Toyota's Killer Firmware
New submitter Smerta writes "On Thursday, a jury verdict found Toyota's ECU firmware defective, holding it responsible for a crash in which a passenger was killed and the driver injured. What's significant about this is that it's the first time a jury heard about software defects uncovered by a plaintiff's expert witnesses. A summary of the defects discussed at trial is interesting reading, as well as the transcript of court testimony. 'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.' Anyone wonder what the impact will be on self-driving cars?"
I'm convinced. I'll give up my career as a computer programmer now, and go use my bare hands for subsistence farming now. Sorry, I was wrong.
Those working on self-driving cars and those that are watching the technology already know that any such car would need an absolutely 100% rock solid OS.
This changes nothing.
Anyone wonder what the impact will be on self-driving cars?
Google claims their cars are safer than most human drivers.
Would you trust Google on that? You cannot possibly code for every driving scenario, even with collision avoidance systems. Remember, just because YOU didn't drive into someone doesn't omit you from being at fault in every scenario.
The owner of a self-driving car will have had to accept the EULA and agree not to hold the manufacturer liable for software defects. (half joking but I wouldn't rule it out)
Idea:
The ideals of The Toyota Way, as embodied in the corporate religion of Lean, may have contributed to overlooking some aspects of software engineering best practices.
Discuss.
THL phish sticks
Sure, they will be more safe. Just like in the aviation industry, where each incident/crash is investigated meticulously, and flying has become safer ever since 1903. With non-self-driving cars 99% of the incidents were caused by human error. Now no more, so we can fix it!
2nd link, 5th paragraph:
Anyone wonder what the impact will be on self-driving cars?
A longer chapter on debugging in the first edition of "Programming Self-Driving Cars: The Missing Manual."
Brought to you by Carl's Junior.
> "and missed RTOS use during task switching"
IRQs will piggyback atop the main stack. Since control does not devolve back to that thread until the IRQ finishes, this is perfectly fine. However you have to consider IRQ's worst-case use atop your thread's worst-case.
We don't use an OS so OS stack use isn't an issue. Obscured recursion as chains of functions call each other in hidden ways is something to consider.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
If there's no human fallback or ability to overthrow the computer's control of the car I'll never drive it. I don't think this will change anything except maybe give the people that are rushing for self-driving cars some pause. Every developer knows the risks of self-driving computer controlled cars (if they don't, well they're naive). Between human error in programming and human maliciousness, there are two camps. People who think they can overcome the possibilities of putting a semicolon in the wrong place and prevent hackers from compromising the software's integrity. And people who realize the first people are fooling themselves.
Like, literally. Don't flash those custom firmwares onto your cars, kiddies. Unless you want to be on the BLEEDING EDGE.
Still happy that my car (not a Toyota) has a stick and thus a mechanical clutch pedal :)
On the other hand, don't automatic gearboxes have a neutral setting? Wouldn't moving into this be roughly the same as depressing the clutch on a manual gearbox? Of course, the reaction times are longer (since you have to do something unusual when driving an automatic, i.e. touching the shifter while in motion), but for the cases you hear of where they managed to call 911 while fighting to control the vehicle...
That someone hold programmers liable....
If it can cost you big bucks, you test it more.
'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.'
Huh? I'm a software engineer and don't understand the relevance of this statement, how can a jury? How does it confirm that there was a defect?
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Remember when Toyota and DOT concluded the problem was driver error and improperly fitted floor mats?
Good; hold the hacks accountable. This is a great first step. Hold the companies deploying this crap accountable. The next step is to go after the hack developers who write this trash.
The lamest, hackiest, most shameful industry known to mankind where the product is nearly guaranteed to be defective is yep, you guessed it: software development.
So, the brakes cannot override the engine power, since when? The ignition key would be rendered inoperable? The emergency brake would not work? The transmission would lock in gear? No effing way.
"Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching." If they wrote that firmware using C# or Java instead of C and ASM, those people wouldn't have been harmed. Quit bitching about RAM and CPU usage, put a real computer in the thing, with a real stress-tested and proven kernel like Linux, and use a modern programming language. 512MB of RAM and 500MHz isn't worth people's lives.
So you are driving a really *old* car eh? No?
Or perhaps you have rigged up a "master reset" line for each and every controller in your car? ABS, ECU, PCU, Air Bag controller, Security AND entertainment systems? No?
Then I'm throwing the BS flag or you don't understand what you are saying (or both.)
"If there's no human fall back or ability to overthrow the computer's control of the car I'll never drive it."
by definition you wouldn't be driving it.
The Kruger Dunning explains most post on
Half of the cars I've had didn't come with ABS, ECU, airbag, security. They all did come with car radio/cassette player.
- Raynet --> .
Car makers can and have been sued for defective mechanical designs many times. Now they're getting sued for defective and dangerous software and computer hardware designs. I don't think there's much of a difference between the two when it comes down to it. You were either negligent or not, and whether it's software, hardware, or mechanical stuff doesn't really matter.
Good lord, they have got to be kidding? If Toyota (or their parts suppliers) are making those kinds of errors, you can bet your ass that other manufacturers will be making them as well.
There need to be very strict set standards for car control systems. We have standards for OBD, so why not strict, over-engineered and thoroughly coded critical systems standards? Even better, why not make them open standards, including the hardware?
Standardising would make parts cheaper as well as stopping manufacturers from building closed black box units that may be of dubious quality. It would also make it easier to maintain and repair modern cars as they get older, and allow third parties to provide new hardware long after the manufacturer loses interest.
As an aside, I do wonder what we're going to do in ten years time when the failure rate for most of the control hardware starts creeping up. Would they fail safely? Would the repair cost be prohibitive?
It would be a sad irony if these environmentally conscious efficiency improving measures resulted in cars being scrapped en masse because the ECU that superseded a $10 throttle cable costs a grand.
I'm unsure how your attempt to paint me as a hypocrite would ever be successful. Economic pressures essentially force me to buy new cars that have computerized control systems. For instance I don't pay as much for car insurance because the newer cars are (in general) deemed safer. That's not to say I don't try to cut back on certain features where possible. Such as not getting the remote keyless entry and ignition systems installed on my car. If you read the second linked article you'll notice mentions of interrupts that can be done by the human to prevent improper function or restore proper function of the vehicle. In this case (Toyota), the human interrupts were sent to single points of failure or were inadequate to prevent catastrophe.
Intellectual Innovations is busily patenting CAPTCHAs on highways.
Lol, you're right. I guess drive should change to ride.
All personal cars will have self-drive fallback, but there will be roads that won't allow you to self-drive on them. Eventually you will only be able to self-drive on a track or in emergencies (which are logged).
Good-bye
I wonder when the first lawsuit will be filed on behalf of someone who died while trying to buy medical insurance on the government web site. Will this set the precedent that the government is responsible for bugs in the government web site?
Certainly I'd want an autopilot toggle switch - principally so I could drive it for pleasure or in unexpected / offroad ways. As far as safety is concerned I suspect that the headlines where "human disables malfunctioning/compromised autopilot, saves life" would be dwarfed by those where "human confused by crash avoidance strategy disables autopilot and causes horrible crash"
As for security, it's not *that* hard. Just disable all wireless communication for starters. Once someone has physical access to the car all bets are off anyway, people were cutting brake lines long before anyone ever heard of a buffer overflow attack.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The only thing you've mentioned that controls the car is the ABS (and traction control). With the absence of a drive-by wire system, there is a physical link to the throttle the ECU can't override. All it can do is control the idle valve, which has physical limits as to how much air can pass.
Electric power steering may pose a problem, but that's only recently coming in to new cars.
Also old school cruise control that has an actuator that moves the gas pedal.
On a societal level that makes sense. If a software bug crashes your car and you're paralyzed, it's little comfort to be told you might have crashed yourself.
If you're a good driver, a firmware bug that crashes your car is a BIG problem. The fact that other people avoided accidents because the software is better than a human isn't exactly relevant.
On the other hand, don't automatic gearboxes have a neutral setting? Wouldn't moving into this be roughly the same as depressing the clutch on a manual gearbox?
For years, some cars have not had mechanical linkages to the automatic transmission; the shifter is just a human interface that plugs into a wire. This started in the luxury market and has wound its way down. Interfaces include joysticks resembling shifters, rotary dials, and push buttons.
The slide has been away from direct mechanical control of various car components for a while. It started with throttles, then it went to brakes (yep...) and now even some steering systems are going to steer-by-wire. Same for push-button ignition control systems. It's pretty horrifying.
Still, plenty of "runaway" cases have involved vehicles with mechanical ignition keys, mechanical transmissions, and mechanical throttles. People are just stupid, uneducated (they think that if they shift out of Drive the car will explode, ditto for shutting off the ignition...poor braking technique, like trying to "ride" the brakes to reduce speed, instead of braking HARD to STOP the car immediately) or get caught speeding and try to use it as an excuse to get out of it.
Please help metamoderate.
I would rather have drive by wire in my car.
I can agree with you for the most part. But I don't think there's a trend there that would cut wireless. Just look at OnStar and its ability to cut off your engine. The trend in technology right now seems to be, make everything wireless and connected. From TVs to fridges, I don't quite expect cars to be any different. In fact, wasn't it a few years back that Ford (or some other make) was offering cars that had the ability to be mobile hot spots?
... well NOW you know why (not only) the automotive industry tries to encrypt, lock and proprietarize anything...
"If it can't shoot down 100% of missiles, then it is useless". So don't build it.
In real life, Israelis discovered that 90% effectiveness is a game-changer. Their "Iron Dome" anti-missile defense is that accurate. People don't run to the bomb shelters every siren now. Nor do the enemies attack that often, knowing most will be wasted. At some degree of accuracy people accept "good enough".
Then they were too new. I had a car that pre-dated tape decks (it had an optional 8-track player, but my car was not so equipped).
Learn to love Alaska
I'd be happy with a car OS that kills less than 30,000 people per year.
If a car manufacturing defect kills anybody at all, then there should be manufacturer's liability for it.
They don't get a free pass just because of the kind of manufacturing defect, there's no privilege against liability just because it's a software defect.
-wb-
"..over 11,000 global variables.." Should this make for the biggest dailywtf?? In an ECU????
There was a time after automated elevators first came out when people refused to use them because they didn't trust them without a "human fall back or ability to overthrow the computer's control". Today, when nearly all the elevators we've ever seen were automated, this seems crazy.
In 50 years, when most people have never seen a manually operated car, we'll seem just as crazy for not trusting them.
Anyone wonder what the impact will be on self-driving cars?
In soviet Russia, self-driving cars impact you!
I'm feeling really positive about Google robotic cars driving themselves ...
Positive they'll be sued when they kill people, that is.
Especially kids. People don't care what your excuse is for that.
-- Tigger warning: This post may contain tiggers! --
Those working on self-driving cars and those that are watching the technology already know that any such car would need an absolutely 100% rock solid OS.
This changes nothing.
I think you meant "none before I hack the OS".
Ooh, wonder what happens if I send these signals all at the same time when it's not expecting it?
Crash ... Tinkle
Cool.
-- Tigger warning: This post may contain tiggers! --
Oh certainly, there's lots of reasons to have all sorts of things wireless, and I fully expect all the fancy media systems, etc to go that route. I just don't think the autopilot will be so, any more than the engine control module is today. A wireless kill switch is one thing, but that doesn't need to be connected to the autopilot, just its power line. And so long as the producers aren't shielded from liability for faulty security I would expect them to take a heavily safe route.
That's not to say that I would be surprised by a networked navigation computer/robotic chauffeur/etc. I just don't think there is any reason to integrate it into the autopilot. There's no reason it couldn't just relay navcomp style "turn left in 1/4 mile" type instructions over a simple high-security text mode serial link with an extremely limited vocabulary. So long as the autopilot itself is heavily defended against intrusion the worst that's likely to happen is that a distracted passenger gets driven to a dangerous destination (the observant passenger would presumably flip the override switch)
Actually, for nefarious purposes the ideal autopilot hack would likely be to simply swerve suddenly into oncoming traffic, preferably into a cement truck or something, in which case it will all be over before a human could even reach the override switch - so perhaps an override delay would be advisable to prevent a panicked rider from screwing up the collision avoidance while still giving them time to take over for any less immediate threats. Maybe a two-stage switch - flip off the autopilot, then 20 seconds later press the button on the wheel to confirm that you really mean it and are in control - just to avoid the scenario where a panicked person tries to take control, gets stunned/unnerved/disoriented by the extreme recovery maneuverings, and proceeds to drive themselves off a cliff.
In fact we probably want multiple autopilot settings - On and Off of course, but also "panic mode" where the autopilot takes over when a collision is imminent but still avoidable - great for when the kids are learning to drive, or you decide to go for a drive after you've had a few. And maybe something like a co-piloted "driving instructor mode" as well.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
You don't trust the engineer, but you trust the 16 year old girl trying to apply makeup and text her boyfriend while driving on the highway?
That's a bogus strawman argument: that hypothetical 16 year old girl is required to have an older adult in the co-pilot seat specifically because we have already agreed that we don't trust her judgement.
I had a car that didn't have a tape deck and only five buttons for the radio. ...
And we LIKED it.
-- Tigger warning: This post may contain tiggers! --
What if we let automakers avoid liability by publishing complete design specs and code for their cars. Not just for the computerized parts but for every part. Insurance companies and consumer watchdogs could then analyse and rate them for safety, durability and any other criteria, helping consumers make informed purchasing decisions.
Allowing software developed by unknown third parties to operate undocumented hardware on public roads with only limited testing is just nuts. We have a right to inspect those designs ourselves, or delegate the job to trusted experts of our own choosing.
I'm guessing you haven't been deep into the wiring and electronic control systems of most modern cars yourself.
Brakes are also computer controlled, taking input from the wheel sensors, engine computer, ABS computer and possibly even differential controllers and a vehicle stability system or yaw control computer. So when you hit the brakes, there are a number of computers that decide that you really don't need 100% of the car's braking capacity to control the car in any given situation. They may even decide you're just a bit out of control instead of trying to stop.
I'm not saying that the ergonomic problems are not real. I'm saying there is definitely more going on than can be accounted for by ergonomic problems (in one specific car model) alone.
I thought there were standards for C in automotive and aerospace applications which disallowed the use of pointer arithmetic.
I don't see why updates for the navigation, entertainment (or anything that's not on the powertrain for that matter) should have anything to do with the ECU...
For the same reason that on many GM cars the radio was integrated into the airbag system: to save money on parts cost (or, if you're cynical, to lock you to paying the manufacturer for high-margin entertainment options if you wanted your car's basic safety functions to work).
Did you set the presets by pulling the buttons out, then pushing them back in?
Learn to love Alaska
Elevators use a mechanical safety device that was invented by Elisha Otis in 1854. Prior to that elevators were rightly considered death traps. Take out that mechanical safety device and I wouldn't trust them either.
What if the ECM were implemented as a finite state machine? Wouldn't such programming defects be avoided or much easier to detect? Implement all the low-level stuff as small fast functions and call them from a FSM implemented in software.
It's going to mean that building the control platform for these things is going to have to have MUCH stricter tolerances, and be gone over much more rigorously. And there's going to have to be comprehensive testing of the subsystems, both individually and as a whole.
People's lives are at stake here, and the automakers would do well to be properly paranoid about it.
Look back at Grimshaw v. Ford Motor Co.
Now think of this as "Ford Pinto II".
Chas - The one, the only.
THANK GOD!!!
>> "Anyone wonder what the impact will be on self-driving cars?"
No but as a car enthusiast who enjoys driving I'm praying it will kill the idea stone dead. I can foresee the day when after self-driving cars actually work, it will quickly become illegal for humans to drive at all.
I guarantee you not one single person on that jury knew the first thing about computing, software, firmware, electronics, or anything else having to do with the firmware in the Toyota.
A jury of incompetent people found firmware to be defective, and so it is, regardless of the actual facts.
This is why the American justice system is broken. Juries are comprised of off-the-street idiots and not people skilled in the analysis of the evidence at hand.
I did not see anything in the article that proved the driver was not at fault. If the firmware was truly at fault, there should be many, verifiable episodes of sudden acceleration. That the driver did not have the situational awareness and common sense to gain control of the vehicle (whether from operator error or software issues) suggests operator error was the probable cause.
You can tear ANY system apart and discover flaws; software is not perfect. A verdict like this simply means a low bar for plaintiffs to get an easy payday.
-- Posted from my parent's basement
Valves stick, actuators fail.
The Kruger Dunning explains most post on
... the GP was concerned about overriding software control.
Brake lines also burst, tires fail, wheels fall off, humans spontaneously combust...
I've been reading the transcript. It's fantastic. The expert explains clearly and lucidly in terms that (I imagine are) understandable by non-techies.
The transcriber made some funny mistakes... Let me tell you about "parody bits" and "pointer D references" :)
"Anyone wonder what the impact will be on self-driving cars?"
Ok, I'll play.
How about well written and documented code?
I'll stop there.
I'm curious just how many cases like this (tremendous harm generated by software not properly developed because of unreasonable management timelines, hiring, etc) will be necessary before some pressure is put on organizations to actually do a good job with their code. It's not like good code is impossible to write. It just takes time and expensive programmers. Companies (and the govt) keep trying to skimp on both, and the result causes untold damages. Knight Capital, the Obamacare site, Toyota.... I would bet any amount of money anyone should care to put forward that the technical people at the company were screaming their heads off about the code not being ready or done correctly, but management decided to push it out or accept it (in the case of contracting) anyway.
Elevators have a mechanical safety that you as a passenger have no control over, so it doesn't address neoritter's demand for a human fall back. And that mechanical safety only protects you from a cable failure. It does nothing to protect you from out of control elevator computers bouncing you up and down the shaft.
See, software engineers are not real engineers.
No liability, no responsibility...there is some id10t who quoted on another software defect saying "who cares, it's not the tacoma narrows bridge..."..typical attitude of software "engineers", just fix it in the next service pack, and go work on your little easter eggs.
I can just imagine..we'll name the next release after the next of kin, and give them a free software upgrade.
Software sold "WITHOUT WARRANTY" or "FITNESS FOR A PARTICULAR PURPOSE", and "CONTAINING KNOWN DEFECTS" , controlling my car? Driving my car? No thanks!
it doesn't address neoritter's demand for a human fall back
My point was that a simple and extremely reliable mechanism prevents the most likely cause of injury or death. It doesn't rely on software (neoritter's fear) or even a power source.
It does nothing to protect you from out of control elevator computers bouncing you up and down the shaft.
No, but the big red stop button does. It bypasses computer control. It's long been common, and very good, design practice to put in some sort of very simple and reliable override in case the more complex control machinery (not even necessarily a computer) fails.
This "killer" firmware must have a subroutine that detects the age of the driver and then invokes the bug. The Toyota sudden acceleration "problem" is yet another media/lawyer driven hoax. Toyota recalled only due to political pressure during the mass hysteria.
And such a device could easily be put on a car.
My point is that neoritter's fear of computer controlled cars is more an instinctive reaction to their novelty rather than a rational assessment of their dangers. He doesn't trust cars not controlled by humans because, based on his past experience, cars are supposed to have human operators. He has no problem with elevators no longer having human operators because, based on his past experience, elevators are supposed to be fully automated.
Engineers can't write code. Simple as that.
Leave it to the professionals you morons. For some reason every hardware engineer thinks they can be a programmer. I have spent decades cleaning up their shit.
And such a device could easily be put on a car.
Which device, a big red stop button? That's only true for stopping the engine. It wouldn't work for steering or brakes, as would be needed in a self-driving car.
It's also presumptuous to assume his fear is irrational. He stated his reasons (and he sounds like a programmer, so he's not just talking about a bogey man he doesn't understand). If you disagree with him it doesn't necessarily mean his fear is irrational.
Been in an elevator much? They still have 'Stop' buttons - quite literally big red buttons. Only the latest buttonless (internal to the car) elevators don't have this (and even then it's available in an access panel inside the car).
There was a time after automated elevators first came out when people refused to use them because they didn't trust them without a "human fall back or ability to overthrow the computer's control". Today, when nearly all the elevators we've ever seen were automated, this seems crazy.
In 50 years, when most people have never seen a manually operated car, we'll seem just as crazy for not trusting them.
http://gizmodo.com/380525/guy-trapped-in-elevator-41-hour-ordeal-caught-on-tape
The guy was stuck for 41 hours. It was one of those express elevators, between floors, and no one noticed.
My point wasn't that elevators are completely safe (indeed, several dozen people in the US die every year in elevator accidents). My point is that it never occurs to us that they shouldn't be trusted without a human operator.
So you're telling me that a random selection of people are qualified to pass judgement on this? What a flawed system, a qualified government regulator should be investigating this through science, not the judicial system. Only in America.
Point to a world where consumers hold liability and responsibility for their car, their ECU and their braking behavior even though unintended acceleration is at fault.
http://www.carscoops.com/2013/10/toyota-wins-bellwether-case-on.html
I had a car that didn't have a tape deck and only five buttons for the radio. ...
Ah, but did it have tubes? And a single speaker in the middle of the dash? Was it covered with real chrome?
My car for which you could say yes for all of that also had a transmission with five buttons. Wicked cool for smoke starts.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Every person knows the risks of human drivers; if they don't, well they are naive. Between human error, human inattention and human maliciousness, there are two camps: people who think they are the greatest driver to bless the earth and can deal with any situation in the blink of an eye, even if it's caused by some malicious human idiot; and people who realize few people are as special as the first people think they are.
Rocket Surgeon.
Couple of details here:
Toyota had no software testing procedures, no peer review, etc. The secondary backup CPU code was provided by a third party in compiled form, Toyota never examined it.
Their coding standards were ad hoc and they failed to follow them. Simple static analysis tools found massive numbers of errors.
They used over ten thousand global variables, with numerous confirmed race conditions, nested locks, etc.
Their watchdog merely checked that the system was running and did not respond to task failures or CPU overload conditions so would not bother to reset the ECU, even if most of the tasks crashed. Since this is the basic function of a watchdog, they may as well not have had one.
They claimed to be using ECC memory but did not, so anything from single bit errors to whole page corruption were undetected and uncorrected.
A bunch of logic was jammed in one spaghetti task that was both responsible for calculating the throttle position, running various failsafes, and recording diagnostic error codes. Any failure of this task was undetected by the watchdog and disabled most of the failsafes. Due to no ECC and the stack issue below, a single bit error would turn off the runnable flag for this task and cause it to stop being scheduled for CPU time. No error codes would be recorded.
They did not do any logging (e.g. of OS task scheduler state, number of ECU resets, etc), not even in the event of a crash or ECU reset.
The code contained various recursive paths and no effort was made to prevent stack overflows. Worse, the RTOS kernel data structures were located immediately after the 4K stack, so stack overflows could smash these structures, including disabling tasks from running.
They were supposed to be using mirroring of variables to detect memory smashing/corruption (write A and XOR A to separate locations, then compare them on read to make sure they match). They were not doing this for some critical variables for some inexplicable reason, including the throttle position so any memory corruption could write a max throttle value and be undetected.
Instead of using the certified, audited version of the RTOS like most auto makers, they used an unverified version.
Thanks to not bothering to review the OS code, they had no idea the OS data structures were not mirrored. A single bit flip can start or stop a task, even a life-safety critical one.
These are just some of the massive glaring failures at every level of specifying, coding, and testing a safety-critical embedded system.
I am now confident in saying at least some of the unintended acceleration events with Toyota vehicles were caused by software failures due to gross incompetence and negligence on the part of Toyota. They stumbled into writing software, piling hack on top of hack, never bothering to implement any testing, peer review, documentation, specifications, or even the slightest hint that they even considered the software something worth noticing.
Natural != (nontoxic || beneficial)
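Two of the defenses the post above describes, mirrored variables (write a value and its complement to separate locations, compare on read) and a watchdog that tracks individual tasks rather than "the system is running", as an added illustration in C. This is not Toyota's code or anything from the trial; the one's-complement mirror, the heartbeat-counter scheme and the fault injection are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Mirrored variable: the value and its bitwise complement live in
 * separate words, so a single-bit upset in either word breaks the
 * invariant value ^ mirror == 0xFFFF and is caught on the next read. */
typedef struct {
    uint16_t value;
    uint16_t mirror;   /* always ~value when the pair is intact */
} mirrored_u16;

void mirrored_store(mirrored_u16 *m, uint16_t v) {
    m->value = v;
    m->mirror = (uint16_t)~v;
}

/* Returns true and writes *out if the pair is consistent, false on corruption. */
bool mirrored_load(const mirrored_u16 *m, uint16_t *out) {
    if ((uint16_t)(m->value ^ m->mirror) != 0xFFFFu)
        return false;
    *out = m->value;
    return true;
}

/* Throttle reader for the failsafe path: a corrupted pair reads as 0
 * (closed throttle) and raises a fault instead of trusting memory. */
uint16_t read_throttle_failsafe(const mirrored_u16 *m, bool *fault) {
    uint16_t v;
    if (!mirrored_load(m, &v)) {
        *fault = true;
        return 0;
    }
    *fault = false;
    return v;
}

/* Constructed fault injection: flip one bit of the value word, the
 * kind of upset unprotected RAM would not report. */
void inject_bit_flip(mirrored_u16 *m, unsigned bit) {
    m->value ^= (uint16_t)(1u << bit);
}

/* Task-level watchdog: every task bumps its heartbeat once per cycle.
 * The supervisor compares each counter with its last snapshot before
 * kicking the hardware watchdog; a task that stopped being scheduled
 * shows no progress, so the kick is withheld and the ECU resets. */
#define NUM_TASKS 3
typedef struct {
    volatile uint32_t heartbeat[NUM_TASKS];
    uint32_t last_seen[NUM_TASKS];
} task_monitor;

void task_monitor_init(task_monitor *tm) { memset(tm, 0, sizeof *tm); }

void task_tick(task_monitor *tm, unsigned id) { tm->heartbeat[id]++; }

/* Returns -1 when every task progressed since the previous check (safe to
 * kick the hardware watchdog), otherwise the id of the first stalled task. */
int watchdog_check(task_monitor *tm) {
    int stalled = -1;
    for (unsigned i = 0; i < NUM_TASKS; i++) {
        if (tm->heartbeat[i] == tm->last_seen[i] && stalled < 0)
            stalled = (int)i;
        tm->last_seen[i] = tm->heartbeat[i];
    }
    return stalled;
}

int main(void) {
    mirrored_u16 throttle;
    bool fault;
    mirrored_store(&throttle, 0x1234);
    inject_bit_flip(&throttle, 15);          /* 0x1234 becomes 0x9234 */
    printf("throttle=%u fault=%d\n", read_throttle_failsafe(&throttle, &fault), fault);

    task_monitor tm;
    task_monitor_init(&tm);
    task_tick(&tm, 0); task_tick(&tm, 1); task_tick(&tm, 2);
    printf("all alive -> %d\n", watchdog_check(&tm));
    task_tick(&tm, 0); task_tick(&tm, 2);    /* task 1 never runs */
    printf("task 1 dead -> %d\n", watchdog_check(&tm));
    return 0;
}
```

Without the mirror, the flipped bit 15 would have been read as a throttle value of 0x9234 and acted on; without per-task heartbeats, the stalled task 1 would never have prevented the watchdog kick.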
No, they get a pass because it kills less than DFU errors. ;-)
Sleep your way to a whiter smile...date a dentist!
The problem is not the language. The problem is the garbage tools that are available for it.
There is no single good tool (as in modern IDE or even command line debugger) for it. The top (and probably only one still maintained) one is AdaMulti ... and it sucks.
Pretty much all diesels made in the last decade are drive-by-wire.
So one example we've already talked about is the internal data structures within the operating system. They missed it because they never looked at the operating system. They got this operating system in binary from their chip supplier and they never looked inside it to see what was in there.
The implementation of the OS they used was not compliant with the OS interface specification.
I thought what they meant by killer was something game-changing. Turns out, it is literally a killer.
The fact that NatasRevol (and I) would be happy with less deaths from the driverless cars than what would have been caused by human drivers does not mean there would be no need to improve. It just means we would be happy because there would have been improvement and that a path to further improvement has been opened (you can only lower road deaths to a certain degree as long as there are users in the loop)
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
FTA: "Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration."
So, let me ask you this -- if the car 'decided' to accelerate due to a bit flip, tin whiskers, or a stuck task, how likely would it be that a 76-year-old person would think to remove their foot from the brake and then reapply their foot to the brake? We are talking about someone whose reaction time is measured in seconds, the same seconds that the accident took to occur.
If they experienced this acceleration and they had 1-2 seconds to react, I doubt they would think to operate the brake in a fashion different than the cars made in the 20th century. You can say driver error, but we're talking about a corner case of software failure that requires the driver to react in a counter-intuitive fashion, and within seconds.
Obviously it's more likely that the people who experience this will be drivers who have decades of experience with cars that don't need this alternative braking procedure. Just like it's more likely that they also took 200-300 ms more time to respond than someone 50 years younger. But that DOESN'T mean it is their fault.
This is not so black and white as you frame it. There are always multiple contributing factors to a crash. The software and hardware involved clearly had a role, and that's why the jury ruled that way.
Best comment on this thread. I'd mod up if I could.
I guess that "killer app" just got a new meaning.
If you post as an AC, don't expect me to spend a mod point on you.
I'd be happy with a car OS that kills less than 30,000 people per year.
If a car manufacturing defect kills anybody at all, then there should be manufacturer's liability for it.
They don't get a free pass just because of the kind of manufacturing defect, there's no privilege against liability just because it's a software defect.
-wb-
What if the 'defective' car also dramatically reduces the overall number of road deaths?
Don't the needs of the many outweigh the needs of the one? Even if you're a lawyer? Oh, wait, that requires a heart...
No sig today...
That's what you get when you hire bricklayers and plumbers to write your code. Can we get the Telegraph editor a Toyota? Kickstarter campaign maybe? :)
http://en.wikipedia.org/wiki/Electronic_throttle_control
"Recently, ETC was initially suspected by some to be responsible for alleged incidents of unintended acceleration in Toyota and Lexus vehicles. No evidence of this has been demonstrated, and Toyota has been exonerated by the U.S. National Highway Traffic Safety Administration (NHTSA)."
??
Whilst there are many aspects about the film I, Robot that I have problems with, this very issue is covered when the female scientist is scared because Will Smith decides to take manual control of the car they're in.
The comments about TBW making assembly cheaper are well-founded and accurate, but there's WAY more than just that:
TBW lets you get rid of the idle speed solenoid / idle speed bypass motor, which handles high idle during warmup and anti-stall during big drop throttle. Instead, the ECU can move the throttle plate directly. More control authority, less under/overshoot, more stable idle, less idle fuel consumption - not to mention a savings of between 1 (PWM idle solenoids like Honda) and as many as 6 wires (stepper motor systems like Mitsubishi)
TBW allows you to change the ratio between delta pedal and delta throttle - and do so *dynamically*. You can do this by changing the linkage and cam on a mechanical throttle, but it's a big deal and not easy to tune. With TBW, it's a lookup table or a function. If you have a powerful car with a big throttle body, this can pay HUGE fuel savings and vehicle control dividends at low throttle plate angles, where tiny tiny differences in throttle plate angle make huge differences in airflow.
TBW makes traction control / stability control WAY easier - and it doesn't crackle and bang like spark retard systems do.
And that's just the tip of the iceberg.
Just because you can't imagine the benefits don't mean they aren't there.
Want to learn about race cars? Read my Book
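The "lookup table or a function" in the comment above, as an added C example; this is not the commenter's code and not any manufacturer's calibration, and the two tables, the 0..1000 scaling and the mode names are hypothetical. It interpolates a pedal position through a selectable map (the progressive one gives fine plate resolution at small pedal travel, the point made above), clamps at the endpoints, and validates the table once so a bad calibration cannot reach the actuator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Calibration point: pedal position in, throttle plate angle out, both in
 * tenths of a percent (0..1000). All numbers are hypothetical. */
typedef struct { uint16_t pedal; uint16_t throttle; } map_point;

/* Progressive map: fine plate resolution at small pedal travel. */
static const map_point eco_map[] = {
    {0, 0}, {100, 20}, {250, 70}, {500, 200}, {750, 500}, {1000, 1000}
};
/* Sport map: close to 1:1. */
static const map_point sport_map[] = {
    {0, 0}, {250, 300}, {500, 600}, {750, 850}, {1000, 1000}
};

/* A table must be strictly increasing in pedal, non-decreasing in throttle,
 * in range, and span the full pedal travel. Check it at boot, not per call. */
bool map_is_valid(const map_point *m, size_t n) {
    if (n < 2 || m[0].pedal != 0 || m[n - 1].pedal != 1000) return false;
    for (size_t i = 1; i < n; i++) {
        if (m[i].pedal <= m[i - 1].pedal) return false;
        if (m[i].throttle < m[i - 1].throttle || m[i].throttle > 1000) return false;
    }
    return true;
}

/* Piecewise-linear interpolation, clamped at the table's endpoints. */
uint16_t map_lookup(const map_point *m, size_t n, uint16_t pedal) {
    if (pedal <= m[0].pedal) return m[0].throttle;
    if (pedal >= m[n - 1].pedal) return m[n - 1].throttle;
    for (size_t i = 1; i < n; i++) {
        if (pedal <= m[i].pedal) {
            uint32_t dp = m[i].pedal - m[i - 1].pedal;
            uint32_t dt = m[i].throttle - m[i - 1].throttle;
            return (uint16_t)(m[i - 1].throttle + (pedal - m[i - 1].pedal) * dt / dp);
        }
    }
    return m[n - 1].throttle;   /* unreachable for a valid table */
}

/* The pedal-to-throttle ratio changes at run time just by switching tables. */
typedef enum { MODE_ECO, MODE_SPORT } drive_mode;

uint16_t throttle_for_pedal(drive_mode mode, uint16_t pedal) {
    const map_point *m = mode == MODE_SPORT ? sport_map : eco_map;
    size_t n = mode == MODE_SPORT ? sizeof sport_map / sizeof sport_map[0]
                                  : sizeof eco_map / sizeof eco_map[0];
    if (!map_is_valid(m, n)) return 0;   /* bad calibration: closed throttle */
    return map_lookup(m, n, pedal);
}
```

With these tables, a pedal at 37.5% gives a 13.5% plate opening in the progressive map and 45% in the near-linear one, which is the whole point of the dynamic ratio; the validity check matters because a table with a reversed or out-of-range entry would otherwise produce a plate angle the driver never asked for.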
There are some advantages of having the ECU control the throttle in a modern car. Driveability is one of them. It allows the ECU to match engine torque and transmission shift points successfully. And this is a big contributor to fuel economy improvements on gas engine vehicles. It allows you to lug the engine at WOT in a much higher gear on small grades or flat roads and when you press the accelerator pedal further, it will force a down-shift. These are mapped into the ECU and adaptive coefficients are determined by the driver during the first few minutes of driving the car after a battery disconnect.
I had a car that didn't have a tape deck and only five buttons for the radio. ...
Ah, but did it have tubes? And a single speaker in the middle of the dash? Was it covered with real chrome?
My car for which you could say yes for all of that also had a transmission with five buttons. Wicked cool for smoke starts.
Where we're going, we don't need tubes!
Someone who can create worlds in a box doesn't really sound too much like a dull weirdo to me... especially if they let me play around in their world.
In this case, she was justified as in that era people didn't drive, esp. in high traffic at speed. This is like putting a 15yo in dense interstate traffic. (if you've ever taught anyone to drive, you would shudder at the thought)
It is about bloody time that a software developer is held accountable for delivering dangerous buggy firmware. As a purchaser, I have often been frustrated by how this industry has conditioned us to believe that this is normal and must be accepted. Indeed we are usually expected to subscribe to a continuing service to update delivered software for bug fixes. Can you imagine this happening with any kind of hardware delivery? Professionals in the motor vehicle industry must deliver a product quality that is consistent with the standards of that industry - even if it is software.
Heavy is the head that wears the tinfoil hat.
Like you, I'm not sure which safety mechanism Stormy thinks we'll install on a car but if they are referring to the big red button...
A big red stop button should work just fine for all those systems. One of the neat side effects of the new electric power steering systems is that they can turn themselves without your help at all and do it with great precision so it makes for easy self-steering. There is however still an actual linkage between the rack and steering wheel. The ABS pump is also completely automatic but there is still a standard vacuum master cylinder with a real connection to the pedal. If you were to cut power to those 2 items then they will shut down along with the engine when the E-Stop is pressed and you will retain a very rudimentary level of control of the vehicle. Just like today should your engine shut down while in motion. Now eventually we will eliminate those hard links and go true drive by wire but going by previous vehicle evolution, there is no reason to suspect first gen self drivers to have those backups eliminated. If they did that, whether rational or irrational, fear would dissuade adoption.
if Toyota managed to cock up their software so badly...how bad is the code of other manufacturers?
Never let a lack of data get in the way of a good rant.
For whatever reason one of the original links was no longer available when I revisited one of the links in the OP today:
http://embeddedgurus.com/barr-code/2013/10/an-update-on-toyota-and-unintended-acceleration/
But Google Cache still has a copy...
http://webcache.googleusercontent.com/search?q=cache:http://embeddedgurus.com/barr-code/2013/10/an-update-on-toyota-and-unintended-acceleration/
You're a stupid asshole....sorry, the far likelier is NOT people hitting the wrong pedal, floor mats or that BS.
I have a first generation Prius, which is not even included in such cases. But I had an unintended acceleration. It happened when I lifted my foot OFF the pedal. And you know what, it felt exactly like when the cruise control kicks in to accelerate up a hill. And I do believe that was what was involved.
But shit for brains folks like you just simply assume human error. Like the fucking morons who wrote up the crash report blaming the F-22 crash on pilot error for not keeping his plane in the air when it ran out of oxygen.
YES, a few people likely did something dumb like that. But hey, let's look at statistics. That would happen with any car, and many many cars have much closer together pedals. No, something technical was going on here.
***
"They eventually "fixed" the problem by moving the brake and accelerator pedals further apart, and putting in a brake-gearshift interlock"
And let me point out, that it was also a significant change, and therefore would have had a different firmware for the electronics control module as well. All your statement proved is that they added some extra measures on the next version. But that the next version was modified, and thus the issue eliminated. There is no proof which resulted in the fix, the pedal change vs the electronics update.
Remember, if you're in a car and it's accelerating, brakes aren't working....
1. STAY CALM
2. SHIFT THE VEHICLE INTO NEUTRAL
3. BRAKE or COAST VEHICLE TO A STOP
****
Seriously when you hear the 911 calls about these sorts of things, you wonder why every 911 operator is not trained to simply say "Please shift your vehicle into NEUTRAL"