Add safety modules

* Add a safeWatchdog for the S32K1 platform
* Add safeMemory
* Add safeMonitor
* Add safeLifecycle (SafeSupervisor, safety logger)

Add a demo SafetySystem to the lifecycle configuration, which
uses these modules.

Change-Id: I191dd1400b70e3216e70135a97c3224bd12036df

doc/Doxyfile

@@ -864,7 +864,7 @@ WARN_LOGFILE           = "DoxygenWarningLog.txt"
 # spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
 # Note: If this tag is empty the current directory is searched.
 
-INPUT                  = DoxygenMainPage.md ../libs/bsw ../libs/bsp
+INPUT                  = DoxygenMainPage.md ../libs/bsw ../libs/bsp ../libs/safety
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses

doc/DoxygenMainPage.md

@@ -5,3 +5,4 @@ This documentation was generated by doxygen from the code in the subdirectories.
 
 * `libs/bsp`
 * `libs/bsw`
+* `libs/safety`

doc/index.rst

@@ -163,6 +163,14 @@ Eclipse OpenBSW is a trademark of the Eclipse Foundation.
 
     ../libs/bsw/**/doc/index
 
+.. toctree::
+    :maxdepth: 1
+    :caption: Safety Modules
+    :glob:
+    :hidden:
+
+    ../libs/safety/**/doc/index
+
 .. toctree::
     :maxdepth: 1
     :caption: BSP Modules

executables/referenceApp/CMakeLists.txt

@@ -59,6 +59,10 @@ if (PLATFORM_SUPPORT_IO)
     add_compile_definitions(PLATFORM_SUPPORT_IO=1)
 endif ()
 
+if (PLATFORM_SUPPORT_WATCHDOG)
+    add_compile_definitions(PLATFORM_SUPPORT_WATCHDOG=1)
+endif ()
+
 include(${OPENBSW_DIR}/Filelists.cmake)
 
 # Configure async and freeRtos libs depending on build type.

executables/referenceApp/application/CMakeLists.txt

@@ -22,6 +22,7 @@ add_executable(
     src/systems/DemoSystem.cpp
     src/systems/RuntimeSystem.cpp
     src/systems/SysAdminSystem.cpp
+    src/systems/SafetySystem.cpp
     ${app.referenceAppExtraSources}
     src/main.cpp)
 
@@ -55,6 +56,7 @@ target_link_libraries(
             util
             udsConfigurationImpl
             runtime
+            safeLifecycle
             socBsp)
 
 if (PLATFORM_SUPPORT_UDS)

executables/referenceApp/application/include/systems/SafetySystem.h

@@ -0,0 +1,35 @@
+// Copyright 2024 Accenture.
+
+#include <console/AsyncCommandWrapper.h>
+#include <lifecycle/AsyncLifecycleComponent.h>
+#include <lifecycle/console/LifecycleControlCommand.h>
+
+namespace systems
+{
+class SafetySystem
+: public ::lifecycle::AsyncLifecycleComponent
+, private ::async::IRunnable
+{
+public:
+    explicit SafetySystem(
+        ::async::ContextType context, ::lifecycle::ILifecycleManager& lifecycleManager);
+    SafetySystem(SafetySystem const&)            = delete;
+    SafetySystem& operator=(SafetySystem const&) = delete;
+
+    void init() override;
+    void run() override;
+    void shutdown() override;
+    void cyclic();
+
+private:
+    void execute() override;
+
+private:
+    ::async::ContextType const _context;
+    ::async::TimeoutType _timeout;
+
+    ::lifecycle::LifecycleControlCommand _lifecycleControlCommand;
+    ::console::AsyncCommandWrapper _asyncCommandWrapperForLifecycleControlCommand;
+};
+
+} // namespace systems

executables/referenceApp/application/src/app/app.cpp

@@ -8,6 +8,7 @@
 #include "reset/softwareSystemReset.h"
 #include "systems/DemoSystem.h"
 #include "systems/RuntimeSystem.h"
+#include "systems/SafetySystem.h"
 #include "systems/SysAdminSystem.h"
 
 #include <app/appConfig.h>
@@ -72,6 +73,7 @@ LifecycleManager lifecycleManager{
 ::estd::typed_mem<::systems::RuntimeSystem> runtimeSystem;
 ::estd::typed_mem<::systems::SysAdminSystem> sysAdminSystem;
 ::estd::typed_mem<::systems::DemoSystem> demoSystem;
+::estd::typed_mem<::systems::SafetySystem> safetySystem;
 
 #ifdef PLATFORM_SUPPORT_UDS
 ::estd::typed_mem<::transport::TransportSystem> transportSystem;
@@ -176,6 +178,9 @@ void run()
                 ),
         8U);
 
+    lifecycleManager.addComponent(
+        "safety", safetySystem.emplace(TASK_SAFETY, lifecycleManager), 8U);
+
     lifecycleManager.transitionToLevel(MaxNumLevels);
 
     runtimeMonitor.start();
@@ -222,6 +227,9 @@ DemoTask demoTask{"demo"};
 using BackgroundTask = AsyncAdapter::Task<TASK_BACKGROUND, 1024 * 2>;
 BackgroundTask backgroundTask{"background"};
 
