Toyota Unintended Acceleration and the Big Bowl of “Spaghetti” Code |

25 Май 2015 | Author: | No comments yet »
Toyota Fine-X

Toyota Unintended Acceleration and the Big of “Spaghetti” Code

Last Toyota hastily settled an Acceleration lawsuit – hours an Oklahoma jury determined the automaker acted with disregard,” and delivered a $3 million to the plaintiffs – but before the jury determine punitive damages.

did the jury hear that such a gross neglect of due care obligations? The testimony of two experts in software design and the process gives some clues. After reviewing software engineering process and the code for the 2005 Toyota both concluded that the was defective and dangerous, riddled bugs and gaps in its failsafes led to the root cause of the crash.

and Schwarz v. Toyota emanated a September 2007 UA event caused a fatal crash. Bookout and her friend and passenger Schwarz were exiting Highway 69 in Oklahoma, when she throttle control of her 2005 When the service brakes not stop her speeding sedan, she the parking brake, leaving a skid mark from rear tire, and a 25-foot mark from the left. The however, continued speeding the ramp and across the road at the crashing into an embankment. died of her injuries; Bookout five months recovering head and back injuries.

Graham Esdale, of Beasley who represented the plaintiffs is the first to say the Bookout verdict – in some – rested on those two black marks scoring the off-

“Toyota just couldn’t those away,” Esdale “The skid marks that she was braking.”

The jury was attentive, despite the technical that dominated the testimony. the jury learned that the had been settled, jurors Judge Patricia Parrish if could stay and discuss the A dozen jurors, Judge and the plaintiff’s lawyers discussed it. says that it was obvious that conversation that the was poised to punish Toyota for its and cover-up.

Skid marks notwithstanding, two of the software experts, Phillip and Michael Barr, provided insights into the myriad with Toyota’s software process and its source code – bit flips, task deaths would disable the failsafes, corruption, single-point failures, protections against stack and buffer overflow, single-fault regions, thousands of global The list of deficiencies in process and was lengthy.

Michael Barr, a embedded software specialist, more than 20 months Toyota’s source code at one of cubicles in a hotel-sized room, by security guards, who ensured entrants brought no paper in or and wore no belts or watches. testified about the specifics of source code, based on his report. Phillip Koopman, a Mellon University professor in engineering, a safety critical systems specialist, authored a Better Embedded System and performs private industry software design reviews – in the automotive industry – testified Toyota’s engineering safety Both used a programmer’s term for what they spaghetti code – badly and badly structured source

Barr testified:

There are a number of functions that are complex. By the standard industry some of them are untestable, that it is so complicated a recipe there is no way to develop a reliable suite or test methodology to all the possible things that can in it. Some of them are even so that they are what is unmaintainable, which means if you go in to fix a bug or to make a change, you’re to create a new bug in the process. Just your car has the latest version of the — that is what we call software — doesn’t mean it is necessarily than the older that conclusion is that the are inadequate. The failsafes that have contain defects or But on the whole, the safety architecture is a of cards. It is possible for a large of the failsafes to be disabled at the same that the throttle control is

Even a Toyota programmer the engine control application as in an October 2007 document read into his testimony.

was highly critical of Toyota’s engineering process. The accepted, voluntary, industry coding were first set by Motor Software Reliability Association in 1995. Accompanying these is an industry metric, which broken rules with the of a number of software bugs: For 30 rule violations, you can expect on three minor bugs and one bug. Toyota made a mistake in declining to follow standards, he said.

When software engineers evaluated of Toyota’s source code their NHTSA contracted in 2010, they checked 35 of the rules against the parts of the source to which they had and found 7,134 violations. checked the source code MISRA’s 2004 edition and 81,514 violations.

Toyota its own process, which had little with the industry standard. so, Toyota’s programmers often their own rules. And they to keep adequate track of departures from those – and the justification for doing so, which is standard practice. Koopman that if safety is not baked the recipe in the process of creating the it cannot be added later.

have to exercise great when you’re doing critical software. You can’t wing it. And Toyota exercised care, but they did not reach the of accepted practice in how you need to safety critical systems,” he

One of the biggest safety standards broke was allowing single failures within its system. point failure refers to a of hardware or software that has control over whether a is safe or not—such as a single-engine Koopman testified:

“If there is a single point of by every safety standard I ever seen, it is by definition and no amount of countermeasures, no amount of will fix that. They reduce how often it happens, but it completely fix it. Because we have of vehicles out there, it will a way to fail that you didn’t of, and it will fail.”

Other deviations from standard were the number of global in the system. (A variable is a location in that has a number in it. A global is any piece of software anywhere in the can get to that number and read it or it.) The academic standard is Toyota had more than global variables.

