Feature/First iteration on MC failsafe #5863
Conversation
|
Nice! |
|
@kd0aij Can you test? |
|
What is rc_loss_mode supposed to do? I guess this should fix the flight termination bug I mentioned in the RC loss PR... need to reference it from here. |
|
what about #5388? |
|
Rc_loss_mode is enum that's is not used right now, but it should define behavior of RC loss failsafe action. With current code it switches to "land" mode, and there is no way to force termination |
| @@ -2881,7 +2881,7 @@ int commander_thread_main(int argc, char *argv[]) | |||
| _mission_result.stay_in_failsafe, | |||
| &status_flags, | |||
| land_detector.landed, | |||
| (rc_loss_enabled > 0), | |||
| rc_loss_mode, | |||
There was a problem hiding this comment.
I like this change but does it change the behaviour at all like this?
There was a problem hiding this comment.
Note that the same param is used again in the navigator which is really quite ugly:
https://github.com/PX4/Firmware/blob/master/src/modules/commander/commander.cpp#L1276
https://github.com/PX4/Firmware/blob/master/src/modules/navigator/navigator_main.cpp#L162
There was a problem hiding this comment.
No, it doesn't, yet.
I have never seen Navigator before. What is it used for?
It looks like it has very similar logic as commander for data/rc links and GPS, but handles it in its own way.
There was a problem hiding this comment.
In my opinion, the handling of RC and DL loss should move back from the navigator to the state machine (as done here with offboard actions: #4655)
There was a problem hiding this comment.
The navigation states itself can still implement complex logic as it is the case for things that got added for OBC 2014, but no separate/duplicate state switching
There was a problem hiding this comment.
I read more commander and navigator code and now feel the difference of their responsibilities.
(Please correct me if I am wrong)
Navigator simply performs 'pieces' of the autonomous navigation, it doesn't make a decision.
Commander is that one that maintains the global state of the vehicle based on params, user and sensor inputs and makes all the decisions of what action to take in particular situation.
If my understanding is correct then I am 100% agree that rc_loss_mode should be handled in commander (SM helper), not navigator.
My only concern is that SM helper keeps growing and already has a big chunk of copy-pasted code. I feel a bit worried of breaking things by doing change to RC loss like this without having really good understanding and having unit tests covering the logic.
There was a problem hiding this comment.
@anton-matosov I think you got it right, that's very much the way it was designed. If you're concerned about breaking the state machine helper the way to resolve that would be to add tests to and then extend or refactor it.
|
Ok. I think that's what I am going to do then. I will write tests at least for code I am going to modify for SM Helper and navigator. Are there any existing tests? |
|
@anton-matosov state machine tests here - https://github.com/PX4/Firmware/blob/master/src/modules/commander/commander_tests/state_machine_helper_test.cpp Nothing really for navigator, unless you can fit it into a mission test. https://github.com/PX4/Firmware/tree/4453e4201b7a245cff52beeb38a293161aea4c48/integrationtests/python_src/px4_it/mavros |
|
@anton-matosov what do you plan to change in the state machine helper? Because I'm reworking this at the moment and implemented a different way of how the failures are handled (more comprehensive), also adding unit tests. |
|
@AndreasAntener I am planning to refactor RC and Datalink loss code to get rid of the copy-paste and migrate RC/Data loss mode switching to commander out from Navigator the same way offboard loss modes are handled. |
1 similar comment
|
@AndreasAntener I am planning to refactor RC and Datalink loss code to get rid of the copy-paste and migrate RC/Data loss mode switching to commander out from Navigator the same way offboard loss modes are handled. |
|
@AndreasAntener are you done with your refactoring of the commander's SM? |
|
@anton-matosov I think we should separate the refactoring from your functionality change (termination handling). I'll push a branch in a sec that contains the move from navigator, after I can build upon that again. |
|
@anton-matosov added a PR for you (#5884), please have a look. You can integrate the changes from there into your branch and delete it, or whatever is easier for you |
anton-matosov
force-pushed
the
feature/MC-Failsafe-part1
branch
from
dd2a622
to
a1cfc1a
Compare
|
@AndreasAntener @LorenzMeier @kd0aij @Tumbili @julianoes PR is ready for review |
|
Thanks! I did a first pass and it overall looks good. A couple of questions:
Please try to describe this in general when submitting a PR, since those are changes that need context. Thanks! |
If you have kill switch configured on RC,
I was using manual RC for the RC loss testing and I made it off by default (configurable in CMakeLists). I will also need it for RC expo rates code testing in simulator.
