Fiy style issues

This commit is contained in:
Mario Hüttel 2022-07-16 13:01:38 +02:00
parent 14ea4d22fe
commit 5ddae7efee
4 changed files with 102 additions and 115 deletions

View File

@ -70,14 +70,14 @@ struct timing_monitor_info {
* You have to call safety_controller_handle
* If this function fails, it will hang, because errors in the safety controller are not recoverable
*/
void safety_controller_init();
void safety_controller_init(void);
/**
* @brief Handle the safety controller.
* @note This function must be executed periodically in order to prevent the watchdog from resetting the firmware
* @return 0 if successful
*/
int safety_controller_handle();
int safety_controller_handle(void);
/**
* @brief Report one or multiple errors to the safety controller
@ -170,13 +170,13 @@ bool safety_controller_get_flags_by_mask(enum safety_flag mask);
* @brief Get the count of error flags
* @return Error flag count
*/
uint32_t safety_controller_get_flag_count();
uint32_t safety_controller_get_flag_count(void);
/**
* @brief Get the count of analog monitors
* @return Analog monitor count
*/
uint32_t safety_controller_get_analog_monitor_count();
uint32_t safety_controller_get_analog_monitor_count(void);
/**
* @brief Get an error flag's name by its index.

View File

@ -78,5 +78,6 @@ void panic_mode(void)
}
/* Let the watchdog do the rest */
while (1);
while (1)
;
}

View File

@ -60,7 +60,8 @@ void safety_adc_init(void)
rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_DMA2EN));
if (hw_rev != HW_REV_V1_2) {
rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PORT_RCC_MASK));
rcc_manager_enable_clock(&RCC->AHB1ENR,
BITMASK_TO_BITNO(SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PORT_RCC_MASK));
SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PORT->MODER &= MODER_DELETE(SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PIN);
SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PORT->MODER |= ANALOG(SAFETY_ADC_SUPPLY_VOLTAGE_MONITOR_PIN);
}
@ -97,7 +98,8 @@ void safety_adc_init(void)
DMA2_Stream4->PAR = (uint32_t)&SAFETY_ADC_ADC_PERIPHERAL->DR;
DMA2_Stream4->M0AR = (uint32_t)safety_adc_conversions;
DMA2_Stream4->NDTR = SAFETY_ADC_NUM_OF_CHANNELS;
DMA2_Stream4->CR = DMA_SxCR_PL_0 | DMA_SxCR_MSIZE_0 | DMA_SxCR_PSIZE_0 | DMA_SxCR_MINC | DMA_SxCR_CIRC | DMA_SxCR_TCIE | DMA_SxCR_EN;
DMA2_Stream4->CR = DMA_SxCR_PL_0 | DMA_SxCR_MSIZE_0 | DMA_SxCR_PSIZE_0 | DMA_SxCR_MINC | DMA_SxCR_CIRC |
DMA_SxCR_TCIE | DMA_SxCR_EN;
NVIC_EnableIRQ(DMA2_Stream4_IRQn);
/* Enable ADC */
@ -175,7 +177,7 @@ void safety_adc_trigger_meas(void)
safety_adc_triggered = 1;
}
void DMA2_Stream4_IRQHandler()
void DMA2_Stream4_IRQHandler(void)
{
uint32_t hisr;

