似乎遇见了认真的朋友，幸会。

我也提醒你注意一下，楼主的转贴，也没有贴全，原文一共有三页，楼主只贴了两页内容，这个网站，有个限制，读文章一天只能翻两页，要读第三页，需要注册。我玩了一下小技巧，把全文都抽了出来，先转贴在这里，让大家一窥全豹

Toyota Case: Single Bit Flip That Killed

MADISON, Wis. — Could bad code kill a person? It could, and it apparently did.
The Bookout v Toyota Motor Corp. case, which blamed sudden acceleration in a Toyota Camry for a wrongful death, touches the issue directly.
This case -- one of several hundred contending that Toyota's vehicles inadvertently accelerated -- was the first in which a jury heard the plaintiffs' attorneys supporting their argument with extensive testimony from embedded systems experts. That testimony focused on Toyota's electronic throttle control system -- specifically, its source code.
The plaintiffs' attorneys closed their argument by saying that the electronics throttle control system caused the sudden acceleration of a 2005 Camry in a September 2007 accident that killed one woman and seriously injured another on an Oklahoma highway off-ramp. It wasn't loose floor mats, a sticky pedal, or driver error.
An Oklahoma judge announced that a settlement to avoid punitive damages had been reached Thursday evening. This was announced shortly after an Oklahoma County jury found Toyota liable for the crash and awarded $1.5 million of compensation to Jean Bookout, the driver, who was injured in the crash, and $1.5 million to the family of Barbara Schwarz, who died.
During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.
"We've demonstrated how as little as a single bit flip can cause the driver to lose control of the engine speed in real cars due to software malfunction that is not reliably detected by any fail-safe," Michael Barr, CTO and co-founder of Barr Group, told us in an exclusive interview. Barr served as an expert witness in this case.
A core group of seven experts, including four from Barr Group, analyzed the Toyota case. Their analysis ultimately resulted in Barr's 800-plus-page report.
In Toyota's own view, though, the automaker had been already exonerated when the National Highway Traffic Safety Administration closed its probe of Toyota models in February 2011. The NHTSA decision came after NASA investigated Toyota's electronic throttle control system and found no electronic causes of unintended acceleration during a 10-month review.
But not everyone in the embedded systems industry thinks NASA had enough time to come up with a complete report. Perhaps more significantly, in its report, NASA itself did not rule out the possibility of software having caused unintended acceleration.
The group of seven experts was given the task of picking up where the NASA investigation left off.

"We did a few things that NASA apparently did not have time to do," Barr said. For one thing, by looking within the real-time operating system, the experts identified "unprotected critical variables." They obtained and reviewed the source code for the "sub-CPU," and they "uncovered gaps and defects in the throttle fail safes."
Further, the team ran simulations in the Green Hills Simulator. "This confirmed tasks can die without the watchdog resetting the processor." His group also independently checked worst-case stack depth. "We found many big mistakes in the Toyota analysis that NASA relied on."
The experts demonstrated that "the defects we found were linked to unintended acceleration through vehicle testing," Barr said. "We also obtained and reviewed the source code for the black box and found that it can record false information about the driver's actions in the final seconds before a crash."
It's important to note Barr Group testimony led to a billion-dollar economic-loss settlement by Toyota last December. Because of that settlement, details of the technical discoveries made back then by the experts were not made public until the Oklahoma trial. The economic-loss settlement resolved hundreds of lawsuits claiming vehicles depreciated after the company issued recalls related to faulty acceleration. Toyota still faces lawsuits claiming injury or death related to the recalls.
Task X death
Now that the experts' testimony and findings have been made public through the Oklahoma trial, let's get into details. What defects were found in Toyota's electronic throttle control systems?
Barr said that the 2005 Camry L4 source code and in-vehicle tests by the experts confirmed that some critical variables are not protected from corruption, and sources of memory corruption are present. He believes that Toyota's engineers sought to protect numerous variables against software- and hardware-cause corruptions, but they failed to mirror several key critical variables, and they made no hardware protection available against bit flips.
Stack overflow and software bugs led to memory corruption, he said. And it turns out that the crux of the issue was these memory corruptions, which acted "like ricocheting bullets."
Barr explains the issue this way:
Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code.
There are tens of millions of combinations of untested task death, any of which could happen in any possible vehicle/software state. Too many to test them all. But vehicle tests we have done in 2005 and 2008 Camrys show that even just the death of Task X by itself can cause loss of throttle control by the driver -- even as combustion continues to power the engine. In a nutshell, the fail safes Toyota did install have gaps in them and are inadequate to detect all of the ways UA can occur via software.
Just to clarify, the "tasks" are equivalent to apps running on smartphones or PCs. All software malfunctions from time to time -- we often have to reboot our machines. The 2005 Camry L4 has a set of dozens of apps (or tasks). Because they are all meant to be running always, the death of one could have dire consequences.
When asked if the whole case for unintended acceleration could be pinned on the task X death, Barr replied, "The task X death in combination with other task deaths." There are dozens of tasks and 16 million different ways those tasks can die. The experts group was able to demonstrate at least one way for the software to cause unintended acceleration, but there are so many other ways that could have happened.
Barr also said more than half the dozens of tasks' deaths studied by the experts in their experiments "were not detected by any fail safe."
What's next for NHTSA
After the Oklahoma trial, what steps should the NHTSA be taking? Barr made some suggestions:
NHTSA needs to get Toyota to make its existing cars safe and also needs to step up on software regulation and oversight. For example, FAA and FDA both have guidelines for safety-critical software design (e.g., DO-178) within the systems they oversee. NHTSA has nothing.
Also, NHTSA recently mandated the presence and certain features of black boxes in all US cars, but that rule does not go far enough. We observed that Toyota's black box can malfunction during unintended acceleration specifically, and this will cause the black box to falsely report no braking. NHTSA's rules need to address this, e.g., by being more specific about where and how the black box gets its data, so that it does not have a common failure point with the engine computer.

