Issue #15 : Implement safety weight table

* CRC protected flag weight table. * Currently only filled with dummy values. Has to be finished in issue #5 * Config overrides from safety memor ynot yet implemented
Merge branch 'issue/18-Backup-RAM' into issue/15-safety-controller-hardening
2020-09-06 21:05:00 +02:00 · 2020-09-06 19:54:09 +02:00 · 2020-09-06 19:45:45 +02:00 · 2020-09-06 01:40:10 +02:00 · 2020-09-05 20:31:23 +02:00
4 changed files with 328 additions and 50 deletions
--- a/stm-firmware/include/helper-macros/helper-macros.h
+++ b/stm-firmware/include/helper-macros/helper-macros.h
@ -30,6 +30,7 @@
 #define CONCAT(x,y) x##y
 #define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x])))))
 #define wordsize_of(x) ((sizeof(x) / 4U) / ((sizeof(x) % 4U) ? 0U : 1U))
 #define MIN(a,b) (((a) < (b)) ? (a) : (b))
 #define MAX(a,b) (((a) > (b)) ? (a) : (b))
--- a/stm-firmware/include/reflow-controller/safety/safety-memory.h
+++ b/stm-firmware/include/reflow-controller/safety/safety-memory.h
@ -23,6 +23,10 @@
 #include <stdint.h>
 /** @addtogroup safety-memory
 * @{
 */
 /**
 * @brief Magic number to signal a valid safety memory header.
 */
@ -81,23 +85,37 @@ struct safety_memory_boot_status {
 	uint32_t reset_from_panic;
 };
 /**
 * @brief The state of the safety memory
 *
 * This is returned by certain functions in order to signal, if the header and CRC infos are valid.
 */
 enum safety_memory_state {
-	SAFETY_MEMORY_INIT_FRESH = 0,
+	SAFETY_MEMORY_INIT_FRESH = 0,		/**< @brief Memory header not found */
-	SAFETY_MEMORY_INIT_CORRUPTED = 1,
+	SAFETY_MEMORY_INIT_CORRUPTED = 1,	/**< @brief Header found, but corrupt memory */
-	SAFETY_MEMORY_INIT_VALID_MEMORY = 2,
+	SAFETY_MEMORY_INIT_VALID_MEMORY = 2,	/**< @brief Valid header found and CRC check is valid */
 };
 /**
 * @brief Types of error memory entries
 */
 enum safety_memory_error_entry_type {
-	SAFETY_MEMORY_ERR_ENTRY_FLAG = 1,
+	SAFETY_MEMORY_ERR_ENTRY_FLAG = 1,	/**< @brief Flag error entry. Logs a flag */
-	SAFETY_MEMORY_ERR_ENTRY_NOP = 2,
+	SAFETY_MEMORY_ERR_ENTRY_NOP = 2,	/**< @brief NOP entry. Has no meaning, but will be treated as a valid entry */
 };
 /**
 * @brief Firmware internal representation of an error memory entry.
 */
 struct error_memory_entry {
 	enum safety_memory_error_entry_type type;
 	uint8_t flag_num;
 	uint16_t counter;
 };
 /**
 * @brief Types of conig override entries
 */
 enum config_override_entry_type {
 	SAFETY_MEMORY_CONFIG_OVERRIDE_WEIGHT = 1,
 	SAFETY_MEMORY_CONFIG_OVERRIDE_PERSISTANCE = 2,
@ -106,10 +124,10 @@ enum config_override_entry_type {
 /**
 * @brief Weights of error flags.
 */
-enum config_override_weight {
+enum config_weight {
-	SAFETY_MEMORY_CONFIG_WEIGHT_NONE = 0, /**< @brief This flag has no global error consequence, but might be respected by certain software modules. */
+	SAFETY_FLAG_CONFIG_WEIGHT_NONE = 0, /**< @brief This flag has no global error consequence, but might be respected by certain software modules. */
-	SAFETY_MEMORY_CONFIG_WEIGHT_PID = 1, /**< @brief This flag will force a stop of the temperature PID controller */
+	SAFETY_FLAG_CONFIG_WEIGHT_PID = 1, /**< @brief This flag will force a stop of the temperature PID controller */
-	SAFETY_MEMORY_CONFIG_WEIGHT_PANIC = 2, /**< @brief This flag will trigger the panic mode */
+	SAFETY_FLAG_CONFIG_WEIGHT_PANIC = 2, /**< @brief This flag will trigger the panic mode */
 };
 /**
@ -120,7 +138,7 @@ struct config_override {
 	union {
 		struct {
 			uint8_t flag;
-			uint8_t weight;
+			enum config_weight weight;
 		} weight_override;
 		struct {
 			uint8_t flag;
@ -129,26 +147,104 @@ struct config_override {
 	} entry;
 };
 /**
 * @brief First time init the safety memory. This requests all clocks etc.