I have added wrapper for px4 that includes paths originally provided via the command line by
Sure. I will definitely do this next time |
|
@LorenzMeier any updates? |
|
@anton-matosov will review this weekend, thanks for your work. |
|
Thanks @julianoes |
| @@ -135,6 +135,15 @@ then | |||
| elif [ "$debugger" == "valgrind" ] | |||
| then | |||
| valgrind $sitl_command | |||
| elif [ "$debugger" == "ide" ] | |||
There was a problem hiding this comment.
Make sure to document this somewhere.
There was a problem hiding this comment.
Any suggestions on where to put docs for this?
| /* overwrite outputs in case of force_failsafe */ | ||
| if (_failsafe) { | ||
| for (size_t i = 0; i < num_outputs; i++) { | ||
| outputs.output[i] = 600; |
There was a problem hiding this comment.
Why 600? That seems very low. Usually we have 900 in that case, and there should be a define.
There was a problem hiding this comment.
I chose 600 as a magic for PWM Simulator failsafe as it doesn't read values from settings (might need to add this instead) and I needed some distinguishable value from disarmed to easily debug failsafe and not confuse with other states.
There was a problem hiding this comment.
I have moved 600 and 900 to named constants.
It doesn't make sense to read params as they are not configured for any simulator
| FILES ${CMAKE_CURRENT_BINARY_DIR}/${APP_NAME} | ||
| ${PX4_SOURCE_DIR}/posix-configs/eagle/flight/mainapp.config | ||
| DEPENDS ${APP_NAME} | ||
| DEST /home/linaro) |
There was a problem hiding this comment.
I'll need to test this on Snapdragon to make sure there are no regressions.
| offboard_loss_act, | ||
| offboard_loss_rc_act); | ||
| /* now set navigation state according to failsafe and main state */ | ||
| bool nav_state_changed = set_nav_state(&status, |
There was a problem hiding this comment.
Strange, so here the indent has changed but I think it was correct before.
There was a problem hiding this comment.
Ok, will fix that
There was a problem hiding this comment.
make format doesn't catch this.
There was a problem hiding this comment.
Indent have changed from tabs to spaces.
Many files have mixed formatting...
What does the coding standard for px4 says about tab/spaces and what is the tab size used on the project (needed for mixed lines)?
There was a problem hiding this comment.
Everything has to be tabs and default is 8 width (if you use Sublime, you get a decent default). Anything having mixed formatting is the result of style checking not being enforced yet (e.g. in the commander). We're cleaning up module-by-module and probably should enforce style when this PR is in.
| } | ||
| } else { | ||
| /* armed, solid */ | ||
| led_on(LED_BLUE); |
There was a problem hiding this comment.
Am I right that LED_GREEN is undefined in the non failsafe case and left at whatever it was toggled to last?
There was a problem hiding this comment.
Most likely you are right. I will double check and fix. Good catch!
There was a problem hiding this comment.
Added missing led_off(LED_GREEN);
| @@ -1040,6 +1040,63 @@ MulticopterAttitudeControl::task_main() | |||
| _controller_status_pub = orb_advertise(ORB_ID(mc_att_ctrl_status), &_controller_status); | |||
| } | |||
| } | |||
|
|
|||
| if (_v_control_mode.flag_control_termination_enabled) { | |||
There was a problem hiding this comment.
Shouldn't this be taken care off in the drivers instead of the controllers?
There was a problem hiding this comment.
