[ISSUE 617] ProtectionManager Without Ethernet / Fault Runtime Redesign by jorgesg82 · Pull Request #628 · Hyperloop-UPV/ST-LIB

jorgesg82 · 2026-04-22T19:05:06Z

Summary

Closes #617

This PR removes the protection subsystem's dependency on Ethernet and redesigns protections, diagnostics, and global fault handling around a compile-time Board integration model.

Protections are now declared as compile-time board request objects and are evaluated through the board-specific Board::ProtectionEngine. The global fault runtime remains owned by FaultController, with fixed top-level states: OPERATIONAL and FAULT.

Main Changes

Replace the old ProtectionManager model with a compile-time ProtectionEngine.
Declare protections with Protections::protection<"name", source>(...).
Pass protection declarations directly to Board<Policy, ...> alongside hardware requests.
Expose protection evaluation through Board::evaluate_protections().
Remove runtime protection registration and mutable protection registry behavior.
Remove the low/high protection split and the old boundary-driven integration model.
Make FaultController the owner of the global fault runtime.
Move real bootstrap wiring to Board::init().
Install diagnostics sinks and the fault runtime early during bootstrap so early faults are latched and not lost.
Unify runtime reporting through diagnostics with PANIC(...), FAULT(...), WARNING(...), and INFO(...).
Separate FaultCause from DiagnosticRecord.
Make protection time accumulation use Scheduler::get_global_tick() instead of loop-frequency assumptions.
Add compile-time coverage for the Board + Protections contract.
Update tests, changeset, and documentation to match the new integration model.

Breaking Changes

Board now requires the fault policy type as its first template argument.
Protections are no longer registered at runtime with ProtectionEngine::create_protection(...).
Protection rules are no longer added dynamically with ProtectionHandle::add_rule(...).
Protection declarations must be compile-time board request objects.
The user no longer programs transitions to the global FAULT state.
The user no longer owns the top-level runtime state machine.
The intended bootstrap path is Board::init(), not legacy STLIB::* or STLIB_LOW/HIGH::* entry points.

New Board API

using AppFaultPolicy = ST_LIB::FaultPolicy<app_machine, on_fault_enter>;
using AppBoard = ST_LIB::Board<AppFaultPolicy, led, pwm, adc>;

If the application does not need a nested machine:

using AppBoard = ST_LIB::Board<ST_LIB::FaultPolicyNoMachine<on_fault_enter>, led, pwm, adc>;

If the application needs neither a nested machine nor a fault-entry callback:

using AppBoard = ST_LIB::Board<ST_LIB::DefaultFaultPolicy, led, pwm, adc>;

New Protection API

float bus_voltage = 0.0f;

inline constexpr auto bus_voltage_protection =
    Protections::protection<"bus_voltage", bus_voltage>(
        Protections::Rules::below(350.0f, 370.0f),
        Protections::Rules::time_accumulation(20.0f, 15.0f, 0.5f)
    );

using AppBoard = ST_LIB::Board<
    ST_LIB::DefaultFaultPolicy,
    bus_voltage_protection,
    led,
    adc>;

Runtime Loop

AppBoard::init();

while (1) {
    FaultController::check_transitions();
    AppBoard::evaluate_protections();
    Diagnostics::Hub::flush();
}

Fault Entry Contract

Protections enter global fault through FaultController::request_fault(...) internally.
PANIC(...) and FAULT(...) also map to FaultController::request_fault(...).
WARNING(...) and INFO(...) publish diagnostics only and do not enter global fault.
User code should prefer PANIC(...) and FAULT(...) over direct FaultController::request_fault(...) usage.

Migration Guide

Replace legacy board declarations with Board<YourFaultPolicy, ...>.
Move any operational user machine under FaultPolicy<app_machine, on_fault_enter>.
Stop programming direct transitions to global FAULT.
Replace old protection registration with compile-time Protections::protection<"name", source>(...) declarations.
Pass protection declarations to Board<Policy, ...>.
Replace old reporter usage with PANIC(...), FAULT(...), WARNING(...), and INFO(...).
Ensure bootstrap happens through Board::init().
Drive protections through Board::evaluate_protections() in the main loop.

