Toyota's Killer Firmware

New submitter Smerta writes "On Thursday, a jury verdict found Toyota's ECU firmware defective, holding it responsible for a crash in which a passenger was killed and the driver injured. What's significant about this is that it's the first time a jury heard about software defects uncovered by a plaintiff's expert witnesses. A summary of the defects discussed at trial is interesting reading, as well the transcript of court testimony. 'Although Toyota had performed a stack analysis, Barr concluded the automaker had completely botched it. Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.' Anyone wonder what the impact will be on self-driving cars?"

Technology is hard and dangerous

[i+kan+reed]

I'm convinced. I'll give up my career as a computer programmer now, and go use my bare hands for subsistence farming now. Sorry, I was wrong.

Re:Technology is hard and dangerous

[neoritter]

Or we could present this as the new Therac-25 and learn from it. :)

Re:Technology is hard and dangerous

[vux984]

Realistically, you are quite a bit more likely to die in your classic car than you are in a new car despite issues like this.

The new car brakes better, handles better, is an order of magnitude safer in a collision thanks to the crumple zones, airbags, and modern collision testing requirements. It also uses less fuel, and pollutes less.

I like classics too, but I don't have any illusions that they are generally safer or more reliable. I will give you that they are usually easier to fix (assuming they aren't so classic that parts are a problem) but that doesn't make them safer -- and safety was the underlying catalyst for this discussion.

Re:Technology is hard and dangerous

[es330td]

The problem with "a new car" is that some of the functionality has been taken away from the driver. In a classic car, if I put it in neutral, the gears disengage, especially if it is a stick. I may blow the engine if I push on the clutch and the throttle is stuck but power will be disconnected from the drive wheels. If I turn the key counter clockwise, the car WILL shut off. In a push button start, drive by wire car the driver uses physical inputs to tell the computer to do something and then the computer does it. If due to a software glitch it suddenly decides to max the throttle there isn't much I can do as the driver to stop it, at least not in the very limited time I have before I collide with another car or a wall. It isn't the probability of collision with which I have a problem, but the fact that significant parts of the control of a two ton machine powered by incendiary fuel are put under the control of a computer program.

Re:Technology is hard and dangerous

[SleazyRidr]

Yeah, the point of crumple zones is that the car gets damaged as opposed to the people inside. In fender benders old cars do better, but in a serious accident you'll be hurt worse in an older car. That doesn't stop me using a old car as my primary transportation, but I am aware that I am taking a risk doing so.

Re:Technology is hard and dangerous

[FatdogHaiku]

Why the need to push and pull everything to the extreme that they can pushed or pulled to?

It's kind of the unofficial /. posters motto:
Ad absurdum, Ad infinitum, Ad nauseam!
Add Vodka...

Re:Technology is hard and dangerous

[ebno-10db]

I agree. I'm hardly a Luddite, but being an embedded hardware/software engineer, I know what kinds of problems can crop up. The use of computers for safety critical functions was pretty well developed years ago in aerospace, but it's very expensive. Developing the software is also very expensive (and dull frankly), and has to meet stringent standards (the higher tiers of DO-178B). It sound like Toyota anyway, haven't even reached the point of good practices, let alone stringent standards. The car makers have decided they want aerospace style control, but without the costs. Good luck with that.

ECU's have been around since the 70's, and became ubiquitous in the 80's. AFAIK the older systems had a mechanical linkage between the gas pedal and the throttle plate. The ECU then read the air flow sensor, and various other sensors, to set the fuel injection and spark timing. Obviously it can fail, but it's a soft fail. The engine won't run, or more likely won't run well. Sudden acceleration or unstoppable engine though? Forget it. With the throttle plate closed there's no way you can get any more than the power produced at idle, no matter what the ECU does.

Re:Technology is hard and dangerous

[SethJohnson]

The metal is so much thicker on those old cars, we had to use a sledge hammer instead of a normal body work hammer to take the dent back out

I apologize if I'm stating the obvious here...

Most older products were over-built for durability because there were not methodologies for engineering minimum material for the required applications. Cars and other things were built with thicknesses of material that were tested and known to work. To reduce that thickness risked approaching an unknown threshold for failure. Trial-and-error was used where budgets allowed to reduce material, but this was an expensive process and in most cases the manufacturer chose to overbuild.

In more recent years, computer modeling has enabled engineers to load test structural designs so that the product can be built with the minimum amount of material required to satisfy the desired application. This benefits the producer, the consumer, and the scrap yard, while delivering overall efficiency.

