BSWDistributionGuide
BSW在AUTOSAR架构中的这里哦
BSW Distribution in Multi-Core Systems
BSW Functional Clusters
BSW功能集群是一组相关功能的模块
BSW functional clusters are groups of functionally coherent BSW modules.
The following types of clusters might be standardized in a later release:
-
Communication cluster通信集群
-
Memory cluster内存集群
-
I/O cluster I/O集群
-
Watchdog cluster 看门狗集群
添加图片注释,不超过 140 字(可选)
Parallel Execution of BSW modules
Core-Dependent Branching
It is possible for example to use the core id for this, i.e. branch the control flow depending on the return value of the OS APIs GetCoreID, or also GetApplicationID.
BSW模块的并行处理,可以通过获取Core ID来进行分支处理
Using Shared Buffers (in systems without memory protection)
添加图片注释,不超过 140 字(可选)
使用共享的buffer,所以需要防止并发访问哦,保持数据一致性
Concurrency safe implementation of modules
并发,可重入/不可重入都是需要考虑的事情
Kernel based Master-Satellite Realization
添加图片注释,不超过 140 字(可选)
添加图片注释,不超过 140 字(可选)
Atomic Operations Library
支持原子操作哦
SchM Interfaces for Parallel BSW execution
用于并行执行的SchM接口
The Basic Software Scheduler (SchM) is responsible for handling the inter-partition communication between BSW modules.
SchM负责BSW分区间的通信
For the distribution of BSW modules across several partitions, the SchM shall implement the methods SchM_Call, SchM_Result, SchM_Send and SchM_Receive
SchM要实现多种方法
-
SchM_Call
-
SchM_Result
-
SchM_Send
-
SchM_Receive
The SchM can use IocSend (a direct call to the OS) to send data in inter-partition communication. Other RTE internal mechanism might not be available during startup.
SchM可以使用IOC去做分区间通信
Configuration of Basic Software in Partitioned Systems
Task Mapping
The parallelization of BSW modules introduces several new subclasses of BswEvent to the AUTOSAR metamodel. These classes are shown in Figure 2.5. Each BswEvent (including instances of subclasses of BswEvent) is assigned to a BswSchedulableEntity, which is started upon occurrence of the event.
添加图片注释,不超过 140 字(可选)
总而言之呢就是通过事件触发函数
General Configuration of Master and Satellites
Modules that shall be available in multiple partitions can be implemented as masters and satellites. In this case, the master and all satellites of the same module share the same code (which may implement core-dependent behavior however) and the same configuration. Hence, a master and its satellites are treated as one module entity w.r.t. their configuration.
主模块和卫星模块共享相同的代码和配置
The communication between master and satellites is not to be standardized. It is considered to be module-internal and it is not visible to other modules. However, since it is recommended to use SchM mechanisms for internal communication, the nonstandardized client-server entries and data accesses in the BSWMD to connect master and satellite need to be configured.
Configuring the BswM (per Partition)
On systems with distributed BSW there is one BSW Mode Manager (BswM) per partition (but one OS and EcuM per core, which is the same as long as we have one BSW partition per core). Each of these BswMs can be configured independently. A BswM mainly interacts with the state managers (ECU state manager and bus state managers, for instance) on the same partition.
每个部分的BswM可以被单独配置
The BswM is also responsible for the initialization and shutdown of BSW modules running in the same partition. Therefore, its configuration depends on the mapping of BSW modules to partitions.
BswM可以响应同分区的initialization和shutdown
Configuring the EcuM (per Core)
On systems with distributed BSW there is one EcuM per core (even if there are multiple BSW partitions on that core). In other words, on every core there shall be one and only one partition that runs the EcuM. The partition running the EcuM is determined by the EcuMFlexEcucPartitionRef, which is specified in the container EcuMFlexUser Config of the EcuM configuration.
每个核都应该只要有一个EcuM,即使这个核上有多个BswM的不同分区。
On architectures with a sequential start of cores, there is one designated master core in which the boot loader starts the master EcuM via EcuM_Init. The EcuM in the master core starts some drivers, determines the Post Build configuration and starts all remaining cores with all their satellite EcuMs
引导程序 -> EcuM_Init -> master core -> remaining cores
MCAL Distribution
Introduction
It shall be noted that the introduction of the multi-core MCAL requires the introduction of asynchronously behaving interfaces to enable non-blocking parallel execution on multiple cores.
要实现异步非阻塞,不能阻塞哦
Furthermore it is assumed that a multi-core microcontroller is used however this is not mandatory as the concept provides an identical set of service API’s regardless whether it is a single- or multi-core implementation. Additionally it is possible to realize mixed ASIL systems with segregation in space and time where the mappable MCAL elements are assigned to the different partitions respecting the safety integrity level of the resulting MCAL implementation.
多核并发+硬件分离解耦
Criteria
-
1 - APIs Availability
-
1a: Local service API’s (executable on one core only)
-
1b: Global (distributed /shared) service API’s (executable on any core)
-
2 - MCAL Kernel Execution Context
-
2a: One Local kernel (executable on one core only)
-
2b: Global (distributed /shared) kernel (executable on any core)
-
HW Elements Mapping
-
3a: One HW element mappable to one core only
-
3b: One HW element mappable to several cores
Com-Stack Distribution
In general, one major job of the PduR is to take care of PDU routings between different networks.
PduR来处理不同的网络间的路由
BSW Distribution in Safety Systems
the main safety mechanisms:
-
Partitioning of SWCs to support the isolation in space.
-
Timing and control flow supervision to monitor executing entities and to detectfaults caused by blocking or wrong execution. In AUTOSAR the Os and the WdgM take care of this issue.
-
A safe communication via end-to-end protection is possible between ECUs (and even inside an ECU). This guarantees e.g. that the data which is send is not modified between the sender and the receiver(s). The responsible module is the E2Elibrary.
简单来说呢三件事:空间隔离、定时保护、E2E端到端
BSWGeneral
Requirements Specification
This chapter describes all requirements driving the work to define the General Requirements on Basic Software Modules.
