Redundancy and fault-proof design
asta4vista   11/16/2013 12:29:51 PM
Seems like Toyota engineers are not aware of fault-proof design basics. Well developed in the '60s and '70s, redundancy and fault-proof reliability is standard in high-fault-cost areas like avionics or nuclear station control but is almost forgotten in gadget-oriented mainstream electronics. Some comments below illustrate it even more: with forgotten general principles, companies and engineers create some home-brew and "common sense" based recipes

This is unbelievable
Simon7382   11/11/2013 6:05:39 AM
Running the brake override routine on the same main processor as part of the "kitchen-sink" firmware is either incredibly irresponsible or shows total ignorance regarding the basics of real-time software. Not even a rookie SW engineer would do this in the US. And this is the firmware of the best-selling car in the US, probably one of the best-selling cars in the world. It will be many, many years before I would consider buying a Toyota, even though I had two of them in the past 30 years and was reasonably satisfied with both.

multiple stability/security checks
Wobbly   11/7/2013 1:54:37 PM
If you go back to my original post, we always use asserts on critical data on function entry and always use asserts on returned data, and those asserts stay in the delivered code.

Asserts are fine within a single task flow, but they do not protect adjacent tasks that can be corrupted by bad behavior between asserts. Hardware protection protects against cross infection, and ECC would have helped avoid the root cause (if the root cause was a bit flip).

It comes down to having layered defenses, both for stability, but also for intrusion and modification protection.

We haven't even discussed hardware assisted stack canaries or pseudo random cache line replacement.
Re: Use software assertions and leave them in the product!   11/7/2013 12:04:19 PM
Naturally, software assertions use a different mechanism than MPUs, ECCs, WDTs, and other such hardware. But, still I think it is very beneficial to view all these mechanisms as complementary aspects of the **same** basic method.

This basic method is to intentionally introduce redundancy checks (either software-based or hardware-based) to ensure that the system operates as intended.

The problem with viewing software assertions as "another thing all together" than MPUs, ECCs, WDTs, etc. is that redundancy checks that are very easy to perform in software, but difficult in hardware, are not being done.

Too often this mindset leads to gaping security holes and sub-optimal designs. I believe that it is exactly what could have saved the day in the Toyota UA case. Please note that even if ECC was used, it would not detect memory corruption due to the alleged stack overflow or an array index out of bounds. Simple software assertions, on the other hand, would have easily detected such things.

So I repeat the main point of my original post. Software assertions are no less important than MPUs, ECCs, WDTs, etc. Unfortunately, they are routinely under-utilized or disabled in the production code. I just hope that we could use the Toyota case to change this perception.


Re: Use software assertions and leave them in the product!
Wobbly   11/7/2013 7:57:40 AM
Client side MPUs actually prevent resource access, read, write, or both, on chip select or address or even register level granularity. The access permission is granted based on VMID characteristics that are driven as part of the bus cycle. The VMID characteristics are steered at the bus master by various attributes of the access, including (possibly) Task ID running on the core.

If a carved out RAM region, or a set of device registers, are reserved for a particular VMID, that is associated with a particular TASK, then other tasks are prevented from accessing those resources even if the processor would otherwise be taking a legitimate action.

It protects against software defects, and it protects against directed attacks on the system.

It is particularly useful in multicore systems with shared resources.

This is very different from the behavior of the CPU tied MMU.

In one of our current SoCs, which contains eight 32-bit CPUs and eight 32-bit DSPs, there are roughly sixty client-port MPUs to provide protection domains for the individual device and memory space that is shared between all sixteen cores.

So even if your assert becomes corrupted because of a bit flip or some other data failure that occurs outside the domain of the assert, the end point will block the access.

Each of these capabilities forms part of a layered protection scheme. MPUs alone are not sufficient, MMUs alone are not sufficient, asserts alone are not sufficient, ECC alone is not sufficient. Together they provide layered protection that gives defense in depth.
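A software model of the client-side MPU check Wobbly describes above, added here as an illustration; this is not code from the thread or from any SoC. The region map, the task-ID to VMID steering table, the addresses and the permissions are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of an endpoint (client-side) MPU: each protected resource carries
   the VMID that owns it, the bus master stamps every cycle with the VMID
   steered from the running task ID, and the endpoint compares the two
   before completing the cycle. Everything below is constructed. */

typedef enum { VMID_NONE = 0, VMID_BRAKE = 1, VMID_HVAC = 2, VMID_DIAG = 3 } vmid_t;

#define PERM_NONE 0u
#define PERM_R    1u
#define PERM_W    2u
#define PERM_RW   (PERM_R | PERM_W)

typedef struct {
    uint32_t base;
    uint32_t size;
    vmid_t   owner;
    uint8_t  owner_perm;   /* what the owning VMID may do */
    uint8_t  other_perm;   /* what every other VMID may do */
} mpu_region_t;

/* Constructed protection map: brake-override state RAM and the brake
   actuator registers are reserved for the brake task's VMID; HVAC RAM is
   owner-writable and readable by anyone. */
static const mpu_region_t g_regions[] = {
    { 0x20000000u, 0x1000u, VMID_BRAKE, PERM_RW, PERM_NONE },  /* brake state RAM     */
    { 0x40010000u, 0x0100u, VMID_BRAKE, PERM_RW, PERM_NONE },  /* brake actuator regs */
    { 0x20001000u, 0x1000u, VMID_HVAC,  PERM_RW, PERM_R    },  /* HVAC RAM            */
};

/* Task-ID to VMID steering at the bus master (constructed table). */
vmid_t vmid_for_task(unsigned task_id)
{
    switch (task_id) {
    case 1:  return VMID_BRAKE;
    case 2:  return VMID_HVAC;
    case 3:  return VMID_DIAG;
    default: return VMID_NONE;   /* unknown task: no rights anywhere */
    }
}

static unsigned g_bus_faults = 0;
unsigned bus_fault_count(void) { return g_bus_faults; }

/* Endpoint check for one bus cycle of `len` bytes (len >= 1). Returns true
   if the cycle completes; false means the endpoint drives a bus fault back
   to the core, whatever the software running on that core intended. */
bool mpu_cycle(vmid_t vmid, uint32_t addr, uint32_t len, bool write)
{
    uint8_t need = write ? PERM_W : PERM_R;
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        const mpu_region_t *r = &g_regions[i];
        if (addr < r->base || addr - r->base >= r->size) {
            continue;
        }
        /* The whole access must lie inside one region: a burst that runs
           off the end into a neighbour is refused, not partly completed. */
        if (len > r->size - (addr - r->base)) {
            break;
        }
        uint8_t perm = (vmid == r->owner) ? r->owner_perm : r->other_perm;
        if (perm & need) {
            return true;
        }
        break;
    }
    g_bus_faults++;            /* unmapped or unauthorised: deny by default */
    return false;
}

/* A 32-bit write issued by a task. This is the case from the thread: even if
   the task's own index check has been corrupted, the endpoint still blocks
   the access because the VMID on the cycle is wrong for the target. */
bool task_write(unsigned task_id, uint32_t addr, uint32_t value)
{
    (void)value;
    return mpu_cycle(vmid_for_task(task_id), addr, sizeof value, true);
}
```

The two design points worth carrying over from the model: the decision is made at the endpoint on attributes of the bus cycle, not on anything the core's software asserts, and an address that matches no region faults rather than completing.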
Re: Use software assertions and leave them in the product!   11/6/2013 5:26:52 PM
@Wobbly: I still fail to see why an MPU-detected failure is "another thing all together" than a failing software assertion. For example, an assertion might check for an array index out of bounds. Why is such a failure so fundamentally different than an attempt to de-reference a NULL pointer, which might trip the MPU?

Re: Use software assertions and leave them in the product!
Wobbly   11/6/2013 1:31:55 PM
Well, there are two ECC possibilities.

1) Correctable error, which is completely allowable. That is why you use ECC, though ECC events should be tracked and thresholded. On a car, for example, ECC events that cross a threshold could trip the ECU lamp for a service error. Note, the threshold would not be a total count, but a count per unit runtime. You need to filter them over time.

2) Uncorrectable errors. On typical ECC controllers, this throws a hardware exception.

The ECC implementations that I have dealt with actually drove a bus fault on the read cycle, they could not be bypassed once they were enabled.

On client side MPUs, those also throw hardware exceptions. That is why I specifically asked about client side MPUs, as opposed to traditional MMU protection at the host side.

Assertions in code are one thing, but MPUs that actually throw back a physical bus fault into the core, that is another thing all together.

As far as software assertions, we never turn them off. They are in the production code.

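Wobbly's point that the correctable-error threshold should be a count per unit runtime, filtered over time, rather than a lifetime total, as an added worked example in C. This is not code from the thread or from any ECU; the leak interval, the trip level and the actions are assumed values chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Correctable-ECC event filter. A leaky bucket adds one unit per corrected
   error and drains one unit every ECC_LEAK_MS of runtime, so a sustained
   rate above roughly 8 events per hour lights the lamp while old, isolated
   events are forgotten. The interval and trip level are assumptions.
   Runtime is a free-running millisecond counter that may wrap. */
#define ECC_LEAK_MS    (450u * 1000u)   /* one event forgiven every 7.5 min */
#define ECC_TRIP_LEVEL 8u               /* bucket level at which the lamp lights */

typedef struct {
    uint32_t last_ms;     /* runtime at which the bucket last drained */
    uint32_t level;       /* current bucket level */
    uint32_t total;       /* lifetime count, kept for service diagnostics only */
    bool     lamp;        /* latched; cleared only by a service action */
} ecc_monitor_t;

typedef enum {
    ECC_ACTION_NONE,      /* corrected, within the normal rate */
    ECC_ACTION_LAMP,      /* corrected, but the rate is too high: request service */
    ECC_ACTION_FAILSAFE   /* uncorrectable: the data read cannot be trusted */
} ecc_action_t;

void ecc_monitor_init(ecc_monitor_t *m, uint32_t now_ms)
{
    m->last_ms = now_ms;
    m->level   = 0;
    m->total   = 0;
    m->lamp    = false;
}

/* Drain the bucket for the runtime elapsed since the last drain. Unsigned
   subtraction keeps this correct across counter wraparound. */
static void ecc_drain(ecc_monitor_t *m, uint32_t now_ms)
{
    uint32_t elapsed = now_ms - m->last_ms;
    uint32_t units   = elapsed / ECC_LEAK_MS;
    if (units == 0) {
        return;
    }
    m->level    = (units >= m->level) ? 0 : m->level - units;
    m->last_ms += units * ECC_LEAK_MS;   /* keep the partial interval */
}

/* Called from the correctable-error interrupt. */
ecc_action_t ecc_correctable_event(ecc_monitor_t *m, uint32_t now_ms)
{
    ecc_drain(m, now_ms);
    m->total++;
    m->level++;
    if (m->level > ECC_TRIP_LEVEL) {
        m->lamp = true;
    }
    return m->lamp ? ECC_ACTION_LAMP : ECC_ACTION_NONE;
}

/* Called from the uncorrectable-error exception. No rate filtering applies:
   the read returned data that cannot be trusted, so go to fail-safe. */
ecc_action_t ecc_uncorrectable_event(ecc_monitor_t *m)
{
    m->total++;
    m->lamp = true;
    return ECC_ACTION_FAILSAFE;
}
```

Five events on the first day followed by one event five hours later leave the bucket at one, whereas nine corrected errors inside a second trip the lamp; a lifetime counter with the same threshold of 8 would have lit the lamp on the sixth event no matter how far apart they were.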
selinz   11/6/2013 1:28:50 PM
So I'm still not clear whether this task x would disable the brakes. Is that what they are saying?
Use software assertions and leave them in the product!   11/6/2013 12:24:14 PM
I am really surprised that nobody so far mentioned the use of simple software assertions.

Most people point out that ECC or MPU were not used. But these layers of protection are really nothing else than hardware-assisted assertions. I mean, what do you do when your ECC detects a parity error or your MPU detects an unauthorized memory access? Well, you execute an exception handler, which puts your system in a fail-safe state (typically a reset).

This is exactly what simple software assertions do too, except that software assertions can easily catch subtle logic errors that no hardware can detect.

So here comes my main point. Too often I see software assertions **disabled** in the production code. Interestingly, this is done by the same people, who advocate the use of ECCs or MPUs. Isn't this a bit inconsistent? How many readers of this article ship products with assertions enabled?

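The production-assertion approach from this post, and from Wobbly's "multiple stability/security checks" reply further up (asserts on critical data at function entry and on returned data, left in the delivered code), as an added example in C. This is not code from the thread or from any product; the torque map, its bound of 1000, and the fail-safe handler are assumptions made for the example.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>

/* Production assertion that is NOT removed by NDEBUG, unlike <assert.h>. */
void on_assert_failed(const char *file, int line);
#define PROD_ASSERT(cond) \
    ((cond) ? (void)0 : on_assert_failed(__FILE__, __LINE__))

/* Fail-safe state. On a real ECU the handler would record file/line in
   nonvolatile memory and reset the processor; here longjmp() models that
   reset so the code runs on a host. Assumed design, not from any product. */
static jmp_buf     g_fail_safe;
static const char *g_assert_file  = NULL;
static int         g_assert_line  = 0;
static unsigned    g_assert_count = 0;

void on_assert_failed(const char *file, int line)
{
    g_assert_file = file;
    g_assert_line = line;
    g_assert_count++;
    longjmp(g_fail_safe, 1);   /* never returns to the faulting code */
}

unsigned    assert_failures(void)           { return g_assert_count; }
const char *last_assert(int *line)          { *line = g_assert_line; return g_assert_file; }

/* Constructed pedal-position-to-torque map: 8 entries in tenths of a percent. */
#define MAP_LEN 8u
static const uint16_t torque_map[MAP_LEN] = {
    0, 120, 250, 400, 580, 760, 900, 1000
};

/* Precondition asserted on entry (index in range) and postcondition asserted
   on the returned value. Neither defect is visible to ECC: the memory
   contents are intact, it is the index or the logic that is wrong. */
uint16_t torque_lookup(size_t idx)
{
    PROD_ASSERT(idx < MAP_LEN);
    uint16_t t = torque_map[idx];
    PROD_ASSERT(t <= 1000u);
    return t;
}

/* Runs one lookup under the fail-safe guard. Returns 0 on success with *out
   set, -1 if an assertion fired (the system would now be on its reset path
   and *out is left untouched). */
int torque_lookup_guarded(size_t idx, uint16_t *out)
{
    if (setjmp(g_fail_safe) != 0) {
        return -1;              /* arrived here from on_assert_failed() */
    }
    *out = torque_lookup(idx);
    return 0;
}
```

The handler, not the macro, is where the design decision lives: it must put the system into a defined state (here a jump to the guard, on hardware a logged reset) and must never return into the code that failed its check.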
Re: software and hardware stability
junko.yoshida   11/5/2013 10:27:04 AM
@Wobbly, exactly.

I think a lot of people are surprised, too. Although the lack of EDAC in Toyota's memory devices used at that time is not the ONLY reason that led to the bit flip, it is one important factor. 
