Stack Overflow Could Explain Toyota Vehicles' Unintended Acceleration

New submitter robertchin writes "Michael Barr recently testified in the Bookout v. Toyota Motor Corp lawsuit that the likely cause of unintentional acceleration in the Toyota Camry may have been caused by a stack overflow. Due to recursion overwriting critical data past the end of the stack and into the real time operating system memory area, the throttle was left in an open state and the process that controlled the throttle was terminated. How can users protect themselves from sometimes life endangering software bugs?"

Wow

[rsilvergun]

Is there anything Stackoverflow can't do?

Re:Wow

[snookerdoodle]

I have to admit, that was my first thought as well. :)

Re:Wow

Is there anything Stackoverflow can't do?

Fix beta?

Re:Wow

[fred911]

"Is there anything Stackoverflow can't do?"

Divide by zero?

Re:Wow

[wisnoskij]

I am not so sure, have you tried it yet?

Re:Wow

[smittyoneeach]

Truly a git hub.

Re:Wow

Not sure if you're suggesting the beta site has been fixed already or suggesting its unfixable. But to stay on topic, if the beta site were Toyota I'd probably jump ship to Honda. I'm not sure what site would qualify for the "Honda" part though. There's soylentnews.org but that strikes me as being more "Datsun".

Re:Wow

[Hsien-Ko]

Toyota::MovingForward encountered an unhandled exception

Re:Wow

[wickerprints]

Gives a new meaning to "race condition," doesn't it?

Re:Wow

[Darinbob]

Don't give up on them just yet, they're still waiting for the computer to finish calculating the value of 1 divided by 0.

Re:Wow

[davester666]

I always knew there would be a catch to getting free help.

I missed the "May occasionally cause death." clause in 1pt at the bottom of each page.

Re:Wow

[steelfood]

Sure somebody there could explain it, but if nobody actually poses the question, there will be no answers from which to choose the best explanation, leaving this presumption to remain in the realm of conjecture only.

Re:Wow

[jones_supa]

Not sure if you're suggesting the beta site has been fixed already or suggesting its unfixable.

IMHO the Beta is getting better.

Re:Wow

[MikeBabcock]

Mine too, I thought "Cool, stackoverflow has a site for debugging closed hardware now"

Re:Wow

[fractoid]

"Your program has crashed."

Re:Wow

You're actually right. It only took 6 months of sending in feedback and two weeks of jumping ship to get them to remove most of the damned whitespace and fix the comment font.

Now if we could just get them to put back abbreviated comment view, fix the broken-by-design concept of going all the way to the bottom to "load more comments" then having to scroll back up to see if there are any replies to a thread you were interested in (put "load replies" in each comment?) and fix linking to comments since http://developers-beta.slashdo... is still a blank page.

Re:Wow

It's a stack overflow in the brains of the poor drivers who can't differentiate the pedals at some moment.

Re:Wow

[maxwell+demon]

No, you misunderstood. After not finding the solution themselves, Toyota asked on Stack Overflow, and they could explain the problem to Toyota.

Re:Wow

A stack overflow is nothing like a race condition, so your joke fails. It was bad, and you should feel bad.

Re:Wow

Nerds love racy picture sites and the condition they cause.

Re:Wow

Ha, only until Chuck No^H^H^H^H^H^H^H^HBruce Schneier logs in to answer the question.

Re:Wow

>nothing like a race condition

TFA specifically refers to race conditions, so you fucking lose, asshole.

Re:Wow

[q4Fry]

I don't understand. Could you use a car analogy?

Re:Wow

Someone turned the throttle up to 11...unfortunately it was an array of 10 items.

Re:Wow

I think Toyota::MovingForward was working ok - the unhandled exception was only in Toyota::SlowingDown

Re:Wow

Really? Cause I was unable to post here using it. As in utterly unable. I had to restart in classic. Maybe I needed Windows 98+ and Macromedia Flash to use that advanced functionality.

I'd have preferred posting my comment to soylentnews.org but they don't even have this story(Why?). Way for both to suck.

Never use any software.

Problem solved.

Re:Never use any software.

Not using recursion in constrained embedded systems is a good start. It's been best practice since I started working with them 15 years ago.

Re:Never use any software.

[perryizgr8]

why is recursion so bad? it looks like any other code construct to me.

Re:Never use any software.

Because verifying maximum recursion depth is quite a bit more complex compared to verifying a whole bunch of other constraints

Re:Never use any software.

[viperidaenz]

Because its very easy to overflow the stack? Embedded systems tend to have a limited stack space too.

Re:Never use any software.

[Z00L00K]

You can use recursion if you have something that terminates it.

A stack overflow detection should definitely have been in place causing a termination/restart of that thread/process.

However this highlights that many ECUs in cars today are built by "embedded standards" where there are weak protections between processes because they use proprietary operating systems that seldom sees the extremes but instead relies on "nice" programmers following the "rules".

The main issue is anyway that the car industry today tries to save a cent on hardware and add a large load on development. Most notably is that many ECUs in cars today aren't able to do floating point calculations in hardware - they require software workarounds one way or another because a processor capable of floating point operations costs more.

The ISO 26262 standard will put more demand on the vehicle industry when it comes to software quality.

Re:Never use any software.

[damaki]

Cheap india outsourced embedded software specialists beg to differs.
Welcome to the marvelous world of Minimal Cost Driven Development (MCDD).

Re:Never use any software.

[Antique+Geekmeister]

And because a software error or "bit error" can cause the software to be stuck in the recursion, in an infinite loop. Even when software errors don't exist, "bit flips" due to electrical transients or even due to cosmic radiation are inevitable due to the quite small transistor size in modern processors. And cars are electrically quite noisy environments, so a certain amount of "bit flip" should be expected as normal for any such system.

Re:Never use any software.

[Grishnakh]

Because it has the potential to overflow the stack. It's not the only thing that should be forbidden; exception-handling is another one, as is dynamic allocation, and also CPU caches. If you're using any of these things in a mission-critical embedded system, you're doing it wrong.

Re:Never use any software.

[AmiMoJo]

The recursion they seem to be taking about is loops with no fixed limit, e.g. a while loop with a test condition to exit. In theory such a loop could execute indefinitely, so the usual approach is to have some kind of watchdog. I believe Toyota use an embedded OS to prevent tasks hanging that way (probably ITRON, can't remember now).

The problem is that no actual evidence of these flaws has been provided. No code samples. We can't check the analysis.

Did anyone else read that title and think...

[RevWaldo]

..."We'll I'm sure somebody on there could!"

.

Re:Did anyone else read that title and think...

Yes, as usual, ./'s inability to write proper English sentences in the title have led to confusion again. If they had written it as, "A stack overflow.." instead, then there would not have been an assumption that it had anything to do with the website stackoverflow.

Oh come on!

[Lexible]

How in the world can the StackExchange formun StackOverflow be responsible for such anomolous acceleration events? I mean praise reddit or IRC alternatives to stackoverflow.com all you want, but tone down the rhetoric willya? Sheesh.

Go Amish?

[dbc]

"How can users protect themselves from sometimes life endangering software bugs?"

Amish buggies typically don't have software throttle failures. Run-away horses can be an issue.... and actually having to share the road with dipshit drivers who don't understand the number of slow moving vehicles (not just buggies) that there are out in farm country are a real danger.

Seriously, software has bugs. Mecanical throttle linkages can stick, too. Life has risks.

Re:Go Amish?

[rmdingler]

Water's wet.

Skies are blue.

Software and cheaper accommodations have bugs.

Re:Go Amish?

[mjwalshe]

typical stack overflow high rated answer - totally ignoring the question at hand

Re:Go Amish?

Coming from the aerospace industry, you cannot have software that has bugs. And if there was the possibility of a software bug, you have to prove that you can mitigate the effect in hardware. So just to say "software has bugs...life has risks" isn't an acceptable answer (in my opinion). We have to remember this is not an apples to apples comparison. Just because traditional consumer software always has bugs in it (which are acceptable) doesn't mean they are acceptable in other industries. Considering that the failure puts someone's life at risk, I would think it should be considered unacceptable in automotive industry as well.

Re:Go Amish?

[TapeCutter]

Until someone actually reproduces the bug I'd say the loose floor mat explanation is just as credible.

Re:Go Amish?

[LordLimecat]

Sometimes the question is dumb and asking to do the wrong thing. There isnt a good answer to "how do I avoid software bugs" other than "avoid software", and not the answer that is wanted.

Re:Go Amish?

[bobbied]

Until someone actually reproduces the bug I'd say the loose floor mat explanation is just as credible.

I'm actually going for "operator error" but hey...

Two cases come to mind. First, was short term unintended acceleration. Probable cause for that is hitting the wrong or both peddles.

Long term acceleration on the highway? Nobody thought to just turn off the ignition switch? Turns off the fuel pump, care stops running, eventually you come to full stop.

BOTH where operator error..

Re:Go Amish?

[CodeArtisan]

Coming from the aerospace industry, you cannot have software that has bugs. And if there was the possibility of a software bug, you have to prove that you can mitigate the effect in hardware. So just to say "software has bugs...life has risks" isn't an acceptable answer (in my opinion). We have to remember this is not an apples to apples comparison. Just because traditional consumer software always has bugs in it (which are acceptable) doesn't mean they are acceptable in other industries. Considering that the failure puts someone's life at risk, I would think it should be considered unacceptable in automotive industry as well.

If you want your cars to be as expensive as a 747, then you can attain that goal. I used to work in the automotive industry designing embedded software for engine management systems. At that time, no automotive company would pay more than $100 for the Engine Control Unit. Probably 60% of the code was written to manage failures (both software and hardware), and there were other electronic fail safe mechanisms. But you can't mitigate every possible failure event without introducing costs that would have made the unit orders of magnitude more expensive.

Re:Go Amish?

[jeffmflanagan]

While you can't do anything to avoid bugs, in the case of cars, there are things you can do to reduce the chance of being killed by a software bug.

A car where you have to hold down a button for 2 seconds to turn it off makes it easier for software to kill you than a car where you can simply turn the key counter-clockwise if the throttle sticks open.

Not handing your gear-shift over to electronics gives you the option to drop it into neutral if the computer is causing undesired acceleration.

Re:Go Amish?

[amorsen]

Killing the ignition also means killing power steering and power braking. There is a quite widespread belief that it can also engage the steering wheel lock, but AFAIK no one has been able to name a car where that happens so far. The next challenge is that in many modern cars the ignition switch is just a button which is handled in... software. You could throw the key out of the window and wait for the anti-theft device to kill the fuel supply, but that does not seem like something that most people would try.

In most cars you can put the gear box in neutral. The car will likely have a rev limiter (possibly in software, but it might still work). Worst case the engine breaks, but in almost all cases that would not be fatal to the people in the car.

However, in almost all cars, when not going down a steep hill, the brakes are actually more powerful than the acceleration. Just do not let off the brakes once you get the car slowed down and you think things are under control -- then the brakes overheat and you have a stuck accelerator combined with no brakes, and that has killed at least one driver already.

Re:Go Amish?

[dcw3]

The aerospace industry deploys bugs very frequently. Don't pretend like you don't. Yes, for some applications, we test the hell out of it, but bug free, hardly.

Re:Go Amish?

[digitalhermit]

Web developers have a different level of acceptability than in aerospace. I remember a code review for a tiny bit of code that did almost nothing but flash an LED on a failure condition. Three engineers, from three different areas had to approve the change. There was a code review board. There was paperwork and signoffs. Documentation had to include test results, cert results, someone's firstborn and a blood sacrifice to Moloch. The unfortunate engineer that submitted the code had to *defend* it in front of a room full of people whose chief entertainment was watching software guys squirm ("They ain't real engineers" "Here's a quarter kid. Go buy a real degree.").

Wimps.

In the last company where I worked, they changed web code on the fly. The developer edited code directly on the web server. An refresh from the client browser during the update could mean that the look of the page changed one moment to the next. Hell, there was one time when the whole webroot directory was renamed on the live server so the new site could be installed. Too bad for anyone browsing the old page...

Pshaw... You aerospace guys think you live on the edge? Change review? Bwahahaaha. Regression testing? You kid. Dev/Test/Stage/Prod migration? What are you, five?

Re:Go Amish?

[arkhan_jg]

Even in the aerospace industry, there are software bugs. Very few, yes, because a lot more time and money is spent to track them down. There are mechanical failures too, despite the best engineering efforts. But anything we build has the potential to be flawed somewhere in the process. That's why we still put highly trained pilots in the things, for when something goes wrong - and even then, human error causes unintended faults, sometimes catastrophically.

If a car cost as much as a jet, and drivers went through as much training as a passenger pilot - and had to have a co-driver at all times - we'd be far safer on the roads.
After all, the vast majority of car crashes are driver error. And failure modes when you're at 30mph on wheels are a lot better on the whole than when at 30,000 feet. But if we built cars to the same standard, and held drivers to the same standard as aerospace engineering, only the rich could afford to.

There's a trade off between acceptable risk, and cost. Even though the designs get safer every year, maybe we allow too much risk in drivers and their cars. But absolute flaw free cars? Impossible.

Re:Go Amish?

[eulernet]

Coming from the aerospace industry, you cannot have software that has bugs.

Why do you think that you are better than us ?
This is wishful thinking:
https://en.wikipedia.org/wiki/...
7 major bugs in space exploration !

Instead of "you cannot have software that has bugs", you should have said "you have to accept that there are still hidden bugs".
Then, you try to mitigate them by running 3 different programs on 3 different processors, so that if the result differs on one of them, you can suppose that the 2 others are correct.

Just because traditional consumer software always has bugs in it (which are acceptable) doesn't mean they are acceptable in other industries.

And then ?
A bug is never acceptable.
Fixing bugs has a cost, and if your project is very expensive, spend a lot of time fixing bugs is cheaper than delivering quickly.
Writing bullet-proof software is possible, but expensive, and requires a lot of code-reviews (automated and human), and code that never changes !

Re:Go Amish?

[jrumney]

Yes, aerospace software has solved the problem of software bugs. We should all be following its perfect example. </sarcasm>

Re:Go Amish?

[ebno-10db]

I'm not so sure cost is the biggest problem. Once upon a time ABS was an exotic tech used only on aircraft. I was impressed when they became a car option.

My biggest concern is whether a driverless car can be smart enough to reliably handle all the situations that arise. Probably someday, but I don't know when. Google's over-hyped toys can only handle clear weather, and even then they often have to kick out and go to manual control.

Re: Go Amish?

[Bobb+Sledd]

that is foolish. my father-in-law was nearly killed by one of these acceleration events, which happened several times. he was sitting at a stop sign with his foot in the brake when the engine revved. it was NOT the floor mat.

Re: Go Amish?

Turning off the ignition engages the wheel lock on mine; however I can push the clutch in to stop it. Failing that I might be able to muscle it into neutral.

Re:Go Amish?

[TrollstonButterbeans]

"You could throw the key out of the window and wait for the anti-theft device to kill the fuel supply, but that does not seem like something that most people would try."

100% not true.

Push button start vehicles need to detect the key fob to start up, nothing else.

In fact, it is possible to start up a "push button start" vehicle even if the key fob has a dead battery (you have to hold the key fob right next to the push button (you can watch this video if you like: http://www.youtube.com/watch?v... )

Re:Go Amish?

[Wuhao]

You're not supposed to, but you do routinely have software that has bugs even in aerospace, because there is no development process that can guarantee the prevention of 100% of defects, nor even guarantee that 100% of defects are detected and corrected.

Re: Go Amish?

[amorsen]

Brand and model year please? Just turning the ignition off is enough to engage the steering wheel lock, with the key still in the ignition?

Re:Go Amish?

ABS is a very simple system on its own with today's technology.

Driverless cars is your concern? Have you thought that people cannot handle even normal driving conditions? They see fog, and do they fucking slow down? No! They see 100k/h speed limit and that's what they are going, even if they see no further than 100m ahead of them. So please, some respect for driverless cars. Those at least have the brains to *PULL OVER* if there is some weird condition (internal or external)

Re:Go Amish?

[amorsen]

Well scratch that idea then.

Re:Go Amish?

[sjames]

Many people don't realize that you can turn off a modern car at speed by pressing and holding the start button. If you just press it normally, nothing happens.

Re:Go Amish?

[malvcr]

I think that there is a basic fundamental problem here.

There are characteristics and there are characteristics in a device that carry you to another place.

The first ones are classified as critical and it is important to invest all possible resources to make them to work. I know one car computer could cost $100 but to develop it cost millions of dollars, so there are resources to make them well.

The other characteristics, to attach an iPod, to control the temperature in your seat, to dim the internal light, they can have bugs, nobody will die because of them.

But, please, don't make bugs in the critical areas because you like to have the superficial characteristics at hand without using money, I will name that an irresponsible design behaviour.

Re:Go Amish?

When it comes to software, comparing the aerospace industry to the car industry is much like comparing the financial industry to the video game industry.

Re:Go Amish?

[recharged95]

And that's the difference in domain. Software can't be made to be the be-all-end-all of solutions.

On a 747, single point of failure (SPF) is a huge concern in design. Otherwise, the plane falls out of the sky. And it's an $$$ proposition.

On a BMW, you may want a SPF, power of the engine and allow coasting/override (i.e. let it fail, but keep other subsystems alive). And that's a cheap proposition.

No code is 100% bug free, but hopefully 100% controllable for the application. Heck s/w can't help you if the lug nuts fall off.

Re:Go Amish?

Aerospace is no more immune to software bugs than other sectors, even though there is more systematic effort to minimize their occurrence.
The space launch industry has experienced particularly memorable software bugs, with catastrophic launch failures from missing hyphens and commas.
Missing Mars because the contractor software used miles/hr while NASA was using kilometers/hr could also be considered a software glitch by some.

Re:Go Amish?

[ebno-10db]

Those at least have the brains to *PULL OVER* if there is some weird condition (internal or external)

No, the automatic systems kick out and say to the driver "your problem schmuck". In other words, they're least helpful when most needed.

Re:Go Amish?

[ComputersKai]

wut?

Re:Go Amish?

[Mashdar]

Coming from a fault tolerant computing background, your non-trivial software could have bugs. There is a reason N-version programming exists (and it's not for fun).

Unless you have true N-version programming with totally separate teams writing on different platforms with different languages, different academic backgrounds, different cultural paradigms, etc, then you don't have perfectly reliable software. (And even then your application may lend itself to certain symantic commonalities.)

When done properly, reliability/availability is a numbers game, and you have to look at price, time to market, MTTF/A, etc. If you think you can claim any software is bug free, I've got news for you.

Re:Go Amish?

[Mashdar]

Update: I missed three important letters: cannot :) Please nevermind me :D

Re:Go Amish?

[Mashdar]

update 2: no I read you right. I still disagree with the idea that fault-free software doing anything interesting exists anywhere.

Re:Go Amish?

[radish]

Seriously? Software has bugs. Aviation software has bugs. Planes crash. It sucks but it's the truth, 100% perfection in any non-trivial thing (whether hard or soft) is impossible. The list of examples is long (think Ariane 5, MPL, various F-22 crashes, Chinook ZD576, Osprey, etc).

Effective risk management is predicated on understanding that fact and designing systems to be fault tolerant. It's my understanding that most flight control software runs with redundant non-similar implementations which vote on the correct decision to try and handle spurious results. Why would you bother with that if there are no bugs?

Re:Go Amish?

So where do you get the bug-free hardware to run this bug-free software? And why don't they apply that same process to mechanical systems on the plane so that it's impossible for any component to fail? It's almost like the whole system you describe is imaginary.

Your stuff still has bugs and failures. It just has out-of-band verification and mitigation where those failures are important. And even those are sometimes not sufficient -- and we accept that risk.

The only thing we can do is understand the failure modes, bound and quantify the risks, and design the overall system to produce an acceptable amount of risk. That's engineering, be it software, bridges, planes or anything else. What you're suggesting is perfection, which is not only generally believed to be impossible, but often detrimental to even attempt.

Re:Go Amish?

Most key-fob systems poll periodically during operation as part of the theft deterrence system, in addition to the startup interaction.

Re:Go Amish?

[jrumney]

Once upon a time ABS was an exotic tech used only on aircraft. I was impressed when they became a car option.

In other words, ABS software (and hardware) was very expensive to develop, and only the development budgets of airliners was large enough to cover its development. Once developed, the companies that developed it realized that adapting it for automotive use would be within the budget of luxury car makers, and once it was working there, it became very cheap to adapt for standard cars, as the differences are very minor (in fact it is basically a case of the luxury car makers funding continued improvements, and standard cars getting the previous generation that already has its development paid for).

Re:Go Amish?

If you want your cars to be as expensive as a 747, then you can attain that goal. I used to work in the automotive industry designing embedded software for engine management systems. At that time, no automotive company would pay more than $100 for the Engine Control Unit. Probably 60% of the code was written to manage failures (both software and hardware), and there were other electronic fail safe mechanisms. But you can't mitigate every possible failure event without introducing costs that would have made the unit orders of magnitude more expensive.

This is a spurious argument. The 747 code might cost as much as the initial investment on the vehicle code, it has a hell of a lot more volume to soak that cost against and a failure there should be treated even more drastically than one in aeronautics since the risk for loss of life is even higher with that sort of volume. (600k units a year vs 20k units EVER.)

Re:Go Amish?

[jnana]

People can't reliably handle all the driving situations that arise. The actual target for driverless cars should be something more like handling situations that arise at the 95th percentile compared to human beings. When they are as good as the very best human drivers, that should be good enough, although at that point, it will probably not be too much longer until they're at the 99.999th percentile level.

Re:Go Amish?

[jafac]

doesn't really kill the power braking. I think that in a car the size of a prius, loss of power steering isn't a big deal either.

What happens to the brakes is the vacuum pump (or manifold vacuum) falls off, and the vacuum assist to the brake booster drops off. However, ALL brake boosters I'm familiar with, have enough vacuum in the reservoir for at least 3 brake pumps after vacuum is removed. I think this may be a NHSA regulation. Without brake booster, you still have hydraulic assist, AND a handbrake that is a mechanical linkage. Unless you're towing 5000 lbs, I have a hard time believing that brakes weren't strong enough.

UNLESS - the software failure somehow affected the antilock brakes and/or electronic stability control. But in my understanding, those solenoids would HAVE to be firing like crazy, and the driver would know something was up because that is loud. It would have been reported.

Re:Go Amish?

Oh, I know that trick! The extra hooks and power needed to run the test suite themselves introduce higher risks of bugs. The over-designed mess become completely impossible to trace through all the error conditions, especially due to modern "object oriented" programming where people are not even allowed to know how the other modules actually work.

Re: Go Amish?

Most cars of a few years ago have several ignition switch positions. My 2007 Ford Aerostar, 1992 and 2006 Dodge pickups, all have a Locked, Accessory, Run, and Start positions. If it's in Run mode, turning it to Accessory will kill the engine, but you can still listen to the radio and turn the steering wheel. If you accidentally turn the switch all the way to Locked, it WILL lock the steering column. This would be very easy to do because of muscle memory - usually you turn the engine off to leave the vehicle, so you are in the habit of turning it all the way off. BUT - the engine would be off, and your brake booster would have enough vacuum in it to give you good braking for at least one, or probably two stabs at the brakes. If it was me, I'd kill the engine and stand on the brakes as hard as I could!

Re: Go Amish?

Happened several times ?
You mean he took the car out a second time after seeing that happen ?

Re:Go Amish?

"There is a quite widespread belief that it can also engage the steering wheel lock, but AFAIK no one has been able to name a car where that happens so far."

The widespread belief is that turning off the ignition and removing the key, which is a reflexive action, will engage the steering wheel lock, which is true of every car with a column lock and mechanical key.

Re:Go Amish?

Aerospace industry or not, it's not like someone decided that the space shuttle's computer systems were not the underlying cause for the loss of Columbia, and then a jury decided otherwise.

Toyota's cars were crawled over by three government agencies for nearly a year, and they gave Toyota a clean bill of health (just to watch a jury overturn their findings).

Re:Go Amish?

"killing power steering and power braking."

Most brake assist systems use engine vacuum. If your engine is operating at wide open throttle, then you have no vacuum. However, diesels and the like will have an engine operated vacuum pump that will still be running. However there is a reason that you have a vacuum reservoir. Even if the engine cuts out, just apply the brakes with maximum force and (here's the important part), don't release any pressure until you have completely stopped, assistance will still be available.

You'll only have a problem if you pump the brakes, which will drain your vacuum reserve.

Re:Go Amish?

[ShakaUVM]

I used to drive an '84 Caprice Classic. When the accelerator cable got stuck, there was enough vacuum for exactly zero brakes.

Even riding the brake with both feet pushed firmly down, it still accelerated out of control around the campus loop.

Re:Go Amish?

power of the engine and allow coasting/override

Their is a big diffidence inn between "off", and "of". You sing the wrong won makes it herd two decipher you're wyrds. Eye had too read that phrase 3 times two make any cents out off it.

Re:Go Amish?

[zachie]

Given these kind of units are mass produced, I expect the margin your employer would earn on this $100 component to be much more related to the per-unit manufacturing cost than engineering costs. Formal verification of such a component can not be so costly that it can't be justified, once you spread such a cost over hundreds of thousands of units.

Re:Go Amish?

[Z00L00K]

Even the aircraft industry have bugs - but fewer. And if you see one, it's most likely a cosmetic one, like a pixel missing in a display or a symbol one pixel off, which only the most extreme geeks would notice.

Re:Go Amish?

[Z00L00K]

Killing the ignition does not mean that you kill steering or braking. Those are mechanical/hydraulical.

The steering lock only locks when you remove the key from the lock.

Re:Go Amish?

[sl149q]

Also the unit price of a 747 is high and there are not a lot of units to amortize development over.

There are a lot more BMW's built. The aggregate total sales for most popular car platforms can dwarf that of aviation. So the money is there.

Re:Go Amish?

Brake overheat is mentioned in my state's drivers' handbook.
Drivers are expected to know this simple fact and shift to N and brake. The driver involved didn't do that. And this is clearly a operator's error.

Re:Go Amish?

[umghhh]

yes and these people speak of software kuality hahahahahahaha

Re:Go Amish?

All your little shitty quality control is no match to the dangers you put your crews into. If spaceflights would only take off if the risk was lower than driving a buggy toyota then you would be out work. Obviously you never thought this risk thing through.

Re: Go Amish?

Every non trivial software has bugs. Even the Space Shuttle flight software, one of the prime example of high quality software, had some bugs.

Re:Go Amish?

[umghhh]

funny - I work in QA, mostly in telecom and I saw this conversion from let'em sweat (approx 20yo) to - ship if it compiles approach (last few years). All in the name of customer satisfaction of course.

I recall that old platforms on which we worked were so robust that new ways did not cause too much trouble. New platforms are so much better than it is enough to look at them and they break. I strongly believe however that this has nothing to do with the change of approach that we discuss here. And if it does than It must be that we skipped the human sacrifice part and people are frustrated trough lack of entertainment.

Re:Go Amish?

[EnglishDude]

My car has this push button start thingy - when the car is in motion, a quick jab at the button won't kill the engine, however if you push it and hold it for 3 seconds it will turn off the engine no matter the conditions. Not great in my opinion, I'd prefer instant kill, but it's there. I know, I've tested it. At least the clutch and brake pedals both are still mechanical.

Re:Go Amish?

[Kjella]

And they still won't be accident free, not if they're going to drive anything like humans do. If a pedestrain on the sidewalk suddenly decides to walk out into the road, there will almost certainly be an acccident. If someone comes running out from behind a tree or van or corner or doorway, there will almost certainly be an accident. If we're driving through an intersection and one of the people waiting to cross jumps into the road, there will be an accident. In short despite what the rules of the road say about having sufficient line of sight in practice we don't keep a low enough speed to prevent any and all accidents.

I'm not sure we're ready for "death by autonomous vehicle", even if we could prove that the computer drove at the posted limit, acted with superhuman reaction and applied full emergency brakes the moment that four year old came running out from behind the parked car. Take for example industrial robots, they work under extreme safety measures and even through I don't have a statistic to point to I'm absolutely positive that a lot more people have been killed in human-on-human industrial accidents than robot-on-human. We don't tend to tolerate robots with an accident rate, despite doing so with humans.

Re:Go Amish?

[Antique+Geekmeister]

> Long term acceleration on the highway? Nobody thought to just turn off the ignition switch? Turns off the fuel pump, care stops running, eventually you come to full stop

I know of at least one such case, http://www.theguardian.com/wor.... The car was modified for a disabled man, so it's not clear what the combination of controls he could manage was. But he wound up rocketing across France into Belgium, traveling over 100 MPH with quick acting police clearing traffic ahead of him.

Re:Go Amish?

At least, that's what you told the cop....

Re:Go Amish?

[Attila+Dimedici]

Actually on most cars where turning the key turns off the car, there is a point where you have turned off the engine but have not engaged the steering wheel lock. However, most people turn the key one stop further when they turn off the engine, because you have to in order to remove the key. They are probably unaware that they can turn off the engine without engaging the steering wheel lock.

Re:Go Amish?

[Grishnakh]

That's bullshit. 747s are expensive because the high cost of those avionics systems (among many other things) is only amortized over a tiny number of units. They don't make millions of 747s, they make dozens. Cars are made in huge volumes, plus components like ECUs and ABS controllers can be shared across many different models with few or no changes. These components absolutely should be made to aviation standards, by law (at least the software part should be; the hardware doesn't have to be quite as rugged since cars don't go to 60,000 feet and back several times a day). The cost will be insignificant to each car when they're making millions of them.

Re:Go Amish?

[Grishnakh]

Killing the ignition also means killing power steering and power braking.

No, it doesn't.

Yes, you do lose your power steering without the engine, IF you have hydraulic power steering. If you have a newer car with EPS (electric power steering), this may or may not be the case. I don't really know, but at least in the older cars I drive when you turn off the ignition you can turn the key back to "on" and all your electic power accessories will continue to work even though the engine is not running.

Anyway, it doesn't matter that much. The only time power steering is all that helpful is when you're driving at speeds under 10mph, i.e. in a parking lot. You don't need it at higher speeds. If you just need to pull over on a highway, you should be able to do that just fine without power steering.

For braking, you're completely wrong. Power brakes are driven by vacuum. So even if you kill the engine, you still have enough vacuum built up to apply the brakes once, which is all you need to bring it to a stop.

Re:Go Amish?

[drinkypoo]

But you can't mitigate every possible failure event without introducing costs that would have made the unit orders of magnitude more expensive.

That is precisely why every manufacturer shouldn't be making their own control system. Leave it to Bosch and Hitachi to make the control systems. Ford and Toyota want to be big boys and make their own computers. Look at the results. Fords disintegrate and Toyotas spontaneously accelerate.

