Update base 64 library

* Implement custom mean and std functions
* Use standard deviation in calibration measurment instead of peak-peak noise.

.gitmodules

@@ -6,3 +6,7 @@
 	url = https://git.shimatta.de/mhu/c-style-checker.git
 	branch = master
 
+[submodule "stm-firmware/base64-lib"]
+	path = stm-firmware/base64-lib
+	url = https://git.shimatta.de/mhu/base64-lib.git
+	branch = master

doc/source/Doxyfile.in

@@ -2138,7 +2138,7 @@ ENABLE_PREPROCESSING   = YES
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-MACRO_EXPANSION        = NO
+MACRO_EXPANSION        = YES
 
 # If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
 # the macro expansion is limited to the macros specified with the PREDEFINED and
@@ -2146,7 +2146,7 @@ MACRO_EXPANSION        = NO
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-EXPAND_ONLY_PREDEF     = NO
+EXPAND_ONLY_PREDEF     = YES
 
 # If the SEARCH_INCLUDES tag is set to YES, the include files in the
 # INCLUDE_PATH will be searched if a #include is found.
@@ -2178,7 +2178,8 @@ INCLUDE_FILE_PATTERNS  =
 # recursively expanded use the := operator instead of the = operator.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-PREDEFINED             =
+PREDEFINED             = __atribute(x)__= \
+			 IN_SECTION(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
 # tag can be used to specify a list of macro names that should be expanded. The

doc/source/firmware/error-handling.rst

@@ -1,9 +0,0 @@
-.. _safety_handling:
-
-Error Handling
-==============
-
-.. _safety_panic:
-
-Panic Mode
-----------

doc/source/firmware/index.rst

@@ -11,6 +11,6 @@ mechanisms and the behavior. For a detailed code documentation see the doxygen o
 	:maxdepth: 2
 	
 	pt1000-processing
-	safety
+	safety/index
 	code/index
 

doc/source/firmware/safety/backup-ram.rst

@@ -0,0 +1,112 @@
+.. _backup_ram:
+
+Safety Backup RAM
+=================
+
+Overview
+--------
+
+The STM controller's backup RAM is used to store different kinds of information that shall be preserved if the controller resets.
+The hardware setup is missing a separate powersupply for the controller's backup domain. Therefore, the backup RAM is cleared, when the power is cut.
+
+The backup RAM is used to store permanent error flags (See :ref:`safety_flags`). This ensures the flags that trigger hard faults / the panic mode, can be identified, although the wathcoog resets the controller. The only way to clear them is by cutting the power.
+Because cutting the power is a way to clear the backup RAM, no separate method for clearing the error entries in the backup RAM is defined.
+
+The backup RAM contents are protected by a `CRC Checksum`_. 
+
+The backup RAM is initialized and checked after boot. If the controller starts from a powered down state,
+the backup RAM is empty. This is detected by an invalid `Header`_ at the beginning of the backup RAM. If this is the case, the safety ocntoller
+will create a valid backup RAM image with a `Header`_, empty `Boot Status Flag Entries`_, empty `Config Overrides`_, an empty `Error Memory`_, and a valid `CRC Checksum`_.
+
+If the Header is valid during boot (verified by plausible values and correct magic numbers), the backup RAM is CRC checked and the error memory is
+checked for valid entries.
+In case of a CRC error or invalid entries in the error memory, the Backup RAM is wiped and reinitialized. On top of that, the error flag :ref:`safety_flags_safety_mem_corrupt` is set.
+
+.. note:: It may be possible that future versions of the hardware include a backup RAM battery / Goldcap. In this case, a way to clear the error memory will be implemented,
+    because it will no longer be possible to clear the error memory by cutting the power.
+    On top of that, the backup memory will also contain the calibration data.
+
+.. note:: The firmware will not use the ``NOP`` entries of the error memory by default, but they will be respected by the validity checker.
+
+Partitioning and Entries
+------------------------
+
+The backup RAM consists of multiple sections. The memory section are listed below. 
+
+Header
+~~~~~~
+
+The backup memory header is located at offset address:
+
+.. doxygendefine:: SAFETY_MEMORY_HEADER_ADDRESS
+
+The header is defined by the following structure:
+
+.. doxygenstruct:: safety_memory_header
+
+The validity of the header is checked, if the magic and inverse amgic fields contain the correct values, and if the offset address pointers
+have values that are located inside the error memory and are not ``0`` or the same value.
+
+The safety memory header magic is:
+
+.. doxygendefine:: SAFETY_MEMORY_MAGIC
+
+
+.. _backup_ram_boot_flags:
+
+Boot Status Flag Entries
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The boot status flag entries are use to store system states over resets.
+The flags are stored in memory using the follwoing structure:
+
+.. doxygenstruct:: safety_memory_boot_status
+
+Flags are evaluated active, if the corresponding word is unequal to ``0``.
+
+Config Overrides
+~~~~~~~~~~~~~~~~
+
+Config overrides are used to override persistance and flag weights dynamically. The safety controller will parse the entries on 
+startup.
+
+======================= ============ ================= ===================== =====================================
+Entry                   Byte 1 (LSB) Byte 2            Byte 3                Byte 4 (MSB)
+======================= ============ ================= ===================== =====================================
+Weight override         ``0xA2``      ``Weight``       ``Flag Number``       reserved don't care (written as 0xAA)
+Persistance override    ``0x8E``      ``Persistance``  ``Flag Number``       reserved don't care (written as 0xBB) 
+======================= ============ ================= ===================== =====================================
+
+All words, not matching the table above are ignored and do not cause an error. By default the firmware fills this memory area with zeroes.
+
+Error Memory
+~~~~~~~~~~~~
+
+The error memory contains error entries in form of 32 bit words. The entries are coded as stated below.
+
+``Error Flag`` entries are used to restore error flags after boot. In theory, all flags can be set using this entry type.
+However, only persistent flags are stored in the error memory by the firmware.
+
+``NOP`` entries have no meaning. They are used as a filler. When adding a new error memory entry, the error memory is scanned until the first ``NOP`` entry is found.
+It is replaced with a valid entry. If the error memory contains a word, that is not defined below, it is considered invalid and will trigger the RAM checker on boot.
+``NOP`` entries can be used to preallocate the error memory in advance. if the end of the error memory is reached, it is expanded by 1 word to first
+the new error entry, until the backup RAM is full. After this, no further errors are stored.
+
+If the same persistent error is triggered mutliple times, the ``COUNTER`` in the error entry is incremented.
+
+======================= ============ ================= ===================== =====================================
+Entry                   Byte 1 (LSB) Byte 2            Byte 3                Byte 4 (MSB)
+======================= ============ ================= ===================== =====================================
+Error Flag              ``0x51``     ``Flag Number``   ``COUNTER 7:0``       ``COUNTER 15:8``
+NOP Entry               ``0x22``     ``0x12``          ``0xAA``              ``0xC1``
+======================= ============ ================= ===================== =====================================
+
+CRC Checksum
+~~~~~~~~~~~~
+
+The CRC checksum is located after the error memory. The checksum is calculated by the internal peripheral module of the STM32F4 controller.
+Therefore, the CRC calculation is fixed.
+
+The polynomial is ``0x4C11DB7`` (Ethernet CRC32):
+
+.. math:: P_{CRC}(x) = x^{32}+x^{26}+x^{23}+x^{22}+x^{16}+x^{12}+x^{11}+x^{10}+x^{8}+x^{7}+x^{5}+x^{4}+x^{2}+x+1

doc/source/firmware/safety/error-handling.rst

@@ -0,0 +1,20 @@
+.. _safety_handling:
+
+Error Handling
+==============
+
+.. _safety_panic:
+
+Panic Mode
+----------
+
+
+.. _safety_error_mem:
+
+Error memory
+------------
+
+Permanent errors are stored in the backup RAM of the STM. This ensures, that errors can be read even after a full system reset has occured.
+
+.. seealso:: :ref:`backup_ram`
+

doc/source/firmware/safety/flags.rst

@@ -8,6 +8,10 @@ The safety flags are represented in software by the following enums
 .. doxygenenum:: safety_flag
 
 The safety flags can be temporarily or permanent. Some temporary flags are reset automatically, once the error condition disappears. Others have to be explicitly cleared. 
+The safety weights (if a flag stops the PID controller, or triggers the panic mode) are configured by default as described below. However, it will be possible to override these weights by
+setting config entries in the safety memory.
+
+.. todo:: Change docu of config entires in memory
 
 ----------------------------------------------------------------------------------------------------------------------------------
 
@@ -72,4 +76,39 @@ ERR_FLAG_MEAS_ADC_UNSTABLE
 persistent self-clearing Stops PID     Panic Mode
 ========== ============= ============= ===========
 no         yes           no            no
-========== ============= ============= ===========
+========== ============= ============= ===========
+
+
+.. _safety_flags_safety_mem_corrupt:
+
+ERR_FLAG_SAFETY_MEM_CORRUPT
+---------------------------
+
+``ERR_FLAG_SAFETY_MEM_CORRUPT`` is set during the initialization of the controller, in case a corrupted safety memory is encountered.
+In this case the error memory is reinitialized and the flag is set in the error memory. Afer a reboot it will stay asserted until the 
+safety backup memory is cleared
+
+.. seealso:: :ref:`backup_ram`
+
+========== ============= ============= ===========
+persistent self-clearing Stops PID     Panic Mode
+========== ============= ============= ===========
+yes        no            yes           no
+========== ============= ============= ===========
+
+
+.. _safety_flags_stack:
+
+ERR_FLAG_STACK
+---------------------------
+
+``ERR_FLAG_STACK`` ialization of the controller, in case a corrupted safety memory is encountered.
+This error is not recoverable and will trigger the panic mode.
+
+.. seealso:: :ref:`safety_stack_checking`
+
+========== ============= ============= ===========
+persistent self-clearing Stops PID     Panic Mode
+========== ============= ============= ===========
+yes        no            yes           yes
+========== ============= ============= ===========

doc/source/firmware/safety/index.rst

@@ -10,10 +10,15 @@ Severe error flags, like a drifting reference voltage, stop the PID controller a
 The controller stays in a usable state. After the errors have been cleared, normal operation may continue.
 
 On the other hand, fatal errors like an over-temperature error, or memory problem, lead to the activation of the :ref:`safety_panic`,
-which forces the output zero, but does not allow any more interaction.
+which forces the output zero, but does not allow any further interaction.
+
+On top of this, a :ref:`backup_ram` is implemented. It stores permantent errors, which are reset at a restart. On top of that, it stores the :ref:`backup_ram_boot_flags`,
+which are used to retain boot information across resets, for example to communicate with the firmware updater etc. The RAM also contains entries, that allow overrides of flag weights and persistance.
 
 .. toctree::
-	:maxdepth: 2
+	:maxdepth: 3
 	
 	flags
+	backup-ram
 	error-handling
+	stack-checking

doc/source/firmware/safety/stack-checking.rst

@@ -0,0 +1,39 @@
+.. _safety_stack_checking:
+
+Safety Stack Checking
+=====================
+
+To ensure correct operation of the controller, the stack is continuously monitored. For this, the :ref:`firmware_safety` checks the stack in each run.
+These checks include:
+
+1. Checking of used stack space and limit to end of stack
+2. Checking a protection area between heap and stack for memory corruption
+
+Any detected error will set the :ref:`safety_flags_stack` error flag.
+
+Stack Pointer Checking
+----------------------
+
+The stack pointer is checked using :c:func:`stack_check_get_free`. The returned value for the remaining stack space is checked against
+
+.. doxygendefine:: SAFETY_MIN_STACK_FREE
+
+.. doxygenfunction:: stack_check_get_free 
+
+
+Stack and Heap Corruption Checking
+----------------------------------
+
+A section of memory is located between the stack and the heap. It is defined inside the linker script. It's size is configured by the linker script parameter ``__stack_corruption_area_size``, which is set to ``128`` by default.
+This section is filled at the initializazion of the safety controller by a call to
+
+.. doxygenfunction:: stack_check_init_corruption_detect_area
+
+On each run of the safety controller's handling function (:c:func:`safety_controller_handle`) the following function is called:
+
+.. doxygenfunction:: stack_check_corruption_detect_area
+
+
+This function constantly checks the memory area for write modifications, and therefore detects, if the stack or heap have grown outside their boundaries.
+
+

stm-firmware/Makefile

@@ -9,8 +9,8 @@ INCLUDEPATH = -Iinclude
 
 OBJDIR_BASE = obj
 TARGET_BASE = reflow-controller
-LIBRARYPATH = -L. -Lmathlib
-LIBRARIES = -larm_cortexM4lf_math -lm
+LIBRARYPATH = -L.
+LIBRARIES =
 
 DEFINES = -DSTM32F407xx -DSTM32F4XX -DARM_MATH_CM4 -DHSE_VALUE=8000000UL
 MAPFILE_BASE = memory-mapping
@@ -36,21 +36,29 @@ DEFINES += -DSHELLMATTA_HELP_ALIAS=\"?\"
 # RCC Manager
 CFILES += stm-periph/clock-enable-manager.c
 CFILES += stm-periph/uart.c stm-periph/dma-ring-buffer.c stm-periph/backup-ram.c
+CFILES += stm-periph/rng.c
 CFILES += digio.c
 CFILES += stm-periph/unique-id.c
 CFILES += calibration.c
 CFILES += temp-converter.c
 CFILES += rotary-encoder.c button.c
-CFILES += stack-check.c
 CFILES += ui/lcd.c ui/menu.c reflow-menu.c
 CFILES += fatfs/diskio.c fatfs/ff.c fatfs/ffsystem.c fatfs/ffunicode.c fatfs/shimatta_sdio_driver/shimatta_sdio.c
 CFILES += pid-controller.c oven-driver.c
 CFILES += settings/settings.c settings/settings-sd-card.c
+CFILES += stm-periph/crc-unit.c
+CFILES += safety/safety-adc.c safety/safety-controller.c safety/watchdog.c safety/fault.c safety/safety-memory.c safety/stack-check.c
+
+CFILES += config-parser/config-parser.c
+INCLUDEPATH += -Iconfig-parser/include
+
+CFILES += base64-lib/src/base64-lib.c
+INCLUDEPATH += -Ibase64-lib/include
+DEFINES += -DBASE64_LOOKUP_TABLE_SECTION="\".ccm.bss\""
 
-CFILES += safety/safety-adc.c safety/safety-controller.c safety/watchdog.c safety/fault.c
 
 DEBUG_DEFINES = -DDEBUGBUILD
-RELEASE_DEFINES =
+RELEASE_DEFINES = -DUART_ON_DEBUG_HEADER
 
 ###################################################################################
 ifeq ($(CROSS_COMPILE),)

stm-firmware/adc-meas.c

@@ -309,7 +309,9 @@ static inline __attribute__((optimize("O3"))) void adc_pt1000_filter(float adc_p
 			safety_controller_ack_flag_with_key(ERR_FLAG_MEAS_ADC_UNSTABLE, MEAS_ADC_SAFETY_FLAG_KEY);
 	}
 
-	pt1000_res_raw_lf = (1.0f-filter_alpha) * pt1000_res_raw_lf + filter_alpha * ADC_TO_RES(adc_prefiltered_value);
+	pt1000_res_raw_lf = (1.0f - filter_alpha) * pt1000_res_raw_lf +
+			filter_alpha * ADC_TO_RES(adc_prefiltered_value);
+
 	safety_controller_report_timing(ERR_TIMING_MEAS_ADC);
 }
 

stm-firmware/base64-lib

@@ -0,0 +1 @@
+Subproject commit 80090b4b20b779dd18803b3194c6d90235a1785b

stm-firmware/calibration.c

@@ -23,7 +23,6 @@
 #include <reflow-controller/adc-meas.h>
 #include <stm-periph/uart.h>
 #include <helper-macros/helper-macros.h>
-#include <arm_math.h>
 #include <stdlib.h>
 #include <float.h>
 #include <reflow-controller/safety/safety-controller.h>
@@ -75,14 +74,77 @@ free_mem:
 	return NULL;
 }
 
-static int calibration_poll_data_acquisition(float *mem_array, uint32_t count, volatile int *flag, float *mu, float *max_dev)
+static float calculate_mean(float *values, uint32_t count)
+{
+	uint32_t loop_cnt = (count + 7) / 8;
+	uint32_t remainder = count % 8;
+	float sum = 0;
+
+	switch (remainder) {
+	case 0: do { sum += *values++; /* FALLTHRU */
+	case 7:      sum += *values++; /* FALLTHRU */
+	case 6:      sum += *values++; /* FALLTHRU */
+	case 5:      sum += *values++; /* FALLTHRU */
+	case 4:      sum += *values++; /* FALLTHRU */
+	case 3:      sum += *values++; /* FALLTHRU */
+	case 2:      sum += *values++; /* FALLTHRU */
+	case 1:      sum += *values++;
+		} while (--loop_cnt > 0);
+	}
+
+	return sum / (float)count;
+}
+
+static float calculate_standard_deviation(float *values, uint32_t count, float mean)
+{
+	uint32_t loop_cnt = (count + 7) / 8;
+	uint32_t remainder = count % 8;
+	float sum = 0;
+	float res;
+
+	switch (remainder) {
+	case 0:	do {
+		sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 7:	sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 6: sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 5:	sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 4: sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 3: sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 2: sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+	case 1: sum += (*values - mean) * (*values - mean);
+		values++;
+		/* FALLTHRU */
+		} while (--loop_cnt > 0);
+	}
+
+	sum /= (float)count;
+	/* Compute the square root using the FPU.
+	 * The constraint 't' tells GCC to use a floating point register
+	 */
+	__asm__ __volatile__("vsqrt.f32 %0, %1" : "=t"(res) : "t"(sum));
+
+	return res;
+}
+
+static int calibration_poll_data_acquisition(float *mem_array, uint32_t count, volatile int *flag, float *mu, float *std_dev)
 {
 	int ret_val = 0;
-	float min_val = FLT_MAX;
-	float max_val = -FLT_MAX;
-	uint32_t i;
 