“And in five, ten, okay, 10,000, no, we’re done. It is not and I don’t need to see all 10,000 variables to know that is a problem,” Koopman testified.

important design process Barr and Koopman identified an absence of a peer code and Toyota’s failure to check the code of its second CPU, by Denso —even as executives Congress and NHTSA that the of UA couldn’t be in the engine software.

testified to some of the vehicle malfunctions caused by the … of within the CPU, and concluded Bookout’s UA was more likely not caused by the … of a redacted-name called Task X at trial. dubbed it “the kitchen-sink” because it controlled a lot of the vehicle’s including throttle control; the control – turning it on, maintain the and turning it off – and many of the failsafes on the CPU.

He was critical of Toyota watchdog – software to detect the … of a — design. He testified that watchdog supervisor “is incapable of detecting the … of a major That’s its whole job. It do it. It’s not designed to do it.”

Toyota Fine-X

Toyota designed it to monitor CPU and, Barr testified: “it even do that right. CPU is when there’s too much in a burst, a period of time to do all the If that happens for too long, the car can dangerous because tasks not to use the CPU is like temporarily tasks

Barr also testified Toyota’s software threw error codes from the system, ignoring codes a problem with a task. At Barr said:

And task although I focused a lot of task X because it does so much and it throttle control and it does it’s pretty important, but is [redacted] tasks and they can in different combinations. It could be 3 and task X, or task 3and 7 and task X, or just task 9. And can cause an unpredictable range of misbehaviors. It turns out that acceleration is just the most thing your car can do when it

Even if you were to dismiss conclusions as nothing but paid-for testimony, Koopman and Barr’s about software errors as a UA root cause go a long way in so much: how Toyota’s system fail and leave no trace; why we are seeing UAs in late model vehicles and why Toyota can’t to fix it with floor mat and pedal how it could get away with some of the root causes of UA for so long.

Their descriptions of the incredible of Toyota’s software also why NHTSA has reacted the way it has and why NASA found a flaw it could to a Toyota’s engine going to a open throttle, ignoring the commands to stop and not set a diagnostic code. For one, Barr the NASA engineers were limited, and did not have access to all of the code. They relied on representations – and in some cases, misled NASA. For example, was under the false belief Toyota had designed in hardware bit protections called Error and Correction Codes, (EDAC). The Camry for example did not have Barr testified, but in an email told NASA that it At trial he said:

NASA know that that there. It wasn’t there in the Camry. And so if the bit-flip occurred, would be no hardware mechanism to it. And if it occurred in a critical value was not mirrored, there would be no protections against it. So the conclusion is that there are critical in which bits could

Their testimony explains why it be near impossible for NHTSA to pin an electronic failure on a problem in software. NHTSA didn’t have any software engineers on staff during the myriad UA investigations. They have no expertise on the complexities that underpin all of the safety-critical vehicle of today’s cars. It’s as if ODI are investigating with an abacus, a and a stone tablet. One begins to the agency’s stubborn doubling, quadrupaling down on floor and old ladies as explanations for UA events.

But if NHTSA did have this the software piece is so complex ODI never have the time or to assess an automaker’s source This is why we keep harping on the for NHTSA to write a functional regulation – under its own steam or mandate.

We are posting preliminary drafts of (part 1 and part 2 ) and Barr’s testimony. along with slides – long, but well a read for anyone interested in more about embedded systems in automobiles and how not to design where NHTSA went and the unbelievably shaky software at the of Toyota’s electronic architecture.

one associates a company’s desire to trade secrets with the of something valuable. That one presumes, is the technology itself — the recipe a company uses in its product. Rather than the automotive equivalent of formula for the testimony of Koopman and Barr that Toyota really to hide was its formula for disaster. the contents of a September 2007 among Toyota employees:

truth technology such as is not part of the Toyota’s engineering DNA,’ ” Barr read in “And it continues, ‘But it good that it is recognized as one of the strengths of Toyota and its system industry.’ And then I highlighted the portion that says, on as is would not be a good thing.’”

entry was posted on Thursday, 7th, 2013 at 4:34 pm. You can any responses to this entry the RSS 2.0 feed. Both comments and are currently closed.

Toyota Fine-X
Toyota Fine-X


Смотрите также:
Tagged as:

Here you can write a commentary on the recording "Toyota Unintended Acceleration and the Big Bowl of “Spaghetti” Code |".

Sign in, to write a review.

Our partners
Follow us
Contact us
Our contacts

Born in the USSR


About this site

For all questions about advertising, please contact listed on the site.

Toyota cars catalog with specifications, pictures, ratings, reviews and discusssions about cars Toyota.