Barr’s ultimate conclusions were that:
- Toyota’s electronic throttle control system (ETCS) source code is of unreasonable quality.
- Toyota’s source code is defective and contains bugs, including bugs that can cause unintended acceleration (UA).
- Code-quality metrics predict presence of additional bugs.
- Toyota’s fail safes are defective and inadequate (referring to them as a “house of cards” safety architecture).
- Misbehaviors of Toyota’s ETCS are a cause of UA.
Toyota's claims versus the Barr Group's claims. I want to look into the evidence.
| Category | Toyota | Barr Group |
|---|---|---|
| Hardware | The 2005 Camry’s CPU had error detecting and correcting (EDAC) RAM | It didn’t. EDAC, or at least parity, RAM is relatively easy and low-cost insurance for safety-critical systems |
| Software | Mirroring (where key data is written to redundant variables) was not always done. | This gains extra significance in light of stack overflow |
| | Only 41% of the allocated stack space was being used | 94% was closer to the truth |
| | | Stack-killing, MISRA-C rule-violating recursion was found in the code |
| | | The CPU doesn’t incorporate memory protection to guard against stack overflow |
| | | Two key items were not mirrored: the RTOS’ critical internal data structures; and—the most important bytes of all, the final result of all this firmware—the TargetThrottleAngle global variable |
| | | Toyota missed some of the calls made via pointer, missed stack usage by library and assembly functions (about 350 in total), and missed RTOS use during task switching. They also failed to perform run-time stack monitoring |
| | | Toyota’s ETCS used a version of OSEK, which is an automotive standard RTOS API. For some reason, though, the CPU vendor-supplied version was not certified compliant |
| | | Unintentional RTOS task shutdown was heavily investigated as a potential source of the UA |
| | | As single bits in memory control each task, corruption due to HW or SW faults will suspend needed tasks or start unwanted ones |
| | | Vehicle tests confirmed that one particular dead task would result in loss of throttle control, and that the driver might have to fully remove their foot from the brake during an unintended acceleration event before being able to end the unwanted acceleration |
| | | A litany of other faults were found in the code, including buffer overflow, unsafe casting, and race conditions between tasks |
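Two of the table's findings lend themselves to a small demonstration: mirroring of a safety-critical variable (the kind of protection the TargetThrottleAngle global lacked) and run-time stack monitoring (which Toyota did not perform, and whose absence let the 41% estimate stand until Barr measured 94%). The code below is an added illustration written for this summary; it is not Toyota's firmware or anything from Barr's testimony. The struct and function names are hypothetical, the stack region is a simulated byte array rather than a real CPU stack, and the `0xA5` fill pattern is an arbitrary constructed choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Mirrored storage for a safety-critical value (hypothetical type).
   The value is kept next to its bitwise complement so that a single
   flipped bit in either copy is detected on every read; a mismatch lets
   the caller fall back to a safe state rather than act on corrupt data. */
typedef struct {
    uint16_t value;
    uint16_t inverse;   /* always ~value, written together with value */
} mirrored_u16;

void mirrored_write(mirrored_u16 *m, uint16_t v) {
    m->value = v;
    m->inverse = (uint16_t)~v;
}

/* Returns true and stores the value in *out only if both copies agree. */
bool mirrored_read(const mirrored_u16 *m, uint16_t *out) {
    if ((uint16_t)(m->value ^ m->inverse) != 0xFFFFu) return false;
    *out = m->value;
    return true;
}

/* Write, then read back intact: should succeed and return the same value. */
bool mirror_roundtrip_ok(uint16_t v) {
    mirrored_u16 m;
    uint16_t out = 0;
    mirrored_write(&m, v);
    return mirrored_read(&m, &out) && out == v;
}

/* Simulate a single-bit fault in one copy: the read must be rejected. */
bool mirror_detects_bit_flip(uint16_t v, unsigned bit) {
    mirrored_u16 m;
    uint16_t out = 0;
    mirrored_write(&m, v);
    m.value ^= (uint16_t)(1u << (bit & 15u));
    return !mirrored_read(&m, &out);
}

/* Run-time stack monitoring by high-water mark. At boot the whole stack
   region is painted with a known pattern (constructed value 0xA5); the
   first byte from the bottom that no longer holds the pattern marks the
   deepest point the stack has ever reached. */
#define STACK_FILL 0xA5u

void stack_paint(uint8_t *region, size_t len) {
    memset(region, STACK_FILL, len);
}

/* Bytes used so far, assuming a full-descending stack that grows from
   region[len-1] downward toward region[0]. */
size_t stack_high_water(const uint8_t *region, size_t len) {
    size_t untouched = 0;
    while (untouched < len && region[untouched] == STACK_FILL) untouched++;
    return len - untouched;
}

/* Simulate a task that has pushed `used` bytes of frames onto a painted
   stack of `len` bytes, then measure the mark. Returns (size_t)-1 on bad
   arguments. Frames are modelled as zero bytes overwriting the pattern. */
size_t simulate_stack_use(size_t len, size_t used) {
    uint8_t region[256];
    if (len > sizeof region || used > len) return (size_t)-1;
    stack_paint(region, len);
    memset(region + (len - used), 0x00, used);
    return stack_high_water(region, len);
}

/* Percentage of the allocation consumed, as a monitor would report it. */
unsigned stack_percent_used(size_t len, size_t used) {
    size_t mark = simulate_stack_use(len, used);
    if (mark == (size_t)-1 || len == 0) return 0;
    return (unsigned)((mark * 100u) / len);
}

int main(void) {
    printf("roundtrip ok: %d\n", mirror_roundtrip_ok(0x1234));
    printf("bit flip caught: %d\n", mirror_detects_bit_flip(0x1234, 3));
    printf("stack used: %u%%\n", stack_percent_used(200, 188));
    return 0;
}
```

A real monitor would paint the stack in the startup code before `main` and have a low-priority task or watchdog handler scan it periodically, raising a fault well before the mark approaches the region's bottom; the complement-mirror check would likewise be applied to every read of the protected variable, not just at a single point.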