10/25/2013 03:35 PM EDT


MADISON, Wis. — Could bad code kill a person? It could, and it apparently did.


The Bookout v. Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.


This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.


The plaintiffs' attorneys closed their argument by saying that the electronic throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.


An Oklahoma judge announced that a settlement to avoid punitive damages had been reached Thursday evening. This was announced shortly after an Oklahoma County jury found Toyota liable for the crash and awarded $1.5 million in compensation to Jean Bookout, the driver, who was injured in the crash, and $1.5 million to the family of Barbara Schwarz, who died.


During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.


"We'vedemonstrated how as little as a single bit flip 蹦跳 can causethe driver to lose control of the engine speed in real cars due to softwaremalfunction 失灵 that is notreliably detected by any fail-safe," Michael Barr, CTO and co-founder ofBarr Group, told us in an exclusive interview. Barr served as an expert witnessin this case.


A core group of seven experts, including four from Barr Group, analyzed the Toyota case. Their analysis ultimately resulted in Barr's 800-plus-page report.


In Toyota's own view, though, the automaker had already been exonerated when the National Highway Traffic Safety Administration closed its probe of Toyota models in February 2011. The NHTSA decision came after NASA investigated Toyota's electronic throttle control system and found no electronic causes of unintended acceleration during a 10-month review.


But not everyone in the embedded systems industry thinks NASA had enough time to come up with a complete report. Perhaps more significantly, in its report, NASA itself did not rule out the possibility of software having caused unintended acceleration.


The group of seven experts was given the task of picking up where the NASA investigation left off.


"We did afew things that NASA apparently did not have time to do," Barr said. Forone thing, by looking within the real-time operating system, the expertsidentified "unprotected critical variables." They obtained andreviewed the source code for the "sub-CPU," and they "uncoveredgaps and defects in the throttle fail safes."


Further, the team ran simulations in the Green Hills Simulator. "This confirmed tasks can die without the watchdog resetting the processor." His group also independently checked worst-case stack depth. "We found many big mistakes in the Toyota analysis that NASA relied on."


The experts demonstrated that "the defects we found were linked to unintended acceleration through vehicle testing," Barr said. "We also obtained and reviewed the source code for the black box and found that it can record false information about the driver's actions in the final seconds before a crash."


It's important to note that Barr Group testimony led to a billion-dollar economic-loss settlement by Toyota last December. Because of that settlement, details of the technical discoveries made back then by the experts were not made public until the Oklahoma trial. The economic-loss settlement resolved hundreds of lawsuits claiming vehicles depreciated after the company issued recalls related to faulty acceleration. Toyota still faces lawsuits claiming injury or death related to the recalls.


Task X death

Now that the experts' testimony and findings have been made public through the Oklahoma trial, let's get into details. What defects were found in Toyota's electronic throttle control systems?


Barr said that the 2005 Camry L4 source code and in-vehicle tests by the experts confirmed that some critical variables are not protected from corruption, and that sources of memory corruption are present. He believes that Toyota's engineers sought to protect numerous variables against software- and hardware-caused corruption, but they failed to mirror several key critical variables, and they made no hardware protection available against bit flips.


Stack overflow and software bugs led to memory corruption, he said. And it turns out that the crux of the issue was these memory corruptions, which acted "like ricocheting bullets."


Barr explains the issue this way:


Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code.

There are tens of millions of combinations of untested task death, any of which could happen in any possible vehicle/software state. Too many to test them all. But vehicle tests we have done in 2005 and 2008 Camrys show that even just the death of Task X by itself can cause loss of throttle control by the driver -- even as combustion continues to power the engine. In a nutshell, the fail safes Toyota did install have gaps in them and are inadequate to detect all of the ways UA can occur via software.

Just to clarify, the "tasks" are equivalent to apps running on smartphones or PCs. All software malfunctions from time to time -- we often have to reboot our machines. The 2005 Camry L4 has a set of dozens of apps (or tasks). Because they are all meant to be running always, the death of one could have dire consequences.
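The "mirroring" Barr refers to above (and the unprotected critical variables mentioned earlier) is easiest to see in code. The following is an added example written for this page, not code from Toyota or from Barr Group's report: a critical variable is stored alongside its bitwise complement, so that a single bit flip in either copy, whether from a hardware single-event upset or from a software bug that scribbles over memory, is detected on the next read and a safe value is substituted. The variable name, the 0.1-degree throttle units, the sample value 120 and the flipped bit positions are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A mirrored variable keeps the value together with its bitwise complement.
   Any single-bit corruption of either copy breaks the invariant
   mirror == ~value and is detected on the next read.
   (Constructed demo type; not Toyota's code.) */
typedef struct {
    uint16_t value;
    uint16_t mirror;
} mirrored_u16;

static void mirrored_write(mirrored_u16 *m, uint16_t v)
{
    m->value = v;
    m->mirror = (uint16_t)~v;
}

/* Returns true and stores the value in *out if both copies agree;
   returns false (corruption detected) otherwise. */
static bool mirrored_read(const mirrored_u16 *m, uint16_t *out)
{
    if ((uint16_t)~m->mirror != m->value)
        return false;
    *out = m->value;
    return true;
}

/* Simulate a single-event upset: flip one bit of a 16-bit word. */
static void flip_bit(uint16_t *word, unsigned bit)
{
    *word ^= (uint16_t)(1u << (bit & 15u));
}

#define THROTTLE_CMD  120u   /* hypothetical commanded throttle, 12.0 degrees */
#define THROTTLE_SAFE (-1)   /* caller maps this to a closed-throttle/limp state */

/* Unprotected variable: the flipped bit flows straight into the control loop. */
int throttle_unprotected_after_flip(unsigned bit)
{
    uint16_t throttle = THROTTLE_CMD;
    flip_bit(&throttle, bit);
    return throttle;         /* e.g. bit 11: 120 silently becomes 2168 */
}

/* Mirrored variable: the same flip, in either copy, is detected and the
   safe value is returned instead of the corrupted one. */
int throttle_mirrored_after_flip(unsigned bit, bool flip_mirror_copy)
{
    mirrored_u16 throttle;
    uint16_t v;

    mirrored_write(&throttle, THROTTLE_CMD);
    flip_bit(flip_mirror_copy ? &throttle.mirror : &throttle.value, bit);

    if (!mirrored_read(&throttle, &v))
        return THROTTLE_SAFE;
    return v;
}

/* Sanity path: with no corruption the mirrored read returns the command. */
int throttle_mirrored_clean(void)
{
    mirrored_u16 throttle;
    uint16_t v;

    mirrored_write(&throttle, THROTTLE_CMD);
    return mirrored_read(&throttle, &v) ? v : THROTTLE_SAFE;
}

int main(void)
{
    printf("unprotected, bit 11 flipped:        %d\n", throttle_unprotected_after_flip(11));
    printf("mirrored, bit 11 flipped in value:  %d\n", throttle_mirrored_after_flip(11, false));
    printf("mirrored, bit 11 flipped in mirror: %d\n", throttle_mirrored_after_flip(11, true));
    printf("mirrored, no corruption:            %d\n", throttle_mirrored_clean());
    return 0;
}
```

Mirroring only detects corruption; it does not correct it, and it cannot catch a fault that rewrites both copies consistently (for example a buffer overflow that overwrites the whole struct with a matching pair, or the same bit flipping in both words). That is why it is a complement to, not a substitute for, hardware protection such as ECC memory and for fail-safes that react to the detected fault.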


When asked if the whole case for unintended acceleration could be pinned on the task X death, Barr replied, "The task X death in combination with other task deaths." There are dozens of tasks and 16 million different ways those tasks can die. The expert group was able to demonstrate at least one way for the software to cause unintended acceleration, but there are so many other ways that could have happened.


Barr also said more than half the dozens of tasks' deaths studied by the experts in their experiments "were not detected by any fail safe."
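Why can a task die without the watchdog resetting the processor, as the simulator runs and the vehicle tests described above found? The simulation below is an added example written for this page, not Toyota's design or Barr Group's test code. It models a small multitasking controller with a hardware watchdog and compares two kick policies: one where a timer interrupt kicks the watchdog unconditionally (so only a total CPU hang is ever caught), and one where the watchdog is kicked only after every task has checked in, so the death of any single task starves the watchdog and forces a reset. The task count, the watchdog period, the tick at which the simulated task dies and the "task 2" label are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed miniature of a multitasking engine controller: a handful of
   periodic tasks and one hardware watchdog timer. All numbers here are
   assumptions for the demo, not Toyota's values. */
#define NUM_TASKS        4
#define WATCHDOG_PERIOD  10   /* ticks the watchdog tolerates without a kick */
#define DEATH_TICK       5    /* tick at which the simulated task dies */

typedef struct {
    bool     alive;           /* false models a task that has died */
    uint32_t checkins;        /* runs since the last watchdog kick */
} task_t;

typedef struct {
    task_t   tasks[NUM_TASKS];
    unsigned ticks_since_kick;
    bool     reset_fired;
} ecu_t;

typedef bool (*kick_policy_t)(ecu_t *);

static void ecu_init(ecu_t *e)
{
    memset(e, 0, sizeof *e);
    for (int i = 0; i < NUM_TASKS; i++)
        e->tasks[i].alive = true;
}

/* One scheduler tick: every task that is still alive runs and checks in. */
static void run_tasks(ecu_t *e)
{
    for (int i = 0; i < NUM_TASKS; i++)
        if (e->tasks[i].alive)
            e->tasks[i].checkins++;
}

/* Hardware watchdog: resets the processor if not kicked within the period. */
static void hw_watchdog_tick(ecu_t *e, bool kicked)
{
    if (kicked)
        e->ticks_since_kick = 0;
    else if (++e->ticks_since_kick >= WATCHDOG_PERIOD)
        e->reset_fired = true;
}

/* Weak policy: a timer interrupt kicks the watchdog unconditionally.
   Only a total CPU hang is ever caught; a single dead task is invisible. */
static bool policy_timer_kick(ecu_t *e)
{
    (void)e;
    return true;
}

/* Stronger policy: kick only when every task has checked in since the
   last kick, so the death of any one task starves the watchdog. */
static bool policy_all_tasks_kick(ecu_t *e)
{
    for (int i = 0; i < NUM_TASKS; i++)
        if (e->tasks[i].checkins == 0)
            return false;
    for (int i = 0; i < NUM_TASKS; i++)
        e->tasks[i].checkins = 0;
    return true;
}

/* Run `ticks` ticks under `policy`, killing task `dead_task` at DEATH_TICK
   (pass -1 for no death). Returns true if the watchdog reset fired. */
bool simulate(kick_policy_t policy, int dead_task, int ticks)
{
    ecu_t e;
    ecu_init(&e);
    for (int t = 0; t < ticks; t++) {
        if (t == DEATH_TICK && dead_task >= 0 && dead_task < NUM_TASKS)
            e.tasks[dead_task].alive = false;
        run_tasks(&e);
        hw_watchdog_tick(&e, policy(&e));
        if (e.reset_fired)
            return true;
    }
    return false;
}

int main(void)
{
    printf("timer-kick policy, task 2 dies: reset=%d\n", simulate(policy_timer_kick, 2, 50));
    printf("all-tasks policy,  task 2 dies: reset=%d\n", simulate(policy_all_tasks_kick, 2, 50));
    printf("all-tasks policy,  no death:    reset=%d\n", simulate(policy_all_tasks_kick, -1, 50));
    return 0;
}
```

Under the timer-kick policy the dead task is never noticed because the kick does not depend on it; under the all-tasks policy the watchdog trips WATCHDOG_PERIOD ticks after the death, and a healthy system never trips it. A real design would also check that each task ran within its deadline rather than merely at all, and would have to decide what a safe reaction is for each task, since a reset in the middle of a drive is itself a hazard.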


What's next for NHTSA

After the Oklahoma trial, what steps should the NHTSA be taking? Barr made some suggestions:


NHTSA needs to get Toyota to make its existing cars safe and also needs to step up on software regulation and oversight. For example, FAA and FDA both have guidelines for safety-critical software design (e.g., DO-178) within the systems they oversee. NHTSA has nothing.

Also, NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that rule does not go far enough. We observed that Toyota's black box can malfunction during unintended acceleration specifically, and this will cause the black box to falsely report no braking. NHTSA's rules need to address this, e.g., by being more specific about where and how the black box gets its data, so that it does not have a common failure point with the engine computer.

The plaintiffs' attorneys' testimony focused on Toyota's electronic throttle control system - specifically, its source code.


Task X death:


Barr said that the 2005 Camry L4 source code and vehicle tests by the experts confirmed that the data in some critical variables had been corrupted, and that memory data was corrupted as well. He believes Toyota's engineers wanted to protect numerous variables against corruption by software and hardware, but they failed to mirror several key variables, and they did not guard against hardware bit flips.



Barr explains the issue this way:


There are too many untested task (program) deaths, any one of which could occur in some vehicle/software state. Testing them all is far too much. But our tests of Toyota Camrys from 2005-2008 showed that the death of just any single task X can cause the driver to lose control of the electronic throttle while the engine is still accelerating. In short, Toyota's safety failures stem from software defects, and software testing cannot detect all of them.

To clarify, the "tasks" we are talking about here are not equivalent to the apps that run on PCs and smartphones. Software fails again and again, and we simply reboot our machines. The Camry L4 has many important tasks that must run at the same time, and the death of any one of them could have terrible consequences.

So is the unintended acceleration entirely due to the death of task X? Barr answered that it is caused by task X dying together with other tasks. There are many tasks, and 16 million ways in which tasks can die. The research group gave at least one such example that causes unintended acceleration; in fact many more could happen.



What's next for NHTSA:

After the Oklahoma trial, what steps should the National Highway Traffic Safety Administration take next? Barr gave some suggestions: