a defect.

It also has the advantage of expanding the ISO26262 based test environment.

In addition, there is an advantage that can reduce the cost of test automation.

In addition, there is an advantage to build an infrastructure for testing abnormal conditions.

It also has the advantage of extending the testing range to BSW without code modification.

In addition, there is an advantage to prepare a preemptive response strategy for the defect detection process.

1 is an example of a system configuration in which a defect injection test method according to an embodiment of the present invention can be implemented.
2 is an internal configuration diagram of a defect injection test apparatus and an electronic control apparatus according to an embodiment of the present invention.
3 is a flowchart of a defect injection test method according to an embodiment of the present invention.
4 is a conceptual diagram for describing a defect injection test method according to an exemplary embodiment of the present invention illustrated in FIG. 3.
5 is a diagram illustrating an example of a task state change graph.
6 is a diagram illustrating an example of a variable value change graph.
7 is a diagram illustrating an example of a generated test result report.
8 and 9 are diagrams for describing a method of generating a defect scenario of 'task execution interruption' among the types of defects described in Table 2;
10 and 11 are diagrams for describing a method of generating a defect scenario of 'preventing task rerun by a scheduler' among the types of defects described in <Table 2>.
12 and 13 are diagrams for describing a method of generating a defect scenario of 'preventing task rerun by interrupting alarm generation' among the types of defects described in Table 2. FIG.
14 and 15 are diagrams for describing a method of generating a defect scenario of 'preventing task re-execution after waiting for an event' among the types of defects described in <Table 2>.
FIG. 16 is a diagram for describing a method of generating a defect scenario of preventing a task re-execution by inducing deadlock while waiting for resources among the types of defects described in Table 2. FIG.
17 and 18 are diagrams for describing a method of generating a defect scenario of 'avoid task re-execution by inducing a stack overflow' among the types of defects described in <Table 2>.
19 and 20 are diagrams for describing a method of generating a defect scenario of 'Task overrun (other task omission, delay initiation)' among the types of defects described in <Table 2>.
21 and 22 are diagrams for explaining a method of generating a defect scenario of 'contamination of variable values' among the types of defects described in Table 2. FIG.
FIG. 23 is a diagram for describing a method of generating a defect scenario of 'code variation' among the types of defects described in Table 2. FIG.
24 and 25 are diagrams for explaining a method of generating a defect scenario of 'CPU resist value contamination' among the types of defects described in Table 2. FIG.
26 and 27 are diagrams for describing a method of generating a defect scenario of 'Bit Flip' among the types of defects described in <Table 2>.
FIG. 28 is an exemplary diagram for describing an operation (S350) of monitoring an operation of an electronic control apparatus in a defect injection test method according to an exemplary embodiment of the present disclosure illustrated in FIG. 3.
29 is a diagram for describing a function of compensating for a monitoring error due to memory polling.

DETAILED DESCRIPTION OF THE INVENTION The following detailed description of the invention refers to the accompanying drawings that show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It is to be understood that the various embodiments of the invention are different but need not be mutually exclusive. For example, certain shapes, structures, and characteristics described herein may be embodied in other embodiments without departing from the spirit and scope of the invention in connection with one embodiment. In addition, it is to be understood that the location or arrangement of individual components within each disclosed embodiment may be changed without departing from the spirit and scope of the invention. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of the present invention, if properly described, may be defined only by the appended claims, along with the full range of equivalents to which such claims are entitled. Like reference numerals in the drawings may refer to the same or similar functions throughout the several aspects.

DETAILED DESCRIPTION Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement the present invention.

1 is an example of a system configuration in which a defect injection test method according to an embodiment of the present invention can be implemented.

Referring to FIG. 1, a system in which a defect injection test method according to an embodiment may be implemented includes a defect injection test apparatus 10, an interface device 30, and an electronic controller (ECU) 50.

The defect injection test apparatus 10 performs the defect injection test method which concerns on embodiment of this invention. Here, the defect injection test apparatus 10 may be a program (or application) installed in any one of a notebook, a laptop, a tablet, and a smartphone, or may be a dedicated terminal that performs only a defect injection test method.

The interface device 30 may be a debugger for debugging the electronic controller 50. The CPU device or the memory of the electronic controller 50 may be accessed through the interface device 30. In addition, the kernel region of the Real Time Operating System (RTOS), such as task scheduling and interrupt, can be accessed. The artificial defect generated in the defect injection test apparatus 10 may be injected into the electronic controller 50 through the interface device 30. The interface device 30 may be connected to the defect injection test device 10 by wire (eg, a USB cable) or wirelessly.

Alternatively, the interface device 30 may be an adapter capable of transmitting CAN data to the electronic controller 50 and receiving CAN data from the electronic controller 50.

The electronic controller 50 may be an electronic controller for a vehicle. The interface device 30 may be connected by the JTAG port for debugging and may be connected by wire or wirelessly to enable CAN communication. Here, the electronic control device 50 is not limited to the vehicle electronic control device. The electronic controller 50 may be an electronic controller used in the vehicle industry as well as other industries. For example, the electronic controller 50 may be a remote terminal unit (RTU) used in a power system. When the electronic control device 50 is an electronic control device used in another industry, the interface device 30 and the electronic control device 50 may be connected to each other by Ethernet, USB, or serial communication. In describing the embodiments of the present invention in detail, it is assumed that the electronic control device 50 is a vehicle electronic control device for convenience.

2 is an internal configuration diagram of a defect injection test apparatus and an electronic control apparatus according to an embodiment of the present invention.

2, a defect injection test apparatus 10 according to an embodiment of the present invention may include an operating system (OS) 11, a test scenario management module 12, a test execution module 13, a task monitoring module 14, The variable monitoring module 15 may include a test result management module 16, a report generation module 17, a communication module 18, and a GUI 19.

The operating system 11 may be Windows, but is not limited thereto and may be various operating systems such as Linux, Mac, and Android.

The test scenario management module 12 generates fault information to be artificially injected into the electronic controller 50. For example, you can create a defect scenario.

The test execution module 13 executes a test for injecting the generated defect information into the electronic control device 50. The test execution module 13 causes a defect to occur in the electronic controller 50 at a predetermined time. For example, the test execution module 13 performs a control to change the memory value of the electronic controller 50 at a predetermined time or controls to transmit a CAN signal for changing the memory value.

The task monitoring module 14 monitors a state change of a task operated in the electronic controller 50. For example, display the status change of a task as a graph or list.

The variable monitoring module 15 monitors the change of the variable value of the electronic controller 50. For example, the change in the value of a variable is displayed in a graph or a list.

The test result management module 16 stores or analyzes the test result.

The report generation module 17 automatically generates a test result report on the status of the task state and the variable value before and after the defect occurs in the electronic control device 50.

The communication module 18 outputs defect information generated in the test scenario management module 12 to the electronic controller 50 and receives task execution information and variable value information from the electronic controller 50.

GUI 19 includes test scenario management module 12, test execution module 13, task monitoring module 14, variable monitoring module 15, test result management module 16, report generation module 17 and communication. The module 18 provides an interface for user control and monitoring.

The electronic control device 50 shown in FIG. 2 includes an operating system 51 and a plurality of tasks 53.

The operating system 51 may be a real time operating system (RTOS). Here, the operating system 51 is not limited to the RTOS. In describing the embodiment of the present invention, since the electronic control device 50 is taken as an electronic control device for a vehicle, it should be noted that the operating system 51 is assumed to be an RTOS. Therefore, the operating system 51 may vary depending on the electronic control device 50.

RTOS provides an environment in which a given task can be performed within a given time. Each task operates in a unit of task 53, and task 53 has four states of running, suspended, waiting, and ready. In addition, since only one task 53 can be executed at a time, all tasks 53 are managed by a scheduler and operate according to task priority.

A representative example of the RTOS is OSEK / VDX used in the embedded field. OSEK / VDX consists of the elements described in Table 1 below. Using the elements shown in Table 1, a defect injection method and apparatus in accordance with an embodiment of the present invention can artificially create a defect.

Task RTOS's most basic execution unit Interrupt Hardware mechanism. Used to handle asynchronous events Resource Used to share resources between tasks Alarm Task can be executed periodically Event Synchronization processing by event signal between tasks Message Used to transfer data between tasks

It should be noted that the defect injection test method and the defect injection test apparatus according to the embodiment of the present invention are not limited to the OSEK / VDX operating system, and may be applied to the same or similarly in other operating systems.

On the other hand, the operating system 51 of the electronic control device 50 is not essential. The predetermined electronic controller 50 may operate as firmware without a separate operating system.