-	if (!flag || !mem_array || !mu || !max_dev)
+	if (!flag || !mem_array || !mu || !std_dev)
 		return -1000;
 
 	if (*flag == 0) {
@@ -99,19 +161,9 @@ static int calibration_poll_data_acquisition(float *mem_array, uint32_t count, v
 	/* Convert the stream memory to Ohm readings */
 	adc_pt1000_convert_raw_value_array_to_resistance(NULL, mem_array, count);
 
-	/* Do not compute std-deviation. Too imprecise
-	 * arm_std_f32(stream_mem, count, sigma);
-	 */
-	arm_mean_f32(mem_array, count, mu);
-
-	/* Find min and max values of array */
-	for (i = 0U; i < count; i++) {
-		min_val = MIN(min_val, mem_array[i]);
-		max_val = MAX(max_val, mem_array[i]);
-	}
-
-	/* Compute maximum deviation range */
-	*max_dev = max_val - min_val;
+	/* Do not compute std-deviation. Too imprecise */
+	*mu = calculate_mean(mem_array, count);
+	*std_dev = calculate_standard_deviation(mem_array, count, *mu);
 
 ret_free_mem:
 	free(mem_array);
@@ -181,7 +233,7 @@ shellmatta_retCode_t calibration_sequence_shell_cmd(shellmatta_handle_t shell, c
 			ret_val = SHELLMATTA_BUSY;
 			cal_state = CAL_MEAS_RES1;
 		} else if (res == 0) {
-			shellmatta_printf(shell, "R=%.2f, Noise peak-peak: %.2f\r\n", mu, dev);
+			shellmatta_printf(shell, "R=%.2f, Std-Dev: %.2f\r\n", mu, dev);
 			error_occured = safety_controller_get_flags_by_mask(meas_adc_err_mask);
 			if (error_occured) {
 				shellmatta_printf(shell, "Error in resistance measurement");
@@ -232,7 +284,7 @@ shellmatta_retCode_t calibration_sequence_shell_cmd(shellmatta_handle_t shell, c
 			ret_val = SHELLMATTA_BUSY;
 			cal_state = CAL_MEAS_RES2;
 		} else if (res == 0) {
-			shellmatta_printf(shell, "R=%.2f, Noise peak-peak: %.2f\r\n", mu2, dev2);
+			shellmatta_printf(shell, "R=%.2f, Std-Dev: %.2f\r\n", mu2, dev2);
 			error_occured = safety_controller_get_flags_by_mask(meas_adc_err_mask);
 			if (error_occured) {
 				shellmatta_printf(shell, "Error in resistance measurement");
@@ -242,8 +294,8 @@ shellmatta_retCode_t calibration_sequence_shell_cmd(shellmatta_handle_t shell, c
 				ret_val = SHELLMATTA_OK;
 				cal_state = CAL_START;
 
-				if (dev > CALIBRATION_MAX_PEAK_PEAK_NOISE_OHM ||
-				    dev2 > CALIBRATION_MAX_PEAK_PEAK_NOISE_OHM) {
+				if (dev > CALIBRATION_MAX_NOISE_OHM ||
+				    dev2 > CALIBRATION_MAX_NOISE_OHM) {
 					shellmatta_printf(shell, "Calibration failed! Too much noise. Check your hardware.\r\n");
 					break;
 				}

stm-firmware/config-parser/config-parser.c

@@ -0,0 +1,182 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * @addtogroup config-parser
+ * @{
+ */
+
+#include <config-parser/config-parser.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define CONFIG_PARSER_MAGIC 0x464a6e2bUL
+#define CONFIG_PARSER(p) ((struct config_parser *)(p))
+
+#define config_parser_check_handle(handle) do { if (!(handle) || \
+						((struct config_parser *)(handle))->magic != CONFIG_PARSER_MAGIC) \
+							return CONFIG_PARSER_PARAM_ERR; \
+						} while (0)
+
+config_parser_handle_t config_parser_open_file(struct config_parser *config_parser, bool write, const char *file_name,
+					       char *working_buffer, size_t buff_size)
+{
+	FRESULT res;
+
+	if (!config_parser || !file_name || !working_buffer)
+		return NULL;
+
+	config_parser->magic = CONFIG_PARSER_MAGIC;
+	config_parser->write = write;
+	config_parser->buffer = working_buffer;
+	config_parser->buff_size = buff_size;
+
+	res = f_open(&config_parser->file, file_name, (write ? FA_CREATE_ALWAYS | FA_WRITE : FA_READ));
+	if (res != FR_OK)
+		return NULL;
+
+	return (config_parser_handle_t)config_parser;
+}
+
+static const char * const token_delim = " \t";
+
+static int parse_value(struct config_parser_entry  *entry, char *value_start_token)
+{
+	char *dot;
+	char *endptr;
+
+	/* Check if token is a float number */
+	dot = strstr(value_start_token, ".");
+	if (dot) {
+		/* Try parsing as float */
+		entry->value.float_val = strtof(value_start_token, &endptr);
+		if (endptr == value_start_token)
+			return -1;
+		entry->type = CONFIG_PARSER_TYPE_FLOAT;
+		goto exit;
+	}
+
+	if (value_start_token[0] != '-') {
+		/* Try parsing as ul */
+		/* Try parsing as int */
+		entry->value.uint_val = strtoul(value_start_token, &endptr, 0);
+		if (endptr == value_start_token) {
+			return -1;
+		}
+		entry->type = CONFIG_PARSER_TYPE_UINT;
+		goto exit;
+	} else {
+		/* Try parsing as int */
+		entry->value.int_val = strtod(value_start_token, &endptr);
+		if (endptr == value_start_token) {
+			return -1;
+		}
+		entry->type = CONFIG_PARSER_TYPE_INT;
+	}
+
+exit:
+	return 0;
+}
+
+enum config_parser_ret config_parser_get_line(config_parser_handle_t handle, struct config_parser_entry *entry)
+{
+	struct config_parser *p;
+	config_parser_check_handle(handle);
+	p = CONFIG_PARSER(handle);
+	char *token;
+	int token_round = 0;
+
+	if (!entry)
+		return CONFIG_PARSER_PARAM_ERR;
+
+	p->buffer[0] = '\0';
+	if (f_gets(p->buffer, (int)p->buff_size, &p->file) == NULL)
+		return CONFIG_PARSER_IOERR;
+
+	token = strtok(p->buffer, token_delim);
+	while (token != NULL) {
+		/* Check for comment */
+		if (token[0] == '#') {
+			if (token_round == 0)
+				return CONFIG_PARSER_LINE_COMMENT;
+			else
+				break;
+		}
+
+		switch (token_round) {
+		case 0: /* KEY */
+			entry->name = token;
+			break;
+		case 1: /* = Symbol */
+			if (strcmp(token, "=")) {
+				return CONFIG_PARSER_LINE_MALFORM;
+			}
+			break;
+		case 2: /* VALUE */
+			if (parse_value(entry, token))
+				return CONFIG_PARSER_LINE_MALFORM;
+			break;
+		default:
+			return CONFIG_PARSER_LINE_MALFORM;
+		}
+
+		token_round++;
+		token = strtok(NULL, token_delim);
+	}
+
+	return CONFIG_PARSER_OK;
+}
+
+enum config_parser_ret config_parser_reset_to_start(config_parser_handle_t handle)
+{
+	FRESULT res;
+	struct config_parser *p;
+	config_parser_check_handle(handle);
+	p = CONFIG_PARSER(handle);
+
+	res = f_rewind(&p->file);
+	if (res != FR_OK)
+		return CONFIG_PARSER_IOERR;
+
+	return CONFIG_PARSER_OK;
+}
+
+enum config_parser_ret config_parser_write_entry(config_parser_handle_t handle, const struct config_parser_entry *entry)
+{
+	(void)entry;
+	config_parser_check_handle(handle);
+
+	return CONFIG_PARSER_OK;
+}
+
+enum config_parser_ret config_parser_close_file(config_parser_handle_t handle)
+{
+	struct config_parser *p;
+	FRESULT res;
+	config_parser_check_handle(handle);
+	p = CONFIG_PARSER(handle);
+
+	res = f_close(&p->file);
+
+	return (res == FR_OK ? CONFIG_PARSER_OK : CONFIG_PARSER_IOERR);
+}
+
+/** @} */

stm-firmware/config-parser/include/config-parser/config-parser.h

@@ -0,0 +1,95 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/**
+ * @file config-parser.h
+ * @brief Header file for the key-value pair config parser
+ * @addtogroup config-parser
+ * @{
+ */
+
+#ifndef _CONFIG_PARSER_H_
+#define _CONFIG_PARSER_H_
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <fatfs/ff.h>
+
+struct config_parser {
+	uint32_t magic;
+	bool write;
+	FIL file;
+	char *buffer;
+	size_t buff_size;
+};
+
+typedef void * config_parser_handle_t;
+
+enum config_parser_value_type {
+	CONFIG_PARSER_TYPE_UINT = 0,
+	CONFIG_PARSER_TYPE_INT,
+	CONFIG_PARSER_TYPE_FLOAT,
+};
+
+enum config_parser_ret {
+	CONFIG_PARSER_OK = 0,
+	CONFIG_PARSER_PARAM_ERR,
+	CONFIG_PARSER_GENERIC_ERR,
+	CONFIG_PARSER_IOERR,
+	CONFIG_PARSER_LINE_COMMENT,
+	CONFIG_PARSER_LINE_TOO_LONG,
+	CONFIG_PARSER_LINE_MALFORM,
+	CONFIG_PARSER_END_REACHED,
+	CONFIG_PARSER_WRONG_MODE,
+};
+
+struct config_parser_entry {
+	const char *name;
+	enum config_parser_value_type type;
+	union {
+		uint32_t uint_val;
+		int32_t int_val;
+		float float_val;
+	} value;
+};
+
+config_parser_handle_t config_parser_open_file(struct config_parser *config_parser, bool write, const char *file_name,
+					       char *working_buffer, size_t buff_size);
+
+/**
+ * @brief Parse the current line in the config file.
+ * @param handle Config parser handle
+ * @param[out] entry Entry read from config file.
+ * @warning \p entry is only valid as long as no other function was called on the same \p handle. If necessary, the values
+ * have to be copied
+ * @return Config parser error
+ */
+enum config_parser_ret config_parser_get_line(config_parser_handle_t handle, struct config_parser_entry *entry);
+
+enum config_parser_ret config_parser_reset_to_start(config_parser_handle_t handle);
+
+enum config_parser_ret config_parser_write_entry(config_parser_handle_t handle, const struct config_parser_entry *entry);
+
+enum config_parser_ret config_parser_close_file(config_parser_handle_t handle);
+
+#endif /* _CONFIG_PARSER_H_ */
+
+/** @} */

stm-firmware/doxygen/Doxyconfig

@@ -1,4 +1,4 @@
-# Doxyfile 1.8.18
+# Doxyfile 1.8.20
 
 # This file describes the settings to be used by the documentation system
 # doxygen (www.doxygen.org) for a project.
@@ -227,6 +227,14 @@ QT_AUTOBRIEF           = NO
 
 MULTILINE_CPP_IS_BRIEF = NO
 
+# By default Python docstrings are displayed as preformatted text and doxygen's
+# special commands cannot be used. By setting PYTHON_DOCSTRING to NO the
+# doxygen's special commands can be used and the contents of the docstring
+# documentation blocks is shown as doxygen documentation.
+# The default value is: YES.
+
+PYTHON_DOCSTRING       = YES
+
 # If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
 # documentation from any documented member that it re-implements.
 # The default value is: YES.
@@ -449,6 +457,19 @@ TYPEDEF_HIDES_STRUCT   = NO
 
 LOOKUP_CACHE_SIZE      = 0
 
+# The NUM_PROC_THREADS specifies the number threads doxygen is allowed to use
+# during processing. When set to 0 doxygen will based this on the number of
+# cores available in the system. You can set it explicitly to a value larger
+# than 0 to get more control over the balance between CPU load and processing
+# speed. At this moment only the input processing can be done using multiple
+# threads. Since this is still an experimental feature the default is set to 1,
+# which efficively disables parallel processing. Please report any issues you
+# encounter. Generating dot graphs in parallel is controlled by the
+# DOT_NUM_THREADS setting.
+# Minimum value: 0, maximum value: 32, default value: 1.
+
+NUM_PROC_THREADS       = 1
+
 #---------------------------------------------------------------------------
 # Build related configuration options
 #---------------------------------------------------------------------------
@@ -553,7 +574,7 @@ INTERNAL_DOCS          = NO
 # names in lower-case letters. If set to YES, upper-case letters are also
 # allowed. This is useful if you have classes or files whose names only differ
 # in case and if your file system supports case sensitive file names. Windows
-# (including Cygwin) ands Mac users are advised to set this option to NO.
+# (including Cygwin) and Mac users are advised to set this option to NO.
 # The default value is: system dependent.
 
 CASE_SENSE_NAMES       = NO
@@ -1375,7 +1396,7 @@ CHM_FILE               =
 HHC_LOCATION           =
 
 # The GENERATE_CHI flag controls if a separate .chi index file is generated
-# (YES) or that it should be included in the master .chm file (NO).
+# (YES) or that it should be included in the main .chm file (NO).
 # The default value is: NO.
 # This tag requires that the tag GENERATE_HTMLHELP is set to YES.
 
@@ -1541,8 +1562,8 @@ EXT_LINKS_IN_WINDOW    = NO
 # tool (see https://github.com/dawbarton/pdf2svg) or inkscape (see
 # https://inkscape.org) to generate formulas as SVG images instead of PNGs for
 # the HTML output. These images will generally look nicer at scaled resolutions.
-# Possible values are: png The default and svg Looks nicer but requires the
-# pdf2svg tool.
+# Possible values are: png (the default) and svg (looks nicer but requires the
+# pdf2svg or inkscape tool).
 # The default value is: png.
 # This tag requires that the tag GENERATE_HTML is set to YES.
 
@@ -1842,9 +1863,11 @@ LATEX_EXTRA_FILES      =
 
 PDF_HYPERLINKS         = YES
 
-# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
-# the PDF file directly from the LaTeX files. Set this option to YES, to get a
-# higher quality PDF documentation.
+# If the USE_PDFLATEX tag is set to YES, doxygen will use the engine as
+# specified with LATEX_CMD_NAME to generate the PDF file directly from the LaTeX
+# files. Set this option to YES, to get a higher quality PDF documentation.
+#
+# See also section LATEX_CMD_NAME for selecting the engine.
 # The default value is: YES.
 # This tag requires that the tag GENERATE_LATEX is set to YES.
 
@@ -2083,6 +2106,10 @@ DOCBOOK_PROGRAMLISTING = NO
 
 GENERATE_AUTOGEN_DEF   = NO
 
+#---------------------------------------------------------------------------
+# Configuration options related to Sqlite3 output
+#---------------------------------------------------------------------------
+
 #---------------------------------------------------------------------------
 # Configuration options related to the Perl module output
 #---------------------------------------------------------------------------
@@ -2138,7 +2165,7 @@ ENABLE_PREPROCESSING   = YES
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-MACRO_EXPANSION        = NO
+MACRO_EXPANSION        = YES
 
 # If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
 # the macro expansion is limited to the macros specified with the PREDEFINED and
@@ -2146,7 +2173,7 @@ MACRO_EXPANSION        = NO
 # The default value is: NO.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-EXPAND_ONLY_PREDEF     = NO
+EXPAND_ONLY_PREDEF     = YES
 
 # If the SEARCH_INCLUDES tag is set to YES, the include files in the
 # INCLUDE_PATH will be searched if a #include is found.
@@ -2178,7 +2205,8 @@ INCLUDE_FILE_PATTERNS  =
 # recursively expanded use the := operator instead of the = operator.
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 
-PREDEFINED             =
+PREDEFINED             = __attribute__(x)= \
+			 IN_SECTION(x)=
 
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
 # tag can be used to specify a list of macro names that should be expanded. The

stm-firmware/fatfs/shimatta_sdio_driver/shimatta_sdio.c

@@ -139,7 +139,8 @@ static int sdio_switch_appmode_cmd55()
 	return -1;
 }
 
-enum acmd41_ret sdio_init_card_acmd41(uint8_t HCS){
+enum acmd41_ret sdio_init_card_acmd41(uint8_t HCS)
+{
 	uint32_t response;
 	int retry = 0x20;
 	if (sdio_switch_appmode_cmd55())
@@ -184,12 +185,13 @@ static int sdio_send_csd_cmd9(uint16_t rca, uint32_t *response_buffer) {
  * @param blklen Log2 of block length (9 in case of 512 byte block)
  * @param buff Buffer to send
  */
-static void sdio_write_buffer(uint32_t dlen, uint32_t log_blklen, const unsigned char *buff)
+static int sdio_write_buffer(uint32_t dlen, uint32_t log_blklen, const unsigned char *buff)
 {
 	uint32_t count;
 	int byte_count;
 	int byte_max;
 	uint32_t fifo;
+	uint32_t status_reg;
 
 	SDIO->DLEN = dlen;
 
@@ -212,6 +214,8 @@ static void sdio_write_buffer(uint32_t dlen, uint32_t log_blklen, const unsigned
 			fifo |= (((uint32_t)*(buff++)) << 24) & 0xFF000000;
 		}
 
+
+
 		/* Wait as long as FIFO is full */
 		while (SDIO->STA & SDIO_STA_TXFIFOF);
 
@@ -221,6 +225,14 @@ static void sdio_write_buffer(uint32_t dlen, uint32_t log_blklen, const unsigned
 
