I believe in case of Mars Pathfinder, a software bug in the operating system caused a lockup, so a normal reset (and the system restarting in a safe mode) would have been sufficient. They were able to find the bug, fix it, and upload the corrected software to the rover after this incident.



What action the watchdog should take on triggering depends on the target system. If the CPU can end up in states that can only be exited by cycling the power (the external slow clock one is one of them, but there are tiny chances that the processor might end up in boundary scan mode or fast flash programming mode if the external events are severe enough), the watchdog should do that. However, other parts of the hardware might not end up in a safe state if power is suddenly cut. That's one of the recommendations Jack Ganssles article gives - have hardware put the system in a safe state (even if that safe state means blowing up a rocket carrying a few hundred million Euro worth of satellites over the Pacific ... oops).

But yes, the uC in question had several documented states in which it will not even respond to an external reset. I guess the manufacturer didn't want to explicitly recommend an external watchdog that can cycle power, but I'll add it to my mental notes that even the mere mention of processor states that last until the next power cycle means that the watchdog must be able to cycle power of the uC.



True. We started with engineering samples of the uC in question, and the manufacturer kept, err, updating the documentation of the power-up sequencing. Fun. Especially since it wasn't just a simple case of keeping the slew rate where the processor wanted it, but different voltages (VDDIO, VCORE) had to follow rules like "one may not exceed the other", or "one must reach at least voltage X before the other reaches voltage Y". Sometimes I'm glad I'm only the firmware engineer and the hardware is done by people who have about infinitely more knowledge about the subject than I.



Possibly. However, in our case, I believe there are limits to the circuitry given by the requirements spec (amplitude response, input impedance, etc), and the device is explicitly not expected to continue operating through some of the more severe external events, it's just required that it does not suffer permanent damage and returns to normal operation within ten seconds.