Move car safety modes to opendbc (#1713)

* move safety tests

* move libsafety

* move safety

* rename imports

* copy over needed (minimalized) board and driver code

* dont test safety here

* add new job for safety tests

fix

* try fix

* ubsan

* ?

?

* missing cffi

* should be final fix

* mac fix

* no mac

* use setup script

* no cd

* this is the correct way to do it

* add misra

* misra fixes

* run

* setup misra

* add missing files

* is this used?

* add that

* Revert "is this used?"

This reverts commit 2f34762.

* need this

* misra mutation test

* fix

* no race conditions

* test

* cache cppcheck

fix

* setup

* good timeouts

* mutation test

* fix

* no

* Revert "no"

This reverts commit 39e10a0.

* already tested

* move Safety Model readme section to opendbc

* fix

* fix

* disable mutation tests for merge

* namespace

* test no cache

* 1m

1m

Author: sshane

.github/workflows/tests.yml

@@ -20,3 +20,86 @@ jobs:
     - uses: commaai/timeout@v1
     - uses: actions/checkout@v4
     - run: ./test.sh
+
+  safety_tests:
+    name: safety
+    runs-on: ${{ ((github.repository == 'commaai/opendbc') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == 'commaai/opendbc'))) && 'namespace-profile-amd64-8x16' || 'ubuntu-latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        flags: ['', '--ubsan']
+    steps:
+    - uses: commaai/timeout@v1
+    - uses: actions/checkout@v4
+    - name: Run safety tests
+      run: ./opendbc/safety/tests/test.sh ${{ matrix.flags }}
+
+  misra_linter:
+    name: MISRA C:2012 Linter
+    runs-on: ${{ ((github.repository == 'commaai/opendbc') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == 'commaai/opendbc'))) && 'namespace-profile-amd64-8x16' || 'ubuntu-latest' }}
+    timeout-minutes: 20
+    steps:
+      - name: Set up
+        run: sudo apt-get install -y --no-install-recommends gcc-arm-none-eabi libnewlib-arm-none-eabi
+      - uses: actions/checkout@v4
+      - name: Restore cached cppcheck
+        uses: actions/cache@v4
+        with:
+          path: opendbc/safety/tests/misra/cppcheck/
+          key: cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+          restore-keys: |
+            cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+            cppcheck-cache-${{ runner.os }}-
+      - name: Run MISRA C:2012 analysis
+        timeout-minutes: ${{ ((steps.restore-scons-cache.outputs.cache-hit == 'true') && 1 || 2) }}
+        run: cd opendbc/safety/tests/misra && ./test_misra.sh
+      - name: Save cppcheck cache
+        uses: actions/cache@v4
+        with:
+          path: opendbc/safety/tests/misra/cppcheck/
+          key: cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+
+  misra_mutation:
+    name: MISRA C:2012 Mutation
+    runs-on: ${{ ((github.repository == 'commaai/opendbc') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == 'commaai/opendbc'))) && 'namespace-profile-amd64-8x16' || 'ubuntu-latest' }}
+    timeout-minutes: 20
+    steps:
+      - name: Set up
+        run: sudo apt-get install -y --no-install-recommends gcc-arm-none-eabi libnewlib-arm-none-eabi
+      - uses: actions/checkout@v4
+      - name: Restore cached cppcheck
+        uses: actions/cache@v4
+        with:
+          path: opendbc/safety/tests/misra/cppcheck/
+          key: cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+          restore-keys: |
+            cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+            cppcheck-cache-${{ runner.os }}-
+      - name: MISRA mutation tests
+        timeout-minutes: 1
+        run: |
+          source setup.sh
+          scons -j8
+          cd opendbc/safety/tests/misra
+          ./install.sh  # cppcheck
+          pytest -s -n8 --randomly-seed $RANDOM test_mutation.py
+      - name: Save cppcheck cache
+        uses: actions/cache@v4
+        with:
+          path: opendbc/safety/tests/misra/cppcheck/
+          key: cppcheck-cache-${{ runner.os }}-${{ github.ref }}
+
+#  mutation:
+#    name: Safety mutation tests
+#    runs-on: ${{ ((github.repository == 'commaai/opendbc') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.full_name == 'commaai/opendbc'))) && 'namespace-profile-amd64-8x16' || 'ubuntu-latest' }}
+#    timeout-minutes: 20
+#    steps:
+#      - uses: actions/checkout@v4
+#        with:
+#          fetch-depth: 0  # need master to get diff
+#      - name: Run mutation tests
+#        timeout-minutes: 5
+#        run: |
+#          source setup.sh
+#          scons -j8
+#          GIT_REF=${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && github.event.before || 'origin/master' }} cd opendbc/safety/tests && ./mutation.sh