 	/* Wait for TX to complete */
 	while (SDIO->STA & SDIO_STA_TXACT);
+
+	status_reg = SDIO->STA;
+	if (status_reg & (SDIO_STA_DTIMEOUT | SDIO_STA_TXUNDERR | SDIO_STA_DCRCFAIL)) {
+		SDIO->DCTRL = 0UL;
+		return -1;
+	}
+
+	return 0;
 }
 
 static int sdio_send_write_block_cmd24(uint32_t addr)
@@ -778,17 +790,11 @@ DRESULT sdio_disk_write(const BYTE *buff, DWORD sector, UINT count)
 	if (ret)
 		return RES_ERROR;
 
-	while (count) {
-
-		sdio_write_buffer(512, 9, &buff[buff_offset]);
-
-		buff_offset += 512;
-		addr += (card_info.type == SD_V2_HC ? 1 : 512);
-		count--;
-	}
+	ret = 0;
+	ret = sdio_write_buffer((count * 512UL), 9, &buff[buff_offset]);
 
 	if (count_backup > 1)
 		(void)sdio_send_stop_transmission_cmd12();
 
-	return RES_OK;
+	return (ret ? RES_ERROR : RES_OK);
 }

stm-firmware/fatfs/shimatta_sdio_driver/shimatta_sdio_config.h

@@ -3,6 +3,8 @@
 
 #include <stm32/stm32f4xx.h>
 
+#define SDIO_CLOCK_FREQ 42000000UL
+
 //General Definitions
 //Blocksize: 512 = 2^9 => 9
 #define BLOCKSIZE 9     //9
@@ -12,11 +14,14 @@
 //4 bit: 4
 #define BUSWIDTH  4    //4
 //Initial Transfer CLK (ca. 400kHz)
-#define INITCLK   140   //120
+#define INITCLK   140UL   //120
 //Working CLK (Maximum)
-#define WORKCLK   8   //0
+#define WORKCLK   30UL   //0
 //Data Timeout in CLK Cycles
-#define DTIMEOUT  0x6000   //150
+
+#define DATA_TIMEOUT_MS 250UL // 250
+
+#define DTIMEOUT  (((SDIO_CLOCK_FREQ / (WORKCLK+2))) * DATA_TIMEOUT_MS / 1000UL)
 //DMA Stream used for TX and RX DMA2 Stream 3 or 6 possible
 // Currently not used due to possible misalignment of the data buffer.
 //#define DMASTREAM DMA2_Stream6

stm-firmware/include/helper-macros/helper-macros.h

@@ -30,6 +30,7 @@
 #define CONCAT(x,y) x##y
 
 #define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x])))))
+#define wordsize_of(x) ((sizeof(x) / 4U) / ((sizeof(x) % 4U) ? 0U : 1U))
 
 #define MIN(a,b) (((a) < (b)) ? (a) : (b))
 #define MAX(a,b) (((a) > (b)) ? (a) : (b))

stm-firmware/include/reflow-controller/calibration.h

@@ -21,7 +21,7 @@
 #ifndef __CALIBRATION_H__
 #define __CALIBRATION_H__
 
-#define CALIBRATION_MAX_PEAK_PEAK_NOISE_OHM 8.0f
+#define CALIBRATION_MAX_NOISE_OHM 3.0f
 
 #include <stdint.h>
 #include <shellmatta.h>

stm-firmware/include/reflow-controller/digio.h

@@ -29,7 +29,7 @@
 #define DIGIO_RCC_MASK RCC_AHB1ENR_GPIOBEN
 #define DIGIO_PINS 4,5,6,7
 
-#ifdef DEBUGBUILD
+#if defined(DEBUGBUILD) || defined(UART_ON_DEBUG_HEADER)
 #define DIGIO_INOUT_DEFAULT 0,0,0,0
 #define DIGIO_ALTFUNC_DEFAULT 0,0,0,0
 #else
@@ -41,7 +41,7 @@
 #define BEEPER_RCC_MASK RCC_AHB1ENR_GPIOBEN
 
 
-void digio_setup_default_all();
+void digio_setup_default_all(void);
 
 void digio_setup_pin(uint8_t num, uint8_t in_out, uint8_t alt_func);
 void digio_set(uint8_t num, int val);
@@ -51,7 +51,7 @@ int digio_get(uint8_t num);
 #define LED_RCC_MASK RCC_AHB1ENR_GPIOBEN
 #define LED_PINS 2,3
 
-void led_setup();
+void led_setup(void);
 void led_set(uint8_t num, int val);
 int led_get(uint8_t num);
 
@@ -60,9 +60,9 @@ int led_get(uint8_t num);
 #define LOUDSPEAKER_PIN 1
 #define LOUDSPEAKER_MULTIFREQ 1
 
-void loudspeaker_setup();
+void loudspeaker_setup(void);
 void loudspeaker_set(uint16_t val);
-uint16_t loudspeaker_get();
+uint16_t loudspeaker_get(void);
 
 
 #endif /* __DIGIO_H__ */

stm-firmware/include/reflow-controller/oven-driver.h

@@ -43,6 +43,8 @@ void oven_pid_handle(float target_temp);
 
 void oven_pid_stop(void);
 
+void oven_pid_abort(void);
+
 void oven_driver_apply_power_level(void);
 
 enum oven_pid_status oven_pid_get_status(void);

stm-firmware/include/reflow-controller/safety/safety-config.h

@@ -23,6 +23,7 @@
 
 
 enum safety_flag {
+	ERR_FLAG_NO_FLAG = 0,
 	ERR_FLAG_MEAS_ADC_OFF = (1<<0),
 	ERR_FLAG_MEAS_ADC_OVERFLOW = (1<<1),
 	ERR_FLAG_MEAS_ADC_WATCHDOG = (1<<2),
@@ -38,6 +39,8 @@ enum safety_flag {
 	ERR_FLAG_UNCAL = (1<<12),
 	ERR_FLAG_DEBUG = (1<<13),
 	ERR_FLAG_TIMING_MAIN_LOOP = (1<<14),
+	ERR_FLAG_SAFETY_MEM_CORRUPT = (1<<15),
+	ERR_FLAG_SAFETY_TAB_CORRUPT = (1<<16),
 };
 
 enum timing_monitor {
@@ -52,6 +55,11 @@ enum analog_value_monitor {
 	ERR_AMON_UC_TEMP = (1<<1),
 };
 
+#define ERR_FLAG_ENTRY(errflag) {.name=#errflag, .flag = (errflag), .error_state = false, .error_state_inv = true, .key = 0UL, .weight = NULL, .persistency = NULL}
+#define TIM_MON_ENTRY(mon, min, max, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min_delta = (min), .max_delta = (max), .last = 0ULL, .enabled= false}
+#define ANA_MON_ENTRY(mon, min_value, max_value, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min = (min_value), .max = (max_value), .value = 0.0f, .valid = false}
+#define ERR_FLAG_WEIGHT_ENTRY(_flag, _weight) {.flag = (_flag), .flag_ptr = NULL, .weight = (_weight), .start_dummy = 0x11823344, .end_dummy = 0xAABBCCFD}
+#define ERR_FLAG_PERSIST_ENTRY(_flag, _persist) {.flag = (_flag), .flag_ptr = NULL, .persistency = (_persist), .start_dummy = 0xFF1100BB, .end_dummy = 0xEBB439A2}
 
 /**
  * @brief Magic key used to reset the watchdog using the @ref watchdog_ack function
@@ -69,8 +77,11 @@ enum analog_value_monitor {
 #define WATCHDOG_HALT_DEBUG (0)
 #endif
 
-#define WATCHDOG_PRESCALER 8
+#define WATCHDOG_PRESCALER 16
 
+/**
+ * @brief Minimum number of bytes that have to be free on the stack. If this is not the case, an error is detected
+ */
 #define SAFETY_MIN_STACK_FREE 0x100
 
 #define PID_CONTROLLER_ERR_CAREMASK (ERR_FLAG_STACK | ERR_FLAG_AMON_UC_TEMP | ERR_FLAG_AMON_VREF | \
@@ -92,4 +103,42 @@ enum analog_value_monitor {
 
 #define SAFETY_CONTROLLER_ADC_DELAY_MS 120
 
+#define SAFETY_CONFIG_DEFAULT_PERSIST	ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_MEAS_ADC_OFF, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_MEAS_ADC_WATCHDOG, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_MEAS_ADC_UNSTABLE, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_MEAS_ADC_OVERFLOW, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_TIMING_MEAS_ADC, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_TIMING_PID, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_AMON_UC_TEMP, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_AMON_VREF, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_STACK, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_SAFETY_ADC, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_SYSTICK, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_WTCHDG_FIRED, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_UNCAL, false), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_DEBUG, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_TIMING_MAIN_LOOP, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_SAFETY_MEM_CORRUPT, true), \
+					ERR_FLAG_PERSIST_ENTRY(ERR_FLAG_SAFETY_TAB_CORRUPT, true),
+
+#define SAFETY_CONFIG_DEFAULT_WEIGHTS 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_OFF, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_WATCHDOG, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_UNSTABLE, SAFETY_FLAG_CONFIG_WEIGHT_NONE), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_OVERFLOW, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_MEAS_ADC, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_PID, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_AMON_UC_TEMP, SAFETY_FLAG_CONFIG_WEIGHT_PANIC), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_AMON_VREF, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_STACK, SAFETY_FLAG_CONFIG_WEIGHT_PANIC), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SAFETY_ADC, SAFETY_FLAG_CONFIG_WEIGHT_PANIC), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SYSTICK, SAFETY_FLAG_CONFIG_WEIGHT_PANIC), \
+			/* Watchdog timeout is not handled perioodically, but only on startup.
+			 * Therefore, it is not listed here */\
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_WTCHDG_FIRED, SAFETY_FLAG_CONFIG_WEIGHT_NONE), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_UNCAL, SAFETY_FLAG_CONFIG_WEIGHT_NONE), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_DEBUG, SAFETY_FLAG_CONFIG_WEIGHT_NONE), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_MAIN_LOOP, SAFETY_FLAG_CONFIG_WEIGHT_PANIC), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SAFETY_MEM_CORRUPT, SAFETY_FLAG_CONFIG_WEIGHT_PID), \
+			ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SAFETY_TAB_CORRUPT, SAFETY_FLAG_CONFIG_WEIGHT_PANIC),
+
 #endif /* __SAFETY_CONFIG_H__ */

stm-firmware/include/reflow-controller/safety/safety-controller.h

@@ -23,7 +23,6 @@
  * @{
  */
 
-
 #ifndef __SAFETY_CONTROLLER_H__
 #define __SAFETY_CONTROLLER_H__
 
@@ -32,30 +31,39 @@
 #include <stdint.h>
 #include <stddef.h>
 
-enum analog_monitor_status {ANALOG_MONITOR_OK = 0,
-			    ANALOG_MONITOR_ERROR,
-			    ANALOG_MONITOR_INACTIVE,
-			    ANALOG_MONITOR_OVER,
-			    ANALOG_MONITOR_UNDER};
+/**
+ * @brief State of an analog monitor
+ */
+enum analog_monitor_status {ANALOG_MONITOR_OK = 0,	/**< @brief Monitor set up and ok */
+			    ANALOG_MONITOR_ERROR,	/**< @brief An internal error occured */
+			    ANALOG_MONITOR_INACTIVE,	/**< @brief Monitor inactive. Reading is not valid */
+			    ANALOG_MONITOR_OVER,	/**< @brief Value too high */
+			    ANALOG_MONITOR_UNDER};	/**< @brief Value too low */
 
+/**
+ * @brief Info structure describing an analog monitor
+ */
 struct analog_monitor_info {
-	float value;
-	float min;
-	float max;
-	enum analog_monitor_status status;
-	uint64_t timestamp;
-};
-
-struct timing_monitor_info {
-	uint64_t last_run;
-	uint64_t min;
-	uint64_t max;
-	bool enabled;
-	uint64_t delta;
+	float value;	/**< @brief Current analog value */
+	float min;	/**< @brief Minumum value allowed */
+	float max;	/**< @brief Maximum value allowed */
+	enum analog_monitor_status status; /**< @brief Current monitor status */
+	uint64_t timestamp; /**< @brief ms timestamp when @ref analog_monitor_info::value was taken. */
 };
 
 /**
- * @brief Initialize the safety controller
+ * @brief Info structure describing a timing monitor
+ */
+struct timing_monitor_info {
+	uint64_t last_run;	/**< @brief Timestamp, when the monitor was last triggered */
+	uint64_t min;		/**< @brief Minimum delay between two activations in ms */
+	uint64_t max;		/**< @brief Maximum delay between two activations in ms */
+	bool enabled;		/**< @brief Monitor enabled */
+	uint64_t delta;		/**< @brief Last delta between two activations */
+};
+
+/**
+ * @brief Initialize the safety controller.
  *
  * After a call to this function the controller is iniotlaized and the watchdog is set up.
  * You have to call safety_controller_handle
@@ -70,42 +78,177 @@ void safety_controller_init();
  */
 int safety_controller_handle();
 
+/**
+ * @brief Report one or multiple errors to the safety controller
+ *
+ * When passing multipe error glags, the flags have to be ORed together.
+ *
+ * @param flag Error flag to report
+ * @return 0 if successful.
+ */
 int safety_controller_report_error(enum safety_flag flag);
 
+/**
+ * @brief Report one or multiple error flags with a key.
+ *
+ * When setting a \p key on an error flag. The error flag can only be cleared,
+ * by passing the same key value to the @ref safety_controller_ack_flag_with_key function.
+ *
+ * @param flag Error flag to report
+ * @param key Key
+ * @return 0 if successful
+ */
 int safety_controller_report_error_with_key(enum safety_flag flag, uint32_t key);
 
+/**
+ * @brief Report timing to a timing monitor.
+ * @param monitor Monitor to report
+ */
 void safety_controller_report_timing(enum timing_monitor monitor);
 
+/**
+ * @brief Report an analog value to an analog value monitor
+ * @param monitor Monitor to report
+ * @param value Analog value
+ */
 void safety_controller_report_analog_value(enum analog_value_monitor monitor, float value);
 
+/**
+ * @brief Enable or disable a timing monitor.
+ * @param monitor Monitor to enable
+ * @param enable State to set the monitor to.
+ * @return 0 if successful.
+ */
 int safety_controller_enable_timing_mon(enum timing_monitor monitor, bool enable);
 
+/**
+ * @brief Get the value of an analog monitor.
+ * @param monitor Monitor to get value from
+ * @param[out] value The analog value
+ * @returns Status of the analog monitor. \p value only valid, if return value does not indicate an internal error,
+ *          or an inactive monitor.
+ */
 enum analog_monitor_status safety_controller_get_analog_mon_value(enum analog_value_monitor monitor, float *value);
 
+/**
+ * @brief Get error flag state and optionally acknowledge the flag
+ *
+ * If the flag is persistent, it cannot be ack'ed. In this case this function
+ * does not return an error code.
+ *
+ * @param flag Error flag
+ * @param[out] status state of the flag.
+ * @param try_ack Try to ack the flag. This might fail, if the flag is persistent.
+ * @return 0 if successful.
+ */
 int safety_controller_get_flag(enum safety_flag flag, bool *status, bool try_ack);
 
+/**
+ * @brief Ack an error flag
+ * @param flag Error flag to ack
+ * @return 0 if successful, -2 if flag is persistent or keyed. All other values: Errors
+ */
 int safety_controller_ack_flag(enum safety_flag flag);
 
+/**
+ * @brief Acknowledge error flag with a key
+ * @param flag Error flag
+ * @param key Key
+ * @return 0 if successful, -2 if flag is persistent or key wrong. All other values: Errors
+ */
 int safety_controller_ack_flag_with_key(enum safety_flag flag, uint32_t key);
 
+/**
+ * @brief Get an ored status of multiple flags.
+ * @param mask Flags to check
+ * @return True if errors. False if no errors.
+ */
 bool safety_controller_get_flags_by_mask(enum safety_flag mask);
 
+/**
+ * @brief Get the count of error flags
+ * @return Error flag count
+ */
 uint32_t safety_controller_get_flag_count();
 
+/**
+ * @brief Get the count of analog monitors
+ * @return Analog monitor count
+ */
 uint32_t safety_controller_get_analog_monitor_count();
 
+/**
+ * @brief Get an error flag's name by its index.
+ *
+ * The name of the flag will be cropped, if the buffersize is too small.
+ * Paramter \p buffsize may not be zero.
+ *
+ * @param index 0 based index.
+ * @param[out] buffer Buffer to write the name to.
+ * @param buffsize Buffer size. This has to be big enough to hold the name and the \0-terminator
+ * @return 0 of successful
+ */
 int safety_controller_get_flag_name_by_index(uint32_t index, char *buffer, size_t buffsize);
 
+/**
+ * @brief Get the safety flag by its internal index.
+ * @param index 0 based index.
+ * @param[out] status Current flag state. May be NULL.
+ * @param[out] flag_enum Flag enum used in SW. May be NULL.
+ * @return 0 if successful; else: negative
+ */
 int safety_controller_get_flag_by_index(uint32_t index, bool *status, enum safety_flag *flag_enum);
 
+/**
+ * @brief Get an analog monitor info by the monitor's index
+ * @param index 0 based index
+ * @param[out] info Info structure.
+ * @return 0 if successful.
+ *         -1001, if \p index out of range
+ *         -1002, if \p info is NULL
+ */
 int safety_controller_get_analog_mon_by_index(uint32_t index, struct analog_monitor_info *info);
 
+/**
+ * @brief Get the name of an analog monitor by its index
+ *
+ * The buffer has to be large enough to hold the name plus a null terminator.
+ * If the buffer is not large enough, The name will be cropped.
+ * Parameter \p buffsize may not be zero.
+ *
+ * @param index 0 based index
+ * @param buffer Buffer to write name to
+ * @param buffsize Buffer size
+ * @return
+ */
 int safety_controller_get_analog_mon_name_by_index(uint32_t index, char *buffer, size_t buffsize);
 