Re:Technology is hard and dangerous

[tlhIngan]

On airliners they're willing to spend just a little more on extremely reliable and redundant hardware than they are on cars. Makes a difference. It also helps if you code to extremely stringent standards like DO-178B Level A, which costs a fortune. Light aircraft don't use fly-by-wire, why do cars need it?

AFAIK the main argument for fly-by-wire on airliners is that it allows for a reduced stability aerodynamic design, which reduces drag and hence fuel consumption. Considering the amount of fuel an airliner consumes, it's worth spending a king's ransom on fly-by-wire. The payback is definitely there. I know of no similar argument for most of the current generation of electronics in cars, and they're certainly not willing to pay the price.

Safety critical systems in automotive applications are fairly rigourous as well. The airbag controller, for example, has a power reserve (a big honkin' cap) so it can trigger the airbags even if the power systems are mangled, dual accellerometers (in case one fails), logging of data, etc.

Brakes are almost always hydraulic with a mechanical backup - malfunctioning ABS cannot defeat the system, etc.

The ECU may not be redundant, but it doesn't matter because if the ECU fails, the engine dies and you try to pull over safely. (in aircraft, you don't want engine failure due to computer failure, so they require dual computers, or computer/magneto).

And fly-by-wire on military jets lets you have better dynamic stability because an unstable aircraft maneuvers faster. Commercial jets are traditional stable designs to begin with. The reason they went fly-by-wire was wire is a LOT lighter than miles of cables, rods, pulleys, hydraulic fluid, etc and has way less error modes (a cable system can fail simply because someone forgot to balance the lengths properly), and makes mechanical assistance much easier to do.

Airbus uses it to avoid having pilot inputs exceed the flight envelope as well.

Re:Technology is hard and dangerous

[TapeCutter]

A big red button on the dash marked "emergency stop". As I said elsewhere I've experienced a jammed mechanical throttle on a Honda 750 motorbike. Because I had a clutch the incident was no danger to anyone or anything except the engine, which screamed it's guts out before I turned it off.

Re:Technology is hard and dangerous

[Jane+Q.+Public]

"This is the argument Boeing put forth about Airbus and its fly-by-wire planes...until the gave in. We cannot stop this type of progress, but it would be nice if there was still somewhere a killswitch that was manual and separate from the computer...just as a last resort if possible."

Having researched this issue not very long ago, I can tell you that the issue is not as black-and-white as you make it out to be.

Boeing has been building "fly-by-wire" planes almost as long as Airbus. The major difference (which Airbus aficionados still dispute but which is supported by factual records) is that Boeing put more and better physical ("manual") backup systems in their planes than Airbus did. And the consequences, as shown in the safety record, speak for themselves. Airbus' systems in some cases led to pilots literally sitting horrified in their cockpits watching disaster happen and not being able to do a single damned thing about it.

Kill switches, manual disconnects and backups, etc. all have to be built in. Doing otherwise is just plain irresponsible.

But hey... you're talking about the automotive industry here, remember? The same guys who control engines and entertainment systems with the same CPU, and who put android systems in new vehicles with no way to upgrade them for the life of the car.

Re:Technology is hard and dangerous

[Frobnicator]

Obviously it can fail, but it's a soft fail. The engine won't run, or more likely won't run well. Sudden acceleration or unstoppable engine though? Forget it. With the throttle plate closed there's no way you can get any more than the power produced at idle, no matter what the ECU does.

That is exactly the thing that makes this jury verdict so suspicious.

The driver was 76 years old at the time. This crash was subject to an NTSB investigation, and investigators found no evidence that it was a software fault or a hardware fault. The crash recorder says the driver pushed the accelerator and was not pushing the brakes, and then the car was hit.

And most interestingly from TFA is the last line. Ten of the 12 jury members said they wanted to punish Toyota.

If he was pushing on the brakes he could have probably overcome most of the force of a sudden accidental acceleration. If he had more time there were other options like shifting to neutral, but he was approaching an intersection.

When I look at it, an older driver and vehicle recording systems saying the accelerator was pressed and the brakes were not, investigators finding no evidence to support the claim of a software failure, and then the jury stating they want to punish Toyota, I don't see this as a good verdict.

Re:Technology is hard and dangerous

[MachDelta]

In a "serious accident", I'd wager my old Chrysler New Yorker against your crumple-zones any day of the week.

You'd lose that bet.
And likely only once.

http://www.youtube.com/watch?v=xtxd27jlZ_g

Not only would I experience far lower acceleration forces than you

No, you'd be experiencing far greater acceleration forces, as if no portion of the car gives way and soaks up kinetic energy, a greater portion of it will be transferred to anything not bolted securely to the frame (eg: you).

I won't end up crumpled in my car's own crumple zone.

