Should I Take Toyota's Software Update?
kiehlster writes "I'm a software developer, and I know that most software has bugs, but how much trust can we put in the many lines of code found in our automobiles? I have a 2009 Camry that is involved in both of the recent Toyota recalls. As part of the floor-mat issue, they're offering to install a software update that would cause 'the brake pedal to take precedence over the gas pedal if both were pressed,' or, as their latest notice states, 'would cut power to the engine if both pedals were pressed.' In the computer world, we're all taught to install firmware updates only if there is a real problem because a large percentage of firmware updates actually brick the hardware or cause other unforeseen consequences. On a base of 100 million lines of code, can I really trust a software update to work safely when it is delivered in a three-month development cycle? My driving habits don't cause the floor mat to slide much, so I see the update as overkill. What do you think? If it doesn't void the warranty, should I tell them to skip the update?"
You're looking at it wrong. (Score:5, Insightful)
You already took the 100 million lines of code when you bought the car.
Now do you want the bug fixes, or would you rather find out what a "fatal exception" means in more physical terms?
huh? (Score:4, Insightful)
Are you for real?
yes (Score:4, Insightful)
Umm... yes (Score:5, Insightful)
Unpatched PCs are bad enough. If I can't go outside because of morons with unpatched cars, I will be very unhappy.
Take the update (Score:5, Insightful)
Safety wise, it fixes a known bug.
Take the update.
Re:yes (Score:5, Insightful)
Uh - if the dealership "bricks" your car by applying the update they will fix it for free. This question is just plain stupid - get the damn update. If something ever happens and you crash your car the first thing they will say is that you declined to apply their update and so they are not liable.
Re:Take the update (Score:5, Insightful)
A bug that you know about. If, by chance, you find yourself in an accident, and get sued, I doubt a jury is going to look kindly on the "I passed up on the fix for the known bug because I thought it might brick my car" defense. If you pass on the deal, you are essentially taking full responsibility for Toyota's bad code.
That's not a good choice.
--AC
Absolutely (Score:5, Insightful)
Jane, you ignorant slut... (Score:4, Insightful)
Nobody taught you that. You pulled it out of your ass so you'd sound officious and get a post on
The vast majority of firmware updates work, fix problems and don't brick devices. Much more of this shit that gets by as posts and I'll be begging for Jon Katz to come back.
no shortage of reckless idiots (Score:3, Insightful)
So based on vague general principles without any specific knowledge of the engineering issues involved you are refusing to install a manufacturer recommended safety fix. In an accident situation this is arguably evidence of a reckless disregard for human life. Good luck with your insurance company.
it is an error catching routine (Score:3, Insightful)
Yes. Toyota's mechanical fix may not be the actual fix and the root issue may be a software based one.
The software update is a failsafe, think of it as an error catching routine. All programs can benefit from error catching routines, problem is that programmers don't have enough time to program for every error possibility. Toyota has taken the time to add one to their cars.
cc
If you don't (Score:5, Insightful)
100 million LOC (Score:3, Insightful)
Even in the most modern car, I find this hard to believe, unless you include the entertainment/nav system in the count.
In my opinion, it doesn't count since this is typically decoupled heavily from the safety-critical components of the car.
It is usually easier to write bug-free microcontroller code (ECUs and such) than general purpose PC code. Also, the distributed nature of most automotive microcontroller code keeps code separated into nice little easily-testable modules.
There are always exceptions, but it's very rare for a firmware update in a vehicle to cause regressions. Nearly all of the time, "bugs" in vehicular firmware are really unanticipated results of intentional design choices. For example, the Partial EMCC (PEMCC) code in early-1990s Chrysler A604 transmission firmware that slowly trashed torque converters was intended to improve fuel economy by partially engaging the torque converter lockup clutch - it turned out this wore out the clutch FAR faster than any of the mechanical engineers anticipated. In 1993 or so, this feature was removed once its contribution to premature transmission wear was discovered. (So yeah, this was a case where a bug really WAS originally a feature!)
Well (Score:3, Insightful)
100 million lines of code? Where are they getting this number? The entire Microsoft ecosystem is about that many lines of code.
Maybe they mean assembly code? I'd imagine that the microcontrollers that a car uses are probably programmed with lots of bare metal assembly coding.
I will be getting that firmware update (Score:5, Insightful)
I have an '09 Prius. And I'll be getting that firmware update. It's a feature they should have included in the first place. It's not the best implementation of the brake override I'd like. What I'd really like to have an electrical circuit connection between the brake pedal and the throttle fly-by-wire assembly. When the circuit is tripped, the throttle position output of the assembly drops to 0 regardless of actual pedal position or sensor position. But that would require new hardware.
I'm getting the update because if the engine does start runaway acceleration, the brakes aren't enough to overcome the hybrid system's output. I know the right thing to do would be to put the car into neutral and get it safely off the road. But I don't react well to stressful situations.
Toyotaphobia getting out of hand (Score:5, Insightful)
I think the anti-Toyota mania is getting a little out of hand. The problem caused 34 deaths in 10 years. Given the tens (hundreds?) of millions of Toyotas on the road, it's actually not a big deal. It's an unimaginable tragedy to the people and families that died, and it should be fixed. But as a public safety issue, more people died of lightning strikes and bee stings during that period. Heart disease kills over 1,000 Americans per day. Let's keep it in perspective.
Now we don't trust their firmware updates? I think their safety record is pretty good. You're driving their car at death-defying speeds, aren't you?
The concept of a firmware update for your car is pretty interesting, though.
I call shenanigans. (Score:4, Insightful)
To illustrate my point, take a made up piece of code that takes the position of 1 sensor, and uses that to control a servo. Let's say that for whatever reason a piece of the code looks like: ServoPosition = (sensor1 + offset) * ServoOffset
Offset is used to correct for initial installation differences for the sensor, so the sensor can detect where it normally sits at idle (when not pressed) so that it can calculate its real position and not its perceived one. NOW! Let's go one step further and say the offset is supposed to be a static variable the entire time the loop is running.. but what if, WHAT IF, the code doesn't lock the offset variable, and for whatever reason the chip is restarting its program over and over again, increasing the size of the offset variable. Eventually, this could cause the sensors to detect the pedal being floored, when it's not. So how do you fix that? Remove the offset variable from the part that could be run over and over again. Be sure to always set it to 0 when you restart the loop.
And then you wonder if it's safe? Really they changed less than 1% of their code you fake developer.
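The two mechanisms discussed in this thread, the hypothetical accumulating calibration offset in the comment above and the brake-over-throttle override described in the Prius comment earlier, as an added example in C. This is illustrative code written for this page, not Toyota's firmware or anything from the post; the sensor counts (200 at idle, 1000 at full travel), the plausibility limit and the function names are all constructed assumptions. It shows why an offset that is accumulated across loop restarts saturates the pedal reading at "floored" even though the pedal is released, how assigning the offset once and bounds-checking it avoids that, and how a brake input forces the commanded throttle to zero regardless of the pedal reading.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants for a hypothetical pedal position sensor (raw ADC counts). */
#define IDLE_NOMINAL   200   /* expected raw reading with the pedal released */
#define FULL_NOMINAL  1000   /* expected raw reading at full travel */
#define OFFSET_LIMIT    50   /* largest calibration correction considered plausible */

typedef struct {
    int offset;   /* correction added to raw readings, set at calibration */
    bool fault;   /* set when the calibration result is implausible */
} pedal_t;

static int clamp_pct(long v) { return v < 0 ? 0 : v > 100 ? 100 : (int)v; }

/* Buggy calibration from the post's hypothetical: the offset is accumulated
   rather than assigned, so each restart of the loop adds another correction. */
void calibrate_buggy(pedal_t *p, int idle_raw) {
    p->offset += IDLE_NOMINAL - idle_raw;
}

/* Fixed calibration: reset first, assign once, and reject implausible corrections. */
void calibrate_fixed(pedal_t *p, int idle_raw) {
    int corr = IDLE_NOMINAL - idle_raw;
    p->offset = 0;
    p->fault = (corr > OFFSET_LIMIT || corr < -OFFSET_LIMIT);
    if (!p->fault) p->offset = corr;
}

/* Pedal travel in percent, in the (sensor + offset) * scale shape of the post. */
int pedal_percent(const pedal_t *p, int raw) {
    long corrected = (long)raw + p->offset - IDLE_NOMINAL;
    return clamp_pct(corrected * 100 / (FULL_NOMINAL - IDLE_NOMINAL));
}

/* Brake-over-throttle arbitration: a pressed brake, or a calibration fault,
   drives the commanded throttle to 0 whatever the accelerator pedal reads. */
int throttle_command(const pedal_t *p, int accel_raw, bool brake_pressed) {
    if (p->fault || brake_pressed) return 0;
    return pedal_percent(p, accel_raw);
}

/* Simulate `restarts` restarts of the control loop, each re-running calibration
   with the pedal released (reading idle_raw), and return the resulting pedal
   percentage. The final state is copied to *out when out is non-NULL. */
int after_restarts(bool buggy, int restarts, int idle_raw, pedal_t *out) {
    pedal_t p = {0, false};
    for (int i = 0; i < restarts; i++) {
        if (buggy) calibrate_buggy(&p, idle_raw);
        else       calibrate_fixed(&p, idle_raw);
    }
    if (out) *out = p;
    return pedal_percent(&p, idle_raw);
}

int main(void) {
    /* Constructed scenario: the sensor reads 180 counts at idle, 20 counts low. */
    for (int n = 1; n <= 50; n *= 10)
        printf("buggy, %2d restarts: pedal reads %3d%% while released\n",
               n, after_restarts(true, n, 180, NULL));
    printf("fixed, 50 restarts: pedal reads %3d%% while released\n",
           after_restarts(false, 50, 180, NULL));

    pedal_t p;
    calibrate_fixed(&p, 180);
    printf("pedal at 600 counts, brake off: throttle %d%%\n", throttle_command(&p, 600, false));
    printf("pedal at 600 counts, brake on:  throttle %d%%\n", throttle_command(&p, 600, true));
    return 0;
}
```

With the constructed 20-count sensor error, the accumulated offset reaches 1000 counts after 50 restarts and the released pedal reads 100%; the assigned-once version reads 0% no matter how often the loop restarts, and a correction outside the plausibility bound leaves the throttle command at zero rather than trusting a bad calibration.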
Re:Jane, you ignorant slut... (Score:3, Insightful)
Ah, never thought I'd miss JonKatz, but kdawson makes me wonder sometimes...
Re:You're looking at it wrong. (Score:3, Insightful)
It's still 100M lines of code friend, regardless of who or what wrote it.
Re:You're looking at it wrong. (Score:5, Insightful)
That's like using the LOC count of a disassembled program written in C to express the size of the original code.
Re:Their new slogan (Score:2, Insightful)
There was when under-inflated tires were blowing out and causing rollovers.
Re:He is looking at it wrong... (Score:0, Insightful)
'would cut power to the engine if both pedals were pressed.'
Did I read that right? THAT would be fun at speed and trying to pull off to the side of the road to restart the car. Ever tried turning a newer car with power steering off?
Re:Their new slogan (Score:5, Insightful)
Where was the Spanish Inquisition errr... Congress when Ford had to recall 4.5 million cars a few months ago due to their cruise control causing fires?
Agreed. This has the feel of a smear campaign to put GM back on top.
Re:huh? (Score:4, Insightful)
Wow, self-referential AND accurate. Amazing!
Re:You're looking at it wrong. (Score:5, Insightful)
I doubt the primary motivation is because of a suspected software problem. I'd say the primary motivation is because Toyota is the one (or one of the few) car manufacturer that didn't have a brake-override feature in their fly-by-wire vehicles. After all of the publicity about the runaway cars, they are pulling out the stops to prevent it from getting worse.
I think it was Car and Driver who did a test of vehicles which had fly-by-wire throttle systems to see how they handled under runaway conditions. They basically took the cars up to certain speeds (20, 40 and 60 MPH IIRC), kept the throttle depressed, and then tried to stop the car with brakes and emergency brakes. Every vehicle with the brake override system, the engines immediately went down to idle power when the brakes were pressed even with the throttle held down. It was very easy to bring the vehicle to a controlled stop.
The Toyotas w/o the brake override system could be stopped if you were at slow speeds with a lot of effort on the brakes and emergency brake. At higher speeds, the brakes were not enough to stop the vehicle with only the brakes. They also tried turning the vehicles off which would stop the vehicle, but the driver had to manhandle the vehicle w/o benefit of power steering and power brakes.
Side note: The Toyota Prius has a surprising amount of power at full output. That's when the gas engine is driving the wheels, the electric drive motor is drawing off the traction battery to drive the wheels, and the gas engine is driving a secondary motor/generator to create electricity which is fed to the electric drive motor. The secondary motor/generator is normally used to recharge the traction battery when the car is operating in usual conditions.
I was doing 65-75 MPH up the foothills in Arizona and Southern California. I was outdoing a lot of other vehicles with power engines. My cruise control kept at the set speed and didn't slow down at all. Unfortunately the Prius can only maintain that kind of output as long as the traction battery charge lasts. And the gas mileage really sucks in that mode.
Re:You're looking at it wrong. (Score:5, Insightful)
Re:You're looking at it wrong. (Score:3, Insightful)
EXACTLY.
1) What is your basis for claiming it is 100m lines of code.
2) Just because the recall was announced 3 months ago doesn't mean that when they started working on a fix.
3) It's not just your inability to get coverage for yourself if this "bug" affects you, you may have personal liability for others you injure in the process.
Crap! That sucks! (Score:3, Insightful)
No brake and gas at the same time? That majorly sucks. Albeit, not usually needed but there are situations where you need to press both, besides when doing a burnout on a RWD ...
Drive By Wire in itself is a bit stupid idea ... Servos break more easily than hydraulic cylinders or legs. Electric connections get loose easier than hydraulic seals start to leak. Nevermind the lost feeling of brake, gas and clutch pedals.
I drove once a drive by wire car, and I seriously couldn't use it during the winter: I had to take my shoes off to feel the pedals enough to know how much I'm pressing brake or acceleration.
Nevermind the fact that using traditional systems you apply force mostly directly to the brakes, and there can't be any software bugs.
I just wish in 20 years time I can still find "oldschool" cars which do not have drive by wire and the issues it may cause, and rather have hard lines.
Did you think about the fact that this "floor mat" issue might not exist if there were traditional pedals with the amount of force needed to press them as in older cars? Not only would you actually feel the throttle position, but it wouldn't so easily be pressed by accident.
Re:I will be getting that firmware update (Score:3, Insightful)
Putting the car in neutral should also disconnect the throttle fly-by-wire assembly. Unless someone likes constantly revving their engine in neutral (this is for the automatic transmission style only) it wouldn't cause anyone any real grief.
As we get more and more involved with electronics in cars though, there's also the issue that the ECM could ignore the fact that you put the car in neutral. My wife's car has a gear selector that I know is electronic; couple that with electric throttle and push-button start and you could have a real problem to where one failure compounds on the others.
One more thought - how to get the car to realize that if I push the button to stop the engine, it kills it immediately instead of waiting a specific time period to shut down. I know that the delay is so that the machine understands that you do really want to shut down the engine rather than "I just bumped the button" but there has to be some stupid simple solution to that issue. As convenient as it would be for me to just get in the car and drive rather than have to put a key in a cylinder, I like being able to turn that cylinder at a moment's notice if there's something wrong....
Re:You're looking at it wrong. (Score:3, Insightful)
Presumably they will deny his claims not just for this particular bug, but for anything he wants to claim!
Flawed Fix (Score:4, Insightful)
would cut power to the engine if both pedals were pressed
So anyone who starts from a stop on a steep incline by slowly depressing the brake while simultaneously pressing the gas to avoid rolling back into the vehicle behind them will now stall their vehicle?
The accidents that have occurred as a result of this are tragic. But adding quirky behavior as a stop-gap measure seems ridiculous and sets a bad precedent. Is there anything out there to make sure vehicle behavior is reasonably consistent across different vehicles (or even vehicle firmware versions)? Or are we going to have to be aware of all the different firmware ins and outs between different models and firmware versions.
I've been especially surprised at the fact that so many people seem to think that sudden acceleration is unstoppable. If you're driving a vehicle that suddenly accelerates and you cannot prevent the acceleration PUT THE VEHICLE IN NEUTRAL OR DOWNSHIFT (and yes you can downshift with automatics)! How people can get their driver's license while thinking the only way to slow/stop a vehicle is to press the brake is beyond me. I know panic can set in and can make reacting to unexpected dangerous situations difficult, but isn't that why you had a learner's permit first? My father took me to an empty lot and had me practice reacting to different situations that you can encounter which can be dangerous if you panic (ie: sliding, hydroplaning, slamming on brakes, etc.). Perhaps drivers education courses should focus more on these kinds of situations rather than merely how to obey traffic laws.
Re:You're looking at it wrong. (Score:3, Insightful)
Lovin' my manual-shift Jetta TDI even more, for the same reason. It would take a truly odd and scary set of circumstances that would prevent me from disengaging the engine from the wheels in the extremely unlikely event of the go pedal getting stuck on 11.
Having said that, my reaction to this letter would be to stop whatever it is that I am doing and head straight to my Toyota dealership, and politely request that the software patch be installed immediately if not sooner. Whatever else this bug fix could introduce, it seems to have been written clearly with a "disengage the engine if the brake is engaged" instruction that, in my mind, overrides all concerns I might have about the short testing interval of the patch. Even if it causes the engine to disengage randomly and for no reason, I can always coast to the side of the road. I'd rather be at a full stop complaining that the car won't move, than moving along complaining that I can't get the car to a full stop.
It's like the old aviation joke: "I'd rather be DOWN HERE wishing I was UP THERE, than UP THERE wishing I was DOWN HERE."
Re:You're looking at it wrong. (Score:2, Insightful)
The Toyotas w/o the brake override system could be stopped if you were at slow speeds with a lot of effort on the brakes and emergency brake. At higher speeds, the brakes were not enough to stop the vehicle with only the brakes. They also tried turning the vehicles off which would stop the vehicle, but the driver had to manhandle the vehicle w/o benefit of power steering and power brakes.
Can power not be cut by putting the gearbox in neutral, thereby keeping the power steering and brakes working?
Re:You're looking at it wrong. (Score:5, Insightful)
So he's using it wrong because he optimizes it and actually evaluates the running code, and you're using it correctly because you treat it as a black box?
Interesting.
No sh*t, YOU are really looking at it wrong. (Score:3, Insightful)
It's still 100M lines of code friend, regardless of who or what wrote it.
When you write code and estimate its LOC size, do you also include the LOCs of the trusted libraries you use to build your apps? If you do a printf("%u\n",1), do you count this as one LOC or do you also count the LOCs in printf? When you use a GNU compiler, do you also count the thousands LOCs generated by it in assembler?
Does it really not matter *who/what* wrote it? Pretty myopictardic and useless way of software estimation if you ask me.
Re:Take the update (Score:3, Insightful)
I dunno about that crap, I only drive the car, didn't know that there's this ... what? "Firm ware"? Didn't even know there's a computer in my car...
Considering you don't install the firmware, that would be an interesting response to "why didn't you take your car to the dealership for the safety recall when you received the notice?"
Re:You're looking at it wrong. (Score:5, Insightful)
I would add that the "floor mat" excuse always sounded like BS to me. I'm guessing there is a firmware bug in there somewhere that they can't find that just registers the gas pedal as down. They'd never admit to that, as it would reduce the public perception of security of drive-by-wire systems, and might introduce expensive public testing procedures.
In that case, your only chance is the brake overriding the gas (a process which should have been true from the beginning anyway). Of course, it might be something else and you might still be screwed... unknown computer bugs are like that.
Re:You're looking at it wrong. (Score:3, Insightful)
If you stick a newline after every operator in a C program, you'll probably end up with 10x LOC, but the amount of actual code that runs is the same.
GP was merely pointing out that, for this particular question, measuring KLOC of generated C code is a meaningless metric for practically any purpose (and specifically for the purpose of estimating the likelihood of a bug).
I can't believe I'm wading in to this... (Score:3, Insightful)
KDE, Gnome, Linux, OpenOffice, etc. ARE written in assembly language, for the purposes of this bizarre argument.
The media is taking what's in essence a high-level language (MATLAB and/or other code builders) and counting the source lines it creates to get a huge number.
When we write in C or Java, it creates source lines at a level below that (assembly or VM opcodes). And YES, YES, all those programs are in at least only off the 100 million lines of code by one order of magnitude.
But let's just say one opcode is one byte. It's not, but let's say that for yucks that it is, then OpenOffice would need to be 100 megabytes to possibly have that many lines. OpenOffice writer is only 7MB, but we know it uses libraries and other packages, and so, adding all that crap in willy nilly, we probably get up to at least 100MB, and thus (in silly-think) 100 million lines of code.
But let's step back a second. Let's ask ourselves (and I KNOW that there are people who read this who know the answer) "how big is the PROM/ROM/CMOS RAM whatever on the Toyota car computer?" If it's 128MB then this silliness is (for what it's worth) correct-ish. If it's 64MB, it's INSANE. If it's a lot less, it's just mindlessly wrong.
Trust your automaker (Score:3, Insightful)
If you have to bet between your judgement and that of your auto manufacturer, I'd suggest that unless you really know what you're talking about, bet on the auto manufacturer. They're the experts.
Likewise, if you're some independent thinker and have an idea how something works, but the scientific community has significant work in the field, you should generally bet on them rather than you.
Re:You're looking at it wrong. (Score:5, Insightful)
How can I trust that that push-button ignition will still shut off the car? I know it's conceivable that even a key-start ignition might turn all ignition control over to an ECM, but who's done that?
Re:You're looking at it wrong. (Score:4, Insightful)
If my car ever goes into hyperdrive because of a stuck throttle, I take comfort in knowing I still have a kill switch, and I grew up driving tractors and cars without power steering or power-assist braking, so I can cope.
Of course, if your car ever does go into hyperdrive, you’ll probably be several light-years away by the time you can hit the kill switch, and you’ll have hard vacuum to cope with (assuming you haven’t passed right through the core of a nearby star or planet).
Re:1st bug found (Score:3, Insightful)
Yes, people do it all the time when someone is tailgating them.
He drives much too slowly, and then when someone is following him, wishing he would speed up and drive the same speed as everyone else, he taps his brakes.
Of course, tailgating someone so they'll accelerate to my desired speed is also a "stupid asshole tactic". Probably a better bet when encountering someone driving "too slowly" for your tastes is to either pass (if possible) or suck it up, Nancy. Maybe even give them more distance, not less. Even if they are driving so slowly as to create a traffic hazard (not just an inconvenience). Especially then. Because if someone is unintentionally creating a nuisance or a hazard, you ought to keep your distance to avoid making an accident even more likely. And if they're doing it intentionally, it's an even better idea. In no event is tailgating the "offending driver" going to make things better. If you wreck your car to make some kind of point, well, you've still got a wrecked car.
Naturally this doesn't apply to operators of trucks over 1 1/2 ton, who are specifically permitted by most rural and southern states to "run over his slow ass". Yes, mods, that sentence was "sar-cas-tic".
Re:You're looking at it wrong. (Score:5, Insightful)
Re:You're looking at it wrong. (Score:3, Insightful)
Just why is it that we need to do away with a physical throttle cable anyway? There was nothing wrong with throttle cables. They have been giving us reliable acceleration (and provided a means of "brute forcing" deceleration in "sticky" situations more or less since the dawn of automobiles.
Drive-by-wire (DBW) systems enable many features of modern cars. Stability control, throttle response control, direct injection, knock detection, and some variable valve timing systems require DBW. It provides more fine grained control of the throttle and fuel system than a traditional cable drive. As the driver of a modified turbocharged car, I appreciate the advantages of DBW. But I can understand your trepidation. Leaving control of critical functions to a computer introduces risk.
If you are averse to cars equipped with DBW, you should take good care of your current car. DBW is the way of the future, for good or ill. Like power windows, soon every car will have it.
Re:If it bricks, it's their fault. (Score:2, Insightful)
First, this is about your safety.
I don't give a flying crap about HIS safety. I care about mine! I want you to be able to stop only so you don't hurt me. Go ahead and fly into a field all by yourself, just don't take me with you.
Re:You're looking at it wrong. (Score:5, Insightful)
Push-button ignition can be turned off by holding down the button (kind of like with a computer)...
... and waiting for the software interrupt to get picked up by the CPU, which may be in a hung state.
Re:You're looking at it wrong. (Score:5, Insightful)
Push-button ignition can be turned off by holding down the button (kind of like with a computer)...
... and waiting for the software interrupt to get picked up by the CPU, which may be in a hung state.
Not to mention that it's hard to hold a button down for three seconds while you're weaving in and out of traffic and urinating on yourself.
Re:You're looking at it wrong. (Score:3, Insightful)
You keep an off switch for any situation when you want the car to be off RIGHT NOW, not three seconds from now. Immediately. Maybe the engine is on fire, maybe someone was [stupidly] working on the engine while it was running and got their sleeve stuck in a belt, maybe the brakes failed at the same time as your accelerator stuck. Whatever the reason, you should be able to kill the engine in a moment if needed.
Besides, it rather annoys me when my control is artificially limited. For example, in my car, if you switch the heat to the defrost setting, the outside air setting is also engaged. I know the reason for this is that the inside air tends to become humid, and thus does not work as well at clearing the windshield... but there IS a solution to that... turn on the AC. Somewhat counterproductive in the winter, I'll give you that, but at least I wouldn't have to breathe the black smoking exhaust from the poorly maintained vehicle that I am stuck following. If they would just let me engage recirculate while defrosting I would be happy, but the electronics prevent that.