+/**
+ * @brief Get timing monitor information by index
+ * @param index 0 based index
+ * @param[out] info Info
+ * @return 0 if successful
+ */
 int safety_controller_get_timing_mon_by_index(uint32_t index, struct timing_monitor_info *info);
 
+/**
+ * @brief Get the name of a timing monitor by its index
+ *
+ * The buffer has to be large enough to hold the name plus a null terminator.
+ * If the buffer is not large enough, The name will be cropped.
+ * Parameter \p buffsize may not be zero.
+ *
+ * @param index 0 based index
+ * @param buffer Buffer to write name to.
+ * @param buffsize Buffer size
+ * @return 0 if successful
+ */
 int safety_controller_get_timing_mon_name_by_index(uint32_t index, char *buffer, size_t buffsize);
 
+/**
+ * @brief Get the count of timing monitors
+ * @return Timing monitor count
+ */
 uint32_t safety_controller_get_timing_monitor_count();
 
 #endif /* __SAFETY_CONTROLLER_H__ */

stm-firmware/include/reflow-controller/safety/safety-memory.h

@@ -0,0 +1,260 @@
+/* Reflow Oven Controller
+*
+* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+*
+* This file is part of the Reflow Oven Controller Project.
+*
+* The reflow oven controller is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation.
+*
+* The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with the reflow oven controller project.
+* If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __SAFETY_MEMORY_H__
+#define __SAFETY_MEMORY_H__
+
+#include <stdint.h>
+#include <stddef.h>
+
+/** @addtogroup safety-memory
+ * @{
+ */
+
+/**
+ * @brief Magic number to signal a valid safety memory header.
+ */
+#define SAFETY_MEMORY_MAGIC 0x12AA5CB7
+
+/**
+ * @brief Error memory NOP entry
+ */
+#define SAFETY_MEMORY_NOP_ENTRY 0xC1AA1222
+
+/**
+ * @brief Offset address for the safety_memory_header.
+ * @note Any other value than 0UL doesn't really make sense. Therfore, this should not be changed.
+ */
+#define SAFETY_MEMORY_HEADER_ADDRESS 0UL
+
+#define SAFETY_MEMORY_CONFIG_OVERRIDE_COUNT 32UL
+
+/**
+ * @brief Safety memory header
+ */
+struct safety_memory_header {
+	uint32_t magic;			/**< @brief Magic. Set to @ref SAFETY_MEMORY_MAGIC */
+	uint32_t boot_status_offset;	/**< @brief Offset of the safety_memory_boot_status struct (in 32 bit words)*/
+	uint32_t config_overrides_offset; /**< @brief Offset address of override entries */
+	uint32_t config_overrides_len;	/**< @brief Length of override entries in words */
+	uint32_t err_memory_offset;	/**< @brief Offset of the error memory */
+	uint32_t err_memory_end;	/**< @brief End of the error memory. This points to the word after the error memory, containing the CRC of the whole backup RAM. */
+	uint32_t crc;		/**< @brief  CRC of the header */
+};
+
+struct safety_memory_boot_status {
+	/**
+	 * @brief Reboot into the bootloader
+	 *
+	 * When this flag is set, the controller will load the bootloader to
+	 * memory and execute it.
+	 */
+	uint32_t reboot_to_bootloader;
+
+	/**
+	 * @brief Bootloader has updated the code
+	 *
+	 * This flag is set, if the firmware ahs been updated successfully
+	 */
+	uint32_t code_updated;
+
+	/**
+	 * @brief reset_from_panic
+	 *
+	 * This flag is set, when entering the panic mode.
+	 * Because the panic mode is reset by a watchdog reset,
+	 * this flag is needed, in order to ensure, that the panic is handled correcly after
+	 * the watchdog reset.
+	 */
+	uint32_t reset_from_panic;
+};
+
+/**
+ * @brief The state of the safety memory
+ *
+ * This is returned by certain functions in order to signal, if the header and CRC infos are valid.
+ */
+enum safety_memory_state {
+	SAFETY_MEMORY_INIT_FRESH = 0,		/**< @brief Memory header not found */
+	SAFETY_MEMORY_INIT_CORRUPTED = 1,	/**< @brief Header found, but corrupt memory */
+	SAFETY_MEMORY_INIT_VALID_MEMORY = 2,	/**< @brief Valid header found and CRC check is valid */
+};
+
+/**
+ * @brief Types of error memory entries
+ */
+enum safety_memory_error_entry_type {
+	SAFETY_MEMORY_ERR_ENTRY_FLAG = 1,	/**< @brief Flag error entry. Logs a flag */
+	SAFETY_MEMORY_ERR_ENTRY_NOP = 2,	/**< @brief NOP entry. Has no meaning, but will be treated as a valid entry */
+};
+
+/**
+ * @brief Firmware internal representation of an error memory entry.
+ */
+struct error_memory_entry {
+	enum safety_memory_error_entry_type type;
+	uint8_t flag_num;
+	uint16_t counter;
+};
+
+/**
+ * @brief Types of conig override entries
+ */
+enum config_override_entry_type {
+	SAFETY_MEMORY_CONFIG_OVERRIDE_WEIGHT = 1,
+	SAFETY_MEMORY_CONFIG_OVERRIDE_PERSISTANCE = 2,
+};
+
+/**
+ * @brief Weights of error flags.
+ */
+enum config_weight {
+	SAFETY_FLAG_CONFIG_WEIGHT_NONE = 0, /**< @brief This flag has no global error consequence, but might be respected by certain software modules. */
+	SAFETY_FLAG_CONFIG_WEIGHT_PID = 1, /**< @brief This flag will force a stop of the temperature PID controller */
+	SAFETY_FLAG_CONFIG_WEIGHT_PANIC = 2, /**< @brief This flag will trigger the panic mode */
+};
+
+/**
+ * @brief representation of a config override memory entry
+ */
+struct config_override {
+	enum config_override_entry_type type;
+	union {
+		struct {
+			uint8_t flag;
+			enum config_weight weight;
+		} weight_override;
+		struct {
+			uint8_t flag;
+			uint8_t persistance;
+		} persistance_override;
+	} entry;
+};
+
+/**
+ * @brief First time init the safety memory. This requests all clocks etc.
+ *
+ * The error memory is always vlaid after this function. At least, if it returns without error.
+ * The \p found_state output tells the caller, in which state the memory was found. If it was uninitialized,
+ * or corrupted, it is completely wiped and a fresh memory structure is written.
+ *
+ * @param[out] found_state State the error memory was found in
+ * @return 0 if successful
+ * @warning Also check @ref safety_memory_reinit
+ */
+int safety_memory_init(enum safety_memory_state *found_state);
+
+/**
+ * @brief Same as @ref safety_memory_init, but without specifically requesting the clock modules.
+ *
+ * Use this, if a call to @ref safety_memory_init has already been done.
+ *
+ * @param[out] found_state State the error memory was found in
+ * @return 0 if successful
+ */
+int safety_memory_reinit(enum safety_memory_state *found_state);
+
+/**
+ * @brief Get the boot status structure from safety memory
+ * @param[out] status Status read from memory.
+ * @return 0 if successful
+ */
+int safety_memory_get_boot_status(struct safety_memory_boot_status *status);
+
+/**
+ * @brief Write the boot status structure to safety memory
+ * @param[in] status Status to write
+ * @return 0 if successful
+ */
+int safety_memory_set_boot_status(const struct safety_memory_boot_status *status);
+
+/**
+ * @brief Get the amout of error entries in the error memory. This also includes NOP entries.
+ * @param[out] count Count
+ * @return 0 if successful
+ */
+int safety_memory_get_error_entry_count(uint32_t *count);
+
+/**
+ * @brief Check the header and CRC of the safety memory.
+ * @return 0 if all checks pass
+ */
+int safety_memory_check(void);
+
+/**
+ * @brief Read an error entry from the error memory
+ * @param idx Index of the entry
+ * @param[out] entry Error entry
+ * @return 0 if successful
+ */
+int safety_memory_get_error_entry(uint32_t idx, struct error_memory_entry *entry);
+
+/**
+ * @brief Insert an error entry
+ *
+ * This function inserts an error entry on the first NOP entry found in the error memory.
+ * If an entry is found with the same flag number, its counter is incremented by the counter value of the
+ * element to insert.
+ *
+ * If there are no NOPs or fitting entries in the error memory, error memory is expanded until it hits the memory
+ * boundary.
+ *
+ * @param entry Error entry to insert
+ * @returns 0 if successful, -3 if out of memory, and other negative error codes
+ */
+int safety_memory_insert_error_entry(struct error_memory_entry *entry);
+
+/**
+ * @brief Insert a config override entry at the first free location.
+ *
+ * Free locations are entries containing 0x00000000
+ *
+ * @param config_override Config to write
+ * @return 0 if successful
+ */
+int safety_memory_insert_config_override(struct config_override *config_override);
+
+/**
+ * @brief Get count of config overrides
+ * @param[out] count Number of overrides
+ * @return 0 if successful
+ */
+int safety_memory_get_config_override_count(uint32_t *count);
+
+/**
+ * @brief Get a config ovveide entry
+ * @param idx Index of the requested entry
+ * @param[out] config_override READ override
+ * @return 0 if successful
+ */
+int safety_memory_get_config_override(uint32_t idx, struct config_override *config_override);
+
+/**
+ * @brief Get a base64 dump of the whole safety memory.
+ * @param[out] buffer Buffer to write the base 64 dump into.
+ * @param buffsize Size of buffer. Must be large enough to hold the data plus a '\0' terminator
+ * @param[out] used_size Number of written bytes including the '\0' terminator. May be NULL.
+ * @return 0 if successful
+ */
+int safety_memory_dump_base64(char *buffer, size_t buffsize, size_t *used_size);
+
+#endif /* __SAFETY_MEMORY_H__ */
+
+/** @} */

stm-firmware/include/reflow-controller/safety/stack-check.h

@@ -0,0 +1,97 @@
+/* Reflow Oven Controller
+*
+* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+*
+* This file is part of the Reflow Oven Controller Project.
+*
+* The reflow oven controller is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation.
+*
+* GDSII-Converter is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with the reflow oven controller project.
+* If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __STACK_CHECK_H__
+#define __STACK_CHECK_H__
+
+#include <stdint.h>
+
+#define STACK_CHECK_MIN_HEAP_GAP 16UL
+
+/**
+ * @brief Get usage of the stack
+ * @return Usage of the stack in bytes
+ */
+int32_t stack_check_get_usage();
+
+/**
+ * @brief Get free stack space
+ * @return free stack space in bytes. If negative, a stack overflow occured
+ */
+int32_t stack_check_get_free();
+
+/**
+ * @brief Check if the current free stack space is bigger than @ref STACK_CHECK_MIN_HEAP_GAP
+ * @return 0: enough space available, -1: stack space low
+ */
+static inline int stack_check_collision()
+{
+	int ret = 0;
+	int32_t free_space = stack_check_get_free();
+
+	if ((unsigned int)free_space < STACK_CHECK_MIN_HEAP_GAP) {
+			ret = -1;
+	}
+
+	return ret;
+}
+
+/**
+ * @brief Get the current stack pointer value
+ * @return
+ */
+static inline uint32_t read_stack_pointer()
+{
+	uint32_t stack_pointer;
+
+	__asm__ __volatile__ ("mov %0, sp\n\t" : "=r"(stack_pointer) : : );
+
+	return stack_pointer;
+}
+
+/**
+ * @brief Init the stack corruption detection area.
+ *
+ * This function initializes the memory area between heap and stack with random values generated by the
+ * STM's random number generator. A 32 bit CRC generated by the CRC unit of the STM is appended for verification of the
+ * area.
+ *
+ *
+ * @return 0 if successful, else an error has occured in generating a random number. This should never happen
+ * @note This function turns on the CRC unit but does not disable it afterwards. Therefore, the CRC unit does not have
+ * to be explicitly initialized before calling @ref stack_check_corruption_detect_area.
+ */
+int stack_check_init_corruption_detect_area(void);
+
+/**
+ * @brief Check the CRC of the stack corruption detection area
+ *
+ * This function checks the stack corruption detection area, which must be initialized by
+ * @ref stack_check_init_corruption_detect_area beforehand.
+ *
+ * The CRC unit must be enabled for this function to work properly.
+ * After calling @stack_check_init_corruption_detect_area, this is the case.
+ *
+ * @return 0 if no error is detected, all other values are an error.
+ * @note Make sure CRC unit is enabled.
+ */
+int stack_check_corruption_detect_area(void);
+
+#endif /* __STACK_CHECK_H__ */

stm-firmware/include/reflow-controller/safety/watchdog.h

@@ -42,8 +42,8 @@ int watchdog_ack(uint32_t magic);
 
 /**
  * @brief Check if reset was generated by the watchdog.
- * @note This also clears the relevant flag, so the function will reutrn false when called a second time
- * @return
+ * @note This also clears the relevant flag, so the function will return false when called a second time
+ * @return true, if reset was generated by the watchdog
  */
 bool watchdog_check_reset_source(void);
 

stm-firmware/include/reflow-controller/shell-uart-config.h

@@ -12,7 +12,7 @@
 #define SHELL_UART_RX_DMA_TRIGGER 4U
 #define SHELL_UART_TX_DMA_TRIGGER 4U
 
-#ifdef DEBUGBUILD
+#if defined(DEBUGBUILD) || defined(UART_ON_DEBUG_HEADER)
 
 #define SHELL_UART_PORT GPIOA
 #define SHELL_UART_PORT_RCC_MASK RCC_AHB1ENR_GPIOAEN

stm-firmware/include/reflow-controller/stack-check.h

@@ -1,53 +0,0 @@
-/* Reflow Oven Controller
-*
-* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
-*
-* This file is part of the Reflow Oven Controller Project.
-*
-* The reflow oven controller is free software: you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
-*
-* GDSII-Converter is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with the reflow oven controller project.
-* If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#ifndef __STACK_CHECK_H__
-#define __STACK_CHECK_H__
-
-#include <stdint.h>
-
-#define STACK_CHECK_MIN_HEAP_GAP 16UL
-
-int32_t stack_check_get_usage();
-
-int32_t stack_check_get_free();
-
-static inline int stack_check_collision()
-{
-	int ret = 0;
-	int32_t free_space = stack_check_get_free();
-
-	if ((unsigned int)free_space < STACK_CHECK_MIN_HEAP_GAP) {
-			ret = -1;
-	}
-
-	return ret;
-}
-
-static inline uint32_t read_stack_pointer()
-{
-	uint32_t stack_pointer;
-
-	__asm__ __volatile__ ("mov %0, sp\n\t" : "=r"(stack_pointer) : : );
-
-	return stack_pointer;
-}
-
-#endif /* __STACK_CHECK_H__ */

stm-firmware/include/stm-periph/backup-ram.h

@@ -19,33 +19,41 @@
  */
 
 #include <stdint.h>
+#include <stdbool.h>
 
 /**
  * @brief Init the backup ram and make it accesible
+ * @param use_backup_regulator Enable the Backup VBAT regulator. It will be used, when VDD is powered off
  */
-void backup_ram_init();
+void backup_ram_init(bool use_backup_regulator);
 
 /**
  * @brief Disable access to the backup RAM. This saves power
  */
-void backup_ram_disable();
+void backup_ram_disable(void);
 
 /**
- * @brief Whis function overwrites the backup RAM with 0x00
+ * @brief Whis function overwrites the backup RAM with 0x00000000
  */
-void backup_ram_wipe();
+void backup_ram_wipe(void);
 
 /**
  * @brief Read data from the backup RAM
  * @param addr Address offset inside memory
- * @param data read 32bit data
+ * @param data Read data
+ * @param count amount of 32 bit words to read
+ * @return 0 if successful
  */
-int backup_ram_get_data(uint32_t addr, uint32_t *data);
+int backup_ram_get_data(uint32_t addr, uint32_t *data, uint32_t count);
 
 /**
  * @brief Write data structure to backup RAM
- * @param data
- * @return
+ * @param[in] data Data to write.
+ * @param count Count of 32 bit words to write
+ * @return 0 if successful
  */
-int backup_ram_write_data(uint32_t addr, uint32_t data);
+int backup_ram_write_data(uint32_t addr, const uint32_t *data, uint32_t count);
 
+uint32_t backup_ram_get_size_in_words(void);
+
+volatile void *backup_ram_get_base_ptr(void);

stm-firmware/include/stm-periph/crc-unit.h

@@ -0,0 +1,38 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * GDSII-Converter is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __CRC_UNIT_H__
+#define __CRC_UNIT_H__
+
+#include <stdint.h>
+
+void crc_unit_init(void);
+
+void crc_unit_deinit(void);
+
+void crc_unit_reset(void);
+
+uint32_t crc_unit_get_crc(void);
+
+void crc_unit_input(uint32_t data);
+
+void crc_unit_input_array(const uint32_t *data, uint32_t len);
+
+#endif /* __CRC_UNIT_H__ */

stm-firmware/include/stm-periph/rng.h

@@ -0,0 +1,42 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * GDSII-Converter is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __STM_RNG_H__
+#define __STM_RNG_H__
+
+#include <stdint.h>
+#include <stdbool.h>
+
+enum random_number_error {
+	RNG_ERROR_OK = 0,
+	RNG_ERROR_INACT,
+	RNG_ERROR_INTERNAL_ERROR,
+	RNG_ERROR_NOT_READY
+};
+
+void random_number_gen_init(bool int_enable);
+
+void random_number_gen_deinit();
+
+void random_number_gen_reset(bool int_en);
+
+enum random_number_error random_number_gen_get_number(uint32_t *random_number, bool wait_for_valid_value);
+
+#endif /* __STM_RNG_H__ */

stm-firmware/main.c

@@ -51,7 +51,9 @@ static void setup_nvic_priorities(void)
 
