Sunday, October 5, 2014

Nigel Jones blog visitor Mike Ficco: How can anyone dare exonerate a sloppy mess of code?


Plaintiffs' expert Nigel Jones, one of the embedded systems experts who examined the Toyota source code, has a blog called "Stack Overflow," where he has posted a few publicly known facts about the source code review and the class action settlement.

However, his blog visitors are free to speak their minds. Here's a visitor's feisty, honest response to NASA's investigation of Toyota's ETCS that I found worth reading even nearly 2 years later:

Mike Ficco says:
I remember hearing on the radio that NASA reviewed the Toyota engineering and concluded sudden acceleration could not happen. At the time I laughed, thinking of all the times I experienced things that couldn’t happen on my projects. After your recent blog I did a quick search and found statements like:
“Toyota exonerated by NHTSA, NASA” and
“Toyota welcomes the findings of NASA and NHTSA regarding our Electronic Throttle Control System with intelligence (ETCS-i) and we appreciate the thoroughness of their review. We believe this rigorous scientific analysis by some of America’s foremost engineers should further reinforce confidence in the safety of Toyota and Lexus vehicles. We hope this important study will help put to rest unsupported speculation about Toyota’s ETCS-i, which is well-designed and well-tested to ensure that a real world, un-commanded acceleration of the vehicle cannot occur.”
Nigel I’m not sure how much the confidentiality agreements will allow you to say but I’m confused and wonder if you could comment. I skimmed the NASA report and read the appendix.
Some of their guidelines are silly, like – “Do not use function calls in if conditionals (to avoid possible side-effects)”
Some of their guidelines are wrong, like – “Place the opening curly brace of a block on same line as an if, while, or for statement.” Everyone knows they go on the NEXT line.
However, some things in the NASA report reflect badly on the Toyota engineering. Among other things, NASA reported that there were 2,659 uses of #undef, 17 potentially unbounded loops, and the use of 13 uninitialized variables. There were also 2,272 global variables declared with different types, 962 buffer overruns, and 13 macros called with insufficient parameters. This kind of stuff jumps out at me and says SLOPPY PROGRAMMING! How can anybody conclude that there is no chance of unintended acceleration with this many smoking guns? Wait, the pièce de résistance is a whole slew of global variables accessed from different asynchronous tasks (including 909 accessed by 2 tasks and 6 accessed by 14 tasks (14!!!)).
Also, why all the redactions in the NASA report?
So, let me be clear – I have not reviewed any of the Toyota code, have never spoken to anybody from Toyota, and am under no confidentiality agreements. My most detailed knowledge of this comes from the publicly available NASA report. So here is my question: How can anyone say, and how dare reputable news agencies report, that Toyota was exonerated when their code appears to be a sloppy mess and safety appears to rest on the watchdog triggering when something goes wrong – a watchdog that NASA notes does not log its triggering. Why would you not log the watchdog triggering? THAT is additional bad engineering.
Exonerated? I hope the billion dollar settlement also requires them to fix their sloppy mess.
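To make the comment's point concrete, here is an added example in C (my own constructed code, not Toyota's and not anything from the NASA report) of the hardened form of two patterns the comment lists: a polling loop on a flag shared with another task that is bounded and kicks the watchdog, and a timeout path that records a fault code before failing, so the event leaves a trace instead of vanishing. The producer task, fault codes and helper names are hypothetical stand-ins so it runs on a host without hardware.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed example: a sensor-ready flag written by one task (or an ISR)
 * and polled by another. It is a single byte, so reads are atomic on
 * ordinary targets; volatile keeps the compiler from hoisting the read out
 * of the loop. Wider shared values would also need a critical section. */
static volatile bool sensor_ready = false;

/* Fault record: what the comment above wants a watchdog (or any timeout
 * path) to leave behind. In real firmware this would live in a RAM region
 * that survives reset so the next boot can log it. */
enum fault_code { FAULT_NONE = 0, FAULT_SENSOR_TIMEOUT = 1 };
static volatile uint32_t fault_count = 0;
static volatile enum fault_code last_fault = FAULT_NONE;

/* Hypothetical stand-in for the hardware watchdog refresh. */
static void kick_watchdog(void) { /* would write the WDT refresh register */ }

/* Hypothetical producer: the "other task" sets the flag after a delay
 * measured in polls, so both the success and the timeout path can be run. */
static uint32_t producer_delay = 0;
static void producer_task(void) {
    if (producer_delay == 0) sensor_ready = true; else producer_delay--;
}

/* Bounded wait: each iteration is counted and kicks the watchdog, and
 * reaching the bound records a fault and returns an error instead of
 * spinning forever (the "potentially unbounded loop" NASA counted). */
bool wait_for_sensor(uint32_t max_polls) {
    for (uint32_t i = 0; i < max_polls; i++) {
        producer_task();            /* simulate the asynchronous writer */
        kick_watchdog();
        if (sensor_ready) return true;
    }
    last_fault = FAULT_SENSOR_TIMEOUT;   /* leave a trace of the timeout */
    fault_count++;
    return false;
}

/* Hooks so each scenario starts from a known state and can be inspected. */
void reset_sim(uint32_t delay_polls) {
    sensor_ready = false; producer_delay = delay_polls;
    last_fault = FAULT_NONE; fault_count = 0;
}
uint32_t get_fault_count(void) { return fault_count; }
enum fault_code get_last_fault(void) { return last_fault; }
```

With the producer answering after 3 polls and a bound of 10, the wait succeeds and no fault is recorded; with the producer never answering within the bound, the call fails and the fault record shows one sensor timeout.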

Mr. Jones has also posted this lovely, insightful piece about the crazy pressures under which engineers are often forced to work:
Somehow, my gut instinct is that Toyota's software engineers must have faced similar pressures from their financial overseers who spent careers wringing pennies out of the costs of mechanical parts.