Re:Go Amish?

[drinkypoo]

And they still won't be accident free, not if they're going to drive anything like humans do.

As a passenger, do you want someone to drive like you normally drive? Well, you must be a very boring driver, then. Safe, but boring. Me, I like to feel the road a bit, but passengers don't like that so much. Most of 'em anyway.

If someone comes running out from behind a tree or van or corner or doorway, there will almost certainly be an accident.

Yes, if someone tries to throw themself beneath your wheels it will still be possible to have an accident. But a self-driving car will obey posted speed limits and avoid excessive acceleration (see prior point) and thus this will be less of an issue. Also, the car can have thermal vision and be much better at sussing those situations than are you.

Re:Go Amish?

But you can't mitigate every possible failure event without introducing costs that would have made the unit orders of magnitude more expensive.

Holy Crap O_o !
Then you shouldn't be putting the damn thing in the car. If it is too expensive to get right, then cutting costs and putting in potentially defective parts is NOT a solution when peoples lives are on the line. If it is too expensive to add fully tested and safe electronics don't add them!

Feasability is both an economic and technical term.
Engineers/Managers/CEO's who think otherwise should lose their jobs.

Re:Go Amish?

If you want your cars to be as expensive as a 747, then you can attain that goal. I used to work in the automotive industry designing embedded software for engine management systems. At that time, no automotive company would pay more than $100 for the Engine Control Unit. Probably 60% of the code was written to manage failures (both software and hardware), and there were other electronic fail safe mechanisms. But you can't mitigate every possible failure event without introducing costs that would have made the unit orders of magnitude more expensive.

Open Source project? After all, GM and Ford are working together to build 8 speed automatic transmission

Re:Go Amish?

In a car like the Prius, practically the whole car is under computer control. The brakes have a regenerative mode, so it's possible that even that might not respond as you expect. The transmission may have a neutral position, but it's also under compter control.

And even if you cut out the ignition or fuel, you still have an electric motor capable of delivering 80 ft-lbs of torque at 0 rpm!

dom

Re:Go Amish?

[R3d+Jack]

Short of expecting "perfect" code, I completely agree. Code reviews that specifically inspected for buffer over-runs would have detected this flaw. Beyond that, the code should be written in a language that provides some protection, not assembler or whatever. Poor code that can kill people is unacceptable, especially when the flaw should be evident upon inspection.

Re:Go Amish?

[geoskd]

Coming from the aerospace industry, you cannot have software that has bugs. And if there was the possibility of a software bug, you have to prove that you can mitigate the effect in hardware.

For an industry that claimed such high standards, they did a remarkable job of missing the semi obvious effects of mechanical failures. Funny, but some of their engineers even went so far as to tell them that their mechanical systems had possibly failed and or were likely to fail. Long story short, they should have paid a little less attention to proving their software was perfect, and a little more attnention to proving their hardware wouldn't suddenly explode, and/or fall off for no good goram reason.

If the safety of your system relies solely on software functioning perfectly, then you haven't done a very good job of thinking through your system design. Its right up there with routing all three redundant hydraulic system through the same area and stating that you're all good because you have redundancy. It completely ignores the problems arising from mechanical failures that are the result of an area effect. Instead of three redundant systems, two with armor would be more effective at covering all of the various failure modes.

Re:Go Amish?

I don't know if you're an engineer or software developer, but 95th percentile and 99.999th percentile are world's apart in any human discipline where a large number of humans have the skill. Google and others so far have been following the Pareto principle. The last 20% will be excruciatingly hard.

Oh, and since driverless cars involve non-safety tradeoffs such as freedom, 95th percentile is nowhere near a high enough objective. For mandatory driverless cars, there might not be any threshold high enough.

Re:Go Amish?

Water's wet.

Skies are blue.

Accidents happen.
They can kill you.

Burma Shave

Re:Go Amish?

[ultranova]

Seriously, software has bugs. Mecanical throttle linkages can stick, too. Life has risks.

Life has risks. That in no way justifies bad workmanship on a vital item. And if enough people try to use such an excuse, the end result will be regulation.

Re:Go Amish?

[Dare+nMc]

It is wrong to claim a 747's software being bug free. More so the complicated parts have at least 3 independent systems, and mechanisms to switch them, and highly trained operators trained to react to any bug. I am guessing the FMEA for the Toyota was more, if the throttle sticks, the operator will shift to park, or stop the car with the brakes, which are more powerful than the engine. That the driver would drag the brakes until they burn up... I do think more automotive standards need to be put in place for drive by wire, but requiring the same level of redundancy for a 4 passenger car as for a 400 passenger plane isn't one of them. It seams obvious (in retrospect) that electronic throttle should have it's own dedicated cpu, and thus a simple control logic (it could be integrated into a shared ECM case, and comms link, but not a shared cpu.) But I am not sure we would need 3 separate ECM's... Also I would like to see more fact based required driver re-education, we got people who either haven't been taught how to drive since carburetors and no ABS, or are being taught by people who teach the same way they were taught. Not the car most are actually driving.

Re:Go Amish?

"How can users protect themselves from sometimes life endangering software bugs?"

My car has a fail-safe mechanical interlock to separate the engine from the drive wheels.

It's called a clutch - you should have one on your car.

Re: Go Amish?

[toddestan]

Most any modern car with an automatic transmission that still uses a physical key has an interlock where the key cannot be turned all the way to off or locked if the transmission is not in park. This also means that the key cannot be removed unless the transmission is in park. Granted, on a car with a computer-controlled transmission, you might be able to put the gearshift in park while moving at speed (since the car is moving the computer won't engage the parking cowl) and remove the key which will engage the steering lock while the car is still moving.

Manual transmission cars handle things differently. Some have a button next to the key that acts similar to the transmission interlock in the sense that you must push the button to allow the key to to be moved to off/lock and be removed. On a car like this, you could engage the steering lock (and remove the key) while the car is in motion by pushing the button, and since the whole push-the-button-to-turn-the-car-off motion becomes part of your muscle memory after a while, it's possible in a panic situation that you might engage the steering lock unintentionally (though in a manual I would hope that most people would simply push the clutch or put the car in neutral first). Some cars, such as some Saab models had a better system where the transmission must be in reverse to lock the steering and remove the key.

Re:Go Amish?

[toddestan]

Even then it may not stop the car. Some of them just set off the alarm but don't kill the engine.

Re:Go Amish?

There is the interesting addendum to your analogy that 'if cars mostly drove themselves'. Modern aircraft are so safe, even in failure situations, because they can deal with a multitude of problems faster than a pilot can. Pilots nowadays are there to essentially make moral decisions and judgement calls that the computer cannot.

Re:Go Amish?

There's a simple, cheap solution here. It's been used by industrial machinery for many years, to good effect:

An e-stop switch - a big red button which, when pressed, kills power to all motors and such.
In a car, it would work the same way, and be easier to deal with in a crisis than trying to remember to turn the key back towards you a click or two.

Sure, you lose some useful features like power steering and brakes, but that's the point of having mechanical fallbacks for these things.

-Rob

Re:Go Amish?

[amorsen]

if you push it and hold it for 3 seconds it will turn off the engine no matter the conditions.

It is possible that they have implemented the three second delay in hardware, but it seems rather unlikely. I bet the button is handled completely in software.

Re:Go Amish?

[AK+Marc]

Which do that? For the Mercedes system, it stops the car and alerts you (the one that's actually in production). Perhaps you are selectively thinking about some prototype systems still in development, but then why select just the ones you like least and assert them to be the usual case? Seems like Ludditism to me.

Re:Go Amish?

[AK+Marc]

There must be a bunch of poor coders on slashdot. Piles of people constantly defend the idea that there can *never* be useful software without bugs. It always sounds more like excuses than proof.

Re: Go Amish?

[AK+Marc]

Your car, your year (presuming you have a key-based ignition and an '80s or newer car). Try it, go turn your car on. Turn the wheel. Turn the key to ignition position "off" (your words) - not standby - "off". Turn the wheel.

Let us know how that goes. Also, if you come back with the "I really meant "standby" or accessory", note that most people in such a panic situation would turn the car off forcefully and in a panic mode, and end up in the "off" position.

We'll be waiting, let us know how it worked in your car.

I've not driven many past 2000, but before that, I've never been in a "modern" car that didn't lock the steering when "off". Well, unless you go back really far. My '67 Bug didn't lock the steering.

Re:Go Amish?

industrial robots have already killed people. go look it up.

Re: Go Amish?

[dunkelfalke]

1993 Opel Astra. Locks only when the key is out.
2004 Audi A3. Locks only when the key is out.
2012 VW Golf. Locks only when the key is out.

I seldom drive, but I remember that much.

Re:Go Amish?

[canadian_right]

The average driver isn't that good, and the computer driven car only has to be better than how people drive. In the USA about 30,000 people die each year in car accidents, and many more are injured. I'm betting driver error was the cause of 90% of these accidents.

Computer driven cars are going to save lives, reduce congestion, and save money.

Re:Go Amish?

[rpstrong]

My old Volvo 240 ('85?) had some kind of electrical glitch. While diagnosing it, I had a situation at one point where I started the car, only to have the starter remain engaged and smoke pouring out of the engine compartment. Turning the key off had no effect; I had to tear off one of the battery leads (fortunately, it wasn't tightened down) in order to stop the engine.

[I then heard a drip, drip, drip sound from near the alternator - 'twas the insulation melting off the wiring harness].

I don't recall if I ever tracked down the particular cause. I assume it was a short, but the wires relating to the charging system were too badly damaged to diagnose. The problem didn't recur after I replaced said wires.

The point is that virtually any system can fail.

Re:Go Amish?

[Copid]

I'll go so far as to say the bug is probably real (looking at the analysis raises some serious questions), but I'll also guess that most of the people reporting it are actaully reporting human error that produces the same result. IIRC, when this was starting to make the news, somebody did a histogram of the ages of the people involved and noticed that it looked nothing like the distribution of the ages of owners of that paritcular car. Lots of elderly folks. So either the software bug recognizes old people, old people have a driving style that triggers it, old people are more likely to report the problem than ignore it, or a lot of those people screwed up and didn't realize it.

Re:Go Amish?

Firstly, please know I'm not attacking "amorsen" - really. If anything I'm attacking "popular misconceptions" (which is my biggest frustration with American culture).

Killing the ignition also means killing power steering and power braking.

AFAIK, and as far as I've learned from direct experimentation, this is 100% incorrect. Try it. You will find that the engine will be driven by the momentum of the vehicle coupled through the wheels, axles, gears, transmission, and torque converter.

Besides, power brake systems are required to have residual assist (vacuum reserve, fluid pressure reservoir, etc.) even if the engine stops turning. If you have power assist brakes, please try it. Shut off your car and press the brake pedal several times. You should find you can do it easily 3 or 4 times before the power assist drops off and it becomes (quite) difficult. If the first pedal press is difficult, please take it to a shop immediately.

Power steering loss is a non-issue. The difference is nil when the car is in motion. Anyone who can't handle it should not be driving.

To obtain a pilot's license, one of the many tests you have to pass is to land with power cut (engine idling.) If I were in charge, nobody would have an automobile license until they can properly handle serious mechanical malfunctions (as much as can be done), such as stuck throttle, engine shutdown, etc.

I'm a BSEE sw and hw engineer, auto enthusiast and tinkerer (sometimes hot rodder), and I refuse to ever own a car with electronic throttle even if I designed and coded the system (and I might do that soon). A mechanical throttle is FAR more reliable.

Re:Go Amish?

[ed1park]

The automotive industry will pay in the end. Look at the damaged reputation, recall and legal costs. Might as well do it right in the beginning.

Re:Go Amish?

[ed1park]

Allow the software "engineers" and corporate managers that are responsible for deploying these systems to suffer real damages criminal/civil penalties that are responsible for these bugs. If people die due to bug-ridden and faulty software, those responsible should be help accountable. They do the same for real engineers.

Motivate people properly, and you will see a difference.

Re: Go Amish?

[ultranova]

he was sitting at a stop sign with his foot in the brake when the engine revved. it was NOT the floor mat.

It can still be a mechanical failure, rather than a software one. For example, you could get a short circuit in whatever sensor reads the accelerator position. "Floor mat" makes for a convenient shorthand for all such possible problems.

Re:Go Amish?

I had a stuck accelerator once on a Toyota Tacoma. Thankfully traffic was light enough I had room to work things out. Shifting into neutral solved the acceleration issue and the rev limiter kept the engine from self destructing long enough for me to pull over and kill the ignition.

Re: Go Amish?

[AK+Marc]

I've never heard of any American car with the behavior mentioned, nor Japanese. The only German car I've owned was a modified 911, and a previous owner defeated the steering lock completely, as well as the clutch interlock, so hardly representative. Given every car you've listed is European, it doesn't necessarily apply to the US. Have you tried a 2004 Audi A3 in the US? I've tried an (older) Golf in the US, and it locks when "off" and the key is in.

Re: Go Amish?

[amorsen]

Your car, your year (presuming you have a key-based ignition and an '80s or newer car).

No. I have not owned a car who did that. But I live in Europe as you say in a later post.

Re:Go Amish?

lol. The programming practices I've seen from the aerospace industry are terrifying, what are you talking about?

Re:Go Amish?

[amorsen]

Driving without power steering and power braking is not a problem. You just need to apply more force and not panic about the controls not responding the way they usually do. However, in many cars power steering does not completely shut off at least at city speeds. Most modern cars are heavy and steering wheels are generally smaller today than they used to be. Therefore the difference is not nil, even though the car is still drivable with the power steering turned off.

I was not aware that the vacuum would replenish if the ignition was off; I assumed that there would be no intake vacuum to work with. Now that I think about it, it is obvious that the engine still needs to take air in even when no fuel is injected.

Re:Go Amish?

[amorsen]

Killing the ignition does not mean that you kill steering or braking. Those are mechanical/hydraulical.

Notice the word "power" that I had included twice but you did not. I was wrong about power braking, as long as the car is still in gear, but you definitely lose power steering with the ignition off. You can still steer, you just need to pull harder.

The steering lock only locks when you remove the key from the lock.

Which is what I wrote.

Re: Go Amish?

[dunkelfalke]

Never been to USA. All cars I've driven were made in and for Germany.

Re:Go Amish?

[romons]

If someone comes running out from behind a tree or van or corner or doorway, there will almost certainly be an accident.

Yes, if someone tries to throw themself beneath your wheels it will still be possible to have an accident. But a self-driving car will obey posted speed limits and avoid excessive acceleration (see prior point) and thus this will be less of an issue. Also, the car can have thermal vision and be much better at sussing those situations than are you.

Sure. The car will be able to predict, with reasonable certainty, whether it is safe to zoom by a van at 30 mph. I'm the sort of driver who, when I can't see around something, will slow down to a speed where I can stop if somebody runs out, since this happens all the time. I'm sure autonomous cars will be able to do this.

I saw an ad suggesting that the new braking software on high end cars predicts when the guy in front of the guy in front of you will slam on his brakes. Not sure what the limits of that are, but if they are really doing that, they are already better than I am.

The real win with autonomous cars, however, will be with older drivers, who are unwilling or unable to give up driving, and with drunks, who cause something like 1/2 of all fatal accidents. Compromised or sleepy drivers. If your car can get you home when you are shit faced, the technology will have won, and soon it will be like seatbelts, required on all vehicles. I can't wait.

Re:Go Amish?

[romons]

Yes. I had a 2005 prius, one of the floor mat hooks broke almost immediately, and the remaining one would unhook regularly when I pushed on the mat to get out of the vehicle. When the mat was unhooked, it got pushed up under the pedals unless I was very careful. The dealership gave out free hooks if you asked for them.

Re:Go Amish?

[Brianwa]

Cars did have this a long time ago. School buses had it up through the 90's at least, and firetrucks will probably always have a kill switch due to the potential of taking in combustible stuff through the intake.

Honestly I'm fine with using a key, it's good UI design to have an e-stop system that the user can operate without doing anything special or unusual. The only real danger is how easy it is to accidentally engage the steering column lock at the same time (or overly aggressive anti-theft systems that kick in and leave you dead in the water with no exterior lights...)

However I really don't like the new keyless systems, if I hit something and there are flames pouring out of the engine compartment and I can't get out, I'd much rather physically cut power to the fuel pump (and disable HV on a hybrid) than hold down a button I've never used before for a few seconds to send a request to a likely damaged controller to pretty please start the shutdown sequence.

Re:Go Amish?

[Brianwa]

There is generally a one-way valve that maintains brake booster vacuum when the throttle is open, but it's something that can fail and you won't notice it until you need it. It's worse when it happens in a turbo'd car, the turbo spools up and you find yourself with a rock solid brake pedal that stays that way for a few seconds even if you turn the engine off

Re:Go Amish?

[q4Fry]

Yes, if someone tries to throw themself beneath your wheels it will still be possible to have an accident.

Reading your comment makes me think of those dashcam compilations of morons doing just that, presumably for insurance payout.

If they start to think that a rich automaker might be on the hook for insurance settlement, would that make them more or less inclined to try?

Re:Go Amish?

[Mashdar]

Then you've never done anything mission critical and interesting simultaneously ;)

Fault tolerance is a much studied field. Software faults exist with some probability no matter how much work you do.

Re:Go Amish?

[ceoyoyo]

An aerospace software engineer will know how to prove correctness. I wouldn't be surprised if the average software developer today didn't know you could do that, never mind knowing how. It's a huge pain in the ass to do for even simple programs. It makes sense if your code is running the flaps on an airplane. Not so much if it's showing vacation pictures to your friends.

Re:Go Amish?

[ceoyoyo]

Most people know about that stop because that's how you listen to the radio while you're waiting for your wife/girlfriend/whatever to finish shopping.

Re:Go Amish?

[russotto]

You can prove a program correct, but it's an exercise in academic wankery; it's at least as difficult and error-prone to prove a program correct as it is to write it in the first place.

Re:Go Amish?

[Grishnakh]

We can't have driver ed in this country; it's against the philosophy people here have. My driver test, for instance, consisted of three right turns (from parking lot in the corner of two streets into a street, right turn onto next street, right again back into the parking lot), and then parking. That's it. There is no serious driver training or testing in this country, and there never will be.

Cars need to be engineered to be absolutely fault-tolerant and reliable, and yes, that means the same redundancy in a 4 passenger car as for a 400 passenger plane. There's many orders of magnitude more cars built than planes, so the costs will be miniscule. We already require every new car to have tire pressure monitoring, traction control, and yaw control, plus multiple airbags. If we can afford all that complexity, we can afford a couple extra sensors and some more rigorous testing (and DO178 coding standards) on embedded computers.

Re:Go Amish?

[gzuckier]

indeed. a safeguard for "sticky throttle in software" can't be impossible. I note that if you so much as tap on the brake pedal, the cruise control on every car lets go of the throttle. How hard can it be to do the same for drive by wire, so that if you tap on the brake, it let's the actual throttle actuator relax (i.e. shut?) regardless of the state of the throttle pedal to actuator software? Yeah, that'll make heel and toe impossible, but something tells me these vehicles are pretty much automatics.

Re: Go Amish?

[AK+Marc]

There must be a conflicting regulation. There are many (lighting being a big one). In fact, thinking about the laser headlights, they'll probably save millions by not having to have separate lamps/reflectors for RHD vs LHD and LHD Europe vs LHD US. They may not save anything per lamp, but could save millions in parts, tooling, and such.

But in the US, I've never seen a car made since 1980 that didn't lock the steering when turned off, with the key still in the ignition. And yes, that includes German cars. Though I have never driven a Saab. They had always done the locks differently, but I didn't ever drive my friend's '87 900.

Re:Go Amish?

[swalve]

Software doesn't have to have bugs. There is no reason on god's green earth why an accelerator routine should ever be susceptible to something as stupid as a stack overflow. We should have higher expectations.

Re:Go Amish?

[swalve]

Since when can't you do anything to prevent bugs? How complicated does a throttle control have to be? Read the value from the pedal, send the value to the throttle. I would expect any high school student to be able to implement this in BASIC or LOGO.

Re:Go Amish?

[swalve]

I hardly think that it would take an actual competent developer more than a day to write code to the effect of "read pedal" "write throttle". It is half as complicated as a stupid joystick.

Re:Go Amish?

[swalve]

If you can't make the code to read a sensor and write to an actuator bug free, you should not be writing code for anything.

Re:Go Amish?

[LordLimecat]

That doesnt protect you from stack overflows in other parts of the code.... which is what this article is about.

Re: Go Amish?

...and the original bug actually was a bug.

Re:Go Amish?

[Vryl]

Has aerospace solved the halting problem then?

Re:Go Amish?

[ceoyoyo]

It's quite a bit more difficult, yes. If you do it properly, it's not necessarily more error-prone. It's not academic wankery - it has a place where software is both very simple and must perform correctly.

Re:Go Amish?

[mdielmann]

Just because a car has software that was as expensive to produce as a jet's doesn't mean it has to cost the consumer that much. Cost to develop is only one factor. The other factor is units sold. There have been about 1000 Boeing 757s built, ever (747s have almost broken 1500). In the same time span, there were about 3 million Priuses built. If they spent the same amount on Prius software as they spent on software for the 757, they could price it at 1:3000 the price Boeing charges for the same profit. The ratio would be 1:2000 for the 747.

Now, you might say the comparisons are a bit off. I'm sure it is. But even is you spread the cost over those 3 million ECU's, that still leaves $100 million towards development costs (half the price of a $60 ECU, the other half devoted towards the ECU hardware). Merely $50 million if they insisted on 100% profits on that module. I think that could have gone a fair ways towards stopping the occasional stack overflow.

Re:Go Amish?

Sorry for the delay- life happens. I quite agree with your statements. I'm in the USA, btw. Bigger, heavier older US cars were almost impossible to steer if power steering goes away. Ask me how I know. Ugh! Anyway, fortunately American cars are finally being engineered much better and some might actually be very good now.

Yes, as long as the engine is being "back-driven" and the throttle closed, it is just an air pump so the closed throttle will allow vacuum to form.

Plus, vacuum-assisted power brakes have a vacuum reservoir that should give you 3 or 4 pumps before vacuum is lost. If it doesn't, it's defective. People should know to test for this.

And just for the record and for anyone's interest - I have a 2001 Chevy Astro van that uses power steering hydraulic pressure, not vacuum, for the power brake assist. Not sure why they did that but it is a smaller unit and has a great pedal feel. It has a spring-piston fluid pressure reservoir to give you the 3 - 4 pumps if the engine stops turning. They used these on many vehicles including fairly large trucks.

Re:Go Amish?

[Cro+Magnon]

The fact that a speeding car uses the same emergency shutdown technique as my Windows laptop is just plain scary!

Re:Go Amish?

[sjames]

Agreed. The commercials all expect the start button to impress me. I'd like to stick with turning a key. Or at least a toggle switch wired to a relay that will actually interrupt power to the ignition and fuel pump.

Re:Go Amish?

[ShakaUVM]

I didn't get a ticket for it, and luckily I didn't hit anyone.

It was still a terrifying experience, though, as there were pedestrians everywhere.

It felt like the floor mat had ridden up on the accelerator, so I was trying to reach down to pull it off while it was accelerating out of control.

When that didn't work, I turned it off.

Re: Go Amish?

My 2007 Ford Aerostar...

Ford killed the Aerostar in the late 90s. I used to have one of the 4.0 liter AWD models, and the ignition switch did not function in the way you describe.

- T

Re:Go Amish?

[Agripa]

There is a quite widespread belief that it can also engage the steering wheel lock, but AFAIK no one has been able to name a car where that happens so far.

With a steering wheel lock integrated with the key on the steering column, turning the key to off to kill the engine but runs the risk of locking the steering.

Re: Go Amish?

[Agripa]

I remember very vividly doing this on my 1974 Pinto to test the vacuum assist and the steering wheel not only locked but the force on it made it difficult to return the key to the on position leading to a very exciting few seconds.

Re:Go Amish?

[ShakaUVM]

Yeah, the brakes were rock hard. After I turned off the car to get it under control, it took quite a while to drift to a stop, even with both feet on the brake pedal.

Re:Go Amish?

[rjstegbauer]

I understand your point that the code for a 747 or the ISS must be written to *avoid* catastrophic failures and will be much more expensive to design and develop. If a car manufacturer were to write all the code in its ECU like this, then no one would be able to afford a car. However, not all the subsystems in an ECU need to be written to this standard. The portions that control the engine performance and gas mileage don't. But all the fly by wire parts *do* need this level of care. As soon as the gas pedal and brakes are being completely controlled by software, then the manufacturer had better make sure that it fails safely.

That said, I'll be in the *second* wave of people buying robo-cars.

Peace,
Randy

Mandatory publication?

[Skinkie]

How would a mandatory publication of all code as open source [not suggesting liberal licensing here] work out here? Might converge at a collaborative initiative and will most likely be reviewed by all sort of people.

Re:Mandatory publication?

That doesn't always help. The software is still dependent on complicated wiring, connectors, and sensors. My brother was seriously hurt when the throttle stuck on his Harley that has fly by wire throttle. He high sided after turning the ignition off. Unfortunately he's left handed so he used that hand and wasn't depressing the clutch at the time. A rock hit the small box on the handlebars containing the sensor which made it unable to tell that he rotated the throttle back down so he kept accelerating. If you do a search for "tbw harley" you'll see thousands of complaints about failures, but not a one I have ever seen concerned the software.

Re:Mandatory publication?

[Demonantis]

That is a software failure. It isn't failing safe at all. A watchdog timer, of sorts, should be occurring that would detect a failed sensor assembly.

Re:Mandatory publication?

Wow, that was moderated to a +2? /. is really run by morons now. When it is not an error for the throttle position to not change, how is software going to help? No amount of software can magically make that happen. If it failed like several throttles I've seen that use Hall Effect non-contact sensors, the sensor didn't fail. The magnet was knocked loose from the rotary encoder so further changes in the throttle position were not detected. Hey fucking moron, the sensor didn't fail. There was nothing to detect. How is software going to detect something that didn't fail? To explain it with hardware that readers here are more familiar with, If you were old enough to have experience with mice with balls (speaking of which have your balls dropped yet?), then you would get the fucking concept instead of spouting nonsense like a moron. When the encoder wheels on mice break or stop spinning due to dirt, the optical pattern between the sensors doesn't change. The sensors were working fine.

Seriously, can we do something about the twelve year-olds that are ruining this site?

Re:Mandatory publication?

Was that post serious or a ridiculous joke? Could you please not post such things because someone here might believe what you posted.

Re:Mandatory publication?

How is a watchdog going to detect, for example, a higher than normal resistance because of corrosion if the reading is within the normal range? Also, if an arm breaks that connects the throttle to the sensor, how is the software going to differentiate that from the normal condition of an unchanging throttle position? Many of the older systems used linear potentiometers so dirt would often affect the reading. How are you going to detect that difference with software?

Seriously, start thinking things through before posting nonsense. Also, please moderators please start thinking before rewarding these type of stupid hit and run posts.

Re:Mandatory publication?

That is a software failure.

wat

Re:Mandatory publication?

[DerekLyons]

How would a mandatory publication of all code as open source [not suggesting liberal licensing here] work out here?

Not very well I suspect. To start with, the code is going to be tightly hardware bound - not only to that of the control unit it runs on, but to the vehicle it's installed on. So you're going a whole lot data than just the code to usefully evaluate the code for any but the most gross of errors. On top of that, this is a very specialized field, and again since the odds are the reviewer lacks the necessary background... you face the same issue.

Open source is neither a magic wand or a panacea.

Re:Mandatory publication?

[thegarbz]

a) statistical analysis showing that over time the system appears to be changing and alerting the user to get the sensor checked. Corrosion like this doesn't happen overnight, and even if it did it's trivial to pick up. This is basic process control right here.
b.1) When we do critical valve control we sense the torque required to move the arm. This gives us all sorts of indications of the life of the valve and also detects when some dodgy tech didn't do up the bolt properly and the positioning arm fell off. This should be trivial to adapt.
b.2) Every dynamic system has noise. If the arm breaks it's no longer a dynamic system. Changes in the system noise is how the process control world detects things like plugged pipes going to pressure gauges, no need to guess if the pressure is not changing because it's steady or because the pipe is plugged.
c) What does old technology have to do with developing new?

Maybe consider that a lot of these problem have been solved about 20 years ago when controlling critical processes. Just because you can't wrap your head around them doesn't mean another person should be barred from getting mod points, it means you should.

Re:Mandatory publication?

[Grishnakh]

If the problem is that a sensor can fail with catastrophic results, the simple answer is to add redundancy: add a second sensor, and if the two disagree, shut down. Or add a third and use a voting algorithm.

Re:Mandatory publication?

[Grishnakh]

Easy: you add redundant sensors and compare the results.

Re:Mandatory publication?

[AK+Marc]

I've never ridden a Harley, I prefer cheaper, faster and more comfortable bikes, but every bike I have ridden has a kill switch reachable by the right thumb. Letting go to turn off the bike is a rider error. Pull the clutch and coast down with a loud engine is better than panicking the way your brother did. Hell, putting the kick stand down would have killed the engine (no, you don't have to get it far before it kills the engine, so it wouldn't cause a control issue unless he was in a tight left turn when he tried).

He wasn't hurt from his throttle sticking, he was hurt from his reaction to it. He sounds like he shouldn't be riding anyway. Why is it when mechanical failure occurs, people are so afraid to let the engines rev high?

Re:Mandatory publication?

[Demonantis]

I am sorry very sorry that I only mentioned a small aspect of safety design. I really wasn't interested in writing an whole article in the comments about it. Yes failing safe it is much more complex than I made it sound, but you can implement some of it in the software.

Re:Mandatory publication?

[ultranova]

Changes in the system noise is how the process control world detects things like plugged pipes going to pressure gauges, no need to guess if the pressure is not changing because it's steady or because the pipe is plugged.

I work in process control and no, it doesn't. The problem is that the pressure sensor, the transmitter and the receiver all introduce noise themselves. A sensor that physically exists always sends "dynamic" data, and it's unlikely that being subjected to the far rougher conditions in a car helps matters.

How it actually works is that we have multiple sensors and if they disagree, there is a problem. But of course that costs money, so it's only done to critical systems. Apparently customer's biological functions don't count as those to car manufacturers.

Re:Mandatory publication?

I just love self-righteous assholes who don't have enough experience to know they're fucktards, but they keep running their mouths anyway. He crashed on the entrance ramp between I-90 and I-5 in Seattle. There's a tight turn, a lot of traffic, and no emergency lane between traffic and a concrete wall. But hey, don't let not knowing what the fuck you're talking about stop you. I know in real life you trolls don't act this way because someone would have taught you a lesson. Instead, you come here and constantly tell everyone else to fuck themselves. If /. had real moderation, you would have been banned after your second post. I hope you and the rest of your twatnozzle posters get cancer so you'll finally stop posting.

