QP/C 8.1.1
Real-Time Event Framework
Loading...
Searching...
No Matches
qsafe.h File Reference

QP Functional Safety (FuSa) Subsystem. More...

Go to the source code of this file.

Macros

#define QF_CRIT_STAT
#define QF_CRIT_ENTRY()
#define QF_CRIT_EXIT()
#define QF_CRIT_EST()
#define Q_ASSERT_INCRIT(id_, expr_)
 General-purpose assertion with user-specified ID number (in critical section).
#define Q_ERROR_INCRIT(id_)
 Assertion with user-specified ID for a wrong path through the code (in critical section).
#define Q_ASSERT_ID(id_, expr_)
 General-purpose assertion (with user-specified ID number).
#define Q_ERROR_ID(id_)
 Assertion for a wrong path through the code (with user-specified ID).
#define Q_ASSERT_LOCAL(id_, expr_)
 General-purpose assertion with user-specified ID number (local critical section).
#define Q_ASSERT(expr_)
 General-purpose assertion (with ID provided in LINE).
#define Q_ERROR()
 Assertion for a wrong path through the code (with ID provided in LINE).
#define Q_REQUIRE(expr_)
 Assertion for checking a precondition (with ID provided in LINE).
#define Q_REQUIRE_ID(id_, expr_)
 Assertion for checking a precondition (with user-specified ID number).
#define Q_REQUIRE_INCRIT(id_, expr_)
 Assertion for checking a precondition (in critical section).
#define Q_REQUIRE_LOCAL(id_, expr_)
 Assertion for checking a precondition (local critical section).
#define Q_ENSURE(expr_)
 Assertion for checking a postcondition.
#define Q_ENSURE_ID(id_, expr_)
 Assertion for checking a postcondition (with user-specified ID number).
#define Q_ENSURE_INCRIT(id_, expr_)
 Assertion for checking a postcondition (in critical section).
#define Q_ENSURE_LOCAL(id_, expr_)
 Assertion for checking a postcondition (local critical section).
#define Q_INVARIANT(expr_)
 Assertion for checking an invariant.
#define Q_INVARIANT_ID(id_, expr_)
 Assertion for checking an invariant (with user-specified ID number).
#define Q_INVARIANT_INCRIT(id_, expr_)
 Assertion for checking a postcondition (in critical section).
#define Q_INVARIANT_LOCAL(id_, expr_)
 Assertion for checking a postcondition (local critical section).
#define Q_ERROR_LOCAL(id_)
 Assertion with user-specified ID for a wrong path through the code (local critical section).
#define Q_ASSERT_STATIC(expr_)
#define Q_DIM(array_)

Functions

Q_NORETURN Q_onError (char const *const module, int_t const id)
 Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety (FuSa) Subsystem).

Detailed Description

QP Functional Safety (FuSa) Subsystem.

This header file is part of the QP Functional Safety (FuSa) Subsystem and contains the following facilities:

  • Software assertions (Failure Assertion Programming (FAP) in IEC 61508)
  • Software Self-Monitoring (SSM) techniques:
    • Duplicate Inverse Storage for critical variables
    • Fixed Upper Loop Bound for all loops
    • Invalid Control Flow for all unreachable code paths
    • Hardware Memory Isolation using Memory Protection Unit (MPU)
    • High Watermark in event queues
    • High Watermark in event pools
    • Stack Overflow detection in QP Applications
    • Stack Painting in QP Applications
    • NULL-Pointer Dereferencing protection in QP Applications
Note
This header file can be used in C, C++, and mixed C/C++ programs.
Attention
The preprocessor switch Q_UNSAFE disables the QP Functional Safety System. However, it is generally NOT RECOMMENDED, especially in the production code. Instead, the failure callback Q_onError() should be very carefully designed, implemented, and tested in various failure modes.

Definition in file qsafe.h.

Macro Definition Documentation

◆ QF_CRIT_STAT

#define QF_CRIT_STAT

Definition at line 36 of file qsafe.h.

