If memory serves the main ECU control loop didn't check for stack overflows so excessive recursion could smash the global variables on the stack and accidentally turn off any number of ECU tasks - including the one responsible for monitoring the accelerator and brake.

The ECU module includes watchdog support that runs on another chip or core (can't recall) that was intended to do backup monitoring of the main ECU - and especially it should have watched the brake pedal and of the brake was held for a minimum time it would override the ECU and force the accelerator to zero. However that function did not work reliably, making the watchdog useless.

The code itself was poorly structured, with lots of critical things done in one big "god" task that if accidentally disabled by a single bool flip in RAM would ultimately disable many safety critical functions. Normally you'd have multiple copies of such data structures that must agree, split the code up into separate isolated tasks so a failure of one doesn't stop the others, and implement basic stack overflow protection which again IIRC was available on the toolchain they were using but was not enabled.

The watchdog problems are especially inexcusable for a safety critical system.

Another one crash that I think about semi often was a bus crash in Queens that killed 3 people where the bus was doing 60 in a 30 and blew a red light. The cause was suspected to be a thermos wedged under the brake pedal and pushing on the gas. It seems like a dumb thing to think about sometimes, but I try to be aware of that risk. https://www.core77.com/posts/84534/How-a-Commuter-Thermos-Ma... https://www.nydailynews.com/new-york/queens/ny-metro-dropped...

I've definitely had a few instances (over a few decades of driving) when I lost confidence in my knowledge of which pedal was which. Rote knowledge is tricky that way. Fortunately, I was always able to safely test. I was never confidently incorrect, but I can see it from here. It's a scary thought.