LTA: Control-Driven UAV Testing and Bug Localization with Flight Record Decomposition

As UAVs have been widely used in various domains, such as the military and industry, their safety and security have become crucial. One of their root causes is software bugs, which fall into two bug categories: traditional software bugs, such as memory safety bugs, and UAV-specific logical model-misimplementation (LMM) bugs leading to physical misbehavior, such as crashes. To discover and localize bugs, many proactive and reactive techniques have been proposed. However, LMM bug mitigation techniques are still immature, unlike well-established techniques for traditional software bugs, because existing approaches are unable to track the causal relationship between the LMM bug root cause in software and its resulting physical misbehavior. Specifically, existing proactive approaches require extensive, time-consuming dynamic testing to capture the physical impacts of LMM bug exploitation amidst a vast input space. Conversely, previous reactive approaches are inaccurate because existing work cannot accurately identify the causal relationship between misbehavior and bug-triggering inputs mixed with benign but suspicious inputs.To address the aforementioned problems, we propose LTA, the replay-based proactive LMM bug localization technique for UAVs. This technique encompasses three key strategies: (i) an accident playback-based input generation to narrow down bug-triggering input candidates, (ii) an input and trace decomposition to exclude false-positive bug-triggering inputs, and (iii) a causal analysis to precisely backtrack from bug-triggering inputs to their root causes. We evaluate LTA on PX4 with three models for quadcopters, hexacopters, and VTOL UAVs. As a result, LTA found 72 real accident cases (caused by LMM bugs) obtained from public accident logs and then localized bugs with 100% accuracy.