◆ QF_CRIT_ENTRY

#define QF_CRIT_ENTRY ( )
Value:
((void)0)

Definition at line 40 of file qsafe.h.

◆ QF_CRIT_EXIT

#define QF_CRIT_EXIT ( )
Value:
((void)0)

Definition at line 44 of file qsafe.h.

◆ QF_CRIT_EST

#define QF_CRIT_EST ( )
Value:
((void)0)

Definition at line 48 of file qsafe.h.

◆ Q_ASSERT_INCRIT

#define Q_ASSERT_INCRIT ( id_,
expr_ )
Value:
((expr_) ? (void)0 : Q_onError(&Q_this_module_[0], (id_)))
Q_onError
Q_NORETURN Q_onError(char const *const module, int_t const id)
Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety...

General-purpose assertion with user-specified ID number (in critical section).

Details

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression to check
Attention
This macro must be called inside an already established critical section. The evaluation of the expression expr_ as well as calling of Q_onError() happens inside that critical section.
The assertion expression (expr_) must be possibly simple, have no side effects, and quick to evaluate because the evaluation happens inside a critical section. Also, the expression must NOT call any functions that might use critical sections inside (because this would cause nesting of critical sections, which might not be supported).

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 54 of file qsafe.h.

◆ Q_ERROR_INCRIT

#define Q_ERROR_INCRIT ( id_)
Value:
(Q_onError(&Q_this_module_[0], (id_)))

Assertion with user-specified ID for a wrong path through the code (in critical section).

Details

Parameters
[in]id_ID number (unique within the module) of the assertion
Attention
This macro must be called inside a critical section.

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)
  • DVR_QP_MC5_R2_1: MISRA-C:2025 Rule 2.1(Required): A project shall not contain unreachable code

Definition at line 57 of file qsafe.h.

◆ Q_ASSERT_ID

#define Q_ASSERT_ID ( id_,
expr_ )
Value:
do { \
QF_CRIT_STAT \
QF_CRIT_ENTRY(); \
((expr_) ? (void)0 : Q_onError(&Q_this_module_[0], (id_))); \
QF_CRIT_EXIT(); \
} while (false)

General-purpose assertion (with user-specified ID number).

Details
Evaluates the Boolean expression expr_ and does nothing else when it evaluates to 'true'. However, when expr_ evaluates to 'false', the Q_ASSERT_ID() macro calls the no-return function Q_onError().

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression to check
Attention
This macro uses a critical section, and the evaluation of the expression expr_ as well as calling of Q_onError() happens inside the critical section.
The assertion expression (expr_) must be possibly simple, have no side effects, and quick to evaluate because the evaluation happens inside a critical section. Also, the expression must NOT call any functions that might use critical sections inside (because this would cause nesting of critical sections, which might not be supported).

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 60 of file qsafe.h.

◆ Q_ERROR_ID

#define Q_ERROR_ID ( id_)
Value:
do { \
QF_CRIT_EST(); \
Q_onError(&Q_this_module_[0], (id_)); \
} while (false)

Assertion for a wrong path through the code (with user-specified ID).

Details
Calls the Q_onError() callback if ever executed. This assertion takes the user-supplied parameter id_ to identify the location of this assertion within the file. This avoids the volatility of using line numbers, which change whenever a line of code is added or removed upstream from the assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)
  • DVR_QP_MC5_R2_1: MISRA-C:2025 Rule 2.1(Required): A project shall not contain unreachable code

Definition at line 67 of file qsafe.h.

◆ Q_ASSERT_LOCAL

#define Q_ASSERT_LOCAL ( id_,
expr_ )
Value:
do { \
if (!(expr_)) { \
QF_CRIT_EST(); \
Q_onError(&Q_this_module_[0], (id_)); \
} \
} while (false)

General-purpose assertion with user-specified ID number (local critical section).

Details

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression to check
Attention
This macro must be called without a critical section. The evaluation of the expression expr_ occurs outside the critical section. However, the critical section is established right before calling of Q_onError().
The assertion expression (expr_) must be of the "local" nature, meaning that it should consists of automatic variables only, which cannot be changed by interrupts or other concurrent threads. Also, the expression must NOT call any functions that might use critical sections inside (because this would cause nesting of critical sections, which might not be supported).
See also
QF_CRIT_EST()

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 72 of file qsafe.h.

◆ Q_ASSERT

#define Q_ASSERT ( expr_)
Value:
Q_ASSERT_ID(__LINE__, (expr_))
Q_ASSERT_ID
#define Q_ASSERT_ID(id_, expr_)
General-purpose assertion (with user-specified ID number).
Definition qsafe.h:60

General-purpose assertion (with ID provided in LINE).

Details
Equivalent to Q_ASSERT_ID(), except it uses LINE to identify the assertion within a file.

Parameters
[in]expr_Boolean expression to check

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 93 of file qsafe.h.

◆ Q_ERROR

#define Q_ERROR ( )
Value:
Q_ERROR_ID(__LINE__)
Q_ERROR_ID
#define Q_ERROR_ID(id_)
Assertion for a wrong path through the code (with user-specified ID).
Definition qsafe.h:67

Assertion for a wrong path through the code (with ID provided in LINE).

Details
Calls the Q_onError() callback if ever executed.

Note
This macro identifies the problem location with the line number, which might change as the code is modified.

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)
  • DVR_QP_MC5_R2_1: MISRA-C:2025 Rule 2.1(Required): A project shall not contain unreachable code

Definition at line 94 of file qsafe.h.

◆ Q_REQUIRE

#define Q_REQUIRE ( expr_)
Value:
Q_ASSERT(expr_)
Q_ASSERT
#define Q_ASSERT(expr_)
General-purpose assertion (with ID provided in LINE).
Definition qsafe.h:93

Assertion for checking a precondition (with ID provided in LINE).

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 96 of file qsafe.h.

◆ Q_REQUIRE_ID

#define Q_REQUIRE_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking a precondition (with user-specified ID number).

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 97 of file qsafe.h.

◆ Q_REQUIRE_INCRIT

#define Q_REQUIRE_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))
Q_ASSERT_INCRIT
#define Q_ASSERT_INCRIT(id_, expr_)
General-purpose assertion with user-specified ID number (in critical section).
Definition qsafe.h:54

Assertion for checking a precondition (in critical section).

Details
Equivalent to Q_ASSERT_INCRIT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 98 of file qsafe.h.

◆ Q_REQUIRE_LOCAL

#define Q_REQUIRE_LOCAL ( id_,
expr_ )
Value:
Q_ASSERT_LOCAL((id_), (expr_))
Q_ASSERT_LOCAL
#define Q_ASSERT_LOCAL(id_, expr_)
General-purpose assertion with user-specified ID number (local critical section).
Definition qsafe.h:72

Assertion for checking a precondition (local critical section).

Details
Equivalent to Q_ASSERT_LOCAL(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 99 of file qsafe.h.

◆ Q_ENSURE

#define Q_ENSURE ( expr_)
Value:
Q_ASSERT(expr_)

Assertion for checking a postcondition.

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 101 of file qsafe.h.

◆ Q_ENSURE_ID

#define Q_ENSURE_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking a postcondition (with user-specified ID number).

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 102 of file qsafe.h.

◆ Q_ENSURE_INCRIT

#define Q_ENSURE_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))

Assertion for checking a postcondition (in critical section).

Details
Equivalent to Q_ASSERT_INCRIT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 103 of file qsafe.h.

◆ Q_ENSURE_LOCAL

#define Q_ENSURE_LOCAL ( id_,
expr_ )
Value:
Q_ASSERT_LOCAL((id_), (expr_))

Assertion for checking a postcondition (local critical section).

Details
Equivalent to Q_ASSERT_LOCAL(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 104 of file qsafe.h.

◆ Q_INVARIANT

#define Q_INVARIANT ( expr_)
Value:
Q_ASSERT(expr_)

Assertion for checking an invariant.

