NASA and the great Toyota spaghetti monster
Blog post by a smart guy who doesn't give his name
Examination of the code found that throttle control variables are protected from corruption by storing multiple copies… Extensive software testing and analysis was performed on TMC 2005 Camry L4 source code using static analysis, logic model testing, recursion testing, and worst case execution timing. With the tools utilized during the course of this study, software defects that unilaterally cause an Unintended Acceleration were not found…
NESC Assessment #: TI-10-00618
In contrast, Michael Barr’s team, following on from the NASA assessment, found that some critical variables were not protected from corruption by mirroring (apparently NASA did not know this), that there was no hardware protection against single-bit errors (again, NASA did not know this), and that there were multiple possible software causes of memory corruption (neither Toyota nor NASA knew that stack usage was actually sitting at 91% rather than 41%). Thus a single bit flip or a software stack overflow could kill a safety-critical task, which would result in an unintended acceleration; the Barr team subsequently verified this failure mode through testing.
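As an added illustration (not code from the NASA report or from the Barr analysis), the two protections the post turns on: a critical variable mirrored with its bitwise complement, so that a single bit flip is detected and the throttle task falls back to a safe target instead of acting on the corrupted value, and a painted-stack high-water mark of the kind that exposes real stack usage (91% rather than 41%). The `mirrored_u16` type, the simulated 100-word stack and the closed-throttle fallback value of 0 are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Safety-critical variable stored as value plus bitwise complement.
 * Both copies are written together and must agree before use. */
typedef struct { uint16_t value, mirror; } mirrored_u16;
void mirrored_set(mirrored_u16 *m, uint16_t v)
{
    m->value = v;
    m->mirror = (uint16_t)~v;
}
/* True, with *out filled, only when value XOR mirror is all ones;
 * a single bit flip in either copy breaks that relation. */
bool mirrored_get(const mirrored_u16 *m, uint16_t *out)
{
    if ((uint16_t)(m->value ^ m->mirror) != 0xFFFFu) return false;
    *out = m->value;
    return true;
}
/* Throttle task reads through the check and falls back to the safe
 * state (target 0 = closed) rather than acting on a corrupted value. */
uint16_t throttle_target_or_safe(const mirrored_u16 *m)
{
    uint16_t v;
    return mirrored_get(m, &v) ? v : 0u;
}

/* Stack high-water mark on a simulated 100-word stack: paint a known
 * pattern before the tasks run, then count words no longer painted. */
#define STACK_WORDS 100u
#define PAINT 0xDEADBEEFu
static uint32_t sim_stack[STACK_WORDS];
void stack_paint(void)
{
    for (unsigned i = 0; i < STACK_WORDS; i++) sim_stack[i] = PAINT;
}
/* Constructed load: a task pushes `words` words (stack grows down from the top). */
void stack_consume(unsigned words)
{
    for (unsigned i = 0; i < words && i < STACK_WORDS; i++)
        sim_stack[STACK_WORDS - 1u - i] = 0u;
}
unsigned stack_percent_used(void)
{
    unsigned used = 0;
    for (unsigned i = 0; i < STACK_WORDS; i++) used += (sim_stack[i] != PAINT);
    return used * 100u / STACK_WORDS;
}
```

A variable protected this way turns a silent bit flip into a detected fault; an unmirrored one, as Barr found for some variables, simply delivers the wrong number to the task.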