Electronic – Error handling in embedded systems development

cembeddedfirmware

I am developing a Firmware and I am using 3 layers: Driver, Platform and Application. In order to handle the communication between these layers, I am using an approach where each function will return a success/failure flag:

typedef enum {
  FW_ERROR = 0,
  FW_OK    = 1
}FWStatusTypeDef;

Every function in my FW looks like this:

FWStatusTypeDef function1(void)
{
  /* Do some stuff */
  ..
  ..

  if(something_wrong_happens)
    return FW_ERROR;
  return FW_OK;
}


FWStatusTypeDef function2(void)
{
  /* Do some stuff */
  ..
  ..
  if(something_wrong_happens)
    return FW_ERROR;

  return FW_OK;
}

The approach I am using is good for debugging but when running the application, I want to identify which function is sending an error flag. In other words, I want to keep track of errors and display them in a screen

Example:

FWStatusTypeDef OpenTheDoor(void)
{
  if (!KeyIsAvailable())
  {
    return FW_ERROR;
  }
  Door->Open();

  if (!DoorIsOpen())
  {
     return FW_ERROR;
  }

  return FW_OK;
}

FWStatusTypeDef KeyIsAvailable(void)
{
  return GetKeyStatus();
}

FWStatusTypeDef DoorIsOpen(void)
{
  return GetDoorStatus();
}

In this example, when I call OpenTheDoor() and it returns FW_ERROR. I won't be able to know if the problem is that the key is missing or there was another problem while trying to open the door (for example a cow is blocking it because it hates me).

I've been thinking and I came up with this solution: An Error code handler.

typedef enum {
  ERROR_1 = 0,
  ERROR_2 = 1,
  ERROR_k = k, // A cow is blocking the door
  ERROR_n = n  // The key is missing
}ErrorIdTypeDef;

static ErrorIdTypeDef ErrorCode;

// Getter
ErrorIdTypeDef GetErrorCode(void)
{
  return ErrorCode;
}

// Setter
void SetErrorCode(ErrorIdTypeDef code)
{
  ErrorCode = code;
}

Each function will use the error handler exposed Setter.

FWStatusTypeDef OpenTheDoor(void)
{
  if (!KeyIsAvailable())
  {
    SetErrorCode(ERROR_n);
    return FW_ERROR;
  }
  Door->Open();

  if (!DoorIsOpen())
  {
     SetErrorCode(ERROR_k);
     return FW_ERROR;
  }

  return FW_OK;
}

FWStatusTypeDef KeyIsAvailable(void)
{
  return GetKeyStatus();
}

FWStatusTypeDef DoorIsOpen(void)
{
  return GetDoorStatus();
}

In the application layer, I read the error code using the exposed getter API if an error occurs:

if (!OpenTheDoor())
{
  ErrorIdTypeDef theError;
  theError = GetErrorCode();
  switch(theError)
  {
    case ERROR_k:
      DisplayOnTheScreen("A cow is blocking the door.");
      break;

    case ERROR_n:
      DisplayOnTheScreen("You don't have a key.");
      break;

    ...
    ...

    default:
      break;
  }
}
else
{
  DisplayOnTheScreen("Door is open");
}

Now, my questions are not about the syntax, they're more about "good practices". Does this approach have any limitation ? Is there another known practice to get the same result ? In other words, Am I complicating things here ?

Best Answer

Using enums for error codes is common practice. The whole purpose of using enum over for example bool is to get more information.

The pattern you suggest with a common "last error" handler is not recommended though. This has been tried historically many times, never with good results. Must infamously the Windows API GetLastError() function.

The problem with "last error" handlers are several: they are not thread/interrupt safe and they only remember the last error. If you set FW_ERROR_KEY from a function, from the time that happens until you print the error, another error could have happened. You then print the wrong reason and get the wrong diagnostic.

The common way to handle errors is instead rather something like this:

for(;;)
{
  kick_watchdog();

  result = state_machine[state]();

  if(result != OK)
  {
    error_handler(result);
  }
}

That's what the main loop looks like in many bare metal MCU projects. All errors are passed down from drivers up to the application layer, and error handling is centralized.

The application layer might then make the call to ignore certain errors, or handle them, or replace their error codes with another code. Etc.

Related Solutions

Electronic – FreeRTOS queues and IPC confusion

Comms stacks :(

Comms stacks in plain C :((

This is a summary of how I do it, though it's surely not the only way:

The app starts by by creating a 'generalPool' array of buffer structs, (BS:), of a fixed size. No more buffers are ever allocated and no buffers are ever freed during the run. The BS has space for data, data len, next/prev index bytes and a 'command' enum that describes what the buffer is, (and other stuff, but that clouds the issue). Indexes to this array are used for all inter-thread and driver comms, (I use byte-size indexes, rather than pointers, because there are less than 256 BS and I have RAM constraints). The next/prev bytes are initialized to form a double-linked list, and the calls to get/put an index are protected by a mutex.