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 106 of file qsafe.h.

◆ Q_INVARIANT_ID

#define Q_INVARIANT_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking an invariant (with user-specified ID number).

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Definition at line 107 of file qsafe.h.

◆ Q_INVARIANT_INCRIT

#define Q_INVARIANT_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))

Assertion for checking a postcondition (in critical section).

Details
Equivalent to Q_ASSERT_INCRIT(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 108 of file qsafe.h.

◆ Q_INVARIANT_LOCAL

#define Q_INVARIANT_LOCAL ( id_,
expr_ )
Value:
Q_ASSERT_LOCAL((id_), (expr_))

Assertion for checking a postcondition (local critical section).

Details
Equivalent to Q_ASSERT_LOCAL(), except the name provides a better documentation of the intention of this assertion.

Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)

Definition at line 109 of file qsafe.h.

◆ Q_ERROR_LOCAL

#define Q_ERROR_LOCAL ( id_)
Value:
Q_ERROR_ID(id_)

Assertion with user-specified ID for a wrong path through the code (local critical section).

Details

Parameters
[in]id_ID number (unique within the module) of the assertion
Attention
This macro must be called outside a critical section. The macro establishes critical section right before calling Q_onError().
See also
QF_CRIT_EST()

Forward Traceability

  • DVR_QP_MC5_D4_9A: MISRA-C:2025 Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnostics)
  • DVR_QP_MC5_R2_1: MISRA-C:2025 Rule 2.1(Required): A project shall not contain unreachable code

Definition at line 111 of file qsafe.h.

◆ Q_ASSERT_STATIC

#define Q_ASSERT_STATIC ( expr_)
Value:
extern char Q_static_assert_[(expr_) ? 1 : -1]

Static (compile-time) assertion.

This type of assertion deliberately causes a compile-time error when the expr_ Boolean expression evaluates to FALSE. The macro exploits the fact that in C/C++ a dimension of an array cannot be negative. The compile-time assertion has no runtime side effects.

Parameters
[in]expr_Compile-time Boolean expression
Note
The static assertion macro is provided for backwards compatibility with older C standards. Newer C11 supports _Static_assert(), which should be used instead of Q_ASSERT_STATIC().

Definition at line 114 of file qsafe.h.

◆ Q_DIM

#define Q_DIM ( array_)
Value:
(sizeof(array_) / sizeof((array_)[0U]))

Definition at line 123 of file qsafe.h.

Function Documentation

◆ Q_onError()

Q_NORETURN Q_onError ( char const *const module,
int_t const id )

Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety (FuSa) Subsystem).

Details
This callback function needs to be defined in the application to perform any corrective action after an unrecoverable error has been detected. The Q_onError() function is the last line of defense after the system failure, and its implementation should be very carefully designed and tested under various fault conditions, including but not limited to: stack overflow/corruption, calling Q_onError() from an ISR or other hardware exception, etc.

Attention
The Q_onError() Custom Error Handler is the central error management element of the QP Functional Safety (FuSa) Subsystem. The error handler must establish the Safe State of the system and should not return.
Parameters
[in]modulename of the file/module in which the assertion failed (constant, zero-terminated C string)
[in]idID of the assertion within the module. This could be a line number or a user-specified ID-number.
Returns
This callback function should not return (see Q_NORETURN), as continuation after an unrecoverable error makes no sense.
Attention
Q_onError() must be called within a critical section (typically with interrupts disabled).
Note
During debugging, Q_onError() is an ideal place to put a breakpoint. For deployment, it is NOT RECOMMENDED to implement Q_onError() as an endless loop that ties up the CPU (denial of service).

Backward Traceability

  • FMEDA_QA_00: Failure Mode: Fault detection and self-monitoring are inactive.
  • FMEDA_QA_01: Failure Mode: Software resumes normal operation after detecting a fault.
  • FMEDA_QA_02: Failure Mode: Custom Error Handler fails to reach Safe State due to already compromised system.