QP/C++  8.0.3
Real-Time Event Framework
Loading...
Searching...
No Matches
Macros | Functions
qsafe.h File Reference

QP Functional Safety (FuSa) Subsystem. More...

Go to the source code of this file.

Macros

#define QF_CRIT_STAT
 
#define QF_CRIT_ENTRY()
 
#define QF_CRIT_EXIT()
 
#define Q_ASSERT_INCRIT(id_, expr_)
 General-purpose assertion with user-specified ID number (in critical section)
 
#define Q_ERROR_INCRIT(id_)
 Assertion with user-specified ID for a wrong path through the code (in critical section)
 
#define Q_ASSERT_ID(id_, expr_)
 General-purpose assertion (with user-specified ID number)
 
#define Q_ERROR_ID(id_)
 Assertion for a wrong path through the code (with user-specified ID)
 
#define Q_ASSERT(expr_)
 General-purpose assertion (with ID provided in LINE)
 
#define Q_ERROR()
 Assertion for a wrong path through the code (with ID provided in LINE)
 
#define Q_REQUIRE_ID(id_, expr_)
 Assertion for checking a precondition (with user-specified ID number)
 
#define Q_REQUIRE(expr_)
 Assertion for checking a precondition (with ID provided in LINE)
 
#define Q_REQUIRE_INCRIT(id_, expr_)
 Assertion for checking a precondition (in critical section)
 
#define Q_ENSURE_ID(id_, expr_)
 Assertion for checking a postcondition (with user-specified ID number)
 
#define Q_ENSURE(expr_)
 Assertion for checking a postcondition
 
#define Q_ENSURE_INCRIT(id_, expr_)
 Assertion for checking a postcondition (in critical section)
 
#define Q_INVARIANT_ID(id_, expr_)
 Assertion for checking an invariant (with user-specified ID number)
 
#define Q_INVARIANT(expr_)
 Assertion for checking an invariant.
 
#define Q_INVARIANT_INCRIT(id_, expr_)
 
#define Q_ASSERT_STATIC(expr_)
 
#define Q_NORETURN   _Noreturn void
 
#define Q_DIM(array_)
 

Functions

Q_NORETURN Q_onError (char const *const module, int_t const id)
 Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety (FuSa) Subsystem).
 

Detailed Description

QP Functional Safety (FuSa) Subsystem.

This header file is part of the QP Functional Safety (FuSa) Subsystem and contains the following facilities:

  • Software assertions (Failure Assertion Programming (FAP) in IEC 61508)
  • Software Self-Monitoring (SSM) techniques:
    • Duplicate Inverse Storage for critical variables
    • Fixed Upper Loop Bound for all loops
    • Invalid Control Flow for all unreachable code paths
    • Hardware Memory Isolation by means of Memory Protection Unit (MPU)
    • High Watermark in event queues
    • High Watermark in event pools
    • Stack Overflow detection in QP Applications
    • Stack Painting in QP Applications
    • NULL-Pointer Dereferencing protection in QP Applications
Note
This header file can be used in C, C++, and mixed C/C++ programs.
Attention
The preprocessor switch Q_UNSAFE disables the QP Functional Safety System. However, it is generally NOT RECOMMENDED, especially in the production code. Instead, the failure callback Q_onError() should be very carefully designed, implemented, and tested in various failure modes.

Definition in file qsafe.h.

Macro Definition Documentation

◆ QF_CRIT_STAT

#define QF_CRIT_STAT

Definition at line 35 of file qsafe.h.

◆ QF_CRIT_ENTRY

#define QF_CRIT_ENTRY ( )
Value:
((void)0)

Definition at line 39 of file qsafe.h.

◆ QF_CRIT_EXIT

#define QF_CRIT_EXIT ( )
Value:
((void)0)

Definition at line 43 of file qsafe.h.

◆ Q_ASSERT_INCRIT

#define Q_ASSERT_INCRIT ( id_,
expr_ )
Value:
((expr_) ? ((void)0) : Q_onError(&Q_this_module_[0], (id_)))
Q_onError
Q_NORETURN Q_onError(char const *const module, int_t const id)
Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety...

General-purpose assertion with user-specified ID number (in critical section)

Details
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression to check
Attention
This macro must be called inside already established critical section. The evaluation of the expression expr_ as well as calling of Q_onError() happens inside that critical section.
The assertion expression (expr_) must be possibly simple, have no side effects, and quick to evaluate because the evaluation happens inside a critical section. Also, the expression must NOT call any functions that might use critical sections inside (because this would cause nesting of critical sections, which might not be supported).
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 49 of file qsafe.h.

