Hey —

A follow up on this, I’ve committed initial support for the Nordic platforms for the watchdog, along with modifying this API a bit.


I made the watchdog expiry a millisecond value (in hal_watchdog_init()), as pretty much every watchdog I’ve seen executes in millisecond resolution. I removed the hal_watchdog_stop() function, as many processors don’t offer the ability to stop the watchdog once started.

I also hooked the watchdog into the OS with two new configuration options:

    SANITY_INTERVAL:
description: 'The interval at which the sanity checks should run, should be at least 200ms prior to watchdog'
        value: 299500
    WATCHDOG_INTERVAL:
description: 'The interval at which the watchdog should reset if not tickled, in ms'
        value: 300000

These are default values, defined by the OS (libs/os/pkg.yml), that can be overridden by the BSP.

By default the OS initializes the watchdog with hal_watchdog_init() when OS start is called. I have removed the sanity task (to save stack space, and make it run by default), and instead, put all sanity related functions within the idle task.

The logic is here (os.c), for reference. os_sanity_run() calls into os_sanity.c, and runs the sanity checks. Code has also been added to make sure that we don’t sleep beyond the sanity interval, and trip up the watchdog in our idle loop.

sanity_itvl_ticks = (MYNEWT_VAL(SANITY_INTERVAL) * OS_TICKS_PER_SEC) / 1000;
    sanity_last = 0;

    hal_watchdog_tickle();

    while (1) {
        ++g_os_idle_ctr;

        now = os_time_get();
        if (OS_TIME_TICK_GT(now, sanity_last + sanity_itvl_ticks)) {
            os_sanity_run();
            /* Tickle the watchdog after successfully running sanity */
            hal_watchdog_tickle();
            sanity_last = now;
        }

        OS_ENTER_CRITICAL(sr);
        now = os_time_get();
        sticks = os_sched_wakeup_ticks(now);
        cticks = os_callout_wakeup_ticks(now);
        iticks = min(sticks, cticks);
        /* Wakeup in time to run sanity as well from the idle context,
         * as the idle task does not schedule itself.
         */
iticks = min(iticks, ((sanity_last + sanity_itvl_ticks) - now));

        if (iticks < MIN_IDLE_TICKS) {
            iticks = 0;
        } else if (iticks > MAX_IDLE_TICKS) {
            iticks = MAX_IDLE_TICKS;
        } else {
            /* NOTHING */
        }
/* Tell the architecture specific support to put the processor to sleep
         * for 'n' ticks.
         */
        os_tick_idle(iticks);
        OS_EXIT_CRITICAL(sr);


For BSPs where hal_watchdog has not been implemented, calling these functions has no effect, and I’ve added stubs to the stm32f4 and native BSPs.

Sterling


On 30 Aug 2016, at 15:01, marko kiiskila wrote:


On Aug 30, 2016, at 12:59 PM, Mathew Calmer <mcal...@exploramednc7.com> wrote:

On August 30, 2016 at 12:28:50 PM, will sanfilippo (wi...@runtime.io<mailto:wi...@runtime.io>) wrote: Sounds reasonable. As I am sure you know, doing it through the sanity task sometimes is an issue getting the time right as you would then need to know the worst-case timing of all the tasks that could be running… but any way you cut it, you have to put some time limit on that… in past lives I have seen some pretty complicated ways to deal with this but this seems reasonable and if developers need something different they can implement it with this hal.



I would consider making the return value of init() be the time or some reference to the time that was actually set. So, for example, if the user asks for 10000 ticks, and the system can only support 2000, it could return 2000 from init, after trying it’s best to support the request.

It could be done in powers of two or some other mechanism, but conceptually using that return value to explain what was actually set would be a nice interface. If watchdog was not implemented on given hardware, default return could be negative (error) or 0, implying watchdog was not set (although 0 also implies success… so…).


I was thinking the same regarding return value from init(), but had not written it down in the
API proposal.

I’m including updated version here.

/*
* Set a recurring watchdog timer to fire no sooner than in 'expire_secs'
 * seconds. Watchdog should be tickled periodically with a frequency
 * smaller than 'expire_secs'. Watchdog needs to be then started with
 * a call to hal_watchdog_enable().
 *
 * @param expire_secs           Watchdog timer expiration time
 *
* @return < 0 on failure; on success return the actual
 *                              expiration time as positive value
 */
int hal_watchdog_init(int expire_secs);

/*
 * Starts the watchdog.
 *
 * @return                      0 on success; non-zero on failure.
 */
int hal_watchdog_enable(void);

/*
 * Stops the watchdog.
 *
 * @return                      0 on success; non-zero on failure.
 */
int hal_watchdog_stop(void);

/*
 * Tickles the watchdog.
 */
void hal_watchdog_tickle(void);

Reply via email to