Zaphod42 posted: It gets better. No matter how bad you think it is, it's worse. This is summarized from the trial transcript:

Toyota had no software testing procedures, no peer review, no written specifications, no bug tracker, etc. The secondary backup CPU code was provided by a third party in compiled form; Toyota never examined it and couldn't actually say with certainty what it did. Their watchdog merely checked that the system was running and did not respond to task failures or CPU overload conditions, so it would not bother to reset the ECU even if most of the tasks crashed. Since this is the basic function of a watchdog, they may as well not have had one. It was apparently gutted due to constant resets from an overloaded CPU, rather than upgrading. They claimed to be using ECC memory but did not, so anything from single bit errors to whole page corruption was undetected and uncorrected.

A bunch of logic was jammed in one spaghetti task that was responsible for calculating the throttle position, running various failsafes, and recording diagnostic error codes. Any failure of this task was undetected by the watchdog and disabled most of the failsafes. Due to no ECC and the stack issue below, a single bit error would turn off the runnable flag for this task and cause it to stop being scheduled for CPU time. No error codes would be recorded. They did not do any logging (e.g. of OS task scheduler state, number of ECU resets, etc.), not even in the event of a crash or ECU reset.

The code contained various recursive paths and no effort was made to prevent stack overflows. Worse, the RTOS kernel data structures were located immediately after the 4K stack, so stack overflows could smash these structures, including disabling tasks from running. They were supposed to be using mirroring of variables to detect memory smashing/corruption (write A and XOR A to separate locations, then compare them on read to make sure they match). They were not doing this for some critical variables, for some inexplicable reason, including the throttle position, so any memory corruption could write a max throttle value and be undetected. Instead of using the certified, audited version of the RTOS like most auto makers, they used an unverified version. Thanks to not bothering to review the OS code, they had no idea the OS data structures were not mirrored. A single bit flip can start or stop a task, even a life-safety critical one. These are just some of the massive glaring failures at every level of specifying, coding, and testing a safety-critical embedded system.
Posted Oct 30, 2013 05:32
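The variable mirroring the quoted post describes (write A and A XOR a mask to separate locations, compare the two copies on every read), as an added C example; this is not code from the thread or from any Toyota ECU, and the mask value, the diagnostic code and the tenths-of-a-percent throttle units are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not code from the thread or from any ECU: a "mirrored"
 * variable as the post describes it. The value is stored twice, the second
 * copy XORed with a fixed mask, in two separate storage areas so that one
 * stray write, a smashed page or a single bit flip is unlikely to hit both. */

#define MIRROR_MASK         0xA5A5A5A5u /* constructed; any fixed mask works */
#define THROTTLE_SAFE       0u          /* failsafe value: closed throttle */
#define DTC_MIRROR_MISMATCH 0x5A01u     /* constructed diagnostic trouble code */

typedef struct { uint32_t plain;  } primary_t;
typedef struct { uint32_t masked; } mirror_t;

/* In a real build these would be placed in different RAM regions. */
static primary_t g_throttle_a;
static mirror_t  g_throttle_b;
static uint32_t  g_last_dtc;

void mirror_write(primary_t *a, mirror_t *b, uint32_t v)
{
    a->plain  = v;
    b->masked = v ^ MIRROR_MASK;
}

/* True and *out set if both copies agree, false if they have diverged. */
bool mirror_read(const primary_t *a, const mirror_t *b, uint32_t *out)
{
    if ((b->masked ^ MIRROR_MASK) != a->plain) return false;
    *out = a->plain;
    return true;
}

/* Throttle position in tenths of a percent (constructed units). */
void throttle_set(uint32_t pct_x10) { mirror_write(&g_throttle_a, &g_throttle_b, pct_x10); }

/* Failsafe read: on mismatch fall back to a closed throttle and record a
 * diagnostic code instead of acting on whatever the corrupted copy holds. */
uint32_t throttle_get(void)
{
    uint32_t v;
    if (mirror_read(&g_throttle_a, &g_throttle_b, &v)) return v;
    g_last_dtc = DTC_MIRROR_MISMATCH;
    return THROTTLE_SAFE;
}

uint32_t throttle_last_dtc(void) { return g_last_dtc; }

/* Fault injection for the demo: flip one bit in the primary copy only, as a
 * single-event upset in non-ECC RAM would. */
void inject_bit_flip(unsigned bit) { g_throttle_a.plain ^= 1u << bit; }

/* Scenario: write 12.0 %, flip bit 9 (an unmirrored read would now return
 * 632 = 63.2 %), confirm the read falls back to 0 and a code is logged.
 * Returns 0 on success, otherwise the number of the failed step. */
int demo(void)
{
    throttle_set(120);
    if (throttle_get() != 120) return 1;
    inject_bit_flip(9);
    if (throttle_get() != THROTTLE_SAFE) return 2;
    if (throttle_last_dtc() != DTC_MIRROR_MISMATCH) return 3;
    return 0;
}
```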
I'm normally against programming licenses, because everyone should be capable of learning at least a little programming, but I think that programmers who write real-time applications for safety-critical purposes should be required to have a license.
Posted Oct 30, 2013 06:57

This sort of car accident is a negligible risk, as it turns out, and car companies already have a natural economic incentive for their vehicles to not go wildly out of control. If you want some super-verified NASA-esque or airplane-esque software development cycle for automobiles, then you can kiss goodbye to the annual car model cycle and just forget about all the improvements vehicles have made in efficiency, reliability, troubleshooting, and safety, thanks to computer software control. The money you could spend on making better car software would be far better spent on the aspects of a vehicle's design that would actually save dozens of lives or more. The last thing we need is some car software FDA that makes airbag systems five times more expensive to innovate.
Posted Oct 30, 2013 07:08

shrughes posted: This sort of car accident is a negligible risk, as it turns out, and car companies already have a natural economic incentive for their vehicles to not go wildly out of control. If you want some super-verified NASA-esque or airplane-esque software development cycle for automobiles, then you can kiss goodbye to the annual car model cycle and just forget about all the improvements vehicles have made in efficiency, reliability, troubleshooting, and safety, thanks to computer software control. The money you could spend on making better car software would be far better spent on the aspects of a vehicle's design that would actually save dozens of lives or more. The last thing we need is some car software FDA that makes airbag systems five times more expensive to innovate.

Nobody's asking for a car equivalent of the FAA, but the engineers that work on other aspects of car systems have licensing procedures and certain good practices they must follow. In my field, electrical engineering, nobody cares if you have a license unless you are working for the government or on a safety-critical system. A similar model for software engineering might be a good idea - yes, it would increase costs, but not significantly so, and it has a decent chance of decreasing the likelihood of shoddily-built systems like this taking lives. The debate is about extending something that already exists for the physical aspects of the car to cover the software too, not creating a governmental oversight organization.
Posted Oct 30, 2013 07:16

And the best part: The failsafe measure that Toyota put in as a response to the acceleration claims? It was a firmware patch to add a sanity check to the same main loop whose total failure can generate the incorrect throttle command in the first place.

e: Hypothetically, I just might be able to survive on this earth without annual model updates.

Gazpacho fucked around with this message at 08:54 on Oct 30, 2013
Posted Oct 30, 2013 08:27

Naming conventions are magic. Also, after hearing that litany of Toyota problems, I can understand the jury wanting to bump the award as high as possible
Posted Oct 30, 2013 12:28

Zemyla posted: I'm normally against programming licenses, because everyone should be capable of learning at least a little programming, but I think that programmers who write real-time applications for safety-critical purposes should be required to have a license.

*raises paw* Licensing isn't the issue here, really. Agency approvals demanded by the Insurance Institute (or other crash tester type labs) would do the job fine. In industrial contexts where electronic devices are operated in hazardous areas (explosive gases, etc.) the hardware has to be certified by FM or ATEX as intrinsically safe or nobody will buy it because they can't get their oil rig insured with non-IS devices used on it; in medical devices the firmware and hardware need to get certified under IEC 60601 or similar (this came about as a result of Therac 25, which someone linked earlier) or nobody will buy it for insurance and legal reasons; in industrial plants the hardware and firmware of the process control and safety systems, and many/all of their component parts, need to be certified to a certain "safety integrity level" or the plant doesn't get built because nobody will insure it at any price. All of these types of standards and approval agencies have their issues (and MISRA-C, which Barr mentioned in his report, has some serious issues of its own), and all of them add development time, but none of them double it, especially when the safety-instrumented functions are properly cordoned off (so you get the airbags and the ABS and the throttle systems certified, but not the poo poo that adjusts the fuel trim and the cabin lights etc.). The alternative approach (self-certification a la MISRA-C or CE marking for devices) tends to lead to widespread noncompliance. Incidentally, while the firmware issues are quite bad, the systems engineering issues are worse, as Barr's firm mostly detailed in their report.

Blotto Skorzany fucked around with this message at 13:23 on Oct 30, 2013
Posted Oct 30, 2013 13:20

EntranceJew posted: I know a guy that manually checks blueprints that the architects hand him because if he built to their specifications, the buildings would have collapsed in on themselves seven times over and violated a slew of construction codes. It happens more than you should feel safe about.

Architects are not engineers and the structural engineers know this (all too well). I'm married to a structural engineer and I swear I hear no end of bitching about architects doing crazy things that look good but would fall over if you blew at it. Luckily, every design that gets built requires a structural Professional Engineer to review and sign off on it - so I do feel fairly safe about it.
Posted Oct 30, 2013 14:29

Consulting horror: My company apparently sold TDD training to QA teams. Why I love my company: When I mentioned that we did that to my boss, he agreed that it was dumb and that he'll make sure it doesn't happen again.
Posted Oct 30, 2013 15:24

A JPEG screenshot? You monster.
Posted Oct 30, 2013 16:17

I like how the choice of variable names masks everything else which is wrong with that code. What if MLP[] has no entries? What if i is 0 or negative? Why isn't applejack initialised? Why the fencepost errors (if i is 5, we compute the largest/smallest/sum/average of entries 0, 1, 2 and 3)?
Posted Oct 30, 2013 16:36

Job security.
Posted Oct 30, 2013 16:44

This is code some (freshman or sophomore) student turned in, right? Right?
Posted Oct 30, 2013 16:47

PHP horrors are almost run of the mill, but nevertheless... http://3v4l.org/XXbtf PHP code:
Posted Oct 30, 2013 19:25

Doctor w-rw-rw- posted: PHP horrors are almost run of the mill, but nevertheless... PHP code:

Obviously, date() and strtotime() have some design flaws in addition to those bugs.
Posted Oct 30, 2013 19:41

https://github.com/YaroslavGaponov/node-jvm Yes. We needed this.
Posted Oct 30, 2013 19:59

I see it as a cool hack someone did in a weekend, not actually something to be deployed in production. I've done similar things for fun.
Posted Oct 30, 2013 20:11

Arcsech posted: This is code some (freshman or sophomore) student turned in, right?

So I'm told.
Posted Oct 30, 2013 20:12

JawnV6 posted:https://github.com/YaroslavGaponov/node-jvm
Posted Oct 30, 2013 21:17

Ithaqua posted: I have a co-worker who does that, and it's baffling. We're already using source control, there's literally no reason to do what he does. He also leaves giant chunks of code commented out. Having big comment-chunks is fine when you're actively developing, but for the love of god, clean it up before you check the code in.

Today I found a C++ code:
Posted Oct 30, 2013 21:40

You know, I'd think that a huge multinational like Toyota would have its act together, but again I am confronted with the folly of man. That makes me wonder about the whole lot of it. Do contractors for the military end up with spaghetti code running their blackhawks? What about the NSA? Is it spaghetti all the way down?
Posted Oct 30, 2013 23:56

Cheekio posted: Is it spaghetti all the way down?

Yes. I'm sure every industry has at least some major players running software held together with twine and duct tape.
Posted Oct 30, 2013 23:59

Cheekio posted: You know, I'd think that a huge multinational like Toyota would have its act together, but again I am confronted with the folly of man.

I'm contracting for the USAF right now, and in the areas I'm working, there's a lot of old horrors, but the air force has bought wholeheartedly into a lot of ideas, including the idea that paying down technical debt is worth it. We more or less take 10% of our time per sprint to spend on nothing but making the code better structurally, more understandable, etc., completely aside from time spent fixing bugs or implementing new features. They also frequently prioritize issues where we tell them up front that we're going to take a bit longer than strictly necessary to make sure the code is solid, understandable, and easier for everybody to work with in the future. Our product owner is actually doing his master's thesis right now, and from his comments, it involves running the numbers on the effect out-of-cycle rush requests have on the overall productivity of the entire project. (Spoiler: It costs us bad every time it happens.)
Posted Oct 31, 2013 00:07

So, someone decided to load a bunch of files as binary objects into a database, using a VB script. They declared a byte array equal to File.Length, except in this version of VB declaring a byte array of length X actually creates X+1 spots in the array. So all files are in the database with an extra byte. Some file types are OK with this, some can't be opened.

Fix the loader, fix the DB, right? I update the loader code and write a quick script to fix the application. Easy solution, right? Wrong. The person who wrote the code refuses to acknowledge that the loader is wrong. Swears that SQLServer is just adding a byte to all the things we store in the database. I write a unit test that proves that SQLServer isn't just corrupting data. The developer ignores it; he pushes through a fix. The fix is to adjust the reader to ignore the last byte.

Data is being loaded wrong. Data is being stored wrong. The data can only be accessed correctly through one application. But hey, only one change ticket!
Posted Oct 31, 2013 03:25

shrughes posted: This sort of car accident is a negligible risk, as it turns out, and car companies already have a natural economic incentive for their vehicles to not go wildly out of control. If you want some super-verified NASA-esque or airplane-esque software development cycle for automobiles, then you can kiss goodbye to the annual car model cycle and just forget about all the improvements vehicles have made in efficiency, reliability, troubleshooting, and safety, thanks to computer software control. The money you could spend on making better car software would be far better spent on the aspects of a vehicle's design that would actually save dozens of lives or more. The last thing we need is some car software FDA that makes airbag systems five times more expensive to innovate.

Did you even bother to read my post? Not to get all Linus here but you're a fool. They didn't just fail at embedded engineering 101; they failed abysmally. They spent time and effort to do the opposite of what you should do. I mean, every single embedded system ever has a watchdog timer system. That is, quite literally, Baby's First Embedded System. The function of the simplest, dumbest watchdog is to verify that all required tasks are running and restart any that have failed. A marginally smarter one will also catch tasks that run too often or not enough and kill a lower-priority task that eats up too much CPU time, but let's not get too fancy here. Toyota shipped Camrys (and other models) in 2005, 2006, 2007, 2008, 2009, and 2010 (maybe more) using almost the exact same code that had a basically non-functional watchdog. Almost every single task in the entire ECU could poo poo itself and the watchdog would keep going "ALL SYSTEMS GO, FULL STEAM AHEAD!". We are talking a basic function that was shared across millions of cars that wouldn't take anything more than a peer review and a week of one coder's time to fix. Instead any stack overflow, race condition, pointer dereferencing bug, cosmic ray, et al. can disable almost all the car's failsafes and/or trigger unintended acceleration. Or just randomly tilt the driver's side mirror. No one knows, and there won't be any logs or diagnostic codes written; the ECU will just randomly start doing or not doing... well... something! Not that Toyota would know this, as they never tested the software or bothered to look for the non-existent logs anyway.

Edit: if I were an insurance company, I'd refuse to cover these Toyota vehicles until Toyota brought in outside programmers to help train their people, review the code, and implement some better processes. Instead Toyota seems to be pulling a Tobacco company / American car company in the 70s "nothing to see here, move along, it was all driver error, what's fault injection?"

Simulated fucked around with this message at 04:22 on Oct 31, 2013
Posted Oct 31, 2013 04:19
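A task-aware watchdog of the kind Simulated describes above (verify that every required task is still running, catch a task that runs far too often, and only then refresh the hardware timer), as an added C example; this is not code from the thread or from any ECU, and the task periods, the heartbeat API and the counters that stand in for the hardware kick and the ECU reset are constructed for illustration.

```c
#include <stdint.h>

/* Added example, not code from the thread or from any ECU: a task-aware
 * watchdog. Each required task reports a heartbeat per cycle; the supervisor
 * refreshes the hardware watchdog only when every task has checked in on
 * time and none is running wild, so a dead task forces a counted reset
 * instead of the ECU reporting "ALL SYSTEMS GO" with most of its tasks gone. */

#define TASK_COUNT     3
#define MISSED_PERIODS 2 /* a task is dead after missing this many periods */
#define RUNAWAY_FACTOR 2 /* runaway above this multiple of its nominal kicks */

typedef struct {
    uint32_t period_ms;    /* nominal scheduling period of the task */
    uint32_t last_kick_ms; /* time of its most recent heartbeat */
    uint32_t kicks;        /* heartbeats since the last supervisor check */
} task_mon_t;

typedef struct {
    task_mon_t task[TASK_COUNT];
    uint32_t   last_check_ms;
    unsigned   hw_refreshes; /* stands in for kicking the hardware timer */
    unsigned   resets;       /* stands in for forcing and logging an ECU reset */
} watchdog_t;

void wdt_init(watchdog_t *w, const uint32_t periods_ms[TASK_COUNT], uint32_t now)
{
    for (int i = 0; i < TASK_COUNT; i++)
        w->task[i] = (task_mon_t){ periods_ms[i], now, 0 };
    w->last_check_ms = now;
    w->hw_refreshes = w->resets = 0;
}

/* Called by a task at the end of each of its cycles. */
void wdt_heartbeat(watchdog_t *w, int task, uint32_t now)
{
    w->task[task].last_kick_ms = now;
    w->task[task].kicks++;
}

/* Called from a timer interrupt or the highest-priority task. Returns a
 * bitmask: bit i set means task i is stale or ran far too often. The
 * hardware watchdog is refreshed only when the mask is zero. */
uint32_t wdt_check(watchdog_t *w, uint32_t now)
{
    uint32_t bad = 0, elapsed = now - w->last_check_ms;
    for (int i = 0; i < TASK_COUNT; i++) {
        task_mon_t *t = &w->task[i];
        uint32_t expected = elapsed / t->period_ms; /* nominal kicks in window */
        if (now - t->last_kick_ms > MISSED_PERIODS * t->period_ms)
            bad |= 1u << i;                         /* task stopped running */
        if (expected > 0 && t->kicks > RUNAWAY_FACTOR * expected)
            bad |= 1u << i;                         /* task hogging the CPU */
        t->kicks = 0;
    }
    w->last_check_ms = now;
    if (bad == 0) w->hw_refreshes++; else w->resets++;
    return bad;
}

/* Simulation helper: task `id` runs once every `step` ms from `from` to `to`. */
void run_task(watchdog_t *w, int id, uint32_t from, uint32_t to, uint32_t step)
{
    for (uint32_t t = from; t <= to; t += step) wdt_heartbeat(w, id, t);
}
```

With 10/50/100 ms tasks, a healthy 100 ms window returns 0; a window in which the 50 ms task never runs returns 0x2, and one in which the 100 ms task fires every millisecond returns 0x4.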
Insurance companies have a lot more statistics about Toyota than you do. Guess what: Toyota shipped cars from 2005-2010 and they worked drat well.

Edit:

quote: Edit: if I were an insurance company, I'd refuse to cover these Toyota vehicles until Toyota brought in outside programmers to help train their people, review the code, and implement some better processes. Instead Toyota seems to be pulling a Tobacco company / American car company in the 70s "nothing to see here, move along, it was all driver error, what's fault injection?"

Let's gather in our knowledge of basic microeconomic principles and consider this quote a beginner exercise: Which is more likely: that this poster knows what he's talking about? Or that this poster doesn't know poo poo? The answer is left to the reader.

shrughes fucked around with this message at 05:06 on Oct 31, 2013
Posted Oct 31, 2013 04:56

the software development practices described in the trial papers are unacceptably lovely and costly for *trivial* software. this is not about wanting cars to be super-safe; it's below the standard you'd expect of a phone clock app!
Posted Oct 31, 2013 06:08

shrughes posted: Insurance companies have a lot more statistics about Toyota than you do. Guess what: Toyota shipped cars from 2005-2010 and they worked drat well.

As a developer who has a bachelor's in Economics *and* owns a 2010 Toyota, I feel I am uniquely qualified on this subject.
Posted Oct 31, 2013 14:08

People used to give MS Word poo poo for writing bad HTML. They obviously haven't seen what Apple Mail can do. I was asked to make an automatic mail that should look like it comes from one of our customer service representatives, so I went to base my template on a regular mail from him. Turns out that might not be such a great idea after all. The majority of those towers is composed of identical, nested <span> tags. The jagged middle part is a signature that looks like it's copied out of MS Outlook; it has some MS Office-type styling, but at least that part is reasonably neat. The long plateau near the end is a series of <span></span><span></span> (empty, unstyled, forever).

Edit: Okay, one mistake from me, I managed to cut the HTML a bit short before indenting it; all tags actually are properly closed.

nielsm fucked around with this message at 15:25 on Oct 31, 2013
Posted Oct 31, 2013 15:18

You know you're in it when you have to describe your markup/code in terms of geographical features.
Posted Oct 31, 2013 15:34

Forgot the best single tag: HTML code:
Posted Oct 31, 2013 15:41

nielsm posted: People used to give MS Word poo poo for writing bad HTML.

poo poo like this just makes me wonder how much of the internet is redundant wasted data. It's gotta be a whole hell of a lot.
Posted Oct 31, 2013 16:02

Well, you know Tim Berners-Lee apologised for unnecessary "//" in "http://", wasting two characters in every URL ever.
Posted Oct 31, 2013 16:32

shrughes posted: Insurance companies have a lot more statistics about Toyota than you do. Guess what: Toyota shipped cars from 2005-2010 and they worked drat well.

You know, I thought about it after I posted and I'm sure the underwriters are already including this in the stats, so it is likely owners of these models already have the costs built in to the premium. The Ford Pinto worked just fine so long as you weren't in a rear-end crash. A 2004 Audi A4 is just fine, so long as you don't happen to be in a side-impact crash and unlucky enough to have the airbag cable failure problem. Firestone had a large number of fine tires a few years back. A lot of things are "fine" in the sense that they don't immediately explode or kill millions of people, yet even minimal effort on the part of the manufacturer could avoid accidents and deaths. I'm not saying Toyota needs to spend a billion dollars on their software. Again, my point is hire a couple of QA people, get some developer training, and make a minimal investment that will pay off in millions of vehicles across many years. Once you harden and certify your ECU OS, it's done and you can use it in every car for the next 20 years. Your response to even basic failures of software design and process is what? Do nothing? We shouldn't care that Toyota displayed PHP-levels of incompetence that has caused at least a few confirmed deaths? That even some safeguards that would have cost them zero dollars per vehicle weren't implemented is totally OK with you? I guess the Therac was a fine machine, even if it burned a couple of people to death. I mean, testing software is expensive amirite?
Posted Oct 31, 2013 19:51

Doctor w-rw-rw- posted: PHP horrors are almost run of the mill, but nevertheless...

If people are curious what's going on here: In 4.3.0-5.0.5, strtotime("February") returns -1, i.e. one second before epoch, so the last second in December 1969. In 5.1.0-5.1.6, strtotime("February") returns nothing, which is interpreted as epoch, i.e. January 1970. In 5.2.0-5.5.5, strtotime("February") returns the current date and time, with the month forced to February, i.e. 31st February, which in true PHP style is the 3rd March.
Posted Oct 31, 2013 21:53

Ender.uNF posted: I guess the Therac was a fine machine, even if it burned a couple of people to death. I mean, testing software is expensive amirite?
Posted Nov 1, 2013 00:39

My Rhythmic Crotch posted: This hits close to home. I worked on software systems for medical particle accelerators for about 5 years... and... yeah. The Therac malfunctions were always gnawing at the back of my mind. Our stuff was better than the Toyota ECU, but only just. I should make a thread about it sometime.

Please make that thread. I've always wondered about the software that drives things like medical accelerators and LASIK lasers, as to how that stuff is developed and vetted before it goes throwing potentially murderous or blinding energy at a human patient.
Posted Nov 1, 2013 01:46

My Rhythmic Crotch posted: This hits close to home. I worked on software systems for medical particle accelerators for about 5 years... and... yeah. The Therac malfunctions were always gnawing at the back of my mind. Our stuff was better than the Toyota ECU, but only just. I should make a thread about it sometime.

What agency approvals did you guys have to get?
Posted Nov 1, 2013 02:04

Welp, I'm off to document a class with 181 public methods.
Posted Nov 1, 2013 16:03