3 is a flow chart of a defect injection test method according to an embodiment of the present invention, Figure 4 is a conceptual diagram for explaining a defect injection test method according to an embodiment of the present invention shown in FIG.

3 and 4, in the defect injection test method according to an exemplary embodiment of the present disclosure, generating the defect information 500 (S310), and generating the generated defect information 500 to the electronic controller 50. Injecting (S330), monitoring the operation of the electronic controller 50 (S350), and generating a test result report 800 (S370) may be included.

Generating the defect information 500 (s310), generating a defect scenario based on the setting information 100 of the electronic control device 50 that is the defect injection target and the user selection information input to the input window 400 Can be. Here, the defect information 500 includes the generated defect scenario.

The defect scenario includes at least one of the timing of occurrence of the defect, the object of the defect, the type of the defect, and the number of occurrences of the defect. Here, the defect scenario may be a combination of two or more of the occurrence time of the defect, the object of the defect, the type of the defect, and the number of occurrence of the defect.

The occurrence time of the defect includes a defect occurrence time, a task execution count, and a variable value.

Targets of defects include tasks, memory, CPU registers, task schedulers, systems, variables, or code areas, and software components.

The number of occurrences of the defects is for causing the defects to be repeatedly generated, and includes the occurrence interval and the end value of the defects.

The type of defect includes at least one or more of the types shown in Table 2 below.

Fault type Description of faults and examples of how to trigger them One Interrupt Task Forcibly interrupt a running task.
Instruction Pointer operation: Induce malfunction of running task. 2 Prevent task rerun by scheduler Interrupt the task from going to standby after scheduling.
Induce malfunction of running task by changing Active_count value. 3 Prevent task rerun by interrupting alarm Interfere not to execute task that is executed periodically by Alarm.
Interrupt the execution by operating the alarm cycle. 4 Prevent task rerun after waiting for event Prevent a task from running again after putting it in an event standby state.
Interrupt the redo by manipulating the standby Event Mask. 5 Prevent task rerun by inducing deadlock while waiting for resources Interferes with the release of a task using a resource, preventing execution of other tasks that are waiting to be released.
Manipulate resource IDs to disrupt task normal operation. 6 Prevents task rerun by inducing stack overflow Cause overflow of the running task by making it full.
Induce overall system malfunction by assigning Max value to Stack Pointer. 7 Task overrun (induces other task omissions and delays) 1) Delay the task execution time more than expected time.
Transition to another function with long execution time while executing task. (Delayed Task is missing or delayed the next task to run)

2) Induction of task omission excluding task overrun.
Tasks with long execution time have priority over short tasks. 8 Contamination of Variable Values Change the value of a specific variable to any value (in or out of range).
Refer to the map file and change the value of a specific variable address. 9 Code variation Change the code value of the code area to an arbitrary value.
Refer to the map file and change the code value in the code address area. 10 CPU register value contamination Change register value to any value.
Change register value. 11 S / W component contamination It classifies S / W components and changes information such as event and runable.
Change event setting information, change runable function address. 12 Bit flip Change one bit of random memory area.
Change the value of specific memory in bit unit.

The setting information 100 of the electronic controller 50 is information unique to the electronic controller 50. For example, when the electronic controller 50 has an OSEK / VDX operating system, the setting information 100 may include a * .oil file including design information of the electronic controller 50 and the corresponding electronic controller 50. It may include a * .map file containing address or symbol information. Here, when the electronic controller 50 has an operating system other than the OSEK / VDX operating system, the setting information of the electronic controller 50 may be defined by another type of file or the source code itself.

The input window 400 provides the user with the information necessary for generating the defect scenario in the setting information 100 of the electronic control apparatus 50 so that the user can easily see it. When the user selects the desired information among the information provided through the input window 400, user selection information input to the input window 400 is generated, and a defect scenario is generated by combining the generated user selection information.

Meanwhile, in operation S310 of generating the defect information 500, a basic test scenario may be generated. Here, the basic test scenario is a defect scenario automatically extracted by combining all the faults that may occur in the setting information 100 of the electronic controller 50.

Injecting the generated defect information 500 into the electronic controller 50 (s330) is a step of injecting the defect information 500 into the electronic controller 50 according to a defect scenario. Here, the method of injecting the defect information 500 into the electronic control device 50, which directly changes the memory value of the electronic control device 50 or transmits a memory value change CAN signal at a predetermined time written in the defect scenario. It can be by.

