DE102022104010A1 - Method and monitoring system for monitoring an operating state of an application that is operated in a control unit of a motor vehicle - Google Patents

Abstract

The invention relates to a method for monitoring an operating state (32) of an application that is operated in a control unit (12) of a motor vehicle (11), a symbol-free program code (13) of the application in the control unit (12) being free of a symbol table ( 22) is provided and if a collection module (27) detects a predetermined triggering event in the control unit (12), the collection module (27) determines raw memory state data (26) that describe memory addresses (35) from the symbol-free program code of the application and transmits them are sent out to a vehicle-external monitoring server (23), and the monitoring server (23) receives the raw memory state data (26) and, by means of at least one symbol table (22) provided in the monitoring server (23), converts it into decoded memory state data (30) in which the memory addresses (35 ) a respective symbol (38) from a source code (15) is assigned or replaced by this, converts and controls at least one predetermined analysis measure (31) by means of the decoded memory state data (30).

Description

The invention relates to a method and a monitoring system by means of which the operating state of at least one application (application) can be monitored in at least one control unit of one or more motor vehicles. The program code of such applications in control units must be kept very compact in order not to unnecessarily overload the small memory resources of control units. For this reason, only little or no so-called debug information for analyzing runtime errors of an application can usually be accommodated in the program code of applications.

A program code of an application can be provided with symbols (for example character strings) in order to be able to assign a function name, for example, to memory addresses to which a program pointer jumps to execute a function. If a runtime error occurs in the application after such a jump, the symbol can be used to identify where the error is to be found in the source code. This simplifies troubleshooting. Even without runtime errors, it can be useful to monitor which functions in an application are called frequently and are therefore runtime-critical. In order to be able to recognize this in a compiled or binary program code, the said symbols are also necessary in order to be able to read or interpret memory addresses to which function and definition in a source code they belong.

However, enriching a program code with symbols increases its data volume or so-called "footprint". In a motor vehicle control unit in particular, however, available memory is a costly resource that one does not want to unnecessarily burden or occupy.

A runtime analysis of the functions of an application is, for example, from the US 9,104,805 B1 known.

The use of symbols to understand a sequence of binary program code using an associated source code is, for example, from US 10,521,331 B1 known.

The invention is based on the object, when monitoring an operating state of an application in a control unit of a motor vehicle, to keep the memory requirement in the control unit low for this purpose.

The object is solved by the subject matter of the independent patent claims. Advantageous further developments or developments of the invention are described by the dependent patent claims, the following description and the figures.

As a solution, the invention includes a method for monitoring an operating state of an application that is operated in a control unit of a motor vehicle. An application is understood here as an application or functionality that is provided by the control unit on the basis of software or program code that is present in the control unit as machine-readable code or binary code or in machine language. In the method, the application is provided in the control unit as "symbol-free program code", i.e. as a program code that is free of a so-called symbol table, in which memory addresses can be assigned to a respective symbol from a source code in a program code, in order to store, for example, a function name of a program function or variable name of a variable that begins at the memory address or whose entry address is given by the memory address in the manner described for a memory address. In particular, a program code without a debug symbol table is meant.

The method provides for a collection module to be operated in the control unit, which can be implemented, for example, as program code or software or a routine of an operating system of the control unit. If the collection module detects a predetermined triggering event in the control device, the collection module determines raw memory status data that contains the memory address from the program code of the application. They can be memory addresses that refer to currently executed or active code components of the program code that is being executed, e.g. to program functions that are currently called. A link to an associated part of a source code of the program code is missing due to the missing symbols from the source code (free of symbols). The memory state data is referred to here as “raw” in order to distinguish it from the “decoded” memory state data described below. In particular, the raw memory state data is symbol-free because it is formed from the symbol-free program code. The memory status data can in particular be what is known as a stack trace, in particular a stack of jump addresses for recursive function calls.

