Testing the Implementation of Concurrent AUTOSAR Drivers Against Architecture Decisions

Concurrent software based on a shared-memory model is predominant in industrial applications that cannot afford to execute complex message-passing libraries. However, direct access to shared memory creates implicit dependencies between concurrently executing components. Therefore, the development and maintenance of such software is hard. In this paper, we argue the need to manage, at the architectural level, the implicitly high coupling between concurrent components that share memory. We suggest an approach that verifies architectural specifications against the implementation and finds potential mismatches. While static analysis approaches can be complete and verify all possible mismatches, they are often imprecise, leading to a large number of false warnings, especially in concurrent software. Instead, we built our approach, using dynamic analysis, on top of one of the most well-known algorithms for detecting data races, Eraser Lockset, and extended its model to support features required for the verification process. Since Lockset operates on the execution traces, test cases that produce these traces must ensure proper coverage. Therefore, we argue the need to use test cases conforming to the strict modified condi-tion/decision coverage criteria (MC/DC). Our version of Lockset takes advantage of the fact that possible shared memory locations are known in advance. We further improved its precision by considering atomic operations as a synchronization mechanism. The approach was evaluated on industrial AUTOSAR drivers that execute concurrently.