Functional Overview
BSW涵盖了以下几个区域
The requirements on Basic Software cover the following domains:
-
Body
-
Powertrain
-
Chassis
-
Safety (assumption: covered, because hardware and system infrastructure are similar to the domains above)
有下面几种ECU
The ECU application experience is taken from the following concrete applications:
-
Sunroof and power window ECU
-
Diesel engine ECU
-
ESP ECU
-
BMW, DC and VW standard software packages (’Standard Core’, ’Standard Software Platform’, ’Standard Software Core’) including ISO 17356-3 OS [3], communication modules, bootloader, basic diagnostic functions for the domains listed above
-
Infotainment control ECU
Functional Requirements
Configuration
[SRS_BSW_00344] BSW Modules shall support link-time configuration [SRS_BSW_00404] BSW Modules shall support post-build configuration [SRS_BSW_00405] BSW Modules shall support multiple configuration sets [SRS_BSW_00345] BSW Modules shall support pre-compile configuration [SRS_BSW_00159] All modules of the AUTOSAR Basic Software shall support a tool based configuration
支持各种配置
[SRS_BSW_00167] All AUTOSAR Basic Software Modules shall provide configuration rules and constraints to enable plausibility checks [SRS_BSW_00171] Optional functionality of a Basic-SW component that is not required in the ECU shall be configurable at pre-compile-time
支持一些检查
[SRS_BSW_00170] The AUTOSAR SW Components shall provide information about their dependency from faults, signal qualities, driver demands
SWC应该提供有关故障、信号质量、驱动的依赖
[SRS_BSW_00380] Configuration parameters being stored in memory shall be placed into separate c-files
配置的参数应该在一个单独的c文件中
[SRS_BSW_00419] If a pre-compile time configuration parameter is implemented as const it should be placed into a separate c-file
如果是const类型,也需要单独放在一个c文件中
[SRS_BSW_00383] The Basic Software Module specifications shall specify which other configuration files from other modules they use at least in the description
应该至少描述出需要用到的其他模块的哪些配置文件
[SRS_BSW_00384] The Basic Software Module specifications shall specify at least in the description which other modules they require
应该说明要使用哪些模块
[SRS_BSW_00388] Containers shall be used to group configuration parameters that are defined for the same object
对配置进行分组
[SRS_BSW_00389] Containers shall have names [SRS_BSW_00390] Parameter content shall be unique within the module [SRS_BSW_00392] Parameters shall have a type [SRS_BSW_00393] Parameters shall have a range [SRS_BSW_00394] The Basic Software Module specifications shall specify the scope of the configuration parameters [SRS_BSW_00395] The Basic Software Module specifications shall list all configuration parameter dependencies [SRS_BSW_00396] The Basic Software Module specifications shall specify the supported configuration classes for changing values and multiplicities for each parameter/container [SRS_BSW_00403] The Basic Software Module specifications shall specify foreach parameter/container whether it supports different values or multiplicity indifferent configuration sets [SRS_BSW_00397] The configuration parameters in pre-compile time are fixed before compilation starts [SRS_BSW_00398] The link-time configuration is achieved on object code basis in the stage after compiling and before linking
一些乱七八糟的,懒得解释哈哈哈
[SRS_BSW_00399] Parameter-sets shall be located in a separate segment and shall be loaded after the code
给代码划个段
[SRS_BSW_00400] Parameter shall be selected from multiple sets of parameters after code has been loaded and started [SRS_BSW_00438] Configuration data shall be defined in a structure [SRS_BSW_00402] Each module shall provide version information
Wake-Up
[SRS_BSW_00375] Basic Software Modules shall report wake-up reasons
应该提供一个唤醒原因
Initialization
[SRS_BSW_00101] The Basic Software Module shall be able to initialize variables and hardware in a separate initialization function
在初始化函数中初始化变量和硬件
[SRS_BSW_00416] The sequence of modules to be initialized shall be configurable
初始化顺序支持配置
[SRS_BSW_00406] A static status variable denoting if a BSW module is initialized shall be initialized with value 0 before any APIs of the BSW module is called
静态状态变量应该被初始化为0在调用任何API之前
[SRS_BSW_00467] The init / deinit services shall only be called by BswM or EcuM
初始化函数只能由BswM或EcuM调用
[SRS_BSW_00437] Memory mapping shall provide the possibility to define RAM segments which are not to be initialized during startup
支持定义地址映射中的RAM段是否要初始化
Normal Operation
[SRS_BSW_00168] SW components shall be tested by a function defined in a common API in the Basis-SW
有一些测试的函数
[SRS_BSW_00407] Each BSW module shall provide a function to read out the version information of a dedicated module implementation
支持读模块信息,版本信息
[SRS_BSW_00423] BSW modules with AUTOSAR interfaces shall be describable with the means of the SW-C Template
不知道啥意思,应该是有一些对SWC的适配和依赖
[SRS_BSW_00424] BSW module main processing functions shall not be allowed to enter a wait state
Bsw模块的主处理函数不允许进入等待状态
[SRS_BSW_00425] The BSW module description template shall provide means to model the defined trigger conditions of schedulable objects
定义可调度对象的触发条件
[SRS_BSW_00426] BSW Modules shall ensure data consistency of data which is shared between BSW modules There are two possible scenarios
-
Scenario 1: the data is defined and managed within one BSW Module. In this case, Exclusive Areas shall be defined and documented in the BSW module description template of the managing module and used in the implementation. The exclusive areas shall be defined with a name and the accessing maifunctions, API services, callback functions and ISR functions.
-
Scenario 2: the data is not managed by a BSW Module. This is only possible in case of special hardware resources like registers. In this case, the accessing modules need to disable and enable interrupts to ensure data consistency
要保证数据一致性
[SRS_BSW_00427] ISR functions shall be defined and documented in the BSW module description template [SRS_BSW_00428] A BSW module shall state if its main processing function(s) has to be executed in a specific order or sequence [SRS_BSW_00429] Access to OS is restricted BSW modules shall only be allowed to use certain OS services. The services and their access shall be defined in SWS_BSW_General.
BSW应该只能访问特定的OS服务
[SRS_BSW_00432] Modules should have separate main processing functions for read/receive and write/transmit data path
BSW模块要有自己的专门的读写发送接收函数
[SRS_BSW_00433] Main processing functions are only allowed to be called from task bodies provided by the BSW Scheduler
主处理函数只允许在BSW调度器调用
[SRS_BSW_00450] A Main function of a un-initialized module shall return immediately
未初始化的模块要立即返回
[SRS_BSW_00461] Modules called by generic modules shall satisfy all interfaces requested by the generic module
应该提供所有的接口,若是不支持就提供空的实现
[SRS_BSW_00451] Hardware registers shall be protected if concurrent access to these registers occur
如果并发访问硬件寄存器,那应该加一些保护
[SRS_BSW_00478] Timing limits of main functions
Shutdown Operation
[SRS_BSW_00336] Basic SW module shall be able to shutdown
应该能去死
Fault Operation and Error Detection
[SRS_BSW_00337] Classification of development errors
给开发错误分类
[SRS_BSW_00369] All AUTOSAR Basic Software Modules shall not return specific development error codes via the API
返回值是开发错误代码
[SRS_BSW_00339] Reporting of production relevant error status AUTOSAR Basic Software Modules shall report all production errors and extended production errors to the Dem (Diagnostic Event Manager)
报给DEM去集中处理错误
[SRS_BSW_00422] Pre-de-bouncing of error status information is done within the Dem
添加图片注释,不超过 140 字(可选)
[SRS_BSW_00417] Software which is not part of the SW-C shall report error events only after the Dem is fully operational.
为了简化处理,除了SWC其他的软件在DEM完全运行之后才进行处理
[SRS_BSW_00323] All AUTOSAR Basic Software Modules shall check passed API parameters for validity
检查参数
[SRS_BSW_00004] All Basic SW Modules shall perform a pre-processor check of the versions of all imported include files
在包含头文件时要检查版本信息是否兼容
[SRS_BSW_00409] All production code error ID symbols are defined by the Dem module and shall be retrieved by the other BSW modules from Dem configuration
错误码在DEM中定义
[SRS_BSW_00385] List possible error notifications
应该列出可能的错误提醒
[SRS_BSW_00386] The BSW shall specify the configuration and conditions for detecting an error [SRS_BSW_00452] Classification of runtime errors [SRS_BSW_00458] Classification of production errors [SRS_BSW_00466] Classification of extended production errors [SRS_BSW_00488]{DRAFT} Classification of security events [SRS_BSW_00489]{DRAFT} Reporting of security events AUTOSAR Basic Software Modules shall report the configured security events to the IdsM (Intrusion Detection System Manager). [SRS_BSW_00490]{DRAFT} List possible security events [SRS_BSW_00491]{DRAFT} Specification of trigger conditions and context data [SRS_BSW_00492]{DRAFT} Reporting of security events during startup [SRS_BSW_00493]{DRAFT} Definition of security event ID symbols [SRS_BSW_00469] Fault detection and healing of production errors and extended production errors [SRS_BSW_00470] Execution frequency of production error detection [SRS_BSW_00471] Do not cause dead-locks on detection of production errors - the ability to heal from previously detected production errors [SRS_BSW_00472] Avoid detection of two production errors with the same root cause [SRS_BSW_00473] Classification of transient faults
Non-Functional Requirements (Qualities)
Software Architecture Requirements
[SRS_BSW_00161] The AUTOSAR Basic Software shall provide a microcontroller abstraction layer which provides a standardized interface to higher software layers
要提供标准的MCAL接口给上层
[SRS_BSW_00162] The AUTOSAR Basic Software shall provide a hardware abstraction layer
要提供标准的硬件抽象层接口
[SRS_BSW_00005] Modules of the µC Abstraction Layer (MCAL) may not have hard coded horizontal interfaces Necessary interactions (e.g. GPT triggered ADC conversion) shall be implemented by using statically configurable notifications (callbacks).
