Mitig: add TMR error counter, check that TMR logic actually works

By corrupting one of the three copies of the adc_ch variable using asm
code we test that the TMR logic actually works (it works).

main_fw/build/Makefile

@@ -5,6 +5,7 @@
 USE_CLANG = true
 USE_CLANG_OPT = true
 USE_CLANG_COAST = true
+TEST_TMR =
 STACK_PROTECTOR = true
 PRINTF_FLOAT =
 USB_ENABLE =
@@ -23,6 +24,10 @@ ifdef STACK_PROTECTOR
 CLANG_CFLAGS += -DUSE_STACK_PROTECTOR -fstack-protector-all
 endif
 
+ifdef TEST_TMR
+CLANG_CFLAGS += -DTEST_TMR
+endif
+
 ifdef PRINTF_FLOAT
 PRINTF_FLOAT_FLAG= -u _printf_float
 endif
@@ -206,7 +211,7 @@ ifdef USE_CLANG_COAST
 	@echo Invoking: Clang -O1 pass
 	$(CLANG_BIN_PATH)opt -S -O1 $(OUTPUT_FILE_NAME).bc -o $(OUTPUT_FILE_NAME).o1.bc
 	@echo Invoking: Clang COAST passes
-	$(CLANG_BIN_PATH)opt -S -load $(CLANG_COAST_PATH)/DebugStatements.so -load $(CLANG_COAST_PATH)/ExitMarker.so -load $(CLANG_COAST_PATH)/CFCSS.so -load $(CLANG_COAST_PATH)/DataflowProtection.so -load $(CLANG_COAST_PATH)/DWC.so -load $(CLANG_COAST_PATH)/TMR.so -TMR -verbose -configFile=functions.config $(CFCSS_skipFns) $(OUTPUT_FILE_NAME).o1.bc -o $(OUTPUT_FILE_NAME).opt.bc
+	$(CLANG_BIN_PATH)opt -S -load $(CLANG_COAST_PATH)/DebugStatements.so -load $(CLANG_COAST_PATH)/ExitMarker.so -load $(CLANG_COAST_PATH)/CFCSS.so -load $(CLANG_COAST_PATH)/DataflowProtection.so -load $(CLANG_COAST_PATH)/DWC.so -load $(CLANG_COAST_PATH)/TMR.so -TMR -countErrors -verbose -configFile=functions.config $(CFCSS_skipFns) $(OUTPUT_FILE_NAME).o1.bc -o $(OUTPUT_FILE_NAME).opt.bc
 else # (no USE_CLANG_COAST)
 	@echo Invoking: Clang -Os pass
 	$(CLANG_BIN_PATH)opt -S -Os $(EXTRA_OPT_ARGS) $(OUTPUT_FILE_NAME).bc -o $(OUTPUT_FILE_NAME).opt.bc

main_fw/src/i2c_impl.c

@@ -32,6 +32,8 @@ extern uint16_t currs_lin[3];
 extern uint16_t powrs_lin[3];
 extern uint16_t frpms_lin[3];
 
+uint32_t TMR_ERROR_CNT;
+
 static int8_t cmd_data_lengths[] = {
         1,                         // 0x00
         -1,                        // 0x1A
@@ -79,12 +81,14 @@ void uc_reset();
 void boot_new_fw();
 
 static int8_t ext_cmd_data_lengths[] = {
-        1,  // 5
-        1}; // 6
+        1,  // 0x05
+        1,  // 0x06
+        4}; // 0xA0
 
 static cmd_t ext_cmds_cmds[] = (cmd_t[]){
-        {5, &ext_cmd_data_lengths[0], (uint8_t *)NULL, (fp_t)NULL, &boot_new_fw,         (fp_t)NULL},
-        {6, &ext_cmd_data_lengths[1], (uint8_t *)NULL, (fp_t)NULL, &uc_reset,            (fp_t)NULL}};
+        {0x05, &ext_cmd_data_lengths[0], (uint8_t *)NULL, (fp_t)NULL, &boot_new_fw,         (fp_t)NULL},
+        {0x06, &ext_cmd_data_lengths[1], (uint8_t *)NULL, (fp_t)NULL, &uc_reset,            (fp_t)NULL},
+        {0xA0, &ext_cmd_data_lengths[2], (uint8_t *)&TMR_ERROR_CNT, (fp_t)NULL, (fp_t)NULL, (fp_t)NULL}};
 
 cmd_space_t ext_cmds = {
         sizeof(ext_cmds_cmds)/sizeof(cmd_t),

main_fw/src/main.c

@@ -141,6 +141,23 @@ void __xMR adc_cb(const struct adc_async_descriptor *const descr, const uint8_t
         // AIN11: v3
         // any scaling is applied here
         // prototype board only has 1 pin of [t, v, i] connected, write some value to the other two
+
+#ifdef USE_COAST
+#ifdef TEST_TMR
+        // Test TMR by trying to corrupt the adc_ch variable. By using
+        // assembly we trick the TMR logic: it just sees one of the
+        // three copies be corrupted, fixes it when it's accessed in
+        // the switch statement below (ADC readout remains unaffected)
+        // and increments the TMR_ERROR_CNT variable (implemented and
+        // exposed in i2c_impl.c).
+        asm volatile("movs	r4, 0x12;"
+                     "lsls	r4, r4, 8;"
+                     "adds	r4, 0x34;"
+                     "strh	r4, [%0]"
+                     ::"r"(&adc_ch):"r4");
+#endif
+#endif
+
         switch (adc_ch) {
         case 0:
                 temps[0] = (VREF*(adc_vals[adc_ch] / ADC_MAX) - temp_coeff_a[0])*temp_coeff_b[0];