2 Assumption of Use

This section contains the Assumption of Use (AoU) for this implementation of SW_SRAM_MARCH_TEST_01. These AoUs cover both the use of the March C- diagnostic function, referred to as the March test function, and the start-up and periodic API wrappers which call this function. Note that the March test function can be called with two modes, Start-up or Partial, which are used by the start-up and periodic API wrappers.

AoU-SRAM_MARCH_TEST-01: The March test function shall be called with the Start-up mode before any initialization, configuration or self-test functions executed prior to the the main function. Reason: As the test is destructive, any data placed in SRAM before the test will be lost. Calling the test before any other functions are executed ensures that no data is lost. Exception: A bootloader may run before the SRAM March test, if it does not depend on data passed from the application in SRAM.  

AoU-SRAM_MARCH_TEST-02: The March test function shall be executed with the Start-up mode on all the SRAM memory used by the application, including the stack area of the application. Reason: This is required to ensure full test coverage of the fault models covered by the algorithm.  

AoU-SRAM_MARCH_TEST-03: The used SRAM shall be allocated as a continuous block and shall include the lowest address (start address) in SRAM. Reason: If the application requires less SRAM resources than available, it is possible to restrict the SRAM size through the use of linker flags and only test this section to reduce the Worst-Case Execution Time (WCET) of the SRAM March test.  

AoU-SRAM_MARCH_TEST-04: The value of the DIAG_SRAM_DATA_REGION_LEN macro shall correspond to the size of the SRAM area used by the application. Reason: The SRAM March test function uses DIAG_SRAM_DATA_REGION_LEN to verify that the input parameters are correct. In Start-up mode, it uses the value of the DIAG_SRAM_DATA_REGION_LEN macro to calculate the start of the stack. The periodic March test API uses DIAG_SRAM_DATA_REGION_LEN to calculate the number of overlapping SRAM sections to test.  

AoU-SRAM_MARCH_TEST-05: The Stack Pointer (SP) shall be set to the highest address in the SRAM area used by the application before calling the March test function in Start-up mode. If the size of the SRAM is restricted to a smaller size than physically available on the device through a linker option, an additional linker option to configure the SP to point at the new end address must be used. Reason: When the SRAM March test function is called, the two-byte return address is pushed to stack. Since the test is destructive and the entire SRAM used by the application is tested in Start-up mode, the SRAM March test stores the return address in two CPU registers and restores it to stack after the test is completed to return correctly after the test. The SRAM March test requires that the return address is stored at the two highest SRAM addresses used by the application, defined by the DIAG_SRAM_DATA_REGION_LEN macro value. However, since the linker flag option that points the SP to the highest address in the SRAM area used by the application will only take effect after the SRAM March test has been executed (in a later .init section), the SP must, additionally, be set to the end address in code before calling the SRAM March test in Start-up mode.  

AoU-SRAM_MARCH_TEST-06: The March test function shall only be used for devices with 128 kB of Flash memory or less. Reason: For devices with a Flash larger than 128 kB, the Program Counter (PC) is extended to three bytes and, subsequently, a function call will involve pushing three bytes to the stack, which has not been accounted for in the current implementation.  

AoU-SRAM_MARCH_TEST-07: The March test function shall be called with all interrupts disabled. Reason: Interrupting the SRAM March test can lead to undefined behavior and cause the test to return an incorrect test result.  

AoU-SRAM_MARCH_TEST-08A: The system integrator shall ensure that the Watchdog Timer (WDT) does not expire, i.e., cause a Reset, during the execution of the SRAM March test in Start-up mode. Reason: If the worst-case minimum duration of the WDT time-out is longer than the WCET of the SRAM March test function call, WDT Reset instructions can be issued after the test is completed.  

AoU-SRAM_MARCH_TEST-08B: If the WDT time-out cannot be selected to be longer than the WCET of the SRAM March test in Start-up mode, the system integrator may insert appropriate WDT Reset instructions in the SRAM March test function itself. This ensures timely resets of the WDT and avoids a system Reset during the SRAM March test. Reason: Executing WDT Reset instructions (by using the macro wdt_reset() defined in avr/wdt.h) does not interfere with the March C- test.  

AoU-SRAM_MARCH_TEST-09: The March test shall only be performed in Start-up mode if the WDT Reset Flag bit is not set. All other Reset sources trigger the execution of the March test after a Reset. It is the responsibility of the system integrator to ensure that the SRAM March test is executed upon a Reset after an unintentional WDT Reset is detected. Reason: As the WDT diagnostic test involves issuing WDT Resets intentionally, the SRAM March test must not run again while the WDT test is being executed. One way to ensure that the March test is run, is checking for WDT resets in the application code, clearing the flag and issuing a software reset.  

AoU-SRAM_MARCH_TEST-10: The system shall operate correctly even if the March test exits early. Reason: The SRAM March test returns earlier than the WCET if a memory fault is detected, which can affect the timing of a WDT Reset instruction.  

AoU-SRAM_MARCH_TEST-11: The system integrator shall ensure that the DIAG_SRAM_MARCH_ALT_CLK_FRQ macro is defined so that the device operates within the data sheet specification. Reason: The SRAM March start-up test uses the DIAG_SRAM_MARCH_ALT_CLK_FRQ macro to set the main clock frequency when executing the March algorithm in Start-up mode which supports the reduction of the WCET of the test, if DIAG_SRAM_MARCH_ALT_CLK_FRQ_ENABLED is not zero. The main clock frequency is restored to the default value upon completion of the test. However, for some devices, the maximum main clock frequency is limited by the supply voltage and temperature range of the device. Refer to the Electrical Characteristics chapter of the respective device data sheet for more information.  

AoU-SRAM_MARCH_TEST-12: The system integrator shall ensure that the stack depth is kept sufficiently small so that one SRAM section cannot overlap both the temporary stack and the current stack pointer when using the periodic March test. Reason: The periodic March test assumes that the depth of the application stack never exceeds a value such that one SRAM section overlaps both the temporary and current pointer. In this scenario, both stacks would be under test and the March test function will not be able to return correctly or preserve the context of the caller function. A formula for calculating the maximum stack depth is provided in the documentation for the DIAG_SRAM_MarchPeriodic() API function. The AoU is provided for completeness, even though this scenario is unlikely to occur in a normal application, given that the stack starts at the highest SRAM address used by the application and the temporary stack is located directly after the backup buffer at the SRAM start address.