Validation

Simulator build passes.
Simulator test suite passes.
board-debug build passes.
Compile-time Board + Protections contract check passes.
Repeated time_accumulation evaluation test passes.

github-actions · 2026-04-22T19:05:18Z

ST-LIB Release Plan

Current version: 5.2.0
Pending changesets: 8
Highest requested bump: major
Next version if merged now: 6.0.0

Pending changes

minor add an ethernet connected check (.changesets/add_check_ethernet.md)
patch Fix incorrect usage of non-volatile buffers in peripherals. This wrong usage was causing undefined behaviour, since the compiler could optimize out reads and writes that should have been going directly to memory. (.changesets/fix-volatiles.md)
patch MPUDomain dynamic regions were configured using the linker symbol values instead of their addresses (that is the correct way of using linker symbols). That made non-cached regions cached, and caused harware undefined behaviour. (.changesets/hotfix-mpu-synamic-regions-linker-symbols.md)
patch fix pwm channel 4 config in TimerWrapper (.changesets/hotfix-pwm-channel4.md)
patch fix prescaler calculation in scheduler (.changesets/hotfix-sched-prescaler.md)
minor move initialization outside constructor in PWM, DualPWM, Encoder and InputCapture (.changesets/init_timer.md)
major Redesign fault handling, protections, and Board bootstrap around explicit fault policies (.changesets/pm-no-eth-major.md)
minor Small refactor of some spi and timerwrapper functionality (.changesets/refactor-spi-timerwrapper.md)

Copilot

Pull request overview

Redesigns protections + fault handling to remove Ethernet dependency and centralize the global fault runtime under FaultController, with unified diagnostics reporting via PANIC/FAULT/WARNING/INFO and a new Board<Policy,...> bootstrap contract.

Changes:

Introduces FaultController + ProtectionEngine and updates protection evaluation/reporting to drive global fault via FaultController::request_fault(...).
Adds a diagnostics hub (records, sinks, formatter, timestamps) and migrates legacy ErrorHandler / InfoWarning call sites to diagnostics + fault runtime.
Updates Board API/contract, bootstrap path, CMake wiring, and tests/docs to match the new integration model.

