Toyota’s … firmware: Bad design and its consequences | EDN

3 Jun 2015 | No comments yet

On Thursday, October 24, an Oklahoma court ruled against Toyota in a case of unintended acceleration that led to the … of one of the occupants. Central to the trial was the Engine Control Module's (ECM) firmware.

Embedded software used to be low-level code we'd bang together in C or assembler. These days, even a relatively straightforward, albeit critical, task like throttle control is likely to use a sophisticated RTOS and thousands of lines of code.

With all this sophistication, standards and practices for design, coding, and testing become paramount – especially when the function involved is safety-critical. Failure is not an option. It is something to be contained and made benign.

So what happens when an automaker decides to wing it and play by its own rules? To disregard the rigorous standards, best practices, and checks and balances required of such software (and hardware) design? People are harmed, reputations are ruined, and billions are paid out. That's what happens. Here's the story of software that arguably never should have been.


For the bulk of this research, EDN consulted Michael Barr, CTO and co-founder of Barr Group, an embedded systems consulting firm. As a primary expert witness for the plaintiffs, Barr and his colleagues produced an in-depth analysis that illuminates a telling example of poor software design and development, and provides a cautionary tale to all involved in safety-critical development, whether for automotive, medical, aerospace, or anywhere else where failure is not acceptable. Barr is an experienced embedded developer, former professor, editor, and author.

Barr's ultimate conclusions were that:

- Toyota's electronic throttle control system (ETCS) source code is of unreasonable quality.
- Toyota's source code is defective and contains bugs, including bugs that can cause unintended acceleration (UA).
- Code-quality metrics predict the presence of additional bugs.
- Toyota's fail-safes are defective and inadequate (Barr referred to them as a "house of cards" safety architecture).
- Misbehaviors of Toyota's ETCS software are a cause of UA.

A damning summary, to say the least. Let's look at what led him to these conclusions:

Hardware
Although the investigation focused almost entirely on software, there is at least one HW factor: Toyota claimed the 2005 Camry's main CPU had error detecting and correcting (EDAC) RAM. It didn't. EDAC, or at least RAM with some form of error detection, is relatively easy insurance for safety-critical systems.

Other cases of throttle malfunction have been linked to tin whiskers in the pedal sensor. That does not seem to have been the cause here.


The Camry ECM board. U2 is a NEC (now Renesas) V850 microcontroller.

Software

The ECM software formed the core of the investigation. What follows is a summary of the key findings.

Mirroring (where key data is written to redundant variables) was not always done. This gains extra significance in light of …

Stack overflow. Toyota claimed only 41% of the allocated stack space was being used. Barr's investigation showed that 94% was closer to the truth. On top of that, stack-killing, rule-violating recursion was found in the code, and the CPU doesn't incorporate memory protection to guard against stack overflow.

Two key items were not mirrored: the RTOS's critical internal data structures and, most important of all, the final result of all this firmware's work, the TargetThrottleAngle global variable.

Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.

Toyota's ETCS used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant.

Unintentional RTOS task shutdown was heavily investigated as a potential source of the UA. As single bits in memory control each task, corruption due to HW or SW faults will suspend needed tasks or start unwanted ones. Vehicle tests confirmed that one particular … task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration.
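The unmirrored TargetThrottleAngle variable and the single task-control bits described above share one defensive remedy: keep a redundant, inverted copy and refuse to act on a value whose copies disagree. The C below is an added example, not code from the article or from Toyota; the struct, the function names and the SAFE_THROTTLE_ANGLE constant are hypothetical, and the bit flips are constructed to stand in for a hardware upset or a stray write.

```c
#include <stdbool.h>
#include <stdint.h>
#define SAFE_THROTTLE_ANGLE 0u  /* hypothetical fail-safe: closed throttle */

/* A critical variable kept as two copies, the primary and its bitwise
 * complement, written together and cross-checked on every read so a
 * single corrupted bit in either copy is caught before use. */
typedef struct {
    uint16_t value;   /* primary copy */
    uint16_t mirror;  /* invariant: mirror == (uint16_t)~value */
} mirrored_u16;

void mirrored_write(mirrored_u16 *m, uint16_t v)
{
    m->value  = v;
    m->mirror = (uint16_t)~v;
}

/* True and the stored value when the copies agree; otherwise false and
 * the fail-safe value, so a corrupted angle never reaches the actuator. */
bool mirrored_read(const mirrored_u16 *m, uint16_t *out)
{
    if ((uint16_t)(m->value ^ m->mirror) == 0xFFFFu) {
        *out = m->value;
        return true;
    }
    *out = SAFE_THROTTLE_ANGLE;
    return false;
}

/* Uncorrupted round trip: the value written is the value read back. */
bool demo_roundtrip(uint16_t angle)
{
    mirrored_u16 target;
    uint16_t got;
    mirrored_write(&target, angle);
    return mirrored_read(&target, &got) && got == angle;
}
/* Simulate a single-bit upset in either copy (constructed here; a HW fault
 * or a stray write from a stack overflow would do the same) and confirm
 * the check detects it and substitutes the fail-safe value. */
bool demo_detects_bit_flip(uint16_t angle, unsigned bit, bool in_mirror)
{
    mirrored_u16 target;
    uint16_t got;
    mirrored_write(&target, angle);
    if (in_mirror) target.mirror ^= (uint16_t)(1u << (bit & 15u));
    else           target.value  ^= (uint16_t)(1u << (bit & 15u));
    return !mirrored_read(&target, &got) && got == SAFE_THROTTLE_ANGLE;
}
```

The same pattern applied to the per-task control bits turns a silently suspended task into a detected fault the scheduler can act on.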

A litany of other faults were found in the code, including buffer overflow, unsafe casting, and race conditions between tasks.
