Toyota’s killer firmware: Bad design and its consequences | EDN

3 Июн 2015 | Author: | No comments yet »
Toyota Camry TS-01

Toyota’s killer firmware: Bad and its consequences

On Thursday October 24, an Oklahoma court ruled Toyota in a case of unintended that lead to the death of one the Central to the trial was the Engine Module’s (ECM) firmware.

software used to be low-level we’d bang together C or assembler. These days, a relatively straightforward, albeit task like throttle is likely to use a sophisticated RTOS and of thousands of lines of code.

all this sophistication, standards and for design, coding, and testing paramount – especially when the involved is safety-critical. Failure is not an It is something to be contained and benign.

So what happens when an decides to wing it and play by own rules? To disregard the rigorous best practices, and checks and required of such software hardware) design? People are reputations ruined, and billions of are paid out. That’s happens. Here’s the story of software that arguably should have been.

out this related

For the bulk of research, EDN consulted Michael CTO and co-founder of Barr Group. an systems consulting firm, week. As a primary expert for the plaintiffs, the in-depth analysis by Barr and his colleagues illuminates a example of software design and and provides a cautionary tale to all in safety-critical development, whether be for automotive, medical, aerospace, or else where failure is not Barr is an experienced developer, former professor, editor, and author .

Barr’s ultimate conclusions that:

Toyota’s electronic control system (ETCS) code is of unreasonable quality.

source code is defective and bugs, including bugs can cause unintended acceleration


Code-quality metrics predict of additional bugs.

Toyota’s safes are defective and inadequate to them as a “house of cards” architecture).

Misbehaviors of Toyota’s are a cause of UA.

A damning summary to say the Let’s look at what him to these conclusions:

Hardware

Although the investigation almost entirely on software, is at least one HW factor: Toyota the 2005 Camry’s main CPU had detecting and correcting (EDAC) It didn’t. EDAC, or at least RAM, is relatively easy and insurance for safety-critical systems.

cases of throttle malfunction been linked to tin whiskers in the pedal sensor. This not seem to have been the here.

Toyota Camry TS-01

The Camry ECM board. U2 is a NEC Renesas) V850 microcontroller.

The ECM software formed the core of the investigation. What follows is a of the key findings.

Mirroring (where key is written to redundant variables) was not done. This gains significance in light of …

Stack overflow. Toyota only 41% of the allocated stack was being used. Barr’s showed that 94% was closer to the On top of that, stack-killing, MISRA-C recursion was found in the code, and the CPU incorporate memory protection to against stack overflow.

Two key were not mirrored: The RTOS’ internal data structures; most important bytes of the final result of all this TargetThrottleAngle global variable.

Toyota had performed a stack Barr concluded the automaker had botched it. Toyota missed of the calls made via pointer, stack usage by library and functions (about 350 in total), and RTOS use during task They also failed to run-time stack monitoring.

Toyota’s ETCS used a of OSEK. which is an automotive RTOS API. For some though, the CPU vendor-supplied version was not compliant.

Unintentional RTOS shutdown was heavily investigated as a source of the UA. As single bits in control each task, due to HW or SW faults will suspend tasks or start unwanted Vehicle tests confirmed one particular dead task result in loss of throttle and that the driver might to fully remove their from the brake during an acceleration event before able to end the unwanted acceleration.

A of other faults were in the code, including buffer unsafe casting, and race between tasks.

Toyota Camry TS-01
Toyota Camry TS-01
Toyota Camry TS-01

Interesting Articles

Tagged as:

Here you can write a commentary on the recording "Toyota’s killer firmware: Bad design and its consequences | EDN".

Sign in, to write a review.

Twitter-news
Our partners
Follow us
Contact us
Our contacts

dima911@gmail.com

Born in the USSR

423360519

About this site

For all questions about advertising, please contact listed on the site.


Toyota cars catalog with specifications, pictures, ratings, reviews and discusssions about cars Toyota.