 *
 * The error memory is always vlaid after this function. At least, if it returns without error.
 * The \p found_state output tells the caller, in which state the memory was found. If it was uninitialized,
 * or corrupted, it is completely wiped and a fresh memory structure is written.
 *
 * @param[out] found_state State the error memory was found in
 * @return 0 if successful
 * @warning Also check @ref safety_memory_reinit
 */
 int safety_memory_init(enum safety_memory_state *found_state);
 /**
 * @brief Same as @ref safety_memory_init, but without specifically requesting the clock modules.
 *
 * Use this, if a call to @ref safety_memory_init has already been done.
 *
 * @param[out] found_state State the error memory was found in
 * @return 0 if successful
 */
 int safety_memory_reinit(enum safety_memory_state *found_state);
 /**
 * @brief Get the boot status structure from safety memory
 * @param[out] status Status read from memory.
 * @return 0 if successful
 */
 int safety_memory_get_boot_status(struct safety_memory_boot_status *status);
 /**
 * @brief Write the boot status structure to safety memory
 * @param[in] status Status to write
 * @return 0 if successful
 */
 int safety_memory_set_boot_status(const struct safety_memory_boot_status *status);
 /**
 * @brief Get the amout of error entries in the error memory. This also includes NOP entries.
 * @param[out] count Count
 * @return 0 if successful
 */
 int safety_memory_get_error_entry_count(uint32_t *count);
 /**
 * @brief Check the header and CRC of the safety memory.
 * @return 0 if all checks pass
 */
 int safety_memory_check(void);
 /**
 * @brief Read an error entry from the error memory
 * @param idx Index of the entry
 * @param[out] entry Error entry
 * @return 0 if successful
 */
 int safety_memory_get_error_entry(uint32_t idx, struct error_memory_entry *entry);
 /**
 * @brief Insert an error entry
 *
 * This function inserts an error entry on the first NOP entry found in the error memory.
 * If an entry is found with the same flag number, its counter is incremented by the counter value of the
 * element to insert.
 *
 * If there are no NOPs or fitting entries in the error memory, error memory is expanded until it hits the memory
 * boundary.
 *
 * @param entry Error entry to insert
 * @returns 0 if successful, -3 if out of memory, and other negative error codes
 */
 int safety_memory_insert_error_entry(struct error_memory_entry *entry);
 /**
 * @brief Insert a config override entry at the first free location.
 *
 * Free locations are entries containing 0x00000000
 *
 * @param config_override Config to write
 * @return 0 if successful
 */
 int safety_memory_insert_config_override(struct config_override *config_override);
 /**
 * @brief Get count of config overrides
 * @param[out] count Number of overrides
 * @return 0 if successful
 */
 int safety_memory_get_config_override_count(uint32_t *count);
 /**
 * @brief Get a config ovveide entry
 * @param idx Index of the requested entry
 * @param[out] config_override READ override
 * @return 0 if successful
 */
 int safety_memory_get_config_override(uint32_t idx, struct config_override *config_override);
 #endif /* __SAFETY_MEMORY_H__ */
 /** @} */
--- a/stm-firmware/safety/safety-controller.c
+++ b/stm-firmware/safety/safety-controller.c
@ -29,6 +29,7 @@
 #include <reflow-controller/safety/safety-adc.h>
 #include <reflow-controller/stack-check.h>
 #include <helper-macros/helper-macros.h>
 #include <stm-periph/crc-unit.h>
 #include <reflow-controller/systick.h>
 #include <reflow-controller/safety/fault.h>
 #include <stm32/stm32f4xx.h>
@ -36,7 +37,7 @@
 #include <stddef.h>
 #include <string.h>
 #include <reflow-controller/safety/safety-memory.h>
-#include <helper-macros/helper-macros.h>s
+#include <helper-macros/helper-macros.h>
 struct error_flag {
 	const char *name;
@ -70,20 +71,17 @@ struct analog_mon {
 };
 struct safety_weight {
-	enum config_override_weight weight;
+	uint32_t start_dummy;
