Toyota: 81,514 code violations
People: - Hey, Toyota, we counted here, you have 89 people died from 2000 to 2010 because of clumsy electronics and software.
Toyota: - Yes, they are to blame, they confuse the pedals.
People: - Houston, we have problems.
NASA: “We'll figure it out, we need 10 months and 3 million dollars.
People: - On.
Toyota: - 3 million few, here's another top of the cache.
(10 months have passed)
NASA: - Hey, Toyota, we have found a couple of errors in the code, or rather 7134 violations of the MISRA standards, recursion, a function of 740 lines and 9000 global variables.
Toyota: - And we have our own standards. And you finally flew to the moon?
NASA (publicly): - Toyota is not guilty of anything.
(Toyota shares jumped 4.6%)
People: - Well, ee-mine.
(3 years later)
Two American testers (whose grandfathers died at Pearl Harbor): - No bugs? And if we find?
The National Highway Traffic Safety Administration (NHTSA) estimated that from 2000 to 2010, 89 people died in accidents and 57 were injured due to electronics malfunctions.
')
Toyota denies the fault of electronics and believes, on the basis of its own investigation , that the "sticking" gas pedal and poorly fitted floor mats are to blame, but recalls 8.5 million cars around the world.
Complaints continue to come.
Watch out for the faint of heart
NHTSA begin their own investigation , are attracted to the aid of NASA.
During the ten-month investigation, NASA specialists revealed that the software does not meet the standards of the MISRA (Motor Industry Software Reliability Association) and contains 7134 violations. Toyota responded that they have their own standards.
December 20, 2010 Toyota rejects all charges, but pays $ 16 billion in pre-trial claims and issues an update of software for some models of cars and withdraws 5.5 million cars.
After the announcement of the NASA study, Toyota shares on the Tokyo Stock Exchange increased by 4.6%.
In 2013, the 2007 Oklahoma court filed a lawsuit about the accident, in which two girls were hit on a 2005 Toyota Camry. One of them died, the other spent five months in hospital with back and head injuries. Toyota did not admit its guilt. They said that the cause of the accident was that the driver mixed up the gas and brake pedals, and when she realized her mistake and started to slow down, it was too late.
Two engineers are connected to the case: Michael Barr and Philip Coopman . For 20 months, parse 280,000 lines of code, write a report of 800 pages. Each.
The address was classified. The hotel room, in which the engineers worked, was guarded round the clock - the security guard ensured that no one contributed or endured any papers. All phones and internet have been disconnected.
Toyota has withdrawn more than 10 million cars worldwide . Guilt is not recognized.
According to Michael Barr, their report is classified. Also, the terms of the contract, on the terms of which they were provided with the source code of Toyota, were coded. But Barr recommends google a transcript of the hearing materials.
- TRANSCRIPT OF MORNING TRIAL PROCEEDINGS HAD ON THE 14TH DAY OF OCTOBER, 2013
- BOOKOUT V. TOYOTA 2005 Camry L4 Software Analysis
- KILLER APPS Embedded Software's Greatest Hit Jobs
It was in such conditions that analysts worked:
And such a report was written:
How you searched and found
The main test subject is the Electronic Throttle Control System (ETCS).
NASA specialists scanned the chip with an x-ray.
Even cosmic rays are considered causes of errors.
And the code on the C check:
And then the turn came to the code.
Violations of MISRA (and NASA) standards
By estimation, for every 30 violations of MISRA standards they lead to one “serious bug”.
- In MISRA-C: 1998, 127 rules are listed (93 mandatory and 34 recommendatory).
- In MISRA-C: 2004 141 rules (121 mandatory and 20 recommendatory). The rules are divided into 21 categories.
- In MISRA-C: 2012, there are 143 rules (each of which can be verified by a static code analyzer) and 16 directives (rules whose compliance is open to interpretation or related to processes and procedures). Rules are divided into mandatory, required and recommendatory; can be distributed to individual broadcast units or to the whole system. Also, the rules are divided into Decidable and Undecidable.
Toyota has borrowed only 11 MISRA rules into its standards.
NASA's analysis tools could check 35 MISRA rules and 14 of them were violated.
[Source - NASA Report, Appendix A: Software , page 28]
Total: 7134 violations (as calculated by NASA) or 81,514 (as calculated by Michael Barr).
10 rules of NASA
Article on Habré - "10 rules that allow NASA to write millions of lines of code with minimal errors"
The Power of Ten - 10 Rules for Writing Safety Critical Code
[Source - spinroot.com/p10 ]
- Restrict to simple control flow constructs.
- Give all loops a fixed upper-bound.
- Do not use dynamic memory allocation after initialization.
- Limit functions to no more than 60 lines of text.
- Use minimally two assertions per function.
- Declare data objects at the smallest possible level of scope.
- Check the return value of the function parameters.
- Limit the use of the preprocessor to file inclusion and simple macros.
- Limit the use of pointers. Use of dereferencing per expression.
- Code analyzers.
[Source - spinroot.com/p10 ]
The length of the function is limited to 60-75 lines of code, after deleting empty lines and comments. More than 200 functions in the Camry05 code exceeded the specified length. One of the functions was 740 lines.
Variables
31 names have been announced several times in different areas (in different scopes). The most common name is sts_flags1, which appeared in 57 different areas
But it is worth to show larger.
Code confusion
Flow control graph simple program.
The cyclomatic complexity of a program above 50 is an indicator that the program is not amenable to testing.
In Toyota in ETCS-code:
- 67 functions with over 50 complexity
- Difficulty Throttle angle function = 146; 1300 lines of code, no plan for unit test
Recursion
A recursion was used in the Toyota code, and every problem with it led to a CPU reset.
So what?
The amount of
“Programming today is a race in which developers compete to build large and foolproof programs, and the universe spawns more and more high-quality fools. At the moment, the universe is winning. ”
- Rich Cook, science fiction writer
mass media
- US authorities acquitted Toyota ("Kommersant" from 02/09/2011)
- Releases Results from the NHTSA-NASA Study of Unintended Acceleration in Toyota Vehicles (February 8, 2011)
- Toyota's runaway car worries
- NHTSA-NASA Study of Unintended Acceleration in Toyota Vehicles
- Analysis of Toyota ETCS-1 System Hardware and Software
- Toyota Recall Timeline
Investigation Reports
Philip Coopman's colorful presentation:
NASA Report on Toyota Unintended Acceleration Investigation
NASA Executive Summary
NASA Full Report
NHTSA Report on Toyota Unintended Acceleration Investigation
PS
4 years before
Wherever I come, my job is to apply one simple formula. I keep secrets.- Chuck Palahniuk "Fight Club", 1996.
This is elementary arithmetic.
The task of the textbook.
If the car of my company, made by my company, drove from Chicago to the west at a speed of 60 miles per hour, and the rear axle is wedged, the car crashes and burns with everyone who fell into the trap of its cabin, is it worth it for my company to return the model for revision ?
We take the total number of produced cars of this model (A), multiply by the probable number of machines with a malfunction (B), then multiply the result by the average cost of solving the issue without a court (C). A multiplied by B multiplied by C. Equals X. So much is not to return the model for revision.
If X is more than the cost of the return, we return the cars, and no one will suffer anymore.
If X is less than the cost of return, there will be no return.
- And often there are such accidents?- To \ f "Fight Club", 1999.
- You can not even imagine.
- What company do you work for?
- In a very large one.
Source: https://habr.com/ru/post/310862/
All Articles