In operation S350 of monitoring the operation of the electronic controller 50, the task execution information and the variable value information output from the electronic controller 50 are received, and each of the received task execution information and the variable value information is monitored. The display through 600 is performed. Here, task execution information and variable value information may be displayed in a graph form. For example, task execution information may be displayed as a task state change graph, and variable value information may be displayed as a variable value change graph.

An example of a task state change graph is shown in FIG. 5. Referring to FIG. 5, the task state change graph may display a state change for each task over time, a defect occurrence time 610, and a system reset time 630 due to a watchdog.

An example of a variable value change graph is shown in FIG. 6. Referring to FIG. 6, the variable value change graph may display the trend of the variable value (s) over time, a defect occurrence time 650, and a system reset time 670. In addition, the variable value graph may set and display a notification 690 that indicates whether the variable value to be changed exceeds a preset threshold. The notification 690 may be set to display in bold only a portion of the corresponding variable value curve that exceeds the threshold.

3 and 4, in operation S370 of generating a test result report 800, a test result report 800 including information before and after injecting a defect into the electronic controller 50 is included. ) Step.

An example of the test result report generated in FIG. 7 is shown. Referring to FIG. 7, the test result report 800 includes a 'specials' part 810 that outputs a text message of a task status change and a variable value trend. The 'specifications' part 810 is a part for automatically outputting a specific change or state before and after the defect injection in the task execution information and the variable value information. When the 'specifications' part 810 is included in the test result report 800, the user may write a report directly and an error in which the user may misunderstand the graph provided through the monitoring unit 600 may be proactive. Can block on.

The test result report 800 illustrated in FIG. 7 includes a test title, a report type, a scenario name, a scenario description, a test time check type, a test time check target, a test time condition, a test target, a test start time, a test end time, Test kill attempt time, ECU reset estimated time, test result overview, action results, variable list, variable monitoring, task status change graph and variable value change graph may further include. This information is also output automatically, rather than written by the user.

Generating the defect information 500 shown in Figure 3 (s310), injecting the generated defect information 500 into the electronic control device 50 (s330), monitoring the operation of the electronic control device 50 In operation S350 and generating the test result report 800, operation S370 may be performed by the defect injection test apparatus 10 illustrated in FIG. 2. For example, step s310 is in the test scenario management module 12 shown in FIG. 2, step s330 is in the test execution module 13 and communication module 18 shown in FIG. 2, and step s350 is shown in FIG. 2. In the task monitoring module 14 and the variable value monitoring module 15, the step s370 may be performed by the report generation module 17 shown in FIG. 2.

8 and 9 are diagrams for describing a method of generating a defect scenario of 'task execution interruption' among the types of defects described in Table 2;

Referring to FIG. 8, the defect scenario of 'stopping task execution' may combine information selected by a user from among information provided through the test execution condition input unit 410 and the defect induction method input unit 430 of the input window 400. Can be generated.

Information included in each of the test execution condition input unit 410 and the defect induction method input unit 430 of the input window 400 may be configured from the setting information 100 of the electronic control apparatus 50 to be injected with a defect. . Information included in each of the test execution condition input unit 410 and the defect induction method input unit 430 is determined according to the setting information 100 of the electronic controller 50. There is a difference in the setting information 100 for each of the electronic controllers 50, and the information included in each of the test execution condition input unit 410 and the defect induction method input unit 430 varies according to the difference in the setting information 100.

For example, as illustrated in FIG. 8, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time of '1000' ( Or a waiting time), the user selects a fault induction method called 'Instruction Pointer operation' in the fault induction method input unit 430, selects a target task for stopping execution of 'Task_A', Entering a register name, selecting an alternative function called 'Task_B_function' and pressing OK, automatically generates fault information 500 including a fault scenario of 'Task Execution' combined with the information selected and specified above. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information 500 is injected into the electronic controller 50, as shown in the red box of FIG. 9, the TASK_B function is performed under the TASK_A name by replacing the TASK_A_function address (currently executed position) with the TASK_B_function address. This can be seen in the change graph. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

10 and 11 are diagrams for describing a method of generating a defect scenario of 'preventing task rerun by a scheduler' among the types of defects described in <Table 2>.