 	/* Setup Priorities */
 	NVIC_SetPriority(ADC_IRQn, 2);
+	/* Measurement ADC DMA */
 	NVIC_SetPriority(DMA2_Stream0_IRQn, 1);
+	/* Shelmatta UART TX */
 	NVIC_SetPriority(DMA2_Stream7_IRQn, 3);
 }
 
@@ -65,7 +67,7 @@ static inline void uart_gpio_config(void)
 	 * else the Pins on the DIGIO header are configured in the digio module
 	 */
 
-#ifdef DEBUGBUILD
+#if defined(DEBUGBUILD) || defined(UART_ON_DEBUG_HEADER)
 	rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(SHELL_UART_PORT_RCC_MASK));
 	SHELL_UART_PORT->MODER &=  MODER_DELETE(SHELL_UART_TX_PIN) & MODER_DELETE(SHELL_UART_RX_PIN);
 	SHELL_UART_PORT->MODER |= ALTFUNC(SHELL_UART_RX_PIN) | ALTFUNC(SHELL_UART_TX_PIN);
@@ -147,6 +149,7 @@ static void setup_unused_pins(void)
 	GPIOE->MODER = 0UL;
 	for (i = 0; i < 16; i++)
 		GPIOE->PUPDR |= PULLDOWN(i);
+	rcc_manager_disable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_GPIOEEN));
 }
 
 static inline void setup_system(void)
@@ -154,14 +157,12 @@ static inline void setup_system(void)
 	setup_nvic_priorities();
 	systick_setup();
 
-
 	oven_driver_init();
 	digio_setup_default_all();
 	led_setup();
 	loudspeaker_setup();
 	reflow_menu_init();
 
-
 	uart_gpio_config();
 	setup_shell_uart(&shell_uart);
 
@@ -222,8 +223,8 @@ int main(void)
 		menu_wait_request = reflow_menu_handle();
 		handle_shell_uart_input(shell_handle);
 
-
 		safety_controller_handle();
+		/* Todo: Remove this */
 		oven_driver_set_power(0);
 		oven_driver_apply_power_level();
 
@@ -243,6 +244,9 @@ void sdio_wait_ms(uint32_t ms)
 	systick_wait_ms(ms);
 }
 
+/**
+ * @brief Handles the TX of UART1 (Shellmatta)
+ */
 void DMA2_Stream7_IRQHandler(void)
 {
 	uint32_t hisr = DMA2->HISR;

stm-firmware/oven-driver.c

@@ -118,6 +118,12 @@ void oven_pid_stop(void)
 	safety_controller_enable_timing_mon(ERR_TIMING_PID, false);
 }
 
+void oven_pid_abort(void)
+{
+	oven_pid_aborted = true;
+	oven_pid_stop();
+}
+
 enum oven_pid_status oven_pid_get_status(void)
 {
 	enum oven_pid_status ret = OVEN_PID_ABORTED;

stm-firmware/pid-controller.c

@@ -73,12 +73,13 @@ float pid_sample(struct pid_controller *pid, float deviation)
 	float output;
 
 	if (!pid)
-		return 0.0;
+		return 0.0f;
 
 	output = deviation * pid->k_p;
 
-	if (!(deviation > 0.0f && pid->control_output > pid->output_sat_max - 0.5) &&
-	    !(deviation < 0.0f && pid->control_output < pid->output_sat_min + 0.5)) {
+	/* PID runaway compensation */
+	if (!(deviation > 0.0f && pid->control_output > pid->output_sat_max - 0.5f) &&
+	    !(deviation < 0.0f && pid->control_output < pid->output_sat_min + 0.5f)) {
 		calculate_integral(pid, deviation);
 	}
 

stm-firmware/reflow-menu.c

@@ -109,6 +109,7 @@ static void reflow_menu_about(struct lcd_menu *menu, enum menu_entry_func_entry
 	static void *my_parent;
 	static bool button_ready;
 	static int page = 0;
+	static int last_page = -1;
 	static uint32_t uptime_secs;
 	uint32_t new_uptime_secs;
 	uint32_t uptime_mins;
@@ -121,6 +122,7 @@ static void reflow_menu_about(struct lcd_menu *menu, enum menu_entry_func_entry
 	if (entry_type == MENU_ENTRY_FIRST_ENTER) {
 		uptime_secs = 0ULL;
 		page = 0;
+		last_page = -1;
 		my_parent = parent;
 		button_ready = false;
 		menu_display_clear(menu);
@@ -144,12 +146,18 @@ static void reflow_menu_about(struct lcd_menu *menu, enum menu_entry_func_entry
 
 	switch (page) {
 	case 0:
+		if (last_page == 0)
+			break;
+		last_page = 0;
 		menu_lcd_output(menu, 0, LCD_SHIMATTA_STRING "    Shimatta");
 		menu_lcd_output(menu, 1, "Oven Controller");
 		menu_lcd_output(menu, 2, "(c) Mario H\xF5ttel");
 		menu_lcd_output(menu, 3, "Page 1/5");
 		break;
 	case 1:
+		if (last_page == 1)
+			break;
+		last_page = 1;
 		menu_lcd_output(menu, 0, "Version Number:");
 		menu_lcd_outputf(menu, 1, "%.*s", LCD_CHAR_WIDTH, xstr(GIT_VER));
 		if (strlen(xstr(GIT_VER)) > LCD_CHAR_WIDTH) {
@@ -162,12 +170,18 @@ static void reflow_menu_about(struct lcd_menu *menu, enum menu_entry_func_entry
 #endif
 		break;
 	case 2:
+		if (last_page == 2)
+			break;
+		last_page = 2;
 		menu_lcd_output(menu, 0, "Compile Info");
 		menu_lcd_output(menu, 1, __DATE__);
 		menu_lcd_output(menu, 2, __TIME__);
 		menu_lcd_output(menu, 3, "Page 3/5");
 		break;
 	case 3:
+		if (last_page == 3)
+			break;
+		last_page = 3;
 		unique_id_get(&ser1, &ser2, &ser3);
 
 		menu_lcd_outputf(menu, 0, "Serial: %08X", ser1);
@@ -187,6 +201,7 @@ static void reflow_menu_about(struct lcd_menu *menu, enum menu_entry_func_entry
 		break;
 	default:
 		page = 0;
+		last_page = -1;
 		break;
 	}
 
@@ -206,7 +221,7 @@ static void reflow_menu_root_entry(struct lcd_menu *menu, enum menu_entry_func_e
 	(void)parent;
 	static struct menu_list list;
 	static bool button_valid;
-	static bool menu_changed = true;
+	bool menu_changed = false;
 	static const char * const root_entry_names[] = {
 		"About",
 		"Monitoring",

stm-firmware/safety/fault.c

@@ -21,29 +21,42 @@
 #include <reflow-controller/oven-driver.h>
 #include <reflow-controller/digio.h>
 #include <reflow-controller/safety/fault.h>
+#include <reflow-controller/safety/safety-memory.h>
+#include <helper-macros/helper-macros.h>
 
 void HardFault_Handler(void)
 {
-	/* This is a non recoverable fault. Hang here */
+	/* This is a non recoverable fault. Stop the oven */
 
 	oven_driver_set_power(0);
 	oven_driver_apply_power_level();
 
+	/* Set the error led */
 	led_set(0, 1);
 
-	while (1);
+	/* Try the real panic mode */
+	panic_mode();
+}
+
+/* Overwrite default handler. Go to panic mode */
+void __int_default_handler(void)
+{
+	panic_mode();
 }
 
 void panic_mode(void)
 {
-	/* Panic mode is esentially the same as a hardfault,
-	 * but it can be expected, that more functionality is still usable
-	 */
+	/* This variable is static, because I don't want it to be on the stack */
+	static struct safety_memory_boot_status IN_SECTION(.ccm.bss) boot_status;
 
 	oven_driver_set_power(0);
 	oven_driver_apply_power_level();
 
-	/* TODO: implement panic mode */
+	if (!safety_memory_get_boot_status(&boot_status)) {
+		boot_status.reset_from_panic = 0xFFFFFFFF;
+		(void)safety_memory_set_boot_status(&boot_status);
+	}
 
+	/* Let the watchdog do the rest */
 	while (1);
 }

stm-firmware/safety/safety-controller.c

@@ -27,86 +27,206 @@
 #include <reflow-controller/safety/safety-config.h>
 #include <reflow-controller/safety/watchdog.h>
 #include <reflow-controller/safety/safety-adc.h>
-#include <reflow-controller/stack-check.h>
+#include <reflow-controller/safety/stack-check.h>
 #include <helper-macros/helper-macros.h>
+#include <stm-periph/crc-unit.h>
 #include <reflow-controller/systick.h>
+#include <reflow-controller/safety/fault.h>
 #include <stm32/stm32f4xx.h>
 #include <cmsis/core_cm4.h>
 #include <stddef.h>
 #include <string.h>
+#include <reflow-controller/safety/safety-memory.h>
+#include <reflow-controller/oven-driver.h>
+#include <helper-macros/helper-macros.h>
+
+#define check_flag_persistent(flag) ((flag)->persistency && (flag)->persistency->persistency)
+#define get_flag_weight(flag) ((flag)->weight ? (flag->weight->weight) : SAFETY_FLAG_CONFIG_WEIGHT_NONE)
+
+struct safety_weight {
+		uint32_t start_dummy;
+		enum config_weight weight;
+		enum safety_flag flag;
+		volatile struct error_flag *flag_ptr;
+		uint32_t end_dummy;
+};
+
+struct safety_persistency {
+		uint32_t start_dummy;
+		bool persistency;
+		enum safety_flag flag;
+		volatile struct error_flag *flag_ptr;
+		uint32_t end_dummy;
+};
 
 struct error_flag {
-	const char *name;
-	enum safety_flag flag;
-	bool error_state;
-	bool persistent;
-	uint32_t key;
+		const char *name;
+		enum safety_flag flag;
+		bool error_state;
+		bool error_state_inv;
+		volatile struct safety_persistency *persistency;
+		volatile struct safety_weight *weight;
+		uint32_t key;
 };
 
 struct timing_mon {
-	const char *name;
-	enum timing_monitor monitor;
-	enum safety_flag associated_flag;
-	uint64_t min_delta;
-	uint64_t max_delta;
-	uint64_t last;
-	uint64_t calculated_delta;
-	bool enabled;
+		const char *name;
+		enum timing_monitor monitor;
+		enum safety_flag associated_flag;
+		uint64_t min_delta;
+		uint64_t max_delta;
+		uint64_t last;
+		uint64_t calculated_delta;
+		bool enabled;
 };
 
 struct analog_mon {
-	const char *name;
-	enum analog_value_monitor monitor;
-	enum safety_flag associated_flag;
-	float min;
-	float max;
-	float value;
-	bool valid;
-	uint64_t timestamp;
+		const char *name;
+		enum analog_value_monitor monitor;
+		enum safety_flag associated_flag;
+		float min;
+		float max;
+		float value;
+		bool valid;
+		uint64_t timestamp;
 };
 
-#ifdef COUNT_OF
-#undef COUNT_OF
-#endif
-
-#define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x])))))
-
-#define ERR_FLAG_ENTRY(errflag, persistency) {.name=#errflag, .flag = (errflag), .error_state = false, .persistent = (persistency), .key = 0UL}
-#define TIM_MON_ENTRY(mon, min, max, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min_delta = (min), .max_delta = (max), .last = 0ULL, .enabled= false}
-#define ANA_MON_ENTRY(mon, min_value, max_value, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min = (min_value), .max = (max_value), .value = 0.0f, .valid = false}
-
-static volatile struct error_flag flags[] = {
-	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_OFF, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_WATCHDOG, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_UNSTABLE, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_OVERFLOW, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_MEAS_ADC, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_PID, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_AMON_UC_TEMP, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_AMON_VREF, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_STACK, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_SAFETY_ADC, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_SYSTICK, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_WTCHDG_FIRED, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_UNCAL, false),
-	ERR_FLAG_ENTRY(ERR_FLAG_DEBUG, true),
-	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_MAIN_LOOP, false),
+static volatile struct error_flag IN_SECTION(.ccm.data) flags[] = {
+	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_OFF),
+	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_WATCHDOG),
+	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_UNSTABLE),
+	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_OVERFLOW),
+	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_MEAS_ADC),
+	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_PID),
+	ERR_FLAG_ENTRY(ERR_FLAG_AMON_UC_TEMP),
+	ERR_FLAG_ENTRY(ERR_FLAG_AMON_VREF),
+	ERR_FLAG_ENTRY(ERR_FLAG_STACK),
+	ERR_FLAG_ENTRY(ERR_FLAG_SAFETY_ADC),
+	ERR_FLAG_ENTRY(ERR_FLAG_SYSTICK),
+	ERR_FLAG_ENTRY(ERR_FLAG_WTCHDG_FIRED),
+	ERR_FLAG_ENTRY(ERR_FLAG_UNCAL),
+	ERR_FLAG_ENTRY(ERR_FLAG_DEBUG),
+	ERR_FLAG_ENTRY(ERR_FLAG_TIMING_MAIN_LOOP),
+	ERR_FLAG_ENTRY(ERR_FLAG_SAFETY_MEM_CORRUPT),
+	ERR_FLAG_ENTRY(ERR_FLAG_SAFETY_TAB_CORRUPT),
 };
 
-static volatile struct timing_mon timings[] = {
+static volatile struct timing_mon IN_SECTION(.ccm.data) timings[] = {
 	TIM_MON_ENTRY(ERR_TIMING_PID, 2, 1000, ERR_FLAG_TIMING_PID),
 	TIM_MON_ENTRY(ERR_TIMING_MEAS_ADC, 0, 50, ERR_FLAG_TIMING_MEAS_ADC),
 	TIM_MON_ENTRY(ERR_TIMING_SAFETY_ADC, 10, SAFETY_CONTROLLER_ADC_DELAY_MS + 1000, ERR_FLAG_SAFETY_ADC),
 	TIM_MON_ENTRY(ERR_TIMING_MAIN_LOOP, 0, 1000, ERR_FLAG_TIMING_MAIN_LOOP),
 };
 
-static volatile struct analog_mon analog_mons[] = {
+static volatile struct analog_mon IN_SECTION(.ccm.data) analog_mons[] = {
 	ANA_MON_ENTRY(ERR_AMON_VREF, SAFETY_ADC_VREF_MVOLT - SAFETY_ADC_VREF_TOL_MVOLT,
-		      SAFETY_ADC_VREF_MVOLT + SAFETY_ADC_VREF_TOL_MVOLT, ERR_FLAG_AMON_VREF),
+	SAFETY_ADC_VREF_MVOLT + SAFETY_ADC_VREF_TOL_MVOLT, ERR_FLAG_AMON_VREF),
 	ANA_MON_ENTRY(ERR_AMON_UC_TEMP, SAFETY_ADC_TEMP_LOW_LIM, SAFETY_ADC_TEMP_HIGH_LIM,
-		      ERR_FLAG_AMON_UC_TEMP),
+	ERR_FLAG_AMON_UC_TEMP),
 };
 
+static const struct safety_weight default_flag_weights[] = { SAFETY_CONFIG_DEFAULT_WEIGHTS };
+static const struct safety_persistency default_flag_persistencies[] = {SAFETY_CONFIG_DEFAULT_PERSIST};
+
+static volatile struct safety_persistency IN_SECTION(.ccm.bss) flag_persistencies[COUNT_OF(default_flag_persistencies)];
+static uint32_t IN_SECTION(.ccm.bss) flag_persistencies_crc;
+
+static volatile struct safety_weight IN_SECTION(.ccm.bss) flag_weights[COUNT_OF(default_flag_weights)];
+static uint32_t IN_SECTION(.ccm.bss) flag_weight_crc;
+
+static int flag_weight_table_crc_check(void)
+{
+	/* Check the flag weight table */
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t *)flag_weights, wordsize_of(flag_weights));
+
+	if (crc_unit_get_crc() != flag_weight_crc)
+		return -1;
+
+	return 0;
+}
+
+static int flag_persistency_table_crc_check(void)
+{
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t*)flag_persistencies, wordsize_of(flag_persistencies));
+
+	if (crc_unit_get_crc() != flag_persistencies_crc)
+		return -1;
+
+	return 0;
+}
+
+static volatile struct error_flag *find_error_flag(enum safety_flag flag)
+{
+	uint32_t i;
+	volatile struct error_flag *ret = NULL;
+
+	for (i = 0; i < COUNT_OF(flags); i++) {
+		if (flags[i].flag == flag)
+			ret = &flags[i];
+	}
+
+	return ret;
+}
+
+/**
+ * @brief This function copies the safety weigths from flash ro RAM and computes the CRC
+ */
+static void init_safety_flag_weight_table_from_default(void)
+{
+	uint32_t index;
+	volatile struct safety_weight *current_weight;
+
+	/* Copy the table */
+	memcpy((void *)flag_weights, default_flag_weights, sizeof(flag_weights));
+
+	/* Fill in the flag pointers */
+	for (index = 0; index < COUNT_OF(flag_weights); index++) {
+		current_weight = &flag_weights[index];
+		current_weight->flag_ptr = find_error_flag(current_weight->flag);
+		if (current_weight->flag_ptr)
+			current_weight->flag_ptr->weight = current_weight;
+	}
+
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t*)flag_weights, wordsize_of(flag_weights));
+	flag_weight_crc = crc_unit_get_crc();
+}
+
+static void init_safety_flag_persistencies_from_default(void)
+{
+	uint32_t index;
+	volatile struct safety_persistency *current_persistency;
+
+	/* Copy values */
+	memcpy((void *)flag_persistencies, default_flag_persistencies, sizeof(flag_persistencies));
+
+	/* Fill in flag pointers */
+	for (index = 0; index < COUNT_OF(flag_persistencies); index++) {
+		current_persistency = &flag_persistencies[index];
+		current_persistency->flag_ptr = find_error_flag(current_persistency->flag);
+		if (current_persistency->flag_ptr)
+			current_persistency->flag_ptr->persistency = current_persistency;
+	}
+
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t *)flag_persistencies, wordsize_of(flag_persistencies));
+	flag_persistencies_crc = crc_unit_get_crc();
+}
+
+static bool error_flag_get_status(const volatile struct error_flag *flag)
+{
+	if (!flag)
+		return true;
+
+	if (flag->error_state == flag->error_state_inv) {
+		return true;
+	} else {
+		return flag->error_state;
+	}
+}
+
 static volatile struct analog_mon *find_analog_mon(enum analog_value_monitor mon)
 {
 	uint32_t i;
@@ -133,19 +253,6 @@ static volatile struct timing_mon *find_timing_mon(enum timing_monitor mon)
 	return ret;
 }
 
