From: chauncey (ag), Board: Automobile
Title: Toyota's sudden acceleration happened because the ECM code was written so badly
Posted from: BBS 未名空间站 (Sun Apr 26 11:27:39 2015, US Eastern)
>> The Camry ETCS code was found to have 11,000 global variables. Barr
described the code as “spaghetti.” Using the Cyclomatic Complexity metric,
67 functions were rated untestable (meaning they scored more than 50). The
throttle angle function scored more than 100 (unmaintainable).
>> Toyota loosely followed the widely adopted MISRA-C coding rules but Barr's
group found 80,000 rule violations. Toyota's own internal standards make
use of only 11 MISRA-C rules, and five of those were violated in the actual
code. MISRA-C:1998, in effect when the code was originally written, has 93
required and 34 advisory rules. Toyota nailed six of them.
Stack overflow. Toyota claimed only 41% of the allocated stack space was
being used. Barr's investigation showed that 94% was closer to the truth. On
top of that, stack-killing, MISRA-C rule-violating recursion was found in
the code, and the CPU doesn't incorporate memory protection to guard against
stack overflow.
Toyota's ETCS used a version of OSEK, which is an automotive standard RTOS
API. For some reason, though, the CPU vendor-supplied version was not
certified compliant.
Unintentional RTOS task shutdown was heavily investigated as a potential
source of the UA. As single bits in memory control each task, corruption due
to HW or SW faults will suspend needed tasks or start unwanted ones.
Vehicle tests confirmed that one particular dead task would result in loss
of throttle control, and that the driver might have to fully remove their
foot from the brake during an unintended acceleration event before being
able to end the unwanted acceleration.
※ Source: WWW 未名空间站, site: mitbbs.com; mobile: search the app store for 未名空间 [FROM: 128.]
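As an added illustration, not code from the post, from Barr's report or from Toyota: a constructed C model of the two mechanisms the post ties together, a bounded stack with no memory protection overflowing into task-control bits, and the paint-and-count method used to measure real stack usage. The RAM layout, sizes, frame size and the complement-mirror check are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the failure mode the post describes (not Toyota code):
 * task enable flags packed one bit per task, placed in RAM just below a
 * downward-growing stack, on a CPU with no memory protection. */
#define STACK_SIZE    32
#define STACK_FILL    0xA5u
#define TASK_THROTTLE 3

typedef struct {
    uint8_t task_flags;        /* bit i set => task i is scheduled      */
    uint8_t task_flags_inv;    /* bitwise complement, kept as a mirror */
    uint8_t stack[STACK_SIZE]; /* all uint8_t, so no padding           */
} ram_t;

static void ram_init(ram_t *r, uint8_t flags) {
    r->task_flags = flags;
    r->task_flags_inv = (uint8_t)~flags;
    memset(r->stack, STACK_FILL, STACK_SIZE); /* paint for high-water mark */
}

/* Push n frames of 4 bytes, as deep recursion would. No bounds check, so
 * frames past the stack bottom land on the task flags. Returns the number
 * of bytes written outside the stack. */
static size_t push_frames(ram_t *r, unsigned n) {
    uint8_t *ram = (uint8_t *)r;
    size_t sp = offsetof(ram_t, stack) + STACK_SIZE, overflow = 0;
    for (unsigned i = 0; i < n * 4 && sp > 0; i++) {
        ram[--sp] = 0x00;                     /* saved register / return address */
        if (sp < offsetof(ram_t, stack)) overflow++;
    }
    return overflow;
}

/* Unprotected read: a corrupted bit silently suspends the task. */
static bool task_enabled(const ram_t *r, int task) {
    return (r->task_flags >> task) & 1u;
}

/* Mirror check: every flag bit must still differ from its complement bit. */
static bool task_flags_intact(const ram_t *r) {
    return (uint8_t)(r->task_flags ^ r->task_flags_inv) == 0xFFu;
}

/* High-water mark: untouched paint bytes start at the stack bottom. */
static size_t stack_high_water(const ram_t *r) {
    size_t untouched = 0;
    while (untouched < STACK_SIZE && r->stack[untouched] == STACK_FILL) untouched++;
    return STACK_SIZE - untouched;
}
```

Six frames leave the throttle task scheduled and the mirror consistent; nine frames overrun the stack by two bytes, the unprotected read reports the throttle task as stopped without any fault, and only the mirror check reveals the corruption.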