As shown in FIG. 10, in the test execution condition input unit 410, a user selects a task called 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The fault induction method input unit 430, the user selects a fault induction method of 'manipulation of rerun information', select the task to be prevented to run again 'Task_C' and press OK, the selected and specified information is combined Fault information is automatically generated, including the Fault Scenario of the 'Prevent Task Replay by Scheduler'. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic controller 50, it can be confirmed through the task information window and the task change graph that Task_C is killed, as shown in the red box of FIG. 11. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

12 and 13 are diagrams for describing a method of generating a defect scenario of 'preventing task rerun by preventing alarm generation' among the types of defects described in Table 2. FIG.

As shown in FIG. 12, in the test execution condition input unit 410, a user selects a task named 'Task_E', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The fault induction method input unit 430, the user selects a fault induction method of 'manipulate the alarm cycle', select 'ALARM_E' to disable the task E that triggers the alarm and press OK , Defect information including a defect scenario of 'preventing task replay through interruption of alarm generation' combined with the information selected and specified above is automatically generated. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, as shown in the red box of FIG. 13, it can be confirmed through the task change graph that the alarm of Task_E is executed once and is no longer executed. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

14 and 15 are diagrams for describing a method of generating a defect scenario of 'preventing task re-execution after waiting for an event' among the types of defects described in <Table 2>.

As shown in FIG. 14, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '20', and a defect occurrence time (or waiting time) of '1000'. ), The user selects a fault induction method called 'waiting event mask manipulation' in the fault induction method input unit 430, and selects an event called 'Task_D_task_evts (0x40000128)' and presses the information selected and specified above. Defect information is automatically generated, including the combined fault scenarios of Combined 'Prevent Task Restart After Waiting'. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes 20 times.

When the generated defect information is injected into the electronic controller 50, it can be confirmed through the task change graph that Task_E is killed, as shown in the red box of FIG. 15. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

FIG. 16 is a diagram for describing a method of generating a defect scenario of preventing a task re-execution by inducing deadlock while waiting for resources among the types of defects described in Table 2. FIG.

As shown in FIG. 16, in the test execution condition input unit 410, a user selects a task called 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The user selects a fault induction method called 'Derivation of deadlock while waiting for resources' at the fault induction method input unit 430, selects an event called 'RES_DATA_1' and presses OK, and the information selected and specified above is combined. Defect information is automatically generated, including the defect scenario of 'Preventing task rerun by inducing deadlock while waiting for resources'. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

17 and 18 are diagrams for describing a method of generating a defect scenario of 'avoid task re-execution by inducing a stack overflow' among the types of defects described in <Table 2>.

As shown in FIG. 17, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), And in the fault induction method input unit 430, when the user selects a fault induction method called 'Assign Max value to the stack pointer' and presses OK, the user selects and executes a stack overflow in which the information selected and specified above is combined to rerun the task. Defect information is automatically generated, including fault scenarios of 'prevent'. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, as shown in the red box of FIG. 18, it can be confirmed through a task change graph that a segmentation fault error occurs and the entire system is killed. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

19 and 20 are diagrams for describing a method of generating a defect scenario of 'Task overrun (other task omission, delay initiation)' among the types of defects described in <Table 2>.

As shown in FIG. 19, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The fault induction method input unit 430, the user selects a fault induction method called 'replace function of a running task', selects 'Task_A' as a task, and replaces 'Task_F_function (0x000058FE)' If you select and press OK, defect information including the fault scenario of 'Task overrun' combined with the information selected and specified above is automatically generated. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, as shown in the red box of FIG. 20, 'task overrun' occurs in which the execution part of Task_A is long while executing a function of Task_F in the part where Task_A is to be executed. This can be checked through the task change graph. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the red solid line indicates a time point at which a function replacement of another task is started.

21 and 22 are diagrams for explaining a method of generating a defect scenario of 'contamination of variable values' among the types of defects described in Table 2. FIG.

As shown in FIG. 21, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The fault induction method input unit 430, the user selects a fault induction method called 'memory contamination', and after pressing a certain variable value through the memory pollution input window 450, the selection and Defect information is automatically generated, including a fault scenario of 'contamination of variable values' in which the specified information is combined. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, it can be seen that the shape of the variable value change graph changes according to the variable value change, as shown in the blue ellipse portion of FIG. For reference, the solid red line indicates the time when the defect is started.

FIG. 23 is a diagram for describing a method of generating a defect scenario of 'code variation' among the types of defects described in Table 2. FIG.

