test-access-public/tasks__pre__startup_8c_source.html

// Standard Library Includes

#include <stdbool.h>

#include <stdint.h>


// Framework Includes

#include <define_error_inject_reset.h>

#include <midware_cpu_manager_diag.h>

#include <midware_error_manager.h>

#include <midware_memory_manager.h>

#include <midware_reset_manager.h>

#include <midware_watchdog_manager_diag.h>

#include <tasks_config.h>

#include <tasks_pre_startup.h>


typedef enum

{

    FSM_STATE_START    = ERRINJ_RESET_NONE,

    FSM_STATE_CONTINUE = ERRINJ_RESET_CPU,

    FSM_STATE_COMPLETE = ERRINJ_RESET_WDT,

    FSM_STATE_CORRUPT  = ERRINJ_RESET_CORRUPT

} fsmState_t;


// Private function prototypes

static errInjectReset_t DetermineErrorInjection(resetReason_t reason);

static fsmState_t DetermineState(void);

static void RunDiagSwdtExpire(void);

static void ResetFsm(void);

static void AbortFsm(void);


void T_EnsureSafeState(void)

{

    errFlag_t flag = MW_CheckIoSafe();


    // I/O Pins not floated (tri-Stated)

    bool isIoUnsafe = (flag != NO_ERROR);

    if (isIoUnsafe)

    {

        MW_EnableForceFloat(); // Force tri-stating of all I/O pins

        MW_StorePersistentFlag(PFLAG_IO_FLOAT_FAULT, isIoUnsafe);

    }

    else

    {

        /* Intentional misra-c2012-2.2/14.3 deviation */

        if (STRICT_SAFE_STATE == ENABLED)

        {

            MW_EnableForceFloat();

        }

    }

}


void T_DetermineResetReason(void)

{

    resetReason_t reason         = MW_GetClearResetReason();

    errInjectReset_t errInjState = DetermineErrorInjection(reason);


    /*

     * Only store the reset reason if it is the true reset reason and not an error injection as part

     * of the pre-startup sequence

     */

    if (errInjState != ERRINJ_RESET_NONE)

    {

        uint8_t errInjStateVal = (uint8_t)errInjState;

        // Store reason for reset due to error injection, to complete the pre-startup sequence

        MW_StorePersistentVal(PVAL_ERRINJ_REASON, errInjStateVal);

    }

    else

    {

        uint8_t reasonVal = (uint8_t)reason;

        // Store device reset reason, for later handling in the startup sequence

        MW_StorePersistentVal(PVAL_RESET_REASON, reasonVal);

    }

}


// Checks the error injection ongoing flag to determine if the reset was due to an error injection

static errInjectReset_t DetermineErrorInjection(resetReason_t reason)

{

    bool isErrInjOngoing                  = MW_GetPersistentFlag(PFLAG_ERRINJ_ONGOING);

    errInjectReset_t errorInjectionReason = ERRINJ_RESET_NONE;


    if (isErrInjOngoing)

    {

        if (reason == RSTRSN_MCHK_DCLS)

        {

            errorInjectionReason = ERRINJ_RESET_CPU;

        }


        if (reason == RSTRSN_WDT_TIMEOUT)

        {

            errorInjectionReason = ERRINJ_RESET_WDT;

        }

    }

    return errorInjectionReason;

}


void T_RunResetDiagnosticFsm(void)

{

    fsmState_t state   = DetermineState(); // Read persistent memory to figure out the FSM state

    bool isDiagFailure = false; // Diagnostics pass by default if the expected reset occured


    // Initial state, perform CPU lockstep error injection

    if (state == FSM_STATE_START)

    {

        // Prevent the system from treating the error injection reset as a real fault

        MW_StorePersistentFlag(PFLAG_ERRINJ_ONGOING, true);

        (void)MW_DiagCpuLockstep(); // Always returns ERROR


        // Diagnostic failed to reset the device: go to the next state and report failure

        isDiagFailure = true;

        state         = FSM_STATE_CONTINUE;

    }


    // After CPU error injection, store result and perform error injection for watchdogs

    if (state == FSM_STATE_CONTINUE)

    {

        MW_StorePersistentFlag(PFLAG_CPU_INJ_FAULT, isDiagFailure);


        RunDiagSwdtExpire(); // Does not reset the device, but will enable the SWDT until next reset


        (void)MW_DiagWdtExpire(); // Always returns ERROR


        // Diagnostic failed to reset the device: go to the next state and report failure

        isDiagFailure = true;

        state         = FSM_STATE_COMPLETE;

    }


    // After WDT error injection, store result and reset FSM

    if (state == FSM_STATE_COMPLETE)

