Add watchdog lower limit timeout test

[Tharazi97]

Description

Currently there is no test that checks if watchdog on the device meets the assumption specified in docs: "The watchdog should trigger at or after the timeout value.".
This PR adds one to the base of watchdog reset tests.
It checks whether the watchdog did not restart the device before the window left to the end of timeout. If watchdog restarted the device, the test will time out.

Targets with not calibrated watchdog clock won't pass this test. This is the case for some STM MCU, default calibration is not accurate at all, so we should probably:

1. Change the watchdog API of these targets so it meets assumptions specified in docs.
2. Make this test optional (specify that these targets won't have their watchdog trigger at or after timeout, but in between half value of timeout to 2 times timeout value).
3. Relax assumptions.

Pull request type

[ ] Fix
[ ] Refactor
[ ] Target update
[X] Functionality change
[ ] Docs update
[ ] Test update
[ ] Breaking change

Reviewers

@fkjagodzinski @0xc0170 @maciejbocianski @jamesbeyond

Release Notes

watchdog_features_t extended by two uint32_t members: clock_typical_frequency and clock_max_frequency. These values can be used to determine the accuracy of an uncalibrated watchdog clock.

[ciarmcom]

@Tharazi97, thank you for your changes.
@maciejbocianski @jamesbeyond @fkjagodzinski @0xc0170 @ARMmbed/mbed-os-core @ARMmbed/mbed-os-hal @ARMmbed/mbed-os-test @ARMmbed/mbed-os-maintainers please review.

[0xc0170]

STM targets won't pass this test, so we should probably:
Change the STM watchdog API so it meets assumptions specified in docs.
Make this test optional (specify that STM targets won't have their watchdog trigger at or after timeout, but in between half value of timeout to 2 times timeout value).
Relax assumptions.

@Tharazi97 if we can fix it, would be great. Just need more details.
@ARMmbed/team-st-mcd Please review

[0xc0170]

I reduced reviewers. Please review

[Tharazi97]

@0xc0170
According to documentation watchdog should trigger at or after timeout value. (https://os.mbed.com/docs/mbed-os/v5.13/porting/watchdog-port.html)
STM targets have their watchdog clocked by LSI oscillator and its frequency may vary very much. So if we program watchdog to trigger at, or after 100 ms timeout it may physically trigger i. e. even after 70ms. So assumption that "The watchdog should trigger at or after the timeout value." is incorrect.

Test that I added checks if watchdog is physically triggering after the timeout value, if not it chcecks how close we are to this value.

[Tharazi97]

We can change the assumption to: "The watchdog should trigger at or after the 75% timeout value.", or: "The watchdog should trigger at or after the timeout value (not applicable STM devices)."

[jeromecoutant]

STM targets won't pass this test

I would prefer to change this line...
Targets with not calibrated watchdog clock won't pass this test.
This is the case for some STM MCU, default calibration is not accurate at all.

Thx

[jeromecoutant]

Maybe we could add some frequency accuracy parameter in watchdog_features_t that test can check ?

[Tharazi97]

@jeromecoutant
I think that could work. Add this parameter, change the test and change the assumption to: The watchdog should trigger at or after the timeout value times frequency accuracy. Or something like that. What do you think @jamesbeyond @fkjagodzinski?

[fkjagodzinski]

Is there any reason to duplicate this test for the driver layer? As I see it, this test simply checks the actual hardware performance, right? Both HAL and driver APIs are verified by other test cases.

[Tharazi97]

Done

[fkjagodzinski]

Since this is a timing test, I think it should be moved to TESTS/mbed_hal/watchdog_timing.

[Tharazi97]

Done

[fkjagodzinski]

Please keep the convention of adding a unit suffix.

Suggested change

	#define TIMEOUT_LOWER_LIMIT 1000UL
	#define TIMEOUT_LOWER_LIMIT_MS 1000UL

[Tharazi97]

Done

[fkjagodzinski]

As we know, for some targets these tests will fail for sure if the watchdog clock is left uncalibrated. I think we should add #if MBED_EXTENDED_TESTS here, to skip these tests on the CI.

[fkjagodzinski]

Currently this produces an ERROR test case result instead of FAIL. Could you update that?

[fkjagodzinski]

Maybe we could add some frequency accuracy parameter in watchdog_features_t that test can check ?

That seems useful; would help the user to determine the watchdog timing capabilities. @donatieng, @0xc0170, what do you think?