As shown in FIG. 23, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution count of '10', and a defect occurrence time (or a waiting time of '1000'). ), The fault induction method input unit 430, the user selects a fault induction method called 'memory contamination', through the memory pollution input window 450, the name 'Task_A_function', '0x00005742' address, '3 Pressing OK after specifying an offset of '184' and a size of '184' automatically generates defect information including a defect scenario of 'code variation' combined with the information selected and specified above. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

24 and 25 are diagrams for explaining a method of generating a defect scenario of 'CPU resist value contamination' among the types of defects described in Table 2. FIG.

As shown in FIG. 24, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The user selects a fault induction method of 'CPU register value contamination' in the fault induction method input unit 430, specifies a register name (stack pointer) named 'RS R1', and a setting value of '4000000'. After specifying (Hexadecimal) and pressing OK, defect information is automatically generated including a defect scenario of 'CPU resist value contamination' combined with the above selected and specified information. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, it can be confirmed through the task change graph that a system down has occurred, as shown in FIG. For reference, the blue box shows that each task of the electronic controller 50 is operating normally, and the solid red line indicates the time point at which the defect is started.

26 and 27 are diagrams for describing a method of generating a defect scenario of 'Bit Flip' among the types of defects described in <Table 2>.

Here, 'Bit Flip' means that the data (bit) of a specific memory is changed from 0 to 1 or 1 to 0 by the impact of HW.

As shown in FIG. 26, in the test execution condition input unit 410, a user selects a task named 'Task_A', specifies a task execution number of '10', and a defect occurrence time (or waiting time) of '1000'. ), The user selects a fault induction method called 'memory contamination' in the fault induction method input unit 430, and names 'value', '0x40000114', and '3' through the memory pollution input window 450. After selecting 'offset' and '4' size and selecting the bit to change among 8 bits through the value input window 470 to change, press 'OK', the above 'Bit Flip' combination of selected and specified information is combined. Including defect information is automatically generated. Here, the waiting time means that the task waits 1000 ms without injecting a defect immediately after Task_A executes ten times.

When the generated defect information is injected into the electronic control device 50, as shown in FIG. 27, it can be confirmed through the variable value change graph that the variable value has been changed. For reference, the blue ellipse shows the shape of the graph according to the change of the bit value, and the solid red line indicates the time when the defect starts.

In step s350 of monitoring the operation of the electronic control apparatus in the defect injection test method according to the embodiment of the present invention illustrated in FIG. 3, the project management unit 2810 as well as the monitoring unit 600 is illustrated in FIG. 28. ), The test scenario manager 2830 and the task / variable status information inquiry unit 2850 may be displayed.

The test scenario manager 2830 displays a plurality of scenarios that can be injected into the electronic controller 50. Here, the plurality of scenarios may be executed in batches of all or some scenarios according to the user's selection.

The task / variable status information inquiry unit 2850 displays and displays task-specific / variable information of the electronic controller 50 in a matrix. Here, when the state of the task changes, the changed task may be displayed in a distinct color.

In the defect injection test method according to the embodiment of the present invention illustrated in FIG. 3, in operation S350, the monitoring error due to memory polling may be compensated for. This will be described in detail with reference to FIG. 29.

29 is a diagram for describing a function of compensating for a monitoring error due to memory polling. Here, FIG. 29A illustrates a reason why a monitoring error occurs due to a memory polling method, and FIG. 29B illustrates a method of monitoring a state change of a task in near real time. will be.

Referring to (a) of FIG. 29, as the monitoring period increases, an error occurs in a state change of a task monitored through a real-time state change of the task and a task state change graph. In order to solve this problem, as shown in (b) of FIG. 29, by extracting the start and end information of the task of the electronic control device, and correcting the monitoring period by using the extracted start and end information, Complement the monitoring cycle to keep up with the real-time state of the task. Here, the start and end information of the task of the electronic control device can be extracted by using PreTaskHook and PostTaskHook, and the monitoring cycle of the defect injection test device by collecting and restoring the monitoring information accumulated for a certain period at a time by using the circular queue. Regardless, the real-time state changes of tasks can be accurately represented without missing them.

The defect injection test method and apparatus according to the embodiment of the present invention shown in Figs. 1 to 29 can be applied not only to analyzing the execution environment of the electronic control device and to designing the test scenario, but also to test the unit separately with the actual ECU targeted. It is possible to test the heel (HIL) with the virtual ECU, and also to test the vehicle.

