6.1.3.3 DIAG_SRAM_MarchPeriodic()

diag_result_t __nopa DIAG_SRAM_MarchPeriodic(void)

Handles nondestructive periodic March testing in overlapping sections of the SRAM used by the application, defined by DIAG_SRAM_DATA_REGION_LEN. This API wrapper is intended to be called periodically to test the next SRAM section as long as DIAG_SRAM_MARCH_PERIODIC_ENABLED is not zero. Each time the function is called, the next SRAM section is backed up in a buffer, tested using the DIAG_SRAM_MarchCMinus() function in SRAM_MARCH_PARTIAL mode and restored from the buffer before the result of the test is returned. This is done on all SRAM sections until it wraps around and starts testing the first SRAM section again. The function also handles testing the stack area by temporarily moving the stack pointer to a reserved temporary stack while performing the march test to return safely. Finally, in compliance with AoU-SRAM_MARCH_TEST-07 in Assumption of Use, the Global Interrupt Enable bit is backed up and disabled when entering the function and restored before returning.  

Attention:

The periodic March test does not give full coverage of the listed fault models. To get full coverage of the listed coupling faults, i.e. detect all possible coupling faults between all bits in the SRAM, the March C minus algorithm must be executed on the entire SRAM used by the application, which is done in the DIAG_SRAM_MarchStartup() API. However, as the March algorithm is destructive, it is not possible to get full fault model coverage periodically unless the application is reset periodically. Thus, this API implements a nondestructive periodic March test diagnostic with reduced coupling fault coverage. This approach gives full coupling fault coverage between all bits in a section under test, but no coverage of coupling faults between bits in a section under test and the rest of the SRAM used by the application. To somewhat mitigate this issue, the sections can be configured to overlap each other so that coupling faults between the overlapping parts of two sections are covered. Since coupling faults are more likely to occur on physically neighbouring bits, it is deemed a sufficient solution to periodically detect SRAM faults.

Note:

The size of each SRAM section is determined by the value of DIAG_SRAM_MARCH_SEC_SIZE and the overlap between sections is given by DIAG_SRAM_MARCH_SEC_OVERLAP.

The Fault Detection Time Interval (FDTI) is given by: FDTI = N * T, T > t_s where N is the number of SRAM sections (see DIAG_SRAM_MARCH_SEC_SIZE), T is the period between calls to DIAG_SRAM_MarchPeriodic() and t_s is the execution time of DIAG_SRAM_MarchPeriodic() (which will depend on DIAG_SRAM_MARCH_SEC_SIZE, optimization level and the main clock frequency).

The function reserves two buffers at the start of SRAM for doing backup of an SRAM section and creating a temporary stack when calling the DIAG_SRAM_MarchCMinus() function in SRAM_MARCH_PARTIAL mode when the section under test overlaps the current stack. For this reason, it is required to add a linker option to move the BSS section to avoid any data collision during compilation. The required linker options are printed as pragma messages during compile time if DIAG_LINKER_OPTION_MSG_ENABLE is not zero.
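The back-up, test, restore and wrap-around sequence described above, as a host-side simulation added here for illustration (it is not the library's code). The `sram` array, the `stuck_addr` fault hook, the constructed sizes and the clamping of the last section are assumptions; the temporary stack and the interrupt handling of the real function are not modelled.

```c
#include <stdint.h>
#include <string.h>
/* Constructed values standing in for the DIAG_SRAM_* configuration macros. */
#define REGION_LEN  64u  /* DIAG_SRAM_DATA_REGION_LEN   */
#define SEC_SIZE    16u  /* DIAG_SRAM_MARCH_SEC_SIZE    */
#define SEC_OVERLAP 4u   /* DIAG_SRAM_MARCH_SEC_OVERLAP */

static uint8_t sram[REGION_LEN];  /* simulated SRAM data region (hypothetical) */
static int stuck_addr = -1;       /* byte whose bit 0 is stuck at 0; -1 = no fault */
static unsigned next_start;       /* start offset of the next section to test */

static void wr(unsigned a, uint8_t v) { sram[a] = ((int)a == stuck_addr) ? (uint8_t)(v & 0xFEu) : v; }
static int get_bit(unsigned i) { return (sram[i / 8u] >> (i % 8u)) & 1; }
static void set_bit(unsigned i, int b) {
    uint8_t m = (uint8_t)(1u << (i % 8u)), v = sram[i / 8u];
    wr(i / 8u, b ? (uint8_t)(v | m) : (uint8_t)(v & (uint8_t)~m));
}

/* One March element over n bits from bit offset b0: read `expect`, write its complement. */
static int element(unsigned b0, unsigned n, int expect, int ascending) {
    for (unsigned k = 0; k < n; k++) {
        unsigned i = b0 + (ascending ? k : n - 1u - k);
        if (get_bit(i) != expect) return 0;
        set_bit(i, !expect);
    }
    return 1;
}

/* March C-: (w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); (r0). Returns 1 on pass. */
static int march_c_minus(unsigned start, unsigned len) {
    unsigned b0 = start * 8u, n = len * 8u;
    for (unsigned k = 0; k < n; k++) set_bit(b0 + k, 0);
    int ok = element(b0, n, 0, 1) && element(b0, n, 1, 1) &&
             element(b0, n, 0, 0) && element(b0, n, 1, 0);
    for (unsigned k = 0; ok && k < n; k++) ok = (get_bit(b0 + k) == 0);
    return ok;
}

/* One periodic call: back up the next section, test it, restore it, advance with wrap-around. */
int march_periodic(void) {
    uint8_t backup[SEC_SIZE];
    unsigned start = next_start;
    if (start + SEC_SIZE > REGION_LEN) start = REGION_LEN - SEC_SIZE; /* assumed clamp of last section */
    memcpy(backup, &sram[start], SEC_SIZE);
    int ok = march_c_minus(start, SEC_SIZE);
    for (unsigned k = 0; k < SEC_SIZE; k++) wr(start + k, backup[k]);
    next_start = (start + SEC_SIZE >= REGION_LEN) ? 0u : start + (SEC_SIZE - SEC_OVERLAP);
    return ok;
}
```

With these sizes the sections start at offsets 0, 12, 24, 36 and 48, so a fault in bytes 12 to 15 is seen by two consecutive calls, while a fault anywhere is seen at the latest after five calls, matching FDTI = N * T with N = 5.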

Attention:

The periodic March test assumes that the application stack never grows so deep that a single SRAM section overlaps both the temporary stack and the current stack pointer. If that happened, both stacks would be under test and the March test function would not be able to return correctly or preserve the context of the caller function. Assuming that the stack starts at DIAG_SRAM_END_ADDR, the maximum stack depth value, stack_max, is given by:

tot = DIAG_SRAM_DATA_REGION_LEN  

sec = DIAG_SRAM_MARCH_SEC_SIZE  

overlap = DIAG_SRAM_MARCH_SEC_OVERLAP  

tmp = DIAG_SRAM_TEMP_STACK_SIZE  

stack_max = tot + (sec + tmp)%(sec - overlap) - 2*sec - tmp, where % is the modulo operator.

Note:

Procedural Abstraction (PA) optimization is disabled for this function. This assembly optimization can adversely affect the execution by introducing calls to routines that change the content of the stack in the SRAM, and can thus cause the backing up of the stack to fail. This is achieved by using the __nopa directive, which is expanded to __attribute__((nopa, noinline)). This additionally ensures that inlined code is not subject to PA.

Parameters:
None.