 	enum config_weight weight;
 	enum safety_flag flag;
 	volatile struct error_flag *flag_ptr;
 	uint32_t end_dummy;
 };
 #ifdef COUNT_OF
 #undef COUNT_OF
 #endif
 #define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x])))))
 #define ERR_FLAG_ENTRY(errflag, persistency) {.name=#errflag, .flag = (errflag), .error_state = false, .error_state_inv = true, .persistent = (persistency), .key = 0UL}
 #define TIM_MON_ENTRY(mon, min, max, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min_delta = (min), .max_delta = (max), .last = 0ULL, .enabled= false}
 #define ANA_MON_ENTRY(mon, min_value, max_value, flag) {.name=#mon, .monitor = (mon), .associated_flag=(flag), .min = (min_value), .max = (max_value), .value = 0.0f, .valid = false}
-#define ERR_FLAG_WEIGTH()
+#define ERR_FLAG_WEIGHT_ENTRY(_flag, _weight) {.flag = (_flag), .flag_ptr = NULL, .weight = (_weight), .start_dummy = 0x11823344, .end_dummy = 0xAABBCCFD}
 static volatile struct error_flag IN_SECTION(.ccm.data) flags[] = {
 	ERR_FLAG_ENTRY(ERR_FLAG_MEAS_ADC_OFF, false),
@ -118,8 +116,73 @@ static volatile struct analog_mon IN_SECTION(.ccm.data) analog_mons[] = {
 		      ERR_FLAG_AMON_UC_TEMP),
 };
-static volatile struct safety_weight IN_SECTION(.ccm.data) flag_weigths[] = {
+static const struct safety_weight default_flag_weights[] = {
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_OFF, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_WATCHDOG, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_UNSTABLE, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_MEAS_ADC_OVERFLOW, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_MEAS_ADC, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_PID, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_AMON_UC_TEMP, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_AMON_VREF, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_STACK, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SAFETY_ADC, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SYSTICK, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_WTCHDG_FIRED, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_UNCAL, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_DEBUG, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_TIMING_MAIN_LOOP, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 	ERR_FLAG_WEIGHT_ENTRY(ERR_FLAG_SAFETY_MEM_CORRUPT, SAFETY_FLAG_CONFIG_WEIGHT_NONE),
 };
 static volatile struct safety_weight IN_SECTION(.ccm.bss) flag_weights[COUNT_OF(default_flag_weights)];
 static uint32_t IN_SECTION(.ccm.data) flag_weight_crc;
 static int flag_weight_table_crc_check(void)
 {
 	/* Check the flag weight table */
 	crc_unit_reset();
 	crc_unit_input_array((uint32_t *)flag_weights, wordsize_of(flag_weights));
 	if (crc_unit_get_crc() != flag_weight_crc)
 		return -1;
 	return 0;
 }
 static volatile struct error_flag *find_error_flag(enum safety_flag flag)
 {
 	uint32_t i;
 	volatile struct error_flag *ret = NULL;
 	for (i = 0; i < COUNT_OF(flags); i++) {
 		if (flags[i].flag == flag)
 			ret = &flags[i];
 	}
 	return ret;
 }
 /**
 * @brief This function copies the safety weigths from flash ro RAM and computes the CRC
 */
 static void init_safety_flag_weight_table_from_default(void)
 {
 	uint32_t index;
 	volatile struct safety_weight *current_weight;
 	/* Copy the table */
 	memcpy((void *)flag_weights, default_flag_weights, wordsize_of(flag_weights));
 	/* Fill in the flag pointers */
 	for (index = 0; index < COUNT_OF(flag_weights); index++) {
 		current_weight = &flag_weights[index];
 		current_weight->flag_ptr = find_error_flag(current_weight->flag);
 	}
 	crc_unit_reset();
 	crc_unit_input_array((uint32_t*)flag_weights, wordsize_of(flag_weights));
 	flag_weight_crc = crc_unit_get_crc();
 }
 static bool error_flag_get_status(const volatile struct error_flag *flag)
@ -157,19 +220,6 @@ static volatile struct timing_mon *find_timing_mon(enum timing_monitor mon)
 	return ret;
 }
