Control-CPS software fault localization (SFL, aka debugging) is of critical importance as bugs may cause major mission failures, even injuries/deaths. To locate the bugs in control-CPSs, SFL tools often demand many labeled ("correct"/"incorrect") source code execution traces as inputs. To label the correctness of these traces, we must judge the corresponding control-CPS physical trajectories' correctness. However, unlike discrete outputs, the boundaries between correct and incorrect physical trajectories are often vague. The mechanism (aka oracle) to judge the physical trajectories' correctness thus becomes a major challenge. So far, the ad-hoc practice of "human oracles" are still widely used, whose qualities are heavily dependent upon the human experts' expertise and availability. This thesis proposes an oracle based on the system identification (SI) method used in the renowned model predictive control (MPC) technology. Originally designed for controlling black-box physical systems, the MPC-SI is adapted by us to learn the buggy control-CPS as a black-box. We use this learning result as an oracle to judge the control-CPS's behaviors, and propose a framework of methodology to prepare traces for control-CPS debugging. Evaluation results on classic control-CPSs with real-life and artificial bugs show that our proposed approach significantly outperforms the human oracle approach in SFL accuracy, recall, and latency, and in oracle false positive/negative rates.
|Date of Award
- The Hong Kong Polytechnic University
|Qixin Wang (Chief supervisor)