View File

@ -318,8 +318,7 @@ static const struct crc_monitor_register safety_adc_crc_regs[] = {
{NULL, 0, 0}
};
static struct crc_mon IN_SECTION(.ccm.data) crc_monitors[] =
{
static struct crc_mon IN_SECTION(.ccm.data) crc_monitors[] = {
{
.registers = meas_adc_crc_regs,
.monitor = ERR_CRC_MON_MEAS_ADC,
@ -360,7 +359,8 @@ static void set_overtemp_config(float over_temperature)
safety_controller_overtemp_config.crc_dummy_seed = 0xA4F5C7E6UL;
safety_controller_overtemp_config.overtemp_deg_celsius = over_temperature;
safety_controller_overtemp_config.overtemp_equiv_resistance = resistance;
crc_unit_input_array((const uint32_t *)&safety_controller_overtemp_config, wordsize_of(struct overtemp_config) - 1);
crc_unit_input_array((const uint32_t *)&safety_controller_overtemp_config,
wordsize_of(struct overtemp_config) - 1);
safety_controller_overtemp_config.crc = crc_unit_get_crc();
}
@ -369,7 +369,8 @@ static bool over_temperature_config_check(void)
if (safety_controller_overtemp_config.crc_dummy_seed != 0xA4F5C7E6UL)
return true;
crc_unit_reset();
crc_unit_input_array((const uint32_t *)&safety_controller_overtemp_config, wordsize_of(struct overtemp_config) - 1);
crc_unit_input_array((const uint32_t *)&safety_controller_overtemp_config,
wordsize_of(struct overtemp_config) - 1);
if (crc_unit_get_crc() != safety_controller_overtemp_config.crc)
return true;
@ -519,9 +520,8 @@ static int safety_controller_check_crc_monitors(void)
if (crc_monitor_calculate_crc(mon->registers, &crc))
return -1;
if (mon->expected_crc != crc || ~mon->expected_crc_inv != crc) {
if (mon->expected_crc != crc || ~mon->expected_crc_inv != crc)
safety_controller_report_error(mon->flag_to_set);
}
mon->last_crc = crc;
}
@ -608,16 +608,14 @@ static void apply_config_overrides(void)
case SAFETY_MEMORY_CONFIG_OVERRIDE_WEIGHT:
flag_enum = flag_no_to_flag_enum(override.entry.weight_override.flag);
flag = find_error_flag(flag_enum);
if (flag && flag->weight) {
if (flag && flag->weight)
flag->weight->weight = override.entry.weight_override.weight;
}
break;
case SAFETY_MEMORY_CONFIG_OVERRIDE_PERSISTENCE:
flag_enum = flag_no_to_flag_enum(override.entry.persistence_override.flag);
flag = find_error_flag(flag_enum);
if (flag && flag->persistence) {
if (flag && flag->persistence)
flag->persistence->persistence = override.entry.persistence_override.persistence;
}
break;
default:
continue;
@ -647,12 +645,11 @@ static bool error_flag_get_status(const volatile struct error_flag *flag)
if (!flag)
return true;
if (flag->error_state == flag->error_state_inv) {
if (flag->error_state == flag->error_state_inv)
return true;
} else {
else
return flag->error_state;
}
}
/**
* @brief Find a analog value monitor structure by its enum number
@ -693,7 +690,7 @@ static volatile struct timing_mon *find_timing_mon(enum timing_monitor mon)
/**
* @brief Check the active timing monitors and set the appropriate flags in case of an error.
*/
static void safety_controller_process_active_timing_mons()
static void safety_controller_process_active_timing_mons(void)
{
uint32_t i;
volatile struct timing_mon *current_mon;
@ -716,7 +713,8 @@ static void safety_controller_process_active_timing_mons()
* Process the analog and timing monitors and set the relevant flags in case of a monitor outside its limits.
* Furthermore, the PT1000 resistance is checked for overtemperature
*
* The checking of the analog monitors will only be armed after a startup delay of 1000 ms to allow the values to stabilize.
* The checking of the analog monitors will only be armed after a startup delay of 1000 ms to
* allow the values to stabilize.
*/
static void safety_controller_process_monitor_checks(void)
{
@ -731,21 +729,18 @@ static void safety_controller_process_monitor_checks(void)
if (startup_completed) {
analog_mon_count = safety_controller_get_analog_monitor_count();
for (idx = 0; idx < analog_mon_count; idx++) {
for (idx = 0; idx < analog_mon_count; idx++)
if (safety_controller_get_analog_mon_by_index(idx, &amon_info)) {
panic_mode();
}
if (amon_info.status != ANALOG_MONITOR_OK) {
if (amon_info.status != ANALOG_MONITOR_OK)
safety_controller_report_error(amon_info.associated_flag);
}
}
}
adc_pt1000_get_current_resistance(&pt1000_val);
if (pt1000_val > safety_controller_overtemp_config.overtemp_equiv_resistance) {
if (pt1000_val > safety_controller_overtemp_config.overtemp_equiv_resistance)
safety_controller_report_error(ERR_FLAG_OVERTEMP);
}
(void)safety_controller_check_crc_monitors();
