Merge branch 'issue/18-Backup-RAM' into issue/15-safety-controller-hardening

2020-09-06 19:54:09 +02:00
parent 9880c701b1 910037a562
commit 192bcf01f6
3 changed files with 211 additions and 9 deletions
--- a/stm-firmware/include/reflow-controller/safety/safety-memory.h
+++ b/stm-firmware/include/reflow-controller/safety/safety-memory.h
@@ -23,6 +23,10 @@

 #include <stdint.h>

+/** @addtogroup safety-memory
+ * @{
+ */
+
 /**
 * @brief Magic number to signal a valid safety memory header.
 */
@@ -81,23 +85,37 @@ struct safety_memory_boot_status {
 	uint32_t reset_from_panic;
 };

+/**
+ * @brief The state of the safety memory
+ *
+ * This is returned by certain functions in order to signal, if the header and CRC infos are valid.
+ */
 enum safety_memory_state {
-	SAFETY_MEMORY_INIT_FRESH = 0,
-	SAFETY_MEMORY_INIT_CORRUPTED = 1,
-	SAFETY_MEMORY_INIT_VALID_MEMORY = 2,
+	SAFETY_MEMORY_INIT_FRESH = 0,		/**< @brief Memory header not found */
+	SAFETY_MEMORY_INIT_CORRUPTED = 1,	/**< @brief Header found, but corrupt memory */
+	SAFETY_MEMORY_INIT_VALID_MEMORY = 2,	/**< @brief Valid header found and CRC check is valid */
 };

+/**
+ * @brief Types of error memory entries
+ */
 enum safety_memory_error_entry_type {
-	SAFETY_MEMORY_ERR_ENTRY_FLAG = 1,
-	SAFETY_MEMORY_ERR_ENTRY_NOP = 2,
+	SAFETY_MEMORY_ERR_ENTRY_FLAG = 1,	/**< @brief Flag error entry. Logs a flag */
+	SAFETY_MEMORY_ERR_ENTRY_NOP = 2,	/**< @brief NOP entry. Has no meaning, but will be treated as a valid entry */
 };

+/**
+ * @brief Firmware internal representation of an error memory entry.
+ */
 struct error_memory_entry {
 	enum safety_memory_error_entry_type type;
 	uint8_t flag_num;
 	uint16_t counter;
 };

+/**
+ * @brief Types of conig override entries
+ */
 enum config_override_entry_type {
 	SAFETY_MEMORY_CONFIG_OVERRIDE_WEIGHT = 1,
 	SAFETY_MEMORY_CONFIG_OVERRIDE_PERSISTANCE = 2,
@@ -120,7 +138,7 @@ struct config_override {
 	union {
 		struct {
 			uint8_t flag;
-			uint8_t weight;
+			enum config_override_weight weight;
 		} weight_override;
 		struct {
 			uint8_t flag;
@@ -129,26 +147,104 @@ struct config_override {
 	} entry;
 };

+/**
+ * @brief First time init the safety memory. This requests all clocks etc.
+ *
+ * The error memory is always vlaid after this function. At least, if it returns without error.
+ * The \p found_state output tells the caller, in which state the memory was found. If it was uninitialized,
+ * or corrupted, it is completely wiped and a fresh memory structure is written.
+ *
+ * @param[out] found_state State the error memory was found in
+ * @return 0 if successful
+ * @warning Also check @ref safety_memory_reinit
+ */
 int safety_memory_init(enum safety_memory_state *found_state);

+/**
+ * @brief Same as @ref safety_memory_init, but without specifically requesting the clock modules.
+ *
+ * Use this, if a call to @ref safety_memory_init has already been done.
+ *
+ * @param[out] found_state State the error memory was found in
+ * @return 0 if successful
+ */
 int safety_memory_reinit(enum safety_memory_state *found_state);

+/**
+ * @brief Get the boot status structure from safety memory
+ * @param[out] status Status read from memory.
+ * @return 0 if successful
+ */
 int safety_memory_get_boot_status(struct safety_memory_boot_status *status);

+/**
+ * @brief Write the boot status structure to safety memory
+ * @param[in] status Status to write
+ * @return 0 if successful
+ */
 int safety_memory_set_boot_status(const struct safety_memory_boot_status *status);

+/**
+ * @brief Get the amout of error entries in the error memory. This also includes NOP entries.
+ * @param[out] count Count
+ * @return 0 if successful
+ */
 int safety_memory_get_error_entry_count(uint32_t *count);

+/**
+ * @brief Check the header and CRC of the safety memory.
+ * @return 0 if all checks pass
+ */
 int safety_memory_check(void);

+/**
+ * @brief Read an error entry from the error memory
+ * @param idx Index of the entry
+ * @param[out] entry Error entry
+ * @return 0 if successful
+ */
 int safety_memory_get_error_entry(uint32_t idx, struct error_memory_entry *entry);

+/**
+ * @brief Insert an error entry
+ *
+ * This function inserts an error entry on the first NOP entry found in the error memory.
+ * If an entry is found with the same flag number, its counter is incremented by the counter value of the
+ * element to insert.
+ *
+ * If there are no NOPs or fitting entries in the error memory, error memory is expanded until it hits the memory
+ * boundary.
+ *
+ * @param entry Error entry to insert
+ * @returns 0 if successful, -3 if out of memory, and other negative error codes
+ */
 int safety_memory_insert_error_entry(struct error_memory_entry *entry);

