Safety improvements: Periodically check the port configuration registers

[uhi22]

Discussed here: https://openinverter.org/forum/viewtopic.php?p=58345#p58345

Goal: If a safety relevant port configuration changes unintentionally (e.g. the digital input for brake is changed to output), the software shall be able to detect this. If detected, the action needs to be defined (e.g. MIL and/or limp mode with reduced torque).

Steps:

1. Identify the digital and analog ports, which may carry safety relevant information.
2. Identify the related configuration registers (e.g. port direction register)
3. Create a piece of software which periodically compares the register content to configured target values.
4. Define and implement the action which shall be taken in case of mismatch.

[jsphuebner]

Relevant peripherals:

• GPIOA to GPIOD
• TIM1 (main PWM timer)
• TIM2 (scheduler)
• TIM3 (position sensing)
• TIM4 (over current threshold)
• ADC1
• DMA?

Now we could either have one centralized register check module that receives a list of addresses that it should monitor. If it detects a change it will signal this (resulting in MIL light) and return the register to its saved state.
Or we could have this functionality built into the respective modules like anain.cpp and digio.cpp

[uhi22]

I propose a centralized approach. A module "RegisterMonitoring", containing a const table, with the elements "address", "value" and "mask". The mask allows to selectively check bits, even if other bits in the same register are dynamically changing. Not sure whether different sizes (uint8, uint16, uint32) need separate tables or can be handled in one.
Also needs to be discussed whether immediate correction is the best approach, or maybe a restart.
And for debugging a kind of developer message on CAN, which contains the address and value of the failed check.

[jsphuebner]

I think we don't need to worry about different sizes as all registers are 32 bit, even if some bits remain unused:

I think there should be a function such as RegMon::TakeSnapshot() that is called whenever we intentionally modify a register. The RegMon::CheckRegister(index) might take an argument so we only check one register per call to reduce system load. If called in the 10ms task I reckon we scan all registers in less than a second.

If I understand correctly you'd rather hard-code certain important bits and check against them. That would certainly add to robustness at the cost of flexibility and coverage.

As always, I would not want an inverter to restart mid-drive because it may have detected an error. A developer CAN message sounds useful and maybe we should open another issue for the ErrorMessage module to contain e.g. uint32_t userdata to each error and also store a number of errors to flash.

[uhi22]

I'm used to the hardcoded variant, but the TakeSnapshot is quite elegant. With a little drawback: If a bit in a register is corrupted, and then a normal functionality writes an other bit and calls TakeSnapShot, we would take the bad content as "good reference" and never detect the issue. Bad.