◆ Q_ERROR_INCRIT

#define Q_ERROR_INCRIT ( id_)
Value:
(Q_onError(&Q_this_module_[0], (id_)))

Assertion with user-specified ID for a wrong path through the code (in critical section)

Details
Parameters
[in]id_ID number (unique within the module) of the assertion
Attention
This macro must be called inside already established critical section. The call to Q_onError() happens inside that critical section.
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 52 of file qsafe.h.

◆ Q_ASSERT_ID

#define Q_ASSERT_ID ( id_,
expr_ )
Value:
do { \
QF_CRIT_STAT \
QF_CRIT_ENTRY(); \
(expr_) ? ((void)0) : Q_onError(&Q_this_module_[0], (id_)); \
QF_CRIT_EXIT(); \
} while (false)

General-purpose assertion (with user-specified ID number)

Details
Evaluates the Boolean expression expr_ and does nothing else when it evaluates to 'true'. However, when expr_ evaluates to 'false', the Q_ASSERT_ID() macro calls the no-return function Q_onError().
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression to check
Attention
This macro uses critical section and the evaluation of the expression expr_ as well as calling of Q_onError() happens inside the critical section.
The assertion expression (expr_) must be possibly simple, have no side effects, and quick to evaluate because the evaluation happens inside a critical section. Also, the expression must NOT call any functions that might use critical sections inside (because this would cause nesting of critical sections, which might not be supported).
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 55 of file qsafe.h.

◆ Q_ERROR_ID

#define Q_ERROR_ID ( id_)
Value:
do { \
QF_CRIT_STAT \
QF_CRIT_ENTRY(); \
Q_onError(&Q_this_module_[0], (id_)); \
QF_CRIT_EXIT(); \
} while (false)

Assertion for a wrong path through the code (with user-specified ID)

Details
Calls the Q_onError() callback if ever executed. This assertion takes the user-supplied parameter id_ to identify the location of this assertion within the file. This avoids the volatility of using line numbers, which change whenever a line of code is added or removed upstream from the assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 62 of file qsafe.h.

◆ Q_ASSERT

#define Q_ASSERT ( expr_)
Value:
Q_ASSERT_ID(__LINE__, (expr_))
Q_ASSERT_ID
#define Q_ASSERT_ID(id_, expr_)
General-purpose assertion (with user-specified ID number)
Definition qsafe.h:55

General-purpose assertion (with ID provided in LINE)

Details
Equivalent to Q_ASSERT_ID(), except it uses LINE to identify the assertion within a file.
Parameters
[in]expr_Boolean expression to check
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)

Definition at line 82 of file qsafe.h.

◆ Q_ERROR

#define Q_ERROR ( )
Value:
Q_ERROR_ID(__LINE__)
Q_ERROR_ID
#define Q_ERROR_ID(id_)
Assertion for a wrong path through the code (with user-specified ID)
Definition qsafe.h:62

Assertion for a wrong path through the code (with ID provided in LINE)

Details
Calls the Q_onError() callback if ever executed.
Note
This macro identifies the problem location with the line number, which might change as the code is modified.
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)

Definition at line 83 of file qsafe.h.

◆ Q_REQUIRE_ID

#define Q_REQUIRE_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking a precondition (with user-specified ID number)

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 84 of file qsafe.h.

◆ Q_REQUIRE

#define Q_REQUIRE ( expr_)
Value:
Q_ASSERT(expr_)
Q_ASSERT
#define Q_ASSERT(expr_)
General-purpose assertion (with ID provided in LINE)
Definition qsafe.h:82

Assertion for checking a precondition (with ID provided in LINE)

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 85 of file qsafe.h.

◆ Q_REQUIRE_INCRIT

#define Q_REQUIRE_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))
Q_ASSERT_INCRIT
#define Q_ASSERT_INCRIT(id_, expr_)
General-purpose assertion with user-specified ID number (in critical section)
Definition qsafe.h:49

Assertion for checking a precondition (in critical section)

Details
Equivalent to Q_ASSERT_INCRIT(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 86 of file qsafe.h.

◆ Q_ENSURE_ID

#define Q_ENSURE_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking a postcondition (with user-specified ID number)

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression
Forward Traceability

Definition at line 87 of file qsafe.h.

