panda/board/safety_declarations.h

// sample struct that keeps 3 samples in memory
struct sample_t {
  int values[6];
  int min;
  int max;
} sample_t_default = {{0}, 0, 0};

// safety code requires floats
struct lookup_t {
  float x[3];
  float y[3];
};

typedef struct {
  int addr;
  int bus;
} AddrBus;

void safety_rx_hook(CAN_FIFOMailBox_TypeDef *to_push);
int safety_tx_hook(CAN_FIFOMailBox_TypeDef *to_send);
int safety_tx_lin_hook(int lin_num, uint8_t *data, int len);
uint32_t get_ts_elapsed(uint32_t ts, uint32_t ts_last);
int to_signed(int d, int bits);
void update_sample(struct sample_t *sample, int sample_new);
bool max_limit_check(int val, const int MAX, const int MIN);
bool dist_to_meas_check(int val, int val_last, struct sample_t *val_meas,
  const int MAX_RATE_UP, const int MAX_RATE_DOWN, const int MAX_ERROR);
bool driver_limit_check(int val, int val_last, struct sample_t *val_driver,
  const int MAX, const int MAX_RATE_UP, const int MAX_RATE_DOWN,
  const int MAX_ALLOWANCE, const int DRIVER_FACTOR);
bool rt_rate_limit_check(int val, int val_last, const int MAX_RT_DELTA);
float interpolate(struct lookup_t xy, float x);
bool addr_allowed(int addr, int bus, const AddrBus addr_list[], int len);

typedef void (*safety_hook_init)(int16_t param);
typedef void (*rx_hook)(CAN_FIFOMailBox_TypeDef *to_push);
typedef int (*tx_hook)(CAN_FIFOMailBox_TypeDef *to_send);
typedef int (*tx_lin_hook)(int lin_num, uint8_t *data, int len);
typedef int (*fwd_hook)(int bus_num, CAN_FIFOMailBox_TypeDef *to_fwd);

typedef struct {
  safety_hook_init init;
  rx_hook rx;
  tx_hook tx;
  tx_lin_hook tx_lin;
  fwd_hook fwd;
} safety_hooks;

// This can be set by the safety hooks
bool controls_allowed = false;
bool relay_malfunction = false;
bool gas_interceptor_detected = false;
int gas_interceptor_prev = 0;

// This is set by USB command 0xdf
bool long_controls_allowed = true;

// time since safety mode has been changed
uint32_t safety_mode_cnt = 0U;
// allow 1s of transition timeout after relay changes state before assessing malfunctioning
const uint32_t RELAY_TRNS_TIMEOUT = 1U;

// avg between 2 tracks
#define GET_INTERCEPTOR(msg) (((GET_BYTE((msg), 0) << 8) + GET_BYTE((msg), 1) + ((GET_BYTE((msg), 2) << 8) + GET_BYTE((msg), 3)) / 2 ) / 2)
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`// sample struct that keeps 3 samples in memory`
			`struct sample_t {`
			`int values[6];`
			`int min;`
			`int max;`
			`} sample_t_default = {{0}, 0, 0};`

			`// safety code requires floats`
			`struct lookup_t {`
			`float x[3];`
			`float y[3];`
			`};`

tx_hook shall have a white-list of messages (#381) * Started whitelisting messages * Also toyota and cadilalc fix * bug fixes and better checks. Need to figure out a solution for honda * Whitelist also for subaru * Added Chrysler as well to whitelist * And Hyundai too * now all supported cars should have a whitelist of messages * Fix linter * This should fix process replay * Honda too is now whitelisted * struct typedef * Had forgot GM * had a wrong addr for GM whitelist * This should fix all the tests * bump panda 2019-11-17 01:24:19 -07:00			`typedef struct {`
			`int addr;`
			`int bus;`
			`} AddrBus;`

Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`void safety_rx_hook(CAN_FIFOMailBox_TypeDef *to_push);`
			`int safety_tx_hook(CAN_FIFOMailBox_TypeDef *to_send);`
			`int safety_tx_lin_hook(int lin_num, uint8_t *data, int len);`
			`uint32_t get_ts_elapsed(uint32_t ts, uint32_t ts_last);`
			`int to_signed(int d, int bits);`
			`void update_sample(struct sample_t *sample, int sample_new);`
All 14.4 violations are gone (#213) 2019-06-12 21:12:48 -06:00			`bool max_limit_check(int val, const int MAX, const int MIN);`
			`bool dist_to_meas_check(int val, int val_last, struct sample_t *val_meas,`
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`const int MAX_RATE_UP, const int MAX_RATE_DOWN, const int MAX_ERROR);`
All 14.4 violations are gone (#213) 2019-06-12 21:12:48 -06:00			`bool driver_limit_check(int val, int val_last, struct sample_t *val_driver,`
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`const int MAX, const int MAX_RATE_UP, const int MAX_RATE_DOWN,`
			`const int MAX_ALLOWANCE, const int DRIVER_FACTOR);`
All 14.4 violations are gone (#213) 2019-06-12 21:12:48 -06:00			`bool rt_rate_limit_check(int val, int val_last, const int MAX_RT_DELTA);`
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`float interpolate(struct lookup_t xy, float x);`
tx_hook shall have a white-list of messages (#381) * Started whitelisting messages * Also toyota and cadilalc fix * bug fixes and better checks. Need to figure out a solution for honda * Whitelist also for subaru * Added Chrysler as well to whitelist * And Hyundai too * now all supported cars should have a whitelist of messages * Fix linter * This should fix process replay * Honda too is now whitelisted * struct typedef * Had forgot GM * had a wrong addr for GM whitelist * This should fix all the tests * bump panda 2019-11-17 01:24:19 -07:00			`bool addr_allowed(int addr, int bus, const AddrBus addr_list[], int len);`
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00
			`typedef void (*safety_hook_init)(int16_t param);`
			`typedef void (rx_hook)(CAN_FIFOMailBox_TypeDef to_push);`
			`typedef int (tx_hook)(CAN_FIFOMailBox_TypeDef to_send);`
			`typedef int (tx_lin_hook)(int lin_num, uint8_t data, int len);`
			`typedef int (fwd_hook)(int bus_num, CAN_FIFOMailBox_TypeDef to_fwd);`

			`typedef struct {`
			`safety_hook_init init;`
			`rx_hook rx;`
			`tx_hook tx;`
			`tx_lin_hook tx_lin;`
			`fwd_hook fwd;`
			`} safety_hooks;`

WIP: Relay malfunction (#384) * relay malfunction handling. WIP * more cars to relay_malfunctions * fixed safety tests * minor change * Fix linter * all cars now have a relay_malfunction safety check * added relay_malfunction safety test for fwd hooks * added proper regression tests for relay malfunction to all cars * temp patch to not fail regression in honda bosch * also addr 0x194 is some nidec honda is steer control * proper relay check for honda bosch too 2019-11-15 01:32:45 -07:00			`// This can be set by the safety hooks`
			`bool controls_allowed = false;`
			`bool relay_malfunction = false;`
			`bool gas_interceptor_detected = false;`
Fix Misra 20.1 violations: Moved safety declarations in its own header and qdded optional input to run misra tests for safety code only. 2019-06-12 07:35:47 -06:00			`int gas_interceptor_prev = 0;`

			`// This is set by USB command 0xdf`
WIP: Relay malfunction (#384) * relay malfunction handling. WIP * more cars to relay_malfunctions * fixed safety tests * minor change * Fix linter * all cars now have a relay_malfunction safety check * added relay_malfunction safety test for fwd hooks * added proper regression tests for relay malfunction to all cars * temp patch to not fail regression in honda bosch * also addr 0x194 is some nidec honda is steer control * proper relay check for honda bosch too 2019-11-15 01:32:45 -07:00			`bool long_controls_allowed = true;`
Pedal: use avg between tracks (#253) 2019-07-15 14:15:22 -06:00
add a safety mode counter 2019-11-26 22:19:54 -07:00			`// time since safety mode has been changed`
			`uint32_t safety_mode_cnt = 0U;`
Fix Misra 2019-11-27 01:19:41 -07:00			`// allow 1s of transition timeout after relay changes state before assessing malfunctioning`
			`const uint32_t RELAY_TRNS_TIMEOUT = 1U;`
add a safety mode counter 2019-11-26 22:19:54 -07:00
Pedal: use avg between tracks (#253) 2019-07-15 14:15:22 -06:00			`// avg between 2 tracks`
			`#define GET_INTERCEPTOR(msg) (((GET_BYTE((msg), 0) << 8) + GET_BYTE((msg), 1) + ((GET_BYTE((msg), 2) << 8) + GET_BYTE((msg), 3)) / 2 ) / 2)`