wrote:
I agree that continuous rebooting is a bad idea.

Just FYI, NASA's Mars Spirit rover got itself into a continuous reboot
cycle too:

http://en.wikipedia.org/wiki/Spirit_rover

I've been involved in a couple of projects where we considered adding an
external hardware watchdog reboot system. (These are simple systems that
must be sent a heartbeat pulse periodically by the application, otherwise
the watchdog assumes the app died and does a hard reset of the application
system.)

Automatic reboot is of course a last resort, but given a choice between a
distant system that freezes up entirely and all hope of recovery is lost
and one that reboots into a state long enough to allow a small chance to
salvage the situation, I think the latter is preferred.