Functional Safety
fk0, legend (25.11.2013 18:42, views: 827) replied to SciFi on: No, 11 kilotons of variables is a sign of crap code, and an OS won't help here :-)

I see an interesting link here, but I'll quote it in full, because the information now has to be dug out of archive.org and Google caches: over the last month everything is being actively deleted from the internets. The link to M. Barr's court testimony is in the attached PDF file.
http://translate.google.com/translate?sl=auto&tl=ru&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Farchive.is%2FlfJSs&act=url
(http://embeddedgur …intended-acceleration/)
An Update on Toyota and Unintended Acceleration
Saturday, October 26th, 2013 by Michael Barr

In early 2011, I wrote a couple of blog posts (here and here) as well as a later article (here) describing my initial thoughts on skimming NASA’s official report on its analysis of Toyota’s electronic throttle control system. Half a year later, I was contacted and retained by attorneys for numerous parties involved in suing Toyota for personal injuries and economic losses stemming from incidents of unintended acceleration. As a result, I got to look at Toyota’s engine source code directly and judge for myself.

From January 2012, I’ve led a team of seven experienced engineers, including three others from Barr Group, in reviewing Toyota’s electronic throttle and some other source code as well as related documents, in a secure room near my home in Maryland. This work proceeded in two rounds, with a first round of expert reports and depositions issued in Summer 2012 that led to a billion-dollar economic loss settlement as well as an undisclosed settlement of the first personal injury case set for trial in U.S. Federal Court. The second round began with an over 800 page formal written expert report by me in April 2013 and culminated this week in an Oklahoma jury’s decision that the multiple defects in Toyota’s engine software directly caused a September 2007 single vehicle crash that injured the driver and killed her passenger.

Don’t be misled by much of the mainstream coverage of the Oklahoma verdict. While it is true this was the first time Toyota has lost an unintended acceleration case in court, it is more significant that this was the first and only jury so far to hear any opinions about Toyota’s software defects. Each of the earlier cases either predated our source code access, applied a non-software theory, or was settled by Toyota for an undisclosed sum.

In our analysis of Toyota’s source code, we built upon the work that NASA had done. First, we looked more closely at more lines of the source code for more vehicles for more man months. And we also did a lot of things that NASA didn’t have time to do, including reviewing Toyota’s operating system’s internals, reviewing the source code for Toyota’s “monitor CPU” (which even Toyota hadn’t ever done before! (!)), performing an independent worst-case stack depth analysis, running portions of the main CPU software including the RTOS in a processor simulator, and demonstrating–in exemplar Toyota Camry vehicles–a link between loss of throttle control and the numerous defects we found in the software.

In a nutshell, the team led by Barr Group found what the NASA team sought but couldn’t find: “a systematic software malfunction in the Main CPU that opens the throttle without operator action and continues to properly control fuel injection and ignition” that is not reliably detected by any fail-safe. To be clear, NASA never concluded software wasn’t at least one of the causes of Toyota’s high complaint rate for unintended acceleration; they just said they weren’t able to find the specific software defect(s) that caused unintended acceleration. We did.

Now it’s your turn to judge for yourself. Though I don’t think you can find my 800 page expert report outside the Court system, here’s the trial transcript of my expert testimony to the Oklahoma jury in Bookout, et al. v. Toyota. Note that the jury in Oklahoma went with the software defects and found that Toyota owed each victim $1.5 million in compensatory damages and also found “reckless disregard”. The latter legal standard meant the jury was headed toward deliberations on additional punitive damages when Toyota finally called the plaintiffs to settle (for yet another undisclosed amount). I understand there are about 500 personal injury cases still working their way through various courts, including one set for trial in November in U.S. District Court in Santa Ana, California.
5 Responses to “An Update on Toyota and Unintended Acceleration”

Miro Samek says: October 28, 2013 at 4:49 pm
Hi Michael, Thank you for posting the link to your court deposition. I found it fascinating and couldn’t stop reading late into the night… There is no doubt in my mind that exposing the inadequacies in the Toyota firmware is a very important development for the whole embedded software profession. It is also interesting to see old mistakes repeated time and time again. For example a timed task degenerating into a kitchen sink. I also bet my shirt that there were no assertions in the Toyota firmware. Assertions in software work like fuses in electrical systems and beyond certain density of assertions in the code all failures (including hardware failures) manifest themselves as assertion violations. I’m sure that this could have saved the day (besides making software development so much faster). Anyway, there are tons of valuable lessons to learn here. From now on I will imagine that all my software is on trial… –Miro

David W. Gilbert, Ph.D. says: October 28, 2013 at 10:25 pm
Dear Mr. Barr, Nicely done! I found your testimony very interesting, and while I am not a software expert, I can certainly verify the inability of Toyota vehicles to detect certain malfunctions in the electronic throttle controls. And few malfunctions are more apparent than tin whiskers growing inside the APP sensors! Since my 2010 testimony in the Washington Toyota hearings, I have learned much. Your testimony certainly adds to that knowledge and I am pleased that it has received much needed media attention. Maybe our paths will cross someday. DWG

Betsy Benjaminson says: October 29, 2013 at 10:29 am
Mr. Barr, Wow! Finally, the official, reliable truth has emerged at long last. Thank you for your hard work. I am not an expert of any sort. I am just a Japanese to English translator. Through my work, I saw hundreds of Toyota’s internal documents that strongly suggested that UA was rooted in problems in the software (and also some in hardware) and that Toyota knew about these problems and was attempting to identify them and fix them. But meanwhile the company denied anything was wrong, including in the testimony before both the US House and Senate by Mr. Toyoda, Mr. T. Uchiyamada (the company’s current chairman), other executives, and two of Toyota’s engineers. I have recently published the internal documents in the public interest. You can find them through my Facebook page. Engineers might enjoy poring over them. Mr. Barr, it is a relief to see that the true state of the software is now fully understood. I hope and pray that the US government, including Congress and NHTSA, will now take action to help ensure public safety. I also wish you the greatest success in presenting your findings to the juries of many upcoming trials to help bring justice to consumers who relied on Toyota’s and NHTSA’s assurances all this time, but whose trust has been badly misplaced. Carry on! BZB

Christenson says: October 29, 2013 at 9:09 pm
What’s with all the stupid redactions about “Task X” (Kitchen sink task), Y millisecond tasks and Z second watchdogs? Not to mention the task count itself? Subtracting those details does nothing to alter the conclusions of the testimony, especially the parts about the technical debt, and doesn’t conceal anything from anyone that has even momentarily thought about the kind of software involved. It only proves that secrecy is a coverup strategy for Toyota! And TWO PAGES of source code being secret? Just petty…. Me, I’m glad there’s a hard-wired, stop-whether-or-not-the-CPU-cooperates E-stop on the stuff I program. Can the report (in 800 pages of gory detail) be published and linked here, since it is now evidence in a court of law and a presumption of openness applies?

John Wheeler says: October 29, 2013 at 11:46 pm
Wow, the courtroom transcripts are a great read. I’m on page 98 right now, and I’ve been glued to my screen for the past hour and a half. The analogies with race conditions, overflows, and spaghetti code are all very good. You also allude that the Toyota engineers didn’t have separation of concerns in the ‘kitchen sink’ task–It’s very scary. While reading this testimony and the egregious details, I can’t help but think one thing – the electronic throttle control shouldn’t be 100% software without some type of mechanical fault protection as a backup. I’ve read about the Therac 25 case, and the problem there was 100% software control of critical systems without hardware interlocks. My question is: what has Toyota done since this aside from damage control and misguided firmware updates?
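As an added illustration of Miro Samek's point above about assertions acting as fuses, here is a sketch of a throttle control step in which every violated precondition or invariant trips a latched fail-safe that forces the throttle command to zero. This is example code written for this page, not Toyota's or Barr Group's code; the pedal ADC range, the sensor-agreement tolerance, the inverted shadow copy and the names `FW_ASSERT` / `failsafe_trip` are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Critical state kept with an inverted shadow copy: a single corrupted bit
 * in either half breaks the invariant and surfaces as an assertion failure. */
typedef struct { uint16_t val; uint16_t inv; } guarded_u16;

static bool g_failsafe = false;        /* latched: stays tripped until an explicit reset */
static const char *g_trip_site = NULL; /* which function blew the "fuse" */

/* The fuse itself: drive the actuator to its safe state and remember where we tripped. */
static void failsafe_trip(const char *site) { g_failsafe = true; g_trip_site = site; }

/* Only valid inside functions returning an integer type: a failure returns 0 (= throttle closed). */
#define FW_ASSERT(cond) do { if (!(cond)) { failsafe_trip(__func__); return 0; } } while (0)

static void guarded_set(guarded_u16 *g, uint16_t v) { g->val = v; g->inv = (uint16_t)~v; }

/* One control step. Inputs are two redundant 10-bit pedal sensors (assumed 0..1023).
 * Returns the throttle command in tenths of a percent (0..1000); 0 once the fail-safe is latched. */
uint16_t throttle_step(guarded_u16 *pedal, uint16_t pedal_adc1, uint16_t pedal_adc2)
{
    if (g_failsafe) return 0;                           /* latched: never reopen the throttle */
    /* preconditions: both sensors in range and agreeing within an assumed tolerance of 40 counts */
    FW_ASSERT(pedal_adc1 <= 1023 && pedal_adc2 <= 1023);
    FW_ASSERT((pedal_adc1 > pedal_adc2 ? pedal_adc1 - pedal_adc2 : pedal_adc2 - pedal_adc1) <= 40);
    /* invariant: stored pedal state was not corrupted (e.g. by a stray write) since the last step */
    FW_ASSERT((uint16_t)~pedal->val == pedal->inv);
    uint16_t pos = (uint16_t)(((uint32_t)pedal_adc1 + pedal_adc2) * 1000u / 2046u);
    guarded_set(pedal, pos);
    return pos;
}

bool failsafe_latched(void) { return g_failsafe; }
const char *failsafe_site(void) { return g_trip_site; }
void failsafe_reset(void) { g_failsafe = false; g_trip_site = NULL; }
```

In a real controller the trip handler would also kick the watchdog off or request a reset rather than only latching a flag; the point shown is that corruption is detected at the next assertion instead of silently feeding the actuator.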