Reviewed changes

Copilot reviewed 110 out of 110 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
docs/st-lib-board-contract.md	Documents `Board<Policy,...>` contract and policy requirements
Tests/spi2_test.cpp	Updates tests to new panic reporter namespace
Tests/dma2_test.cpp	Updates tests to new panic reporter namespace
Tests/adc_test.cpp	Updates tests to new panic reporter namespace
Tests/Time/encoder_test.cpp	Updates tests to new panic reporter namespace
Tests/Time/common_tests.cpp	Provides test panic/fault reporters integrated with `FaultController`
Tests/TestAccess.hpp	Adds test-only accessors to reset diagnostics/fault/protection runtime
Tests/CMakeLists.txt	Links new diagnostics + protection runtime sources into test executable
Src/ST-LIB_LOW/Sensors/Sensor/Sensor.cpp.old	Removes legacy/old sensor file
Src/ST-LIB_LOW/Sd/Sd.cpp	Migrates SD error paths to `PANIC(...)`
Src/ST-LIB_LOW/ST-LIB_LOW.cpp	Removes legacy `STLIB_LOW::start()` entry point
Src/ST-LIB_LOW/HalfBridge/HalfBridge.cpp.old	Removes legacy/old half-bridge file
Src/ST-LIB_LOW/ErrorHandler/ErrorHandler.cpp	Replaces legacy error handler transport with panic/fault reporters + diagnostics
Src/ST-LIB_LOW/Clocks/Stopwatch.cpp.old	Removes legacy/old stopwatch implementation
Src/ST-LIB_HIGH/ST-LIB_HIGH.cpp	Removes legacy `STLIB_HIGH::start()` entry point
Src/ST-LIB_HIGH/Protections/ProtectionManager.cpp	Removes legacy `ProtectionManager` implementation
Src/ST-LIB_HIGH/Protections/ProtectionEngine.cpp	Adds new protection evaluation/publishing engine
Src/ST-LIB_HIGH/Protections/FaultController.cpp	Adds new global fault runtime controller and cause→diagnostic mapping
Src/ST-LIB_HIGH/Protections/Boundary.cpp	Removes legacy boundary formatting lookup
Src/ST-LIB.cpp	Removes legacy `STLIB::start()` / `STLIB::update()` entry points
Src/HALAL/Services/Time/Scheduler.cpp	Fixes prescaler programming; removes out-of-line `get_global_tick()`
Src/HALAL/Services/Time/RTC.cpp	Makes RTC data storage consistent and adds no-RTC stubs + `is_started()`
Src/HALAL/Services/PWM/PhasedPWM/PhasedPWM.cpp.old	Removes legacy/old phased PWM implementation
Src/HALAL/Services/PWM/DualPhasedPWM/DualPhasedPWM.cpp.old	Removes legacy/old dual phased PWM implementation
Src/HALAL/Services/InputCapture/InputCapture.cpp.old	Removes legacy/old input capture implementation
Src/HALAL/Services/InfoWarning/InfoWarning.cpp	Replaces legacy warning transport with diagnostics-based reporting
Src/HALAL/Services/Flash/Flash.cpp	Migrates flash error paths to `PANIC(...)`
Src/HALAL/Services/FMAC/FMAC.cpp	Migrates FMAC error paths to `PANIC(...)`
Src/HALAL/Services/DigitalOutputService/DigitalOutputService.cpp	Migrates digital output errors to `PANIC(...)`
Src/HALAL/Services/DigitalInputService/DigitalInputService.cpp	Migrates digital input errors to `PANIC(...)`
Src/HALAL/Services/Diagnostics/DiagnosticsHub.cpp	Adds diagnostics hub (history/pending queues, publishing, flushing)
Src/HALAL/Services/Diagnostics/DiagnosticTimestampProvider.cpp	Adds timestamp capture via RTC or scheduler uptime
Src/HALAL/Services/Diagnostics/DiagnosticSinks.cpp	Adds UART + Ethernet transport sinks and default sink install
Src/HALAL/Services/Diagnostics/DiagnosticFormatter.cpp	Adds record→human-readable formatting (runtime/protection)
Src/HALAL/Services/Communication/UART/UART.cpp	Migrates UART inscription error to `PANIC(...)`
Src/HALAL/Services/Communication/SPI/SPI.cpp	Migrates SPI service errors to `PANIC(...)`
Src/HALAL/Services/Communication/I2C/I2C.cpp	Migrates I2C service errors to `PANIC(...)`
Src/HALAL/Services/Communication/FDCAN/FDCAN.cpp	Migrates FDCAN errors to `PANIC(...)`
Src/HALAL/Services/Communication/Ethernet/LWIP/UDP/DatagramSocket.cpp	Migrates UDP socket errors to `PANIC(...)`
Src/HALAL/Services/Communication/Ethernet/LWIP/TCP/Socket.cpp	Migrates TCP socket errors to `PANIC(...)`
Src/HALAL/Services/Communication/Ethernet/LWIP/TCP/ServerSocket.cpp	Migrates TCP server errors to `PANIC(...)`
Src/HALAL/Services/Communication/Ethernet/LWIP/Ethernet.cpp	Migrates Ethernet start/update errors to `PANIC(...)`
Src/HALAL/Models/TimerPeripheral/TimerPeripheral.cpp.old	Removes legacy/old timer peripheral model
Src/HALAL/Models/TimerDomain/TimerDomain.cpp	Fixes input-capture info table initialization
Src/HALAL/Models/SPI/SPI2.cpp	Migrates SPI2 domain IRQ/error paths to `PANIC(...)`
Src/HALAL/Models/PinModel/Pin.cpp	Migrates pin double-inscribe error to `PANIC(...)`
Src/HALAL/Models/MDMA/MDMA.cpp	Migrates MDMA errors to `PANIC(...)` and fixes formatting
Src/HALAL/Models/LowPowerTimer/LowPowerTimer.cpp	Migrates LPTIM init errors to `PANIC(...)`
Src/HALAL/Models/HALconfig/Halconfig.cpp	Migrates clock config errors to `PANIC(...)`
Src/HALAL/Models/DMA/DMA.cpp	Migrates DMA errors to `PANIC(...)`
Src/HALAL/HALAL.cpp	Removes legacy `HALAL::start(...)` bootstrap entry points
README.md	Links new protections/diagnostics + board contract docs