The raw memory state data is sent by the collection module to an off-board Monitoring server sent out. In the manner described, the raw memory state data is not readable or illegible to the extent that it is impossible to assign the memory addresses to function names or variable names as used in a source code on which the symbol-free program code is based. The monitoring server can be implemented, for example, as a cloud server or backend server of the motor vehicle. The monitoring server receives the raw storage state data.

In order to be able to relate the raw memory state data to a source code of the application, at least one symbol table is provided in the monitoring server, by means of which the received raw memory state data is converted into said decoded memory state data in the monitoring server. The decoded memory state data differ from the raw memory state data in that they additionally or alternatively indicate the symbols, ie in the decoded memory state data the said memory addresses are each assigned a symbol or replaced by one. Such a symbol can be a character string in the manner described, for example, which can specify a function name (e.g. "_main") or variable name. In particular, a respective symbol from a source code of the application is provided.

Although a symbol-free program code of the application is operated in the control unit, the decoded memory state data can then be used in the monitoring server to identify or describe which symbol belongs to the respective memory address from the raw memory state data. The monitoring server then controls at least one analysis measure using the decoded memory status data.

The invention therefore uses the monitoring server outside the motor vehicle to provide a mapping algorithm based on at least one symbol table in order to map the memory addresses received from the control unit as raw memory state data to a respective symbol and thus make the memory state data “readable” or interpretable or transferable to a source code of the application.

The invention has the advantage that a program code can be provided or operated in a control unit without symbols and thus has the small footprint described in terms of memory requirements, and yet the decoded memory status data with information on a respective symbol of the Memory address can be made available and thus the at least one analysis measure can be controlled.

The invention also includes developments or further developments that result in additional advantages.

Since the symbol-free program code in the control unit on the one hand and the symbol table in the monitoring server on the other hand must correspond or match one another, a further development provides for avoiding asynchronism or a source of error due to version differences. To this end, a development system, which can include one or more computers in a development laboratory, for example, generates a complete program code for the application from a source code for the application using a compiler and/or linker. "Complete program code" means the known version or embodiment of a program code with the said symbols. The complete program code is thus equipped with symbols In particular, a program code with a debug symbol table is meant. Using a so-called strip process, such as that which can be provided using the “strip” software, for example, the said symbol-free program code for the control unit is derived from this and also transmits this to the control unit. The development system, on the other hand, transmits the complete program code to the monitoring server. In addition or as an alternative to the transmission of the complete program code, the at least one symbol table read from the complete program code is transmitted to the monitoring server. In this way, the development system keeps the symbol-free program code in the control unit and the symbol table in the monitoring server version-synchronous, i.e. both can be traced back to the same source code. This avoids using an outdated or incorrect symbol table to generate the decoded memory state data. The complete program code is larger in the aforesaid manner or includes a larger amount of data than the symbol-free program code, which is why the said memory footprint of the symbol-free program code is smaller and thus advantageously requires or uses fewer memory resources in the control unit.

The memory state data is, in particular, runtime data such as may be present in a volatile memory or RAM (Random Access Memory) of the control device during operation of the application. In the memory state data according to a Development as memory addresses such collected from a memory image and / or a stack trace. A "stack trace" indicates which program functions of the application were currently called with which parameter values when the memory addresses were read out. Thus, the current operating state and the values of variables and function parameters can be read using the memory state data and an assignment to elements or sections in the source code can be made possible or carried out using the decoded memory state data.

A debug symbol table with debug symbols is particularly preferably used as the symbol table. This can be used to support or carry out troubleshooting in the event of a runtime error in the application. It can be a debug symbol table, such as would be removed from full program code by the "strip" software.