The defect injection test method according to an embodiment of the present invention may be implemented through a computer readable recording medium including program instructions for performing a computer-implemented operation. The computer-readable recording medium may include program instructions, data files, data structures, etc. alone or in combination. The recording medium may be one specially designed and configured for the embodiment or be known and available to those skilled in computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical recording media such as CD-ROMs, DVDs, magnetic-optical media such as floppy disks, and ROM, RAM, flash memory, and the like. Hardware devices specifically configured to store and execute program instructions are included. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

The embodiments of the present invention have been described above with reference to the accompanying drawings, which are merely exemplary and are not intended to limit the present invention, and those skilled in the art do not depart from the essential characteristics of the present embodiment. It will be appreciated that various modifications and applications which are not illustrated above in the scope are possible. For example, each component specifically shown in embodiment can be modified and implemented. And differences relating to such modifications and applications will have to be construed as being included in the scope of the invention defined in the appended claims.

10: Fault injection test device
30: interface device
50: electronic controller

Claims (14)

In the defect injection method in a combined injection test device,
A defect information generating step of the test scenario management module generating defect information including a defect scenario of the electronic control apparatus;
A defect information injection step of injecting the generated defect information into the electronic control apparatus by a test execution module; And
The task monitoring module receives task execution information from the electronic control apparatus in which the defect information is injected and monitors the operation of the electronic control apparatus, and the variable value monitoring module receives variable value information from the electronic control apparatus in which the defect information is injected. And receiving a monitoring step of monitoring the operation of the electronic control apparatus.
The monitoring step,
Displaying a task state change graph based on the task execution information of the electronic control apparatus and a variable value state change graph based on the variable value information of the electronic control apparatus;
And the variable value change graph comprises a notification indicating whether the variable value exceeds a preset threshold.
The method of claim 1, wherein in the defect information generating step,
The defect scenario is generated based on the setting information of the electronic control device and the user selection information input to the input window.
The method of claim 1, wherein in the defect information generating step,
The defect scenario is extracted by combining all the defects that can occur in the setting information of the electronic control device.
The method of claim 1, wherein in the defect information generating step,
Wherein the defect scenario comprises at least one of a timing of occurrence of a defect, a target of the defect, a type of defect, and a number of occurrences of the defect.
The method of claim 4, wherein the type of defect is
Stop task execution, prevent task rerun by scheduler, prevent task rerun by interrupting alarm, prevent task rerun after waiting for event, prevent task rerun by inducing deadlock during resource wait, stack overflow Defect injection, including at least one of preventing task rerun by causing occurrence, task overrun, contamination of variable values, code variation, CPU register value contamination, software component contamination, and bit flip Testing method.
delete The method of claim 1,
The task state change graph includes a task change state over time, a defect occurrence time point, and a system reset time point.
The method of claim 1,
The variable value change graph includes a trend of a variable value (s) over time, a defect occurrence time point, and a system reset time point.
delete The method of claim 1, wherein the monitoring step,
Extracting start and end information of a task of the electronic controller and correcting a monitoring period based on the extracted start and end information of the task.
The method of claim 1,
The report generation module further includes a test result report generation step of generating a test result report.
The test result report, the defect injection test method comprising a portion that outputs the task state change and the variable value trend in text.
A computer-readable recording medium having recorded thereon a program for executing the defect injection test method according to any one of claims 1 to 5, 7, 8, 10, and 11.
A test scenario management module for generating defect information including a defect scenario of the electronic controller;
A test execution module for executing a test for injecting the generated defect information into the electronic control apparatus;
A task monitoring module configured to receive task execution information from the electronic control apparatus in which the defect information is injected, and monitor a state change of a task in the electronic control apparatus; And
A variable value monitoring module configured to receive variable value information from the electronic control device into which the defect information has been injected and monitor a change in the variable value of the electronic control device;
Including,
The task monitoring module displays a task state change graph based on the task execution information of the electronic controller,
The variable value monitoring module displays a variable value state change graph based on the variable value information of the electronic controller,
The variable value graph includes a notification indicating whether the variable value exceeds a preset threshold,
Fault injection test device.
The method of claim 13,
And a report generation module for generating a test result report including a change in state of the task and a change in the value of the variable before and after a fault occurs in the electronic control device.

Images