Inter-thread comms are performed by getting a BS index from the generalPool, loading it up as required, setting the enum and then pushing the index onto a producer-consumer queue. The thread at the other end dequeues the index and, typically, switches on the enum to handle the BS message. Once handled, the consumer thread can repool the BS or queue it on somewhere else for further handling, (logger, say).

Because the BS has those next/prev bytes, the producer-consumer queue class does not need any storage space of its own - it has first and last bytes and so can link together the BS in a similar manner to the pool.

OK, now drivers:

I have interrupt-nesting disabled so that only one interrupt can run at a time. This enables me to make a BS index 'DriverQueue'. The DriverQueue has actual storage space for the index bytes - it does not use the next/prev links. This allows BS indexes to be safely added at one end, and removed at the other, by any one interrupt and one thread.

I have one 'CommsPool' DriverQueue. This is pre-filled on startup with some BS extracted from the generalPool. These BS are used for received data.

I have one 'commsTx' DriverQueue for each tx interrupt. Outgoing data is queued on them.

I have one 'commsRx' DriverQueue for all rx interrupts. Incoming data is queued on it.

One 'commsThread' handles the higher-level comms by initializing and operating a state machine, similar to your idea. When idle, it waits on a 'CommsEvent' semaphore.

The rx interrupts get BS from the CommsPool, load them up with data from the hardware, set the command enum to 'RxX', (X is the comms channel/interrupt ID number), push the BS index onto the common commsRx queue and signal CommsEvent.

The tx interrupts get BS from their own, private commsTx, load the data into the hardware, set the command enum to 'TxUsed', push the BS index onto the common commsRx queue and signal CommsEvent.

The commsThread is responsible for managing all the I/O. It has a 'commsRq' input queue for comms request BS from other threads. This is not, however a blocking queue - just thread-safe. It is not blocking because the commsThread has to handle the commsEvent signals from the interrupt-handlers as well.

Any thread that wants to communicate stuff loads up a BS with appropriate data and command, queues it to commsRq and signals CommsEvent, so waking the commsThread.

The commsthread does not know why it has been woken, so it polls the commsRx queue first to see if there is a BS in it. If there is, it handles it - if an 'RxX', it processes it through its state-engine code/data, if a 'TxUsed', it checks the CommsPool first, to see if it needs 'topping up', and pushes it there if there is need, else it pushes it back onto the generalPool for re-use elsewhere.

Once the commsThread has handled the driver queues appropriately, it polls the commsRq queue to see if there are any new comms requests from other threads. If there are, it dequeues and handles the request thorough it's state-machine code/data.

After that, the commsThread checks again to see if any CommsPool 'topping up' is required and, if the CommsPool is not full, tops it off with more BS from the generalPool.

The commsThread then loops back to wait on the semaphore again. The semaphore ensures that the commsThread runs exactly as many times as are requried to handle all input from other threads and the interrupt-handlers, no more, no less. If the thread ever wakes up and finds nothing to do, it's an error.

That's how I do it, anyway:) It provides good throughput and efficient use of RAM. Inter-thread producer-consumer queues need no internal storage. Only one thread, (and so only one RAM-consuming stack:), is required for all interrupt-management and Tx/Rx data handling. No mallocs/frees required after initialization. There is no busy-waiting or any need for periodic checking of any flags. No copying of the data is required, (except in/out of hardware - unavoidable). Timeout actions can be handled by either a timed wait on the semaphore, (preferable, if your OS supports it), or by the periodic'injection' of a 'TimeTick' BS on the inputQueue from some other thread. Returned BS can easily be 'diverted' to, say, a logger or terminal, for debug display before returning them to the generalPool.

However you do this, you should consider moving to C++. C just gets messy for anything other than simple straight-line code. C++ allows, for instance the BS to be implemented as class instances with methods for streaming in data and for 'auto-extending' a BS by getting and linking another BS if one BS gets full, so generating a 'compound' data message.

I've left some stuff out. For example, perhaps you already know the misery of tx interrupts - after the tx has been idle, they often have to be 'primed' by having the first bytes loaded into a FIFO to get the TX interrupt to start again :(

Also hint: my UART debug terminal prompt looks like 'A:96>'. The number, (96 here), is the current count of BS in the general pool. If this number starts dropping, I know I have a leak:)

Electronic – Best practice to keep main() in embedded systems

If you're concerned that code for a simple switch() based state machine (SM) will become untidy, you can split it into smaller subroutines.

void do_state_s1() {
    // stuff
    if ( /* certain  contidition */ ) {
        g_iState = STATE_S2;  // transition to another state
    }
}

void do_state_s2()  {
    // other stuff
    if ( /* some other condition */ ) {
        g_iState = STATE_S1;
    }
}

void do_state_machine() {
    switch (g_iState) {
    case STATE_S1:
        do_state_s1();
        break;

    case STATE_S2:
        do_state_s2();
        break;
    };
}

void main() {
    g_iState = STATE_S1;        // initialize the SM

    while (1) {
        do_state_machine();
    }
}

Best Answer

Related Solutions

Electronic – FreeRTOS queues and IPC confusion

Electronic – Best practice to keep main() in embedded systems

Related Topic