MCAL不推荐硬编码,必要的接口用回调函数实现
软编码:相对地,软编码实践鼓励将这些固定值抽象出来,通过外部配置文件、数据库或环境变量等方式管理,使得程序在不同环境或需要调整时更加灵活。
[SRS_BSW_00415] Interfaces which are provided exclusively for one module shall be separated into a dedicated header file
专门给一个模块提供的接口需要放在一个单独的头文件里
Software Integration Requirements
[SRS_BSW_00164] The Implementation of interrupt service routines shall be done by the Operating System, complex drivers or modules
[SRS_BSW_00325] The runtime of interrupt service routines and functions that are running in interrupt context shall be kept short
中断应该占用时间短,如果用时较长就使用OS Task来替代
[SRS_BSW_00342] It shall be possible to create an AUTOSAR ECU out of modules provided as source code and modules provided as object code, even mixed Some simple drivers could be provided as object code. More complex and configurable modules could be provided as source code or even generated code.
可以拆出配置代码
[SRS_BSW_00343] The unit of time for specification and configuration of Basic SW modules shall be preferably in physical time unit [SRS_BSW_00160] Configuration files of AUTOSAR Basic SW module shall be readable for human beings
配置文件因该具有可读性
[SRS_BSW_00453] BSW Modules shall be harmonized [SRS_BSW_00456] A Header file shall be defined in order to harmonize BSW Modules
如果这个类型定义需要被多个模块引用
那需要在<Module Abbreviation>_GeneralTypes.h头文件中声明
[SRS_BSW_00457] Callback functions of Application software components shall be invoked by the Basis SW
ASW的回调是被BSW调用
[SRS_BSW_00479] Interfaces for handling request from external devices
外部设备同样要符合规范
[SRS_BSW_00483] BSW Modules shall handle buffer alignments internally
BSW模块应该在内部处理Buffer对齐
Software Module Design Requirements
[SRS_BSW_00007] All Basic SW Modules written in C language shall conform to the MISRA C 2012 Standard.
要符合MISRA C规范,违反规范要注明
[SRS_BSW_00413] An index-based accessing of the instances of BSW modules shall be done
基于索引的BSW模块
[SRS_BSW_00347] A Naming seperation of different instances of BSW drivers shall be in place Driver modules shall be named according to the following rules (only for implementation, not for the software specification):
-
First the module name has to be listed: <Module Abbreviation>
-
After that the vendor Id defined in the AUTOSAR vendor list has to be given <Vendor Id
-
At last a vendor specific name (the vendor API infix) follows <Vendor APIinfix>
-
Only for API names, last name shall be <API Service name>
-
All parts shall be separated by underscores "_".
-
This naming extension applies to the following externally visible elements of the module:
-
File names
-
API names
-
Published parameters
-
Memory allocation keyword
-
For API names, <Vendor specific name> should be followed by "_" and the <API Service Name>.
-
For the creation of file names, no trailing underscore shall be added.
-
For Published parameters and Memory allocation keyword names, <Vendor Specific name> shall have a trailing underscores.
Examples:
-
EEPROM (LD): Eep_21_LDExtEepDriver.c
-
Published parameters: EEP_21_LDEXT_SW_MAJOR_VERSION
-
API: Eep_21_LDExt_Init
一些命名规范啦
[SRS_BSW_00441] Naming convention for type, macro and function All AUTOSAR Basic Software Modules shall label enumeration literals and #defines according to the following scheme:
-
Composition: <Module Abbreviation>_<Specific name>
-
<Module Abbreviation> shall be written in UPPERCASE
-
<Specific name> shall be written in UPPERCAS
-
<Module Abbreviation> and <Specific name> shall be separated by underscore
-
If <Specific name> consists of several words, they shall be separated by underscore
The #define E_OK and E_NOT_OK are exceptions to this.
Example #define:
#define EEP_PARAM_CONFIG #define EEP_SIZE
Example enumeration literals:
typedef enum { EEP_DRA_CONFIG = 0, EEP_ARE = 1, EEP_EV = 2 } Eep_NotificationType;
类型、宏、函数的命名约定
[SRS_BSW_00305] Data types naming convention All AUTOSAR Basic Software Modules shall label data types according to the following scheme:
-
Composition of type: <Module name>_<Type name>Type
-
Only one underscore between module name and type name
-
< Type name > shall be written in UpperCamelCase.
数据类型的命名约束
[SRS_BSW_00307] Global variables naming convention
-
All AUTOSAR Basic Software Modules shall label global variables according to the following scheme:
-
Composition of name: <Module name>_<Variable name>
-
Only one underscore between module name and variable name
-
Spelling of name: First letter of each word upper case, consecutive letters lower case
全局变量命名约定
[SRS_BSW_00310] API naming convention All AUTOSAR Basic Software Modules shall implement an API based on the following naming rules:
-
Composition of API: <Module name>_ServiceName()
<Mip>_<Sn>
-
Where <Mip> is the Module implementation prefix and <Sn> is the API Service name Module name: 2..8 letters, derived from [7]
-
Only one underscore between module name and service name
-
Spelling of API: First letter of each word upper case, consecutive letter lower case
例子:
-
Can_TransmitFrame()
-
Nm_RequestBusCommunication()
-
Adc_Init()
-
Eep_Write(
-
Nvm_GetState()
[SRS_BSW_00494] ServiceInterface argument with a pointer datatype A ServiceInterface argument with a pointer datatype (DATA_REFERENCE) shall have a Ptr postfix in its argument type and -name. No other argument type shall use this postfix in its argument type or -name. The argument direction of a pointer datatype is always IN.
服务接口的参数是一个指针
[SRS_BSW_00373] The main processing function of each AUTOSAR Basic Software Module shall be named according the defined convention The main processing function of each AUTOSAR Basic Software Module shall be named according to the following rule: <Module name>_MainFunction_<module specific extension> () Module specific extension shall be used to distinguish between multiple mainprocessing functions of one module (e.g. Cluster index, Rx /Tx . . . ). If only one main processing function exists in one module no module specific extension is required. It is responsibility of the modules to either define one main processing function and handle all the processing internally or define multiple main processing functions with appropriate module specific extensions. This depends on Module requirements. Main processing functions shall have no parameters and no return value. Main processing functions shall not be re-entrant.
用例
Possible main processing function of EEPROM driver: void Eep_MainFunction(void) Possible main processing functions of FlexRay driver: void Fr_MainFunction_TxClst1(void) void Fr_MainFunction_TxClst2(void) void Fr_MainFunction_RxClst1(void) void Fr_MainFunction_RxClst2(void) Please Note: The Use case is no recommendation for the particular Module, it just illustrates Main processing function possibilities.