This where I have stared based on the FW_att_control but I couldn't stop motors from here.
For lockdown we don't really need anything, but for termination it is the a kind of only place to do something.
IMO drivers should not know about flight control modes and take actions based on this.
There was a problem hiding this comment.
@anton-matosov The whole diff / PR makes sense, this is the only section I don't get yet entirely.
Are you trying to prevent an integrator windup here or is this needed to stop the props?
| } else { /* if == 2 or unknown, RTL */ | ||
| _navigation_mode = &_rtl; | ||
| } | ||
| _navigation_mode = &_rcLoss; |
There was a problem hiding this comment.
This is much cleaner and moves the responsibility to the commander. I think that's the right approach.
There was a problem hiding this comment.
Cudos to @AndreasAntener
| @@ -0,0 +1,39 @@ | |||
| /**************************************************************************** | |||
| * | |||
| * Copyright (c) 2016 Anton Matosov. All rights reserved. | |||
There was a problem hiding this comment.
This should be PX4 Development Team, I think.
There was a problem hiding this comment.
Emmm... I am not part of that team, so I don't think I should put your name on my changes.
There was a problem hiding this comment.
It's just the default header in general, not sure.
| @@ -1,6 +1,7 @@ | |||
| /**************************************************************************** | |||
| * | |||
| * Copyright (c) 2015 Mark Charlebois. All rights reserved. | |||
| * Copyright (c) 2016 Anton Matosov. All rights reserved. | |||
There was a problem hiding this comment.
And the same here actually.
| return errno; | ||
| } | ||
| const char *argsOverride[] = {argv[0], "@SITL_RUNNER_SOURCE_DIR@", "@SITL_RUNNER_MODEL_FILE@"}; | ||
| return SITL_MAIN(sizeof(argsOverride) / sizeof(argsOverride[0]), (char**)argsOverride); |
There was a problem hiding this comment.
I'm gonna push back on this change, I think it conflicts heavily with upcoming changes in #5162.
There was a problem hiding this comment.
I don't see any conflicts with your PR (on logic/behavior level, didn't dive in code yet)
But to make it cleaner I will separate build system/debugging changes from failsafe code and submit them as separate PR
There was a problem hiding this comment.
That would be better, thanks.
| set_link_loss_nav_state(status, armed, status_flags, link_loss_act, vehicle_status_s::NAVIGATION_STATE_AUTO_RTGS); | ||
| } | ||
|
|
||
| void set_link_loss_nav_state(struct vehicle_status_s* status, |
There was a problem hiding this comment.
Oh I realize now what you are doing here. It seems quite complicated, in my opinion we need to simplify this all.
There was a problem hiding this comment.
What exactly looks complicated here? This is mostly port of the link loss code from the navigator to commander + 2 new action types.
I have introduced enum for actions instead of using magic numbers and merged handlers for RC and data loss as the are the same except 1 nav state.
There was a problem hiding this comment.
Got it. Were you already able to test most/all the cases?
There was a problem hiding this comment.
I have not tested all the cases.
|
@julianoes can you please take a look at the latest changes that address your comments? |
|
@LorenzMeier @julianoes I have applied suggested changes. Please review again. |
Move RC and DL failsafe actions handling from navigator to commander (credits to @AndreasAntener) Separate manual kill switch handling via manual_lockdown to prevent override and release of software lockdown by RC switch Other changes: Add failsafe tune Fix LED blinking for Pixracer Return back support for rc inputs in simulator but now it is configurable via cmake
anton-matosov
force-pushed
the
feature/MC-Failsafe-part1
branch
from
0cecdfa
to
d3fce07
Compare
|
@anton-matosov Thanks, much appreciated! I'm going to try to get this in tomorrow. |
|
Awesome! This is ready to go, one last question. @anton-matosov Great work! |
|
Rebased and continuing here: |
Add failsafe tune
Fix LED blinking for Pixracer
Pass rc_loss_mode instead of simple bool flag
Add setting of failsafe PWM outputs in case of force_failsafe