As a software engineer, my daily job is to create bugs (as a by-product of writing code) and to fix (hopefully a large percentage of) them. When my code is shipped to millions of customers, it inevitably and sadly still has bugs. The cost might be customers losing time restarting their computers, or losing data.
However, for the software used in cars, the cost could be people's lives! Finding and fixing all bugs in complex software is extremely hard, if not impossible. I hope that one day we will be able to prove the correctness of any software (see the L4 kernel). But until that day comes, we still have to deal with software bugs.
There is news that cars recalled and repaired by Toyota can still run away. This could imply that Toyota didn't really fix the problem. Here are the possible causes I can think of:
- Driver's problem. If the driver pushes the pedal all the way down, the car will run away. This is the most common cause of runaway cars, but it is not the case in several of the Toyota accidents.
- Hardware problem. I find it hard to believe a floor mat could stick the gas pedal, because the floor mat grips the floor and is not likely to be pushed over, and it is not that hard to hold the gas pedal all the way down. Is it possible that the gas pedal just sticks by itself? Since I never heard stories about sticky gas pedals before software became widely used in car controls, this does not sound very likely either.
- Software problem. I think this is the most likely reason.
So I think a sandbox could be used as a form of protection. If the control software runs inside the sandbox, the sandbox could check each command for plausibility, reject unreasonable commands sent by the control software, and restart the control software to reset its state. In this way, no matter what bugs occur inside the sandbox, an unreasonable combination of commands will never reach the actuators.
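As an added illustration (not code from this post), here is what such a monitor could look like in C: it vets each actuator command against the driver's pedal inputs, which it reads independently of the controller, substitutes a safe output when a command is implausible, and restarts the controller after repeated rejections. The struct names, thresholds and the controller_restart hook are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* What the (untrusted) control software wants to send to the actuators. */
typedef struct {
    uint8_t throttle_pct;   /* 0..100 */
    uint8_t brake_pct;      /* 0..100 */
} actuator_cmd_t;

/* Pedal state the monitor reads from the sensors itself, not via the controller. */
typedef struct {
    uint8_t accel_pedal_pct;      /* driver's accelerator pedal position, 0..100 */
    bool    brake_pedal_pressed;
} pedal_state_t;

typedef struct {
    unsigned rejected;            /* commands vetoed since the last controller reset */
    unsigned controller_resets;   /* how often the controller has been restarted */
} monitor_t;

/* Hypothetical hook: the sandbox tears the controller down and starts it fresh. */
static void controller_restart(void) { /* platform-specific */ }

/* Plausibility policy: a command is reasonable only if it is consistent with
 * what the driver is doing. Thresholds are illustrative, not from any vehicle. */
static bool cmd_is_plausible(const actuator_cmd_t *cmd, const pedal_state_t *pedals)
{
    if (cmd->throttle_pct > 100 || cmd->brake_pct > 100) return false;   /* out of range */
    if (pedals->brake_pedal_pressed && cmd->throttle_pct > 0) return false; /* brake + throttle */
    if (cmd->throttle_pct > pedals->accel_pedal_pct + 5) return false;     /* more than asked */
    return true;
}

/* Gate one command. Returns what is actually sent to the actuators: the
 * controller's command if plausible, otherwise a safe fallback (no throttle,
 * full brake if the driver is braking). Three rejections trigger a restart. */
actuator_cmd_t monitor_gate(monitor_t *m, actuator_cmd_t cmd, const pedal_state_t *pedals)
{
    if (cmd_is_plausible(&cmd, pedals)) return cmd;
    m->rejected++;
    if (m->rejected >= 3) {
        m->controller_resets++;
        m->rejected = 0;
        controller_restart();
    }
    actuator_cmd_t safe;
    safe.throttle_pct = 0;
    safe.brake_pct = pedals->brake_pedal_pressed ? 100 : (cmd.brake_pct > 100 ? 100 : cmd.brake_pct);
    return safe;
}
```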