主处理函数的命名
[SRS_BSW_00327] Error values naming convention All AUTOSAR Basic Software Modules shall apply the following naming rules for all error values:
-
Error values shall have only CAPITAL LETTERS
-
Naming convention: <MODULENAME>E<ERRORNAME>
-
If <ERRORNAME> consists of several words, they shall be separated by underscores
例子
The EEPROM driver has the following error values: • EEP_E_BUSY • EEP_E_PARAM_ADDRESS • EEP_E_PARAM_LENGTH • EEP_E_WRITE_FAILED
[SRS_BSW_00335] Status values naming convention All AUTOSAR Basic Software Modules shall apply the following naming rules for status values that are visible outside of the module:
-
Status values shall have only CAPITAL LETTERS
-
If <STATUSNAME> consists of several words, they shall be separated by underscores
例子
The Eeprom driver has the following status values: • EEP_UNINIT • EEP_IDLE • EEP_BUSY
[SRS_BSW_00350] All AUTOSAR Basic Software Modules shall allow the enabling/disabling of detection and reporting of development errors.
In Eep.h: #define EEP_DEV_ERROR_DETECT STD_ON /* detection module wide enabled */ In source Eep.c: #include "Eep.h" . . . #if ( EEP_DEV_ERROR_DETECT == STD_ON ) .. .. development errors to be detected .. #endif /* EEP_DEV_ERROR_DETECT */
可以用使能/使能检测和报告开发错误
[SRS_BSW_00408] All AUTOSAR Basic Software Modules configuration parameters shall be named according to a specific naming rule All AUTOSAR Basic Software Modules configuration parameters shall be named according to the following naming rules:
-
Naming convention: <Module Abbreviation><ParameterName>
< Module Abbreviation > is the prefix derived from [7]. < ParameterName > may consist of several words which may or may not be separated by underscore. The configuration parameter name can either be in UpperCamelCase or Uppercase
Example: CanIfTxConfirmation
配置参数的命名规范
[SRS_BSW_00410] Compiler switches shall have defined values
Example: Do : #if ( EEP_DEV_ERROR_DETECT == STD_ON ) .. Don’t: #ifdef EEP_DEV_ERROR_DETECT ..
宏定义要有值
[SRS_BSW_00411] All AUTOSAR Basic Software Modules shall apply a naming rule for enabling/disabling the existence of the API
所有AUTOSAR的API都应该用宏定义来开关
[SRS_BSW_00463] Naming convention of callout prototypes
Each callout function shall be mapped to its own memory section and memory class. These memory classes will then be mapped to the actually implemented memory classes at integration time. The following naming convention shall be used: — Start section definition: — \#define MSN_START_SEC_CBN_CODE — Stop section definition: — \#define MSN_STOP_SEC_CBN_CODE — Function prototype definition: — void MSN_Cbn (void); Where: MSN: Module Short Name as officially defined in AUTOSAR (see supporting material). CBN: Call Back Name, which shall have the same spelling of the Callback name including module reference but using only capital letters. Cbn: Callback name using the conventional Camel Case notation for API names.
Callback的命名约定
[SRS_BSW_00464] File names shall be considered case sensitive regardless of the filesystem in which they are used [SRS_BSW_00465] It shall not be allowed to name any two files so that they only differ by the cases of their letters
文件名字要区分大小写,不允许两个文件名只有大小写不一致
[SRS_BSW_00480] Null pointer errors shall follow a naming rule <MIP>_E_PARAM_POINTER
空指针错误
[SRS_BSW_00487] Errors for module initialization shall follow a naming rule <MIP>_E_UNINIT
初始化错误
[SRS_BSW_00481] Invalid configuration set selection errors shall follow a naming rule [SRS_BSW_00482] Get version information function shall follow a naming rule [SRS_BSW_00346] All AUTOSAR Basic Software Modules shall provide at least a basic set of module files [SRS_BSW_00314] All internal driver modules shall separate the interrupt frame definition from the service routine All internal driver modules shall separate the interrupt frame definition from the service routine in the following way:
-
<Module name>_Irq.c: implementation of interrupt frame
-
<Module name>.c: implementation of service routine called from interrupt frame
中断要单独出一个文件
[SRS_BSW_00447] Standardizing Include file structure of BSW Modules Implementing Autosar Service [SRS_BSW_00348] All AUTOSAR standard types and constants shall be placed and organized in a standard type header file [SRS_BSW_00353] All integer type definitions of target and compiler specific scope shall be placed and organized in a single type header [SRS_BSW_00301] All AUTOSAR Basic Software Modules shall only import the necessary information [SRS_BSW_00302] All AUTOSAR Basic Software Modules shall only export information needed by other modules [SRS_BSW_00328] All AUTOSAR Basic Software Modules shall avoid the duplication of code
都是一些头文件的结构啊说明啊什么的
[SRS_BSW_00312] Shared code shall be reentrant
代码可重入
[SRS_BSW_00006] The source code of software modules above the µC Abstraction Layer (MCAL) shall not be processor and compiler dependent.
硬件抽象
[SRS_BSW_00439] Enable BSW modules to handle interrupts [SRS_BSW_00448] Module SWS shall not contain requirements from other modules
没看懂
[SRS_BSW_00449] BSW Service APIs used by Autosar Application Software shall return a Std_ReturnType [SRS_BSW_00357] For success/failure of an API call a standard return type shall be defined [SRS_BSW_00377] A Basic Software Module can return a module specific types
要有返回值
[SRS_BSW_00304] All AUTOSAR Basic Software Modules shall use only AUTOSAR data types instead of native C data types
要使用 AUTOSAR定义的类型来代替原生C数据类型
[SRS_BSW_00378] AUTOSAR shall provide a boolean type
bool类型
[SRS_BSW_00306] AUTOSAR Basic Software Modules shall be compiler and platform independent
要独立于编译器和平台
[SRS_BSW_00308] AUTOSAR Basic Software Modules shall not define global data in their header files, but in the C file
不要在头文件中定义全局数据,在C文件中定义
[SRS_BSW_00309] All AUTOSAR Basic Software Modules shall indicate all global data with read-only purposes by explicitly assigning the const keyword
只读的要加const
[SRS_BSW_00484] Input parameters of scalar and enum types shall be passed as a value.
枚举类型应该作为值传递
[SRS_BSW_00485] Input parameters of structure type shall be passed as a reference to a constant structure
结构体的参数要使用指针来引用
[SRS_BSW_00486] Input parameters of array type shall be passed as a reference to the constant array base type
数组的参数要作为一个常数数组指针类型传入
[SRS_BSW_00358] The return type of init() functions implemented by AUTOSAR Basic Software Modules shall be void
init函数返回值为空
[SRS_BSW_00414] Init functions shall have a pointer to a configuration structure as single parameter
init函数应有单一一个指向配置的指针传入
[SRS_BSW_00359] All AUTOSAR Basic Software Modules callback functions shall avoid return types other than void if possible
回调函数的返回值都是void
[SRS_BSW_00360] AUTOSAR Basic Software Modules callback functions are allowed to have parameters
允许回调函数有参数
[SRS_BSW_00440] The callback function invocation by the BSW module shall follow the signature provided by RTE to invoke servers via Rte_Call API [SRS_BSW_00330] It shall be allowed to use macros instead of functions where source code is used and runtime is critical It shall be allowed to use macros instead of functions where source code is used and runtime is critical. It shall be allowed to use inline functions for the same purpose. Inline functions have the advantage (compared to macros) that the compiler can do type checking of function parameters and return values.