做过码农的人Mark一下。很有后怕。

好吧，某些单片机确实有bit操作，譬如51... 但这不是关键问题了。

关键问题是码农说丰田对于某些关键变量没加校验，软的硬的都没有

丰田当然不可能做出ECU软件不做校验这么低级的事情，应该只是漏了。

但是为啥连硬件校验也没呢？片内RAM带个奇偶校验应该稀松平常吧？ 本帖最后由 mcv 于 2013-10-27 23:52 编辑

说的应该是发动机ECU程序了，这东西说是嵌入式系统也行，我觉得更倾向于单片机，拆开过，看着也真是单片机，这东西的复杂程度远远不到手机系统，就按单片机理解应该没错，它没有一个系统平台，简单说直接就是一段程序，一块ROM放程序及数据表，一块RAM运行程序，所以说到内存管理它都达不到级别，并且比较特别的是软件运行的时候可以直接对某些位操作，事实上是必须对某些位直接操作。

既然是美国码农发现的，估计不是硬件问题，应该是程序问题，栈溢出或者数组越界这种可能性非常小，单片机不像嵌入式系统那样复杂，数据量不大，就那么些可操作内存空间，都能一个个字节数过来，写程序的会非常注意。可能是某些意外情况出现的时候语句非受控地修改了某个关键控制位了，软件出错肯定是丰田责任了，不过，这种问题一旦发现很好解决。

ECU程序主错主要是来源于电磁干扰，汽车上的电磁干扰很严重，启动的时候启动机干扰，行车的时候点火线圈干扰，别的因素影响相对小很高。如果说某次过于高压的点火绕圈放电干扰使ECU某位意外翻转了，然后程序就出错，这种硬件故障都不算什么希奇，错误校验是肯定有的。但如果是程序设计的时候就存在这个隐患，执行的时候就是合理的，则不关校验什么事了，那设计者显然是责有任的。

第一应该是ECC, 但丰田没有做。
第二应该是关键变量双重备份保护（mirroring）, 但丰田没有做。
第三应该是刹车优先进一步保护。

当然这只是说这样的设计可能出故障，没法证明这事情就一定（频繁）发生过，虽然有墨菲定律在那里。

肯定有。

问题是不知道bug存在的话就很难改掉。

而且每次车升级软件不会全部重写，所以bug就会一直一直传下去…

阿丽亚娜5型火箭首发失败差不多就是这么回事，由于5比4的性能更高，某些运动信息数值也就更大。结果导致一段从4来的软件中一个变量溢出了，虽然他们在4上面是久经考验的
本帖由 V2.5.0 iPad 客户端发布

对，莫非定律，我没睡醒

任何软件都可能出错，出错后如何处理，是衡量软件质量的重要因素

很显然，丰田做得不好

这个么，参见摩尔定律（是叫这个名字吧）

以我这个吊死码农的可怜的工作经验，但凡被发现的，多半都能在现实中发生

不过，楼主属于给老婆踢下床的，已经不会好好说话了

@今是若

帮你逗号换个位置，牛，B就不要出来卖。
本帖由 Sony SGP311 客户端发布

单bit翻转引起的错误别的厂家有预防吗？ 本帖最后由 motofox2 于 2013-10-27 20:55 编辑

是啊，这个话题皇协军必然要出来丢人显眼，有人只要指摘太君出问题，那些自带干粮的慰安妇后代伪军比被杀父淫母还要心疼，巴巴的蹦出来对号入座，用各种体位给太君舔沟，真是人间奇景

慰安妇养出来的杂种，一时间把自己当成纯种了？

大※※就是对号入座的马甲

被老子骂的那些大※※，一个一个跟三孙子一样对号入座，还不敢现真身，逼一样的马甲现出来接受检阅

说实在的，这对大众车主来说是挺丢人的事儿。当然，咱们理解角度总是不同。就像我很关心自己车子的问题，而你却操心别人车子的问题。
本帖由 Sony LT30p 客户端发布