Re:Mandatory publication?

[thegarbz]

Sensors introduce noise, yes, that's why I said "changes", that's the key word right there. If you take a single measurement in time you're not going to know anything. Yet if you can explain characteristically how your process changes over time (i.e. trends slowly but has high noise) you can then draw conclusions if you see sudden movements or a change in noise.

If you think it doesn't work like you better call up Emerson, Yokogawa, ABB, etc and let them know the HART alarm for blocked impulse lines doesn't work and they've been doing it wrong for 20 years. (I can tell you as an Instrument engineer working in Reliability it does work, and it works really well). Have a read on the many whitepapers on the issue. Emerson's papers on the 3051S are quite good as they describe via flowchart the process by which the software determines if the result is a plugged impulse line or a change in process conditions.

Mind you we have had a false alarm by this before, and we were hell thankful for it because the change in noise wasn't caused by plugging, but rather cavitation of an upstream pump that went initially unnoticed.

Re:Mandatory publication?

[AK+Marc]

So keeping his hands on his handlebars would have been much less safe? Do you even know how to ride? Or are you just an angry idiot?

How can drivers protect themselves....

[mevets]

One way would be to insist that automakers do not nickel and dime design vehicles. The critical components related to vehicle safety should be designed for safety first, cost second.

These vehicles go for over $20 000, I should at least have the option to pay an extra $1000 to chuck the electronic crap.

Re:How can drivers protect themselves....

I should at least have the option to pay an extra $1000 to chuck the electronic crap.

Won't happen.
All of the new electronic stuff is required for emissions and fuel efficiency. Taking it out means the manufacturer has to submit that version for testing as well, which it won't pass.

Re:How can drivers protect themselves....

[Anonymous+Psychopath]

One way would be to insist that automakers do not nickel and dime design vehicles. The critical components related to vehicle safety should be designed for safety first, cost second.

These vehicles go for over $20 000, I should at least have the option to pay an extra $1000 to chuck the electronic crap.

The electronics are very deeply embedded. Not sure how you're gonna dump them when there's no physical cable connecting your throttle to your engine. Impossible in the case of EVs or hybrids.

Also although the article does a decent job of showing that a stack overflow is possible and might result in unexpected behavior, what's needed is a simulated failure scenario to see if that's what actually happens.

Re:How can drivers protect themselves....

[fluffy99]

Also although the article does a decent job of showing that a stack overflow is possible and might result in unexpected behavior, what's needed is a simulated failure scenario to see if that's what actually happens.

That's what he did. He showed several methods where a key task could get corrupted and killed, why it wouldn't be detected, and the results of that death. He also deliberately killed the tasks and demonstrated that it results in a loss of control of throttle.

Re:How can drivers protect themselves....

[ebno-10db]

All of the new electronic stuff is required for emissions and fuel efficiency.

You don't need things like throttles without a mechanical connection for that. The emissions and fuel efficiency is handled by the engine and transmission controllers. You might need to automatically move the throttle plate a little for idle, but that's about it. They were doing stuff like that long before some genius had the idea of getting rid of the throttle cable.

Re:How can drivers protect themselves....

[Waffle+Iron]

These vehicles go for over $20 000, I should at least have the option to pay an extra $1000 to chuck the electronic crap.

A few dozen episodes of sudden acceleration, resulting in a handful of deaths, gets headlines.

Meanwhile, nobody pays any attention to the fact that all that "electronic crap" has probably saved hundreds of thousands of lives over the past few decades.

Re:How can drivers protect themselves....

[Charliemopps]

The electronics are very deeply embedded. Not sure how you're gonna dump them when there's no physical cable connecting your throttle to your engine.

It's not that hard if you're handy. I've done it, as has anyone else that's into off-road stuff. All those safety systems are great on the highway but make driving over a bolder impossible. The real trick is being able to turn them off and on again.

Impossible in the case of EVs or hybrids.

Total bullshit. The first electric cars were made in the 1800's, how many computers did they have on-board?

Re:How can drivers protect themselves....

[Grishnakh]

Throttle-by-wire is necessary for traction control, which is a standard feature these days (maybe required by law, I'm not sure).

Re:How can drivers protect themselves....

[drinkypoo]

These vehicles go for over $20 000, I should at least have the option to pay an extra $1000 to chuck the electronic crap.

It is probably impossible to meet smog test standards without the electronic crap. It is impossible to meet the federal yaw control requirement without the electronic crap. Build a bridge, and get over it, or move to another country. I think you know the folly of trying to vote against progress.

Re:How can drivers protect themselves....

[drinkypoo]

Throttle-by-wire is necessary for traction control, which is a standard feature these days (maybe required by law, I'm not sure).

Traction control and yaw control are required on all new passenger vehicles sold in the USA. But neither requires throttle-by-wire. They only require fuel reduction-by-wire, which can actually be accomplished even with carburetors, coupled with ABS. So you're going to need a computer in the loop somewhere, but it doesn't need the ability to control the throttle butterfly. And if you want to be able to close off the intake partially to control intake air, then you use a secondary butterfly (or other valve) in the intake manifold.

Re:How can drivers protect themselves....

[Dare+nMc]

If you want to meet emissions while reducing fuel flow, you will need electronic control of throttle. More the thing is, it is much safer and less complicated to do throttle by wire than a secondary path. Just because one manufacture screwed up throttle by wire doesn't prove that mechanical is safer. Especially since most cars have cruise control. So it truly is much less complicated to have one stepper motor and throttle by wire, than, for example, what my 91 mustang had. It had 3 cables, connected to springs, and a stepper motor for cruise control, then a solenoid controlling a vacuum operated idle control valve (and I still haven't covered the EGR part). Then you have a mass flow meter determining how much flow is going through all of that crap to determine fuel flow, spark advance. Then using Vacuum to determine the throttle position to shift the transmission (however I did remove the auto for a manual.)
Compare that to my current 2006 electronic throttle Diesel, it has a throttle position sensor that it reads to determine how much fuel to inject (and a mag pickup to determine when ton inject.) Done.

Re:How can drivers protect themselves....

[drinkypoo]

Compare that to my current 2006 electronic throttle Diesel, it has a throttle position sensor that it reads to determine how much fuel to inject (and a mag pickup to determine when ton inject.) Done.

they're not directly comparable, because diesels don't require an intake butterfly (though some do have intake restriction technologies for one reason or another.)

Re:How can drivers protect themselves....

[Dare+nMc]

True, but even if you compare that 1991 to a 2001 mustang, they took away all that crap load of cables, and went to a throttle position sensor. Both still have a single stepper motor, granted it is a much quicker stepper motor than was needed for cruise control. If your going to run a car with cruse control, software can still apply the throttle, you might as well have the simpler system without all the cables. I am putting that 91 motor in a kit car currently, and am debating about going to a mega-squirt ECM and switching to the 01 pedal/throttle valve just in case I decide I want cruise someday.

Re:How can drivers protect themselves....

[AK+Marc]

They were doing stuff like that long before some genius had the idea of getting rid of the throttle cable.

Yeah, the more modern throttle-cable systems were essentially throttle by wire with a placebo for those that liked to see a throttle cable. The guy that got rid of the throttle cable saved money and weight, but didn't change the operation of the car. I'm sure someone could put a spring-loaded cable in your car, if you liked.

Re:How can drivers protect themselves....

[canadian_right]

..that electronic crap...

Well, I haven't seen such a proud display of ignorance for quite some time. Modern cars are so much more reliable, powerful, fuel efficient and safe due to all that "electronic crap". Fuel, injection, engine timing, gear shifts. etc... are all control electronically on most new cars. You can make an automatic transmission a lot smarter if you have software determining shifts instead of fluid pressure.

Re:How can drivers protect themselves....

[ceoyoyo]

I would be surprised if electronic throttle control isn't considerably safer than mechanical. Having the mechanical throttle actuator freeze wasn't uncommon where I lived a few years ago. You hoped it froze closed, but that wasn't always the case. I've never heard of anyone I know having a problem with an electronic throttle; only a few reports worldwide on the Internet.

Re:How can drivers protect themselves....

[Anonymous+Psychopath]

The electronics are very deeply embedded. Not sure how you're gonna dump them when there's no physical cable connecting your throttle to your engine.

It's not that hard if you're handy. I've done it, as has anyone else that's into off-road stuff. All those safety systems are great on the highway but make driving over a bolder impossible. The real trick is being able to turn them off and on again.

Impossible in the case of EVs or hybrids.

Total bullshit. The first electric cars were made in the 1800's, how many computers did they have on-board?

Tell you what, you go get one of those 1800's electric cars and drive it at highway speeds for a couple hundred miles without any electronics. Then come back here and tell me how full of shit I am.

stackoverflow.com

[tdoshea90]

i thought this post was going to be about the website lol

I know what users could do!

At least in this case switch the car into that little N looking thing on their shifter. Sadly a good portion of the population does not know what that N means.

Re:I know what users could do!

[Nighttime]

A lot of gearboxes on modern cars are "fly-by-wire", so selecting N may not work. How about some way to mechanically disengage the engine from the driving wheels? You could make it foot-operated and install it to the left of the brake pedal.

Re:I know what users could do!

[bobbied]

Even easier is to just TURN IT OFF using the key and get on the breaks. Trust me, the car WILL stop running and come to a full stop fairly quick. Don't worry when the key won't come out, the steering wheel will work with a bit of effort, just turn the key as far as you can. Coast to a safe place, stop, put the car in park and remove the key. THEN check your floor mats.... If you see nothing wrong, start the car and if everything is normal again, continue on your way.

What do they teach people in drivers education these days..

Re:I know what users could do!

[CodeArtisan]

Even easier is to just TURN IT OFF using the key and get on the breaks. Trust me, the car WILL stop running and come to a full stop fairly quick.

Not if it's a diesel engine.

Re:I know what users could do!

[amorsen]

Modern cars have nothing to turn. They just have a software-controlled button.

Re:I know what users could do!

[ebno-10db]

Are you sure? Diesels have electronic controls these days. Even before that, how did you shut them off normally?

Re:I know what users could do!

[sjames]

What key? These days it's a button, and the 'key' works by proximity.

Re:I know what users could do!

As they say, them's the breaks! But that pedal in a car, that's a BRAKE. Moron.

Re:I know what users could do!

[AaronW]

I remember my parent's '86 Mercedes 300SD when a vacuum line broke. It would not shut off since the injector was mechanical until my father fixed the vacuum leak.

Re:I know what users could do!

[GrahamCox]

One problem caused by this fault is that if the throttle gets stuck in the open position (the exact amount is redacted from the public record, but it looks to be >30%), then the vacuum assist to the brakes is greatly reduced (after all, normally the throttle closes when you move your foot to the brake pedal, so you get full vacuum assist). The upshot is that the driver would need to apply far more pedal pressure than they're used to to get full braking - combined with the fact that the engine is pulling hard it will feel like the brakes have simultaneously failed. Turning off the ignition might help with the acceleration, but not with replenishing the vacuum assistance.

There is a lot more to this than simple driver error. Read the court testimony, it's a real eye-opener and in fact a really great read: http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/

Re:I know what users could do!

[LiENUS]

What will it run on without fuel? Turning the key off will kill the fuel pump.

Re:I know what users could do!

[distilate]

Not if its an engine driven pump

Re:I know what users could do!

[kyrsjo]

On a small diesel engine I've worked on and used (marine yanmar 3 cylinder engine for a small sailboat), the way to kill it was to close a valve on the fuel line. This valve (installed on the engine itself) was connected to a wire which was connected to a T-handle in the cockpit. When you wanted to stop the engine, you put it to idle/neutral, pulled the handle, and when the engine stopped, switched off the power key on the engine control panel. If you where at sea and moving (under sail), you then pushed the throtle/transmission handle to reverse, in order to avoid "windmilling" of the propellor.

If you switched off the electronic key while it was running, nothing happened (except maybe blowing up some expensive charger electronics). The electronics where only for starter (with a handle supplied in case of emergencies... Never needed/dared to use it, as if the rusty disengagement mechanism failed you would have a 5kg handle spinning at ~1000 RPM, potentially making a huge hole in the bottom of the boat if it suddenly did disengage...), charging (cabin & running lights, "fridge", engine starter and nav/radio all ran on 12V), and sensors for basic warning systems (oil pressure+a few more). The machine itself was fully mechanical.

On a modern diesel car, I'm not shure exactly what happens when you switch off the "ignition" - but my best guess is (as someone here mentioned) that you stop the fuel pump. While I do drive a throtle-by-wire diesel car, it is equiped with a 3rd pedal which mechanically disengages the engine from the transmission, so it doesn't worry me too much...

Re:I know what users could do!

[Grishnakh]

If the power is off, the electric fuel pump will stop running. Even if the diesel isn't using electronic fuel injection (which means it's ancient), it still needs fuel to run.

Re:I know what users could do!

[Grishnakh]

Sounds like they should dump the old vacuum-assisted brakes and move to some type of electric assist, or perhaps just adding an electric vacuum pump rather than bleeding engine vacuum.

Re:I know what users could do!

Diesels are unlike a spark ignition engine, where turning off the spark (i.e. turning off the key) stops generating power, even though the engine is still sucking fuel and air. Spark ignition engines control output by restricting the flow of air (i.e. a throttle valve). You can also (on modern engines) stop injecting fuel (used for rev limiting, for instance)

In a diesel, there is no "throttle valve". The air flow is always there.. the gas pedal controls how much fuel gets injected on each stroke, and that determines engine output. Inject too much fuel for the amount of air, and you get black smoke from incomplete combustion. If the linkage to the injection pump (in a mechanical system) fails, and it keeps squirting fuel in, it will run forever..

Furthermore, because there's no throttle plate, you don't have the same way to slow down by taking your foot off the gas and downshifting and letting "compression" slow you down (i.e. engine braking).

See here to see a workaround called "jake brakes" (from Jacobs, the company that made them first)
http://en.wikipedia.org/wiki/Compression_release_engine_brake

What do you do on a diesel for emergency shutdown?
SO, on bigger diesels (6-71, for instance) there is a mechanical linkage to a door that cuts off the intake air. A big flap that just covers the intake to the supercharger. Note that if the vehicle is moving and in gear, that big roots blower makes a dandy vacuum pump, when driven.

There are stories about runaway trucks that triggered the emergency shutoff (while in gear), and it just sucked the door into the supercharger, ground it up and kept on going (well.. with lots of mechanical noises and probably reduced output).

Re:I know what users could do!

I'm pretty sure that all us-market diesel road-worthy vehicles use a start/stop electrical control.
Old mechanical diesels have a shutoff solenoid, new ones have a computer which has to provide signals to the injectors to keep firing.
  Yes, it may be possible to make the engine run away if things fail catastrophically - a turbo seal blowing and dumping enough oil into the engine to run it may do this,but that's not a software problem either.
And no matter what, you still have neutral.

-Rob

Re:I know what users could do!

[AK+Marc]

Is there any engine driven pump in a drive by wire car?

Re:I know what users could do!

[AK+Marc]

Are the cars in question vacuum assist? I remember the same arguments flying around back when Audi had issues.

Re:I know what users could do!

[geekdad]

Crappy software is a rampant with enough blame to cover all aspects of its production from the top to the bottom of the corporate management and engineering structure. Good software is hard to write. Good software is hard to design. Good software is time consuming to produce. Good software engineers are hard to find. Good software engineers are experienced. Good software engineers are expensive. Short schedules and low cost are in direct conflict with good software.

Re:I know what users could do!

My VW diesel had an electrical failure. The motor turns off by having a solenoid valve shut off the fuel supply. The engine would not shut off. I had to stall it out by gently pushing against a telephone pole. Gasoline engines need spark, so you turn off the electricity. In the old days, you shut down a diesel by turning a lever in the fuel line.

Re:I know what users could do!

I learned about 1 semester's worth of software design by reading the testimony. Highly recommended.

Re:I know what users could do!

[bobbied]

Turning off the ignition might help with the acceleration, but not with replenishing the vacuum assistance.

Breaks and steering both work reasonably well when the engine stops running. Breaking will function just fine until you exhaust the vacuum stored in the canister, you will be god for one or two full peddle depressions before there will be noticeable increase in stopping distance. Even then, stopping just takes a bit more pressure which in panic situation shouldn't be too much of an issue for just about anybody. So I'm not so ready to just let these lame brain drivers off the hook. Taking your food off the peddle will likely fix the problem (because you are on the wrong one) and if that doesn't work, turn off the car. You will stop.

full stop

Re:I know what users could do!

[bobbied]

Yea, I've seen such cars. Usually key-less cars are the exception and come at a premium so I'm guessing the owners of a Toyota are not usually going to have such options. But, in all cases there are TWO things you can do. 1. Turn it off (however the car is designed to accomplish this) and 2. put it in neutral. Both will cause the car to eventually stop. If you have the presence of mind and can accomplish either of the previous things, you can assist in the stopping of the car by doing one of two things.. 1. Depressing the break peddle or 2. Applying the emergency break.

Driving car 101 should teach this. Where is Driver's Education these days?

Full Stop

Re:I know what users could do!

[sjames]

You should probably know that the incidents in this discussion all involved cars that have the start button as a standard feature.

Note that both the start button and the transmission are under control of the very same system that is thought to have crashed. Same for the ABS.

Also notable, the people having these issues got their driver's ed back when turning the key off would absolutely shut the engine down instantly but might lock the steering if you turn it too far. Shifting to neutral with the throttle wide open WOULD blow the engine complete with thick blue smoke everywhere and possibly fire. OTOH, the brakes were connected by an uninterrupted hydraulic system, no ABS to back off the applied force. On and on and on.

At least one incident included reports from witnesses that smoke was pouring from the wheels, sorta like the driver was standing on the brake.

Re:I know what users could do!

[bobbied]

Shifting to neutral with the throttle wide open WOULD blow the engine complete with thick blue smoke everywhere and possibly fire.

I'm no expert in engine control units, but.... I'm told that they have rev limiters built in to avoid having the engine come apart under the conditions you describe. Manufacturers generally don't like replacing engines, and if it was that easy to blow one up, you can bet there would be a rash of "Oh my gosh, it's 1,000 miles before my drive train warranty dies" engine blow ups.

The push button start thingy does complicate things, but neutral is still an option when faced with freeway traffic and uncontrolled acceleration. Personally, I'd rather buy an engine than crash my car going in excess of 60 MPH, but I doubt it would come to that.

Re:I know what users could do!

[sjames]

What engine control units!?! Not when I learned to drive! Not when a lot of people learned to drive. Points, condenser (that's a capacitor to you young'uns), and coil, mechanical distributor. The closest it had to an ECU was the vacuum advance. A diaphragm driven by vacuum from the intake manifold that would physically rotate the distributor to make small changes to the timing. It wasn't hard to tell when an engine blew up from over-revving. Naturally that was considered abuse and not covered.

So many people are not aware that things have been updated since then including rev limiters. And keep in mind, blowing an engine wasn't always just clank and it stops. Sometimes it was kaboom and burning oil, smoke, and steam goes everywhere (not to mention push rods and rocker arms). You can probably forgive someone for wondering if that might make matters worse.

Suffice to say there have been a lot of changes since many adults learned to drive. Most don't realize it. You shouldn't be too hard on them, you didn't realize how much has changed either.

So yeah, on a modern car neutral is an option (assuming the computer is still running enough to accept the command) and pressing and holding the start button for 3 seconds (but it'll seem more like 30 in the heat of the moment) might do it if the computer responds. The brakes MIGHT work if you stand on them or they might overheat before you come to stop.

Re:I know what users could do!

[GrahamCox]

Have you ever been in an impending accident situation? However it's caused, with only seconds to react it's extremely hard to think rationally about a series of steps needed to bring it to a harmless conclusion, EVEN WITH EXPERT TRAINING. For example, on a car without ABS, "cadence braking" is a technique that can stop you quicker in a skid, but actually doing that in a real slide (not just a training situation) is exceedingly hard. That's why ABS was invented - it practically performs rapid cadence braking for you automatically, so you're free to panic and lock up on the pedal.

The Toyota software flaw apparently indicates that the brake "failsafe" which closes the throttle when the brakes are applied only reacts to a new transition of the brake switch, not an existing braking condition, so you have to remove your foot and reapply the brake to activate the failsafe (assuming that part of the software is still actually running, which in the stack overflow case it probably wouldn't be). If the vacuum assist has also been depleted, or you're already in a skid, you're in big trouble; you'd have to fully comprehend the situation, and arrive at the conclusion that the only solution is to turn off the ignition (not a natural emergency procedure at any time) in the few seconds before you hit whatever it is you're careering towards. Could you do that? I seriously doubt it - even the best racing car drivers in the world still crash sometimes.

Re:I know what users could do!

[bobbied]

IF you don't have an ECU (Engine Control Unit), chances are you don't have push button start either. So we have come full circle, just turn off the key.

And I learned how to drive in a 56 Chevy truck, complete with a clutch, when I was 12. I was driving for 4 years before I got my license, albeit in the fields on the farm. It was also around this time I learned to work on engines (cars, tractors, trucks, lawnmowers etc) so I have a reasonable understanding of what's going on. Subsequently I've received a degree in electrical engineering, so I'm not totally unaware of how all this automation works.

Re:I know what users could do!

[bobbied]

As with all things, it's *training* you will fall back on in panic situations. My complaint about "drivers education" is valid. Emergency situations should be drilled and proper coping techniques taught and practiced. You need to do it once or twice, then if you happen on a situation like this you KNOW what to do and if you hit a situation you haven't thought about, you know what you CAN do. Turning the key off fixes a LOT of stuff that can go wrong and knowing how a car drives and brakes w/o the engine running is a GOOD thing to know>

Flight training is replete with training and drilling the student pilot on the standard emergency situations that they should NEVER find themselves in if they are careful. Departure stalls are one that stands out in my mind because they where HARD for me. But I went up and practiced them until I mastered them because there was that chance I'd get in a situation where I got distracted on departure, close to the ground with full power applied nearly stalled I'd know what to do, instantly. Guess what, stall training SAVED MY LIFE at least once. Not that I stalled, but that I RECOGNIZED the stall was about to happen and I knew what to do, (which is NOT intuitive by the way).

Yea, some folks panic and freeze, you cannot help them much. But with training and experience, doing the right thing is possible for most of us.

Re:I know what users could do!

[sjames]

Not really, no. Sure no ecu = no push button start. BUT a person who learned to drive when cars had no ECU and no pushbutton may have no idea about either of them. That can't be blamed on Driver's Ed from back in the day, now can it?

I'm a bit surprised then that you didn't seem to know that the ECU is a fairly new thing or that it wasn't always safe to pop a car in neutral with the throttle wide open.

I'm hoping you just missed the point that someone who learned on an older car (possibly not so old at that time) may not know how much things have changed.

I was 8 the first time I diagnosed an engine that wouldn't start without Dad's help.

Re:I know what users could do!

[GrahamCox]

I agree that better driver education would be a good thing. But it's not going to happen because it would make the cost of obtaining a license too high, blah blah - all sorts of political arguments that haven't got anything to do with prioritising safety.

I'm a PPL holder too, so I know what you're saying about pilot training, but that's a completely different thing for several reasons, not least of which is that the cost of obtaining a license is entirely irrelevant to the overall economy - if you can afford it, go for it. Also, the outcome of an accident tends to have greater consequences in the air, so overall the extra cost of safety is considered worth it and is written into the law. On the roads, for whatever reason, the extra cost of safety is deemed not worth it by most people, since a) they don't bother getting advanced driver training once they have their license, b) they drive badly most of the time, and c) politicians don't demand anything is done about it.

In other words, more driver training might lead to fewer accidents, but no-one is bothering with it, either voluntarily or mandating it by law. So, the fact remains, that for the typical driver, locking up on the brake pedal in panic will remain the norm, even though it's not a good thing to do. All that can be done is to design the cars themselves to be safer, using technology to make up for driver deficiency where it can. With increasing use of drive-by-wire systems, it's high time that car manufacturers were forced to follow coding and design standards, and have their designs independently audited and approved. That's going to improve safety far more cheaply than mandating more driver training.

To me it's unbelievable that such mandatory design approvals are not already the norm. I guess the pollies are well behind the state of the art as usual. Maybe the Toyota case will help shake them up. In any case it makes good business sense for manufacturers to at least go with the voluntary standards that exist, which Toyota did not do. Until they can show that they're compliant with the voluntary standards,the best way to fix this mess is not buy a Toyota. That's how free market correction is supposed to work, right?

Re:I know what users could do!

[bobbied]

As kindly as I can..

As I recall this conversation, I was saying "TURN IT OFF". You said, "but you can't because it is a push button". Then I said "put it in neutral" to which you objected "The engine will blow!" to which I said "The ECU will prevent that" to which you reply "But not all cars have ECU's" which had me saying "Then it doesn't have a push button, so turn it off". Now you are saying I don't 'get' what an ECU is or how they work?

Troll much?

Full stop (as in I'm done here)

Re:I know what users could do!

[bobbied]

That's how free market correction is supposed to work, right?

And it does if you let it. We already have safety standards for cars. You either meet them, or you cannot sell your car to the public. Things like seat belts, tail lights and emergency brakes are all mandated features. But none of these things make a car safe. Additional software requirements would be the same, they'd be regulations you'd have to show you meet, but not really all that helpful for true safety of the complex system integration a car involves.

Manufacturers are inclined to produce reliable, safe cars by the profit motive. Many cars have proven to be unsafe, or at the very least the public believed them to be unsafe. The builders of these cars couldn't sell them or had to discount them and didn't make money so they stopped. You can bet that these manufacturers don't want to take years and hundreds of millions of dollars to design a car and the manufacturing process to build it only for it to be unsafe or unreliable. They will go out of business if they do this too often or continue to push out inherently unsafe cars they cannot sell.

So I think market forces will correct such things. And the court system is there for when manufacturers mess up (or can't prove they didn't). Both are huge incentives for keeping manufacturers on track.

Re:I know what users could do!

[sjames]

Read it again. You apparently skipped right over:

Also notable, the people having these issues got their driver's ed back when turning the key off would absolutely shut the engine down instantly but might lock the steering if you turn it too far. Shifting to neutral with the throttle wide open WOULD blow the engine complete with thick blue smoke everywhere and possibly fire. OTOH, the brakes were connected by an uninterrupted hydraulic system, no ABS to back off the applied force. On and on and on.

You must have read too quickly and missed that I was speaking of people's expectations based on when they learned to drive rather than what would actually happen to a modern car. That of course is because you were suggesting they were uneducated (at least in driving).

So you might wanna watch those troll accusations and read more carefully.

Motorcycles!

[Marrow]

No software. No seat belts. No automatic..anything.

Re:Motorcycles!

[Walter+White]

No software. No seat belts. No automatic..anything.

You'd have to restrict that to old motorcycles. My '98 has ABS and fuel injection, both of which used programmed electronics. Newer bikes include systems such as CAN Bus, traction control, fly by wire throttles and more. Except for things like air bags, seat belts and bumpers, motorcycles use a lot of technology found in automobiles.

Re:Motorcycles!

I prefer my Motorcycle to be 100% software:

http://i.imgur.com/cz8klVm.jpg

Re:Motorcycles!

[bobbied]

No software. No seat belts. No automatic..anything.

In Chicago in a snow storm during rush hour? No thanks!

Re:Motorcycles!

[Hognoxious]

Does it have an automatic transmission, and if not does it have clutch by wire?

Re:Motorcycles!

My giant scooter (650cc) has a continuously variable transmission. It also means I can accelerate faster than most other bikes that need to shift from 0-60mph (obviously, not counting crotch rockets here, just normal bikes).

So, no clutch.

On the other hand, almost all bikes have a kill switch making any "unintended acceleration" problems moot.

Re:Motorcycles!

[Walter+White]

Does it have an automatic transmission, and if not does it have clutch by wire?

Automatic transmissions are common (perhaps universal) on scooters and have been used on motorcycles in the past. The newest BMWs have ability to shift without pulling the clutch lever or reducing the throttle. From http://www.motorcycledaily.com... "The BMW Gear Shift Assistant Pro, available as a factory option, represents a world first for production motorcycle manufacture. It enables upshifts and downshifts to be made without operation of the clutch or throttle valve in the proper load and rpm speed ranges while riding."

Re:Motorcycles!

What point are you trying to make?

Re:Motorcycles!

Except for things like air bags, seat belts and bumpers, motorcycles use a lot of technology found in automobiles.

Airbags are an option on Honda's Gold Wing bikes.

Re:Motorcycles!

"does it have clutch by wire?"

Well, it's a really THICK wire, but yeah, my 1969 Yamaha 350 has "clutch by wire". Right to the lever! Gotta keep it lubed, though.

Re:Motorcycles!

[thegarbz]

You better call Yamaha and tell them to stop putting drive-by-wire throttles, ABS, and stability control on their motorbikes.

Re:Motorcycles!

[Hognoxious]

What point are you trying to make?

That you're an idiot, however you make it much better than me.

Trying to establish how close the situation is with a bike and a car. Not very, it would seem. A mechanical clutch trumps any software glitch.

Re:Motorcycles!

You haven't seen a modern motorcycle. One of my friends just bought a BMW HP4, and that things got automatic everything. No seat belt, yes, but definitely software.

Re:Motorcycles!

Sounds like a Rekluse z-start clutch.

Re:Motorcycles!

[Alioth]

But what motorcycles have that cars don't is a kill switch. Many modern cars with a start button and proximity key don't have a way of being turned off except by the button (i.e. software). My modern motorcycle has a start button and electronic everything, but it DOES have a kill switch. So if there was an unintended acceleration (and in the owner's forum for this bike, this has happened to at least one person when the throttle physically stuck on his bike after a spirited overtake) you can turn it off with the kill switch. Not so with a car. Why cars which only have software start and stop don't have a kill switch is puzzling (especially here in Europe where no one drives an automatic, so the engine will continue to be turned by the wheels if you kill the ignition, and will continue therefore to turn things like the power steering pump. If you're lumbered with an automatic gearbox the engine probably won't get turned so the steering will go very heavy but it will still function).

Re:Motorcycles!

[Hypotensive]

If you actually know how to change gear, then I don't see how this buys you anything. And if you don't know how to change gear, then (1) you shouldn't be riding anything more powerful than a 125cc, and (2) if you do train yourself to use this system then you've shot yourself in the foot when it comes to operating anything else.

Re:Motorcycles!

[MiSaunaSnob]

scooters don't have automatic transmissions they have CVT's and as far as I know they are universally mechanical.