-static volatile struct error_flag *find_error_flag(enum safety_flag flag)
-{
-	uint32_t i;
-	volatile struct error_flag *ret = NULL;
-
-	for (i = 0; i < COUNT_OF(flags); i++) {
-		if (flags[i].flag == flag)
-			ret = &flags[i];
-	}
-
-	return ret;
-}
-
 static void safety_controller_process_active_timing_mons()
 {
 	uint32_t i;
@@ -164,7 +271,7 @@ static void safety_controller_process_active_timing_mons()
 	}
 }
 
-static void safety_controller_process_checks()
+static void safety_controller_process_monitor_checks()
 {
 	static bool startup_completed = false;
 	enum analog_monitor_status amon_state;
@@ -180,12 +287,67 @@ static void safety_controller_process_checks()
 		amon_state = safety_controller_get_analog_mon_value(ERR_AMON_UC_TEMP, &amon_value);
 		if (amon_state != ANALOG_MONITOR_OK)
 			safety_controller_report_error(ERR_FLAG_AMON_UC_TEMP);
-
 	}
 
 	safety_controller_process_active_timing_mons();
 }
 
+static uint8_t flag_enum_to_flag_no(enum safety_flag flag)
+{
+	uint32_t flag_mask;
+	uint8_t i;
+
+	if (!is_power_of_two(flag))
+		return 0xFF;
+
+	flag_mask = (uint32_t)flag;
+	for (i = 0; i < 32; i++) {
+		if ((flag_mask >> i) & 0x1U)
+			break;
+	}
+
+	return i;
+}
+
+static enum safety_flag flag_no_to_flag_enum(uint8_t no)
+{
+	if (no >= COUNT_OF(flags))
+		return ERR_FLAG_NO_FLAG;
+
+	return (1U << no);
+}
+
+static int report_error(enum safety_flag flag, uint32_t key, bool prevent_error_mem_enty)
+{
+	uint32_t i;
+	int ret = -1;
+	bool old_state;
+	int res;
+	struct error_memory_entry err_mem_entry;
+
+	for (i = 0; i < COUNT_OF(flags); i++) {
+		if (flags[i].flag & flag) {
+			old_state = flags[i].error_state;
+			flags[i].error_state = true;
+			flags[i].error_state_inv = !flags[i].error_state;
+			flags[i].key = key;
+
+			if (check_flag_persistent(&flags[i]) && !old_state && !prevent_error_mem_enty) {
+				err_mem_entry.counter = 1;
+				err_mem_entry.flag_num = flag_enum_to_flag_no(flags[i].flag);
+				err_mem_entry.type = SAFETY_MEMORY_ERR_ENTRY_FLAG;
+				res = safety_memory_insert_error_entry(&err_mem_entry);
+				if (res)
+					ret = -12;
+			} else {
+				ret = 0;
+			}
+		}
+	}
+
+	return ret;
+}
+
 int safety_controller_report_error(enum safety_flag flag)
 {
 	return safety_controller_report_error_with_key(flag, 0x0UL);
@@ -193,18 +355,7 @@ int safety_controller_report_error(enum safety_flag flag)
 
 int safety_controller_report_error_with_key(enum safety_flag flag, uint32_t key)
 {
-	uint32_t i;
-	int ret = -1;
-
-	for (i = 0; i < COUNT_OF(flags); i++) {
-		if (flags[i].flag & flag) {
-			flags[i].error_state = true;
-			flags[i].key = key;
-			ret = 0;
-		}
-	}
-
-	return ret;
+	return report_error(flag, key, false);
 }
 
 void safety_controller_report_timing(enum timing_monitor monitor)
@@ -245,8 +396,67 @@ void safety_controller_report_analog_value(enum analog_value_monitor monitor, fl
 
 }
 
+/**
+ * @brief Return the flags, which are set in the error memory
+ * @param flags Flags read from error memory
+ * @return 0 if ok, != 0 if error
+ */
+static enum safety_flag get_safety_flags_from_error_mem(enum safety_flag *flags)
+{
+	uint32_t count;
+	uint32_t idx;
+	int res;
+	enum safety_flag return_flags = 0;
+	struct error_memory_entry entry;
+
+	if (!flags)
+		return -1001;
+
+	res = safety_memory_get_error_entry_count(&count);
+	if (res)
+		return -1;
+
+	for (idx = 0; idx < count; idx++) {
+		res = safety_memory_get_error_entry(idx, &entry);
+		if (entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG) {
+			return_flags |= flag_no_to_flag_enum(entry.flag_num);
+		}
+	}
+
+	*flags = return_flags;
+	return 0;
+}
+
 void safety_controller_init()
 {
+	enum safety_memory_state found_memory_state;
+	enum safety_flag flags_in_err_mem = ERR_FLAG_NO_FLAG;
+	int res;
+
+	/* Init the safety memory */
+	if (safety_memory_init(&found_memory_state)) {
+		/* Trigger panic mode! */
+		panic_mode();
+	}
+
+	/* This is usually done by the safety memory already. But, since this module also uses the CRC... */
+	crc_unit_init();
+
+	stack_check_init_corruption_detect_area();
+
+	init_safety_flag_weight_table_from_default();
+	init_safety_flag_persistencies_from_default();
+
+	if (found_memory_state == SAFETY_MEMORY_INIT_CORRUPTED)
+		safety_controller_report_error(ERR_FLAG_SAFETY_MEM_CORRUPT);
+	else if (found_memory_state == SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		/* restore the corrupt flag flag */
+		res = get_safety_flags_from_error_mem(&flags_in_err_mem);
+		if (res)
+			panic_mode();
+		if (flags_in_err_mem & ERR_FLAG_SAFETY_MEM_CORRUPT)
+			report_error(ERR_FLAG_SAFETY_MEM_CORRUPT, 0, true);
+	}
 
 	/* Init default flag states */
 	safety_controller_report_error_with_key(ERR_FLAG_MEAS_ADC_OFF | ERR_FLAG_MEAS_ADC_UNSTABLE,
@@ -270,6 +480,10 @@ static void safety_controller_check_stack()
 	free_stack = stack_check_get_free();
 	if (free_stack < SAFETY_MIN_STACK_FREE)
 		safety_controller_report_error(ERR_FLAG_STACK);
+
+	if (stack_check_corruption_detect_area()) {
+		safety_controller_report_error(ERR_FLAG_STACK);
+	}
 }
 
 static void safety_controller_handle_safety_adc()
@@ -316,17 +530,45 @@ static void safety_controller_handle_safety_adc()
 	}
 }
 
-int safety_controller_handle()
+/**
+ * @brief Check the memory structures.
+ */
+static void safety_controller_handle_memory_checks(void)
+{
+	static uint64_t ts = 0;
+	enum safety_memory_state found_state;
+
+	if (systick_ticks_have_passed(ts, 250)) {
+		ts = systick_get_global_tick();
+
+		/* Check the safety memory */
+		if (safety_memory_check()) {
+			(void)safety_memory_reinit(&found_state);
+			if (found_state != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+				safety_controller_report_error(ERR_FLAG_SAFETY_MEM_CORRUPT);
+			}
+		}
+
+		/* If flag weight table is broken, reinit to default and set flag */
+		if (flag_weight_table_crc_check()) {
+			safety_controller_report_error(ERR_FLAG_SAFETY_TAB_CORRUPT);
+			init_safety_flag_weight_table_from_default();
+		}
+
+		/* If persistency table is broken, reinit to default and set flag */
+		if(flag_persistency_table_crc_check()) {
+			safety_controller_report_error(ERR_FLAG_SAFETY_TAB_CORRUPT);
+			init_safety_flag_persistencies_from_default();
+		}
+	}
+}
+
+static void safety_controller_do_systick_checking()
 {
 	static uint64_t last_systick;
 	static uint32_t same_systick_cnt = 0UL;
 	uint64_t systick;
 
-	int ret = 0;
-
-	safety_controller_check_stack();
-	safety_controller_handle_safety_adc();
-
 	systick = systick_get_global_tick();
 	if (systick == last_systick) {
 		same_systick_cnt++;
@@ -336,9 +578,43 @@ int safety_controller_handle()
 		same_systick_cnt = 0UL;
 	}
 	last_systick = systick;
+}
 
-	safety_controller_process_checks();
-	/* TODO: Check flags for PID and HALT */
+static void safety_controller_handle_weighted_flags()
+{
+	uint32_t weight_index;
+	volatile struct safety_weight *current_weight;
+
+	for (weight_index = 0; weight_index < COUNT_OF(flag_weights); weight_index++) {
+		current_weight = &flag_weights[weight_index];
+		if (error_flag_get_status(current_weight->flag_ptr)) {
+			switch (current_weight->weight) {
+			case SAFETY_FLAG_CONFIG_WEIGHT_NONE:
+				break;
+			case SAFETY_FLAG_CONFIG_WEIGHT_PID:
+				oven_pid_abort();
+				break;
+			case SAFETY_FLAG_CONFIG_WEIGHT_PANIC:
+				/* Expected fallthrough */
+			default:
+				oven_pid_abort();
+				panic_mode();
+				break;
+			}
+		}
+	}
+}
+
+int safety_controller_handle()
+{
+	int ret = 0;
+
+	safety_controller_check_stack();
+	safety_controller_handle_safety_adc();
+	safety_controller_handle_memory_checks();
+	safety_controller_do_systick_checking();
+	safety_controller_process_monitor_checks();
+	safety_controller_handle_weighted_flags();
 
 	ret |= watchdog_ack(WATCHDOG_MAGIC_KEY);
 
@@ -404,13 +680,15 @@ int safety_controller_get_flag(enum safety_flag flag, bool *status, bool try_ack
 
 	found_flag = find_error_flag(flag);
 	if (found_flag) {
-		*status = found_flag->error_state;
-		if (try_ack && !found_flag->persistent) {
+		*status = error_flag_get_status(found_flag);
+		if (try_ack && !check_flag_persistent(found_flag)) {
 			/* Flag is generally non persistent
 			 * If key is set, this function cannot remove the flag
 			 */
-			if (found_flag->key == 0UL)
+			if (found_flag->key == 0UL) {
 				found_flag->error_state = false;
+				found_flag->error_state_inv = !found_flag->error_state;
+			}
 		}
 	}
 
@@ -433,8 +711,9 @@ int safety_controller_ack_flag_with_key(enum safety_flag flag, uint32_t key)
 
 	found_flag = find_error_flag(flag);
 	if (found_flag) {
-		if (!found_flag->persistent && (found_flag->key == key || !key)) {
+		if (!check_flag_persistent(found_flag) && (found_flag->key == key || !found_flag->key)) {
 			found_flag->error_state = false;
+			found_flag->error_state_inv = true;
 			ret = 0;
 		} else {
 			ret = -2;
@@ -450,7 +729,7 @@ bool safety_controller_get_flags_by_mask(enum safety_flag mask)
 	bool ret = false;
 
 	for (i = 0; i < COUNT_OF(flags); i++) {
-		if ((flags[i].flag & mask) && flags[i].error_state) {
+		if ((flags[i].flag & mask) && error_flag_get_status(&flags[i])) {
 			ret = true;
 			break;
 		}
@@ -525,7 +804,7 @@ int safety_controller_get_flag_by_index(uint32_t index, bool *status, enum safet
 
 	if (index < COUNT_OF(flags)) {
 		if (status)
-			*status = flags[index].error_state;
+			*status = error_flag_get_status(&flags[index]);
 		if (flag_enum)
 			*flag_enum = flags[index].flag;
 