 static volatile struct error_flag *find_error_flag(enum safety_flag flag)
 {
 	uint32_t i;
 	volatile struct error_flag *ret = NULL;
 	for (i = 0; i < COUNT_OF(flags); i++) {
 		if (flags[i].flag == flag)
 			ret = &flags[i];
 	}
 	return ret;
 }
 static void safety_controller_process_active_timing_mons()
 {
 	uint32_t i;
@ -188,7 +238,7 @@ static void safety_controller_process_active_timing_mons()
 	}
 }
-static void safety_controller_process_checks()
+static void safety_controller_process_monitor_checks()
 {
 	static bool startup_completed = false;
 	enum analog_monitor_status amon_state;
@ -218,15 +268,30 @@ int safety_controller_report_error_with_key(enum safety_flag flag, uint32_t key)
 {
 	uint32_t i;
 	int ret = -1;
 	bool old_state;
 	int res;
 	struct error_memory_entry err_mem_entry;
 	for (i = 0; i < COUNT_OF(flags); i++) {
 		if (flags[i].flag & flag) {
 			old_state = flags[i].error_state;
 			flags[i].error_state = true;
 			flags[i].error_state_inv = !flags[i].error_state;
 			flags[i].key = key;
 			if (flags[i].persistent && !old_state) {
 				err_mem_entry.counter = 1;
 				err_mem_entry.flag_num = i;
 				err_mem_entry.type = SAFETY_MEMORY_ERR_ENTRY_FLAG;
 				res = safety_memory_insert_error_entry(&err_mem_entry);
 				if (res) {
 					ret = -12;
 				}
 			} else {
 				ret = 0;
 			}
 		}
 	}
 	return ret;
 }
@ -278,6 +343,12 @@ void safety_controller_init()
 		/* Trigger panic mode! */
 		panic_mode();
 	}
 	/* This is usually done by the safety memory already. But, since this module also uses the CRC... */
 	crc_unit_init();
 	init_safety_flag_weight_table_from_default();
 	if (found_memory_state == SAFETY_MEMORY_INIT_CORRUPTED)
 		safety_controller_report_error(ERR_FLAG_SAFETY_MEM_CORRUPT);
@ -349,35 +420,39 @@ static void safety_controller_handle_safety_adc()
 	}
 }
-static void safety_controller_handle_safety_memory_check(void)
+/**
 * @brief Check the memory structures.
 * @return 0 if okay, != 0 when an error was detected. PANIC mode shall be entered in this case.
 */
 static int safety_controller_handle_memory_checks(void)
 {
 	static uint64_t ts = 0;
 	enum safety_memory_state found_state;
 	int panic_request = 0;
-	if (systick_ticks_have_passed(ts, 5000)) {
+	if (systick_ticks_have_passed(ts, 1000)) {
 		ts = systick_get_global_tick();
 		/* Check the safety memory */
 		if (safety_memory_check()) {
-			safety_memory_reinit(&found_state);
+			(void)safety_memory_reinit(&found_state);
 			if (found_state != SAFETY_MEMORY_INIT_VALID_MEMORY) {
 				safety_controller_report_error(ERR_FLAG_SAFETY_MEM_CORRUPT);
 			}
 		}
 		panic_request = flag_weight_table_crc_check();
 	}
 	return panic_request;
 }
-int safety_controller_handle()
+static void safety_controller_do_systick_checking()
 {
 	static uint64_t last_systick;
 	static uint32_t same_systick_cnt = 0UL;
 	uint64_t systick;
 	int ret = 0;
 	safety_controller_check_stack();
 	safety_controller_handle_safety_adc();
 	safety_controller_handle_safety_memory_check();
 	systick = systick_get_global_tick();
 	if (systick == last_systick) {
 		same_systick_cnt++;
@ -387,8 +462,24 @@ int safety_controller_handle()
 		same_systick_cnt = 0UL;
 	}
 	last_systick = systick;
 }
-	safety_controller_process_checks();
+int safety_controller_handle()
 {
 	int panic_requested;
 	int ret = 0;
 	safety_controller_check_stack();
 	safety_controller_handle_safety_adc();
 	panic_requested = safety_controller_handle_memory_checks();
 	/* Panic here. If our internal structures are broken, we cannot be sure of anything anymore */
 	if (panic_requested)
 		panic_mode();
 	safety_controller_do_systick_checking();
 	safety_controller_process_monitor_checks();
 	/* TODO: Check flags for PID and HALT */
 	ret |= watchdog_ack(WATCHDOG_MAGIC_KEY);
--- a/stm-firmware/safety/safety-memory.c
+++ b/stm-firmware/safety/safety-memory.c
@ -19,11 +19,10 @@
 */
 #include <reflow-controller/safety/safety-memory.h>
 #include <helper-macros/helper-macros.h>
 #include <stm-periph/crc-unit.h>