Mental stack overflow of the driver is more likely

Idiot drivers hit the gas pedal instead of the brake and instead of owning up to their incompetence as a drivers, they blame the car instead. The Toyota sudden acceleration problem disproportionately affects the elderly and inexperienced drivers. It also a uniquely an American problem and it occurred during a deep recession where GM and Chrysler were going bankrupt and Americans needed some FUD against Toyota because supporting American car companies was the jingoism of the day. The toyota sudden acceleration is more of a case study of an American moral panic and mass hysteria perpetrated by the media than it was an engineering problem.

Brake

[Etrahkad]

I mean.. lesson well learned. I will test the throttle now. Ah crap that's right I was fired. Must not do that in the next automotive company, Saturn beware I made buyers be weary of the Toyota Brand. (Glad Lexus drivers have more common sense)

Death Penalty?

The death penalty for programmers that write such code will bring an end to this OUTRAGE !

Re:Death Penalty?

[colinrichardday]

The death penalty for programmers that write such code will bring an end to software !

FTFY

Re:Death Penalty?

[bobbied]

The death penalty for programmers that write such code will bring an end to this OUTRAGE !

I'm shocked, SHOCKED that our software has bugs!

Your bug reports sir!

Carry on...

It's like this

There is no such thing as unintended acceleration. All cases have been unrepeatable or shown to be human error.
The Toyota stuff was a bunch of crap that got whipped in to a media frenzy then a bunch of people tried to cash in on it.

The slightly longer answer is, if something like that ever happens, turn off the car and press the brake pedal firmly.

Re:It's like this

Ah yes. All software is perfect. Nothing to see here. I'm sure the average motorist will think of your workaround, thus avoiding tragic "human error". (can you even turn off the car while it's in drive? what are the sequence of steps, exactly? hopefully your transmission isn't computer controller?)

Re:It's like this

Drive much? You CAN turn a car off in drive. In keyed cars, you can't "lock" the steering wheel in most models. In keyless, you must hold the start button down for 3 seconds (see owners manual.)

I would hope that the accelerator pedal and start/stop switch are not running within the same embedded logic however.

Re:It's like this

[amorsen]

All cases have been unrepeatable

Stack overflows tend to be difficult to reproduce.

Re:It's like this

[dcw3]

Wrong. I've personally had it happen to me in a '85 Hyundai. The vehicle was relatively new at the time, and had a manual transmission. After tapping the throttle to try to unstick it, I flipped the ignition and stopped the car. Once completely stopped, I restarted, and with my foot on the clutch watched at the tach approached redline until I shut it down again. I was eventually able to get it going again, and headed straight to the dealership. They found nothing, and it never reoccurred.

Yes, I'm well aware that people can hit the wrong pedal...there's no way I did that twice. I believe in my case, the throttle got stuck when I had floored it..those vehicles had very little acceleration.

Re: It's like this

[Bobb+Sledd]

shut up jackass. my father-in-law was nearly killed by one of these impossible events.

Re:It's like this

Really!?! -- just continually push information on the stack -- at some point will generate a stack overflow, guaranteed for any stack programming language. Now, reproducing the situation/events that generate the stackoverflow tends to be difficult.

Re: It's like this

[perryizgr8]

I know that sometimes its difficult to admit that someone you know well may have made such a stupid mistake, but the probability of your father-in-law being confused/mistaken is a lot more than entire teams of engineers at the world's largest car manufacturer fucking up in such a dangerous manner.

Re: It's like this

I'll just say that your father-in-law sucks at driving.
If he could get it to repeat for the factory reps I'm sure Toyota would love to study what's going wrong. They might even give him a brand new car for his troubls.

Re:It's like this

That's a sticky throttle cable, it has been known to happen.
Did you make sure that both of the return springs on the carb were unbroken? Because sure as shit there is no possible way an '85 hyundai had drive-by-wire carbs.

Re:It's like this

Stack overflows tend to be difficult to reproduce.

Ummm...no.
Software is deterministic.
If you know the contitions that caused the problem, it will repeat exactly the same way every time.

Re:It's like this

Difficult to reproduce, but they're trivial to statically detect if your standards don't allow recursion or indirect calls (aka. virtual methods or function pointers); in such cases, you can simply trace the graph of the source code and measure maximum stack depth for each entry point; by the time you get back to main, you'll know if it's possible to blow the stack. Murphy's law says if it's possible, then it will eventually happen to someone.

p.s. Yes, yes, I can hear some hacker in the back yelling that this programming model is too limited for his tastes, and he can't imagine working without lambdas. Fine. Work somewhere else.

And I can hear another guy claiming that he's 100% sure that his function A passes a flag to function B that prevents it from calling C, D, E, ... overflow. *ahem* Just refactor B and call the parts you need. It's a better design, and the tool will stop warning you about a possible stack overflow. Bonus: You also just freed up a register.

Re:It's like this

The slightly longer answer is, if something like that ever happens, turn off the car and press the brake pedal firmly.

And if you have push-button start and brake-by-wire?

Re:It's like this

[amorsen]

According to TFA, the OS is multitasking with the OS stack sharing the user stack. The proof of the maximum stack depth that the developers gave was wrong.

Re: It's like this

Having worked on engineering teams at some of the world's largest companies, I think both occurrences are equally likely.

Those wily Toyota lawyers ....

[140Mandak262Jamuna]

Suddenly Toyota lawyers sued this website http://stackoverflow.com/ and claimed they are victims too.

Likley the cause?

[mjwalshe]

if you cant demonstrate it in lab conditions it is just awlawyer speculating about stuff "M'lud I postulate it was the alien space bats wot dun it"

Re:Likley the cause?

[Alioth]

If you dig into one of the cited articles, you'll find they DID reproduce it in the lab. The Toyota software turns out to be very flawed.

Could it? Really, it could? Could be?

A stack overflow could cause uncontrollable acceleration. The car also could be hit by a meteor. You could be mauled by a bear when you press the accelerator. The engine could catch on fire. Small invisible aliens could hold down the accelerator. The wavefunction of the car could tunnel to a position high above the ground.

I'm no law-talking guy, but I guess "conceivable occurrence allowed by the laws of physics" is pretty much the same level of proof as "preponderance of evidence". Anyway, check, please!

Re:Could it? Really, it could? Could be?

[roc97007]

> You could be mauled by a bear when you press the accelerator.

But only if you've purchased the "mauled by a bear" feature and have forgotten to put the "bear" switch in the "off" position before putting the car in gear.

I thought everyone knew that.

Re:Could it? Really, it could? Could be?

Oh man, we just barely escaped being mauled. Let's be more careful this time.

Checks manual: Release accelerator pedal. Depress clutch to floor. Move shifter into second bear. Aaaaugh!

Re:Could it? Really, it could? Could be?

> You could be mauled by a bear when you press the accelerator.

But only if you've purchased the "mauled by a bear" feature and have forgotten to put the "bear" switch in the "off" position before putting the car in gear.

I thought everyone knew that.

It's only supposed to maul the passenger; mauling the driver is a feature defect.

Not much

[n1ywb]

Honestly, not much, except perhaps demand better software. Better processes, better languages. I'm just hypothesizing here but it might not have happened if they had e.g. followed better development standards like the MISRA C standard, or don't use C at all, use Ada or something. Better QA processes might have caught it before it went into production, e.g. using a dynamic stack profiling tool, input fuzzing, whatever. Fundamentally a system like this should have an independant hardware watchdog timer to at least try and make it fail-safe in the event of a CPU crash. Finally any motor vehicle ought to have a manual cutoff switch wired into the fuel pump or ignition circuit so that when the CPU shits it's bits you can still turn the damn thing off before you crash crash.

Re:Not much

Of course this bug would not happen because neither MISRA C or Ada SPARK allows recursion, so the stack wouldn't get overflown.

Re:Not much

[AmiMoJo]

Except that the cause of the accidents wasn't a software bug, it was people pushing the wrong pedal. Maybe Toyota should develop a system to detect stupidity and disable the accelerator.

FWIW the code is actually pretty good. It uses watchdogs, can cope with sensor failure, guards critical values stored in memory and so forth. The guys examining it had a hard time understanding it because all the comments were written in Japanese and they only had Google to translate them. They were unable to demonstrate any bugs that could lead to unwanted acceleration, only that if they carefully changed specific memory locations (including backup duplicates) with a debugger they could make it happen.

Re:Not much

[Bite+The+Pillow]

Are you saying Toyota did not follow the Motor Industry Software Reliability Association C rules? Because that would be interesting. Or are you just thinking into your keyboard without knowing?

And how are people supposed to demand better software? There is not a demonstrable problem, given that we don't know what the problem is, or the cause. I don't see how you could demand, or legislate, better software without at least something specific.

You are dangerously close to +5 despite having conveyed no actual information. And the people who do have information have not solved this yet.

Can != did

[140Mandak262Jamuna]

"We've demonstrated how as little as a single bit flip can cause the driver to lose control of the engine speed in real cars due to software malfunction that is not reliably detected by any fail-safe," Michael Barr, CTO and co-founder of Barr Group, told us in an exclusive interview. Barr served as an expert witness in this case

Emphasis mine.

Yes, a single bit flip can cause unpredictable behavior in any code. You could say that without any analysis. A single mistake in sign can get you a goose egg in the Algebra paper. So many people could have won the lottery if only one digit was different. These are well known. But can != did. Did that stack overflow? Did it actually happen? That is the question.

Re:Can != did

[Cochonou]

Did it actually happen? That is the question.

From an engineering standpoint, it's not really the question - if there is a design flaw so that the system can fail with a non-negligible probability, it will eventually fail. Bits flip everyday, everywhere, but there should be mitigation in place to take care of that (at least a watchdog).

Re:Can != did

Yes, a single bit flip can cause unpredictable behavior in any code. You could say that without any analysis.

You can say it, but that doesn't make it true.
Especially in space electronics random bit flipping is something that has to be taken into consideration but often you can handle errors like that on a more abstract level.
There is a nice text on why Erlang was developed, sadly I can't find that one right now but it an interesting language to look up if you want to write programs that handles non-predicted failures in a relatively nice manner.
VxWorks is a nice OS to have a look at if you need to handle such situations. (Used in everything from the Mars rover to industrial robots.)

If stack overflow or single bit flipping is a problem in Toyota then they need to redesign their system.

Re:Can != did

[AmiMoJo]

A watchdog isn't the best solution to this problem. You don't really want your ECU to reboot randomly due to a fixable error. Just use ECC RAM and keep redundant copies of critical values in memory.

There is no way this issue could have caused the number of events people are claiming to have had. Such a bit flip has never been observed in real life (they used a debugger to simulate it) and the changes of that particular bit out of millions corrupting is extremely low. Of bit flips were common enough to cause this we would see the effects as other systems like the dashboard display and head unit crash, not to mention other parts of the ECU.

Re:Can != did

[140Mandak262Jamuna]

From a legal/liability stand point this the only issue. If it can happen, they have take steps to correct it after they have become aware of it, and they have to show that they followed reasonable engineering practices in designing and testing it. In a car, the hydraulic line for the brakes could rupture, the teeth in rack and pinion can break and jam locking the wheels, the brakes can jam, the car can skid, the tires can burst. All of them CAN happen. But unless you can show it did happen, and the Toyota knew it could happen and still it did not enough you don't have a legal claim.

Re:Can != did

[140Mandak262Jamuna]

True they have to redesign the system. But the courts is asking a different question, do they have a liability? Do they have to pay compensation?

This is a case of manual override

[EmperorOfCanada]

Quite simply the absolute control should not be handed over to the computer. Basically doing something like pulling on the handbrake should basically physically cut the throttle. Or stomping on the brakes should activate a simple solenoid that cuts the throttle. This mechanism should be 100% separate from the computer and override most computer outputs.

I see this as critical in a driverless car. There needs to be a way for people to pull the plug and there needs to be a way for people to phone in an emergency. So if someone is lying in a pothole being run over by car after car, or the bridge is failing, there needs to be a way for 911 to say that a stretch of road is now cut off. The key is that this cannot be ab abusable by officials. I do not want my car grinding to a halt because the police are looking for some runaway or a bank was robbed.

Re:This is a case of manual override

I strongly suggest that if you base your needs above that of the public servants doing work for the good of us all that you buy an airplane or helicopter and stop using public roadways immediately. It's not always about you.

Re:This is a case of manual override

[PPH]

I strongly suggest that you re-evaluate the needs of those public servants who had their blue lights on en route to their coffee/donut break a few months back.

Re:This is a case of manual override

[StikyPad]

I do not want my car grinding to a halt because the police are looking for some runaway or a bank was robbed.

GLWT.

Re:This is a case of manual override

[jcdr]

Actually the brakes alone are enough to stop the car even in case of a full throttle bug.

Re:This is a case of manual override

[wisnoskij]

That would be hilarious. Something goes wrong, and every car is automated, so you just get car after car calmly driving their passengers to their death in a giant sink hole, or something.

Re:This is a case of manual override

[wisnoskij]

People banging on the windows and the car is like "please remain seated, the doors are lock while the car is in motion for your protection"

Re:This is a case of manual override

You could make exactly the opposite argument -- that the computer always needs some way to ignore the human because humans sometimes do dumb things.

Without actually quantifying the relative risks it's all just speculation.

Re:This is a case of manual override

[jafac]

I do not want my car grinding to a halt because the police are looking for some runaway or a bank was robbed.

. . . or I didn't endorse the right political candidate.

Re:This is a case of manual override

[zbobet2012]

I have actually had to do this before. Had a 2002~ A8L that would full throttle on its own, and yes the breaks are more powerful than the engine. We spent months going around with Audi on the issue before at some point we took a regional manager on a ride and it did it to him. And no it wasn't the fucking floor mat. They took it back without a word and gave us a newer model with 20k less miles. The important part to note here is that stepping on the breaks will still stop the car.

Re:This is a case of manual override

[EmperorOfCanada]

This will happen, and it will make national/international news, and there will be a bunch of asswipes all going, "I told you so, these automated cars were going to be the death of us all." But this will be in the face of driverless cars killing so few people that it might be single digits nationwide.

Oh and I forgot to mention all the "experts" they will get on the news who will try to turn driverless car safety into an issue; when in fact any changes that they propose will probably kill even more people.

Re:This is a case of manual override

[EmperorOfCanada]

The worst one will be politically connected neighborhoods that presently have tons of traffic because these people built their houses in a high traffic area. So they will demand (and get) that the government mandate that driverless cars detour around their precious streets.

Also this will be another opportunity for the narcissistic egomaniacs that run government to have us serfs part like the red sea when they are driving by.

Re:This is a case of manual override

"stomping on the brakes should activate a simple solenoid that cuts the throttle"

This already happens with cruise control. Touch the brake, and cruise control ceases to control the throttle. Don't see why such a feature couldn't be implemented across the board. No-one (with the possible exception of racing drivers) needs the brake and the throttle at the same time. The brakes should also have hardware priority over the throttle, kind of like a NMI. One simple signal tells the engine management to relinquish control, the failsafe principle takes over and the motor reverts to idle.

And another thing - how the hell can a throttle be "left open"? Don't they even have a return spring anymore?

Re:This is a case of manual override

[DerekLyons]

Basically doing something like pulling on the handbrake should basically physically cut the throttle. Or stomping on the brakes should activate a simple solenoid that cuts the throttle. This mechanism should be 100% separate from the computer and override most computer outputs.

So... your solution to failures, errors, and bugs is to introduce more sources of failure, error, and bugs? Brilliant.

Re:This is a case of manual override

[Gavagai80]

Any driverless car, including the ones already in service, obviously has to be able to read road signs and look for obstacles. You don't need some phone system. You just need to put up a sign or a barricade.

Re:This is a case of manual override

[vidarlo]

What you're asking for is basically an emergency stop. The problem is that in some cases this can be dangerous as well. What if there's a truck 30 feet behind you, and you suddenly by accident (or inherent fault) activate the emergency stop? Safety is complex, and I'm not sure emergency stop is a good idea here, as it introduces it's own problems.

Re:This is a case of manual override

[Grishnakh]

What about the public servants here in New York and New Jersey who closed off all but one lane on the George Washington Bridge during rush hour as political payback to a Democrat-voting district on one side of the bridge? Were they "doing work for the good of us all"?

Re:This is a case of manual override

[romons]

I see this as critical in a driverless car. There needs to be a way for people to pull the plug and there needs to be a way for people to phone in an emergency. So if someone is lying in a pothole being run over by car after car, or the bridge is failing, there needs to be a way for 911 to say that a stretch of road is now cut off. The key is that this cannot be ab abusable by officials. I do not want my car grinding to a halt because the police are looking for some runaway or a bank was robbed.

Or the Governor doesn't like the Mayor of a particular city.

Re:This is a case of manual override

[swalve]

before you spout off about "all but one lane", you should probably look at a map. The whole thing was about one tiny town's tiny access road to the bridge. The mainline bridge was fine.

Re:This is a case of manual override

Otherwise the vehicle wouldn't be legal, either.

Re:This is a case of manual override

[Cro+Magnon]

The worst one will be politically connected neighborhoods that presently have tons of traffic because these people built their houses in a high traffic area. So they will demand (and get) that the government mandate that driverless cars detour around their precious streets. .

Or, businesses arranging to have traffic go past their stores in the hope that some will stop and buy their crap.

Outlaw Recursion

Recursion is lazy, stupid, and above all, DANGEROUS.

Whomever thought recursion was a good idea ought to be taken out back and given a thorough beating.

Re:Outlaw Recursion

[Dunbal]

Recursion is fine if recursion is fine if recursion is fine if recursion is fine if recursion is fine if you do it right.

Re:Outlaw Recursion

[Hognoxious]

Yo dawg...

Re:Outlaw Recursion

[bobbied]

Recursion is lazy, stupid, and above all, DANGEROUS.

Only in the hands of a novice..

It is an elegant solution for certain kinds of problems that can work magic in the hands of one who has mastered the technique. But when applied to the wrong problem, it's what you describe.

As in all things, the right tool for the job is always best. Masters of the trade know their tools well.

Re:Outlaw Recursion

[jrumney]

MISRA C, which is a mandatory coding standard across pretty much all the automotive industry, does outlaw recursion. So I find this speculation on the cause to be very unlikely, and is just lawyers bringing in "software experts" to speculate. If you want to speculate, there are many other potential software bug causes as well. Some of them would even pass MISRA C coding checks, and not be easily detectable by static analysis.

Re:Outlaw Recursion

[ebno-10db]

Masters of the trade know their tools well.

Which is why designers of hi-rel systems never use recursion.

Re:Outlaw Recursion

[jrumney]

Self proclaimed masters of the trade have no place in safety critical software systems. Can you guarantee that the coder who will be maintaining your code 10 years from now will also be a "master of the trade"?

Re:Outlaw Recursion

[GrahamCox]

They didn't speculate. They analysed the source code, which they had clean-room access to, as well as the actual compiler and test harness used by Toyota. Toyota testified that the stack utilisation was 41%, whereas the analysis showed that it was actually 97% *before* the recursion was taken into account. It looks pretty certain that stack overflow could occur. Following the stack are key system structures used to control the scheduling of threads on the CPU, and damage to these structures could cause one or more of the threads to never get any scheduled time. One of the threaded tasks not only controls the throttle, but also the failsafes in case of some scenarios,and also the code that writes fault codes to the battery-backed RAM. Basically, if that task dies, then the throttle is left uncontrolled, the failsafes don't kick in, and no fault codes are written so that the problem is revealed after the fact. It's a terrible design; a disaster waiting to happen.

Uses can protect themselves against this sort of thing by not buying a Toyota until they are compliant with the relevant standards. Only hurting them in the marketplace will get them to fix this problem.

The testimony from both expert witnesses Barr and Koopman are now a matter of the public record and actually make fascinating reading - they'll be especially interesting to computer guys because it goes into a lot of detail about the code design, though frequently translated for the benefit of the court into layman's language. It's going to go down in history I reckon as a classic case of how not to design a safety-critical system.

A great summary and links to the public court documents can be found here: http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/

Re:Outlaw Recursion

[andy753421]

I think you could make the case that tail recursion is safe in that it doesn't result in an unbounded stack. You'd really need the toolchain enforcing it though.

Re:Outlaw Recursion

If they're working on critical systems and they aren't a master of the trade, then the software is fucked regardless of whether the existing code uses recursion or not. If an engineer doesn't both understand recursion and find it to be a natural solution to various problems (even if not fit for particular resource-constrained environments), then they're just a code monkey who needs to be put on work appropriate to their abilities.

Re:Outlaw Recursion

[Beryllium+Sphere(tm)]

Maybe not quite as bad as the Therac but definitely should be taught in engineering school.

Re:Outlaw Recursion

[ChunderDownunder]

Tail Calls

Scala's @tailrec annotation, for example, emits a compiler error if it can't perform TCO.

Re:Outlaw Recursion

Computer algorithms are usually implicitly recursive so I don't see how you could ever avoid it. What you don't want to do (in C at leasst) is make the recursion explicit in a recursive function call without knowing the exact expense of that in memory when you are only working with kilobytes of the stuff.

Re:Outlaw Recursion

[gnupun]

Recursion is lazy, stupid, and above all, DANGEROUS.

Sorry, recursion is very useful. The non-recursive version is often far more complex, and therefore more bug prone.

Due to recursion overwriting critical data past the end of the stack and into the real time operating system memory area,...

That's very poor architecture. Why don't they use protected memory OS/CPU that isolates OS and app? A $100 smartphone has these features, why doesn't a car worth over $20,000 have it?

Re:Outlaw Recursion

[Grishnakh]

Very interesting. So why is Toyota not following MISRA C coding standards?

Re:Outlaw Recursion

[Alioth]

There was no speculation involved. An expert witness (a team of embedded platform engineers) analysed the source code.

Not only did Toyota not follow MISRA C, they didn't even follow their own coding standards. Reading the source code showed recursion was being used and Toyota's own internal standards were not being followed (let alone MISRA C). An 800 page report was produced. If you dig into TFA a bit you can see the 45-odd page presentation that the expert witness gave to the course. The TLDR version of that presentation is that Toyota was grossly negligent in the way they developed this system.

Protecting yourself from bugs?

[Savage-Rabbit]

How can users protect themselves from sometimes life endangering software bugs?

Drive older non digital cars. Come to think of it I can get you a great deal on a factory standard model 1971 Ford Pinto.

Re:Protecting yourself from bugs?

[bobbied]

The one with the scorched paint that caught fire when I was driving it? Wow, I thought that went to the junk heap back in the 80's

Re: And we're going to trust self driving cars now

What's your point? People are killed everyday by cars operated by people (others, or even themselves). I'll take my chances with the computer, thank you

I don't buy it.

[Timmy+D+Programmer]

Most of the people who claimed 'sudden' acceleration said it happened while they applied the brake. And I don't care how crazy your engine goes, the brakes wouldn't also happen to go out at that moment too. It's like the Audi's even before the computers did anything more than fuel mixture, folks pressed the wrong petal and blamed it on the car.

Re:I don't buy it.

Read the report. The explanation is in there. Basically, the acceleration gets stuck on and pressing the brake pedal doesn't send the signals to turn it off. And since the brakes are not strong enough to stop the car, you're hosed.

Re:I don't buy it.

[sexconker]

Read the report. The explanation is in there. Basically, the acceleration gets stuck on and pressing the brake pedal doesn't send the signals to turn it off. And since the brakes are not strong enough to stop the car, you're hosed.

You're going to get a lot of idiots telling you that the brakes will win out over a floored throttle. Just a heads up.

Re:I don't buy it.

[amorsen]

And since the brakes are not strong enough to stop the car, you're hosed.

They are, though. Unless the brakes are otherwise faulty. However, if you just try to keep the speed low instead of stopping completely, the brakes will overheat and stop working.

Re:I don't buy it.

[dcw3]

See my post above. Yes, I was able to turn off my ignition, and stop. Mine was most likely a stuck throttle, as I was able to recreate it.

Sure people hit the wrong pedal, and some are just looking for a payday. But let's not pretend that it doesn't happen.

Re:I don't buy it.

[jrumney]

And those idiots would be right. Show me a car that has a faster 0-60 time than its best 60-0 time.

Re:I don't buy it.

Read the report. The explanation is in there. Basically, the acceleration gets stuck on and pressing the brake pedal doesn't send the signals to turn it off. And since the brakes are not strong enough to stop the car, you're hosed.

Unless your breaks are in disrepair they will be more powerful than your engine. Before you get a new set of tires go out and try it for yourself.

Re:I don't buy it.

[sexconker]

And those idiots would be right. Show me a car that has a faster 0-60 time than its best 60-0 time.

If you keep the throttle wide open and the car in drive, that's every single car. Your brakes will fail well before stopping the vehicle. They'll heat up and lose all stopping power in a matter of seconds. There's a reason we build runaway truck ramps. http://en.wikipedia.org/wiki/R...

Unless you cut the throttle or disengage the engine, the brakes will lose every time.

coding standards

[lkcl]

... you know... i worked for pi technology in milton, cambridge, in 1993. they're a good company. they write automotive control systems, engine control management software, vehicle monitoring software and diagnosis systems and so on. one of the things i learned was that coding standards for mission-critical systems such as engine control have to be very very specific and very very strict. the core rules were simple:

1) absolutely no recursion. it could lead to stack overflows.
2) absolutely no local variables. it could lead to stack overflows.
3) absolutely no use of of malloc or free. it could lead to stack overflows.

now you're telling me that there are actually car manufacturers that cannot be bothered to follow even the simplest and most obvious of safety rules for development of mission-critical software, on which peoples' lives depend? that's so basic that to not adhere to those blindingly-obvious rules sounds very much like criminal negligence.

Re:coding standards

[TechyImmigrant]

>... you know... i worked for pi technology in milton, cambridge, in 1993. t
So did I.

Small world.

Re:coding standards

I do a lot of embedded software and had the exact same thought... Recursion on a safety critical software system = bad design. (And, as you say, malloc/free on a safety critical software system = also bad.)

Re:coding standards

[aviators99]

3) absolutely no use of of malloc or free. it could lead to stack overflows.

Hate to be nit-picky here, but that's not true. It's a great idea to not use malloc() in a real-time application, for reasons of performance. But it can't overflow the stack.

Unless you call it recursively :-)

2) absolutely no local variables. it could lead to stack overflows.

I think it would be pretty hard to overflow the stack by use of local variables. I mean it's easy to cause, but you'd pretty much always see it if you've even tested the program once. The best reason I can think of for not using local variables is that globals are easier to debug.

1) absolutely no recursion. it could lead to stack overflows.

This should be rule number one for this type of application.

Re:coding standards

[wisnoskij]

When the contract always goes to the lowest bidder and regulation is non existent, is it really that surprising?

Re:coding standards

[Cassini2]

Every computer science, computer engineering and software engineering major is taught the wonders of virtual memory and recursion. They are taught pointers are good, and global variables are bad. When writing embedded software, the engineers do as they have been trained ...

Re:coding standards

As someone that has done a lot of safety related embedded code, I totally agree with #1 and #3 and we didn't use them in our code. What did you do instead of #2? Declare everything file scope static or something?

Re:coding standards

[ebno-10db]

absolutely no local variables. it could lead to stack overflows

In which case you shouldn't have function calls or interrupts either. I know recursion and dynamic allocation are to be avoided, but even in the highest rel standards I've never heard of not being able to use local variables. Careful stack use analysis and testing, sure.

Re:coding standards

[phantomfive]

Good points.

Re:coding standards

[phantomfive]

The best reason I can think of for not using local variables is that globals are easier to debug.

Really?

Re:coding standards

I'm sorry but those "best practices" are 20 years behind, even by 1993 standards.

I agree with #1, but #2 is detected by static analysis (bounds checking) and #3 by a good internal memory manager (also, by very smart bounds checking algorithms but I'm unaware of those in 1993).

All 3 considerations are useful only if the project has budget or time restrictions, then again, I wouldn't want to drive a car which was designed on a budget restriction.

Re:coding standards

I remember an RTOS/embedded systems class in my CE major that explicitly warned about using recursion in highly reliable systems.

Re:coding standards

[andy753421]

In embedded systems this is often the case. Not because it makes the software easier to understand, but for more practical reasons. You probably won't be stepping though the code with a debugger in real-time, but global variables are at fixed addresses and they don't disappear as soon as the function call returns, so they're just easier to look at.

Re:coding standards

[phantomfive]

Wow bro, get a jtag

Re:coding standards

[Beryllium+Sphere(tm)]

> I wouldn't want to drive a car which was designed on a budget restriction.

That criterion will eliminate a lot of confusing choice from your purchasing decisions.

Re:coding standards

[gstovall]

:) Which is why we had to spend the first 6 months after hiring any new grad, retraining them in development techniques that actually worked in our embedded near-real-time, real-world sitations. I still have no idea why colleges convince their graduates that they actually know anything. College is an opportunity to learn how to think and how to learn, not to learn what's needed to be an instant star. We all have to learn constantly our whole lives to stay on top of the technology.

That's not to say I've not met a couple that were instant stars upon graduation...however, they were usually the ones who had done several coop terms with us learning the ropes already.

Re:coding standards

[psithurism]

but you'd pretty much always see it if you've even tested the program once

No.

C++:
if ( break_press_force > 10 )
{
    BIG_DATA_STRUCTURE env_data = GatherEnvData(); ...

Re:coding standards

[narcc]

Yes. Think about the applications under discussion.

Re:coding standards

I've worked with embedded systems for the past 8 years, right out of university. You know what I've noticed?

Most embedded code is terrible, and the programmers themselves are completely full of themselves. And it's not because "its built to be reliable", "or its maintainable", or whatever else. It's because the programmers who wrote the code barely even know C. They walk around on their high horse thinking they are vastly superior to every other programmer because they "work in embedded", "are close to the bits", and whatever else. And when they encounter a function pointer, or some CPP statements, they are taken aback and immediately start into "how dangerous" it is.

Here is a great gem of an exchange:
Me: the variable you declared in that .c file is not visible to the other compilation unit - you need to make it visible. That's why is wont build.
Them: make it 'static'!
Me: that wont work - your making the problem worse.
Them: oh, these C compilers are so stupid! They didn't used to be like this! Somebody needs to fix C!

Bad programmers are bad programmers. If you write "pointer heavy" code and you are getting out-of-bounds faults all the time - your doing it wrong. If you are getting alignment errors, your doing it wrong. And if you have global variables scattered all over the place, tangled up in 100's of horribly named flags, are marking every variable as 'volatile' because you think it means "dont optimize", you are doing it wrong.

Sorry, I obviously disagree with you (quite strongly). Shitty programmers are shitty programmers, young or old. It has nothing to do with today's education.