    {

        MW_StorePersistentFlag(PFLAG_WDT_INJ_FAULT, isDiagFailure);

        ResetFsm(); // Clear error injection reason and error injection flag

    }


    // If the FSM is corrupted, abort execution to avoid infinite reset loops.

    if (state == FSM_STATE_CORRUPT)

    {

        AbortFsm(); // Set error injection reason to corrupted

    }

}


/*

 * Reads the error injection reset reason to determine which state the T_RunResetDiagnosticFsm is

 * in. It is assumed that the reason is stored in persistent memory by another part of the system

 * during determination of the reset reason if the PFLAG_ERRINJ_ONGOING flag is set. The persistent

 * memory can store data between resets, except for POR / BOR resets, in which the FSM is set back

 * to the initial state automatically.

 */

static fsmState_t DetermineState(void)

{

    const uint8_t errInjReasonVal = MW_GetPersistentVal(PVAL_ERRINJ_REASON);


    /* Intentional misra-c2012-10.5 deviation */

    const errInjectReset_t errInjReason = (errInjectReset_t)errInjReasonVal;


    /* Intentional misra-c2012-10.5 deviation */

    fsmState_t state = (fsmState_t)errInjReason;


    const bool invalidReasonVal = (errInjReason > ERRINJ_RESET_CORRUPT);

    const bool flagsCorrupted   = MW_IsPersistentFlagsCorrupt();


    // Check if a single bit flip has occured in the reset reason data

    const bool errInjOngoing  = MW_GetPersistentFlag(PFLAG_ERRINJ_ONGOING);

    const bool stateCorrupted = ((errInjOngoing == false) && (state != FSM_STATE_START));


    // If persistent data used by the FSM is corrupted, the FSM state itself is corrupted

    if (invalidReasonVal || flagsCorrupted || stateCorrupted)

    {

        state = FSM_STATE_CORRUPT;

    }


    return state;

}


// Performs the Syncronous Watchdog Expire diagnostic and stores the result in persistent memory.

static void RunDiagSwdtExpire(void)

{

    errFlag_t result   = MW_DiagSwdtExpire(PRE_STARTUP_SWDT_RESET_VAL);

    bool isDiagFailure = true;


    if (result == NO_ERROR)

    {

        isDiagFailure = false;

    }


    MW_StorePersistentFlag(PFLAG_SWDT_INJ_FAULT, isDiagFailure);

}


// Reset FSM by clearing the reason and error injection flag

static void ResetFsm(void)

{

    const errInjectReset_t fsmReset = ERRINJ_RESET_NONE;

    const uint8_t fsmResetVal       = (uint8_t)fsmReset;

    MW_StorePersistentVal(PVAL_ERRINJ_REASON, fsmResetVal);

    MW_StorePersistentFlag(PFLAG_ERRINJ_ONGOING, false);

}


/*

 * Report that the FSM was aborted for later handling by setting the error injection reason to

 * corrupt, indicating that the stored true reset reason cannot be trusted, since it is not possible

 * to know if it is the true reset reason or if it was overwritten by an error injection reset.

 */

static void AbortFsm(void)

{

    const errInjectReset_t fsmAborted = ERRINJ_RESET_CORRUPT;

    const uint8_t fsmAbortedVal       = (uint8_t)fsmAborted;

    MW_StorePersistentVal(PVAL_ERRINJ_REASON, fsmAbortedVal);

}

errFlag_t
errFlag_t
Defines the error flag used by Middleware services to indicate error detection.
Definition define_error_flags.h:42

NO_ERROR
@ NO_ERROR
Definition define_error_flags.h:43

define_error_inject_reset.h
Defines type for storing the reason of a device reset caused by an error injection.

errInjectReset_t
errInjectReset_t
Defines possible reasons for a device reset due to an error injection.
Definition define_error_inject_reset.h:45

ERRINJ_RESET_CPU
@ ERRINJ_RESET_CPU
Definition define_error_inject_reset.h:47

ERRINJ_RESET_CORRUPT
@ ERRINJ_RESET_CORRUPT
Definition define_error_inject_reset.h:49

ERRINJ_RESET_NONE
@ ERRINJ_RESET_NONE
Definition define_error_inject_reset.h:46

ERRINJ_RESET_WDT
@ ERRINJ_RESET_WDT
Definition define_error_inject_reset.h:48

MW_DiagCpuLockstep
errFlag_t MW_DiagCpuLockstep(void)
Performs error injection diagnostic to detect faults in the CPU lockstep mechanism.
Definition midware_cpu_manager_diag.c:33

MW_CheckIoSafe
errFlag_t MW_CheckIoSafe(void)
Checks if all I/O pins are floated (tri-stated).
Definition midware_error_manager.c:105