 #include <stm-periph/backup-ram.h>
 #define wordsize_of(x) ((sizeof(x) / 4U) / ((sizeof(x) % 4U) ? 0U : 1U))
 static int word_to_error_memory_entry(uint32_t entry_data, struct error_memory_entry *out)
 {
 	int ret = 0;
@ -107,6 +106,11 @@ return_val:
 	return ret;
 }
 static void safety_memory_write_header(const struct safety_memory_header *header)
 {
 	backup_ram_write_data(0UL, (uint32_t *)header, wordsize_of(*header));
 }
 static void safety_memory_write_new_header(void)
 {
 	struct safety_memory_header header;
@ -120,7 +124,7 @@ static void safety_memory_write_new_header(void)
 	header.magic_i = ~SAFETY_MEMORY_MAGIC;
 	backup_ram_wipe();
-	backup_ram_write_data(0UL, (uint32_t *)&header, wordsize_of(header));
+	safety_memory_write_header(&header);
 }
 static int safety_memory_check_crc()
@ -371,7 +375,93 @@ return_value:
 	return ret;
 }
-int safety_memory_insert_error_entry(struct error_memory_entry *entry);
+int safety_memory_insert_error_entry(struct error_memory_entry *entry)
 {
 	int res;
 	int ret = -0xFFFF;
 	uint32_t addr;
 	uint32_t data;
 	bool found;
 	uint32_t input_data;
 	struct error_memory_entry current_entry;
 	struct safety_memory_header header;
 	input_data = error_memory_entry_to_word(entry);
 	if (safety_memory_get_header(&header) != SAFETY_MEMORY_INIT_VALID_MEMORY) {
 		return -2000;
 	}
 	if (entry->type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
 		/* Append to end */
 		if ((header.err_memory_end + 1U) < backup_ram_get_size_in_words()) {
 			/* Still fits in memory */
 			backup_ram_write_data(header.err_memory_end, &input_data, 1UL);
 			header.err_memory_end++;
 			safety_memory_write_header(&header);
 			safety_memory_gen_crc();
 			ret = 0;
 		}
 	} else if (entry->type == SAFETY_MEMORY_ERR_ENTRY_FLAG) {
 		found = false;
 		for (addr = header.err_memory_offset; addr < header.err_memory_end; addr++) {
 			res = backup_ram_get_data(addr, &data, 1UL);
 			if (res) {
 				ret = -1;
 				goto return_value;
 			}
 			res = word_to_error_memory_entry(data, &current_entry);
 			if (res) {
 				ret = -2;
 				goto return_value;
 			}
 			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_FLAG &&
 					current_entry.flag_num == entry->flag_num) {
 				found = true;
 				break;
 			}
 			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
 				found = true;
 				break;
 			}
 		}
 		if (!found) {
 			/* No suitable place found in memory. Append */
 			if ((addr + 1) < backup_ram_get_size_in_words()) {
 				backup_ram_write_data(addr, &input_data, 1UL);
 				header.err_memory_end++;
 				safety_memory_write_header(&header);
 			} else {
 				ret = -3;
 				goto return_value;
 			}
 		} else {
 			if (current_entry.type == SAFETY_MEMORY_ERR_ENTRY_NOP) {
 				backup_ram_write_data(addr, &input_data, 1UL);
 			} else {
 				current_entry.counter += entry->counter;
 				if (current_entry.counter < entry->counter)
 					current_entry.counter = 0xFFFF;
 				data = error_memory_entry_to_word(&current_entry);
 				backup_ram_write_data(addr, &data, 1UL);
 			}
 		}
 		safety_memory_gen_crc();
 		ret = 0;
 	} else {
 		ret = -1001;
 	}
 return_value:
 	return ret;
 }
 int safety_memory_insert_config_override(struct config_override *config_override);
Author	SHA1	Message	Date
Mario Hüttel	403786e0c6	Issue #15 : Implement safety weight table * CRC protected flag weight table. * Currently only filled with dummy values. Has to be finished in issue #5 * Config overrides from safety memor ynot yet implemented	2020-09-06 21:05:00 +02:00
Mario Hüttel	192bcf01f6	Merge branch 'issue/18-Backup-RAM' into issue/15-safety-controller-hardening	2020-09-06 19:54:09 +02:00
Mario Hüttel	910037a562	Issue #18 : Write doxygen headers for safety memory	2020-09-06 19:45:45 +02:00
Mario Hüttel	6232e2f330	Issue #18 : Store permanent errors in safety backup RAM	2020-09-06 01:40:10 +02:00
Mario Hüttel	7ea0e73869	Merge branch 'issue/15-safety-controller-hardening' into issue/18-Backup-RAM	2020-09-05 20:31:23 +02:00