Re:coding standards

>1) absolutely no recursion. it could lead to stack overflows.
I'll grant this one

2) absolutely no local variables. it could lead to stack overflows.
WTF?. There is nothing inherent about local variables that could lead to stack overflows that isn't also inherent to simply using functions.

3) absolutely no use of of malloc or free. it could lead to stack overflows.
WTF? Overuse of dynamic memory leads to heap exhaustion, not stack overflows.

Re:coding standards

none of these stupid rules get at the core issue. if you can calculate the maximum call depth,
it doesn't matter if you have recursion or local variables, you can calculate the maximum stack
needed. if you cannot calculate the maximum call depth, you're screwed even if you do follow
these rules.

Re:coding standards

idiot++

if ( moron_cant_spell BRAKE )

do while TRUE

{

Tesla coil on nuts

}

BRAKE

BRAKE

BRAAAAAAAAAAAAAAAAAAKE FUUUUUUUUUUUUUUUUUUUUCK

Re:coding standards

[TopSpin]

This should be rule number one for this type of application.

Perhaps it should be rule number one, but actually it's Rule 16.2 of MISRA-C:2004 (Motor Industry Software Reliability Association, Guidelines for the use of the C language in critical systems):

Functions shall not call themselves, either directly or indirectly.

The rule actually appeared first in MISRA-C:1998. Each rule is accompanied by a detailed rationale that I will not reproduce verbatim here as the standard is not open; one must pay for the privilege. The rationale for 16.2 is that recursion may cause stack overflows. I only cite the rule itself because it appears in public testimony and also on the (first) page linked by this story ...... which you obviously did not read.

Because MISRA also disallows constructs such as function call indirection, self modifying code, etc. a compiler is entirely capable of detecting recursion and reporting the violation as an error. MISRA compliant compilers do exactly that.

Yes Virginia, the largest auto manufacturer on Earth ignores the very thing that was designed to prevent simple, common, easily predictable failures such as stack overflow despite the fact that the cost of compliance is much, much smaller than a rounding error for an outfit like Toyota.

Also, despite the fact that Industry dutifully identified this specific problem in a published standard at least 16 years ago, compliance is apparently not yet a requirement by government regulators. I suspect they're too busy investigating child seat manufacturers or Telsa batteries or whatever other politically high profile crisis that giant, engineer-free gaggle of NTSB lawyers fill their bankers hours with.

Re:coding standards

Yeah the local variables overflowing the stack in a program without recursion seems a bit strange to me if you don't use recursion.
Presumably an ECU has a limited number of functions so you could easily calculate the absolute worst case stack usage if all functions called each other once, even if not all the functions call each other.

Re:coding standards

[sconeu]

This. Don't they use the MISRA C standard?

Re:coding standards

3) absolutely no use of of malloc or free. it could lead to stack overflows.

Hate to be nit-picky here, but that's not true. It's a great idea to not use malloc() in a real-time application, for reasons of performance. But it can't overflow the stack.

Unless you call it recursively :-)

2) absolutely no local variables. it could lead to stack overflows.

I think it would be pretty hard to overflow the stack by use of local variables. I mean it's easy to cause, but you'd pretty much always see it if you've even tested the program once. The best reason I can think of for not using local variables is that globals are easier to debug.

1) absolutely no recursion. it could lead to stack overflows.

This should be rule number one for this type of application.

3) absolutely no use of of malloc or free. it could lead to stack overflows.

Hate to be nit-picky here, but that's not true. It's a great idea to not use malloc() in a real-time application, for reasons of performance. But it can't overflow the stack.

Unless you call it recursively :-)

2) absolutely no local variables. it could lead to stack overflows.

I think it would be pretty hard to overflow the stack by use of local variables. I mean it's easy to cause, but you'd pretty much always see it if you've even tested the program once. The best reason I can think of for not using local variables is that globals are easier to debug.

1) absolutely no recursion. it could lead to stack overflows.

This should be rule number one for this type of application.

I was thinking the same thing about malloc(). I also agree the idea of no local variables sounds pretty stupid.

Re:coding standards

Local variables in C are allowed to be dynamically sized arrays in modern versions.
calculating the size wrong would cause the stack to overflow.

Not using local variables leads to more bugs I would think.

Re:coding standards

[AmiMoJo]

No, the source code analysis showed that Toyota did indeed follow these best practices in their firmware. The accidents were not due to firmware, they were due to people pushing the accelerator pedal when they meant to push the brake.

I am an embedded software engineer and we follow similar rules, but with an exception that local variables are allowed if they are static because on our platform that guarantees they don't end up on the stack. Like Toyota we also keep two copies of critical variables at different locations in RAM (using sections to keep them far apart) and periodically compare the two copies.

Re:coding standards

[ld+a,b]

Sorry. I work in automotive embedded systems(although not personally in safety-critical parts we use the same parts and rules) and I can tell you rules like yours were behind this.

We are following all these rules and so we are safe. We can save a penny per 1000 units sold using a crappy MMU-less CPU.

First of all, following the stupid rules requires you to use baroque lint imitations which will go off on every line of idiomatic C. You need a paper trail to justify every line of code. Seems about right, people's lives are in danger, right?

Now consider that the controller system is hundreds of thousand of LOCs(for us it's more like millions). Most of that is crap boilerplate code required by the standards. This means if you follow that methodology strictly, you need hundreds of people going through mindnumbing lists of "You are not using this argument/This code assigning an argument to itself does nothing". Given that most software developers are inept and overworked, I can give you a certificate that there will be bugs.

It took me two weeks with the code to find a checksum function used all over the place that had been "fixed" to detect offset data after some earlier corruption bug was not detected.

Every 256 bytes "checksummed", a bit from the input would be left unaccounted(And it was actually used for data several times larger than that). I know for a fact that had to go through at least three source and design reviews and at least one more design review with some fat managers higher up.

Now tell me you feel safe.

Note to PHBs: Googleing up a fucking working CRC and getting a CS PhD to make a formal proof that it will work as intended would have cost far less.

Also, you see, the crappy CPU vendor stack measuring tools - that rules say we must use to guarantee safety - don't account for function pointers(they do show scary icons for recursive functions). They say foo(384) bar(uhhm... maybe 0?) I know to look for that when I add calls to function pointers, but I guess most people don't.

Now you add another rule. LOZRA 4092: You can't use function pointers at all.

Make my life more miserable, give the remaining work I will be unable to do to Dave, the monstera plant, or someone with the same programming aptitude.

I will give the crappy CPU/Compiler/RTOS vendors that should be sued free advice:

0- Add an MPU

1- Add canaries to every function call with any local variable at all(here it's not hackers it's programmers following LOZRA 396: cast the shit off everything so the compiler can't tell)

2- Add stack overflow canaries on every task switch. (add an MPU and align to page in the stack growing direction)

3- Add canaries to any memory pool allocation. (add MPU dead pages - You don't need RAM, just fucking address space of which you are using like 2%)

4- If any of the above traps, jump to a customer defined function(stored in ROM than can only be physically modified by outside hardware) that puts all vital hardware in a safe state, adds a record to the black box and reset the whole thing from scratch.

5- Forget about tasks and threads and move on to processes running on separate address spaces. If information must flow from a to b it better go through accepted channels. 6- Did I tell you to add a fucking MPU!?

Re:coding standards

[Grishnakh]

Hate to be nit-picky here, but that's not true. It's a great idea to not use malloc() in a real-time application, for reasons of performance. But it can't overflow the stack.

You're right about the stack, but you're wrong about the reasons to not use it. Dynamic allocation is forbidden in any decent (safety-critical) real-time application because it's non-deterministic. Anything which isn't deterministic is eliminated or minimized as much as possible. This also includes CPU caches.

Re:coding standards

[swfuggles]

Forgive my ignorance, but given C's linking and visibility spec ... what platform/toolchain will create static variables on the stack?

Re:coding standards

Points two and three have nothing to do with stack overflows.

Point two can be proven not to occur by the use of static stack use analysis tools.

Point three is only a problem if you invoke malloc at the wrong time and aren't prepared to handle failure - but it won't fail silently in the manner a stack overflow typically does (until you notice the corruption the overflow causes)

Re:coding standards

No local variables? That means that all your variables are global, and there's a risk that once function could set a variable when it's not supposed to. I would actually say "no global variables that don't represent global state".

Since local variables can only lead to stack overflow if you have recursion, and recursion itself is banned, there's no reason to ban local variables. Without recursion you can precisely compute the length of each possible call chain, then compute the amount of space used by the local variables along each call chain, and thus compute the exact stack size needed for any non-recursive program.

And how does malloc cause stack overflows? It can have other problems, like running out of memory, memory fragmentation, and non-constant-time behavior -- but it absolutely will not cause a stack overflow.

dom

Re:coding standards

>> absolutely no local variables. it could lead to stack overflows.

So you use globals instead. That's even more dangerous from my perspective. Especially in a tasking OS.
If you are not recursing, using an ANSI compliant compiler, and ensure all of the function prototypes match the calling parameters (e.g. no compilation warnings), your use of local variable should be exceedingly safe. Unless, your creation of task control blocks is out of control but that's an entirely different failure at the system design level.

>> absolutely no use of of malloc or free. it could lead to stack overflows.

Do you mean memory leaks, running out of space on the heap?

Re:coding standards

[russotto]

Most embedded code is terrible, and the programmers themselves are completely full of themselves.

Certainly most embedded code is terrible. I've worked on systems from the smallest to the largest (4K ROM + 128 bytes RAM to Google-scale) and it turns out that MOST code is terrible. There was one embedded project I worked on where most of the code was a horrible mess... and then there was this one little module that was beautiful. And not by appplication of any rules like "no function pointers"; no, it was just written by someone (not me) who knew how to do software design. I'd heard he was a pain to work with and wouldn't let anyone touch his code base... probably true, but I bet it was because he didn't want the rest of the idiots trashing his code.

Still. Recursion in an embedded system? That's a red flag. If you're going to go through the trouble of managing the stack depth so it's always safe, it's probably just as easy and more efficient to do an iterative algorithm or one with an explicit stack.

Dynamic allocation isn't quite as bad; you can do it, but you either have to be very careful it can't fail, or you have to make allocation failures result in acceptable though degraded behavior. Theoretically that's always true, in practice most programs on larger machines just assume they've got as much memory as they want and fail hard if they can't allocate.

Re:coding standards

[AmiMoJo]

I don't know if any actually do, but technically there is nothing that forbids it from happening. We have audited a particular version of GCC that we now use, and know for sure that it never puts static variables on the stack.

Re:coding standards

[swfuggles]

I was the AC, you were responding to (decided I should make an account).

I agree, recursion in real embedded systems is a red flag. If you have a 512B stack, recursion is certainly not the best idea! Personally, I deal with dynamic allocation on a case by case basis.

I just can't stand this idea that "pointers" are dangerous, optimization is bad, and error checking is a pointless because the "hardware always does what its told". I feel that you can build a solid case for no recursion. But most other things, I don't think inherently decreases system reliability.

Re:coding standards

BRAKE

BRAKE

badger
badger
badger
badger

Re:coding standards

[Grishnakh]

Sorry, but you obviously don't work under DO-178 standards. #3 is still in use in highly-reliable systems (or part of it; you can allocate memory, you just can't ever free it. So you allocate all your memory at the beginning of program execution, and everything stays static after that). I don't remember anything about #2 however.

These aren't the result of budget restrictions; these same rules (#1 and #3 again, I think #2 is an error or something) are used currently on commercial and military aircraft.

Re:coding standards

Either that, or they've been bitten by the 'agile' bug ... just push crap out as fast as you can, and fix symptoms later ... eventually the whole thing comes apart at the seams, but most software doesn't have an expected lifespan of more than a couple of years anyway. What ... this doesn't apply to control systems ? ... sounds like backwards, legacy thinking to me ... why they don't code control systems in Ruby or CoffeeScript is beyond me, they're so stuck in the past ...

Re:coding standards

[tjb6]

I think the standard you are referring to is MISRA.
I can't see any good reason why recursion would be used in such a control system, and in any embedded application it is asking for trouble - principally (as you say) stack overflows.

I am less convinced of the dangers of using local variables - the trade off is to use globals, or at least global to file (C static global), which is an open invitation to side effects all through the code.

Use of malloc or free - might not cause stack overflows, but
  1) can easily cause heap overflows, which can be as bad.
  2) can fail to return the memory, which is difficult to handle robustly in an embedded application.

We don't use the full MISRA set (for radar systems), but we absolutely do not allow recursion, or dynamic memory use. Nobody wants their control system to run out of memory after a few hours/days use, and fail (eg Patriot failure in Iraq).

Re:coding standards

[tjb6]

It's not so hard to track down local variables.
If you have a failure, you will have a stack pointer, and your memory map will give you an offset into the stack allocation for the function in question.

For those of us 'doing it old school' (mc68302 processor, no hardware debug support at all, no RTOS), the standard tools are a logic analyser dump and the compiler memory map output. Same tools are applicable to many other environments.

I have had to do it more times than I like...

Re:Mental stack overflow of the driver is more lik

I think it was also related to the push button start feature. Most older drivers are familiar with, turn key, engine shuts off, not hold button for 5 seconds to turn off engine while panicking.

Got it Handled!

[FatdogHaiku]

I have just finished my patent application for the steering wheel mounted Ctrl, Alt, Delete button combination...
Problem solved!**

**Some users may experience complete lack of vehicle control while the system is rebooting.

Re:Got it Handled!

"Hi! Looks like you're trying to reboot your car! Can I help?"

Stack overflow vs. buffer overflow (difference)

[Trax3001BBS]

For anyone else that's curious; at first I thought it was double speak, so not to sound as bad.

Stack overflow refers specifically to the case when the execution stack grows beyond the memory that is reserved for it. For example, if you call a function which recursively calls itself without termination, you will cause a stack overflow as each function call creates a new stack frame and the stack will eventually consume more memory than is reserved for it.

Buffer overflow refers to any case in which a program writes beyond the end of the memory allocated for any buffer (including on the heap, not just on the stack). For example, if you write past the end of an array allocated from the heap, you've caused a buffer overflow.

http://stackoverflow.com/quest...

Re:Stack overflow vs. buffer overflow (difference)

I'm horrified that there are people here who didn't know that before reading this story. Oh, poor Slashdot, what has become of you?

Re:Stack overflow vs. buffer overflow (difference)

[Bite+The+Pillow]

Well, here's proof that a new generation of coders has arrived. It's +5, meaning at least 3 representative members found it worthy of mod points.

Monday morning, the boss will hear a recommendation to not hire anyone under 30 for safety reasons.

Re:Stack overflow vs. buffer overflow (difference)

[Trax3001BBS]

Well, here's proof that a new generation of coders has arrived. It's +5, meaning at least 3 representative members found it worthy of mod points.

Monday morning, the boss will hear a recommendation to not hire anyone under 30 for safety reasons.

While I'll always speak fondly of the Amiga it stopped my programing cold, the basic was so dangerous to use, I had to quit; or toss the Amiga out a window.

Prior to the Amiga was the TRS-III (hint much...much older than 30) that I self taught myself Basic and assembly language, I can write great scripts, and crack some programs, but not so much on the coding (gasp).

A 5 does surprise me as well, I thought I was treading on thin ice :} but as informative to others as myself.

Two words

[daniel142005]

Manual Override

"Stack Overflow" not good for discussion site.

[Futurepower(R)]

Technically knowledgeable people often give very poor names to their efforts.

Re:"Stack Overflow" not good for discussion site.

Oh come on.
Lots of companies have bullshit names.
Most of them are just the name of the person that founded it.
It's perfectly possible to write the headline in an unambiguous way.

Unintended acceleration possibly caused by stack overflow.
There you go.
The way it's written makes it sound as if a stack overflow is explaining something, rather than it being the explanation.

Re:"Stack Overflow" not good for discussion site.

[firewrought]

Technically knowledgeable people often give very poor names to their efforts.

I thought "Stack Overflow" was great branding for a website aimed at helping programmers solve technical problems. It's a distinctive, cheeky in-reference understood by its intended audience. (And honestly, it didn't hurt that most developers enjoy being made to feel clever about themselves.) That's what a brand is suppose to do, and it partially* explains their overwhelming success. And hey, much better branding choice than ExpertSexChange.com!

*Of course, branding is just one of many things they did right. They also filled a unique niche, understood their community (because it was started by programmers, for programmers), and made the site super-easy to use by (here comes the important part...) NOT crapping over the UI with a fake paywall that sought rent for years' worth good-faith user contributions. However, they are sort of starting to be dicks about subjective questions (such as help with API choices, etc.). That may provide a niche for a new competitor to fill...

Re:"Stack Overflow" not good for discussion site.

[Geeky]

They certainly do, just ask Leonard of Quirm.

Re:"Stack Overflow" not good for discussion site.

https://programmers.stackexchange.com/, https://softwarerecs.stackexchange.com/, possibly others. By trying to maintain focus they're starting to suffer from fragmentation.

NO

[confused+one]

First rule of real time: No recursion.

Re:NO

second rule, STACK FENCE.

jr

Re:NO

[Tonyrockyhorror]

Second rule of real time: see the first rule.

turn off the car?

[ironicsky]

I used to have a truck with a sticky gas peddle. As in I pushed it down and it didnt come back up. I quickly learned a secret... when it happened, I turned the truck off, dropped it to neutral, and breaked.

I knew that when I was 16. Why cant people figure that out 15 years later?

Re:turn off the car?

[dfsmith]

Some modern cars don't turn off. The start button is software, not a switch backed by a big power relay.

Re:turn off the car?

[twistedcubic]

The acceleration continued when the Toyotas were put in neutral. Look it up.

Re:turn off the car?

Because even you, at 31, can't even spell BRAKE? Or PEDAL?

Re:turn off the car?

[psithurism]

I used to have a truck with a sticky gas peddle. As in I pushed it down and it didnt come back up. I quickly learned a secret... when it happened, I turned the truck off, dropped it to neutral, and breaked.

I knew that when I was 16. Why cant people figure that out 15 years later?

Firstly, things have changed quite a bit in 15years: The car decides when it turns off for you (just like how it decides when you want to drive really, really fast). I've never owned one of these kinds, but some of these models had a big on button, then they turned off when you left the car (I'm probably not entirely right, I never owned one).

Secondly, a sticky gas pedal means you were going fast and you don't want to anymore, you are already somewhat prepared for speed. When you are just idling somewhere and suddenly the car decides it wants to go, you might not even be

And thirdly, good for you being a genius and all; I now know the proper sequence, but the first time the sticky gas pedal happened to me, it took me a few seconds to figure out. I was on an empty road at the time so the eighth of a mile or so I was burning rubber was no big deal, but if I had shot off from my driveway, I would have been doing 70mph through my neighbors living room (Actually, my car was a P.O.S. and could barely do 60mph on the freeway, but if I owned some fancy car from the current century, you get the idea).

Re:turn off the car?

I tried to, but didn't find a single source to support your claim. Would you be kind enough to point it out?

Re:turn off the car?

[twistedcubic]

No.

Re:turn off the car?

"when it happened, I turned the truck off, dropped it to neutral, and breaked."
 
1) Electronic ignition, controlled by the runaway ECU.
2) Electronic shifter preventing shifting into neutral while accelerating to prevent engine damage (And likely controlled by the same runaway ECU)
3) Braking when you're already at speed, with momentum, a decent engine, and no ability to drop into neutral or turn the car off can be rather difficult. Perhaps add in some worn-out brake pads or warped rotors, and you're fuxored.

Re:turn off the car?

[drinkypoo]

The accelerator pedal stuck on my 1982 Mercedes 300SD. I got my foot under it and got it to come up, because it uses a linkage and not a cable. Turned out that the grease used for the linkages was inadequate and had run away. I replaced it with sil-glide and haven't had a problem since.

If anyone would like to buy my 300SD, I just got an A8 and I need to get rid of the Mercedes. I live in NoCal and the car runs like a mad bastard. Drop me a line, luddites :D

Re:turn off the car?

[green1]

Interesting, my 1983 300sd had the throttle jam open on me once too, wasn't grease though, the pedal broke off the metal lever and jammed against it. It's a good thing I was able to think fast and turn off the ignition and stand on the brake because it chose to do this at a very inopportune moment entering a small and very crowded parking lot.
Of course that was back in the days when you had the option to shut off the ignition without using an unintuitive interface to ask permission from the same computer that may be misbehaving while you try to do so...
The brake pedal should include a physical disconnect for the throttle, not implemented in software.

Re:turn off the car?

[Grishnakh]

You press the start button and hold it for several seconds to turn it off.

I do agree, it sucks compared to a regular key-switch that you just turn off without having to wait, but it's not true that you can't turn the engine off. It's just like the ATX power button that computers have had for about 20 years now.

It does seem like it wouldn't be a bad idea to add in an override switch if you have one of these cars, so you can instantly turn off the engine if you need to (the switch would turn off power to the main relay).

Re: turn off the car?

[dfsmith]

Does the "hold it down" technique work when the software has had a fatal stack overflow, for instance? I've had ATX PSUs that didn't respond (unplugging for 3 minutes fixed it: some transient mobo fault). That technique is tricky when power's under the hood.

Re: turn off the car?

[Grishnakh]

I have no idea. It probably depends on the vehicle. If they implemented it in a smart way, it'd be done with a small microcontroller (like a PIC or AVR) that isn't doing anything else. The assembly code for this would be pretty simple, even if it had some CANbus communication with the ECU.

Re: And we're going to trust self driving cars now

[hermitdev]

I've known a lot of high-quality developers over my 15 years of professionally developing software. The reason I don't want an automated car is because of these people. People make mistakes, intentionally or otherwise. There are unforeseen circumstances that the software may not understand. A foreseen circumstance: I've yet to see a demo of an automated car navigating anything resembling an icy surface (safely or otherwise), let alone in stop & go traffic in a city such as Chicago, where such things are quite common.

Yeah, but we know today who pays: the insurance company of the at-fault driver (provided they have the legally required insurance - I think collision is required in all US states). Failing that, the at-fault driver. Failing that, the dead at-fault driver's estate.

The question at hand is, in the case of an automated car, who is at fault (when the automated car is deemed to have caused the accident)? The manufacturer, because, it must have been a design/implementation flaw? The owner? The driver (because owner/driver aren't necessarily the same)? It becomes more difficult when you divest yourself from current paradigms of car transport. Oh, I sent my 6 year old daughter to school as a passenger, and along the way it ran over someone. There was no driver (the daughter was a passenger), but the car still killed someone. Am I at fault because I ordered the car to make the trip? Is the manufacturer at fault because the car didn't detect and prevent the collision that killed the other party? Is my 6 year old daughter at fault, because she was the only human occupant? This is the question that is being posed.

Drive Older Cars

Drive older cars. They're not getting better anyways. Just more complex. e.g. Television for each passenger and 28 cup holders....

In Canada Engineers Are Required to Write the Code

[celest]

In Canada, the public is protected from such software bugs by statute, in the same way the public is protected from medical screw ups: a professional engineer is required by law to write any software code where safety is on the line. Just like when a new bridge is constructed and must be designed and validated by a professional engineer who is an expert in structures and who becomes professionally liable for the project, the same is true for software. If safety is on the line, a professional engineer who is an expert in software and/or computer systems (as the case may be) must design and validate the code and they become professionally liable for the software. Unfortunately, too many companies ignore the law.

Source: Professional Engineers Act of Ontario (http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90p28_e.htm ) and Professional Engineers Ontario (http://www.peo.on.ca/). There are similar acts and professional associations for all provinces and territories in Canada.

Full disclosure: I'm a professional computer engineer registered in Ontario with PEO.

SystemD

systemd is the answer.

Re: And we're going to trust self driving cars now

[JMZero]

People make mistakes, intentionally or otherwise

Yes, people do make mistakes. Often while driving. The test shouldn't be whether automated cars make mistakes, but rather whether they do better than an average driver. Can they deal with icy roads as well as an average driver? That bar's pretty low, even here in Edmonton.

Once they've reached that average competence and start being deployed, they'll also improve rapidly over time; computers have the potential to be much safer drivers than humans. They'd know where other cars are and where they're going, they'd be able to apply brakes to wheels independently with lightning reactions, and would not be subject to health conditions, intoxication, aging, or inexperience.

I'm not sure how far off we are, but it's definitely coming.

Way to dumb it down EE Times

[wiredlogic]

FTA:

Just to clarify, the "tasks" are equivalent to apps running on smartphones or PCs.

It's sad that a publication targeted to EEs has writers that dumb everything down with this sort of populist pap.

Re:Live in a cave

[Immerman]

Or at least avoid any software-controlled devices capable of killing you. And hope you never need a CAT scan. Yeah, can't think of any examples of microwaved people, but you *know* that somewhere in the software there's an extremely rare corner case that will fail to shut off the x-ray source.

Re:Live in a cave

You're one to talk, you can't tell break from brake. Idiot.

Dangerous recursion!

[mveloso]

From the slides:

"Toyota used dangerous recursion"

Not like that safe recursion that other vendors use.

Re:Dangerous recursion!

[thoughtsatthemoment]

Safe recursion is you check the depth and stop at a certain level. Not totally uncrashable, but safe.

Re:Dangerous recursion!

[Cassini2]

When interrupt handlers are considered, it is very difficult to "stop at a certain level." I'm not aware of any processors that have a software stack, and check the the stack depth when responding to an interrupt in hardware. If hardware paging is present, some operating systems use guard pages to make software stack overflows detectable. However, many embedded systems do not have a hard disk, and as such, don't implement virtual memory and hardware paging.

In the small embedded processor market, the best you can hope for is a hardware stack (like some Microchip products use.) If the hardware stack overfills, then a hard reset occurs.

Re:Dangerous recursion!

[thoughtsatthemoment]

I am not familiar with hardware as much as you are, but I think you can still keep a counter of re-entrance as a safety measure. If a function fails this way, action is not taken, like acceleration of the car.

Re:Dangerous recursion!

[Jeremi]

In the small embedded processor market, the best you can hope for is a hardware stack (like some Microchip products use.) If the hardware stack overfills, then a hard reset occurs.

It seems to me that a better approach would be to have the linker (or some post-link build tool) use static analysis to determine the program's worst-case stack usage, and abort with an error if that usage is greater than the amount of stack space that will be available.

Some programs (e.g. those that use recursion or alloca()) may have potentially infinite stack usage, but that's fine -- in this application, those programs are considered unacceptable and should not be allowed to generate an executable.

Re:Dangerous recursion!

And suddenly you heard a cry in the haskell force, like ten people screaming and then silence

Re:Dangerous recursion!

[mveloso]

The joke is there's no such thing as safe recursion - there's making recursion safer, which is what checking your stack does - and which you usually can't do from inside your high level language.

Making recursion safe isn't safe recursion; it's hacking your runtime because your runtime isn't enforcing runtime boundaries.

Re:Dangerous recursion!

[romons]

Many processors will use alternate stacks to service interrupts. All the user threads use a different stack pointer. Some processors allow you to set up different stacks for each level of interrupt.

Also, you don't need a disk to do guard pages, just an MMU. I did it for a MIPS OS I wrote, mapping stack pages out into the boonies of the address space. Overflow or underflow caused a page fault, which vectored to a recovery routine.

Re:Dangerous recursion!

[romons]

Also, microchip hardware stacks wrap around (surprise!). For a PIC16F683, the stack holds 8 return addresses. If you push a 9th element, it will go into location 0... You also need to keep another software stack if you want to save registers or allocate local variables.

From section 2.3.2 of the data sheet:

The stack operates as a circular buffer. This means that after the stack has been PUSHed eight times, the ninth push overwrites the value that was stored from the first push. The tenth push overwrites the second push (and so on).

also

Note 1: There are no Status bits to indicate stack overflow or stack underflow conditions.

I've seen example code from microchip that uses this to avoid returning from interrupts. They just handle the interrupt and reenable interrupts, and then busy loop at the end of the interrupt routine, waiting for the next interrupt to take them to the top of the routine again.

Somebody was on drugs when this was designed.

Mechanical throttle "stopcock"

This drive-by-wire shit would be cool if everything were built to aircraft flight control standards, but it is not nor will it be and proponents need to FACE that reality.

Safeties should be SIMPLE, not cute.

A mechanical throttle with a good old-fashioned return spring is most appropriate for use on street vehicles. Not perfect, but proven to be highly reliable.

Re: And we're going to trust self driving cars now

[ebno-10db]

I've known a lot of high-quality developers over my 15 years of professionally developing software. The reason I don't want an automated car is because of these people. People make mistakes, intentionally or otherwise.

When it comes to true high-rel software, like that written to DO-178B Level A (an avionics software standard used for things like fly-by-wire) it's almost never the software per se that's at fault. The stuff is amazingly good. It's also amazingly expensive to write and test. You might also find it frustrating because it brings new meaning to the idea of conservative design. For example, I don't think it allows recursion. I know it doesn't allow dynamic allocation.

There are unforeseen circumstances that the software may not understand.

That's more the point. When things like fly-by-wire systems have problems, it's almost never the software itself, but something that was unforeseen by the system designers.

A foreseen circumstance: I've yet to see a demo of an automated car navigating anything resembling an icy surface (safely or otherwise), let alone in stop & go traffic in a city such as Chicago, where such things are quite common.

Agreed. This technology is interesting, but it's way over-hyped. It's impressive to be able to drive on a nice clear day, but a far cry from the real world, even in Silicon Valley, let alone Chicago.

Ever hear of the flying cars that in the 1960's they said we'd all have soon? I haven't seen any lately. I suspect driverless cars robust enough not to require human intervention when the going gets tough may be developed on the same schedule.

Re:Live in a cave

[ebno-10db]

you *know* that somewhere in the software there's an extremely rare corner case that will fail to shut off the x-ray source

Certainly you should assume there is, and have some sort of "dumb" safety override (e.g. a simple timer, not in software). Doing otherwise in a system like that is madness.

Re:Live in a cave

[NiteTrip]

I had my car suddenly accelerate on me before. I was driving along and suddenly the pedal felt really strange and it start accelerating, even when I took my foot off the pedal. I turned off the car and pulled over. Turns out the rubber mat I put in to protect the inside of my car from wet/snow had somehow managed to flop on top of the pedal and pushed it down. When I heard about these Toyotas accelerating on their own, it's the first thing I thought of.

Re:Live in a cave

[D'Sphitz]

During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.

I'm currently weighing your hunch against the industry experts who reviewed the source code, identified specific flaws in detail in an 800+ page report, and testified to their findings, presumably under oath. I'm on the fence here, it's a tough call. I'll let you know what I decide.

