This seems to be a mix of C++ and Python, including a script called "realtime.py" (oxymoron?). So am I now exposed to other people using Python on the roads to operate heavy machinery?
So what, you want everything written in RUST on a linux kernel with hard real-time patches? It uses machine vision anyway, which has no hard guarantees at all. The software it uses to detect lanes or cars is probabilistic by its very nature.
Python does pretty well at soft real time if you manage your own event loop and disable the garbage collector, and you're a lot less likely to get "crash the entire stack" style memory allocation bugs. Sure, GO or RUST would be better; I think CPP could be worse if handled inexpertly.
Python has segfault issues, surprising exceptions and version incompatibility.
I've been using Linux/BSD for over a decade now. No C or C++ application has ever crashed; I cannot say the same about Python applications. Outright segfaults are rare but happen. Rogue exceptions are much more common and could basically have the same detrimental effect on a self-driving system as a segfault. And let's not talk about logic bugs due to version incompatibility and the obsessive rewriting of those who took control over CPython.
Ahh, you've been running some grad student's first python project as if it were a serious project like curl with 20 years of history, and expecting it to have the same quality. But you've somehow avoided the tons of grad-student CPP programs with similar quality issues, or the broken code pushed by companies like CrowdStrike or IBM.
Fair enough, your experience may vary. I'd suggest not judging the language by the standards of some hobbyist code that just so happened to end up on github. I've had tons of bugs in c/cpp programs over the years, some more critical than others.
I've seen a lot of shitty and unreliable python code, and a lot of good and mature C/CPP projects. I've also seen really bad security issues and crashes with bad C code: Heartbleed, CrowdStrike, etc.
For what it's worth I've never had youtube-dl hard crash on me, and I could argue that it's a more complicated problem to solve than what curl is solving. In an apples-to-apples comparison I think it does pretty well.
No matter what language you use for this you're going to be relying on an AI vision model with no hard guarantees.
Actually Python was insufficient for the sort of grad student bugs I wanted to write; I was able to just wrap everything up in giant try blocks and then,

    except:
        print("Something happened", i)

(Where i might be an index. Or an element.)
Fortran is able to generate better bugs, because it has allocate/free.
You have much more control over a pure C/C++ application because it does not involve the Python runtime. CrowdStrike etc. are exploits that don't really matter here: if you are on the CAN bus it's game over already.
That said, I'm pretty sure CPython has exploits, too. They'll be harder to find and trigger though.
Sure, runtimes exist and have engineering trade-offs. You avoid a whole class of memory related bugs but you lose a lot of control over memory allocation. You can do soft real-time as long as you manually manage the garbage collection and accept that there will be some (bounded) jitter on memory allocations.
The first rule of the tautology club is the first rule of the tautology club. Things have trade-offs. Python removes (or at least significantly reduces) a whole class of bugs that appear when using lower-level languages, that's part of why it's a good glue language.
The interface between openpilot and the car is a standalone device (the panda) that provides and enforces the safety model. All code is written in C to automotive safety standards including ISO26262, ISO11270, ISO15622, and MISRA-C. 100% line coverage for all safety unit tests.
They also run pretty extensive tests (regression, unit, hardware/software-in-the-loop, mutation, and vehicle specific) on every commit and have actual hardware devices continually running real routes looking for regressions.
Just so we're all clear here, there is a lot of gobbledygook in this answer which is either off target or irrelevant.
> a standalone device (the panda) that provides and enforces the safety model
What the actual safety model is that is being enforced is far more important here. The safety model could be "there is no safety guarantee whatsoever" and this sentence would still be true.
> All code is written in C to automotive safety standards including ISO26262, ISO11270, ISO15622, and MISRA-C.
26262 says practically nothing about software, what you really want is 21448. And 11270 and 15622 are super low targets for the amount of control authority available here.
MISRA-C is mostly a waste of time when it comes to safety. It gives software developers the warm blanket of having a checklist they can tick items off of, but does little to prevent unsafe systems from being built. Programmers have gotten pretty good about at least using tests and other analysis tools to make sure they're not doing the wildly stupid things that MISRA tries to prevent.
> 100% line coverage for all safety unit tests
100% line coverage is also rather trivial to achieve and doesn't say much. Branch coverage would be better, but being able to make some claims about state space coverage with exposure numbers would be what I'm expecting here.
> So am I now exposed to other people using Python on the roads to operate heavy machinery?
Yes, in the sense that Python is running the ML models and deciding what the vehicle should do, but it is heavily bounded in what it can do by the safety model, which is implemented in bare-metal MISRA C running on the microcontroller that interfaces between openpilot and the CAN bus (panda). It enforces things like accel/braking limits and steering rate limits along with consistency checks, heartbeats, vehicle status checks, etc.
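As an added illustration of the kind of bounding described in that comment (this is not panda or openpilot code, and the limits are constructed placeholders, not any real vehicle's values), here is the shape of a steering filter in C: an absolute torque limit, a per-tick rate limit, and a heartbeat timeout, any violation of which latches controls off so the output falls back to zero and the driver keeps the car:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example limits; the real safety model uses per-car values. */
#define MAX_STEER_TORQUE      300   /* absolute torque command limit           */
#define MAX_STEER_RATE_UP      10   /* max increase in magnitude per tick      */
#define MAX_STEER_RATE_DOWN    25   /* max decrease in magnitude per tick      */
#define HEARTBEAT_TIMEOUT_MS 1000   /* host (Python side) must ping this often */

typedef struct {
  int16_t  last_torque;       /* last torque actually forwarded to the bus */
  uint32_t last_heartbeat_ms; /* timestamp of the last host heartbeat      */
  bool     controls_allowed;  /* latched false once any violation is seen  */
} safety_state_t;

void safety_init(safety_state_t *s, uint32_t now_ms) {
  s->last_torque = 0;
  s->last_heartbeat_ms = now_ms;
  s->controls_allowed = true;
}

/* Called whenever the host process proves it is still alive. */
void safety_heartbeat(safety_state_t *s, uint32_t now_ms) {
  s->last_heartbeat_ms = now_ms;
}

/* Returns the torque that may be forwarded to the car for this tick.
 * A hung host, an out-of-range command, or a too-fast change all count as
 * violations: controls latch off and the output is forced to zero. */
int16_t safety_filter_steer(safety_state_t *s, int16_t desired, uint32_t now_ms) {
  bool violation = false;

  /* heartbeat check: unsigned subtraction is wrap-safe for a ms tick counter */
  if (now_ms - s->last_heartbeat_ms > HEARTBEAT_TIMEOUT_MS) violation = true;

  /* absolute limit on the command itself */
  if (desired > MAX_STEER_TORQUE || desired < -MAX_STEER_TORQUE) violation = true;

  /* rate limit: ramping up is bounded tightly, returning toward zero less so */
  int32_t delta = (int32_t)desired - (int32_t)s->last_torque;
  int32_t limit = (abs(desired) > abs(s->last_torque)) ? MAX_STEER_RATE_UP
                                                       : MAX_STEER_RATE_DOWN;
  if (delta > limit || delta < -limit) violation = true;

  if (violation) s->controls_allowed = false;
  int16_t out = s->controls_allowed ? desired : 0;
  s->last_torque = out;
  return out;
}
```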
Level 2 self-driving is already only a best-effort system, so if Python caused an issue it would just fall back to the safety model on the panda and ultimately the driver to operate the vehicle safely.
Sort of. It operates after your vehicle safety systems, so yes, python is controlling the car to an extent, but only within the limits of the built in safety systems.