Accordingly, a further development provides that the at least one triggering event upon which the collection module determines or collects the raw memory state data accordingly includes the collection module receiving an error signal from the application. The application can thus signal to the collection module that there is a runtime error and/or an error in relation to parameters or variables. In addition or as an alternative to an error signal from the application, it is provided that the trigger signal receives an error signal from an operating system executing the application. Such an operating system can also advantageously generate an error signal when the application itself has “crashed”, ie the execution of the symbol-free program code has been stopped or interrupted due to an error. In addition or as an alternative to this, it can be provided as a triggering event that the collecting module receives an error signal from a watchdog function of the control device. Such a watchdog function expects a message or a signal from the application at predetermined times, which is an indication that the application is still running as intended or is running at all. A watchdog function can also run on a hardware basis, for example, independently of an operating system of the control unit. In the manner already described, the error signal describes an incorrect operating state of the application, for example a violation during a memory access and/or the utilization of a CPU of the control unit above a predetermined limit value, which can indicate, for example, a so-called endless loop and thus a programming error. An incorrect operating state can be, for example, that the symbol-free program code tries to access an invalid memory address, e.g. with a so-called null pointer.

However, the raw memory state data does not have to be generated exclusively in the presence of a faulty operating state of the application. Advantageous information about normal operation of the application can also be determined or described by means of the memory status data. A further development therefore provides that the at least one triggering event includes that a timer for a cyclic status report on the application expires. Such a status report is also referred to as a health report. It is thus possible to check from the monitoring server which memory addresses and thus which symbols and thus which sections in the source code an application uses or executes, which can then be used to determine, for example, which section in the program code and thus in the source code in relation to the runtime and/or or memory usage should be optimized. In this case, the motor vehicle can be analyzed or monitored in the manner described from outside by means of the monitoring server with regard to its resource allocation by the symbol-free program code.

Accordingly, a possible analysis measure according to a further development provides that the decoded memory status data with the symbols contained therein are output via a display system. An operator or developer can thus use this analysis measure to obtain an insight into the internal state of the motor vehicle, in particular the control unit. Another name for such a display of a display system is "dashboard".

A further development provides that the analysis measure, which is applied to the decoded memory state data or is controlled by it, comprises a filter which searches for a predetermined symbol in the decoded memory state data. In other words, the filter checks whether a predetermined symbol occurs in the currently generated decoded memory state data, i.e. for example a corresponding function and/or a corresponding memory element in the symbol-free program code on the control unit was active or was used or was accessed. If the filter finds the symbol being searched for, a message is sent to a predetermined recipient address. The recipient is thus automatically informed at the recipient address that a memory address to which the predetermined symbol belongs has been used or taken up or accessed in the control device. For example, the call of a specific function or the use of a specific memory content of a variable marked with the symbol can be automatically reported to the recipient address. In this way, for example, a developer can be informed that a specific function has been called up or used in the control device.

The invention does not have to be limited to the monitoring of a single application. Several applications can also be monitored in the control unit. In order to collect all monitored applications efficiently and with low memory requirements, a further development provides that the respective symbol-free program code of several applications is executed in the control unit, but only one collection module is provided, which determines the raw memory status data of each of these applications and transmits them to the monitoring server emits. The service or the functionality of collecting the raw memory status data from a number of applications is therefore concentrated in a single collecting module in the control unit.

The invention also includes a monitoring system for at least one application in at least one control unit. If there are several control units, they can be arranged in one motor vehicle or distributed among several motor vehicles. In other words, the monitoring system can monitor one or more motor vehicles with regard to the operating states of applications in the control units of motor vehicles. For this purpose, the monitoring server described is provided in the monitoring system, as well as a respective collecting module for the respective control unit, in order to collect the raw memory status data occurring in the respective control unit and to transmit them to the monitoring server. Accordingly, the monitoring system according to the invention is set up to carry out an embodiment of the method according to the invention. For this purpose, the collection module itself and control software or an operating program of the monitoring system can have corresponding program instructions which, when executed by the collection module or the monitoring server, cause the method steps to be carried out together according to the embodiment of the method according to the invention. For this purpose, the program instructions can be stored in a respective data memory of the control device (for the collection module) and of the monitoring server. The monitoring server may be based on one or more microprocessors, which may be coupled to the data storage of the monitoring server. The control device can also have one or more microprocessors, by which the at least one application (ie its symbol-free program code) can be executed and by which the collection module can also be operated or executed.