Although I'll admit I get the feeling that there is some kind of conspiracy going on here, probably related to an Obama Muslim invasion. I mean, what are the odds that the "several hundred [people] contending that Toyota's vehicles inadvertently accelerated" all happened to be fans of Toyota's with the same electronic throttle control system?

Re: Live in a cave

[Bobb+Sledd]

Ok. it's very real. happened to my father-in-law several times before any news broke of this. so claiming it's the driver is pointless waste of time. now you can actually suggest something helpful.

Re:Live in a cave

[wonkey_monkey]

http://en.wikipedia.org/wiki/T...

That close enough to what you were thinking of?

Re: And we're going to trust self driving cars now

[Immerman]

You should check out some of the work done by the more adventurous self-driving car projects - I don't know about ice, but there's one that can drive an open-wheeled indycar around Nurburgring in the rain with professional-class lap times (and if you've ever driven Nurburgring even in a simulator you know it's not exactly easy driving to begin with)

As for liability it would seem pretty obvious: unless the accident was found to be due to improper maintenance, it's due to a faulty product and the manufacturer is at fault. Unless product liability laws are changed, and that would probably be a pretty bad PR move for the carmakers - probably cheaper to simply get a little extra insurance.

Of course the natural extension is that, given proper maintenance, the owner can't possibly be liable for accidents caused by the vehicle in self-driving mode, so if you remove the steering wheel there's no reason to require them to carry liability insurance at all.

What about the brakes

Nothing can explain the simultaneous loss of brakes. The brakes on all cars are far more powerful than the engine, and in most cases the stopping distance with an engine that is floored is only 5-10% greater than with the engine at idle.

Re:What about the brakes

[mc6809e]

There were actually two visible skid marks. One track from normal braking and another from pulling up the emergency brake.

It wasn't enough.

Re: And we're going to trust self driving cars no

I would have set up the laws, if it were me to do so, such that owner of auto-drive car must have insurance and insurance must pay. Insurance may attempt to collect from any negligent party.

rounding error

[thoughtsatthemoment]

Integer issue that integer overflow or rounding errors could be another potential cause. But if they figured out it is indeed stack overflow, that's excellent debugging.

Re:Live in a cave

[The+Grim+Reefer]

Or at least avoid any software-controlled devices capable of killing you. And hope you never need a CAT scan. Yeah, can't think of any examples of microwaved people, but you *know* that somewhere in the software there's an extremely rare corner case that will fail to shut off the x-ray source.

Something like this?

This one was operator error. But you'd think there would be better software checks in place so this would be impossible.

The crazy thing is, is that MRI scanners have required the weight of the patient to be entered for many years so it won't cook the patient with RF pulses. The good new is that the CT incidents in the links above caused a nationwide acknowledgement of the dangers of radiation exposure in CT scanners. So it really helped to create the current generation of scanners with significantly lower dosage.

Re:Live in a cave

like, say.. an ignition key? oh, oops..

(yes, i flipped back to the source material)...

-r

Re:Live in a cave

Did they also discover a flaw in the brakes such that they could not overcome the engine power? This was the point of the parent post, I think. Modern cars have sufficient braking force to completely stop the engine even at full throttle. So if the driver is "stepping on the brake really hard," the car should stop in spite of a stuck throttle, unless a simultaneous brake system failure can be demonstrated.

This same thing happened to Audi in the 1980s and as far as anyone can tell, objectively, it was at most a flaw in pedal placement that made the driver more likely to mistake the gas pedal for the brake while stomping something down to the firewall. They solved it by moving the pedals a little.

You cannot really go by the driver's self-reported experience alone, when the concern is that the driver may be confused. They may have an extremely firm belief about what happened, and that belief may be mistaken.

Re:In Canada Engineers Are Required to Write the C

In Canada, the public is protected from such software bugs by statute

Unfortunately, too many companies ignore the law.

Re: Mental stack overflow of the driver is more li

[Bobb+Sledd]

my father-in-law was nearly killed by one of these acceleration events and he's not even close to elderly. he was sitting at a stop sign waiting for a train to pass when the car inexplicably accelerates and lurched forward. he told me this story before the media broke any of theirs. he said this happened several times with this car and it wasn't a floor mat or anything like that. so I think it's idiotic to completely dismiss this as driver error.

A Stack of Floormats?

Wasn't that what caused all the trouble ...

Re:In Canada Engineers Are Required to Write the C

What do you do about imported products? Like cars...

Exception handling

[manu0601]

It should not be that hard to handle the stack overflow exception in a safe way.

First make the crash reliable, either by having a read-only page at the end of the stack, or by monitoring the stack pointer on each function call if the hardware is unable to do it

Then once the process crash, detect process termination and stop the car.

Re:Live in a cave

[Immerman]

Yeah. Seems like leaving out an obvious and fail-safe emergency off switch from your designs for a potentially lethal device is grade-A stupid. I can't imagine what some of those automotive engineers were thinking.

News like that make me miss my old cars

[quax]

Drove a Mercedes 190D once. Alternator quit on a long distance drive. I only noticed because the radio stopped working.

(Car had a great mileage, too.)

Re:Live in a cave

[Immerman]

Considering that the discover of X-rays died from radiation-induced cancer (IIRC) it's sad to believe that there was ever any doubt about the risks.

Outsource to Lockheed Martin or Boeing

How may times have you heard about an F-16 experience "unintentional accelleration"? Hire the Avionics engineers from defense contractors to write your drive-by-wire car. It will increase the cost of the car to a few mills but hey it's only money...

Even mechanical throttle is no cure...

Even mechanical throttles have been known to stick every once in a while. It's somewhat amazing that once we evolved away from the push-pull throttle on the steering wheel (around the dawn of the 20th century), the foot controlled throttles have never had a good way to positively 'close' the throttle. Sure you can stomp on it to open, but the best you can do is take your foot off the pedal and hope it returns closed under what ever mechanical or electrical means is provided.

Conversely, Car and Driver performed a test and found "Hit the Brakes", "Shift to Neutral", "Turn Ignition Off" or various combinations of the three are all very viable ways to stop a car...even going 100mph with the throttle wide open.

http://www.caranddriver.com/features/how-to-deal-with-unintended-acceleration

Re:Even mechanical throttle is no cure...

[pjbgravely]

How can users protect themselves from sometimes life endangering software bugs?"

Simple, with a car make sure it has a throttle cable and a clutch peddle.

I know I can hear it now, you can't buy a car with a throttle cable and you can't drive standard in a city.

If everyone stopped buying cars with throttle by wire, they would stop making them. The rest of the world drives standard in a city, you can too.

Re:Mental stack overflow of the driver is more lik

[phantomfive]

I think it was actually two problems. There was the problem reported by Wozniak, where cruise control would start to accelerate, but tapping on the brakes would fix the problem. It was a bug, but it wasn't life-threatening at all.

Then there is the problem of the car going wildly out of control, unable to stop even when the brakes are applied. That one seems to be a case of foolish driver syndrome.

Re: Mental stack overflow of the driver is more li

[phantomfive]

he was sitting at a stop sign waiting for a train to pass when the car inexplicably accelerates and lurched forward.

Why did he take his foot off the brake?

Re:Live in a cave

[JonBoy47]

Many of these uncontrolled acceleration cases involved hybrid Toyota vehicles. In addition to the electronic throttle, Toyota's Hybrid Synergy Drive uses brake by wire, so the computer can dynamically use any desired combination of regenerative and friction braking, based on the hybrid battery charge state and the severity of the driver's control input on the pedal. These cars also eschew mechanical control for the gear-shift and the push-button ignition switch, relying on interface through the ECU.

It thus seems entirely plausible that a stack overflow, race condition or other crash/freeze/whatever could result in a wide-open throttle with no brakes and no gear-shift or ignition off control. if this is the case, it represents a epic lack of fail-safe design. It certainly doesn't help prevent operator error when Toyota uses a non-PRNDL shift pattern on their hybrids, to say nothing of the lack of industry standardization of the behavior of push-button ignition.

so call me an idiot

[kevlar_rat]

Check out this video where someone demonstrates putting both brakes and throttle to the floor at the same time, and yes, it does stop. It stops even faster with 'brake assist', which automatically cuts the throttle when the brakes are on.

Re:In Canada Engineers Are Required to Write the C

[Cassini2]

Almost all safety systems in Ontario have not been designed or written by a PEO licensed engineer. The PEO is the same organization that tried to get Microsoft to stop using the term "Microsoft Certified Systems Engineer (MCSE)" and largely lost. If you start analyzing real and deployed systems, you will be shocked at what you find.

Yes, there are a few very well designed machines out there that do hardware and software interlocks properly, and in an obviously safe fashion. These are the exception, and I am delighted to find the few exceptions that exist.

However, if you want excellent examples of obviously unsafe things, consider:

- The gas pumps at Shell, Esso, and Petro-Canada. How many brands have an Emergency Stop button? One?

- Toyota cars have a push to start button that is also a push and hold to stop button. So how do you stop the car quickly? Shouldn't a car that has push-button start, also have a push-button stop, that is a different button and works quickly? Why would Toyota follow the Microsoft standard of using a start button to stop, instead of following the very well thought out emergency stop button standards?

- Hospitals have implemented a number of computer systems that are networked, and make the job of nurses quicker, easier and more productive. This reduced nursing costs considerably, and fewer nurses are looking after more patients. However, these systems are not reliable, and the official backup plan is that a nurse will step in and do the job manually if the system fails. Unfortunately, many of these core systems are also running on Microsoft Windows (often Windows XP.) One virus, or one bad update, written by a non-engineer, to wipe out many core systems. A major hospital had its Internet linked systems disrupted because too many people watched Olympic hockey (over the critical internal network.) Has any engineer approved any of this? Does any hospital have enough nurses to cover off in the event of a computer failure?

- Most servo-motor drives are sold with a "not recommended that power be cut by an emergency stop/safety system" warning buried somewhere in the documentation. Ignoring this, and assume braking resistors are used, and power is really cut. Most motors will follow an exponential stopping curve, and appear to coast to a stop. A mechanical engineer doing a PSHSR (Pre-Start Health and Safety Review) will expect the machine to stop quickly, and not coast. The cheapest way to do that is to dynamically brake into braking resistor under full software and transistor control. The second cheapest way is to use a parking brake, but those are not rated for safety and only a fraction of the servo-motor market uses parking brakes anyway. How many PEO licensed mechanical engineers doing PSHSR reviews have passed systems with incorrect software E-STOP circuits and Safety Circuits, and failed E-STOP circuits and Safety Circuits that cut power to the motors in hardware?

Do not depend on the PEO and statutes to keep you safe ...

Re: And we're going to trust self driving cars now

[ebno-10db]

there's one that can drive an open-wheeled indycar around Nurburgring in the rain with professional-class lap times

Which doesn't mean driverless cars are much closer to being usable in the real world. Nurburgring, like any race course, consists of a single known path, and you don't have to worry about pedestrians walking across the road without looking.

Re:Live in a cave

[AaronW]

I have had a stuck accelerator on two cars, my '91 Ford Probe and a '66 Pontiac. In the case of my Probe it was due the throttle cable not retracting properly, a little oil and cleaning solved that problem. On the Pontiac it was the carburetor getting stuck. Most cases I read about are with older drivers, some of whom should no longer be allowed behind the wheel.

Read this before you blame the driver

[GrahamCox]

Anyone who knows anything about coding, or just has an interest in this case can read a great summary here: http://www.safetyresearch.net/2013/11/07/toyota-unintended-acceleration-and-the-big-bowl-of-spaghetti-code/ which also has links to the testimony of the expert witnesses to the court.

The testimony makes fascinating reading, and is based on analysis of the actual source code in clean-room conditions. If after reading it you still think this isn't a software problem, maybe you need to turn in your geek badge right now.

Re:Read this before you blame the driver

Hmm. Whilst there are software issues, like the guy said, 'all software has bugs', they never could prove the freakish environment where the software bug would occur.

In fact, I find it hard to trust the specialist who will make a fortune on this, especially when he categorically claims that it was a software bug and not a driver error - without proving it. His best response was that you can't prove that it wasn't...

I reckon she pressed the wrong pedal.

Also, I HATE it when someone claims that your wrong if you don't agree.

Re:Read this before you blame the driver

[AmiMoJo]

That article demonstrates just how clueless the guys doing the testing were. For example they complain that there "thousands of global variables", but that is actually the normal way to write safety critical firmware since local variables can cause stack overflows. They couldn't read any of the source code comments which were in Japanese either, only get poor machine translations of them.

Most damning of all though is that actually the skid marks the article claims are evidence of the bug are easily explainable, and indeed Toyota did offer an explanation. If the mat/carpet causes the brake and accelerator pedals to become linked pressing one with of course press the other was well. The driver could not explain why she didn't push the brake pedal hard enough to stop the car (even with max acceleration the brakes will always win over the engine), but Toyota could. The mat that was also pushing the accelerator was preventing her from fully engaging the brakes. The pedal could not be pushed down fully.

The fix was to change the firmware to stop accelerating when both the accelerator and brake are heavily engaged. So, in actual fact, the supposedly lethally flawed firmware is now saving people from their own stupidity.

Re:Read this before you blame the driver

Toyota should definitely blamed for its buggy software. But so do the driver.
There's fail safe devices in her car: Gearbox and brake.
The driver should be blamed for her mis-handling of the failure. She should have shifted to N and applied the brake.
It's the same rationale as flight incidents. Even if something on the plane is malfunctioning, as long as the pilot handles the failure correctly, most of the time it's not fatal. And if they didn't and someone died? Both aircraft manufacturer and the pilot should be blamed.

Re:Read this before you blame the driver

It's not clear if they were referring to global visibility or lifetime, I believe they may have meant the former. It is certainly not good practice to have thousands of global variables which are visible to all modules.

Re:Read this before you blame the driver

I read a good deal of Michael Barr's testimony last night and, while he was paid good money by the plaintiff's lawyers to discuss how the software would cause the accelerator to be stuck, the only working exploit he could come up with was a bit-flip exploit using a different year car than the car involved in this accident (and requiring the user to use cruise control).

If it's possible for a stack overflow to cause the accelerator to be stuck, where is Michael Barr's exploit code? To sound like a Reddit poster, "exploit or it didn't happen".

Re:Read this before you blame the driver

[swm]

local variables can cause stack overflows.

I've seen this assertion in two comments now.
How do local variables cause stack overflow?

If you aren't using recursion, then total stack space requirements can be computed from static code analysis.
If you are using recursion, then you can overflow the stack with return addresses alone.

BTW, I did read most of the expert testimony, and some of the expert report.
The suspect software is catastrophically bad.

Re:Read this before you blame the driver

Code littered with globals in any setting is shitty code. Static variables are not situated in the stack, but can still have limited scope (file, function).

Re:Read this before you blame the driver

[AmiMoJo]

When a function is called it allocates any local variables on the stack or assigns them to registers. Well, it's a bit more complicated than that, but basically local variables end up on the stack. If you make them static they are pre-allocated (on embedded systems) and you can tell exactly how much memory they are all going to use and how much is left for the all stack at compile time.

Re:Live in a cave

[perryizgr8]

but the brake pedal is also just a switch. if the computer is malfunctioning, that can explain the lack of any brake application too.

Re:In Canada Engineers Are Required to Write the C

>a professional engineer is required by law to write any software code where safety is on the line.

Uh-huh. Let's take a look at what it takes to become a PE.

• A degree
• Passing the Fundamentals of Engineering (a.k.a. Engineer in Training) exam.
• 4 years of experience under the supervision of another PE.
• Passing the Principles and Practice of Engineering exam

Yep, two exams and managing not to get fired for four years is all it takes. If that is sufficient to reassure you that having a PE on the job means that your product will be well designed and safe, all I can say is that you have a very low bar for reassurance.

Though the title of PE has a certain respectability associated with it granted to it by age, for software engineers, its not much different from worthless certificates such as A+ or MCSE.

Re: Mental stack overflow of the driver is more li

he was sitting at a stop sign waiting for a train to pass when the car inexplicably accelerates and lurched forward.

Why did he take his foot off the brake?

Maybe because he's an idiot and believed the engine was stronger than the brakes? One local elderly woman admitted that was why she lifted her foot off of the brake after a lamp she had in the front seat fell and jammed the gas pedal down. She hurt several people with her mistaken belief.

Overcome high-tech with low-tech solution

I don't have a problem with drive by wire throttle on cars.
Why don't automakers just implement a "master breaker" pull switch within driver reach? If the cars electronics go out of control, just pull the master breaker to cut all power to electronics and let the car come to a stop.

Re:Mental stack overflow of the driver is more lik

[luther349]

heh guess you never drove a really old rusty car. then again forcing the gas peddle back up or just using the brakes fixed the problem. had a old dodge rv that was good for the cable to stick. of course replacing the cable fixed it.

SEGV

Easy, do what the Aerospace guys do.

At the top of the stack have some fixed number of memory pages configured as no access. The hardware will issue an interrupt and based on the address at fault a stack overflow can be separated from a generic bad pointer de-reference.

Additionally, recursive algorithms are generally a bad plan for production software. There almost always is a suitable iterative algorithm for the task at hand. Additionally, what on earth would a low level throttle control algorithm be doing that would require a recursive algorithm even in the most naïve implementation.

Re: And we're going to trust self driving cars now

[Immerman]

Well, one of the interesting features, IIRC, was that no mapping was done by the AI, it drove strictly "by the seat of its pants", and had no trouble performing precisely controlled power-slides that would make most drivers shit their pants. If we're discussing the challenges of driving on ice I think that's very relevant. I don't remember if it had any specific moving-obstacle-avoidance code, but plenty of other projects are tackling that. Conceptually at least it shouldn't be difficult to combine one AI that says "go there" and "that apparently small obstacle has this much larger 'potential collision volume' ", etc. with a second AI that can put that car wherever it wants to regardless of the road conditions. I mean if the thing can flawlessly powerslide an indycar through a rainy slalom course I really doubt its little brother is going to have any trouble with maneuvering a normal car in bad weather.

Re: Live in a cave

[DigiShaman]

There was a recall issued on my 2010 RAV4 for that very reason. They replaced the weatherized floor mats (if you have them) and the gas pedal for one that is shorter at the bottom leaving extra room between it and the floor. In my case, it was a simple swap because it's all drive-by-wire (no physical linkage) and I had the normal floor mats that stayed in place with two hooks in the back.

Re: Live in a cave

[DigiShaman]

In what car?! All modern mainstream vehicles still use a master cylinder in tandem with a booster and ABS. Even if you lose all engine power, should still be able to apply the brakes. Although it will require more force to push the pedal down, it should still be doable to bring the car to a complete safe stop.

Computer control of Automobile safety functions

Software shouldn't control the throttle of a car your foot should

Re:Computer control of Automobile safety functions

Often its the brain command the foot that makes the mistake. It is too stupid to know the difference between a brake pedal and the accelerator. This happens more in the USA due to the low average IQ of that country.

I mean, it could happen

But it didn't.

Re: And we're going to trust self driving cars now

[FrozenGeek]

Even if the self-driving cars are well coded, what about hackers? Imagine a virus that causes, say, a million vehicles to go berserk some Monday morning during rush hour. Or even just causes a million vehicles to brick themselves. Yes, people can also go berserk, but you likely won't get a million of them doing so at the same time. Have we learned nothing from M5 or iRobot or Terminator? Methinks 'tis about time for a Butlerian jihad.

guns don't kill people

stack overflows kill people.

Re:guns don't kill people

[distilate]

stack overflows kill people.

Stack overflows don't kill people, sudden deceleration does!

Re: Mental stack overflow of the driver is more li

[gman003]

How many people keep the brake completely floored when stopped? I know I don't - I keep it down enough to stop the idling engine from moving me forward, but I don't doubt that my car would take off if I slammed down the gas pedal while stopped like I normally am.

Re:Mental stack overflow of the driver is more lik

More of what you said, when the drivers don't have a reason to be less than honest.

Re: Mental stack overflow of the driver is more li

Who said he took his foot off the brake? You believe something VERY wrong. You seem to believe that when you are stopped you have the brakes on as strongly as they can be. Not true at all. In actuality, most people are stepping on the brake only enough to stop the car from moving. If you step on the accelerator (and do not increase the pressure on the brake), the car will lurch forward, as you will no longer be applying enough brake to keep the car stopped. I know, you're going to try this to prove me wrong. And when you step on the accelerator, you will subconsciously also step harder on the brake.Have some one ELSE actuate the accelerator while you have the car stopped and you are unable to see what they are doing. Please do this in a large parking lot with a lot of room for error. I know of this because as a youngster (young and stupid still, at that time) my pals and I used to delight in pulling up behind each other at an intersection and pushing the other into it. VERY easy to do. Even easy to do a second time, when they're expecting it. Again - you're not applying the brakes as hard as you think you are.

Re: Live in a cave

[perryizgr8]

I really don't know. but I think I read in a lot of comments that these new Toyotas use a brake-by-wire system. even the start/stop button doesn't physically control anything, just another signal for the computer.

Re: Live in a cave

[TWX]

In what car?! All modern mainstream vehicles still use a master cylinder in tandem with a booster and ABS. Even if you lose all engine power, should still be able to apply the brakes. Although it will require more force to push the pedal down, it should still be doable to bring the car to a complete safe stop.

The brakes are never adequate to overcome the power of open throttle. NEVER. One is expected to stop pressing the throttle when applying the brakes, that's why one is taught to use one foot for both functions, so that one does not push both pedals at the same time.

Braking subjects lots of parts to massive thermal changes. Those changes significantly reduce the effectiveness of the brakes after only a small amount of use. That's why race cars and other performance vehicles that are expected to have *ahem* spirited driving have much more expensive brake components, that fade less.

Lastly, look at burnout competitions. In those, someone spins their tires for as long as possible, generating smoke and noise, usually either the longest-burning or the crowd favorite wins. Unless a car has been modified to allow only the non-drive wheels to apply brakes, then the same brakes holding the car still (from a standing stop position mind you, not starting out in-motion) are easily overcame by the drivetrain. Yes, the drive wheels spinning in a burnout competition have their brakes applied and it doesn't do a thing to stop the wheels. Sometimes even the non-drive-wheel brakes are overcome in a burnout competition, and the car crashes into something.

My daily driver is a '95 Impala SS. 260hp, 330lbft torque. Tires are 255mm wide, about 10 inches, and are "W" rated, meaning that they're high-performance for grip and are capable of handling extremely high-speed rotation. On smooth, dry pavement or asphalt it's very hard to do a burnout, the car simply overcomes the brakes and takes off, and that's with probably 75% of the braking force on the front, non-drive wheels. A modern FWD car puts all of its torque into the wheels that would normally do the lion's share of the braking, so once they're overcome, the rear wheels aren't going to do squat to stop the car.

This error is VERY dangerous. The ignition key should ALWAYS overcome the throttle. The brakes should ALWAYS overcome the throttle. The gear shifter should ALWAYS overcome the throttle. Hell, even the four-way hazards should trip the computer into resetting the throttle algorithm.

Re: And we're going to trust self driving cars now

[QQBoss]

At least through the mid-late '90s, the American car manufacturers that I dealt with (from the late '80s until then) that were using Motorola MCUs for ECUs had very strict rules that went beyond DO-178B specifically because they were terrified of liability issues (though whether or not this was true in what actually went into production, I can't be certain, just that these were the rules I was told they had to deal with and all our products must supply a way to achieve). I dealt with airline ECUs, also, and never found them to be afraid of caches, for example.

1) no caches, unless the caches could be locked and used effectively as SRAM
2) no DRAM holding any code that was timing dependent (in general, ECUs used only SRAM)
3) the only branch backwards in the code was at the end of the code back to the start of main loop, forget about having function calls.
4) if at any test and set a flag wasn't ready, signal it to be dealt with on the next pass where it could be upgraded to an error
5) any code not written in assembly must be refactored in assembly so that predictable timing could be established
6) in general, everything was polled and interrupts are reserved for panic situations

I did not enjoy working with them and watching them ignore feature after feature that could have improved performance get tossed out the window out of fear or problems that had been pretty completely worked through and resolved before I ever got to college, given enough CPU power and fast enough data paths.

Somewhere around 1994, though, I had the opportunity to start working with the Honda and Ford racing teams, where the culture was understandably different. Able to use 32-bit CPUs to full effect, combined with the 68332's TPU for their timing specific things, allowed them to make the order(s) of magnitude jump in performance to give the soft real time (x can happen before time y, as long as it is guaranteed to happen before time y or a signal is thrown; not the same definition of soft real time everyone uses) approach a fighting chance over the hard real time (x happens at time y, even if delays need to be inserted to make sure that happens; again, not the same definition of hard read time everyone uses) camp. While I am very happy that car manufacturers all seem to have made that jump in every area, knowing that thorough testing of complex code is frequently the first thing management gives short shrift as deadlines approach does keep me open minded to the possibility that software could be the problem in situations like the acceleration issues. I can't recall of a situation where inadvertent acceleration was tracked back to anything ECU related, for what ever that's worth. Other aspects of car management, however...

Wording

[rok3]

I might be an old geezer at this point but I feel like the Slashdot from my youth would have phrased this as "A Stack Overflow ..." as opposed to "Stack Overflow ...". I feel like editors nowadays a) have no clue what they are talking about b) are concerned with clicks over substance.

Re:Live in a cave

[viperidaenz]

You do remember correctly http://en.wikipedia.org/wiki/M...

Re: Live in a cave

[viperidaenz]

The brakes are never adequate to overcome the power of open throttle. NEVER.

Explain why cars can stop quicker than they accelerate then.

The brakes of any car can apply enough force to lock up the wheels at any speed. The engine can't. Not even a super car can spin the wheels above 100mph.

Re: Mental stack overflow of the driver is more li

Sitting at a stop sign with the car in "drive" is a driver error. His foot could slip off the brake and the car would move forwards, wither into traffic or into crossing pedestrians.
This is what we have things like neutral and handbrakes for.
He'd have failed a UK driving test there and then.

I know probably 90% of American drivers do this, but it's still not sensible or safe behaviour.

Re: Mental stack overflow of the driver is more li

[OverlordQ]

Because no brakes are better then some brakes, everybody knows that.

Re: Live in a cave

[viperidaenz]

I even found some information for you:
http://www.caranddriver.com/fe...

A 268 horsepower Toyota Camery can stop from 70mpg in 190 feet with the engine at full throttle. Only 16 feet longer than not throttle. At 100mph the stopping different was 88 feet.

When they tested a full throttle stop from 120mph, the car slowed to 10mph before the brakes overheated.

Perhaps you should put your foot harder on your brake pedal.
You are american though, so your Impala is probably an automatic. In first gear with the torque converter multiplying the torque it may be able to slowly move the brakes when they're fully applied.

Re: And we're going to trust self driving cars now

[Your.Master]

What about people randomly clipping power lines?

What about people with bombs?

What about people fucking with the traffic signals?

What about attaching the subway, bus, especially the ferry systems near islands.

This isn't the first scale attack possible. It's not even the first scale attack against transit.

a toast

[Immerman]

I thought so. What a shame. Though I suppose the fact that even she never really acknowledged the health risks of radiation exposure makes the later CAT-scan thing a little... anti-ironic? Is there a word for that?

I'd like to propose a toast to a brilliant woman that gave her life advancing the cutting edge of science. Let it never be said that either women or geeks don't have the fortitude to step boldly into the darkness and brave what demons may reside there.

Re: Live in a cave

[cloudmaster]

Well, if it was in article comments on the Internet, that's a whole new story... ;)

No one sells a car in the US with exclusive brake-by-wire, because nearly every state mandates the existence of a second braking system independent of the primary braking system. That's often the thing people call the "emergency brake," as compared to the "service brake." For IL, look at Article III at http://www.ilga.gov/legislatio.... They must be separated such that a failure in any one part does not leave the vehicle without brakes. IL also prescribes a maximum stopping distance from a couple of speeds.

Re: Live in a cave

even the four-way hazards should trip the computer into resetting the throttle algorithm.

Whoa... lots of idiots turn on hazards while moving, in the middle of a highway. I saw this in Virginia during snowstorms.

Not saying it's right or good, it just happens a lot.

Re: Live in a cave

[cloudmaster]

Weird. The stock brakes on both the '95 Caprice and '96 Impala SS sitting in my driveway can hold the car in place. That was true when the engine was stock, and is still true after adding a shift kit, PCM tune, cat-back, intake, and valve train upgrades. It's been true on both the factory tires and the substantially wider aftermarket tires. It might be time for you to replace your brake material; you're seemingly endangering the other cars on the road.

When you're trying to power brake, BTW, you'll want to let up on the brakes just a little, and mash the gas. Don't ease in to it. ;)

Re:Live in a cave

[viperidaenz]

It's been 20 years since automatic transmissions had a physical link between the shifter and the transmission.

Re: Live in a cave

A Camry gets 70 MPG? ;)

Anywho, a '95 Impala has a 3.08:1 rear gear ratio and a 4L60e transmission with a fairly low-stall torque convertor.

Simple

[bigjocker]

Use java

Re:Live in a cave

[tragedy]

Did they also discover a flaw in the brakes such that they could not overcome the engine power? This was the point of the parent post, I think. Modern cars have sufficient braking force to completely stop the engine even at full throttle

Is this definitely always the case? Under all conditions? There's a huge difference, for example, between holding down the brake while stopped and gunning the engine and slamming on the brake while already travelling 70 miles an hour with the engine similarly gunning. Static vs Dynamic friction for one thing. Not to mention brake exhaustion due to overheating. The pads and rotors heat up and the physical properties of both change, the rotors can warp, moisture can flash into steam and create a nearly frictionless layer, the properties of the brake fluid change, making it less efficient as a hydraulic fluid or possibly even vaporize. Coming to a dead stop once is probably not enough to do that, but if the accelerator goes crazy on the highway, people aren't going to suddenly stop. They will use the brakes to slow down, heating them up while they try to figure out what to actually do, where to pull over, etc. The brakes can heat up very quickly doing that.

Re: Live in a cave

"The brakes are never adequate to overcome the power of open throttle. NEVER."

Stupidly wrong. Car and driver actually tested this in a disparate group of vehicles, and in all of them the brakes would stop the vehicles even under the worst case scenario they were testing (highway speeds, full throttle in the lowest possible gear). http://www.caranddriver.com/fe...

"Lastly, look at burnout competitions."
This really shows some ignorance. When you're doing a burnout, you apply only a small amount of brakes, this is to stop the vehicle walking forward. Applying the brakes too hard is a common reason people have trouble starting a burnout.

OK, I'll be the first to post it...

[tlambert]

OK, I'll be the first to post it... "Go back to analog control systems". Ford Model T's don't have this problem, and neither do '63 1/2 Mustang convertibles.