Inc/ST-LIB_LOW/StateMachine/StateOrder.hpp	Migrates state order errors to `PANIC(...)`
Inc/ST-LIB_LOW/StateMachine/StateMachine.hpp	Migrates state machine runtime/validation errors to `PANIC(...)`
Inc/ST-LIB_LOW/StateMachine/StackStateOrder.hpp	Migrates stack state order errors to `PANIC(...)`
Inc/ST-LIB_LOW/StateMachine/HeapStateOrder.hpp	Migrates heap state order errors to `PANIC(...)`
Inc/ST-LIB_LOW/Sensors/Sensor/Sensor.hpp.old	Removes legacy/old sensor header
Inc/ST-LIB_LOW/Sensors/PWMSensor/PWMSensor.hpp.old	Removes legacy/old PWM sensor header
Inc/ST-LIB_LOW/Sd/Sd.hpp	Migrates SD API errors to `PANIC(...)`
Inc/ST-LIB_LOW/ST-LIB_LOW.hpp	Removes legacy `STLIB_LOW` class API
Inc/ST-LIB_LOW/HalfBridge/HalfBridge.hpp.old	Removes legacy/old half-bridge header
Inc/ST-LIB_LOW/ErrorHandler/ErrorHandler.hpp	Replaces legacy error handler API with `PANIC`/`FAULT` macros + reporters
Inc/ST-LIB_LOW/Clocks/Stopwatch.hpp.old	Removes legacy/old stopwatch header
Inc/ST-LIB_HIGH/ST-LIB_HIGH.hpp	Exposes new protections API headers; removes `ProtectionManager` include
Inc/ST-LIB_HIGH/Protections/SampleSource.hpp	Adds typed sample source wrapper for protections
Inc/ST-LIB_HIGH/Protections/Rules.hpp	Adds validated rule constructors (`Protections::Rules::*`)
Inc/ST-LIB_HIGH/Protections/ProtectionTypes.hpp	Adds shared protection runtime types (events/snapshots/encoding)
Inc/ST-LIB_HIGH/Protections/ProtectionManager.hpp	Removes legacy `ProtectionManager` header and macros
Inc/ST-LIB_HIGH/Protections/ProtectionErrors.hpp	Adds error enums for rule/protection configuration/registration
Inc/ST-LIB_HIGH/Protections/ProtectionEngine.hpp	Adds `ProtectionEngine` public API and handle type
Inc/ST-LIB_HIGH/Protections/ProtectionConcepts.hpp	Adds concepts for supported samples and readable sources
Inc/ST-LIB_HIGH/Protections/Notification.hpp	Removes legacy notification order type
Inc/ST-LIB_HIGH/Protections/FaultController.hpp	Adds `FaultController` API + fault policy runtime installation
Inc/ST-LIB_HIGH/Control/Blocks/Zeroing.hpp	Migrates zeroing overflow error to `PANIC(...)`
Inc/ST-LIB_HIGH/Control/Blocks/MeanCalculator.hpp	Migrates mean calculator error to `PANIC(...)`
Inc/ST-LIB.hpp	Introduces fault policy types + `Board<Policy,...>` bootstrap installing diagnostics/fault runtime
Inc/HALAL/Services/Watchdog/Watchdog.hpp	Migrates watchdog interval errors to `PANIC(...)`
Inc/HALAL/Services/Time/Scheduler.hpp	Inlines `get_global_tick()` implementation
Inc/HALAL/Services/Time/RTC.hpp	Makes RTC API always available; adds `is_started()`
Inc/HALAL/Services/PWM/PhasedPWM/PhasedPWM.hpp.old	Removes legacy/old phased PWM header
Inc/HALAL/Services/PWM/PWM.hpp	Migrates PWM channel-not-ready error to `PANIC(...)`
Inc/HALAL/Services/PWM/DualPhasedPWM/DualPhasedPWM.hpp.old	Removes legacy/old dual phased PWM header
Inc/HALAL/Services/PWM/DualPWM.hpp	Migrates dual PWM errors to `PANIC(...)`
Inc/HALAL/Services/InputCapture/InputCapture.hpp.old	Removes legacy/old input capture header
Inc/HALAL/Services/InputCapture/InputCapture.hpp	Migrates channel-not-ready errors to `PANIC(...)`
Inc/HALAL/Services/InfoWarning/InfoWarning.hpp	Replaces legacy `InfoWarning` with diagnostics reporter + `WARNING/INFO` macros
Inc/HALAL/Services/FMAC/FMAC.hpp	Updates comment to match new bootstrap wording
Inc/HALAL/Services/Encoder/Encoder.hpp	Migrates encoder errors to `PANIC(...)`
Inc/HALAL/Services/Diagnostics/Diagnostics.hpp	Adds diagnostics public API (records, sinks, hub, runtime install)
Inc/HALAL/Services/DFSDM/DFSDM.hpp	Migrates DFSDM errors to `PANIC(...)`
Inc/HALAL/Services/Communication/FDCAN/FDCAN.hpp	Migrates FDCAN inscription error to `PANIC(...)`
Inc/HALAL/Services/Communication/Ethernet/NewEthernet.hpp	Removes legacy error/warning update hooks from Ethernet domain update
Inc/HALAL/Services/ADC/ADC.hpp	Migrates ADC DMA/init/channel/start errors to `PANIC(...)`
Inc/HALAL/Models/TimerPeripheral/TimerPeripheral.hpp.old	Removes legacy/old timer peripheral header
Inc/HALAL/Models/TimerDomain/TimerDomain.hpp	Migrates timer-domain errors to `PANIC(...)`
Inc/HALAL/Models/SPI/SPI2.hpp	Migrates SPI2 domain errors to `PANIC(...)`
Inc/HALAL/Models/Packets/SPIOrder.hpp	Migrates SPI order validation errors to `PANIC(...)`
Inc/HALAL/Models/MPUManager/MPUManager.hpp	Migrates MPU heap overflow error to `PANIC(...)`
Inc/HALAL/Models/MDMA/MDMA.hpp	Migrates MDMA node/link errors to `PANIC(...)`
Inc/HALAL/Models/DMA/DMA2.hpp	Migrates DMA init errors to `PANIC(...)`
Inc/HALAL/HALAL.hpp	Removes legacy `HALAL::start(...)` declarations
Inc/C++Utilities/StaticVector.hpp	Migrates capacity exceeded error to `PANIC(...)`
Inc/C++Utilities/CppUtils.hpp	Adds std::byte/expected/optional/variant utilities to common imports
Inc/C++Utilities/CppImports.hpp	Adds missing standard headers for new C++23 utilities
CMakeLists.txt	Wires diagnostics + new protections runtime into build; removes legacy entrypoint sources
.changesets/pm-no-eth-major.md	Adds major release notes + migration guidance