README.md

@@ -69,7 +69,7 @@ At its most basic, a car port will control the steering on a car. A "complete" c
 The first step is to get connected to the car with a comma 3X and a car harness.
 The car harness gets you connected to two different CAN buses and splits one of those buses to send our own actuation messages.
 
-If you're lucky, a harness compatible with your car will already be designed and sold on comma.ai/shop. 
+If you're lucky, a harness compatible with your car will already be designed and sold on comma.ai/shop.
 If you're not so lucky, start with a "developer harness" from comma.ai/shop and crimp on whatever connector you need.
 
 ### Structure of a port
@@ -78,11 +78,11 @@ Depending on , most of this basic structure will already be in place.
 
 The entirery of a car port lives in `opendbc/car/<brand>/`:
 * `carstate.py`: parses out the relevant information from the CAN stream using the car's DBC file
-* `carcontroller.py`: outputs CAN messages to control the car 
+* `carcontroller.py`: outputs CAN messages to control the car
 * `<brand>can.py`: thin Python helpers around the DBC file to build CAN messages
 * `fingerprints.py`: database of ECU firmware versions for identifying car models
 * `interface.py`: high level class for interfacing with the car
-* `radar_interface.py`: parses out the radar 
+* `radar_interface.py`: parses out the radar
 * `values.py`: enumerates the brand's supported cars
 
 ### Reverse Engineer CAN messages
@@ -97,7 +97,7 @@ Use the [longitudinal maneuvers](https://github.com/commaai/openpilot/tree/maste
 
 ## Contributing
 
-All opendbc development is coordinated on GitHub and [Discord](https://discord.comma.ai). Check out the `#dev-opendbc-cars` channel and `Vehicle Specific` section. 
+All opendbc development is coordinated on GitHub and [Discord](https://discord.comma.ai). Check out the `#dev-opendbc-cars` channel and `Vehicle Specific` section.
 
 ### Roadmap
 
@@ -116,6 +116,29 @@ Longer term
 
 Contributions towards anything here are welcome.
 
+## Safety Model
+
+When a [panda](https://comma.ai/shop/panda) powers up with [opendbc safety firmware](opendbc/safety), by default it's in `SAFETY_SILENT` mode. While in `SAFETY_SILENT` mode, the CAN buses are forced to be silent. In order to send messages, you have to select a safety mode. Some of safety modes (for example `SAFETY_ALLOUTPUT`) are disabled in release firmwares. In order to use them, compile and flash your own build.
+
+Safety modes optionally support `controls_allowed`, which allows or blocks a subset of messages based on a customizable state in the board.
+
+## Code Rigor
+
+The opendbc safety firmware is written for its use in conjunction with [openpilot](https://github.com/commaai/openpilot) and [panda](https://github.com/commaai/panda). The safety firmware, through its safety model, provides and enforces the
+[openpilot safety](https://github.com/commaai/openpilot/blob/master/docs/SAFETY.md). Due to its critical function, it's important that the application code rigor within the `safety` folder is held to high standards.
+
+These are the [CI regression tests](https://github.com/commaai/opendbc/actions) we have in place:
+* A generic static code analysis is performed by [cppcheck](https://github.com/danmar/cppcheck/).
+* In addition, [cppcheck](https://github.com/danmar/cppcheck/) has a specific addon to check for [MISRA C:2012](https://misra.org.uk/) violations. See [current coverage](opendbc/safety/tests/misra/coverage_table).
+* Compiler options are relatively strict: the flags `-Wall -Wextra -Wstrict-prototypes -Werror` are enforced.
+* The [safety logic](opendbc/safety) is tested and verified by [unit tests](opendbc/safety/tests) for each supported car variant.
+
+The above tests are themselves tested by:
+* a [mutation test](opendbc/safety/tests/misra/test_mutation.py) on the MISRA coverage
+* 100% line coverage enforced on the safety unit tests
+
+In addition, we run the [ruff linter](https://github.com/astral-sh/ruff) and [mypy](https://mypy-lang.org/) on the car interface library.
+
 ### Bounties
 