可以使用宏和内联函数
[SRS_BSW_00331] All Basic Software Modules shall strictly separate error and status information [SRS_BSW_00462] All Standardized Autosar Interfaces shall have unique requirement Id / number [SRS_BSW_00454] An alternative interface without a parameter of category DATA_REFERENCE shall be available. [SRS_BSW_00477] The functional interfaces of AUTOSAR BSW modules shall be specified in C99 [SRS_BSW_00459] It shall be possible to concurrently execute a service offered by a BSW module in different partitions [SRS_BSW_00460] Reentrancy Levels
Software Documentation Requirements
[SRS_BSW_00009] All Basic SW Modules shall be documented according to a common standard.
所有的模块都应该标准文档化
The module documentation shall contain at least the following items: • Cover sheet with title, version number, date, author, document status, document name • Change history with version number, date, author, change description, document status • Table of contents (navigable) • Functional overview • Source file list and description • Module requirements • Used resources (interrupts, µC peripherals etc.) • Integration description (OS, interface to other modules etc.) • Configuration description with parameter, description, unit, validrange, default value, relation to other parameters The module documentation shall also contain examples for • the correct usage of the API • the configuration of the module
[SRS_BSW_00401] Documentation of multiple instances of configuration parameters shall be available [SRS_BSW_00172] The scheduling strategy that is built inside the Basic Software Modules shall be compatible with the strategy used in the system [SRS_BSW_00010] The memory consumption of all Basic SW Modules shall be documented for a defined configuration for all supported platforms.
文档记录参数配置还有ROM/RAM的消耗
[SRS_BSW_00333] For each callback function it shall be specified if it is called from interrupt context or not
应该指出是否可以在中断中调用
[SRS_BSW_00374] All Basic Software Modules shall provide a readable module vendor identification
应该可读供应商标识
[SRS_BSW_00379] All software modules shall provide a module identifier in the header file and in the module XML description file.
头文件中有模块ID
[SRS_BSW_00003] All software modules shall provide version and identification information
提供软件版本信息
[SRS_BSW_00318] Each AUTOSAR Basic Software Module file shall provide version numbers in the header file [SRS_BSW_00321] The version numbers of AUTOSAR Basic Software Modules shall be enumerated according specific rules
也要有规范的版本号
[SRS_BSW_00341] Module documentation shall contains all needed informations [SRS_BSW_00334] All Basic Software Modules shall provide an XML file that contains the meta data [SRS_BSW_00351] Encapsulation of compiler specific methods to map objects
ErrorDescription
Generic Mechanisms
Report to the Diagnostic Event Manager (DEM)
添加图片注释,不超过 140 字(可选)
Diagnostic Event Manager
添加图片注释,不超过 140 字(可选)
DET
The DET (Default Error Tracer) provides access to the DEM and RTE(SW-C) over integrator specific code. The occurrence of a runtime error (signaled by calling Det_ReportRuntimeError API) or transient fault (signaled by calling the Det_ReportTransientFault API) triggers the execution of a corresponding error handler which may be implemented as callout within the Det by an integrator of a particular ECU and may only include the storage of the corresponding error event to a memory, a call to the module Dem or the execution of short and reasonable actions.
默认错误追踪
Function Inhibition Manager
添加图片注释,不超过 140 字(可选)
RTE
The RTE provides access to the DEM and FIM operations for the SWCs. It executes the runnables associated to the DEM monitors (DEM callbacks) when information is required from a SWC or when a SWC must be notified. No specific functionalities are provided for the DEM by the RTE.
RTE为上层SWC提供了这些接口
Communication related errors
Overview
Error handling mechanisms
添加图片注释,不超过 140 字(可选)
Error list for CAN stack
添加图片注释,不超过 140 字(可选)
Mappings of EH mechanisms to hardware failure modes
添加图片注释,不超过 140 字(可选)
Loss of communication channel
CAN Bus Off
Summary
添加图片注释,不超过 140 字(可选)
Note: The AUTOSAR COM module (or other modules like CANNM or CANTP) will react on a BusOff indirectly because of the loss of the communication channel, but it is not aware of the specific kind of error. For this reason, these modules are not considered in this section.
COM模块将会间接反应在BussOff,因此不考虑
Roles of the modules
CAN controller (peripheral)
添加图片注释,不超过 140 字(可选)
CAN Driver
添加图片注释,不超过 140 字(可选)
CAN Interface
添加图片注释,不超过 140 字(可选)
CAN State Manager
添加图片注释,不超过 140 字(可选)
Communication Manager
添加图片注释,不超过 140 字(可选)
BSW State Manager
添加图片注释,不超过 140 字(可选)
CAN Controller Hardware Timeout
添加图片注释,不超过 140 字(可选)
Roles of the modules
CAN Driver
添加图片注释,不超过 140 字(可选)
CAN Interface
添加图片注释,不超过 140 字(可选)
CAN State Manager
添加图片注释,不超过 140 字(可选)
Communication Manager
添加图片注释,不超过 140 字(可选)
BSW State Manager
添加图片注释,不超过 140 字(可选)
Signal error
CAN Transmission buffer full
添加图片注释,不超过 140 字(可选)
Roles of the modules
CAN Driver
添加图片注释,不超过 140 字(可选)
CAN Interface
添加图片注释,不超过 140 字(可选)
See also the COM TX Deadline Monitoring, which provide a mechanism to detect and react (from SWC) in case of such an error. This error may also impact a TP (Transport Protocol) communication; in that case, this will be detected as a CAN Transport Protocol error during transmission.
CAN Reception DLC error
添加图片注释,不超过 140 字(可选)
Note: the CAN Reception DLC error can be used in combination with the COM RX Deadline Monitoring mechanism. Also, the reception of a wrong DLC does not necessarily indicate a malfunction in the ECU, but can be caused by the ECU’s environment.
Roles of the modules
CAN Interface
添加图片注释,不超过 140 字(可选)
See also theCOM RX Deadline Monitoring, which provide a mechanism to detect and react (from SWC) in case of such an error. This error may also affect the CAN Transport or Network Management protocols; in these cases, the error will also be detected by the CAN Transport Protocol error during reception mechanism or by the Network Management protocol.
COM RX Deadline Monitoring
添加图片注释,不超过 140 字(可选)
Roles of the modules
AUTOSAR COM
添加图片注释,不超过 140 字(可选)
RTE
添加图片注释,不超过 140 字(可选)
SWC
添加图片注释,不超过 140 字(可选)
COM TX Deadline Monitoring
添加图片注释,不超过 140 字(可选)
CAN Transport Protocol error during transmission
添加图片注释,不超过 140 字(可选)
Note: In the figure above, the DCM represents the CANTP user. Other users of CANTP should react similarly (they will receive the indication of failures, and are responsible for initiating a recovery). Another user could be a SWC, with the communication routed to AUTOSAR COM by the PDU Router, or a Complex Driver.
CAN Transport Protocol error during reception
添加图片注释,不超过 140 字(可选)
Note: In the figure above, the DCM represent the CANTP user. Other users of CANTP should react similarly (they will receive the indication of failures, and are responsible for initiating a recovery). Another user could be a SWC, with the communication routed to AUTOSAR COM by the PDU Router, or a Complex Driver.
Client / Server timeout
添加图片注释,不超过 140 字(可选)
NVRAM related errors
Overview
Error handling mechanisms
添加图片注释,不超过 140 字(可选)
On the lower levels of the NVRAM stack, mechanisms are implemented in the drivers to detect hardware access problems. Detection mechanisms are harmonized between EEPROM and Flash drivers.
在NVRAM中驱动实现了检测硬件的机制
On the upper layers of the NVRAM stack (mainly in the NVRAM manager), mechanisms are implemented to detect data corruption, memory address corruption and loss of redundancy. All the recovery mechanisms for the detected errors in the NVRAM stack are handled by the NVRAM Manager.