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-22T19:44:04Z

+        visit(
+            [](auto& protection) {
+                const Protections::ProtectionEvaluation evaluation = protection.evaluate();
+                publish_edge_events(protection, evaluation);
+
+                if (evaluation.has_active_fault) {
+                    request_fault_if_due(protection, evaluation);
+                }


publish_edge_events(...) and request_fault_if_due(...) are static member templates of ProtectionEngine, but they’re called unqualified from inside a lambda passed to visit. Unqualified lookup inside the lambda won’t find class members, so this should fail to compile on standard-conforming compilers. Qualify the calls (e.g., ProtectionEngine::publish_edge_events(...) / ProtectionEngine::request_fault_if_due(...)) or move these helpers into the surrounding anonymous namespace as free functions.

Copilot

Pull request overview

Copilot reviewed 111 out of 111 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-22T20:08:40Z

+RuntimeFatalMessage format_runtime_fatal_message(const char* format, va_list arguments) {
+    RuntimeFatalMessage message{};
+    const int32_t written = vsnprintf(message.buffer, sizeof(message.buffer), format, arguments);
+    message.truncated = written < 0 || static_cast<size_t>(written) >= sizeof(message.buffer);
+    return message;


format_runtime_fatal_message consumes a va_list passed by value via vsnprintf. On some platforms va_list is a mutable type, so consuming it in a helper can leave the caller’s va_list in an indeterminate state before va_end, which is undefined behavior. Make a local copy with va_copy inside the helper (or pass a va_list* and copy there) and call vsnprintf on the copy, then va_end the copy in the helper.