 Every car port is eligible for a bounty:
@@ -137,7 +160,7 @@ In addition to the standard bounties, we also offer higher value bounties for mo
 
 ***How does this work?*** In short, we designed hardware to replace your car's built-in lane keep and adaptive cruise features. See [this talk](https://www.youtube.com/watch?v=FL8CxUSfipM) for an in-depth explanation.
 
-***Is there a timeline or roadmap for adding car support?*** No, most car support comes from the community, with comma doing final safety and quality validation. The more complete the community car port is and the more popular the car is, the more likely we are to pick it up as the next one to validate. 
+***Is there a timeline or roadmap for adding car support?*** No, most car support comes from the community, with comma doing final safety and quality validation. The more complete the community car port is and the more popular the car is, the more likely we are to pick it up as the next one to validate.
 
 ### Terms
 
@@ -163,7 +186,7 @@ In addition to the standard bounties, we also offer higher value bounties for mo
 * [*How to Port a Car*](https://www.youtube.com/watch?v=XxPS5TpTUnI&t=142s&pp=ygUPamFzb24gY29tbWEgY29u) by [@jyoung8607](https://github.com/jyoung8607) from COMMA_CON 2023
 * [commaCarSegments](https://huggingface.co/datasets/commaai/commaCarSegments): a massive dataset of CAN data from 300 different car models
 * [cabana](https://github.com/commaai/openpilot/tree/master/tools/cabana#readme): our tool for reverse engineering CAN messages
-* [can_print_changes.py](https://github.com/commaai/openpilot/blob/master/selfdrive/debug/can_print_changes.py): diff the whole CAN bus across two drives, such as one without any LKAS and one with LKAS 
+* [can_print_changes.py](https://github.com/commaai/openpilot/blob/master/selfdrive/debug/can_print_changes.py): diff the whole CAN bus across two drives, such as one without any LKAS and one with LKAS
 * [longitudinal maneuvers](https://github.com/commaai/openpilot/tree/master/tools/longitudinal_maneuvers): a tool for evaluating and tuning longitudinal control
 * [opendbc data](https://commaai.github.io/opendbc-data/): a repository of longitudinal maneuver evaluations
 

SConscript

@@ -2,3 +2,7 @@ Import("env")
 
 SConscript(['opendbc/can/SConscript'], exports={'env': env})
 SConscript(['opendbc/dbc/SConscript'], exports={'env': env})
+
+# test files
+if GetOption('extras'):
+  SConscript('opendbc/safety/tests/libsafety/SConscript')

SConstruct

@@ -25,6 +25,19 @@ AddOption('--asan',
           action='store_true',
           help='turn on ASAN')
 
