From what I know of the car industry, coding standards are very low. I don't think any car companies would look good if their code was audited by professional software engineers in other fields.
Then you don't know the motor industry very much as it has very strict coding standards like ISO 26262, the code has to be audited internally and by certified 3rd parties with every release to meet the development cycle requirements of the standards.
The industry also has specific coding standard for every language that is used in embedded systems like MISRA-C
https://en.wikipedia.org/wiki/MISRA_C
Today every thing you do with your car from using breaks to deploying air-bags is done through the computer, there's no way in hell that the motor industry would be releasing poor code "intentionally" because it would cost them billions in liabilities.
And you're not familiar with what happened when a 3rd party (Michael Barr) was allowed to FINALLY look inside Toyota's engine code and determine the cause of the "Unintended Acceleration" problem:
"Barr checked the [Toyota] source code against MISRA’s 2004 edition and found 81,514 violations."
The model year 2005 Camry in question from the trial would have been made available in 2004, and the electronic throttle control system was designed prior to 2004 (IIRC, the ETC design was carried forward from the previous model). How does it makes sense to apply MISRA-C:2004 in this case, especially when the Toyota ETC in question was admittedly not designed under MISRA-C:2004 nor prior MISRA-C revisions?
It is inaccurate to claim Michael Barr determined the cause of Toyota's unintended acceleration: he proposed a possible failure mode that was persuasive to a lay jury. His proposed failure mode didn't leave a DTC, so there's no way to actually know if his proposed failure mode actually happened in this case (or in any other).
I remember when this was posted on HN before, what I always wondered about is the discrepancy between the violations that NASA found and Barr.
NASA found 7000 and change Barr found over 81,000, I'm not sure whats the size of the code that was reviewed but that's allot, even if you count the fact that half of them might be silly like naming convention violations that still leaves quite an odd number for actual violations especially when considering that the code for an embedded system can't be that huge.
And the 10,000 global variables thing, well 10,000 sounds like a huge number but there wasn't any mention if they were a) necessary, b) implemented correctly, and c) out of how many variables in total? if the code they've tested has say 1 million variables then well....
And how they described global variables is also weird, they claimed that every software within the system can access them to me this sounds that your stereo or the rain sensor for the wipers can override data for the breaks, but that might be true only if everything is running within a single application.
If the breaks run as an independent application well then only every function within the break software (depending on the language and how global variables are implemented) could potentially access those variables.
To me pretty much that entire explanation seem to be constructed to sound worse than what it is, which is why I think that expert witnesses should only be allowed to be appointed and called by the court it self (as in by the judge so they and the jury could understand the technical details better) and not by either the defense or the prosecution.
> there wasn't any mention if they were a) necessary,
They were not. It is never necessary to have 10,000 global variables. If you have 10,000 global variables you are systematically Doing It Wrong. (That's not to say it's uncommon. From my experience I strongly suspect that it's a very common practice.) As one of the witnesses put it, quite correctly IMO:
"And in practice, five, ten, okay, fine. 10,000, no, we're done. It is not safe, and I don't need to see all 10,000 global variables to know that that is a problem,” Koopman testified.
Trying to justify this is like trying to justify not having a bug tracker. Which, BTW, they didn't.
> b) implemented correctly,
There's no way to check 10,000 global variables to see if they're implemented correctly, and that's the entire point.
> and c) out of how many variables in total?
That is completely irrelevant.
> they claimed that every software within the system can access them to me this sounds that your stereo or the rain sensor for the wipers can override data for the breaks,
This was the ECU, it only controls the engine, not the radio or the wipers. It has tasks for stuff like monitoring the engine and wheel speeds, the accelerator and brake pedal positions and controlling the fuel injection. And all of those tasks were only an extra header file and a typo away from stomping on one of the 10,000 global variables belonging to another task, but that isn't even the issue. The issue is that there is no way to trace the flow of data in the system because it's completely unstructured.
> but that might be true only if everything is running within a single application.
Welcome to the world of embedded RTOSs, where everything is running within a single application. It's not a PC. "Applications" aren't a thing. There's certainly no memory protection.
And 2 of my friends worked for BetterPlace (RIP) and it took years for Nissan to accept the code which had to be rewritten to comply and certified by an external 3rd party.
And that code wasn't even "mission critical" in terms of road safety.
I have seen both very good code and very bad code. Standards are in place for making it good but it really depends the most on who's implementing it and the SW team culture.
http://www.ldra.com/en/software-quality-test-tools/group/by-...
The industry also has specific coding standard for every language that is used in embedded systems like MISRA-C https://en.wikipedia.org/wiki/MISRA_C
Today every thing you do with your car from using breaks to deploying air-bags is done through the computer, there's no way in hell that the motor industry would be releasing poor code "intentionally" because it would cost them billions in liabilities.