Toyota Unintended Acceleration and the Big Bowl of “Spaghetti” Code

25 May 2015 | Author: | No comments yet »

Last week, Toyota hastily settled an Unintended Acceleration lawsuit – hours after an Oklahoma jury determined the automaker acted with “reckless disregard,” and delivered a $3 million verdict to the plaintiffs – but before the jury could determine punitive damages.

What did the jury hear that constituted such a gross neglect of due care obligations? The testimony of two experts in software design and the design process gives some clues. After reviewing Toyota’s software engineering process and the source code for the 2005 Toyota Camry, both concluded that the system was defective and dangerous, riddled with bugs and gaps in its failsafes that led to the root cause of the crash.

Bookout and Schwarz v. Toyota emanated from a September 2007 UA event that caused a fatal crash. Bookout and her friend and passenger Schwarz were exiting Highway 69 in Oklahoma, when she lost throttle control of her 2005 Camry. When the service brakes would not stop her speeding sedan, she pulled the parking brake, leaving a skid mark from the right rear tire, and a 25-foot mark from the left. The Camry, however, continued speeding down the ramp and across the road at the bottom, crashing into an embankment. Schwarz died of her injuries; Bookout spent five months recovering from head and back injuries.

Graham Esdale, of Beasley Allen, who represented the plaintiffs, is the first to say that the Bookout verdict – in some measure – rested on those two black marks scoring the off-ramp.

“Toyota just couldn’t explain those away,” Esdale said. “The skid marks showed that she was braking.”

The jury was attentive, despite the technical discussion that dominated the testimony. After the jury learned that the case had been settled, jurors asked Judge Patricia Parrish if they could stay and discuss the case. A dozen jurors, Judge Parrish and the plaintiff’s lawyers discussed it. Esdale says that it was obvious from that conversation that the jury was poised to punish Toyota for its conduct and cover-up.

Skid marks notwithstanding, two of the software experts, Phillip Koopman and Michael Barr, provided insights into the myriad problems with Toyota’s software development process and its source code – bit flips, task deaths that would disable the failsafes, memory corruption, single-point failures, inadequate protections against stack and buffer overflow, single-fault containment regions, thousands of global variables. The list of deficiencies in process and product was lengthy.

Michael Barr, an embedded software specialist, spent more than 20 months reviewing Toyota’s source code at one of the cubicles in a hotel-sized room, watched by security guards, who ensured entrants brought no paper in or out and wore no belts or watches. Barr testified about the specifics of the source code, based on his report. Phillip Koopman, a Carnegie Mellon University professor in computer engineering and a safety critical embedded systems specialist, who authored the textbook Better Embedded System Software and performs private industry software design reviews – including in the automotive industry – testified about Toyota’s engineering safety process. Both used a programmer’s derisive term for what they saw: spaghetti code – badly written and badly structured source code.

Barr testified:

There are a number of functions that are overly complex. By the standard industry metrics some of them are untestable, meaning that it is so complicated a recipe that there is no way to develop a reliable test suite or test methodology to test all the possible things that can happen in it. Some of them are even so complex that they are what is called unmaintainable, which means that if you go in to fix a bug or to make a change, you’re likely to create a new bug in the process. Just because your car has the latest version of the firmware — that is what we call embedded software — doesn’t mean it is safer necessarily than the older one. … And that conclusion is that the failsafes are inadequate. The failsafes that they have contain defects or gaps. But on the whole, the safety architecture is a house of cards. It is possible for a large percentage of the failsafes to be disabled at the same time that the throttle control is lost.

Even a Toyota programmer described the engine control application as “spaghetti-like” in an October 2007 document Barr read into his testimony.

Koopman was highly critical of Toyota’s engineering process. The accepted, if voluntary, industry coding standards were first set by the Motor Industry Software Reliability Association (MISRA) in 1995. Accompanying these is an industry metric, which correlates broken rules with the introduction of a number of software bugs: for every 30 rule violations, you can expect on average three minor bugs and one major bug. Toyota made a mistake in declining to follow those standards, he said.

When NASA software engineers evaluated parts of Toyota’s source code during their NHTSA-contracted review in 2010, they checked 35 of the MISRA rules against the parts of the source code to which they had access and found 7,134 violations. Barr checked the source code against MISRA’s 2004 edition and found 81,514 violations.

Toyota substituted its own process, which had little overlap with the industry standard. Even so, Toyota’s programmers often broke their own rules. And they failed to keep adequate track of their departures from those rules – and the justification for doing so, which is standard practice. Koopman testified that if safety is not baked into the recipe in the process of creating the product, it cannot be added later.

“You have to exercise great care when you’re doing safety critical software. You can’t wing it. And Toyota exercised some care, but they did not reach the level of accepted practice in how you need to design safety critical systems,” he testified.

One of the biggest safety standards Toyota broke was allowing single point failures within its system. A single point failure refers to a piece of hardware or software that has complete control over whether a system is safe or not—such as a single-engine airplane. Koopman testified:

“If there is a single point of failure, by every safety standard I have ever seen, it is by definition unsafe, and no amount of countermeasures, no amount of other mechanisms will fix that. They reduce how often it happens, but it doesn’t completely fix it. Because we have millions of vehicles out there, it will find a way to fail that you didn’t think of, and it will fail.”

Other deviations from standard practice were the number of global variables in the system. (A variable is a location in memory that has a number in it. A global variable is one that any piece of software anywhere in the system can get to, to read that number or write it.) The academic standard is zero. Toyota had more than 10,000 global variables.

“And in practice, five, ten, okay. 10,000, no, we’re done. It is not safe, and I don’t need to see all 10,000 global variables to know that that is a problem,” Koopman testified.

Other important design process failures Barr and Koopman identified were an absence of peer code review and Toyota’s failure to check the source code of its second CPU, supplied by Denso —even as Toyota executives assured Congress and NHTSA that the cause of UA couldn’t be in the engine software.

Barr testified to some of the vehicle malfunctions caused by the death of tasks within the CPU, and concluded that Bookout’s UA was more likely than not caused by the death of a redacted-name task called Task X at trial. He dubbed it “the kitchen-sink” task, because it controlled a lot of the vehicle’s functions, including throttle control; the cruise control – turning it on, maintaining the speed and turning it off – and many of the failsafes on the main CPU.

He was critical of Toyota’s watchdog – software to detect the death of a task – design. He testified that Toyota’s watchdog supervisor “is incapable of detecting the death of a major task. That’s its whole job. It doesn’t do it. It’s not designed to do it.”


Toyota designed it to monitor CPU overload and, Barr testified: “it doesn’t even do that right. CPU overload is when there’s too much work in a burst, a short period of time, to do all the tasks. If that happens for too long, the car can become dangerous, because tasks not being able to use the CPU is like temporarily dead tasks.”
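As an added illustration (not Toyota's code and not from the trial record), here is a C sketch of a watchdog supervisor that tracks per-task heartbeats, so a task that has stopped running is detected instead of only measuring CPU load; the task names and periods are constructed for the example.

```c
/* Added example: a task-liveness supervisor. Each supervised task reports a
 * heartbeat from its own loop; the supervisor declares a task dead once it
 * has missed two consecutive periods, and the hardware watchdog is only
 * refreshed while every task is alive. Task set is constructed. */
#include <stdbool.h>
#include <stdint.h>

#define NUM_TASKS 3

typedef struct {
    const char *name;
    uint32_t period_ms;     /* how often the task must check in */
    uint32_t last_kick_ms;  /* time of the task's last heartbeat */
    bool alive;
} task_monitor_t;

/* Constructed task set; "task_x_throttle" stands in for a throttle/failsafe task. */
static task_monitor_t monitors[NUM_TASKS] = {
    { "task_x_throttle", 10, 0, true },
    { "task_3_cruise",   50, 0, true },
    { "task_7_diag",    100, 0, true },
};

/* Called by each task from its own loop body, never from a shared place. */
void task_heartbeat(int id, uint32_t now_ms) {
    monitors[id].last_kick_ms = now_ms;
}

/* Supervisor pass: returns the number of dead tasks. A task is dead when
 * its last heartbeat is older than two of its periods. */
int supervisor_check(uint32_t now_ms) {
    int dead = 0;
    for (int i = 0; i < NUM_TASKS; i++) {
        uint32_t overdue = now_ms - monitors[i].last_kick_ms;
        monitors[i].alive = overdue <= 2u * monitors[i].period_ms;
        if (!monitors[i].alive) dead++;
    }
    return dead;
}

/* Refresh the hardware watchdog only while all tasks are alive, so a dead
 * task leads to a reset rather than being silently tolerated. */
bool hardware_watchdog_may_be_kicked(uint32_t now_ms) {
    return supervisor_check(now_ms) == 0;
}

bool task_is_alive(int id) { return monitors[id].alive; }
```

A supervisor that only measures total CPU load cannot tell that one task has quietly stopped while the others keep the CPU busy.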

Barr also testified that Toyota’s software threw away error codes from the operating system, ignoring codes that identified a problem with a task. At trial Barr said:

And task death, although I focused a lot on task X because it does so much and it does throttle control and it does the failsafes, so it’s pretty important, but there is [redacted] tasks and they can die in different combinations. It could be task 3 and X, or task 3 and task 7 and X, or just task 9. And those can cause an unpredictable range of vehicle malfunctions. It turns out that unintended acceleration is just the most dangerous thing your car can do when it malfunctions.

Even if you were to dismiss their testimony as nothing but paid-for expert opinion, Koopman and Barr’s assessment of software errors as a possible UA cause goes a long way in explaining so much: how Toyota’s system could malfunction and leave no trace; why we are still seeing UAs in late model Toyota vehicles, and why Toyota can’t seem to fix it with floor mat and pedal recalls; how it could get away with hiding its knowledge of the root causes of UA events for so long.

Their descriptions of the incredible complexity of Toyota’s software also explain why NHTSA has reacted the way it has and why NASA never found a flaw it could link to a Toyota’s engine going to a wide open throttle, ignoring the driver’s commands to stop and not setting a diagnostic trouble code. For one, Barr said, the NASA engineers were time-limited, and did not have access to all of the code. They relied on Toyota’s representations – and in some cases, Toyota misled NASA. For example, NASA was under the false belief that Toyota had designed in hardware bit flip protections called Error Detection and Correction (EDAC). The Camry, for example, did not have EDAC, Barr testified, but in an email Toyota told NASA that it did. At trial he said:

NASA didn’t know that wasn’t there. It wasn’t there in the 2005 Camry. And so if the bit flip occurred, there would be no hardware mechanism to find it. And if it occurred in a value that was not mirrored, there would be no software protections against it. So the conclusion here is that there are critical variables in memory which could flip.
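To make the "mirrored value" software protection Barr refers to concrete, here is an added C example (not Toyota's code) of a critical variable stored twice, once as-is and once bit-inverted, so that a single flipped bit in either copy is caught on every read when no hardware EDAC exists; the type names and the fault-injection helper are constructed for the example.

```c
/* Added example: software mirroring of a critical variable in RAM that has
 * no hardware error detection. Names are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>

typedef struct {
    uint16_t value;
    uint16_t mirror;   /* always ~value while the pair is intact */
} mirrored_u16_t;

/* Every write updates both copies together. */
void mirrored_write(mirrored_u16_t *m, uint16_t v) {
    m->value = v;
    m->mirror = (uint16_t)~v;
}

/* Returns true and stores the value in *out only if both copies agree.
 * A mismatch means memory corruption; the caller must not use the value. */
bool mirrored_read(const mirrored_u16_t *m, uint16_t *out) {
    if ((uint16_t)(m->value ^ m->mirror) != 0xFFFFu) return false;
    *out = m->value;
    return true;
}

/* Fault injection for testing only: flip one bit in one of the two copies,
 * simulating the kind of bit flip EDAC hardware would otherwise detect. */
void inject_bit_flip(mirrored_u16_t *m, int bit, bool in_mirror) {
    if (in_mirror) m->mirror ^= (uint16_t)(1u << bit);
    else           m->value  ^= (uint16_t)(1u << bit);
}

/* Example policy: a throttle target is acted on only while its mirror is
 * intact; on corruption the safe default is a closed throttle (0). */
uint16_t safe_throttle_target(const mirrored_u16_t *m) {
    uint16_t v;
    return mirrored_read(m, &v) ? v : 0;
}
```

An unmirrored variable gives the code no way to notice the flip, which is the gap Barr describes for the 2005 Camry.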

Their testimony explains why it would be near impossible for NHTSA to ever pin an electronic defect on a problem buried in software. NHTSA didn’t even have any software engineers on ODI’s staff during the myriad Toyota UA investigations. They have no real expertise on the electronic systems that actually underpin all of the vehicle functions of today’s cars. It’s as if ODI engineers are investigating a laptop armed with an abacus, a chisel and a stone tablet. One begins to understand the agency’s doubling, tripling, quadrupling down on floor mats and old ladies as explanations for UA events.

But even if NHTSA did have this expertise, the software is so complex that ODI would never have the time or budget to assess an automaker’s source code. This is why we have been harping on the need for NHTSA to establish a functional safety regulation – under its own steam or by Congressional mandate.

We are posting preliminary drafts of Koopman’s testimony (part 1 and part 2) and Barr’s testimony, along with slides – long, but well worth a read for anyone interested in learning more about embedded systems in automobiles and how not to design them; where NHTSA went wrong; and the unbelievably shaky software at the heart of Toyota’s electronic architecture.

Typically, one associates a company’s desire to protect trade secrets with the protection of something valuable. That something, one presumes, is the technology itself — the secret recipe a company uses in its product. Rather than the automotive equivalent of a closely guarded formula, the testimony of Koopman and Barr shows that what Toyota really wanted to hide was its formula for disaster. Here are the contents of a September 2007 email among Toyota employees:

“‘In truth, technology such as failsafe is not part of the Toyota’s engineering DNA,’” Barr read in court. “And it continues, ‘But it is good that it is recognized as one of the strengths of Toyota and its system industry.’ And then I highlighted the portion that says, ‘going on as is would not be a good thing.’”

This entry was posted on Thursday, November 7th, 2013 at 4:34 pm. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.