在NVRAM堆栈的上层(主要在NVRAM管理器中),实现了检测数据损坏、内存地址损坏和冗余丢失的机制。NVRAM堆栈中检测到的所有错误恢复机制都由NVRAM管理器处理。
The error can be reported in polling or interrupt mode. The whole memory stack must be configured consistently with the usage done by SWC and BSW users.
添加图片注释,不超过 140 字(可选)
添加图片注释,不超过 140 字(可选)
Driver level errors
Flash write job error
添加图片注释,不超过 140 字(可选)
Write job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. A recovery mechanism is present in the NVM module which permits to retry a write job in case of failure (3). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
Flash erase job error
添加图片注释,不超过 140 字(可选)
Erase job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. If the erase driver job is part of a write operation, write retries are initiated by the NVRAM manager (3) as soon as the error is reported to this layer. If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
Flash read job error
添加图片注释,不超过 140 字(可选)
Read job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. Recovery is initiated by the NVRAM manager (3): one or more read attempts shall be made before continuing to read the redundant block or ROM data. If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
Flash compare job error
添加图片注释,不超过 140 字(可选)
Note: Flash compare function is an internal mechanism for the Flash EEPROM Emulation to determine whether erasing / writing is needed or not. Compare job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to the Flash EEPROM Emulation (2) which have to reset some internal states in order to accept new requests.
External Flash Hardware ID Mismatch
添加图片注释,不超过 140 字(可选)
During the initialization of the external flash driver, the FLS module checks if there is a mismatch between the hardware ID of the external flash device and the corresponding published parameter (1). If there is a mismatch, the module stays uninitialized. An error is reported to the DEM and error status can also be forwarded to upper layers viapolling (2). No further reaction is described (error not taken into account at the NVRAM manager level). There is no recovery action.
EEPROM write job error
添加图片注释,不超过 140 字(可选)
Write job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. A recovery mechanism is present in the NVM module which permits to retry a write job in case of failure (3). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
EEPROM erase job error
添加图片注释,不超过 140 字(可选)
Erase job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. If the erase driver job is part of a write operation, write retries are initiated by the NVRAM manager (3) as soon as the error is reported to this layer. If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5),see NVM API request failure.
EEPROM read job error
添加图片注释,不超过 140 字(可选)
Read job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. Recovery is initiated by the NVRAM manager (3): one or more read attempts shall be made before continuing to read the redundant block or ROM data. If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
EEPROM compare job error
添加图片注释,不超过 140 字(可选)
Note: EEPROM compare function is an internal mechanism for the EEPROM Abstrac tion to determine whether erasing / writing is needed or not. Compare job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to the Flash EEPROM Emulation (2) which have to reset some internal states in order to accept new requests.
EEPROM Abstraction / Flash Emulation level errors
FEE consistency check error
添加图片注释,不超过 140 字(可选)
The Flash EEPROM Emulation checks the consistency of the read data (1). If a con sistency error is detected, error status is forwarded to the NVRAM manager (2). The NVRAM manager reports NVM_E_INTEGRITY_FAILED to the DEM (3). Recovery is also initiated: "read retry", "read redundant block" and "read ROM block", if configured (4).If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (5), the job result is set to NVM_REQ_INTEGRITY_FAILED (6).
EA consistency check error
添加图片注释,不超过 140 字(可选)
The EEPROM Abstraction checks the consistency of the read data (1). If a consistency error is detected, error status is forwarded to the NVRAM manager (2). The NVRAM manager reports NVM_E_INTEGRITY_FAILED to the DEM and recovery is initiated: "read retry", "read redundant block" and "read ROM block", if configured (3). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (4), the job result is set to NVM_REQ_INTEGRITY_FAILED (5).
NVRAM manager level errors
NVM CRC check
添加图片注释,不超过 140 字(可选)
If the NV block is configured with CRC, the NVRAM Manager checks if there is a CRC mismatch on the RAM block at the end of the reading operation (1). If so, NVM_E_INTEGRITY_FAILED error is reported to the DEM. Recovery is also initiated: "read retry", "read redundant block" and "read ROM block", if configured (2). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (3), the job result is set to NVM_REQ_INTEGRITY_FAILED (4).
NVM write verification error
添加图片注释,不超过 140 字(可选)
The NVRAM Block written to NV memory is immediately read back and compared with the original content in RAM (1). If the verification fails, NVM_E_VERIFY_FAILED error is reported to the DEM, and recovery is initiated with write retries if configured (2). If the recovery fails (3), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4), see NVM API request failure.
Static block check error
添加图片注释,不超过 140 字(可选)
The Static Block ID check mechanism located in the NVRAM manager provides means to detect if the wrong block has been read from the NV memory due to an addressing problem. The NVRAM Manager stores the NV Block Header including the Static Block ID in the NV Block each time the block is written to NV memory. During read operation, the NV header is compared to the requested block ID (1). If the static block ID check fails then the failure NVM_E_WRONG_BLOCK_ID is reported to DEM and read recovery is initiated ("read retry", "read redundant block" and "read ROM block" if configured) (1). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (3), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4), see NVM API request failure.
Loss of redundancy
添加图片注释,不超过 140 字(可选)
In case one redundant block is invalid during read or write (1), an attempt is made by the NVRAM manager to immediately recover the NV Block using data from the incorrupt NV Block (2). If the recovery fails (3), the error code NVM_E_LOSS_OF_REDUNDANCY is reported to the DEM and the NVRAM manager sets the job result to NVM_REQ_REDUNDANCY_FAILED (4).
NVM API request failure
添加图片注释,不超过 140 字(可选)
The NVRAM manager is notified of an error detected by the subsequent layers during the process of a NVM function or by an internal detection mechanism, write verification static block check, or config ID mismatch (1). Different recovery mechanisms are available at the NVRAM manager level de pending on the type of function involved, writing or reading (2). If the available recovery mechanisms fail (3), the NVM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4).
ApplicationLevelErrorHandling
Error model
Design of dependable systems is based on a systematic analysis of potential faults (fault models) i.e., a set of postulated faults, derived from the operating environment of the system, which helps the designer or user to predict the consequences of these fault and define mechanisms for handling (detect, recover from etc.) those particular faults.
可靠性系统的设计,假定一些可能出现的错误并实现错误处理。
添加图片注释,不超过 140 字(可选)
Error handling mechanisms
-
Plausibility checks
-
合理性检查,变量的值的合理性
-
Substitute Values
-
替代值
-
Voting
-
构建冗余,去3选2
-
Agreement
-
The difference between agreement and voting mechanisms is that when using agreement components interact to reach a decision, whereas in voting it is left to the voter to decide. Agreement protocols could be compared with closed loop systems, where the feedback consists of the sent messages received by all other parties.
-
闭环有feedback
-
Voting 开环
-
Checksums/Codes
-
校验和
-
Execution sequence monitoring
-
执行顺序监控
-
Aliveness monitoring
-
活力监测
-
Status and Mode Management
-
信号质量
-
信号时间戳
-
信号序列号
-
更新信息
-
Signal quality: This indicates the quality of the value, such as nominal value, modelled value, replacement value, and default value. The receiver of the signal may react differently depending on the quality of the signal.
-
Signal timestamp: This indicates when the value was created and can be used to check the age of a signal. If a calculation uses several input signals, one can check that all input signals are created within a tolerable time window.
-
Signal sequence number: It may be of interest to check that signal values are received in a certain order, and that no values or lost between reads. Also, sequence numbers can be used in a similar fashion as timestamps in that they allow a check that all values in a group are from a particular creation window (same sequence number, or with a minimum/maximum deviation).
-
Update information: A consumer of a signal may want to know whether a signal has been updated since the last read or not.
