AP_IOMCU: fixed an issue with double reset of IOMCU #22899
Conversation
I have a number of use cases that have actually strongly depended upon the current behavior of that. Everything from usage of a physical button to IOMCU on a hand launch plane allowing operators to abort, scripts and features using soft armed to control ignition lines to gas engines, and then a number of essential things like quadplanes not outputting to the motors while the IOMCU isn't outputting. Basically I'd be very concerned by a change in behavior here, and think we would need to preserve the current behavior in many of the call sites (although not necessarily all of them). |
indeed, and your use cases is why I didn't make that change in this PR. |
if the IOMCU resets twice in quick succession then the code that restores the safety state while flying can fail, leading to the aircraft trying to continue flying with safety on This results from two issues: - a race in handling the last_safety_off variable - the fact that plane sets the soft_armed state based on safety state
this allows testing of either watchdog or hard-fault reset
tridge
force-pushed
the
pr-safety-iomcu
branch
from
0d9836f
to
bc34bc3
Compare
if IOMCU stops responding completely or stops giving status update then give an internal error to help with diagnostics
tridge
force-pushed
the
pr-safety-iomcu
branch
from
bc34bc3
to
02df6aa
Compare
if the IOMCU resets twice in quick succession then the code that restores the safety state while flying can fail, leading to the aircraft trying to continue flying with safety on
This results from two issues:
issue reported here: https://discuss.ardupilot.org/t/plane-4-3-stable-release/91727/107
we could change the behaviour of plane so it doesn't set soft armed based on safety by removing this line of code:
https://github.com/ArduPilot/ardupilot/blob/master/ArduPlane/AP_Arming.cpp#L383
we would then need to carefully check the consequences of that for takeoff delays etc when safety is on
tested on CubeOrange quadplane and in bench testing