
The Coming Software Apocalypse - statictype
https://www.theatlantic.com/technology/archive/2017/09/saving-the-world-from-code/540393/
======
Ace17
> The fail-safe code that Toyota had put in place wasn’t enough to stop it.

> “You have software watching the software,” Barr testified.

> “If the software malfunctions and the same program or same app that is
> crashed is supposed to save the day, it can’t save the day because it is not
> working.”

The failure of Toyota was a memory corruption due to a stack overflow, because
an IRQ had been triggered at exactly the wrong time (i.e. the thread being
interrupted was already using almost all of its stack space).

Thus, the probability for the failure to occur was small, which means
rebooting the system to run the same erroneous code again might actually make
sense (and save lives).

I think the real problem with a fail-safe, in the case of Toyota, is _when_ to
trigger it. It's not as if we had a memory-corruption handler that gets called
every time something gets overwritten by mistake.
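The comment's point about a stack exhausted by an interrupt arriving at the wrong moment, and about not having a handler that fires when memory is overwritten, is easier to see with a small model. The following is an added example, not code from the thread or from Toyota's firmware: it simulates a downward-growing thread stack with a painted guard band, a preventive headroom check that an RTOS could run at interrupt entry, and a detective guard check that a periodic monitor or watchdog could run afterwards. The stack size, guard size, 0xA5 fill pattern and frame sizes are all constructed values.

```c
/* Added example (not from the discussion above): a model of how a firmware
 * stack guard detects the failure mode described in the comment, where an
 * interrupt lands while a thread is already near the bottom of its stack.
 * All sizes, names and the 0xA5 fill pattern are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STACK_SIZE  256u   /* bytes in the thread's stack region (constructed) */
#define GUARD_SIZE  32u    /* painted guard band below the usable stack        */
#define FILL_BYTE   0xA5u  /* pattern written at boot to every unused byte     */

/* A downward-growing thread stack: mem[0..GUARD_SIZE) is the guard band,
 * mem[GUARD_SIZE..STACK_SIZE) is usable, and sp indexes the lowest byte of
 * the frames currently in use. */
struct thread_stack {
    uint8_t mem[STACK_SIZE];
    size_t  sp;
};

/* Boot-time setup: paint the whole region so unused bytes stay recognisable. */
void stack_init(struct thread_stack *ts)
{
    memset(ts->mem, FILL_BYTE, sizeof ts->mem);
    ts->sp = STACK_SIZE;
}

/* Model a pushed frame (function call or interrupt entry). Like real hardware
 * it performs no bounds check; the write is only clamped to the array so the
 * simulation itself stays memory-safe. */
void stack_push_frame(struct thread_stack *ts, size_t frame_bytes)
{
    size_t new_sp = frame_bytes > ts->sp ? 0 : ts->sp - frame_bytes;
    memset(ts->mem + new_sp, 0xFF, ts->sp - new_sp);
    ts->sp = new_sp;
}

/* Bytes still free above the guard band for the interrupted thread. */
size_t stack_headroom(const struct thread_stack *ts)
{
    return ts->sp > GUARD_SIZE ? ts->sp - GUARD_SIZE : 0;
}

/* Preventive check an RTOS can run at interrupt entry: will this frame fit? */
int stack_frame_fits(const struct thread_stack *ts, size_t frame_bytes)
{
    return frame_bytes <= stack_headroom(ts);
}

/* Detective check for a periodic monitor or watchdog: does the guard band
 * still carry its boot-time pattern? Returns 1 if intact, 0 if any byte was
 * overwritten, i.e. the stack has overflowed into the guard. */
int stack_guard_intact(const struct thread_stack *ts)
{
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (ts->mem[i] != FILL_BYTE)
            return 0;
    return 1;
}

/* High-water mark: the most usable bytes the thread has ever consumed, found
 * by scanning upward from the guard for the first byte no longer painted. */
size_t stack_high_water_used(const struct thread_stack *ts)
{
    size_t i = GUARD_SIZE;
    while (i < STACK_SIZE && ts->mem[i] == FILL_BYTE)
        i++;
    return STACK_SIZE - i;
}

int main(void)
{
    struct thread_stack ts;
    stack_init(&ts);

    stack_push_frame(&ts, 200);            /* thread deep in its own call chain */
    printf("headroom before IRQ: %zu bytes\n", stack_headroom(&ts));

    size_t irq_frame = 40;                 /* what interrupt entry needs to save */
    if (!stack_frame_fits(&ts, irq_frame))
        printf("IRQ frame of %zu bytes would overflow the guard\n", irq_frame);

    stack_push_frame(&ts, irq_frame);      /* hardware pushes it regardless */
    printf("guard intact after IRQ: %d\n", stack_guard_intact(&ts));
    return 0;
}
```

The two checks answer the "when to trigger" question differently: `stack_frame_fits` can refuse or reroute work before the corruption happens, while `stack_guard_intact` only notices afterwards, which is the situation the comment describes, where the detecting code may itself be running on the damaged stack. Real MCUs often provide the preventive half in hardware (a stack-limit register or MPU guard page that faults on the first bad write); the painted-guard scan is the software fallback for parts that do not.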