Copilot · 2026-04-22T20:08:40Z

+void publish_runtime_diagnostic(
+    Diagnostics::Severity severity,
+    const std::source_location& location,
+    const char* format,
+    va_list arguments
+) {
+    char buffer[Diagnostics::Config::runtime_message_capacity + 1]{};
+    const int32_t written = vsnprintf(buffer, sizeof(buffer), format, arguments);
+


publish_runtime_diagnostic consumes a va_list passed in from the caller. Because va_list may be a mutable type, consuming it in this helper can make the caller’s va_list indeterminate before va_end, which is undefined behavior on some ABIs. Copy the va_list with va_copy in the helper (or in the caller) and pass/consume the copy instead.

victor-Lopez25 · 2026-04-24T10:26:57Z

+    uint64_t tick = global_tick_us_;
+    if (Scheduler_global_timer != nullptr) {
+        tick += Scheduler_global_timer->CNT;
+    }


Scheduler::get_global_tick() assumes the board has been started up so Scheduler_global_timer is not null, this condition is not necessary and will make this function slower for no reason

Copilot

Pull request overview

Copilot reviewed 111 out of 111 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-27T18:33:01Z

+    static void initialize() {
+#if defined(HAL_RTC_MODULE_ENABLED) && !defined(SIM_ON)
+    Global_RTC::ensure_started();
+#endif


ProtectionEngine::initialize() calls Global_RTC::ensure_started() under HAL_RTC_MODULE_ENABLED, but this header doesn’t include the RTC declaration. This will fail to compile in builds where HAL_RTC_MODULE_ENABLED is set unless an unrelated include happens to pull in RTC.hpp. Include HALAL/Services/Time/RTC.hpp here (or otherwise make Global_RTC visible) so the header is self-contained.

victor-Lopez25 · 2026-05-04T18:54:29Z

+    switch (encoding) {
+    case Protections::SampleEncoding::BOOL:
+        snprintf(buffer, buffer_size, "%s", value.bool_value ? "true" : "false");
+        return;


If you know the values are going to be "true" or "false" there's no reason to add this with snprintf you can just memcpy (check bounds)

victor-Lopez25 · 2026-05-04T18:55:28Z

+    switch (encoding) {
+    case Protections::SampleEncoding::BOOL:
+        snprintf(buffer, buffer_size, "%s", value.bool_value ? "true" : "false");
+        return;
+    case Protections::SampleEncoding::SIGNED:
+        snprintf(buffer, buffer_size, "%lld", static_cast<long long>(value.signed_value));
+        return;
+    case Protections::SampleEncoding::UNSIGNED:
+        snprintf(
+            buffer,
+            buffer_size,
+            "%llu",
+            static_cast<unsigned long long>(value.unsigned_value)
+        );
+        return;
+    case Protections::SampleEncoding::FLOAT32:
+        snprintf(buffer, buffer_size, "%.6f", static_cast<double>(value.float32_value));
+        return;
+    case Protections::SampleEncoding::FLOAT64:
+        snprintf(buffer, buffer_size, "%.6f", value.float64_value);
+        return;
+    }


none of the snprintf calls are checked, do we always have buffer size for what we are formatting?

victor-Lopez25 · 2026-05-04T20:46:41Z

+size_t bounded_strnlen(const char* src, size_t max_length) {
+    if (src == nullptr) {
+        return 0;
+    }
+
+    size_t length = 0;
+    while (length < max_length && src[length] != '\0') {
+        length++;
+    }
+    return length;
+}


Is there a reason to use this implementation instead of stdc's strnlen?
strnlen

victor-Lopez25

Looks good, you should check the scheduler comment and the diagnosticformatter comments I added.

Also if you deleted the *.old files, which is fine, you can also remove the directories that now contain no files (if there are any).