-
状态和模式管理
-
Status and mode management deals with meta information for signals, applications, devices, etc. This meta information can be used to analyse the state of the system in order to isolate a faulty subsystem/component and modify its behaviour accordingly.
-
状态和模式管理用来处理信号、应用、设备等的元信息。
-
Signal status: In addition to the value, a signal may have meta information as sociated with it, such as
-
Device status: An application may want to know the status of the devices it uses, such as sensors and actuators. If a device is not in normal operation, applications may want to choose to deliver some form of degraded service.
-
Application status/mode: An application can also have a status, or a mode, which indicates the overall health or operating situation of the application. This status/mode can be used for recovery purposes, both internally in the said application and externally by other application.
-
Vehicle mode: A vehicle may be in a number of different modes (e.g. normal operation, parked, limp-home) and the applications will have to behave accordingly.
-
ECU Mode: An ECU may be in different states, such as sleeping, running, powered down, and transitional states between such states.
-
信号状态
-
设备状态
-
应用状态/模式
-
车辆模式
-
ECU模式
-
Reconfiguration
-
A technique for building fault-tolerant systems is to detect and isolate faults and then reconfigure the system to no longer use the faulty component, or to reconfigure to provide only a degraded set of services (or level of service).
-
Reset
-
Error Filtering
-
Memory Protection
-
Memory protection is used to protect against errors propagating from one protection domain (partition) to another.
-
内存保护防止了从一个内存保护区传播到另一个内存保护区。不同的功能有不同不内存,不能使用不是本功能的内存。
-
Timing Protection
-
Timing protection refers to protecting the system against activities requiring too much time to complete, such as an executing component taking too much execution time on the processor and thereby hindering the execution of other components, communication delays, peripheral units not responding in time, etc.
-
For activities, one may define time budgets providing an upper limit on how much time a given acitivy may use. For example, one may choose to set execution time budgets for components, or a maximum response times for communication.
-
对于活跃的任务,设定时间预算。
Terminating and restarting partitions
The main focus is on handling faults which lead to one of the following:
-
Protection violation caused by erroneous memory access. This is detected by the OS (with support from an MMU).
-
Protection violation caused by exceeding of allocated execution time budget. This is detected by the OS.
-
Detection of application states which do not trigger a protection violation but require termination or restart of a partition.
主要聚焦处理下面几种错误
-
内存访问错误
-
超出时间预算
-
检测不触发保护但需要终止或重启的冲突
Rationale - Use Cases
Terminating and restarting an application is a basic approach to minimizing error propagation and performing error recovery (mainly the restart functionality). Two main usecases have been identified for AUTOSAR error handling and are presented in this section.
终止和重新启动应用程序时减少错误传播的基本原理
Use Case 1: Software Partitioning [UC1]
软件分区
Use Case 2: Application-level Error Handling [UC2]
应用级别错误处理
Error handling of distributed automotive applications
An application-level error manager (ALEM) would deal with issues that arise from such distribution. For example, if the termination of a partition leads to a need to terminate other partitions (not necessarily on the same ECU), this would be triggered by the ALEM.
OEM-specific error handling
原厂描述的错误状态处理
Application-level Error Managers
添加图片注释,不超过 140 字(可选)
Approach for Terminating and Restarting Partitions
In the subsequent sections, the text describes the support in AUTOSAR OS, BSW and RTE.
就是介绍遇到错误时的终止和重启的机制
OS features
An OS Application is a set of OS objects, such as
-
tasks,
-
interrupt service routines,
-
alarms,
-
schedule tables
For instance application specific hook functions can be defined, such as startup and shutdown hook functions.
可以定义startup或shutdown的钩子函数
For OS controlled objects, there are a number of protection mechanisms available (see[14]). The mechanisms relevant for the termination/restart approach are memory protection and timing protection. Memory protection covers stack and data and, optionally,code of OS-Applications. Timing protection is based on execution time budgets and arrival rates.
对于OS控制的对象
| 保护类型 | 保护内容 |
|---|---|
| 内存保护 | 栈,数据,代码(可选) |
| 时间保护 | 时间预算,到达率 |
OS-Applications are divided into i) trusted OS-Applications and ii) non-trusted OSApplications (see [14]).
| OS APP | 类型 | |
|---|---|---|
| Trusted OS-Applications | 信任 | 特权模式(不受监控) |
| Non-trusted OS-Applications | 不信任 | 非特权模式(被内存保护和时间保护监控) |
Protection Hook
The system has a single global Protection Hook.
-
这个钩子如果没有配置就ShutdownOS();
-
配置了的话根据返回值来处理(函数的实现是可自行决定如何处理的)
-
PRO_IGNORE: Do nothing
-
PRO_TERMINATETASK: Forcibly terminate the faulty Task/Category 2 OsIsr
-
PRO_TERMINATEAPPL: Forcibly terminate the faulty OS-Application
-
PRO_TERMINATEAPPL_RESTART: Forcibly terminate the faulty OS-Application and trigger the execution of the OSRestartTask.
-
PRO_SHUTDOWN: Call ShutdownOS().
TerminateApplication() API
有这么一个函数可以终止OS-Application
也可以通过参数去重启
OSRestartTask
这个函数执行时他会是当前分区的唯一任务,也有一个决策决定终止/重启OS-Application
OS-Application state machine
-
APPLICATION_ACCESSIBLE
-
APPLICATION_RESTARTING
-
APPLICATION_TERMINATED
添加图片注释,不超过 140 字(可选)
Partition state machine
添加图片注释,不超过 140 字(可选)
Error handling strategy in the Protection Hook
当OS发现违反保护时,一下信息需要要收集
-
Partition ID
-
Error type
-
Partition restart counter
-
OS-Application State
Based on the input the Protection Hook needs to decide what to do:
-
Do nothing
-
Restart the partition
-
Terminate the partition
-
Shutdown OS/ECU
Clean-up activities in the OSRestartTask
当发生OSRestartTask时,各个模块有一些必要的处理。
【AUTOSAR_CP_EXP_ApplicationLevelErrorHandling.pdf】P61页
Support for Use Cases
UC1: SW Partitioning
By placing each application requiring protection in an OS-Application, partitioning between applications is achieved. Possible reactions to errors include terminating and restarting of the affected partition. UC1 is therefore fully covered.
把SW放在不同的OS-Application可以实现软件分区
Integrator Responsibility
大白话就是拆分sw-c分不同的区,设定好保护的规则和钩子,设定好cleanup的行为。
CDDDesignAndIntegrationGuideline
Introduction to CDD
-
A CDD may need to interface to modules of the layered software architecture
-
A module of the layered software architecture may need to interface to a CDD
-
A CDD may need to interface SW-Cs via Rte
-
都是简单的单词,很好理解,我就懒得翻译了略略略
添加图片注释,不超过 140 字(可选)
CDD design recommendations
CDD的设计建议
Documentations
User’s Manual
CDD designer shall provide a User’s Manual to ease the integration and provide information to customers:
要提供手册,手册里要有这些内容哦
-
CDD introduction and overviewCDD
-
简介和概述
-
Description of the functional operations (initialisation, normal, shutdown, fault operation...)
-
功能操作描述
-
Description of the relationship with and need from other BSW Modules, SchM and Rte; e.g. memory blocks from NvM, critical sections to configure.
-
描述与其他BSW模块、SchM和Rte的关系
-
Files structure and dependencies
-
文件结构和依赖关系
-
Description of the interfaces (including services): name, description, re-entrancy, parameters (names, types, ranges, values), return value (name, type, range, values), configuration class.
-
Description of the non-functional requirements: timing and behaviour requirements, resource usage, behaviour with other BSW modules or SW-C...