The cabin is under no circumstances a crumple zone. Engine and trunk compartments make great crumple zones. The cabin should be a vehicle's Waterloo.

Re: Technology is hard and dangerous

[jrumney]

it still has all the airbags and r

A shame that manual transmission didn't stop you posting while driving though.

Re:Technology is hard and dangerous

[drinkypoo]

Yah I had a jammy throttle in a RX7 I used to drive. Whenever the gas pedal started to get sticky it'd be time to pop the hood and spray it with some WD40.

WD means "water displacer", not lubricant. Should have used a lubricant, not a water displacer. I like silicone products for the engine top, but sometimes I'll just use a general purpose grease.

"Impact on self-driving cars?" - None

Those working on self-driving cars and those that are watching the technology already know that any such car would need an absolutely 100% rock solid OS.

This changes nothing.

Re:"Impact on self-driving cars?" - None

[neoritter]

It might change the programming language they decide to use though. Pick a language that's more stable at run-time like Ada (missile programming) etc.

Re:"Impact on self-driving cars?" - None

[NatasRevol]

I'd be happy with a car OS that kills less than 30,000 people per year.

http://en.wikipedia.org/wiki/List_of_motor_vehicle_deaths_in_U.S._by_year

Or even less than 10 million accidents a year.

http://www.census.gov/compendia/statab/cats/transportation/motor_vehicle_accidents_and_fatalities.html

Re:"Impact on self-driving cars?" - None

[mjr167]

You don't trust the engineer, but you trust the 16 year old girl trying to apply makeup and text her boyfriend while driving on the highway?

Re:"Impact on self-driving cars?" - None

[erikkemperman]

Not sure why this was modded flaimbait... this is one of the areas where Ada does generally shine, it is a language built for auditing.

That might turn out to be an important point. Suppose some day two cars of different manufacturers cash into each other. Will comparative code audits find their way to court?

Re:"Impact on self-driving cars?" - None

[fahrbot-bot]

Ada 83 sucked. Ada 95 fixed most of the problems, and I believe that they're up to Ada 2012.

Wow. From 95 to 2012 - they must be using Chrome/Firefox style version numbering :-)

Self-driving cars will come with an EULA

[dclozier]

The owner of a self-driving car will have had to accepted the EULA and accepted not to hold the manufacturer liable for sofware defects. (half joking but I wouldn't rule it out)

Re:Self-driving cars will come with an EULA

Won't do any good. I can agree to a hold-harmless provision (and, despite the language of the EULA, such clauses are not actually universal). What I cannot do, is agree to it for someone else. You'd better believe a pedestrian hit by my self-driving car can sue the living daylights out of them. Heck, as previously mentioned, depending on what the particular problem is, *I* can still sue them.

' Anyone wonder what the impact will be?

[freakingme]

Sure, they will be more safe. Just like in the aviation industry, where each incident/crash is investigated meticulously, and flying has become safer ever since 1903. With non-selfdriving cars 99% of the incidents were caused by human error. Now no more, so we can fix it!

Relevant paragraph

[michaelmalak]

2nd link, 5th paragraph:

In a nutshell, the team led by Barr Group found what the NASA team sought but couldn’t find: “a systematic software malfunction in the Main CPU that opens the throttle without operator action and continues to properly control fuel injection and ignition” that is not reliably detected by any fail-safe. To be clear, NASA never concluded software wasn’t at least one of the causes of Toyota’s high complaint rate for unintended acceleration; they just said they weren’t able to find the specific software defect(s) that caused unintended acceleration. We did.

Re:Relevant paragraph

[TopherC]

FTA: "Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration."

The impact on self-driving cars? Documentation.

[wjcofkc]

Anyone wonder what the impact will be on self-driving cars?

A longer chapter on debugging in the first edition of "Programming Self-Driving Cars: The Missing Manual."

If there's no human fall back, I'll never trust it

[neoritter]

If there's no human fall back or ability to overthrow the computer's control of the car I'll never drive it. I don't think this will change anything except maybe give the people that are rushing for self-driving cars some pause. Every developer knows the risks of self-driving computer controlled cars (if they don't, well they're naive). Between human error in programming and human maliciousness, there are two camps. People who think they can overcome the possibilities of putting a semicolon in the wrong place and prevent hackers from comprising the software's integrity. And people who realize the first people are fooling themselves.

Re:The Toyota Way

[div_2n]

Your post demonstrates a complete lack of understanding of what JIT manufacturing (i.e. lean) is and what it tries to accomplish. Hint: it's not about doing more with less. Further, you either willingly fail to mention Kaizen (continuous improvement) or just aren't aware that THIS is the heart and soul of the true Toyota Way.