+# safety options
+AddOption('--ubsan',
+          action='store_true',
+          help='turn on UBSan')
+
+AddOption('--coverage',
+          action='store_true',
+          help='build with test coverage options')
+
+AddOption('--mutation',
+          action='store_true',
+          help='generate mutation-ready code')
+
 ccflags_asan = ["-fsanitize=address", "-fno-omit-frame-pointer"] if GetOption('asan') else []
 ldflags_asan = ["-fsanitize=address"] if GetOption('asan') else []
 

opendbc/safety/__init__.py

@@ -1,3 +1,8 @@
+# constants from panda/python/__init__.py
+DLC_TO_LEN = [0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, 32, 48, 64]
+LEN_TO_DLC = {length: dlc for (dlc, length) in enumerate(DLC_TO_LEN)}
+
+
 class Safety:
   # matches opendbc.structs.CarParams.SafetyModel
   # TODO: just use SafetyModel in panda repo

opendbc/safety/board/can.h

@@ -0,0 +1,4 @@
+#pragma once
+#include "can_declarations.h"
+
+static const unsigned char dlc_to_len[] = {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 12U, 16U, 20U, 24U, 32U, 48U, 64U};

opendbc/safety/board/can_declarations.h

@@ -0,0 +1,27 @@
+#pragma once
+
+#define CANPACKET_HEAD_SIZE 6U
+
+// TODO: this is always CANFD
+#if !defined(STM32F4)
+  #define CANFD
+  #define CANPACKET_DATA_SIZE_MAX 64U
+#else
+  #define CANPACKET_DATA_SIZE_MAX 8U
+#endif
+
+typedef struct {
+  unsigned char fd : 1;
+  unsigned char bus : 3;
+  unsigned char data_len_code : 4;  // lookup length with dlc_to_len
+  unsigned char rejected : 1;
+  unsigned char returned : 1;
+  unsigned char extended : 1;
+  unsigned int addr : 29;
+  unsigned char checksum;
+  unsigned char data[CANPACKET_DATA_SIZE_MAX];
+} __attribute__((packed, aligned(4))) CANPacket_t;
+
+#define GET_BUS(msg) ((msg)->bus)
+#define GET_LEN(msg) (dlc_to_len[(msg)->data_len_code])
+#define GET_ADDR(msg) ((msg)->addr)

opendbc/safety/board/drivers/can_common.h

@@ -0,0 +1,18 @@
+#include "can_common_declarations.h"
+
+uint8_t calculate_checksum(const uint8_t *dat, uint32_t len) {
+  uint8_t checksum = 0U;
+  for (uint32_t i = 0U; i < len; i++) {
+    checksum ^= dat[i];
+  }
+  return checksum;
+}
+
+void can_set_checksum(CANPacket_t *packet) {
+  packet->checksum = 0U;
+  packet->checksum = calculate_checksum((uint8_t *) packet, CANPACKET_HEAD_SIZE + GET_LEN(packet));
+}
+
+bool can_check_checksum(CANPacket_t *packet) {
+  return (calculate_checksum((uint8_t *) packet, CANPACKET_HEAD_SIZE + GET_LEN(packet)) == 0U);
+}

opendbc/safety/board/drivers/can_common_declarations.h

@@ -0,0 +1,4 @@
+#pragma once
+
+uint8_t calculate_checksum(const uint8_t *dat, uint32_t len);
+void can_set_checksum(CANPacket_t *packet);

opendbc/safety/board/fake_stm.h

@@ -0,0 +1,29 @@
+// minimal code to fake a panda for tests
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "utils.h"
+
+#define ALLOW_DEBUG
+#define PANDA
+
+void print(const char *a) {
+  printf("%s", a);
+}
+
+void puth(unsigned int i) {
+  printf("%u", i);
+}
+
+typedef struct {
+  uint32_t CNT;
+} TIM_TypeDef;
+
+TIM_TypeDef timer;
+TIM_TypeDef *MICROSECOND_TIMER = &timer;
+uint32_t microsecond_timer_get(void);
+
+uint32_t microsecond_timer_get(void) {
+  return MICROSECOND_TIMER->CNT;
+}