-
描述时间啊行为的要求、资源使用情况、与其他BSW模块或SWC的行为
-
Description of the Dem errors, optionally Det errors, debug variables
-
描述Dem错误
-
Description of the configuration parameters (names, types, ranges, values).
-
配置参数的描述
-
Description of the memory mapping needs (Flash, RAM)
-
描述内存映射需求
-
Usage limitations and open issues
-
使用限制和未解决的问题
-
Integration constraints and requirements to other modules
-
集成的制约因素和对其他模块的要求
-
Examples
-
例子
Module ID
Implementation
-
CDD shall respect the input specifications [2], [3], [5], [6], [7], [8], [9], [10].
-
CDD shall protect its critical resources defining critical sections which can be handled by SchM or OS mechanisms.
-
CDD应保护其关键资源,界定可由SchM或OS机制处理的关键部分。
-
CDD mode may be manageable by EcuM and BswM modules.
-
CDD模式可通过EcuM和BswM模块进行管理
-
CDD may handle its memory sections using the memory mapping mechanisms.
-
CDD可以使用内存映射机制来处理其内存部分
-
CDD may report its errors using Det or Dem modules.
-
CDD可使用Det或Dem模块报告其错误
CDD Files
Code file(s)
-
CDD_<MODULENAME>.c
-
CDD<MODULENAME>Irq.c
-
CDD<MODULENAME>Callout.c
-
CDD<MODULENAME>Lcfg.c
-
CDD<MODULENAME>PBcfg.c
Header file(s)
-
CDD_<MODULENAME>.h
-
CDD<MODULENAME>Cbk.h
-
CDD<MODULENAME>Cfg.h
-
CDD<MODULENAME>PBcfg.h
-
CDD<MODULENAME>Lcfg.h
CDD module may include Det.h and/or Dem.h header files to report errors. CDD module may include <Mip>_MemMap.h header file if some memory mapping area have to be defined where <Mip> is the Module Implementation Prefix. CDD module may include Rte_CDD_<MODULENAME>.h header file if interfaces to the Rte are configured.
添加图片注释,不超过 140 字(可选)
文件结构
Behaviour and Interfaces description
Some CDD not only have interfaces to other BSW modules or clusters, but have also more abstract interfaces accessed from application SW-Cs via the Rte.
一些CDD不仅具有与其他BSW模块或集群的接口,而且还具有通过Rte从应用程序SWC访问的更抽象的接口。
-
Description of the CDD services
-
Types and ports interfaces
-
Description of internal behaviour and runnable Entities
-
Description of the required triggered events of runnable Entities
-
Description of exclusive Areas for shared resources protection
-
Memory mapping
Interfacing to other modules
-
Interfacing to Rte and SW-C
-
Interfacing to libraries
-
Interfacing to standard BSW modules
-
CDD shall provide all configuration parameters which are necessary to satisfy other AUTOSAR modules which rely on the information,
-
依赖注入
Interfacing to standard BSW modules
Interfacing with BSW Mode Manager & ECU State Manager
ECU State Manager should be used for:
-
Init and De-Init functions shall be exclusively called by the EcuM and/or the BswM modules.
-
If a CDD handles a wakeup source, it must follow the protocol for handling wakeup events specified in the document [11] Specification of ECU State Manager.
BSW Mode Manager should be used for:
-
CDD modes changed management
Interfacing with Memory Stack
Interfacing with Watchdog Stack
Interfacing with Communication Stack
Several access points are possible:
-
It is possible to interface to the PDU Router module to handle IPDU.
-
It is possible to interface to the <Bus> Interface.
-
It is possible to interface to the NM module.
-
It is possible to interface the TcpIp module.
-
It is possible to directly interface to Com module as it is possible to have signal interface.
Interfacing with XCP module
Interfacing with Diagnostic Log and Trace
Interfacing with Default Error Tracer and Diagnostic Event Manager
Interfacing with OS
Interfacing with StbM module
CDD in multi-cores system
CDD module of the MCAL
StandardTypes
Type definitions
Std_ReturnType
[SWS_Std_00005] Definition of datatype Std_ReturnType
Layout of the Std_ReturnType shall be as stated in the RTE specification. Bit 7 and Bit 8 are reserved and defined by the RTE specification.
添加图片注释,不超过 140 字(可选)
返回值类型Std_ReturnType
也就是说这两个是RTE的哦
添加图片注释,不超过 140 字(可选)
PlatformTypes
Byte Ordering (Memory)
Big Endian byte ordering大端
添加图片注释,不超过 140 字(可选)
Little Endian byte ordering小端
添加图片注释,不超过 140 字(可选)
CommunicationStackTypes
API specification Type definitions
-
PduIdType
-
[SWS_COMTYPE_00005] Definition of datatype PduIdType
-
This type is used within the entire AUTOSAR Com Stack except for bus drivers.
-
PduLengthType
-
[SWS_COMTYPE_00008] Definition of datatype PduLengthType
-
This type shall be used within the entire AUTOSAR Com Stack of an ECU except for bus drivers.
-
PduInfoType
-
[SWS_COMTYPE_00011] Definition of datatype PduInfoType
-
Variables of this type shall be used to store the basic information about a PDU of any type, namely a pointer variable pointing to its SDU (payload), a pointer to Meta Data of the PDU, and the corresponding length of the SDU in bytes.
-
PNCHandleType
-
[SWS_COMTYPE_00036] Definition of datatype PNCHandleType
-
Used to store the identifier of a partial network cluster.
-
TPParameterType
-
[SWS_COMTYPE_00031] Definition of datatype TPParameterType
-
Specify the parameter to which the value has to be changed (BS or STmin).
-
BufReq_ReturnType
-
[SWS_COMTYPE_00012] Definition of datatype BufReq_ReturnType
-
Variables of this type shall be used to store the result of a buffer request.
-
TpDataStateType
-
[SWS_COMTYPE_00027] Definition of datatype TpDataStateType
-
Variables of this type shall be used to store the state of TP buffer
-
RetryInfoType
-
[SWS_COMTYPE_00037] Definition of datatype RetryInfoType
-
Variables of this type shall be used to store the information about Tp buffer handling.
-
NetworkHandleType
-
[SWS_COMTYPE_00037] Definition of datatype RetryInfoType
-
Variables of this type shall be used to store the information about Tp buffer handling.
-
CbkHandleIdType
-
[SWS_COMTYPE_91001]{DRAFT} Definition of datatype CbkHandleIdType
-
Used for the handle Ids of Com and LdCom user callbacks.
-
TimeTupleType
-
the value of the clock used for timestamping of frame
-
and the corresponding value of the adjustable HW clock, derived by cross-timestamping
-
[SWS_COMTYPE_91002]{DRAFT} Definition of datatype TimeTupleType
-
The Time Tuple represents the clock values of two related HW clocks
-
TimeStampType
-
[SWS_COMTYPE_91003]{DRAFT} Definition of datatype TimeStampType
-
TimeStampQualType
-
[SWS_COMTYPE_91004]{DRAFT} Definition of datatype TimeStampQualType
-
Depending on the HW, quality information regarding the evaluated timestamp might be supported. If not supported, the value shall be always Valid. For Uncertain and Invalid values, the upper layer shall discard the time stamp.
-
ListElemStructType
-
[SWS_COMTYPE_91005]{DRAFT} Definition of datatype ListElemStructType
反正是很多类型哈哈哈
结束啦宝!睡觉🛏️
缘落
真的难读啊这规范
裂开啦🫨,一条一条的约定
不过确实很有用
只读规范可能不会感到共鸣
还是需要在工作中实际体会的
加油😋,小柴!
1085
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