+using SafetyTask = AsyncAdapter::Task<TASK_SAFETY, 1024 * 2>;
+SafetyTask safetyTask{"safety"};
+
 AsyncContextHook contextHook{runtimeMonitor};
 
 } // namespace app

executables/referenceApp/application/src/logger/logger.cpp

@@ -6,6 +6,7 @@
 
 #include <lifecycle/LifecycleLogger.h>
 #include <logger/ConsoleLogger.h>
+#include <safeLifecycle/SafetyLogger.h>
 #ifdef PLATFORM_SUPPORT_CAN
 #include <can/CanLogger.h>
 #include <docan/common/DoCanLogger.h>
@@ -20,6 +21,7 @@ DEFINE_LOGGER_COMPONENT(BSP);
 DEFINE_LOGGER_COMPONENT(COMMON);
 DEFINE_LOGGER_COMPONENT(DEMO);
 DEFINE_LOGGER_COMPONENT(GLOBAL);
+DEFINE_LOGGER_COMPONENT(SAFETY);
 DEFINE_LOGGER_COMPONENT(UDS);
 
 #include <async/AsyncBinding.h>
@@ -37,6 +39,7 @@ LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, DEMO, ::util::format::Color::DEFAULT_COLOR
 LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, GLOBAL, ::util::format::Color::DEFAULT_COLOR)
 LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, LIFECYCLE, ::util::format::Color::DARK_GRAY)
 LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, CONSOLE, ::util::format::Color::DEFAULT_COLOR)
+LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, SAFETY, ::util::format::Color::DEFAULT_COLOR)
 #ifdef PLATFORM_SUPPORT_CAN
 LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, CAN, ::util::format::Color::LIGHT_BLUE)
 LOGGER_COMPONENT_MAPPING_INFO(_DEBUG, DOCAN, ::util::format::Color::LIGHT_GRAY)

executables/referenceApp/application/src/systems/SafetySystem.cpp

@@ -0,0 +1,55 @@
+// Copyright 2024 Accenture.
+
+#include "systems/SafetySystem.h"
+
+#include <safeLifecycle/SafetyLogger.h>
+#include <safeLifecycle/SafetyManager.h>
+
+::safety::SafetyManager safetyManager;
+
+namespace
+{
+constexpr uint32_t SYSTEM_CYCLE_TIME = 10;
+}
+
+namespace systems
+{
+using ::util::logger::Logger;
+using ::util::logger::SAFETY;
+
+SafetySystem::SafetySystem(
+    ::async::ContextType const context, ::lifecycle::ILifecycleManager& lifecycleManager)
+: _context(context)
+, _timeout()
+, _lifecycleControlCommand(lifecycleManager)
+, _asyncCommandWrapperForLifecycleControlCommand(_lifecycleControlCommand, context)
+{
+    setTransitionContext(context);
+}
+
+void SafetySystem::init()
+{
+    safetyManager.init();
+    transitionDone();
+}
+
+void SafetySystem::run()
+{
+    ::async::scheduleAtFixedRate(
+        _context, *this, _timeout, SYSTEM_CYCLE_TIME, ::async::TimeUnit::MILLISECONDS);
+
+    transitionDone();
+}
+
+void SafetySystem::shutdown()
+{
+    _timeout.cancel();
+
+    transitionDone();
+}
+
+void SafetySystem::execute() { cyclic(); }
+
+void SafetySystem::cyclic() { safetyManager.cyclic(); }
+
+} // namespace systems

executables/referenceApp/asyncCoreConfiguration/include/async/Config.h

@@ -26,6 +26,7 @@ enum
     TASK_DEMO,
     TASK_CAN,
     TASK_SYSADMIN,
+    TASK_SAFETY,
     // --------------------
     ASYNC_CONFIG_TASK_COUNT,
 };

executables/referenceApp/platforms/s32k148evb/main/CMakeLists.txt

@@ -27,6 +27,9 @@ target_link_libraries(
             freeRtosCm4SysTick
             lifecycle
             startUp
+            watchdogManager
+            safeLifecycle
+            safeMemory
     PUBLIC bspInputManager bspOutputManager)
 
 add_library(osHooks src/osHooks.cpp)