@ -820,10 +815,9 @@ void safety_controller_report_timing(enum timing_monitor monitor)
tim = find_timing_mon(monitor);
if (tim) {
if (tim->enabled) {
if (!systick_ticks_have_passed(tim->last, tim->min_delta) && tim->min_delta > 0U) {
if (!systick_ticks_have_passed(tim->last, tim->min_delta) && tim->min_delta > 0U)
safety_controller_report_error(tim->associated_flag);
}
}
tim->calculated_delta = timestamp - tim->last;
tim->last = timestamp;
@ -870,10 +864,9 @@ static int get_safety_flags_from_error_mem(enum safety_flag *flags)
for (idx = 0; idx < count; idx++) {
res = safety_memory_get_error_entry(idx, &entry);
if (entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG) {
if (entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG)
return_flags |= flag_no_to_flag_enum(entry.flag_num);
}
}
*flags = return_flags;
return 0;
@ -884,11 +877,12 @@ static int get_safety_flags_from_error_mem(enum safety_flag *flags)
*
* The external harware watchdog has to be periodically reset or it will reset hte controller.
* Because debugging is not possible, when the watchdog is active, it is only activated, if the application is
* compiled in release mode. Any interruption of the main programm will then trigger the internal and/or the external watchdog.
* compiled in release mode. Any interruption of the main programm will then trigger the internal and/or
* the external watchdog.
*
* @note When enabled, execute the @ref external_watchdog_toggle function to reset the external watchdog.
*/
static void safety_controller_init_external_watchdog()
static void safety_controller_init_external_watchdog(void)
{
rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(SAFETY_EXT_WATCHDOG_RCC_MASK));
SAFETY_EXT_WATCHDOG_PORT->MODER &= MODER_DELETE(SAFETY_EXT_WATCHDOG_PIN);
@ -899,7 +893,7 @@ static void safety_controller_init_external_watchdog()
__DSB();
}
void safety_controller_init()
void safety_controller_init(void)
{
enum safety_memory_state found_memory_state;
enum safety_flag flags_in_err_mem = ERR_FLAG_NO_FLAG;
@ -967,7 +961,7 @@ void safety_controller_init()
* 1) Checking the remaining free space at the moment between stack pointer and top of heap.
* 2) Checking The CRC of the corruption detect area between heap and stack
*/
static void safety_controller_check_stack()
static void safety_controller_check_stack(void)
{
int32_t free_stack;
@ -975,18 +969,17 @@ static void safety_controller_check_stack()
if (free_stack < SAFETY_MIN_STACK_FREE)
safety_controller_report_error(ERR_FLAG_STACK);
if (stack_check_corruption_detect_area()) {
if (stack_check_corruption_detect_area())
safety_controller_report_error(ERR_FLAG_STACK);
}
}
/**
* @brief Handle the Safety ADC
*
* This function handles the safety ADC.
* If the safety ADC ius not executing a measurment and the time since the last measurement has
* passed @ref SAFETY_CONTROLLER_ADC_DELAY_MS, the safety ADC is retriggered and will automatically perform a measurement
* on all of its channels.
* If the safety ADC is not executing a measurment and the time since the last measurement has
* passed @ref SAFETY_CONTROLLER_ADC_DELAY_MS, the safety ADC is retriggered and will automatically perform a
* measurement on all of its channels.
* When called again, this function will retrieve the data from the safety ADC and converts it into the
* appropriate analog values for the analog value monitors.
*
@ -995,7 +988,7 @@ static void safety_controller_check_stack()
*
* The channels, the ssafety ADC will convert is defined in its header file using the define @ref SAFETY_ADC_CHANNELS.
*/
static void safety_controller_handle_safety_adc()
static void safety_controller_handle_safety_adc(void)
{
static uint64_t last_result_timestamp = 0;
const uint16_t *channels;
@ -1066,10 +1059,9 @@ static void safety_controller_handle_memory_checks(void)
/* Check the safety memory */
if (safety_memory_check()) {
(void)safety_memory_reinit(&found_state);
if (found_state != SAFETY_MEMORY_INIT_VALID_MEMORY) {
if (found_state != SAFETY_MEMORY_INIT_VALID_MEMORY)
safety_controller_report_error(ERR_FLAG_SAFETY_MEM_CORRUPT);
}
}
/* If flag weight table is broken, reinit to default and set flag */
if (flag_weight_table_crc_check()) {
@ -1097,7 +1089,7 @@ static void safety_controller_handle_memory_checks(void)
* If the systick stays constant for more than 1000 calls of this function,
* the @ref ERR_FLAG_SYSTICK flag is set.
*/
static void safety_controller_do_systick_checking()