MW_EnableForceFloat
void MW_EnableForceFloat(void)
Enables forced floating (tri-stating) of all I/O pins.
Definition midware_error_manager.c:120

MW_StorePersistentVal
void MW_StorePersistentVal(persistentVal_t valueType, uint8_t value)
Stores a value in General Purpose Registers (GPR) for perserving data between resets.
Definition midware_memory_manager.c:437

MW_StorePersistentFlag
void MW_StorePersistentFlag(persistentFlag_t flagType, bool flag)
Stores two redundant boolean flags in General Purpose Registers (GPR) for perserving data between res...
Definition midware_memory_manager.c:416

MW_GetPersistentFlag
bool MW_GetPersistentFlag(persistentFlag_t flagType)
Reads two redundant bits for each boolean flags in General Purpose Registers (GPR) that is stored for...
Definition midware_memory_manager.c:475

MW_IsPersistentFlagsCorrupt
bool MW_IsPersistentFlagsCorrupt(void)
Compares two redundant bits for each boolean flags in General Purpose Registers (GPR) and checks if a...
Definition midware_memory_manager.c:536

MW_GetPersistentVal
uint8_t MW_GetPersistentVal(persistentVal_t valueType)
Reads a value in General Purpose Registers (GPR) that is stored for preserving data between resets.
Definition midware_memory_manager.c:504

PVAL_RESET_REASON
@ PVAL_RESET_REASON
Definition midware_memory_manager.h:78

PVAL_ERRINJ_REASON
@ PVAL_ERRINJ_REASON
Definition midware_memory_manager.h:79

PFLAG_WDT_INJ_FAULT
@ PFLAG_WDT_INJ_FAULT
Definition midware_memory_manager.h:53

PFLAG_ERRINJ_ONGOING
@ PFLAG_ERRINJ_ONGOING
Definition midware_memory_manager.h:51

PFLAG_IO_FLOAT_FAULT
@ PFLAG_IO_FLOAT_FAULT
Definition midware_memory_manager.h:55

PFLAG_CPU_INJ_FAULT
@ PFLAG_CPU_INJ_FAULT
Definition midware_memory_manager.h:52

PFLAG_SWDT_INJ_FAULT
@ PFLAG_SWDT_INJ_FAULT
Definition midware_memory_manager.h:54

T_DetermineResetReason
void T_DetermineResetReason(void)
Determines the reason for the last device reset and stores it for later handling.
Definition tasks_pre_startup.c:78

T_RunResetDiagnosticFsm
void T_RunResetDiagnosticFsm(void)
Implements an FSM for performing error injection diagnostics leading to device resets.
Definition tasks_pre_startup.c:122

T_EnsureSafeState
void T_EnsureSafeState(void)
Ensures the device is in a Safe State by making sure io pins are floated.
Definition tasks_pre_startup.c:57

MW_GetClearResetReason
resetReason_t MW_GetClearResetReason(void)
Reads and clears the reset flag registers.
Definition midware_reset_manager.c:47

resetReason_t
resetReason_t
Type defines for all possible reset sources.
Definition midware_reset_manager.h:40

RSTRSN_WDT_TIMEOUT
@ RSTRSN_WDT_TIMEOUT
Definition midware_reset_manager.h:51

RSTRSN_MCHK_DCLS
@ RSTRSN_MCHK_DCLS
Definition midware_reset_manager.h:72

STRICT_SAFE_STATE
#define STRICT_SAFE_STATE
Configures whether to use a strict Safe State to Mission Mode transition in TM_PreStartup and TM_Star...
Definition tasks_config.h:66

PRE_STARTUP_SWDT_RESET_VAL
#define PRE_STARTUP_SWDT_RESET_VAL
Configures the new SWDT reset value after performing the SWDT Expire diagnostic in T_RunResetDiagnost...
Definition tasks_config.h:1301

ENABLED
#define ENABLED
Used to enable optional Task features through macro configurations.
Definition define_tasks_config.h:45

MW_DiagWdtExpire
errFlag_t MW_DiagWdtExpire(void)
Performs error injection diagnostic to detect faults in the Watchdog Timer (WDT) Expire mechanism.
Definition midware_watchdog_manager_diag.c:167

MW_DiagSwdtExpire
errFlag_t MW_DiagSwdtExpire(uint32_t newReset)
Performs error injection diagnostic to detect faults in the Synchronous Watchdog Timer (SWDT) Expire ...
Definition midware_watchdog_manager_diag.c:78

midware_cpu_manager_diag.h

midware_error_manager.h

midware_memory_manager.h

midware_reset_manager.h

midware_watchdog_manager_diag.h
Contains API prototypes for the Watchdog Manager diagnostics.

tasks_config.h

tasks_pre_startup.h