stm-firmware/safety/safety-memory.c

@@ -0,0 +1,510 @@
+/* Reflow Oven Controller
+*
+* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+*
+* This file is part of the Reflow Oven Controller Project.
+*
+* The reflow oven controller is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation.
+*
+* The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with the reflow oven controller project.
+* If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <reflow-controller/safety/safety-memory.h>
+#include <helper-macros/helper-macros.h>
+#include <stm-periph/crc-unit.h>
+#include <stm-periph/backup-ram.h>
+#include <base64-lib/base64-lib.h>
+
+static int word_to_error_memory_entry(uint32_t entry_data, struct error_memory_entry *out)
+{
+	int ret = 0;
+
+	if (!out)
+		return -1002;
+
+	if (entry_data == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+		out->flag_num = 0U;
+		out->type = SAFETY_MEMORY_ERR_ENTRY_NOP;
+		out->counter = 0U;
+	} else if ((entry_data & 0xFFU) == 0x51U) {
+		out->flag_num = (uint8_t)((entry_data >> 8U) & 0xFFU);
+		out->type = SAFETY_MEMORY_ERR_ENTRY_FLAG;
+		out->counter = (uint16_t)((entry_data >> 16U) & 0xFFFF);
+	} else {
+		/* Invalid entry */
+		ret = -1;
+	}
+
+	return ret;
+}
+
+static uint32_t error_memory_entry_to_word(const struct error_memory_entry *entry)
+{
+	uint32_t word = 0;
+
+	switch (entry->type) {
+	case SAFETY_MEMORY_ERR_ENTRY_NOP:
+		word = SAFETY_MEMORY_NOP_ENTRY;
+		break;
+	case SAFETY_MEMORY_ERR_ENTRY_FLAG:
+		word = 0x51UL | ((uint32_t)entry->flag_num << 8U) |
+				((uint32_t)entry->counter << 16U);
+		break;
+	}
+
+	return word;
+}
+
+static enum safety_memory_state safety_memory_get_header(struct safety_memory_header *header)
+{
+
+	int res;
+	enum safety_memory_state ret;
+
+	if (!header)
+		return SAFETY_MEMORY_INIT_CORRUPTED;
+
+	res = backup_ram_get_data(0UL, (uint32_t *)header, wordsize_of(struct safety_memory_header));
+	if (res)
+		return SAFETY_MEMORY_INIT_CORRUPTED;
+
+	/* Check magic */
+	if (header->magic != SAFETY_MEMORY_MAGIC) {
+		/* Magic invalid */
+		ret = SAFETY_MEMORY_INIT_FRESH;
+		goto return_val;
+	}
+
+	/* Check the header crc */
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t *)header, wordsize_of(struct safety_memory_header));
+	if (crc_unit_get_crc() != 0UL) {
+		ret = SAFETY_MEMORY_INIT_CORRUPTED;
+		goto return_val;
+	}
+
+	res = 0;
+	if (header->boot_status_offset < wordsize_of(struct safety_memory_header))
+		res++;
+	if (header->config_overrides_offset < header->boot_status_offset + wordsize_of(struct safety_memory_boot_status))
+		res++;
+	if (header->config_overrides_len > SAFETY_MEMORY_CONFIG_OVERRIDE_COUNT)
+		res++;
+	if (header->err_memory_offset < header->config_overrides_offset + header->config_overrides_len)
+		res++;
+	if (header->err_memory_end >= backup_ram_get_size_in_words() || header->err_memory_end < header->err_memory_offset)
+		res++;
+
+	if (res) {
+		/* Error detected: Write new header */
+		ret = SAFETY_MEMORY_INIT_CORRUPTED;
+	} else {
+		ret = SAFETY_MEMORY_INIT_VALID_MEMORY;
+	}
+
+return_val:
+	return ret;
+}
+
+static void safety_memory_write_and_patch_header(struct safety_memory_header *header)
+{
+	/* Patch the CRC */
+	crc_unit_reset();
+	crc_unit_input_array((uint32_t *)header, wordsize_of(struct safety_memory_header) - 1U);
+	header->crc = crc_unit_get_crc();
+
+	/* Write to memory */
+	backup_ram_write_data(0UL, (uint32_t *)header, wordsize_of(*header));
+}
+
+static void safety_memory_write_new_header(void)
+{
+	struct safety_memory_header header;
+
+	header.boot_status_offset = wordsize_of(struct safety_memory_header);
+	header.config_overrides_len = SAFETY_MEMORY_CONFIG_OVERRIDE_COUNT;
+	header.config_overrides_offset = header.boot_status_offset + wordsize_of(struct safety_memory_boot_status);
+	header.err_memory_offset = header.config_overrides_offset + SAFETY_MEMORY_CONFIG_OVERRIDE_COUNT;
+	header.err_memory_end = header.err_memory_offset;
+	header.magic = SAFETY_MEMORY_MAGIC;
+
+	backup_ram_wipe();
+	safety_memory_write_and_patch_header(&header);
+}
+
+static int safety_memory_check_crc()
+{
+	struct safety_memory_header header;
+	enum safety_memory_state state = safety_memory_get_header(&header);
+	uint32_t crc_offset;
+	uint32_t data;
+	uint32_t addr;
+	int res;
+
+	if (state != SAFETY_MEMORY_INIT_VALID_MEMORY)
+		return -1;
+
+	crc_offset = header.err_memory_end;
+
+	crc_unit_reset();
+
+	for (addr = 0; addr < crc_offset; addr++) {
+		res = backup_ram_get_data(addr, &data, 1UL);
+		if (res)
+			return -2000;
+		crc_unit_input(data);
+	}
+
+	res = backup_ram_get_data(crc_offset, &data, 1UL);
+	if (res)
+		return -2001;
+
+	if (crc_unit_get_crc() != data)
+		return -3000;
+	else
+		return 0;
+}
+
+static int safety_memory_gen_crc()
+{
+	struct safety_memory_header header;
+	uint32_t word_addr;
+	uint32_t data;
+	int res;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY)
+		return -1;
+
+	crc_unit_reset();
+	for (word_addr = 0; word_addr < header.err_memory_end; word_addr++) {
+		res = backup_ram_get_data(word_addr, &data, 1);
+		if (res)
+			return -2;
+		crc_unit_input(data);
+	}
+
+	/* Write CRC */
+	data = crc_unit_get_crc();
+	res = backup_ram_write_data(header.err_memory_end, &data, 1UL);
+	if (res)
+		return -3;
+
+	return 0;
+}
+
+int safety_memory_reinit(enum safety_memory_state *found_state)
+{
+	struct safety_memory_header header;
+	int res;
+	int ret = -1;
+
+	if (!found_state)
+		return -1001;
+
+	*found_state = safety_memory_get_header(&header);
+
+	switch (*found_state) {
+	case SAFETY_MEMORY_INIT_VALID_MEMORY:
+		/* Valid memory detected. Check CRC and error entries */
+		res = safety_memory_check();
+		if (res)
+			*found_state = SAFETY_MEMORY_INIT_CORRUPTED;
+		break;
+	case SAFETY_MEMORY_INIT_FRESH:
+		break;
+	case SAFETY_MEMORY_INIT_CORRUPTED:
+		break;
+	default:
+		*found_state = SAFETY_MEMORY_INIT_CORRUPTED;
+		break;
+	}
+
+	/* Check if memory header has to be written */
+	if (*found_state != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		safety_memory_write_new_header();
+		/* If yes, generate new CRC checksum */
+		res = safety_memory_gen_crc();
+		if (res)
+			ret = -100;
+		else
+			ret = 0;
+	} else {
+		ret = 0;
+	}
+
+	return ret;
+}
+
+int safety_memory_init(enum safety_memory_state *found_state)
+{
+
+	crc_unit_init();
+	backup_ram_init(true);
+
+	return safety_memory_reinit(found_state);
+}
+
+int safety_memory_get_boot_status(struct safety_memory_boot_status *status)
+{
+	struct safety_memory_header header;
+	int res;
+
+	if (!status)
+		return -1001;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	if (safety_memory_check_crc())
+		return -2001;
+
+	res = backup_ram_get_data(header.boot_status_offset, (uint32_t *)status, wordsize_of(*status));
+	if (res)
+		return -3000;
+	return 0;
+}
+
+int safety_memory_set_boot_status(const struct safety_memory_boot_status *status)
+{
+	struct safety_memory_header header;
+	int res;
+
+	if (!status)
+		return -1001;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	if (safety_memory_check_crc())
+		return -2001;
+
+	res = backup_ram_write_data(header.boot_status_offset, (uint32_t *)status, wordsize_of(*status));
+	res |= safety_memory_gen_crc();
+	if (res)
+		return -3000;
+
+	return 0;
+}
+
+static int safety_memory_check_error_entries()
+{
+	struct safety_memory_header header;
+	uint32_t addr;
+	uint32_t data;
+	int ret = 0;
+	int res;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	for (addr = header.err_memory_offset; addr < header.err_memory_end; addr++) {
+		res = backup_ram_get_data(addr, &data, 1UL);
+		if (res)
+			return -100;
+
+		/* Valid flag entry */
+		if ((data & 0xFF) == 0x51)
+			continue;
+		if (data == SAFETY_MEMORY_NOP_ENTRY)
+			continue;
+
+		ret--;
+	}
+
+	return ret;
+}
+
+int safety_memory_get_error_entry_count(uint32_t *count)
+{
+	struct safety_memory_header header;
+
+	if (!count)
+		return -1001;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	*count = header.err_memory_end - header.err_memory_offset;
+
+	return 0;
+}
+
+int safety_memory_check(void)
+{
+	int res;
+
+	res = safety_memory_check_crc();
+	if (!res) {
+		res |= safety_memory_check_error_entries();
+	}
+
+	return -!!res;
+}
+
+int safety_memory_get_error_entry(uint32_t idx, struct error_memory_entry *entry)
+{
+	struct safety_memory_header header;
+	uint32_t err_mem_count;
+	int ret = -1;
+	int res;
+	uint32_t data;
+
+	if (!entry)
+		return -1001;
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	err_mem_count = header.err_memory_end - header.err_memory_offset;
+	if (idx < err_mem_count && err_mem_count > 0) {
+		res = backup_ram_get_data(header.err_memory_offset + idx, &data, 1UL);
+		if (res)
+			goto return_value;
+
+		res = word_to_error_memory_entry(data, entry);
+		if (res)
+			goto return_value;
+		ret = 0;
+
+	} else {
+		/* out of range */
+		ret = -1001;
+	}
+
+return_value:
+	return ret;
+}
+
+int safety_memory_insert_error_entry(struct error_memory_entry *entry)
+{
+	int res;
+	int ret = -0xFFFF;
+	uint32_t addr;
+	uint32_t data;
+	bool found;
+	uint32_t input_data;
+	struct error_memory_entry current_entry;
+
+	struct safety_memory_header header;
+
+	input_data = error_memory_entry_to_word(entry);
+
+	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
+		return -2000;
+	}
+
+	if (entry->type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+		/* Append to end */
+		if ((header.err_memory_end + 1U) < backup_ram_get_size_in_words()) {
+			/* Still fits in memory */
+			backup_ram_write_data(header.err_memory_end, &input_data, 1UL);
+			header.err_memory_end++;
+			safety_memory_write_and_patch_header(&header);
+			safety_memory_gen_crc();
+			ret = 0;
+		}
+	} else if (entry->type == SAFETY_MEMORY_ERR_ENTRY_FLAG) {
+		found = false;
+		for (addr = header.err_memory_offset; addr < header.err_memory_end; addr++) {
+			res = backup_ram_get_data(addr, &data, 1UL);
+			if (res) {
+				ret = -1;
+				goto return_value;
+			}
+			res = word_to_error_memory_entry(data, &current_entry);
+			if (res) {
+				ret = -2;
+				goto return_value;
+			}
+
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG &&
+					current_entry.flag_num == entry->flag_num) {
+				found = true;
+				break;
+			}
+
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+				found = true;
+				break;
+			}
+		}
+
+		if (!found) {
+			/* No suitable place found in memory. Append */
+
+			if ((addr + 1) < backup_ram_get_size_in_words()) {
+				backup_ram_write_data(addr, &input_data, 1UL);
+				header.err_memory_end++;
+				safety_memory_write_and_patch_header(&header);
+			} else {
+				ret = -3;
+				goto return_value;
+			}
+		} else {
+			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
+				backup_ram_write_data(addr, &input_data, 1UL);
+			} else {
+				current_entry.counter += entry->counter;
+				if (current_entry.counter < entry->counter)
+					current_entry.counter = 0xFFFF;
+				data = error_memory_entry_to_word(&current_entry);
+				backup_ram_write_data(addr, &data, 1UL);
+			}
+		}
+
+		safety_memory_gen_crc();
+		ret = 0;
+
+	} else {
+		ret = -1001;
+	}
+
+return_value:
+	return ret;
+}
+
+int safety_memory_insert_config_override(struct config_override *config_override);
+
+int safety_memory_get_config_override_count(uint32_t *count);
+
+int safety_memory_get_config_override(uint32_t idx, struct config_override *config_override);
+
+int safety_memory_dump_base64(char *buffer, size_t buffsize, size_t *used_size)
+{
+	uint32_t safety_mem_size;
+	size_t output_size;
+	const char *backup_mem_ptr;
+	int res;
+
+	if (!buffer)
+		return -1000;
+
+	safety_mem_size = backup_ram_get_size_in_words() * 4U;
+	output_size = base64_calculate_encoded_size(safety_mem_size);
+
+	if (output_size + 1 > buffsize)
+		return -1001;
+
+	backup_mem_ptr = (const char *)backup_ram_get_base_ptr();
+	res = base64_encode(backup_mem_ptr, buffer, safety_mem_size, buffsize, &output_size);
+	if (res)
+		return -1;
+	buffer[output_size] = '\0';
+	if (used_size)
+		*used_size = output_size + 1u;
+	return 0;
+}

stm-firmware/safety/stack-check.c

@@ -0,0 +1,110 @@
+/* Reflow Oven Controller
+*
+* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+*
+* This file is part of the Reflow Oven Controller Project.
+*
+* The reflow oven controller is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation.
+*
+* The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with the reflow oven controller project.
+* If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <reflow-controller/safety/stack-check.h>
+#include <stdint.h>
+#include <stm-periph/rng.h>
+#include <stm-periph/crc-unit.h>
+
+extern char __ld_top_of_stack;
+extern char __ld_end_stack;
+
+int32_t stack_check_get_usage()
+{
+	uint32_t stack_top;
+	uint32_t stack_ptr;
+
+	stack_ptr = read_stack_pointer();
+	stack_top = (uint32_t)&__ld_top_of_stack;
+
+	return stack_top - stack_ptr;
+}
+
+int32_t stack_check_get_free()
+{
+	uint32_t upper_heap_boundary;
+	uint32_t stack_ptr;
+
+	stack_ptr = read_stack_pointer();
+	upper_heap_boundary = (uint32_t)&__ld_end_stack;
+
+	return stack_ptr - upper_heap_boundary;
+}
+
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Warray-bounds"
+
+extern uint32_t __ld_start_stack_corruption_detect_area;
+extern uint32_t __ld_end_stack_corruption_detect_area;
+
+int stack_check_init_corruption_detect_area(void)
+{
+	uint32_t *ptr = &__ld_start_stack_corruption_detect_area;
+	uint32_t *end_ptr = &__ld_end_stack_corruption_detect_area;
+	const uint32_t area_size_in_words = &__ld_end_stack_corruption_detect_area -
+						&__ld_start_stack_corruption_detect_area;
+	enum random_number_error rng_stat;
+	uint32_t rng_number;
+	uint32_t crc_val;
+	int ret = 0;
+
+	random_number_gen_init(false);
+
+	while (ptr < &end_ptr[-1]) {
+		rng_stat = random_number_gen_get_number(&rng_number, true);
+
+		if (rng_stat != RNG_ERROR_OK) {
+			ret = -1;
+			goto exit_deinit_rng;
+		}
+
+		*ptr = rng_number;
+		ptr++;
+	}
+
+	/* Init CRC unit and leave it on */
+	crc_unit_init();
+	crc_unit_reset();
+
+	crc_unit_input_array(&__ld_start_stack_corruption_detect_area, area_size_in_words - 1);
+	crc_val = crc_unit_get_crc();
+	end_ptr[-1] = crc_val;
+
+exit_deinit_rng:
+	random_number_gen_deinit();
+
+	return ret;
+}
+
+#pragma GCC diagnostic pop
+
+int stack_check_corruption_detect_area(void)
+{
+	const uint32_t area_size_in_words = &__ld_end_stack_corruption_detect_area -
+						&__ld_start_stack_corruption_detect_area;
+	crc_unit_reset();
+	crc_unit_input_array(&__ld_start_stack_corruption_detect_area, area_size_in_words);
+	if (crc_unit_get_crc() == 0UL) {
+		return 0;
+	} else {
+		return -1;
+	}
+}

stm-firmware/safety/watchdog.c

@@ -52,17 +52,17 @@ int watchdog_setup(uint8_t prescaler)
 	/** - Wait for the oscillator to be ready */
 	while (!(RCC->CSR & RCC_CSR_LSIRDY));
 
-	if (prescaler == 4)
+	if (prescaler == 4U)
 		prescaler_reg_val = 0UL;
-	else if (prescaler == 8)
+	else if (prescaler == 8U)
 		prescaler_reg_val = 1UL;
-	else if (prescaler == 16)
+	else if (prescaler == 16U)
 		prescaler_reg_val = 2UL;
-	else if (prescaler == 32)
+	else if (prescaler == 32U)
 		prescaler_reg_val = 3UL;
-	else if (prescaler == 64)
+	else if (prescaler == 64U)
 		prescaler_reg_val = 4UL;
-	else if (prescaler == 128)
+	else if (prescaler == 128U)
 		prescaler_reg_val = 5UL;
 	else
 		prescaler_reg_val = 6UL;

stm-firmware/settings/settings-sd-card.c

@@ -25,6 +25,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <config-parser/config-parser.h>
+
+static char workbuff[256];
 
 static void get_controller_folder_path(char *path, size_t size)
 {
@@ -46,7 +49,7 @@ static void get_controller_settings_path(char *path, size_t size, const char *se
 	char folder[48];
 
 	get_controller_folder_path(folder, sizeof(folder));
-	snprintf(path, size, "%s/%s.dat", folder, setting);
+	snprintf(path, size, "%s/%s.conf", folder, setting);
 }
 
 /**
@@ -79,104 +82,82 @@ static int create_controller_folder(void)
 	return ret;
 }
 
-static int read_settings_file_float(const char *path, float *value)
-{
-	FRESULT res;
-	FIL file;
-	int ret = 0;
-	char buff[32];
-	UINT read_count;
 
-	if (!value)
-		return -1002;
-
-	res = f_open(&file, path, FA_READ);
-	if (res == FR_OK) {
-		memset(buff, 0, sizeof(buff));
-		res = f_read(&file, buff, sizeof(buff)-1, &read_count);
-		if (res != FR_OK) {
-			ret = -1;
-			goto close_file;
-		}
-		*value = strtof(buff, NULL);
-close_file:
-		f_close(&file);
-	} else {
-		ret = -2;
-	}
-
-	return ret;
-}
 
 int sd_card_settings_save_calibration(float sens_deviation, float offset, bool active)
 {
-	int status;
-	char path[128];
-	char buff[64];
-	UINT bw;
-	FIL file;
-	FRESULT res;
+	char path[200];
+	FRESULT res = FR_OK;
 	int ret = 0;
+	FIL file;
 
-	status = create_controller_folder();
-	if (status < 0)
+	get_controller_settings_path(path, sizeof(path), "calibration");
+
+	if (create_controller_folder() < 0)
 		return -2;
 
-	get_controller_settings_path(path, sizeof(path), "offset");
-	if (active) {
-		res = f_open(&file, path, FA_CREATE_ALWAYS | FA_WRITE);
-		if (res != FR_OK) {
-			ret = -2;
-			goto exit_offset;
-		}
-
-		status = snprintf(buff, sizeof(buff), "%f\n", offset);
-		f_write(&file, buff, status, &bw);
-		f_close(&file);
-	} else {
-		f_unlink(path);
+	if (!active) {
+		res = f_unlink(path);
+		goto check_fresult;
 	}
-exit_offset:
-	get_controller_settings_path(path, sizeof(path), "sens");
-	if (active) {
-		res = f_open(&file, path, FA_CREATE_ALWAYS | FA_WRITE);
-		if (res != FR_OK) {
-			ret = -2;
-			goto exit_sens;
-		}
 
-		status = snprintf(buff, sizeof(buff), "%f\n", sens_deviation);
-		f_write(&file, buff, status, &bw);
-		f_close(&file);
-	} else {
-		f_unlink(path);
-	}
-exit_sens:
+	res = f_open(&file, path, FA_CREATE_ALWAYS | FA_WRITE);
+	if (res != FR_OK)
+		goto check_fresult;
+
+	snprintf(path, sizeof(path), "offset = %f\nsensitivity = %f\n", offset, sens_deviation);
+	ret = f_puts(path, &file);
+	if (ret < 0)
+		goto close_file;
+
+	ret = 0;
+
+close_file:
+	res = f_close(&file);
+check_fresult:
+	if (res != FR_OK)
+		return -2;
 	return ret;
 }
 
 int sd_card_settings_try_load_calibration(float *sens_deviation, float *offset)
 {
 	char path[128];
-	int status;
-	int ret = 0;
+	int status = -1;
+	struct config_parser parser;
+	config_parser_handle_t p;
+	enum config_parser_ret res;
+	struct config_parser_entry entry;
+	bool sens_loaded = false;
+	bool offset_loaded = false;
 
 	if (!sens_deviation || !offset)
 		return -1000;
 
-	get_controller_settings_path(path, sizeof(path), "offset");
-	status = read_settings_file_float(path, offset);
-	if (status) {
-		ret = status;
-		goto exit;
-	}
+	get_controller_settings_path(path, sizeof(path), "calibration");
+	p = config_parser_open_file(&parser, false, path, workbuff, sizeof(workbuff));
+	status = 0;
+	do {
+		res = config_parser_get_line(p, &entry);
+		if (res == CONFIG_PARSER_OK) {
+			if (!strcmp(entry.name, "offset") && entry.type == CONFIG_PARSER_TYPE_FLOAT) {
+				offset_loaded = true;
+				*offset = entry.value.float_val;
+			} else if (!strcmp(entry.name, "sensitivity") && entry.type == CONFIG_PARSER_TYPE_FLOAT) {
+				sens_loaded = true;
+				*sens_deviation = entry.value.float_val;
+			}
+		}
 
-	get_controller_settings_path(path, sizeof(path), "sens");
-	status = read_settings_file_float(path, sens_deviation);
-	if (status) {
-		ret = status;
-		goto exit;
-	}
-exit:
-	return ret;
+	} while (res != CONFIG_PARSER_END_REACHED &&
+		 res != CONFIG_PARSER_GENERIC_ERR &&
+		 res != CONFIG_PARSER_IOERR &&
+		 res != CONFIG_PARSER_PARAM_ERR);
+
+	config_parser_close_file(p);
+
+	if (sens_loaded && offset_loaded)
+		status = 0;
+
+	return status;
 }

stm-firmware/shell.c

@@ -33,11 +33,13 @@
 #include <reflow-controller/calibration.h>
 #include <reflow-controller/temp-converter.h>
 #include <fatfs/ff.h>
-#include <reflow-controller/stack-check.h>
+#include <reflow-controller/safety/stack-check.h>
 #include <reflow-controller/rotary-encoder.h>
 #include <reflow-controller/safety/safety-controller.h>
 #include <reflow-controller/settings/settings.h>
 #include <reflow-controller/button.h>
+#include <reflow-controller/safety/fault.h>
+#include <reflow-controller/safety/safety-memory.h>
 