static void safety_controller_do_systick_checking(void)
{
static uint64_t last_systick;
static uint32_t same_systick_cnt = 0UL;
@ -1122,7 +1114,7 @@ static void safety_controller_do_systick_checking()
* @note If no flag weigth is present for a given error flag, it is treated as the most critical category
* (@ref SAFETY_FLAG_CONFIG_WEIGHT_PANIC)
*/
static void safety_controller_handle_weighted_flags()
static void safety_controller_handle_weighted_flags(void)
{
uint32_t flag_index;
volatile struct error_flag *current_flag;
@ -1132,9 +1124,8 @@ static void safety_controller_handle_weighted_flags()
current_flag = &flags[flag_index];
/* Continue if this flag is not set */
if (!error_flag_get_status(current_flag)) {
if (!error_flag_get_status(current_flag))
continue;
}
flag_weigth = get_flag_weight(current_flag);
switch (flag_weigth) {
@ -1155,13 +1146,13 @@ static void safety_controller_handle_weighted_flags()
}
#ifndef DEBUGBUILD
static void external_watchdog_toggle()
static void external_watchdog_toggle(void)
{
SAFETY_EXT_WATCHDOG_PORT->ODR ^= (1<<SAFETY_EXT_WATCHDOG_PIN);
}
#endif
int safety_controller_handle()
int safety_controller_handle(void)
{
int ret = 0;
#ifndef DEBUGBUILD
@ -1273,9 +1264,8 @@ int safety_controller_ack_flag_with_key(enum safety_flag flag, uint32_t key)
int ret = -1;
volatile struct error_flag *found_flag;
if (!is_power_of_two(flag)) {
if (!is_power_of_two(flag))
return -1001;
}
found_flag = find_error_flag(flag);
if (found_flag) {
@ -1306,17 +1296,17 @@ bool safety_controller_get_flags_by_mask(enum safety_flag mask)
return ret;
}
uint32_t safety_controller_get_flag_count()
uint32_t safety_controller_get_flag_count(void)
{
return COUNT_OF(flags);
}
uint32_t safety_controller_get_analog_monitor_count()
uint32_t safety_controller_get_analog_monitor_count(void)
{
return COUNT_OF(analog_mons);
}
uint32_t safety_controller_get_timing_monitor_count()
uint32_t safety_controller_get_timing_monitor_count(void)
{
return COUNT_OF(timings);
}
@ -1423,9 +1413,8 @@ int safety_controller_get_timing_mon_by_index(uint32_t index, struct timing_moni
if (!info)
return -1002;
if (index >= COUNT_OF(timings)) {
if (index >= COUNT_OF(timings))
return -1001;
}
mon = &timings[index];
@ -1462,14 +1451,13 @@ extern const uint32_t __ld_sdata;
extern const uint32_t __ld_edata;
extern const uint32_t __ld_load_data;
int safety_controller_trigger_flash_crc_check()
int safety_controller_trigger_flash_crc_check(void)
{
/* This structs needs to be volatile!!
* This prevents the compiler form optimizing out the reads to the crcs which will be patched in later by
* a separate python script!
*/
static volatile const struct flash_crcs IN_SECTION(.flashcrc) crcs_in_flash =
{
static volatile const struct flash_crcs IN_SECTION(.flashcrc) crcs_in_flash = {
.start_magic = 0xA8BE53F9UL,
.crc_section_ccm_data = 0UL,
.crc_section_text = 0UL,
@ -1491,10 +1479,9 @@ int safety_controller_trigger_flash_crc_check()
crc_unit_reset();
crc_unit_input_array(&__ld_vectors_start, len);
crc = crc_unit_get_crc();
if (crc != crcs_in_flash.crc_section_vectors) {
if (crc != crcs_in_flash.crc_section_vectors)
safety_controller_report_error(ERR_FLAG_FLASH_CRC_CODE);
}
}
/* Perform CRC check over text section */
len = (uint32_t)((void *)&__ld_text_end - (void *)&__ld_text_start);
@ -1505,10 +1492,9 @@ int safety_controller_trigger_flash_crc_check()
crc_unit_reset();
crc_unit_input_array(&__ld_text_start, len);
crc = crc_unit_get_crc();
if (crc != crcs_in_flash.crc_section_text) {
if (crc != crcs_in_flash.crc_section_text)
safety_controller_report_error(ERR_FLAG_FLASH_CRC_CODE);
}
}
/* Perform CRC check over data section */
len = (uint32_t)((void *)&__ld_edata - (void *)&__ld_sdata);
@ -1519,10 +1505,9 @@ int safety_controller_trigger_flash_crc_check()
crc_unit_reset();
crc_unit_input_array(&__ld_load_data, len);
crc = crc_unit_get_crc();
if (crc != crcs_in_flash.crc_section_data) {
if (crc != crcs_in_flash.crc_section_data)
safety_controller_report_error(ERR_FLAG_FLASH_CRC_DATA);
}
}
/* Perform CRC check over ccm data section */
len = (uint32_t)((void *)&__ld_edata_ccm - (void *)&__ld_sdata_ccm);
@ -1533,10 +1518,9 @@ int safety_controller_trigger_flash_crc_check()
crc_unit_reset();
crc_unit_input_array(&__ld_load_ccm_data, len);
crc = crc_unit_get_crc();
if (crc != crcs_in_flash.crc_section_ccm_data) {
if (crc != crcs_in_flash.crc_section_ccm_data)
safety_controller_report_error(ERR_FLAG_FLASH_CRC_DATA);
}
}
ret = 0;
return ret;