The invention also includes the combinations of features of the described embodiments.

• 1 eine schematische Darstellung einer Ausführungsform des erfindungsgemäßen Überwachungssystems; und
• 2 eine Skizze zur Veranschaulichung eines Mapping-Algorithmus, mittels welchem rohe Speicherzustandsdaten in decodierte Speicherzustandsdaten umgewandelt oder darauf abgebildet werden.

Implementation examples of the invention are described below. For this shows:

• 1 a schematic representation of an embodiment of the monitoring system according to the invention; and
• 2 a sketch to illustrate a mapping algorithm by means of which raw memory state data is converted into decoded memory state data or mapped onto it.

The exemplary embodiments explained below are preferred exemplary embodiments of the invention. In the exemplary embodiments, the described components each represent individual features of the invention to be considered independently of one another, which also develop the invention independently of one another and are therefore also to be regarded as part of the invention individually or in a combination other than that shown. Furthermore, the exemplary embodiments described can also be supplemented by further features of the invention already described.

Elements with the same function are each provided with the same reference symbols in the figures.

1 shows a monitoring system 10, by means of which at least one control unit 12 of the motor vehicle 11 can be monitored in relation to its operating state in at least one motor vehicle 11. The 1 shows that several motor vehicles 11 can also be monitored. In each motor vehicle 11, multiple control units 12 can also be monitored in the manner described below. Since the invention can also be applied to a single motor vehicle 11 and there to a single control unit 12, only this case is described below without restricting the general validity.

The control device 12 can represent an embedded system in the motor vehicle 11 . A respective application App1 to App(n) can be operated or executed in control unit 12 on a processor system or SoC (System on Chip). to provide at least one vehicle function in motor vehicle 11 . For example, an application can control a motor and/or a window opener and/or media playback (for example playing MP3 files), to name just a few. So that the applications take up little data memory in control unit 12, their respective program code is symbol-free, i.e. each of the applications is implemented in control unit 12 by a symbol-free program code 13 which has no symbol table for debug information, i.e. free of a such a symbol table is. This can be implemented in a manner known per se, for example by a so-called strip process or a strip program. For this purpose, the symbol-free program code 13 can have been generated, for example, in a laboratory or by a manufacturer in a development system 14 by compiling a respective source code 15 . Linking can also be provided in addition or as an alternative to compiling. In general, it can therefore be a build agent 16 that uses at least one compiler 17 and/or linker 18 to generate the respective symbol-free program code 13 from the source code 15, which then installs it in the control device 12, for example via a communication connection 19 may have been. The communication link 19 may have been provided in a wired manner when the motor vehicle 11 and/or when the control unit 12 was manufactured, for example, or via a radio link during a later installation, which may have been provided by means of mobile radio and/or WLAN (Wireless Local Area Network), for example. The debug symbol table, which belongs to the respective symbol-free program code 13, can be extracted by the build agent 16 by means of an extraction module 21, ie additional software. For this purpose, the complete result of the compiling and/or linking from the compiler 17 and/or linker 18 can be made available to the extraction module 21 as complete program code 20 . In other words, the complete program code 20 can include the symbol-free program code 13 plus the symbol table 22 . The symbol table 22 extracted from the complete program code 20 or also the complete program code 20 itself can be transmitted to a monitoring server 23 which can be operated as a cloud 24 for example on the Internet 25 . The symbol table 22 that has been read out can thus be made available in the monitoring server 23 for the same version of the complete program code 20 to which the symbol-free program code 13 also belongs or from which the symbol-free program code 13 was also generated.