StefanCostea · 2026-05-04T20:52:47Z

 };

-#define ErrorHandler(x, ...)                                                                       \
+#define PANIC(x, ...)                                                                              \


Deberiais tener algun nvic lock para esto, lo usais por todos lados, si el main loop esta haciendo un panic y de repente salta un interrupt que tambien hace un panic por lo que sea al escribir en pending_records hay una race condition

Y si tienes una race condition al hacer panic y por lo que sea hard fault, no propagas

O sabe dios que otro unintended behaviour

Yo creo q simplemente no se debería de hacer panic en una interrupción

Es que si no haces panic en una interrupción entonces cuando te llega una interrupción de error qué haces? xd

En qué caso tienes una 'interrupción de error'?
Yo he visto interrupción de fallo pero no sería equivalente a un panic, sería más como añadir uno al contador de fallos e ignorarlo en el main si la frecuencia de fallos es baja.

StefanCostea · 2026-05-04T21:39:26Z

+};
+
+template <ProtectionSample T>
+using RuleDefinition = variant<


Watchout with this being a variant as evaluating it might need runtime std::visit calls that are costly

FoniksFox

The default ethernet sink doesn't work properly (working on it)

- FaultController: decouple FaultCause from DiagnosticRecord; add early-fault bootstrap so faults before start() are latched and the runtime starts directly in FAULT; remove FaultRuntime (superseded) - Diagnostics::Hub: fixed-capacity history ring and pending queue; flush_urgent() drains urgent records first; no heap in publish/flush - RecordFactory: explicit conversion FaultCause -> DiagnosticRecord via FaultDiagnosticMapper; runtime_panic / runtime_fault / runtime_warning / runtime_info factories with RuntimeSourceMetadata - Runtime reporters: PANIC/FAULT use std::source_location, format into fixed stack buffer, no shared mutable metadata (ISR-safe); WARNING/INFO go through RuntimeDiagnosticReporter; ErrorHandler/InfoWarning are now thin compatibility aliases - ProtectionEngine: evaluate() throttles fault notifications via notify_delay_in_microseconds; non-fatal rule edges published to Hub

Replace direct ErrorHandler / InfoWarning calls with the new macro facade (PANIC, FAULT, WARNING, INFO) across all HALAL peripheral drivers, Ethernet/TCP/UDP stacks, and service implementations. Fixes MDMA callsite that was using invalid string concatenation with a printf-style API: PANIC("MDMA Transfer Error, code: %lu", error_code).

- CMakeLists: remove FaultRuntime from build, add DiagnosticSinks - ST-LIB.hpp: update includes after FaultRuntime removal - StaticVector, MeanCalculator, Zeroing, StateOrder variants: minor include and compatibility fixes - README: update status notes

- DiagnosticsHub tests: history when no sinks, per-sink retry, bounded pending queue, reinstall clears latch, fault transitions once, delegation to nested operational machine, early-fault bootstrap (fault before start), source location captured in runtime reporters, invalid rule config rejected without side effects - PANIC/FAULT enter global FAULT and publish URGENT diagnostic record - WARNING/INFO publish without entering FAULT - ProtectionEngine: evaluate triggers fault and publishes protection event - TestAccess: white-box accessors for DiagnosticsHub and ProtectionEngine - Update adc_test, spi2_test, dma2_test, encoder_test, common_tests for new reporter API

Documents the current model: FaultController ownership, FaultPolicy nesting, PANIC/FAULT/WARNING/INFO semantics, early-fault bootstrap, FaultCause vs DiagnosticRecord separation, Diagnostics Hub memory policy, and C++23 design choices.

…happy

jorgesg82 self-assigned this Apr 22, 2026

jorgesg82 requested a review from Copilot April 22, 2026 19:39

Copilot started reviewing on behalf of jorgesg82 April 22, 2026 19:40 View session

Copilot AI reviewed Apr 22, 2026

View reviewed changes

jorgesg82 requested a review from Copilot April 22, 2026 20:01

Copilot started reviewing on behalf of jorgesg82 April 22, 2026 20:01 View session

Copilot AI reviewed Apr 22, 2026

View reviewed changes