opendbc/safety/board/faults.h

@@ -0,0 +1,25 @@
+#include "faults_declarations.h"
+
+uint8_t fault_status = FAULT_STATUS_NONE;
+uint32_t faults = 0U;
+
+void fault_occurred(uint32_t fault) {
+  if ((faults & fault) == 0U) {
+    if ((PERMANENT_FAULTS & fault) != 0U) {
+      print("Permanent fault occurred: 0x"); puth(fault); print("\n");
+      fault_status = FAULT_STATUS_PERMANENT;
+    } else {
+      print("Temporary fault occurred: 0x"); puth(fault); print("\n");
+      fault_status = FAULT_STATUS_TEMPORARY;
+    }
+  }
+  faults |= fault;
+}
+
+void fault_recovered(uint32_t fault) {
+  if ((PERMANENT_FAULTS & fault) == 0U) {
+    faults &= ~fault;
+  } else {
+    print("Cannot recover from a permanent fault!\n");
+  }
+}

opendbc/safety/board/faults_declarations.h

@@ -0,0 +1,18 @@
+#pragma once
+
+#define FAULT_STATUS_NONE 0U
+#define FAULT_STATUS_TEMPORARY 1U
+#define FAULT_STATUS_PERMANENT 2U
+
+// Fault types, excerpt from cereal.log.PandaState.FaultType for safety tests
+#define FAULT_RELAY_MALFUNCTION             (1UL << 0)
+// ...
+
+// Permanent faults
+#define PERMANENT_FAULTS 0U
+
+extern uint8_t fault_status;
+extern uint32_t faults;
+
+void fault_occurred(uint32_t fault);
+void fault_recovered(uint32_t fault);

opendbc/safety/board/utils.h

@@ -0,0 +1,47 @@
+// cppcheck-suppress-macro misra-c2012-1.2; allow __typeof__ extension
+#define MIN(a, b) ({ \
+  __typeof__ (a) _a = (a); \
+  __typeof__ (b) _b = (b); \
+  (_a < _b) ? _a : _b; \
+})
+
+// cppcheck-suppress-macro misra-c2012-1.2; allow __typeof__ extension
+#define MAX(a, b) ({ \
+  __typeof__ (a) _a = (a); \
+  __typeof__ (b) _b = (b); \
+  (_a > _b) ? _a : _b; \
+})
+
+// cppcheck-suppress-macro misra-c2012-1.2; allow __typeof__ extension
+#define CLAMP(x, low, high) ({ \
+  __typeof__(x) __x = (x); \
+  __typeof__(low) __low = (low);\
+  __typeof__(high) __high = (high);\
+  (__x > __high) ? __high : ((__x < __low) ? __low : __x); \
+})
+
+// cppcheck-suppress-macro misra-c2012-1.2; allow __typeof__ extension
+#define ABS(a) ({ \
+  __typeof__ (a) _a = (a); \
+  (_a > 0) ? _a : (-_a); \
+})
+
+#ifndef NULL
+// this just provides a standard implementation of NULL
+// in lieu of including libc in the panda build
+// cppcheck-suppress [misra-c2012-21.1]
+#define NULL ((void*)0)
+#endif
+
+// STM32 HAL defines this
+#ifndef UNUSED
+#define UNUSED(x) ((void)(x))
+#endif
+
+#define COMPILE_TIME_ASSERT(pred) ((void)sizeof(char[1 - (2 * (!(pred) ? 1 : 0))]))
+
+// compute the time elapsed (in microseconds) from 2 counter samples
+// case where ts < ts_last is ok: overflow is properly re-casted into uint32_t
+uint32_t get_ts_elapsed(uint32_t ts, uint32_t ts_last) {
+  return ts - ts_last;
+}

opendbc/safety/main.c

@@ -0,0 +1,12 @@
+#include "safety.h"
+
+// this file is checked by cppcheck
+
+// Ignore misra-c2012-8.7 as these functions are only called from panda and libsafety
+UNUSED(heartbeat_engaged);
+
+UNUSED(safety_rx_hook);
+UNUSED(safety_tx_hook);
+UNUSED(safety_fwd_hook);
+UNUSED(safety_tick);
+UNUSED(set_safety_hooks);