If memory serves, the main ECU control loop didn't check for stack overflows, so excessive recursion could smash the global variables on the stack and accidentally turn off any number of ECU tasks - including the one responsible for monitoring the accelerator and brake.
The ECU module includes watchdog support that runs on another chip or core (can't recall) that was intended to do backup monitoring of the main ECU - and especially it should have watched the brake pedal, and if the brake was held for a minimum time it would override the ECU and force the accelerator to zero. However, that function did not work reliably, making the watchdog useless.
The code itself was poorly structured, with lots of critical things done in one big "god" task that if accidentally disabled by a single bool flip in RAM would ultimately disable many safety critical functions. Normally you'd have multiple copies of such data structures that must agree, split the code up into separate isolated tasks so a failure of one doesn't stop the others, and implement basic stack overflow protection which again IIRC was available on the toolchain they were using but was not enabled.
The watchdog problems are especially inexcusable for a safety critical system.
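Two of the mitigations the comment above names (keeping multiple copies of a critical flag that must agree, and basic stack overflow protection) as an added example in C. This is illustrative code written for this page, not the ECU firmware being discussed; the flag layout, patterns and the array standing in for a task stack are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Redundant task-enable flag: the value and its bitwise complement are stored
 * side by side, so a single corrupted word (one bool flip in RAM) makes the
 * pair disagree instead of silently disabling the task. Constructed patterns. */
typedef struct {
    uint32_t value;
    uint32_t inverse;
} redundant_flag_t;

#define FLAG_ENABLED  0xA5A5A5A5u
#define FLAG_DISABLED 0x5A5A5A5Au

void flag_set(redundant_flag_t *f, bool enabled) {
    f->value = enabled ? FLAG_ENABLED : FLAG_DISABLED;
    f->inverse = ~f->value;
}

/* Returns 1 = enabled, 0 = disabled, -1 = corrupted (copies disagree or
 * neither known pattern is present). */
int flag_check(const redundant_flag_t *f) {
    if ((f->value ^ f->inverse) != 0xFFFFFFFFu) return -1;
    if (f->value == FLAG_ENABLED) return 1;
    if (f->value == FLAG_DISABLED) return 0;
    return -1;
}

/* Stack overflow detection by watermark: the lowest words of a task's stack
 * are pre-filled with a pattern; if any of them change, the stack grew into
 * the guard region. A plain array stands in for the real stack here. */
#define STACK_WORDS   64
#define GUARD_WORDS   8
#define GUARD_PATTERN 0xDEADBEEFu

void stack_init(uint32_t *stack) {
    for (int i = 0; i < GUARD_WORDS; i++) stack[i] = GUARD_PATTERN;
}

bool stack_guard_intact(const uint32_t *stack) {
    for (int i = 0; i < GUARD_WORDS; i++)
        if (stack[i] != GUARD_PATTERN) return false;
    return true;
}

/* Supervisor rule: a disagreeing flag or a breached guard is a fault, and the
 * task is held in a safe state rather than being quietly skipped. */
bool task_may_run(const redundant_flag_t *f, const uint32_t *stack) {
    return flag_check(f) == 1 && stack_guard_intact(stack);
}
```

In a real system the fault branch would also trip the independent watchdog so that the backup path, not the possibly corrupted main loop, decides what happens next.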