POSIX OS & Execution Model - AUTOSAR Adaptive Platform

POSIX Process Model

Each Adaptive Application runs as an independent POSIX process with its own virtual address space. The Execution Manager (EM) launches each process via execve() using the parameters in the Application Manifest. Processes do not share BSS or data segments — spatial isolation is enforced by the MMU.

The ara::core::Initialize() call (required before any other ara:: API call) connects the process to the Execution Manager via an IPC channel, registers the process identity, and sets up the internal ara::com communication middleware. ara::core::Deinitialize() must be called before process exit to cleanly release all middleware resources.

C++main.cpp

#include <ara/core/initialization.h>
#include "my_service_skeleton.h"

int main() {
    // Mandatory: connect to EM and initialise all FCs
    if (auto res = ara::core::Initialize(); !res) {
        return EXIT_FAILURE;
    }

    // Offer the service via ara::com skeleton
    MyServiceSkeleton skeleton(
        ara::core::InstanceSpecifier{"MyApp/MyService/Instance0"});
    skeleton.OfferService();

    // Application event loop
    while (running) {
        skeleton.MyEvent.Send(ReadSensor());
        std::this_thread::sleep_for(std::chrono::milliseconds(10));
    }

    skeleton.StopOfferService();
    ara::core::Deinitialize();
    return EXIT_SUCCESS;
}

💡 Key Point

Unlike Classic where SchM_Act triggers a runnable, the Adaptive application owns its own thread management. You decide when to call Send(), GetNewSamples(), and when to block on a condition variable.

Scheduling Classes

Adaptive Applications run on the host OS scheduler. The scheduling policy and priority for each process are declared in the Application Manifest under schedulingPolicy.

Policy	Use Case	Manifest Value
`SCHED_FIFO`	Hard real-time, preemptive — used for 10 ms control loops	`FIFO`
`SCHED_RR`	Real-time with time-slicing among equal-priority threads	`RR`
`SCHED_OTHER`	Background, non-real-time tasks (logging, OTA)	`OTHER`

JSONapplication_manifest.json

{
  "startupConfig": {
    "schedulingPolicy": "FIFO",
    "schedulingPriority": 50,
    "resourceGroup": "adas_group"
  }
}

⚠️ Priority Inversion

If a high-priority application calls ara::com methods that internally acquire a mutex also held by a lower-priority process, priority inversion can cause latency spikes. Use SCHED_FIFO with care and ensure the middleware is configured to use priority-inheritance mutexes (PTHREAD_PRIO_INHERIT).

IPC Under ara::com

The ara::com API abstracts the transport entirely. Under the hood, on a single machine:

UNIX domain sockets are used for method calls (request/reply) and subscription management.
Shared memory is used for zero-copy event data transfer when both processes are on the same SoC — the SamplePtr points directly into a shared memory segment without copying.

For cross-ECU communication, the binding layer serialises to SOME/IP over UDP/TCP Ethernet or to DDS. The application code does not change — only the Service Instance Manifest binding changes.

IPC Path for Same-Machine Events

  Provider Process                   Consumer Process
  ┌─────────────────────┐            ┌─────────────────────┐
  │ skeleton.Event.Send │            │ proxy.Event.         │
  │   (SamplePtr)       │            │  GetNewSamples(cb)   │
  └────────┬────────────┘            └──────────┬──────────┘
           │ ara::com middleware                 │
           │ (shared memory segment)             │
           └──────── mmap'd region ─────────────┘
              Zero-copy: SamplePtr references
              the buffer directly

Resource Management

Linux cgroups constrain CPU and memory per process group. The resourceGroup field in the Application Manifest maps the process to a named cgroup defined in the Machine Manifest.

JSONmachine_manifest.json

{
  "resourceGroups": [
    {
      "shortName": "adas_group",
      "cpuShares": 1024,
      "memoryLimit": "2G"
    }
  ]
}

💡 systemd Integration

On Linux-based Adaptive platforms, EM typically generates a systemd .service unit per Adaptive Application. The WatchdogSec field maps to PHM's alive supervision timeout — if the process does not call sd_notify(WATCHDOG=1) within that window, systemd reports the failure to PHM.

Summary

The POSIX execution model gives Adaptive Applications full OS capability — multi-threading, dynamic memory, shared libraries — while Execution Management and PHM provide the lifecycle governance that safety-critical systems require. Spatial isolation via process boundaries replaces Classic's compile-time partitioning.

🔬 Deep Dive — Core Concepts Expanded

This section builds on the foundational concepts covered above with additional technical depth, edge cases, and configuration nuances that separate competent engineers from experts. When working on production ECU projects, the details covered here are the ones most commonly responsible for integration delays and late-phase defects.

Key principles to reinforce:

Configuration over coding: In AUTOSAR and automotive middleware environments, correctness is largely determined by ARXML configuration, not application code. A correctly implemented algorithm can produce wrong results due to a single misconfigured parameter.
Traceability as a first-class concern: Every configuration decision should be traceable to a requirement, safety goal, or architecture decision. Undocumented configuration choices are a common source of regression defects when ECUs are updated.
Cross-module dependencies: In tightly integrated automotive software stacks, changing one module's configuration often requires corresponding updates in dependent modules. Always perform a dependency impact analysis before submitting configuration changes.

🏭 How This Topic Appears in Production Projects

Project integration phase: The concepts covered in this lesson are most commonly encountered during ECU integration testing — when multiple software components from different teams are combined for the first time. Issues that were invisible in unit tests frequently surface at this stage.
Supplier/OEM interface: This is a topic that frequently appears in technical discussions between Tier-1 ECU suppliers and OEM system integrators. Engineers who can speak fluently about these details earn credibility and are often brought into critical design review meetings.
Automotive tool ecosystem: Vector CANoe/CANalyzer, dSPACE tools, and ETAS INCA are the standard tools used to validate and measure the correct behaviour of the systems described in this lesson. Familiarity with these tools alongside the conceptual knowledge dramatically accelerates debugging in real projects.

⚠️ Common Mistakes and How to Avoid Them

Assuming default configuration is correct: Automotive software tools ship with default configurations that are designed to compile and link, not to meet project-specific requirements. Every configuration parameter needs to be consciously set. 'It compiled' is not the same as 'it is correctly configured'.
Skipping documentation of configuration rationale: In a 3-year ECU project with team turnover, undocumented configuration choices become tribal knowledge that disappears when engineers leave. Document why a parameter is set to a specific value, not just what it is set to.
Testing only the happy path: Automotive ECUs must behave correctly under fault conditions, voltage variations, and communication errors. Always test the error handling paths as rigorously as the nominal operation. Many production escapes originate in untested error branches.
Version mismatches between teams: In a multi-team project, the BSW team, SWC team, and system integration team may use different versions of the same ARXML file. Version management of all ARXML files in a shared repository is mandatory, not optional.

📊 Industry Note

Engineers who master both the theoretical concepts and the practical toolchain skills covered in this course are among the most sought-after professionals in the automotive software industry. The combination of AUTOSAR standards knowledge, safety engineering understanding, and hands-on configuration experience commands premium salaries at OEMs and Tier-1 suppliers globally.