[0xc0170]

What would this number define and how it would be used? Illustration might help

[Tharazi97]

So for example this is the documentation of STM32L073RZ. As we can see typical frequency is 38 kHz, but it may vary from 26 to 56 kHz. In its implementation of the watchdog LSI value is defined as 38 kHz, so ratio of defined value to max value is equal to 67% (rounding down).

I would name this parameter clock_accuracy and it would mean how accurate is not calibrated watchdog clock. The bigger value, the watchdog clock is more precise.

Practical use of this value would be to determine when to kick watchdog when it is not calibrated, so the device would not restart when not expected.

With this value, the test would look something like this:

void test_timeout()
{
    watchdog_features_t features = hal_watchdog_get_platform_features();
    if (TIMEOUT_LOWER_LIMIT_MS > features.max_timeout) {
        TEST_IGNORE_MESSAGE("Requested timeout value not supported for this target -- ignoring test case.");
        return;
    }

    // Phase 2. -- verify the test results.
    if (current_case.received_data != CASE_DATA_INVALID) {
        TEST_ASSERT_EQUAL(CASE_DATA_PHASE2_OK, current_case.received_data);
        current_case.received_data = CASE_DATA_INVALID;
        return;
    }

    // Phase 1. -- run the test code.
    watchdog_config_t config = { TIMEOUT_LOWER_LIMIT_MS };
    TEST_ASSERT_EQUAL(WATCHDOG_STATUS_OK, hal_watchdog_init(&config));

    // Kick watchdog before timeout.
    // Watchdog should not trigger before timeout * clock accuracy.
    // If device restarts while waiting for the kick, test fails.
    wait_ms(TIMEOUT_LOWER_LIMIT_MS * features.clock_accuracy / 100);
    hal_watchdog_kick();

    if (send_reset_notification(&current_case, 2 * TIMEOUT_MS) == false) {
        TEST_ASSERT_MESSAGE(0, "Dev-host communication error.");
        return;
    }
    hal_watchdog_kick();

    // Watchdog should fire before twice the timeout value.
    wait_ms(2 * TIMEOUT_LOWER_LIMIT_MS);

    // Watchdog reset should have occurred during that wait() above;

    hal_watchdog_kick();  // Just to buy some time for testsuite failure handling.
    TEST_ASSERT_MESSAGE(0, "Watchdog did not reset the device as expected.");
}

[0xc0170]

clock accuracy - is this in percentage (0-100) ? Not documented in hal header file

[0xc0170]

we should not be touching these device files as they get updated from upstream. This could be defined in our codebase (config for instance), and used in the watchdog HAL

[0xc0170]

@ARMmbed/team-st-mcd please review

[jeromecoutant]

I agree, don't patch files in device directory (except bugs)
Thx

[0xc0170]

@ARMmbed/team-st-mcd Please review

[fkjagodzinski]

Silabs build errors are fixed now. As for the release notes -- I couldn't edit the original PR description. @adbridge, @0xc0170, could you paste this note there?:

Release Notes

watchdog_features_t extended by two uint32_t members: clock_typical_frequency and clock_max_frequency. These values can be used to determine the accuracy of an uncalibrated watchdog clock.

[fkjagodzinski]

Minor Watchdog docs update in ARMmbed/mbed-os-5-docs#1155.

[Tharazi97]

Hi, sorry for not responding. Thank you @fkjagodzinski for taking care of this functionality.

[0xc0170]

👍 for the update, will schedule CI soon

[0xc0170]

CI started

[mbed-ci]

Test run: FAILED

Summary: 1 of 11 test jobs failed
Build number : 2
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_greentea-test

[0xc0170]

Failures related, tests-mbed_hal-watchdog_timing failing

[0xc0170]

@Tharazi97 Any update?

[fkjagodzinski]

@0xc0170, I'm looking into this failure right now. Will post an update shortly.

[0xc0170]

CI restarted

[fkjagodzinski]

I updated the new test case (added in this PR) so that sleep or deepsleep mode will not be active during the wait for the watchdog reset.

Testing a watchdog performance in both sleep modes is taken care of in a different test suite. As for the K64F, I've created an issue for the deepsleep watchdog case -- #11774.

[mbed-ci]

Test run: SUCCESS

Summary: 11 of 11 test jobs passed
Build number : 3
Build artifacts

[0xc0170]

Travis has not reported back, I restarted it