Kill switch

why not give the driver an engine kill switch (hardware battery kill switch) similar to a choke or something. problem solved.

Re:Live in a cave

[CodeBuster]

Sort of makes you wish for that gas guzzling 1969 427 Camaro SS V8 with the mechanical throttle, dual 4 barrel carbs and enough power off the line to leave your Prius in the dust and all without a computer in sight.

A single processor always fails.

[Ateocinico]

Mission critical systems usually have a set of voting computers. Today electronics is cheap and the technology is not new. Maybe inertia prevents them of building something better. Very common in the automobile industry.

Re:Live in a cave

Sort of makes you wish for that gas guzzling 1969 427 Camaro SS V8 with the mechanical throttle, dual 4 barrel carbs and enough power off the line to leave your Prius in the dust and all without a computer in sight.

The only reason it needs all that power is so it can tow a gas tanker to compete with the range of the prius.

Re: Live in a cave (with switches)

[icebike]

In what car?! All modern mainstream vehicles still use a master cylinder in tandem with a booster and ABS. Even if you lose all engine power, should still be able to apply the brakes. Although it will require more force to push the pedal down, it should still be doable to bring the car to a complete safe stop.

If only the throttle was also required to have a physical linkage!

Unfortunately, once we abandoned the carburetor, there isn't much to link the throttle pedal to any more, and we are stuck with using it pretty like as a mouse. A physical pedal up fuel valve to reduce fuel availability to a level sufficient only to idle the engine might return some measure of physical control. Currently most manufacturers have the computer cut throttle when the brake is pressed, even if the gas is also pressed. (Toyota did not have this during their problem years and added it later). This has the side effect of teaching those idiots who drive an automatic with the left foot riding the brake not to do so. Unfortunately, this functionality is programmed into the same computer, (saving $37), and if that computer has entered stack overflow, it won't help.

But the interesting thing here is that Barr found a situation that (he claims) could in fact cause the engine to receive full throttle, when DOT and NASA could find no such problem and blamed it all on the driver confusing the pedals.

Even if the brakes would have stopped the car (eventually), after applying them fairly firmly for a while (for some values of "while") the car can experience rather sever brake fade. Anyone driving in the mountains has probably experienced this.

Without brake fade, Car and Driver found that from 100mph and up, the braking distance increased three fold, enough to convince the driver that the car was never going to stop. If this occurred after a long downhill, (hot brakes and plenty of fade) and the driver wasn't fully committed to hard panic braking, it seems plausible that a stuck accelerator pedal, or stack overflow, or floor mats, could extend braking distances enough to be deadly. When tested afterwards, the brakes would have appeared to be working again.

If you disallow all of these possibilities you are forced to assume that anyone reporting any unintended acceleration is a total idiot, which, given small the number of events, isn't completely out of the question, but the fact that almost all of these idiots tend to be driving a Toyota is suspicious.
After all, idiocy does not usually manifest itself by a predilection toward a certain brand of car.

"cost", is the root cause

I run a small business in India making software for automotive and embedded systems.

Between the car and the engineer, there are multiple middle men (OEMs). These middle men win bids with car companies purely on the 'feature vs cost' basis. Yes, there are standards. Yes there are rules. Yes there are certifications. But, when its a question of the cheapest bidder, it eventually boils down to the engineer quality. And, in India, we have enough idiots with an engineering degree without a clue of engineering, who fit the 'cheap' tag.

MNCs, hire these guys in masses and pay them more than they are worth. They have set the cost for a knows-nothing-does-nothing engineer as $20 per hour. I guess they are able to manage because of the lucrative banking and BPO businesses that they handle.

In the automotive side, OEMs are aggressive with the cost of development. I sit regularly in negotiation meetings which squabble over $11 per man-hour. Automotive software requires strong understanding of programming, electronics, and mechanical systems. There is no way to get such good engineers at $11. And there are competing companies in my line of business who work at less than $10. Basically, they just horde people who were not able to get a job elsewhere. There are companies who hold compliance certification but no development talent. They simply test and rubber stamp code from other cheaper vendors. OEMs engage a 'certification company' and a 'development company' in order to develop a product that is sold to a car company.

So, there you go.

And me, I am done with this domain. I am getting out soon. I am just waiting for my existing commitments to get over.

Re: Live in a cave

[Z00L00K]

It depends on if the ABS and/or brake servo is influenced by the bug and makes it harder to apply the brakes.

Be aware that most brake servos are using the manifold vacuum to increase the brake force. If the engine gets full throttle the vacuum is soon depleted and a much larger force on the pedal is needed which will be experienced as failing brakes.

Yes, bad names.

[Futurepower(R)]

Lots of companies have bad names. Yes. That's what I said.

Re: Live in a cave

I suggest not giving your wife an iq test, in case intelligence is genetic.

Perfect Software

[gd2shoe]

Anyone who thinks all software has bugs has never written "Hello World" in assembly.

Perfect, trivial software is clearly possible. Perfect software that's slightly more complex is also clearly possible. We haven't yet accepted that perfect software is possible, but we should demand it (for moderately expensive software, or where bugs will cost you money, for instance). A reasonably intelligent programmer writing a modestly complex program should be able to do so perfectly. That he can't, (because his tools don't help him do so) is infuriating.

Yes, almost all software has bugs. We are way too comfortable with the idea. Software doesn't need to have bugs. We just don't have toolchains and development stacks that encourage perfect software. It's as if engineers decided to only use modeling clay for buildings, because nobody sells steel, and it's too cumbersome to smelt their own.

The profession really is no better off for accepting this sorry state.

Re:Perfect Software

[dwpro]

I think the biggest challenge is that we don't _need_ perfect software when good enough will do. Nobody is going to pay for a house that has every measurement calculated and validated, with the perfect torque applied to each screw and every conceivable test method applied to each board and roof shingle. Even if it were, I still think we'd have houses that fall over because of poor design choices.

Though I agree that the tools can and should be better, I can't conceive of a toolchain or stack is going to tell me that I miscalculated a total because I left out a variable.

Re:Perfect Software

[maxwell+demon]

Anyone who thinks all software has bugs has never written "Hello World" in assembly.

Or he has, and the resulting program crashed. ;-)

Re:Perfect Software

[gd2shoe]

I can't conceive of a toolchain or stack is going to tell me that I miscalculated a total because I left out a variable.

But can you conceive of an IDE that displays expressions in a clear and understandable way? Compare the following:
a=2
b=10
c=30
(x^(a*c/30)-2^(bx))/(5a)

To the following pasted into Desmos:
a=2
b=10
c=30
$\frac{x^{a\cdot \frac{c}{30}}-2^{bx}}{5a}$

(Note that Desmos doesn't do copy/paste particularly well, but it does make it really easy to enter formulas from the keyboard.)

Which is easier to read? The mess of parenthesis, or the formula? Which one are you more likely to make a mistake, and leave out a variable? And that's really low hanging fruit. While I agree that we aren't going to get away from text programming, that doesn't mean that all of our real-time coding tools need to be austere and display everything on straight uniform lines. We're stuck in a very old paradigm, compared to the things we're creating.

Re:Perfect Software

[ld+a,b]

Anyone who thinks all software has bugs has never written "Hello World" in assembly.

Perfect, trivial software is clearly possible. Perfect software that's slightly more complex is also clearly possible. We haven't yet accepted that perfect software is possible, but we should demand it (for moderately expensive software, or where bugs will cost you money, for instance). A reasonably intelligent programmer writing a modestly complex program should be able to do so perfectly. That he can't, (because his tools don't help him do so) is infuriating.

Yes, almost all software has bugs. We are way too comfortable with the idea. Software doesn't need to have bugs. We just don't have toolchains and development stacks that encourage perfect software. It's as if engineers decided to only use modeling clay for buildings, because nobody sells steel, and it's too cumbersome to smelt their own.

The profession really is no better off for accepting this sorry state.

Sorry, but you are wrong. A perfect Hello World written in assembly according to specification and formally proofed can have bugs in not one but two cases.

• * The specifications are wrong.
• * The CPU has a bug.

Hardware people can be clueless retards as well

CPU bugs are something you only read about in books until you actually try to do something non-trivial with the CPU.

Re:Perfect Software

[Cro+Magnon]

My "Hello World" program worked perfectly - until I added the ability to ask for a name (like "Hello John"), and got an overflow. :-P

Re:Live in a cave

Toyota uses a hydraulic module in the brake lines that simulates brake cylinders moving and applies the regeneration instead. These modules have a fail-safe in that a hard slam on the panel will always engage the brake cylinders. I presume that is mechanical in nature. It is definitely not 'all central computer module'.

Electric steering does use a voting mechanism, AFAIK. It is also more critical than avionics. As one engineer explained: at 6 km altitude, if a computer reboots for 20 seconds, not much happens, and time is left to regain control afterwards - while in a car you've already hit something by then.

And as far as that 'braking can never overcome the engine power' story popping up later: it can not be true, most cars stop in a shorter distance than the can accelerate. And if they don't, what is wrong with car buyers? Need to accelerate off collapsing bridges, but never need to make an emergency stop?

Anchor

I think everyone needs to protect himself by bringing an anchor which he can throw out of his window, so he can stop his car.

How can users protect themselves? SIMPLE!

[Chas]

How can users protect themselves from sometimes life endangering software bugs?

Uh. Simple! Don't buy cars where the default is "drive by wire". Plain and simple. In the event of a catastrophic failure like this, you want the HUMAN in control of the vehicle. Period.

Re: Live in a cave

Common and correct practice to do this when suddenly slowing in unexpected circumstances, like sudden traffic on the highway. Or, when vehicle is going much slower than normal, like in a snow storm without snow tires, or.... Nothing idiotic about it.

Re:Live in a cave

As you say a CAT scan is X-ray.
But an MRI is more like an actual microwave oven, I've been in one of them for 20 minutes and you actually feel you are getting warm all the way through, like you are getting a fever. I asked the technician, he said yes, everyone heats up in an MRI scan.

Re:In Canada Engineers Are Required to Write the C

There are software engineers that use meaningful QA techniques - you destroyed my understanding of reality. I am now in such a deep state of schock that only a glas of obstler can recover me back to life.

Great, testimony from a guy who now makes $$$

Look, I'm going to just throw it out there - this guy couldn't prove anything that happened (as his assumptions relied on there being some feakish conditions).

He also stated that there was no way it was gas, but then couldn't back up that claim. I wondered why he would so strongly testify against something that is clearly unable to be proven either way, until I then read about all the other cases that are waiting. This guy is now sitting on a fortune as a specialist witness.

Re: Live in a cave

One word... Friction

Re: Live in a cave

One word.... Friction

"Recently"? More like dupe

[Dahan]

>10/25/2013 03:35 PM EDT
>"Michael Barr recently testified ..."
>recently
I've heard this story before

Re: And we're going to trust self driving cars now

[Technician]

A simple EMO button could work wonders. Power down the fuel, inverter, and computer would kill the accelleration and fail safe. Manual steering and brakes still function to maintain control.

ieee floats

[Karljohan]

Computers are very capable of dividing by zero. It is well defined by the floating point standard. It's just that Windows per default set a flag that doesn't allow this.

Re: ieee floats

Dividing by zero based on what math? Division by zero is undefined as far as I can tell.

Re: ieee floats

[Gallomimia]

I guess you're still in grade eight? Division by zero results in positive or negative infinity, depending upon the sign of the numerator. You'll learn that in grade ten I believe.

Re: ieee floats

[JesseMcDonald]

Division by zero results in positive or negative infinity, depending upon the sign of the numerator.

False. Division by zero is simply undefined. Sometimes you can determine the limit of some function as it approaches a discontinuity due to division by zero, but the limit will depend on the function (not just the numerator) and possibly on which side you approach the discontinuity from. For example, the function x/x has a discontinuity at x=0, but the limit isn't infinity, it's 1. The function 1/x approaches positive infinity as x goes to zero from the right, and negative infinity as x goes to zero from the left; since these are not equal, the limit does not exist at x=0. On the other hand, the limit of 1/(x*x) at x=0 is in fact positive infinity, because the function approaches positive infinity from both sides.

If X divided by zero were actually defined to be "equal to" positive infinity for all X > 0, then you could turn that equation around and say that 0 * infinity = X. Since 1/0 = infinity, 0 * infinity = 1. And 2/0 = infinity, so 0 * infinity = 2. Ergo 1 = 2. (Or not...)

The problem is that infinity isn't a number you can calculate with; it's more of a trend, or a way to express the absence of a finite boundary. An expression is never "equal to" infinity, though it may approach infinity as some other condition changes.

Re: ieee floats

Computers are unable to divide by zero because it generates a "Division by zero" interruption on the processor itself, which will result in a crash of the Application (Or the OS, depending on where it happens).

Re: ieee floats

Division by zero results in positive or negative infinity, depending upon the sign of the numerator.

False. Division by zero is simply undefined. Sometimes you can determine the limit of some function as it approaches a discontinuity due to division by zero, but the limit will depend on the function (not just the numerator) and possibly on which side you approach the discontinuity from. ...

Obviously, a math major not a programmer. Undefined does not exist in computer code, or the computer crashes instantly. 8-)

Re: ieee floats

[JesseMcDonald]

Obviously, a math major not a programmer.

Nope, a programmer—though computer science is a branch of mathematics. The comment I was replying to was referring to real math as taught in the classroom, however, not computer-math. Even there "undefined" is an option; that's what "NaN" is for.

Part of the problem is that IEEE FP can't really represent the value zero. Instead, it has a pair of values "too small to represent", one positive and one negative. (If it were really zero then -0 would be equal to +0.) Similarly, positive and negative "infinity" don't really correspond to infinity in mathematics so much as finite numbers too large to represent given the limited range of the exponent. If you combine that with thinking of IEEE +/-0 as "infinitesimal" rather than actually zero then the result makes somewhat more sense. (And 0/0 does give NaN, as you would expect.)

Re: Live in a cave

In that case you'd simply turn the engine off. Brakes would then stop the car with only inertia to fight.

Re:Live in a cave

That's the problem. Because it's plausible, all of a sudden every person who presses the wrong brake pedal can sue. Supported by specialists who can't prove the theory, but can always say 'Well you can't prove otherwise'.

Without proof, I can theorize that ALL accidents with wire throttle are due to software error. Well, you can't prove me wrong, so I guess I win.

Re:Live in a cave

[AK+Marc]

Yes, if you are traveling 55 and the throttle suddenly applies at 100%, your first instinct is not to stomp the brake with maximum force, bringing the car to an abrupt halt, but instead to press the brake progressively to hold speed. Do that for 10 seconds, and your brakes may no longer be strong enough to halt the car.

Audi was improper pedal application, but Toyota looks more like an actual unintended acceleration, followed by poor driver reactions.

Re:Live in a cave

[Immerman]

Huh, I had a brain scan once and don't remember noticing any heating. But then again I may have been distracted by the intense kinesthetic hallucinations I was having. Pretty unsettling feeling my body being tied into all sorts of impossible bone-bending pretzels, especially while lying perfectly still in a narrow tube looking out along my (undistorted, obviously) body in that tiny little mirror. I've never heard of anyone else that reacted that way though.

Re:Live in a cave

[AK+Marc]

And as far as that 'braking can never overcome the engine power' story popping up later: it can not be true,

Yes, it can. I've had partial brake failure from a single stop downhill from about 100 mph in a '87 American car with drum rear brakes (starting from cold brakes). If the throttle had been stuck open, that 100 hp 2.5l would have overpowered the brakes.

Note, if I had locked up the brakes at 100 mph, I'd have stopped faster, and the engine wouldn't have been able to overpower the brakes. But, given a little fade, it's enough to tip the scales, especially if someone uses the brakes for 10 seconds to hold the car's speed, not realizing the urgency of the situation.

Use Ada

[iliketrash]

"How can users protect themselves from sometimes life endangering software bugs?"

Use Ada.

Manual throttle

Cable and all. Problem solved.

Also, just kill the engine via turning your key to "off".

Re: And we're going to trust self driving cars now

[AK+Marc]

It's easier for a computer to dodge a pedestrian than a person. Often the person will steer for the most open space, which is the same place the pedestrian goes. That's not the most effective dodge. The optimal dodge is to stop in a straight line, regardless of the location of the pedestrian. Unless the pedestrian is elderly, in which case, adjust slightly to avoid them, and brake as hard as possible. Neither is the "human" reaction. People steer, rather than brake. I'm not sure why, but braking is almost always better than steering. Cars stop much faster than people think. People prefer to drive at about 0.1g, starting, steering, and stopping. Most cars will do more than 1g stopping. But people aim for about 1/10th that or a regular basis, and think 2-3 times that is "very hard". I've dropped the anchor a few times for my passengers to feel what a car can do (always safely, of course).

Re:Live in a cave

"Did they also discover a flaw in the brakes such that they could not overcome the engine power?"

Just turn the key to the left and there will be 0 power.

Expert lie or are overestimated all the time

[aepervius]

Look we had a "finger print" expert for which the case had to be revisited when it turned out she made it up on the spot, and we had a "fire" expert without any clue which condemned somebody to death. I am in serious doubt of locally taken "experts" for prosecution or for the defense in a legal case. The facts remain that this problem was mostly 1) old person and untrained folk 2) pretty much only in the USA.

Maybe they had a software version specific to the US, but otherwise it does not make sense that this did not happen *at all* in europe where toyota are sold by the truckload in europe, roughly 6 time the number of toyota sold in the USA (usa 150K roughly http://online.wsj.com/mdc/publ... europe 850K roughly http://newsroom.toyota.eu/news...).

Re: Live in a cave

If the driver's so dumb they don't know shifting to neutral will stop the accleration, may be they should die according to Darwinism.

Which idiot

[drolli]

allows recursion on a system controlling a critical system?

Most things which are needed for such a function can be written as a straight-line program and iteration. I would e ven go so far to say that if you need more complex functions, then spend the 25cent per car for a dedicated microcontroller for the low-level function.

Re:Mental stack overflow of the driver is more lik

[damaki]

Sorry to affect your american centrism, but it happened in France, too, and the case is quite documented (pardon my french). The police -which were contacted by the driver- had to make room for the car on the motorway, and to find a solution to slow the car down gracefully. In the end, nobody was hurt, but Toyota...
While I do agree that in the litigation-driven country that became the USA, most of these drivers must be full shit, and surfing on the "it's not me, it's the machine" wave, it looks like there is a real software defect.

Re: And we're going to trust self driving cars now

[lordlod]

I've known a lot of high-quality developers over my 15 years of professionally developing software. The reason I don't want an automated car is because of these people. People make mistakes, intentionally or otherwise.

When it comes to true high-rel software, like that written to DO-178B Level A (an avionics software standard used for things like fly-by-wire) it's almost never the software per se that's at fault. The stuff is amazingly good. It's also amazingly expensive to write and test. You might also find it frustrating because it brings new meaning to the idea of conservative design. For example, I don't think it allows recursion. I know it doesn't allow dynamic allocation.

Firmware engineer here. While I don't work on safety critical systems not allowing recursion or dynamic allocation is just standard practice.

Memory leak errors are almost impossible to debug on a microcontroller. So as a preventative measure, standard practice is not to do any dynamic allocation after hitting the main loop. Initialisation is ok, it runs once and never gets freed. Once the system is running however, the risks outweigh the benefits.

Recursion is much the same, it's easy to blow the stack, messy to debug and makes static analysis hard.

While both can be done safely we consider them automatic red flags and any use needs to be accompanied with a justification in the comments. The code is also very carefully checked. Typically the problem is readdressed and another method used.

Re: Live in a cave

It's pretty stupid and distracting when a bunch of cars, all in the same road and weather conditions, are flashing their hazards.

Re: And we're going to trust self driving cars now

[Grishnakh]

When it comes to true high-rel software, like that written to DO-178B Level A (an avionics software standard used for things like fly-by-wire) it's almost never the software per se that's at fault. The stuff is amazingly good. It's also amazingly expensive to write and test. You might also find it frustrating because it brings new meaning to the idea of conservative design. For example, I don't think it allows recursion. I know it doesn't allow dynamic allocation.

That's correct. Neither recursion nor dynamic allocation are allowed. C++ is only barely allowed (it's pretty new at this point), and even there most of the C++ features are not allowed: no dynamic allocation (you can never delete an object), no exception-handling, etc. The operating systems used are extremely simple real-time OSes where every timeslice is planned for, and there's no preemptive multitasking (only cooperative). Basically, everything is made to be as deterministic as possible, and anything that reduces determinism is forbidden.

Another big point: caches are not allowed. So all on-CPU caches are disabled. You can imagine what this does for performance. Caches are bad, because they are non-deterministic (it's too hard to predict how long something will take to run, because you don't know if you'll have a cache hit or not).

Re: Mental stack overflow of the driver is more li

[Lord+Crc]

Why did he take his foot off the brake?

Because he put the car in neutral?

Oh wait...

Umm..

So what are you supposed to use then if malloc/free and stack variables aren't allowed? Just interested.

Re:Mental stack overflow of the driver is more lik

[Attila+Dimedici]

Actually, the best analysis of the situation I have seen came from someone who had investigated a similar problem that was reported for cars with purely mechanical acceleration linkages some years back. They had studied that situation and discovered that overwhelming majority of those experiencing the problem were in a particular age range (I forget now if that age range was 55-65, or somewhat older). Further analysis revealed that most people go through a kinesthesia change during that period (kinesthesia is the awareness of where a body part is based on the sensations you are receiving from it). When going through that change, people often believe that their feet are positioned a few inches from where they actually are. As a result, drivers in this age range are likely to be positive that their foot is on the brake when it is actually on the accelerator. The interesting thing is that once the person becomes used to the change, they are perfectly capable of being aware of where their foot is once more. The person who did that original analysis analyzed the Toyota data and found that the majority of reported cases involved drivers who were in the same age range. When he took out those data points which looked suspicious as to being part of this actual problem(drivers who looked to be cashing in on the publicity of this, either for money or to explain away their own bad behavior, accidents where no one in the vehicle survived, but this was used to explain irrational behavior on the part of the driver, etc) the overwhelming majority of cases were in this age range and most of the remaining were inexperienced drivers.

solution

[Gravis+Zero]

How can users protect themselves from sometimes life endangering software bugs?

there was a time when cars didnt have computers. there was also a time when the computers ran a single program instead of an operating system that executes other programs.

why do we have operating systems for the only important function of the car?

stop being obsessed with efficiency

[stenvar]

It would have cost almost nothing for the OS and/or the compiler to insert a little code that made sure that the stack couldn't overflow. If those kinds of checks aren't built into the platform and tools, critical and lethal bugs are going to be much more frequent than they ought to be. Given the power and low cost of modern embedded computer hardware, worrying about saving a few percent in CPU cycles is pointless.

To get companies to change their ways, courts should recognize this kind of programming as criminal negligence and punish Toyota and the responsible employees accordingly

Re: Live in a cave

Perhaps there is some sort of... hazard?

Brake more powerful than engine.

[leuk_he]

In the case of the TS, there was a report from NASA that says at page 15 that even at full power with depleted power vacuum brake assist, you can still get the car to stop by braking. And they showed it.

As for your argument of burnout, this is ussuassy done with the hand-brake, that only brake at the rear tires only.

You can get in problems with brakes if you let then run too hot, descending from a hill is a known example of this.

Re:Mental stack overflow of the driver is more lik

[drinkypoo]

The Toyota sudden acceleration problem disproportionately affects the elderly and inexperienced drivers.

You mean the kind of people who buy Toyotas? With the exception of the GT86 and the LFA, they're horrible to drive anyway. People who drive buy something else.

It's funny...

[Bartles]

...how the probability of being affected by one of these stack overflow bugs, increases with the age of the driver. Just sayin.

Proven Correctness

The person who says that bug-free software is possible is speaking truthfully, if one can omit hardware errors.

The person who says that it's possible and then starts talking about techniques and tools is fooling themselves. If you have not mathematically proven that your code responds correctly for all possible inputs, you have done nothing.

I don't know where you hubristic half-wits come from, but I wish you would return there. Your first delusion must be that you can or habitually do write bug-free code, which is statistically unlikely. The second is that there is some factor x which if people would only pay heed to, they would be able to write perfect code too.

If you haven't measured performance, you don't know or care about performance. If you haven't proven your software correct, you don't know or care about correctness. Just so you know, proving a program correct is difficult except in trivial cases. That is why code has bugs, and not some horseshit about toolchains. We can write provably bug-free code, and choose not to, because the process is insane and not generally worth it. Nor is it likely to become easier.

Re:Proven Correctness

[neumayr]

o_O

What you're arguing against is might not be what the parent stated. Yes, proving your software is working correctly is hard, very hard. Not possible for an individual developer in a real life situation (limited time, resources, formal education in mathematics - what are you doing writing commercial code when you're a mathematician?). That's one of the issue what I believe the parent wanted to mitigate with improved development tools, which also need to be bug free of course. At some level, the building blocks need to be proven to work correctly, you're right there. But that's should not be for the feature developer to do, he should be able to rely on the tools he's given.

Yes, I agree with the parent, software development is way to hard at the moment, the analogy "It's as if engineers decided to only use modeling clay for buildings, because nobody sells steel, and it's too cumbersome to smelt their own." holds true and seems to fit with what you're saying.

Re: And we're going to trust self driving cars now

Generally, you are right. People do make mistakes. The issue is how frequently they make them.

Software can be simulated at speeds that would tire the average person. This means that the mistakes people embed into software can be stimulated far more frequently than the mistakes that a person actually makes. This testing leads to the mistake a person make having literally hundreds to millions of opportunities to be noticed. With a larger opportunity of detection, the software in a shop that cares about correctness is rarely the culprit.

Now, I agree that one might make the mistake of not noticing an issue, or of testing an item in a way that doesn't catch the issue; however, it is a lot harder to make two mistakes that are so complimentary if you follow best testing practices.

I think software is blamed because the average person has to deal with shoddy desktop applications, and assumes that all software is written equally badly.

Re:How can users protect themselves? SIMPLE!

[Ateocinico]

Emission and fuel consumption standards can not be met without an ECU. That makes old carburetor or continuous injection engines almost, if not completely, Illegal.

check the code

another problem would be an error in the code due to copies thet have been corupted
by a copy machine.
one badly copied letter or number can cause a problem.
all new code should be checked against a known good original copy for
any errors cased by the copying machine process.

MISRA anyone

MISRA which has become the basis for coding standards for things like Joint Strike Fighter doesn't allow recursion. I wonder to what standard they code to?

Re:Live in a cave

[neumayr]

It is pretty common to blame users for system malfunctions. And often, that turns out to be correct. However, you being here, chances are you somehow involved in software development and its processes, and have experienced many of its failures. Here, we're talking about software people bet their life on. I do think it's warranted to look very closely and actually rule out that the failure was a technical one, and I find it difficult to imagine an argument against that.

Re: Live in a cave

This bug has cost lives. The reason it seems to come and go every five years to you is because it has to wind through the court system. If you had read the article, I think you'd be better informed. Instead you had to put your two cents in to show the world how bright you are.

Cars do cost $100 Million

If you look at the full development cost of a car - including the cost of parts that were designed for other or earlier models, the prices do hit multiple millions. I remember in the 80s Honda spend $200Million on their Formula 1 engine (turbo charged 4 cyclinder). The cost is spread out.

How reliable? The electronics and sensor behind air bags has proven to be, statistically, remarkably reliable. Even 20 year old cars with oodles of miles on them, don't have air bags blowing up in driver's faces on a regular basis. It can be done.

Re: Live in a cave (with switches)

[kyrsjo]

Even if the brakes would have stopped the car (eventually), after applying them fairly firmly for a while (for some values of "while") the car can experience rather sever brake fade. Anyone driving in the mountains has probably experienced this.

I always learned (and do) break on the transmission when going down long steep hills - I normally don't have to touch the break pedal at all. On a manual this is obvious how to do (just downshift untill appropriate speed is reached, and don't redline the engine, use the breaks to CHANGE speed, not to keep from running away). On automatics there is (in my tiny experience of these) usually a possibility to force it to a specific gear, basically driving it as a clutchless manual, or at least a "low gear" button/position on the transmission handle.

Re:Live in a cave

[kyrsjo]

As one engineer explained: at 6 km altitude, if a computer reboots for 20 seconds, not much happens, and time is left to regain control afterwards

Not true during landing/takeoff at least.

Then you own a shitty car

While it takes 6+ seconds to hit 60 mph, the brakes can stop the same car in 2. Brakes should be able to generate much more of a stopping force (at least for a few seconds) than any engine can. Go try it. And if your car can't do it, throw it away and get one that can. BTW, I own two corvettes and a diesel truck with 850 ft-lbs of torque - and brakes win on all of those!

Re: Mental stack overflow of the driver is more li

If the gas is controlled by software, why would you think the brake isn't? If one can fail, it's perfectly reasonable to believe that the other would be likely to fail, and at the same time.

Furthermore, depending on where the error occurs, it would be possible for it to appear to the event recorders that the driver released the brake, and hit the gas.

Hm.

Vacuum assisted braking (most cars) provide enough vacuum reserve to allow for assisted deceleration after the engine has been shut off. You can test this by starting your engine then shut it off while in park. The pedal will still be soft without the engine running but only for the first couple of times you press the pedal. Typical assist systems are 3.8-5.5:1. Meaning you normally do very little of the work required to create the line pressure to the calipers. I'm not sure what happens with the few Mercedes products which used brake by wire during the various system failure modes but I expect that so long as the system has battery power you should be ok.

Power steering when you are at speed doesn't do a whole lot. If you've ever driven a car without it once you are moving at above parking lot speeds you are A-OK.

I doubt very much that any steering column will lock until the key is removed from the ignition, I'm not sure about cars with stop/start buttons and no key slot/socket but that would be software driven.

Some cars have a rev limiter at 3-4k rpm for neutral so even if you do bump it into neutral you won't hurt anything unless the ECM decides to destroy the engine.

Brakes in just about anything you can buy today are going to be more powerful than the engine. You can reach a higher rate of G in decel than accel in pretty much anything made today (particularly for two wheel drive cars) for general consumption (drag racing cars probably don't fit this model). This is of course up to the point where you induce pad or fluid fade. Yet if you use the vacuum reserve correctly you should be able to stop safely if you give the brakes ONE smooth, solid decisive press and hold them firmly until the car has stopped. If you're uncertain and let off then press again the vacuum reserve is going to be depleted and the driver's own lack of training is the means of their end. Driver training is more expensive than an ECM with better code.

Re: Live in a cave (with switches)

BRAKE you illiterate moron!!!!

Wait a minute ... weren't they using MISRA rules?

[Ihlosi]

As far as I remember, MISRA C rules forbid any kind of recursion.

Hello 1980

[nurb432]

They want their coders back..