Whatever the reasons they failed in software engineering, neither JIT nor Kaizen would be to blame because neither of those try to nor should they translate to "engineer badly".

Re:It is about time!!!

[c-A-d]

Any engineering project requires that the engineers have to answer for what they've done. The mantra is, "As an engineer, if you fuckup, someone dies." Every engineer, regardless of discipline, needs to understand this and if they don't, should consider going into Liberal Arts or something equally useless where the worst they can do is fuck up my food or drink order.

Re:If there's no human fall back, I'll never trust

[geekoid]

"If there's no human fall back or ability to overthrow the computer's control of the car I'll never drive it."
by definition you wouldn't be driving it.

Re:wtf

[ZombieBraintrust]

Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration.

The jury could confirm there was a defect because they were able to reproduce it with a physical car. They could confirm the code quality was poor because it 1) It didn't follow the required code standards: MISRA C, 2) The cyclomatic complexity was too high 3) Toyota didn't track bugs.

Re:wtf

[geekoid]

Are you sure you are a software engineer, and not some programmer with delusions of grandeur?
 

Re:If there's no human fall back, I'll never trust

[Stormy+Dragon]

There was a time after automated elevators first came out when people refused to use them because they didn't trust them without a "human fall back or ability to overthrow the computer's control". Today, when nearly all the elevators we've ever seen were automated, this seems crazy.

In 50 years, when most people have never seen a manually operated car, we'll seem just as crazy for not trusting them.

Re:The Toyota Way

[ramk13]

Did you read TFA?

In a nutshell, the team led by Barr Group found what the NASA team sought but couldn’t find: “a systematic software malfunction in the Main CPU that opens the throttle without operator action and continues to properly control fuel injection and ignition” that is not reliably detected by any fail-safe.

That's proof, not an argument that they could have tried harder to find the system could fail. The bottom line is that its software that puts people's lives at risk. It's reasonable to hold that type of code to a higher standard. There are millions of other cars, trains, and planes out there with similar software but without this type of problem. At some point you should be responsible for the things you create.

Awesome transcript

[ljw1004]

I've been reading the transcript. It's fantastic. The expert explains clearly and lucidly in terms that (I imagine are) understandable by non-techies.

The transcriber made some funny mistakes... Let me tell you about "parody bits" and "pointer D references" :)

More Details

[rabtech]

Couple of details here:

Toyota had no software testing procedures, no peer review, etc. The secondary backup CPU code was provided by a third party in compiled form, Toyota never examined it.

Their coding standards were ad hoc and they failed to follow them. Simple static analysis tools found massive numbers of errors.

They used over ten thousand global variables, with numerous confirmed race conditions, nested locks, etc.

Their watchdog merely checked that the system was running and did not respond to task failures or CPU overload conditions so would not bother to reset the ECU, even if most of the tasks crashed. Since this is the basic function of a watchdog, they may as well not have had one.

They claimed to be using ECC memory but did not, so anything from single bit errors to whole page corruption were undetected and uncorrected.

A bunch of logic was jammed in one spaghetti task that was both responsible for calculating the throttle position, running various failsafes, and recording diagnostic error codes. Any failure of this task was undetected by the watchdog and disabled most of the failsafes. Due to no ECC and the stack issue below, a single bit error would turn off the runnable flag for this task and cause it to stop being scheduled for CPU time. No error codes would be recorded.

They did not do any logging (eg of OS task scheduler state, number of ECU resets, etc), not even in the event of a crash or ECU reset.

The code contained various recursive paths and no effort was made to prevent stack overflows. Worse, the RTOS kernel data structures were located immediately after the 4K stack, so stack overflows could smash these structures, including disabling tasks from running.

They were supposed to be using mirroring of variables to detect memory smashing/corruption (write A and XOR A to separate locations, then compare them on read to make sure they match). They were not doing this for some critical variables for some inexplicable reason, including the throttle position so any memory corruption could write a max throttle value and be undetected.

Instead of using the certified, audited version of the RTOS like most auto makers, they used an unverified version.

Thanks to not bothering to review the OS code, they had no idea the OS data structures were not mirrored. A single bit flip can start or stop a task, even a life-safety critical one.

These are just some of the massive glaring failures at every level of specifying, coding, and testing a safety-critical embedded system.

I am now confident in saying at least some of the unintended acceleration events with Toyota vehicles were caused by software failures due to gross incompetence and negligence on the part of Toyota. They stumbled into writing software, piling hack on top of hack, never bothering to implement any testing, peer review, documentation, specifications, or even the slightest hint that they even considered the software something worth noticing.