> there wasn't any mention if they were a) necessary,

They were not. It is never necessary to have 10,000 global variables. If you have 10,000 global variables you are systematically Doing It Wrong. (That's not to say it's uncommon. From my experience I strongly suspect that it's a very common practice.) As one of the witnesses put it, quite correctly IMO: "And in practice, five, ten, okay, fine. 10,000, no, we're done. It is not safe, and I don't need to see all 10,000 global variables to know that that is a problem," Koopman testified. Trying to justify this is like trying to justify not having a bug tracker. Which, BTW, they didn't.

> b) implemented correctly,

There's no way to check 10,000 global variables to see if they're implemented correctly, and that's the entire point.

> and c) out of how many variables in total?

That is completely irrelevant.

> they claimed that every software within the system can access them to me this sounds that your stereo or the rain sensor for the wipers can override data for the brakes,

This was the ECU, it only controls the engine, not the radio or the wipers. It has tasks for stuff like monitoring the engine and wheel speeds, the accelerator and brake pedal positions and controlling the fuel injection. And all of those tasks were only an extra header file and a typo away from stomping on one of the 10,000 global variables belonging to another task, but that isn't even the issue. The issue is that there is no way to trace the flow of data in the system because it's completely unstructured.

> but that might be true only if everything is running within a single application.

Welcome to the world of embedded RTOSs, where everything is running within a single application. It's not a PC. "Applications" aren't a thing. There's certainly no memory protection.

But in the end the important consequence is: having everything in one address space encourages people to violate the concepts that memory protection between tasks on your PC typically enforces, e.g. tasks reading from and writing to other tasks' data structures without proper synchronization, instead of using proper IPC mechanisms like queues. Which is probably what these 10,000 global variables were used for.