Watchdog timer

It turns out that Toyota *did* have a hardware watchdog that would initiate a full ECU reset.

However, the designers of the watchdog system, found a problem. If they had a software routine pet the watchdog, then because of CPU starvation, the lag in petting may cause the watchdog to force a system reboot. Toyota solved this problem by moving the watchdog petting to a hardware timer....

Local variables

What sort of strategy would you use if you can't use local variables?

In the testimony, Barr states that a major problem with the Toyota code was dependence on a huge volume (about 11,000 individual variables) of global variables. So, if globals are bad, and you can't use locals... What do you do?

Re: And we're going to trust self driving cars now

[phantomfive]

I've yet to see a demo of an automated car navigating anything resembling an icy surface (safely or otherwise)

You need to watch this. Watch the part where they drive up the ramp.

Modern software may have inhibitions

As you say, you CAN turn off a car when the gear selector is in "drive", but it may not be obvious how to do it.

For example, I have a Toyota with push-button start. When the vehicle is stationary and the gear selector is in Park or Neutral, the button works kind of as you would expect, but the behaviour is different between gear selections (in park, pushing the start/stop button, shuts off the car's electrical systems completely; in neutral, the button merely shuts off the engine, and leaves the accessories on).

HOWEVER, when the gear selector is in Drive (or the vehicle is rolling in neutral with the engine running) then the start/stop button is inhibited. Pushing the button WILL NOT shut off the engine. Pumping the button will have NO EFFECT. In both of these situations, there is no confirmation that the button is doing anything - there is no indicator light, no chime or warning beep. Nothing.

There IS a fail-safe shut-off, but you have to HOLD the start/stop button for 10 seconds continuously, at which point all electrical systems will be shut off. There is no count-down warning buzzer suggetsing that the button is doing something and that you need to hold it a bit longer. no light, nothing. There is also nothing in the manual about this.

I decided to test this out, after reading all these stories about people not being able to shut off a malfunctioning car. I did this on a private road at low speed - and even though I was in full control of the car, and was holding the power button hoping it would shut off, the 10 second delay was long enough for me to begin to wonder whether this strategy was going to do anything at all.

Not a watchdog but careful system design

A watchdog won't do anything in this circumstance. However, there are strategies for dealing with this sort of failure.

For example, you can use 2 transducers, which produce signals with different profiles and power than from independent power supplies. E.g. Toyota's DBW accelerator pedal does this. It contains 2 potentiometers - one is powered from 12V and produces a rising voltage with greater pedal pressure. One is powered from 5V and produces a decreasing voltage with greater pedal pressure. The ECU measures both signals and has a table relating one sensor value to the other. If the sensors readings are inconsistent, a failsafe mode is enabled (if one sensor is reading out-of-range, the remaining sensor has authority within a restricted operating range (up to about 10%); if both sensors are out of range, then the ECU interprets this as idle).

A similar principle could be used for control of an electically operated throttle valve. You have a motor control, a spring return, and dual potentiometers on the throttle plate (potentially connected via different mechanical linkages). The ECU can correlated the values of the independent sensors, and can also correlate the motor duty cycle with a table giving the expected duty cycle required for a given throttle position. Whether this type of control is used, I don't know - but it would be possible. It would also detect faults such as a throttle valve becoming stiff or slow to close, or otherwise obstructed.

The question is how much are you prepared to spend on adding redundant systems such as this, and the additional testing and validation that is required to ensure that they work as intended.

bragging rights from body bags

[epine]

100% perfection in any non-trivial thing (whether hard or soft) is impossible.

This is 100% semantic wankery, because triviality is circularly defined as the magic threshold beyond which bugs become inevitable.

Of course there's an implicit ego frame of reference, because we're all looking for an edge on the margin where the big money lives. They didn't call it a "space race" for nothing. It would be far more pertinent to observe about the human species that bragging rights come from body bags. That's just how we run our affairs on the larger political scales.

I can't stand the intellectual posing that ensues whenever someone espouses the culture of bug mitigation with extreme prejudice. Oh, nothing can ever be perfect—as if that's ever the human standard in anything. Part of this is IQ wanking: the notion that writing bug-free code requires superhuman feats of logical perfection. Successfully reasoning your way out of a wet paper bag has something to do with writing bug-free software, but it's a secondary term at most.

The real key to writing defect-minimized systems is a good understanding of human psychology and mental frailty, keeping notes, and constantly upping your game.

It's a rare piece of software that is more robust than the worst API it programs against. Even if the code behind that API is 100% bug free, you're far from out of the woods, because the API can be designed in such as way as to delegate complexity up hill.

No doubt Opportunity was far from perfect, but it sure as hell sets a god-like bar compared to what passes for quality work in 98% of the make-a-buck sphere.

Re: Live in a cave

[Marxist+Hacker+42]

A Prius does not. More than half the brake power is supplied by regenerative breaking, and if the register for throttle position is at 100, regenerative braking never kicks in, leaving you with the relatively whimpy disc brakes. A prius crash near me last year had the brake pads worn away and smoking when the police arrived.

Re: Live in a cave

[Marxist+Hacker+42]

There is no physical neutral in a synergy transmission. It is simulated by software, and if the computer has crashed, you can't engage it.

Re: Live in a cave

[Marxist+Hacker+42]

Yep, no ignition key in a prius either...next

Sounds familar

The expert code review revealed 80,000 + standards violation, 10,000 + global variables and a massive pile of spaghetti. Looks just like the usual built by the lowest bidder H1 B / Indian written type code I used to fix as a consultant, the only difference is this code is now in safety critical systems. I think I'll just keep my 94 Toyota after RTFA.

To simplify...

[DrPBacon]

@(stack.overflow) { throttle: "open" } oh darn they dun goofed. oh well! let's close our eyes and hope it never happens again!!

Re: Live in a cave

[DriedClexler]

Just because it's a retarded idea, doesn't mean an engineer hasn't tried it on a production design.

It's just that the downside of this design choice is a lot more obvious now that we know a condition in which you absolutely do not what a computer between your brakes and your wheels.

Actually, computers will probably deal with icy ro

Using inter-vehicle communication networks (basic ones are already being tested), icy patches will not cause a surprise to every driver (as is the case now). The hazard will be communicated to other vehicles and infrastructure networks/servers the moment the first car detects there is a problem with the road. Other vehicles - those driving behind / in front / in the opposite direction and even those who approach the site only a few hours later will be forewarned. Their systems will be able to make precautions - detour / slow down / etc. Yes, the systems will be even more complex, and there is always a chance for error. The computer will never get tired. You can't touch the response time it can pull off. It can see in the dark, in fog, and it has 360 degree sharp vision instead of a human's mere 6 degrees with 120 deg peripheral vision. If the driver is not distracted, and/or emotionally stressed, fatigued, ill, etc.

There's no question in my mind that computers have the potential to be far far better drivers than humans, but its still a way ahead. The development is very costly, and the legal risks and grey areas are still quite large. It takes a lot of time and money to make a very safe system (which is clearly a necessity). I guess this will happen in layers and iterations. I guess human drivers will not be completely replaced for at least another 20 years, but I would have no second thaughts about handing over the wheel to a capable computer on the highway in 2-3 years.

As for legal questions? The driver will continue to be responsible for the vehicle for a long time When the time comes that no driver will be in the vehicle, you will have a situation that I think is analogous to travelling on a train without a driver. The entity operating the vehicle will be responsible for what happens, with a compulsory insurance for basic cases. Eventually, the manufacturers will be responsible for software- or mechanical failure caused accidents, as is currently also the case.

fucking recursion

I have to say it. I hate recursion. it had been mathematically proven that you never need recursion. And you know what your code is almost always more clear without it.

When you use recursion, you explain a problem in terms of itself. When you don't, you explain it in terms of simpler concepts. To understand a recursive function, you almost always have to read it at least twice; once to understand the terminating case and once to understand the non-terminating case.

While I have used recursion to do a few things like parse tree like data, I avoid it. Most recursion I have written was for job interviews (for some reason interviewers think abusing the call stack is clever).

If I was writing coffee for a critical system like an automobile, I would never use recursion. I'd make my own stack in the function and manage it. This way I could control its size and avoid problems.

Abusing the call stack in a critical system just seems like a stupid thing to do.

Re:Live in a cave

[JonBoy47]

My 2000 Toyota Camry 4 cylinder, and my wife's 2006 Dodge Grand Caravan both beg to differ with you. Though electronic control of forward gear shifting has been the norm for a couple decades at least, most automatics still use mechanical control for selection of the operating mode (Park, Reverse, Neutral, Drive). Mis-adjustment of the neutral safety switch continues to be a cause of no-start symptoms, even in late model cars. I will grant you that the trend is toward purely electronic controls.

Re: And we're going to trust self driving cars no

How about *no fault* insurance? The real kind, not the fake kind.

Re: And we're going to trust self driving cars now

[Copid]

The liability problem could be legislated in a pretty straightforward way. Limit the exposure of the manufacturer to the same level of liability a typical human driver would have. Require owners to hold liability insurance (this is nothing new). Realistically, the insurance companies will have a very good idea of the likelihood of a human driver crashing vs an automated car crashing and will set rates appropriately. I would bet good money that outside of icy/snowy locations, the rates for an automated car will be lower than for a human driver after only a year or two of trial time.

A lot of time we're blinded to the probability of things happening by the scariness of those things. Realistically, being hit by a computer controlled car is no different than being hit by a car driven by a drunk driver, a distracted 30 year old, or an inexperienced 16 year old. The only question is which is more likely to happen per vehicle mile. On dry roads, most accidents are caused by a drive not paying attention or doing something risky. Accidents caused by complex social interactions that a computer couldn't figue out are far rarer than accidents caused by some nitwit playing with his cell phone. If computers completely solve the 80% problem and make the 20% problem 10% worse, I'm OK with that.

Re: And we're going to trust self driving cars now

[Copid]

If your concern is that computers will do a worse job of looking at the objects in 3 dimensional space around them and solving the kinematics problems required to avoid obstacles than humans do, I think you can rest easy. Reacting quickly to the sudden appearance of a pedestrian is one thing that a human has almost no chance of beating a human at. Even better, the car's LIDAR system will log what happened so if something does go wrong, we know who is at fault.

Re: Live in a cave

[tragedy]

I'm not sure about all of these cars, but I remember from the discussion on one of the earliest of these cases that it wasn't actually possible to stop the car in motion. I think that one was supposed to have a solenoid that actually locked the electronic key in place.

Re:Live in a cave

[DarkOx]

What were the odds of a whole bunch of teen girls claiming to have experienced witchcraft in Salem? Mass hysteria it happens.

Re:In Canada Engineers Are Required to Write the C

Thank you for demonstrating your cluelessness about what the word "professional" means.

Hint: it doesn't have anything to do with having a piece of paper or passing a test or a legal status.

New competitor?

You mean like https://programmers.stackexchange.com/ ?

Re:New competitor?

[firewrought]

You mean like https://programmers.stackexcha... ?

They close out "good" questions there too (examples)... came across one the other day (while programming), in fact. It's like the wikipedia notability police all over again. :O

Re:Live in a cave

[icebike]

No, not many (if any) were hybrid Toyotas.

And Brakes still function.

There have only been a very few Brake by wire vehicles, and all of them have had some physical linkage as backup.

Brake-by-wire technology is still under development by some automobile and automotive parts manufacturers industry worldwide and has not been widely commercialized yet. This is mainly due to the safety-critical nature of brake products. So far, Mercedes-Benz (Sensotronic) and Toyota (Electronically Controlled Brake) already use almost fully brake-by-wire systems, on the Mercedes-Benz E-class and SL models and on Toyota's Estima.

Brakes systems sold in the US for passenger vehicles always have physical or hydraulic linkages in addition to any purely electrical system.
This is because US DOT regulations in 49 CFR 571.105 require the brakes still perform with ANY failure in the electrical system, (cut wires, dead battery short circuit, dead computer, etc), and even has requirements for performance with a totally depleted battery (see at S6.2.6A in above). The easiest way to meet these criteria is to add a physical pedal actuated hydraulic brake linkage.

Aerospace bugs

[dbl]

I would tend to agree with dcw3, based on my limited exposure to the industry. I worked in an aerospace company for a few years, and the code I worked on was some of the buggiest code I've ever encountered. The push was to get more features thrown into the software, rather than writing code properly and fixing the existing code. When I first started at the company, the software was crashing every 2 or 3 minutes and often every time the software tried to start up. By the time I left, we finally had it down to every 6 to 48 hours. However, for the environment this software was supposed to be deployed in, even every 48 hours was crashing too often. The code often reminded me of Chuck Forsberg's xmodem, ymodem, and zmodem code, but it actually makes his code look spectacular. Gotos were liberally sprinkled throughout the code, null pointers passed around like they were going out of style, and globals and statics were the cool thing to use in multithreaded code.

Re:Live in a cave

[gemtech]

1. Modern disc brakes require a power booster, derived from the engine vacuum. I've driven a truck that had a failed power booster, it was extremely difficult to stop it at only 5 miles an hour backing out of the garage (I'm 5'11", 195 pounds, I am not a small guy).
2. At full throttle, the engine is NOT making vacuum, at least very little.
3. Without vacuum, there is no power brakes (after 3 or so pushed on the pedal).
That, my friends, is the problem.
By the way, I have a 2007 Toyota Avalon with this potential problem (accelerator by wire, shift by wire, pushbutton ON/OFF). They've reflashed the computer at least 2 times since this was first made public. The biggest flaw with the "system" is that there is nothing in the owner's manual that you have to keep the ON/OFF pushbutton held in for 4 seconds to stop the engine once you are moving. Toyota's reasoning was that stopping the engine would stop the power brakes (see #2 above), and you would lose power steering (you don't need power steering above 14mph).
I've read that the industry is implementing what Buick has used for years: if several pushes of the ON/OFF pushbutton are tried, it will shut off the engine. That makes a whole lot more sense to me.

Re:Mental stack overflow of the driver is more lik

[Alioth]

Normally I would agree with you, but if you dig into TFA you can read the presentation the expert witness provided to the court. In this case it looks like Toyota was pretty negligent in the way they developed the firmware, violating not only industry standard coding practises but their own! The witness and his team produced an 800 page report on the shortcomings of Toyota's engine management system (he had full source code access).

Re: Live in a cave

[gemtech]

until you run out of vacuum if the pedal is pushed more than a couple of times....

Re:Live in a cave

[gemtech]

that's the best posting I've read so far.

Re: And we're going to trust self driving cars now

[q4Fry]

What about people detaching the subway and bus systems? Of course attaching subways near islands could be pretty neat. Watch the fish out the window on your commute...

Re: Mental stack overflow of the driver is more li

[ceoyoyo]

Driver error. When you're stopped you're supposed to keep the brake down (and the wheels straight). The usual reason is in case someone rear ends you. My car even helps out: if you press the brake all the way down it holds it on until you release it completely.

Sure, most people like to do the creeping forward thing. Most people are poor drivers.

Re: Live in a cave

. . . at full throttle. but what's happening with the vacuum assist at full throttle?
In at least one case, there were brake skid marks (rear wheel, 'emergency' brake) but the car kept on moving and crashed. Yes, ordinarily, four-wheel brakes functioning with vacuum assist will stop a full-throttle vehicle. These events, however, were not 'ordinary.'

Re: And we're going to trust self driving cars now

[chrismcb]

People make mistakes, intentionally or otherwise.

And that is a good reason not to have millions of people driving cars. It will be easier and faster to work out most of the bugs in a computer driven car, than to get everyone to drive error free.

One Issue I see...

If a person has a problem with issues, it affects them and maybe whoever they hit.

If the same software is installed in 50000 cars then the potential of 50000 wrecks where the driver did not have a way to correct the car.

This is actually more scary to me, because at least I have a chance of making corrections if the systems are analog or have analog backup.

I am a software developer, and this scares me.

Re:In Canada Engineers Are Required to Write the C

I work in Alberta and I am a Software Developer. The problem is that having "Engineer" in your title hardly means anything. I worked with many Software Developers and many Software Engineers. Because of the law, the company I work for has to hire a number of Software Engineers. When I compare them side-by-side, I actually do not see any reason to believe that the Engineers in the room would yield better/safer code.

Re:Live in a cave

[lgw]

It's been tested under every condition imaginable. Brake power completely dominates engine power. The only situations in which brakes won't stop you is if you have no brake pad, your brakes are actually on fire, or you're in a fully-loaded heavy truck on a steep grade (and grades that steep usually have emergency pull-offs with steep uphill stopping ramps - you may have seen them).

Re:Live in a cave

[lgw]

You can easily stop with no vacuum assist. It doesn't in any way change how effective the brakes are when firmly applied. It does however totally change how the brakes work and feel, and most drivers these days would have no idea what to do. It's not like we really train drivers after all. I drove a car with no power anything for years, and it's just a very different technique. However, if you stomp the pedal like you'll die if you don't, the car will stop.

Re: Live in a cave

[lgw]

When did you start posting again?

You can definitely stop with no vacuum assist or any other kind of assist - brakes are really quite strong when firmly applied. You do have to be serious about it though (you can't wear away brake pads quickly, BTW, they'll actually catch fire first, though I'd easily believe they were past due for service in that crash).

Re: Live in a cave

[lgw]

In what car? I don't know your FIL, so I'll assume he's dumb as a sack of doorknobs, but I'll believe Woz when he said his Prius has the problem on the highway. The brakes still work, however.

There are vastly more people who step on the gas instead of the brake while parked/parking, however, then claim the car malfunctioned.

Re:Live in a cave

[gemtech]

I could be wrong, but you must have had drum brakes. Drum brakes work fine without power assist, they are too sensitive with power assist (lots of surface area on the friction surfaces). I drove a 1970 Chevelle for many years with drum brakes and no power assist.

Disc brakes are another matter.

Re:Live in a cave

[lgw]

I've had the same problem - had to hook my foot under the gas pedal and lift it. But that's not at all the sort of problem we're talking about here - not a manufacturer's defect in throttle software (certainly not in my '69 240 Z).

Re:In Canada Engineers Are Required to Write the C

[Grishnakh]

In Canada, the public is protected from such software bugs by statute, in the same way the public is protected from medical screw ups: a professional engineer is required by law to write any software code where safety is on the line

Bullshit. This is completely false.

Source: Canada imports most its cars. You really think Canada requires Japanese and German car companies to have all their code written in Canada by professional engineers registered with "PEO"?

Canada doesn't even have any car companies. Any such law is pointless if companies are just going to import stuff that was engineered outside the country.

Re:Live in a cave

[tragedy]

Oh, well, as long as you say so.

Re:In Canada Engineers Are Required to Write the C

[Grishnakh]

- Toyota cars have a push to start button that is also a push and hold to stop button. So how do you stop the car quickly? Shouldn't a car that has push-button start, also have a push-button stop, that is a different button and works quickly? Why would Toyota follow the Microsoft standard of using a start button to stop, instead of following the very well thought out emergency stop button standards?

Don't blame this one on Microsoft. With MS, you have to press the "start" button, then select some drop-down box and select "power off" (or "restart", etc.).

They probably got this from the ATX computer standard. If you're old enough, you may remember that computers (back in the XT and AT days) had on-off power switches that did just that. You flip the lever up to turn it on, then flip it down to turn it off. Of course, this made it impossible for the computer to power itself off (or to power itself on with wake-on-LAN), so when the ATX standard came out, they switched to a front-panel on-off pushbutton: you press it once to turn it on, then press and hold for 3 seconds to turn it off.

Today's push-button-start cars have merely adopted the 20-year-old ATX computer standard. (And for all I know, the ATX people might have gotten it from somewhere else.)

Re:Live in a cave

[lgw]

There is really no way in which drum brakes are better than disk brakes (until you start hauling 40 tons of freight). A larger brake surface just means less pressure with the same force: it's a wash Larger brakes do mean less wear and fade, but drum brakes are so bad to begin with that you never come out ahead on that curve (again, unless we're talking heavy equipment).

The shortest stopping distance on a car (with a great driver) will be achieved with no power assist on disk brakes and no ABS. We all have ABS because the skill to stop aggressively without locking up the tires is so rare (and it's really quite hard with power brakes). But finesse isn't what we're talking about here - it's just that people are used to the brakes doing something near the top of the petal travel, not at the very bottom.

Re:Live in a cave

[gemtech]

I agree that drum brakes have their issues: fading, constant adjustment. But I can't agree with the rest of your arguments, based on my 41 years of driving experience and owning and working on over 20 vehicles: drum brakes, disc brakes, foreign and domestic (US).

Re:Mental stack overflow of the driver is more lik

[gzuckier]

pretty much true for the old Audi sudden acceleration thing. but with drive by wire.... the onus is therefore on the manufacturer/programmer to demonstrate the impossibility of such behavior.

Re:Live in a cave

[lgw]

http://www.keacher.com/672/tit...

http://www.caranddriver.com/fe...

Or you could, you know, try it in a parking lot. My non-sporty brakes easily overpower my 420 HP engine.

Re:Live in a cave

[lgw]

What in particular do you disagree with? There's a reason that sports cars led the conversion to disk from drum brakes, after all - they just work better. And it's well known that ABS increases stopping distance over the most skilled braking, but its advantage is so huge for unskilled braking that even most sports cars don't let you turn it off, for fear of lawsuits (and unpowered disk brakes give such great feedback, no mushy pedal can match it).

Re: And we're going to trust self driving cars now

When it comes to true high-rel software, like that written to DO-178B Level A (an avionics software standard used for things like fly-by-wire) it's almost never the software per se that's at fault. The stuff is amazingly good. It's also amazingly expensive to write and test. You might also find it frustrating because it brings new meaning to the idea of conservative design. For example, I don't think it allows recursion. I know it doesn't allow dynamic allocation.

So it's best written in COBOL? (Which allows neither).

$100 Engine Control Units

[mmmattos]

Sure... but the whole Engine Control Unit project wasnt limited to $100 ? ;)

Re: Live in a cave

I had an Audi and the problem was real. They later came out with a recall but my Audi at a stoplight idling started having the engine rev from 1000 to 3000 and back to while I was stopped at light with foot firmly on brake. Had someone been in front of me on sidewalk when it jumped forward until I pressed on brake harder it could have been a serious accident. It happened several times afterwards but never after they replaced an idle adjust part in the recall. So I understand people being startled but the problem was real.

Re:Live in a cave

[gemtech]

I think you meant to say "conversion from drum to disk". I do agree that your ABS comment, the unskilled need it.
So I was unaware that racing used unboosted disk brakes, after some research they have to increase the mechanical advantage of the break pedal for that to work. What I was focused on was AS DESIGNED disk brake systems for passenger cars/trucks that must have the power boost. And this all comes back to Toyota's decision to not allow someone to easily turn off the engine when the controller has gone into the weeds.

Re:Live in a cave

[viperidaenz]

The only difference between reverse, neutral and drive is which clutches in the transmission ECU determines need to be applied.
Automatic transmissions don't have selector forks like a manual transmission. They have a series of clutches that engage various parts of the planetary gears.

Re:Live in a cave

[Hognoxious]

I had a Citroen 2CV that did that. Luckily, it was so slow that I could jump out and run ahead and warn people to get out of the way.

Cadillacs too!

My 1988 Caddy has done this 5 times. I've had all the throttle components replaced, but it happened the fifth time about a year ago. Repairguy guessed that the computer rebooted itself and left the throttle control in wide-open position and that there was no reason to believe that replacing the computer would solve the problem. So now I practice shifting to neutral and turning the engine off and back on, which means that it will never happen again. I'm OK with that. OTOH, if this problem occurs throughout the auto industry, we're pretty much all screwed and depend on luck to keep us alive.

Waiting in -Drive- position vs -Neutral-

[advid.net]

Sitting at a stop sign with the car in "drive" is a driver error. His foot could slip off the brake and the car would move forwards, wither into traffic or into crossing pedestrians.
This is what we have things like neutral and handbrakes for. [...]

I know probably 90% of American drivers do this, but it's still not sensible or safe behaviour.

Well. Since we changed our car for one with a (for me unwanted) automatic transmission I also have this behavior...

Thanks to your post I'll try to change !

Re: Live in a cave

[Marxist+Hacker+42]

I should have said "Still smoking"- I'm pretty sure the brake pads *did* catch fire.

After hearing about that crash, my *normal* way of stopping became "shut off cruise control a block before I need to stop". But with this story, I am wondering about my methodology. Though, using the passive regenerative braking is great for my gas mileage.

Re:Live in a cave

[DriveDog]

Yeah, well, if you stomp the break pedal your car should realize you need to stop for the break.

Re:Live in a cave

[Agripa]

Modern cars have sufficient braking force to completely stop the engine even at full throttle.

How modern?

My 2002 GMC pickup which is in excellent shape certainly passes this test under normal conditions but if the engine vacuum is lost for whatever reason like the engine stalling, you get one or two pumps of the brake peddle before it becomes so stiff that braking is severely compromised. I found this out the hard way when stopped on a hill with the engine off and I had to push on the brakes hard enough to worry about breaking something (like the steering wheel being used to hold me down to push on the break pedal hard enough to do anything) to stop a gentle roll. Later I tested it by deliberately shutting the engine off while moving.

With older cars I have driven which also had vacuum assisted brakes, they were not nearly so sensitive to the loss of vacuum. I am inclined to think any difference is because of the addition of ABS.

Re: Live in a cave

[Agripa]

On my 2002 GMC pickup, without vacuum assist you have to push down on the brake pedal so hard to get even a modicum of effect that you alarmingly bend the steering wheel while using it to hold yourself down.

Re:Live in a cave

[tragedy]

Or you could, you know, try it in a parking lot. My non-sporty brakes easily overpower my 420 HP engine.

Didn't bother to reply to this at first, because why bother arguing with someone who isn't even listening to you. Unless you're suggesting that I drive at highway speeds in a parking lot.

Re: And we're going to trust self driving cars now

[hermitdev]

Software tests are also capable of missing certain circumstances. Even 100% coverage doesn't make code bullet-proof. There are bugs that only occur due to circumstance, such as stack overflow or undefined behavior. Normal unit test might not expose latent bugs. Just read this.

Re: And we're going to trust self driving cars now

[hermitdev]

The optimal dodge is to stop in a straight line, regardless of the location of the pedestrian.

Richard Petty is oft ac quoted for something similar when asked "how did you miss that car?" His response was "well, I just aimed my car straight at the spinning car". It generally still works well in any sort of auto racing, and also tends to work well even on the highway. If you can get your car to where a car starts to spin, it (being the spinning car) will tend to not be there, if you can get your car there, you'll tend to not wreck. It's not a 100%, but it works fairly wells.

Re: And we're going to trust self driving cars no

[hermitdev]

Not trying to be argumentative, but assuming a situation where a new stop sign is installed. A non-auto car has clear right-of-way. An auto-car runs the stop sign (misreads the signs, doesn't have up-to-date) maps. A collision occurs. Which vehicle is at fault? Clearly the automatic vehicle, but who now foots the bills? Is it the manufacturer because they didn't update the maps? Is it the user, because they didn't pay $200 to update the maps? Is it the city/town because they changed the rules? Another reason I don't want a GPS navigated car: it usually takes 1/2 of my 3 mile driver home to get a GPS signal.

Re: And we're going to trust self driving cars now

[hermitdev]

But, currently, we have a well established legal order to apply responsibility of damages in case of an accident.

Re: And we're going to trust self driving cars now

[hermitdev]

The test shouldn't be whether automated cars make mistakes, but rather whether they do better than an average driver. Can they deal with icy roads as well as an average driver? That bar's pretty low, even here in Edmonton.

I disagree. The car also shouldn't kill me, or others.

Re: And we're going to trust self driving cars now

[AK+Marc]

Go watch a bunch of the russion dashcam footage on youtube. Tell me if the car that moved to "avoid" the other car would have had better results going straight? Most of the time, when someone "dodges" a car, they dodge into the empty space, the same space the other car is moving into. It's not scientific, but it is a consistent observation I've had. If both people aimed at the other car, it wouldn't work, but if one does and the other doesn't, it works great. At least with the spinning car, you know they aren't aiming at anything (aiming implies control).

Re: And we're going to trust self driving cars now

[JMZero]

Sorry, so even if an automated car was safer than most human drivers, you wouldn't want to allow them until what, there's zero possibility of them killing someone?

That's insane.

Aerospace software must be bug-free?

[GPS+Pilot]

Coming from the aerospace industry, you cannot have software that has bugs.

Ideally, yes, but how do you propose to achieve that ideal?

I'm in the aerospace software industry too, and so far 57,000 defect reports have been generated in the program I work on.

My company's CEO recently informed us employees that we are going to start "executing flawlessly." "What a relief," I thought sarcastically. "Now we'll be able to shut down the database that documents those 57,000 defects."

Please enlighten us as to how your program achieved zero defects.

Re: Live in a cave

[deviated_prevert]

even the four-way hazards should trip the computer into resetting the throttle algorithm.

Whoa... lots of idiots turn on hazards while moving, in the middle of a highway. I saw this in Virginia during snowstorms.

Not saying it's right or good, it just happens a lot.

Holy Crap nardo don't come up to Canada and drive stay south of the friggin' border please! Suppose you are in a situation where you come around a corner and you have a white out crossing the road and you know there is a large 18 wheeler only 300-400 yards behind you. When you hit the white out on the corner you need to slow down to squat mph to see where the hell you are going and your tail lights will dissappear. WHAT SHOULD YOU DO? ONE: immediately hit the ditch, TWO: Stop in the middle of the road and get out to see where the ditch is. THREE: Speed up lose control as your wheels hit the ditch and flip your car and kill your wife and kids. FOUR: Slow down, carefully watch for the sholder of the road and increase the luminosity of your tail lights by pumping the brake lights to warn the semi. FIVE: Slow down, watch the edge of the road carefully and turn on your flashers to warn the semi that you have slowed down due to visibility difficulties.

Chances are if you are a moron who is not accustomed to driving according to the conditions you will just wind up going in the ditch at 70 miles an hour, or worse getting rear ended by the semi!

Re: And we're going to trust self driving cars now

[hermitdev]

The point was, in context, the car should not be allowed to into conditions it's not proven to be able to handle; if it is sent into those conditions, fails and kills someone, who is liable?

Re: And we're going to trust self driving cars now

People making the cars aren't omniscient, you're not going to be able to predict every situation (especially while there's still human drivers), and the physical parts are always going to be fallible. Automated cars will kill people, and we'll probably never get to the point where they won't.

In the meantime, they could very likely kill less people than humans. And you would rather not do that because of, what, it'll be awkward to assign liability?

Sorry, but that makes you a psychopath.

Again, the reasonable test is whether they do better than human drivers.