+/**
+ * @brief Insert a config override entry at the first free location.
+ *
+ * Free locations are entries containing 0x00000000
+ *
+ * @param config_override Config to write
+ * @return 0 if successful
+ */
 int safety_memory_insert_config_override(struct config_override *config_override);

+/**
+ * @brief Get count of config overrides
+ * @param[out] count Number of overrides
+ * @return 0 if successful
+ */
 int safety_memory_get_config_override_count(uint32_t *count);

+/**
+ * @brief Get a config ovveide entry
+ * @param idx Index of the requested entry
+ * @param[out] config_override READ override
+ * @return 0 if successful
+ */
 int safety_memory_get_config_override(uint32_t idx, struct config_override *config_override);

 #endif /* __SAFETY_MEMORY_H__ */
+
+/** @} */
--- a/stm-firmware/safety/safety-controller.c
+++ b/stm-firmware/safety/safety-controller.c
@@ -218,13 +218,28 @@ int safety_controller_report_error_with_key(enum safety_flag flag, uint32_t key)
 {
 	uint32_t i;
 	int ret = -1;
+	bool old_state;
+	int res;
+	struct error_memory_entry err_mem_entry;

 	for (i = 0; i < COUNT_OF(flags); i++) {
 		if (flags[i].flag & flag) {
+			old_state = flags[i].error_state;
 			flags[i].error_state = true;
 			flags[i].error_state_inv = !flags[i].error_state;
 			flags[i].key = key;
-			ret = 0;
+
+			if (flags[i].persistent && !old_state) {
+				err_mem_entry.counter = 1;
+				err_mem_entry.flag_num = i;
+				err_mem_entry.type = SAFETY_MEMORY_ERR_ENTRY_FLAG;
+				res = safety_memory_insert_error_entry(&err_mem_entry);
+				if (res) {
+					ret = -12;
+				}
+			} else {
+				ret = 0;
+			}
 		}
 	}

--- a/stm-firmware/safety/safety-memory.c
+++ b/stm-firmware/safety/safety-memory.c
@@ -107,6 +107,11 @@ return_val:
 	return ret;
 }

+static void safety_memory_write_header(const struct safety_memory_header *header)
+{
+	backup_ram_write_data(0UL, (uint32_t *)header, wordsize_of(*header));
+}
+
 static void safety_memory_write_new_header(void)
 {
 	struct safety_memory_header header;
@@ -120,7 +125,7 @@ static void safety_memory_write_new_header(void)
 	header.magic_i = ~SAFETY_MEMORY_MAGIC;

 	backup_ram_wipe();
-	backup_ram_write_data(0UL, (uint32_t *)&header, wordsize_of(header));
+	safety_memory_write_header(&header);
 }

 static int safety_memory_check_crc()
@@ -371,7 +376,93 @@ return_value:
 	return ret;
 }

-int safety_memory_insert_error_entry(struct error_memory_entry *entry);
+int safety_memory_insert_error_entry(struct error_memory_entry *entry)
+{
+	int res;
+	int ret = -0xFFFF;
+	uint32_t addr;
+	uint32_t data;
+	bool found;
+	uint32_t input_data;
+	struct error_memory_entry current_entry;
+
+	struct safety_memory_header header;
+
+	input_data = error_memory_entry_to_word(entry);
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	if (entry->type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+		/* Append to end */
+		if ((header.err_memory_end + 1U) < backup_ram_get_size_in_words()) {
+			/* Still fits in memory */
+			backup_ram_write_data(header.err_memory_end, &input_data, 1UL);
+			header.err_memory_end++;
+			safety_memory_write_header(&header);
+			safety_memory_gen_crc();
+			ret = 0;
+		}
+	} else if (entry->type == SAFETY_MEMORY_ERR_ENTRY_FLAG) {
+		found = false;
+		for (addr = header.err_memory_offset; addr < header.err_memory_end; addr++) {
+			res = backup_ram_get_data(addr, &data, 1UL);
+			if (res) {
+				ret = -1;
+				goto return_value;
+			}
+			res = word_to_error_memory_entry(data, &current_entry);
+			if (res) {
+				ret = -2;
+				goto return_value;
+			}
+
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG &&
+					current_entry.flag_num == entry->flag_num) {
+				found = true;
+				break;
+			}
+
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+				found = true;
+				break;
+			}
+		}
+
+		if (!found) {
+			/* No suitable place found in memory. Append */
+
+			if ((addr + 1) < backup_ram_get_size_in_words()) {
+				backup_ram_write_data(addr, &input_data, 1UL);
+				header.err_memory_end++;
+				safety_memory_write_header(&header);
+			} else {
+				ret = -3;
+				goto return_value;
+			}
+		} else {
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+				backup_ram_write_data(addr, &input_data, 1UL);
+			} else {
+				current_entry.counter += entry->counter;
+				if (current_entry.counter < entry->counter)
+					current_entry.counter = 0xFFFF;
+				data = error_memory_entry_to_word(&current_entry);
+				backup_ram_write_data(addr, &data, 1UL);
+			}
+		}
+
+		safety_memory_gen_crc();
+		ret = 0;
+
+	} else {
+		ret = -1001;
+	}
+
+return_value:
+	return ret;
+}

 int safety_memory_insert_config_override(struct config_override *config_override);