Simulation-based testing remains the main approach for validating Autonomous Driving Systems. We propose a rigorous test method based on breaking down scenarios into simple ones, taking into account the fact that autopilots make decisions according to traffic rules whose application depends on local knowledge and context. This leads us to consider the autopilot as a dynamic system receiving three different types of vistas as input, each characterizing a specific driving operation and a corresponding control policy. The test method for the considered vista types generates test cases for critical configurations that place the vehicle under test in critical situations characterized by the transition from cautious behavior to progression in order to clear an obstacle. The test cases thus generated are realistic, i.e., they determine the initial conditions from which safe control policies are possible, based on knowledge of the vehicle's dynamic characteristics. Constraint analysis identifies the most critical test cases, whose success implies the validity of less critical ones. Test coverage can therefore be greatly simplified. Critical test cases reveal major defects in Apollo, Autoware, and the Carla and LGSVL autopilots. Defects include accidents, software failures, and traffic rule violations that would be difficult to detect by random simulation, as the test cases lead to situations characterized by finely-tuned parameters of the vehicles involved, such as their relative position and speed. Our results corroborate real-life observations and confirm that autonomous driving systems still have a long way to go before offering acceptable safety guarantees.

翻译：仿真测试仍是验证自动驾驶系统的主要方法。我们提出一种严格的测试方法，该方法基于将场景分解为简单场景，并考虑到自动驾驶系统依据交通规则进行决策，而规则的应用取决于局部认知和上下文环境。这引导我们将自动驾驶系统视为一个动态系统，其接收三种不同类型的视景作为输入，每种视景表征特定的驾驶操作及相应的控制策略。针对所考虑的视景类型，该测试方法为关键配置生成测试用例，这些配置将被测车辆置于以从谨慎行为过渡到前进以避开障碍物为特征的关键情境中。如此生成的测试用例是现实的，即它们基于对车辆动态特性的认知，确定了安全控制策略得以实现的初始条件。约束分析识别出最关键的测试用例，其成功意味着次关键用例的有效性。因此，测试覆盖范围可被极大简化。关键测试用例揭示了Apollo、Autoware以及Carla和LGSVL自动驾驶系统中的重大缺陷。这些缺陷包括事故、软件故障以及交通规则违反，这些缺陷通过随机仿真难以检测，因为测试用例导致的情境涉及所涉车辆的精细调谐参数，例如它们的相对位置和速度。我们的结果证实了现实观察，并确认自动驾驶系统在提供可接受的安全保证之前仍有很长的路要走。