executables/referenceApp/platforms/s32k148evb/main/linkerscript/application.dld

@@ -176,11 +176,34 @@ SECTIONS
   }
   > Application = 0xffffffff
 
-  /* Initialized data */
-
   __etext = .;    /* end of code */
-  __DATA_ROM = .; /* start of initialized data */
-
+  __DATA_ROM = .;
+
+  .mpudata :
+  {
+    . = ALIGN(32);
+    __MPU_DATA_START = .;
+    KEEP("*libsafe*:*"(.data))
+    KEEP("*libsafe*:*"(.data*))
+    . = ALIGN(32);
+    __MPU_DATA_END = .;
+    . = ALIGN(32);
+  } > Data
+  .mpuBss :
+  {
+    . = ALIGN(32);
+    __MPU_BSS_START = .;
+    "*libsafe*:*"(.bss)
+    "*libsafe*:*"(.bss*)
+  } > Data
+  .mpuEnd :
+  {
+    . = ALIGN(32);
+    __MPU_BSS_END = .;
+  } > Data
+
+   /* Initialized data */
+
   .data : AT(__DATA_ROM)
   {
     . = ALIGN(4);
@@ -275,3 +298,4 @@ __FLASH_END = FLASH_END;
 __USED_FLASH_SIZE = __USED_FLASH_END - __FLASH_START;
 __FREE_FLASH_SIZE = __FLASH_END - __USED_FLASH_END;
 __FLASH_OVERFLOW_SIZE = __USED_FLASH_END - __FLASH_END;
+ASSERT(__MPU_DATA_START == __MPU_DATA_END, "safety code must not have preinitialized data");

executables/referenceApp/platforms/s32k148evb/main/src/main.cpp

@@ -12,6 +12,8 @@
 #include "lifecycle/StaticBsp.h"
 
 #include <lifecycle/LifecycleManager.h>
+#include <safeLifecycle/SafeSupervisor.h>
+#include <watchdogManager/watchdogManager.h>
 
 #include <estd/indestructible.h>
 #include <estd/optional.h>
@@ -85,8 +87,20 @@ ::can::ICanSystem& getCanSystem() { return *::platform::canSystem; }
 
 int main()
 {
-    // StaticBsp::init() will disable the watchdog, this must be the first function call in main()!
+    /* StaticBsp::init() disables the watchdog for the startup checks. The watchdog is then enabled
+     by the method SafeWatchdog::init(), which is called later during the startup phase.*/
     ::platform::staticBsp.init();
+    auto& safeSupervisor = safety::SafeSupervisor::getInstance();
+    safeSupervisor.enterLimpHome();
+    bool watchdogTest = safety::WatchdogManager::startTest();
+    if (watchdogTest)
+    {
+        safeSupervisor.leaveLimpHome();
+    }
+    else
+    {
+        safeSupervisor.watchdogStartupCheckMonitor.trigger();
+    }
     printf("main(RCM::SRS 0x%lx)\r\n", *reinterpret_cast<uint32_t volatile*>(0x4007F008));
     app_main(); // entry point for the generic part
     return (1); // we never reach this point

libs/CMakeLists.txt

@@ -1,3 +1,4 @@
+add_subdirectory(safety)
 add_subdirectory(bsw)
 add_subdirectory(bsp)
 add_subdirectory(3rdparty)

libs/safety/CMakeLists.txt

@@ -0,0 +1,36 @@
+option(PLATFORM_SUPPORT_WATCHDOG "Turn WATCHDOG support on or off" OFF)
+option(PLATFORM_SUPPORT_MPU "Turn MPU support on or off" OFF)
+
+if (BUILD_TARGET_PLATFORM STREQUAL "S32K148EVB")
+    set(PLATFORM_SUPPORT_WATCHDOG
+        ON
+        CACHE BOOL "Turn ON Watchdog support" FORCE)
+    set(PLATFORM_SUPPORT_MPU
+        ON
+        CACHE BOOL "Turn ON MPU support" FORCE)
+else ()
+    set(PLATFORM_SUPPORT_WATCHDOG
+        OFF
+        CACHE BOOL "Turn OFF Watchdog support" FORCE)
+    set(PLATFORM_SUPPORT_MPU
+        OFF
+        CACHE BOOL "Turn OFF MPU support" FORCE)
+endif ()
+
+if (PLATFORM_SUPPORT_WATCHDOG)
+    add_compile_definitions(PLATFORM_SUPPORT_WATCHDOG=1)
+endif ()
+if (PLATFORM_SUPPORT_MPU)
+    add_compile_definitions(PLATFORM_SUPPORT_MPU=1)
+endif ()
+
+add_subdirectory(safeLifecycle EXCLUDE_FROM_ALL)
+add_subdirectory(safeMemory EXCLUDE_FROM_ALL)
+add_subdirectory(safeMonitor EXCLUDE_FROM_ALL)
+add_subdirectory(safeWatchdog EXCLUDE_FROM_ALL)
+add_subdirectory(watchdogManager EXCLUDE_FROM_ALL)
+
+if (BUILD_UNIT_TESTS)
+    add_subdirectory(safeLifecycle/test/gtest)
+    add_subdirectory(safeMonitor/test)
+endif ()

libs/safety/safeLifecycle/CMakeLists.txt

@@ -0,0 +1,19 @@
+add_library(safeLifecycle src/safeLifecycle/SafetyManager.cpp
+                          src/safeLifecycle/SafeSupervisor.cpp)
+
+target_include_directories(safeLifecycle PUBLIC include)
+
+target_link_libraries(
+    safeLifecycle
+    PUBLIC safeMonitor
+           safeWatchdog
+           platform
+           util
+           safeMemory)
+
+if (BUILD_UNIT_TESTS)
+
+    target_compile_definitions(safeLifecycle PUBLIC ESTD_HAS_EXCEPTIONS
+                                                    ESTL_ASSERT_MESSAGE_ALL)
+
+endif ()