 #ifndef GIT_VER
 #define GIT_VER "VERSION NOT SET"
@@ -48,6 +50,28 @@ static shellmatta_instance_t shell;
 static char shell_buffer[512];
 static char IN_SECTION(.ccm.bss) history_buffer[600];
 
+static bool check_opt(const char *args, uint32_t len, const char *opt_to_check)
+{
+	(void)len;
+	char str[128];
+	const char *ptr;
+	static const char * const tokens = "\t ";
+
+	strncpy(str, args, sizeof(str));
+	str[sizeof(str) - 1] = 0;
+
+	/* Tokenize the string */
+	ptr = strtok(str, tokens);
+
+	while (ptr) {
+		if (strcmp(ptr, opt_to_check) == 0)
+			return true;
+		ptr = strtok(NULL, tokens);
+	}
+
+	return false;
+}
+
 static shellmatta_retCode_t shell_cmd_ver(const shellmatta_handle_t   handle,
 					  const char                  *arguments,
 					  uint32_t                    length)
@@ -353,10 +377,15 @@ static shellmatta_retCode_t shell_cmd_read_flags(const shellmatta_handle_t handl
 	uint32_t i;
 	char name[64];
 	bool flag;
+	bool tryack;
 	int status;
+	enum safety_flag flag_enum;
 	struct analog_monitor_info amon_info;
 	struct timing_monitor_info timing_info;
 
+	/* Check for the --ack option */
+	tryack = check_opt(arguments, length, "--ack");
+
 	shellmatta_printf(handle, "Error flags\r\n"
 				  "-----------\r\n");
 
@@ -368,12 +397,15 @@ static shellmatta_retCode_t shell_cmd_read_flags(const shellmatta_handle_t handl
 			continue;
 		}
 
-		status = safety_controller_get_flag_by_index(i, &flag, NULL);
+		status = safety_controller_get_flag_by_index(i, &flag, &flag_enum);
 		if (status) {
 			shellmatta_printf(handle, "Error getting flag value %lu\r\n", i);
 			continue;
 		}
 
+		if (tryack)
+			safety_controller_ack_flag(flag_enum);
+
 		shellmatta_printf(handle, "\t%2lu) %-20s\t[%s]\r\n", i+1, name, (flag ? "\e[1;31mERR\e[m" : "\e[32mOK\e[m"));
 	}
 
@@ -402,7 +434,8 @@ static shellmatta_retCode_t shell_cmd_read_flags(const shellmatta_handle_t handl
 			shellmatta_printf(handle, "Inactive\r\n");
 		} else {
 			shellmatta_printf(handle, " valid from %-8.2f to %-8.2f", amon_info.min, amon_info.max);
-			shellmatta_printf(handle, "\tchecked %llu ms ago\r\n", systick_get_global_tick() - amon_info.timestamp);
+			shellmatta_printf(handle, "\tchecked %llu ms ago\r\n",
+					  systick_get_global_tick() - amon_info.timestamp);
 		}
 	}
 
@@ -501,6 +534,120 @@ static shellmatta_retCode_t shell_cmd_ui_emulation(const shellmatta_handle_t han
 	return SHELLMATTA_CONTINUE;
 }
 
+static shellmatta_retCode_t shell_cmd_panic(const shellmatta_handle_t handle, const char *arguments,
+					    uint32_t length)
+
+{
+	(void)handle;
+	(void)arguments;
+	(void)length;
+
+	panic_mode();
+
+	return SHELLMATTA_OK;
+}
+
+static char *get_safety_mem_dump(size_t *used_bytes)
+{
+	char *buffer;
+	int res;
+
+	buffer = (char *)malloc(5470);
+
+	res = safety_memory_dump_base64(buffer, 5470UL, used_bytes);
+	if (res) {
+		if (buffer)
+			free(buffer);
+		buffer = NULL;
+	}
+
+	return buffer;
+}
+
+static shellmatta_retCode_t shell_cmd_dump_safety_mem(const shellmatta_handle_t handle, const char *arguments,
+						      uint32_t length)
+{
+	static char *buffer;
+	static const char *ptr;
+	size_t used_bytes;
+	static size_t full_lines = 0;
+	static size_t current_line;
+	size_t remainder;
+	static const char *hline = "----------------------------------------------------------------";
+	char string[200];
+	const char *token;
+	const char * const token_delim = "\t ";
+	FRESULT fres;
+	FIL file;
+	UINT bw;
+
+	/* Check if the dump shall be stored to disk */
+	strncpy(string, arguments, MIN(sizeof(string), length+1));
+	string[sizeof(string) - 1] = '\0';
+
+	token = strtok(string, token_delim);
+	token = strtok(NULL, token_delim);
+
+	if (token) {
+		buffer = get_safety_mem_dump(&used_bytes);
+		if (!buffer) {
+			shellmatta_printf(handle, "Error generating dump");
+			return SHELLMATTA_OK;
+		}
+		fres = f_open(&file, token, FA_CREATE_NEW | FA_WRITE);
+		if (fres == FR_EXIST) {
+			free(buffer);
+			shellmatta_printf(handle, "File already esists!\r\n");
+			return SHELLMATTA_OK;
+		} else if (fres != FR_OK) {
+			free(buffer);
+			shellmatta_printf(handle, "Error opening file %s\r\n", token);
+			return SHELLMATTA_OK;
+		}
+
+		fres = f_write(&file, buffer, used_bytes - 1, &bw);
+		if (fres != FR_OK) {
+			shellmatta_printf(handle, "Error writing to file %s\r\n", token);
+		}
+		free(buffer);
+		f_close(&file);
+		return SHELLMATTA_OK;
+	}
+
+	if (full_lines == 0) {
+		shellmatta_printf(handle, "Safety memory content\r\n%s\r\n", hline);
+
+		buffer = get_safety_mem_dump(&used_bytes);
+		if (!buffer) {
+			shellmatta_printf(handle, "Error dumping memory!\r\n");
+			return SHELLMATTA_OK;
+		}
+
+		full_lines = (used_bytes - 1) / 64;
+		remainder = (used_bytes - 1) % 64;
+		if (remainder)
+			full_lines++;
+
+		ptr = buffer;
+		current_line = 0;
+		return SHELLMATTA_BUSY;
+	} else {
+		if (current_line < full_lines) {
+			shellmatta_printf(handle, "%.64s\r\n", ptr);
+			ptr += 64;
+			current_line++;
+		} else {
+			shellmatta_printf(handle, "%s\r\n", hline);
+			full_lines = 0;
+			if (buffer)
+				free(buffer);
+			buffer = NULL;
+			return SHELLMATTA_OK;
+		}
+	}
+	return SHELLMATTA_BUSY;
+}
+
 //typedef struct shellmatta_cmd
 //{
 //    char                    *cmd;       /**< command name                           */
@@ -510,7 +657,7 @@ static shellmatta_retCode_t shell_cmd_ui_emulation(const shellmatta_handle_t han
 //    shellmatta_cmdFct_t     cmdFct;     /**< pointer to the cmd callack function    */
 //    struct shellmatta_cmd   *next;      /**< pointer to next command or NULL        */
 //} shellmatta_cmd_t;
-static shellmatta_cmd_t cmd[16] = {
+static shellmatta_cmd_t cmd[18] = {
 	{
 		.cmd = "version",
 		.cmdAlias = "ver",
@@ -610,8 +757,8 @@ static shellmatta_cmd_t cmd[16] = {
 	{
 		.cmd = "safety-flags",
 		.cmdAlias = "flags",
-		.helpText = "",
-		.usageText = "",
+		.helpText = "Reads and may clear safety flags",
+		.usageText = "flags [--ack]",
 		.cmdFct = shell_cmd_read_flags,
 		.next = &cmd[13],
 	},
@@ -637,6 +784,22 @@ static shellmatta_cmd_t cmd[16] = {
 		.helpText = "",
 		.usageText = "",
 		.cmdFct = shell_cmd_ui_emulation,
+		.next = &cmd[16],
+	},
+	{
+		.cmd = "panic",
+		.cmdAlias = NULL,
+		.helpText = "Panic Mode!",
+		.usageText = "",
+		.cmdFct = shell_cmd_panic,
+		.next = &cmd[17],
+	},
+	{
+		.cmd = "safety-mem-dump",
+		.cmdAlias = NULL,
+		.helpText = "",
+		.usageText = "safety-mem-dump [output-file]",
+		.cmdFct = shell_cmd_dump_safety_mem,
 		.next = NULL,
 	},
 };

stm-firmware/stack-check.c

@@ -1,47 +0,0 @@
-/* Reflow Oven Controller
-*
-* Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
-*
-* This file is part of the Reflow Oven Controller Project.
-*
-* The reflow oven controller is free software: you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
-*
-* The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with the reflow oven controller project.
-* If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include <reflow-controller/stack-check.h>
-#include <stdint.h>
-
-extern char __ld_top_of_stack;
-extern char __ld_eheap;
-
-int32_t stack_check_get_usage()
-{
-	uint32_t stack_top;
-	uint32_t stack_ptr;
-
-	stack_ptr = read_stack_pointer();
-	stack_top = (uint32_t)&__ld_top_of_stack;
-
-	return stack_top - stack_ptr;
-}
-
-int32_t stack_check_get_free()
-{
-	uint32_t upper_heap_boundary;
-	uint32_t stack_ptr;
-
-	stack_ptr = read_stack_pointer();
-	upper_heap_boundary = (uint32_t)&__ld_eheap;
-
-	return stack_ptr - upper_heap_boundary;
-}

stm-firmware/stm-periph/backup-ram.c

@@ -21,34 +21,94 @@
 #include <stm-periph/backup-ram.h>
 #include <stm-periph/clock-enable-manager.h>
 #include <stm32/stm32f4xx.h>
+#include <helper-macros/helper-macros.h>
 
-void backup_ram_init()
+#define BACKUP_RAM_BASE BKPSRAM_BASE
+#define BACKUP_RAM_SIZE 4096U
+#define BACKUP_RAM_SIZE_WORDS (BACKUP_RAM_SIZE / 4U)
+#define BACKUP_RAM_END_ADDR (BACKUP_RAM_BASE + BACKUP_RAM_SIZE - 1U)
+
+#define backup_ram ((volatile uint32_t *)BACKUP_RAM_BASE)
+
+#if !is_power_of_two(BACKUP_RAM_SIZE)
+#error "Backup RAM size ahs to be a power of two!"
+#endif
+
+void backup_ram_init(bool use_backup_regulator)
 {
 	rcc_manager_enable_clock(&RCC->APB1ENR, BITMASK_TO_BITNO(RCC_APB1ENR_PWREN));
 
 	/* Enable access to backup RAM register set */
 	PWR->CR |= PWR_CR_DBP;
 
+	if (use_backup_regulator) {
+		/* Enable the backup regulator */
+		PWR->CSR |= PWR_CSR_BRE;
+
+		/* Wait until regulator is ready */
+		while (!(PWR->CSR & PWR_CSR_BRR));
+	}
+
 	/* Enable clock for backup ram interface */
 	rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_BKPSRAMEN));
 }
 
-void backup_ram_disable()
+void backup_ram_disable(void)
 {
+	/* Disable access to backup RAM register set */
+	PWR->CR &= ~PWR_CR_DBP;
 	rcc_manager_disable_clock(&RCC->APB1ENR, BITMASK_TO_BITNO(RCC_APB1ENR_PWREN));
+	rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_BKPSRAMEN));
 }
 
-void backup_ram_wipe()
+void backup_ram_wipe(void)
 {
+	uint32_t i;
 
+	for (i = 0; i < BACKUP_RAM_SIZE_WORDS; i++)
+		backup_ram[i] = 0UL;
 }
 
-int backup_ram_get_data(uint32_t addr, uint32_t *data)
+int backup_ram_get_data(uint32_t addr, uint32_t *data, uint32_t count)
 {
+	volatile uint32_t *ptr;
 
+	if (!data)
+		return -1002;
+	if (addr >= BACKUP_RAM_SIZE_WORDS)
+		return -1001;
+
+	ptr = &backup_ram[addr];
+
+	for (; count > 0; count--)
+		*(data++) = *(ptr++);
+
+	return 0;
 }
 
-int backup_ram_write_data(uint32_t addr, uint32_t data)
+int backup_ram_write_data(uint32_t addr, const uint32_t *data, uint32_t count)
 {
+	volatile uint32_t *ptr;
 
+	if (!data)
+		return -1002;
+	if (addr >= BACKUP_RAM_SIZE_WORDS)
+		return -1001;
+
+	ptr = &backup_ram[addr];
+
+	for (; count > 0; count--)
+		*(ptr++) = *(data++);
+
+	return 0;
+}
+
+uint32_t backup_ram_get_size_in_words(void)
+{
+	return (uint32_t)BACKUP_RAM_SIZE_WORDS;
+}
+
+volatile void *backup_ram_get_base_ptr(void)
+{
+	return backup_ram;
 }

stm-firmware/stm-periph/crc-unit.c

@@ -0,0 +1,59 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * GDSII-Converter is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stm-periph/crc-unit.h>
+#include <stm-periph/clock-enable-manager.h>
+#include <stm32/stm32f4xx.h>
+
+void crc_unit_init(void)
+{
+	rcc_manager_enable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_CRCEN));
+	crc_unit_reset();
+}
+
+void crc_unit_deinit(void)
+{
+	rcc_manager_disable_clock(&RCC->AHB1ENR, BITMASK_TO_BITNO(RCC_AHB1ENR_CRCEN));
+}
+
+void crc_unit_reset(void)
+{
+	CRC->CR = CRC_CR_RESET;
+}
+
+uint32_t crc_unit_get_crc(void)
+{
+	return CRC->DR;
+}
+
+void crc_unit_input(uint32_t data)
+{
+	CRC->DR = data;
+}
+
+void crc_unit_input_array(const uint32_t *data, uint32_t len)
+{
+	uint32_t i;
+
+	if (!data)
+		return;
+	for (i = 0; i < len; i++)
+		crc_unit_input(data[i]);
+}

stm-firmware/stm-periph/rng.c

@@ -0,0 +1,70 @@
+/* Reflow Oven Controller
+ *
+ * Copyright (C) 2020  Mario Hüttel <mario.huettel@gmx.net>
+ *
+ * This file is part of the Reflow Oven Controller Project.
+ *
+ * The reflow oven controller is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * The Reflow Oven Control Firmware is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with the reflow oven controller project.
+ * If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stm-periph/rng.h>
+#include <stm-periph/clock-enable-manager.h>
+#include <stm32/stm32f4xx.h>
+
+void random_number_gen_init(bool int_enable)
+{
+	rcc_manager_enable_clock(&RCC->AHB2ENR, BITMASK_TO_BITNO(RCC_AHB2ENR_RNGEN));
+	__DSB();
+
+	random_number_gen_reset(int_enable);
+}
+
+void random_number_gen_deinit()
+{
+	RNG->CR = 0;
+	__DSB();
+	rcc_manager_disable_clock(&RCC->AHB2ENR, BITMASK_TO_BITNO(RCC_AHB2ENR_RNGEN));
+}
+
+void random_number_gen_reset(bool int_en)
+{
+	RNG->CR = 0;
+	__DSB();
+	RNG->CR = RNG_CR_RNGEN | (int_en ? RNG_CR_IE : 0U);
+}
+
+enum random_number_error random_number_gen_get_number(uint32_t *random_number, bool wait_for_valid_value)
+{
+	bool value_ready;
+
+	if (!(RNG->CR & RNG_CR_RNGEN))
+		return RNG_ERROR_INACT;
+
+	if (RNG->SR & RNG_SR_SEIS || RNG->SR & RNG_SR_CEIS) {
+		/* Error detected */
+		return RNG_ERROR_INTERNAL_ERROR;
+	}
+
+	/* Check if the value is ready. Wait if wait_for_valid_value is true */
+	do {
+		value_ready = !!(RNG->SR & RNG_SR_DRDY);
+	} while (!value_ready && wait_for_valid_value);
+
+	/* If the value is valid, return it */
+	if (value_ready && random_number)
+		*random_number = RNG->DR;
+
+	/* Return from function with proper status */
+	return (value_ready ? RNG_ERROR_OK : RNG_ERROR_NOT_READY);
+}

stm-firmware/stm32f407vet6_flash.ld

@@ -24,7 +24,8 @@
 
 /* USER PARAMETERS */
 __ld_stack_size = 0x3000;
-__ld_heap_size  = 0x2100;
+__ld_heap_size  = 0x4200;
+__stack_corruption_area_size = 128;
 
 /* END OF USER PARAMETERS */
 ENTRY(Reset_Handler)
@@ -150,6 +151,12 @@ SECTIONS
 		__ld_sheap = .;
 		. = . + __ld_heap_size;
 		__ld_eheap = .;
+		. = ALIGN(4);
+		__ld_start_stack_corruption_detect_area = .;
+		. = . + __stack_corruption_area_size;
+		. = ALIGN(4);
+		__ld_end_stack_corruption_detect_area = .;
+		__ld_end_stack = .;
 		. = . + __ld_stack_size;
 		. = ALIGN(4);
 	} >RAM

stm-firmware/ui/menu.c

@@ -86,7 +86,7 @@ void menu_entry_enter(struct lcd_menu *menu, menu_func_t entry, bool handle_imme
 	menu->active_entry = entry;
 
 	if (handle_immediately)
-		menu_handle(menu, menu->inputs.rotary_encoder_delta, menu->inputs.push_button);
+		menu_handle(menu, 0, menu->inputs.push_button);
 }
 
 void menu_lcd_output(struct lcd_menu *menu, uint8_t row_num, const char *text)