◆ Q_ENSURE

#define Q_ENSURE ( expr_)
Value:
Q_ASSERT(expr_)

Assertion for checking a postcondition

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 88 of file qsafe.h.

◆ Q_ENSURE_INCRIT

#define Q_ENSURE_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))

Assertion for checking a postcondition (in critical section)

Details
Equivalent to Q_ASSERT_INCRIT(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 89 of file qsafe.h.

◆ Q_INVARIANT_ID

#define Q_INVARIANT_ID ( id_,
expr_ )
Value:
Q_ASSERT_ID((id_), (expr_))

Assertion for checking an invariant (with user-specified ID number)

Details
Equivalent to Q_ASSERT_ID(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]id_ID number (unique within the module) of the assertion
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)

Definition at line 90 of file qsafe.h.

◆ Q_INVARIANT

#define Q_INVARIANT ( expr_)
Value:
Q_ASSERT(expr_)

Assertion for checking an invariant.

Details
Equivalent to Q_ASSERT(), except the name provides a better documentation of the intention of this assertion.
Parameters
[in]expr_Boolean expression
Backward Traceability
  • DVP_QP_MC4_D04_09A: Directive 4.9(Advisory): A function should be used in preference to a function-like macro where they are interchangeable (FALSE-POSITIVE diagnosis) (false-positive)
Forward Traceability

Definition at line 91 of file qsafe.h.

◆ Q_INVARIANT_INCRIT

#define Q_INVARIANT_INCRIT ( id_,
expr_ )
Value:
Q_ASSERT_INCRIT((id_), (expr_))

Definition at line 92 of file qsafe.h.

◆ Q_ASSERT_STATIC

#define Q_ASSERT_STATIC ( expr_)
Value:
extern char Q_static_assert_[(expr_) ? 1 : -1]

Static (compile-time) assertion.

This type of assertion deliberately causes a compile-time error when the expr_ Boolean expression evaluates to FALSE. The macro exploits the fact that in C/C++ a dimension of an array cannot be negative. The compile-time assertion has no runtime side effects.

Parameters
[in]expr_Compile-time Boolean expression
Note
The static assertion macro is provided for backwards compatibility with older C standards. Newer C11 supports _Static_assert(), which should be used instead of Q_ASSERT_STATIC().
Backward Traceability
  • DVP_QP_MC4_D04_09A (false-positive)

Definition at line 95 of file qsafe.h.

◆ Q_NORETURN

#define Q_NORETURN   _Noreturn void

Definition at line 99 of file qsafe.h.

◆ Q_DIM

#define Q_DIM ( array_)
Value:
(sizeof(array_) / sizeof((array_)[0U]))

Definition at line 104 of file qsafe.h.

Function Documentation

◆ Q_onError()

Q_NORETURN Q_onError ( char const *const module,
int_t const id )

Custom error handler Callback function invoked after detecting an error (part of QP Functional Safety (FuSa) Subsystem).

Details
This callback function needs to be defined in the application to perform any corrective action after an unrecoverable error has been detected. The Q_onError() function is the last line of defense after the system failure and its implementation should be very carefully designed and tested under various fault conditions, including but not limited to: stack overflow/corruption, calling Q_onError() from an ISR or other hardware exception, etc.
Parameters
[in]modulename of the file/module in which the assertion failed (constant, zero-terminated C string)
[in]idID of the assertion within the module. This could be a line number or a user-specified ID-number.
Returns
This callback function should not return (see Q_NORETURN), as continuation after an unrecoverable error makes no sense.
Attention
Q_onError() must be called within a critical section (typically with interrupts disabled).
Note
During debugging, Q_onError() is an ideal place to put a breakpoint. For deployment, it is NOT RECOMMENDED to implement Q_onError() as an endless loop that ties up the CPU (denial of service).

Called by the following: Q_ASSERT_ID(), Q_ERROR_ID(), Q_REQUIRE_ID(), Q_ENSURE_ID(), Q_INVARIANT_ID() as well as: Q_ASSERT(), Q_ERROR(), Q_REQUIRE(), Q_ENSURE(), and Q_INVARIANT().

Backward Traceability
  • FMEDA_QA_00: Failure Mode: Fault detection and self-monitoring are inactive.
  • FMEDA_QA_01: Failure Mode: Software resumes normal operation after detecting a fault.
  • FMEDA_QA_02: Failure Mode: Custom Error Handler fails to reach Safe State due to already compromised system.
Forward Traceability