Toyota’s killer firmware: Bad design and its consequences



Barr’s ultimate conclusions were that:

  • Toyota’s electronic throttle control system (ETCS) source code is of unreasonable quality.
  • Toyota’s source code is defective and contains bugs, including bugs that can cause unintended acceleration (UA).
  • Code-quality metrics predict presence of additional bugs.
  • Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).
  • Misbehaviors of Toyota’s ETCS are a cause of UA.


토요타의 주장과 Barr 그룹의 주장. Evidence를 들여다보고 싶다.

Category Toyota Barr Group
Hardware 2005 Camry’s CPU had error detecting and correcting(EDAC) RAM It didn’t. EDAC or at least parity RAM is relatively easy and low-cost insurance for safety-critical systems
Software Mirroring(where key data is written to redundant variables) was not always done.
This gains extra significance in light of stack overflow
only 41% of the allocated stack space was being used 94% was closer to the truth
stack-killing, MISRA-C rule-violating recursion was found in the code
 the CPU doesn’t incorporate memory protection to guard against stack overflow
Two key items were not mirrored: The RTOS’ critical internal data structures; and—the most important bytes of all, the final result of all this firmware—the TargetThrottleAngle global variable.
Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring.
Toyota’s ETCS used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant.
Unintentional RTOS task shutdown was heavily investigated as a potential source of the UA
As single bits in memory control each task, corruption due to HW or SW faults will suspend needed tasks or start unwanted ones
Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration
A litany of other faults were found in the code, including buffer overflow, unsafe casting, and race conditions between tasks

2 thoughts on “Toyota’s killer firmware: Bad design and its consequences”

  1. I solve agree with all the ideas you have presented in your post. They’re especially influential and will without doubt composition. Still, the posts are fantastically short representing newbies. Could you entertain extend them a bit from next time? Thanks for the post.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s