In the control unit 12, memory status data 26 can be extracted from the applications App1...App(n) during its operation, for example while the motor vehicle 11 is being driven, as is possible, for example, by means of a so-called stack trace in a manner known per se. A memory image of the currently running or stopped symbol-free program code 13 can also be determined as memory state data 26 . These can be determined by a collection module 27 and transmitted to the monitoring server 23 via a communication link 28 . The communication connection 28 can be transmitted, for example, an Internet connection and/or a radio connection (mobile radio and/or WLAN as an example). A mapping algorithm 29 of the monitoring server 23 can expand or enrich the memory state data 26 by means of the symbol tables 22 to form decoded memory state data 30 by memory addresses specified in the memory state data 26 being assigned an associated symbol from the symbol table 22 or in the decoded memory state data 30 is written. This results in a memory image or a description of an operating state of the respective program code 13 in the decoded memory state data 30, which can be compared or correlated with the associated source code 15 using the symbols, so that it is known, for example, which function from the source code 15 is currently in the symbol-free Program code 13 was executed when the memory state data 26 was determined. At least one analysis measure 31 can then be controlled by means of the decoded memory state data 30, for example the decoded memory state data can be visualized for a developer, for example as a plot or graph. The development of the source code 15 can also be improved, for example, by using the decoded memory state data 30 to provide a readable representation of the symbol-free program code 13 or one that can be interpreted in relation to the source code 15 and thus the operating state of the motor vehicle 11, in particular its control unit 12, in relation on the source code 15 is made interpretable.

2 illustrates how the monitoring system 10 can be used to relate an operating state 32 of an application in the control unit 12 to the source code 15 from which the compiler 17 and/or linker 18 was used to generate the symbol-free program code 13 of the application.

In the manner described, the source code 15 can have functions main, fct1, fct2, for example, through which the respective vehicle function can be implemented. After compiling and/or linking using the build agent 16 can result in the complete program code 20, which on the one hand can have the binary code or machine code 33 in which, for example, assembler instructions 34 are described at predetermined memory addresses 35 relative to a reference address in a manner known per se are. In addition, the respective symbol for the associated function can be stored as debug information 36 in a symbol table 22 for the memory addresses.

Removing the symbol table 22 results in the symbol-free program code 13 which only has the machine instructions of the machine code 33 with the assignment or arrangement at the memory addresses 35 being retained. The symbol table 22 can be saved or preserved by the extractor 21 and sent to the monitoring server 23 (in 2 not shown) are transmitted. If the memory status data 26 of the executed symbol-free program code 13 is now determined during operation of the control device 12, then an image or a snapshot of the operating status 32 is thereby contained in the memory status data. For example, what is known as a call stack 37 of function calls can also be contained in the memory state data 26 . If these are then related to the symbol table 22 by means of the mapping algorithm 29, a memory address 35 specified in the memory state data can be supplemented by the respective symbol 38 of the address or function called. As an analysis measure 31, the decoded memory status data 30 generated in this way can have, for example, a translation of the call stack 37 into a symbolic call stack 39, which indicates the order in which the functions were called before an ERROR error occurred. In this way, it can be localized that this error occurred or was triggered in one of the functions, for example.

In a particularly preferred embodiment, the invention thus comprises three modules, one of which is in the development environment or build environment, one in the cloud and one on the embedded device. In a normal production system, the artifacts (executables, libraries, etc.) are created by the build environment. To reduce the size of the artifacts in the production system, the binaries are stripped of the debug information and deployed to the embedded hardware. These are called release builds.

The recording of stack traces on the device therefore only provides uninterpretable data. Therefore, a module is needed in the build agent that generates the debug information of a specific version of the application and stores it in the cloud. The information stored in the cloud includes a list of all debug symbols, the application name and the application version.

On the embedded device, the stackTrace collector module records the stack traces of all applications running on the embedded device. Periodically, the stack traces are sent to the cloud along with the application name and application version.

The mapping algorithm in the cloud uses the application name and version to get the correct debug information from the list and decodes the stack traces into interpretable data. This data is presented in a dashboard that can contain e.g. histograms and/or flamegraphs and/or plots that can be used for detailed CPU analysis of applications. It can be used by the application developers to optimize/monitor the performance of applications.

The examples show how an embedded device of a motor vehicle can be debugged from a monitoring server.

Reference List

10

surveillance system

11

motor vehicle

12

control unit

13

symbol-free program code

14

development system

15

Source code

16

build agent

17

compiler

18

leftist

20

complete program code

21

extraction module

22

symbol table

23

monitoring server

24

cloud

25

Internet

26

raw memory state data

27

collection module

28

communication link

29

mapping algorithm

30

decoded memory state data

31

analysis measure

32

operating condition

33

machine code

34

assembler commands

35

memory address

36

debug information

37

call stack

38

symbol

39

symbolic call stack

QUOTES INCLUDED IN DESCRIPTION

This list of documents cited by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent Literature Cited

• US9104805B1 [0004]
• US10521331B1 [0005]

Claims (10)

Method for monitoring an operating state (32) of an application that is operated in a control unit (12) of a motor vehicle (11), wherein a symbol-free program code (13) of the application in the control device (12) is provided free of a symbol table (22) and if a collection module (27) detects a predetermined triggering event in the control unit (12), the collection module (27) determines raw memory state data (26) describing the memory addresses (35) from the symbol-free program code of the application and sends it to a monitoring server (23) external to the vehicle sends out, and the monitoring server (23) receives the raw memory state data (26) and, by means of at least one symbol table (22) provided in the monitoring server (23), decodes it into memory state data (30), in which the memory addresses (35) contain a respective symbol (38), in particular a symbol (38) from a source code (15) of the application, assigned to it or replaced by it, converts it and uses the decoded memory status data (30) to control at least one predetermined analysis measure (31). procedure after claim 1 , wherein a development system (14) from the source code (15) of the application by means of a compiler and / or linker (18) generates a complete program code of the application, which contains the symbol table (22) or the several symbol tables (22), and from this by means a strip process generates the symbol-free program code and transfers this to the control unit (12) and transmits the complete program code and/or the at least one symbol table (22) read from the complete program code to the monitoring server (23) and thus the symbol-free program code in the control unit (12) and keeps the at least one symbol table (22) in the monitoring server (23) in sync with the version. Method according to one of the preceding claims, wherein those from a memory image and/or a stack trace are collected as memory addresses (35) in the memory status data (26). A method as claimed in any preceding claim, wherein the symbol table (22) contains debug symbols (38). Method according to one of the preceding claims, wherein the at least one triggering event comprises the collection module (27) receiving an error signal from the application and/or from an operating system executing the application and/or a watchdog function of the control unit (12), the Error signal indicates a faulty operating state (32) of the application. Method according to one of the preceding claims, wherein the at least one triggering event comprises that a timer for a cyclic status report to be provided via the application expires. Method according to one of the preceding claims, wherein the at least one analysis measure (31) comprises the decoded memory state data (30) being output via a display system. Method according to one of the preceding claims, wherein the at least one analysis measure (31) comprises a filter searching for a predetermined symbol (38) in the decoded memory state data (30) and, when the symbol (38) sought is found, sending a message to a predetermined recipient address sends. Method according to one of the preceding claims, wherein a respective symbol-free program code (13) of further applications is executed in the control unit (12) and the collection module (27) determines raw memory status data (26) of each of the applications and transmits it to the monitoring server (23). Monitoring system (10) for at least one application in at least one control unit (12) of at least one motor vehicle (11), having a monitoring server (23) and a respective collection module (27) for the respective control unit (12), the monitoring system (10) being is adapted to carry out a method according to any one of the preceding claims.

Images