mirror of
https://github.com/infiniteCable2/panda.git
synced 2026-02-18 17:23:52 +08:00
4c2ccd7fe5
* alternative experience * safety init * fix * more update * not really * misra * Add Custom MIT License (#38) * brake check was not handled * revert * alt -> lkas * explicit checks * support toyota and ford * rename * hyundai can-fd support * only allow lkas if enabled * hyundai: main button handling * revert * hyundai: main button heartbeat * add logging for controls allowed lateral * fix panda safety * ford btn * toyota btn * fca btn * honda btn * mads safety tests * more tests * safety misra * safety mutation * misra * mutation experiment * fix * ford test main button * ford test lkas button * more ford test * hyundai lkas and main * more ford * hyundai canfd * rename * rename * cleaner * more fixes * more hyundai tests * no longer needed * thanks for tests! * more tests for lat * more explicit * make sure to reset * try this out * probably needed * move * misra * not needed * move to safety_mads * not really needed * remove * MADS: Refactor MADS safety with improved state management (pull request #46) Refactor MADS safety with improved state management This commit introduces a major refactoring of the MADS safety module, improving state management and control flow. Key changes include: Core Changes: - Introduced a MADSState struct to centralize state management - Removed global state variables in favor of structured state - Implemented button transition handling with explicit state tracking (PRESSED/RELEASED/NO_CHANGE) - Added state flags for button availability detection - Simplified lateral control permission logic Button Handling: - Separated main button and LKAS button state tracking - Added independent engagement states for each button - Improved button press detection across multiple platforms - Added support for main and LKAS buttons on Hyundai platforms - Modified ACC main state handling Testing: - Added comprehensive test coverage for MADS state transitions - Added new MADS-specific test base class for consistent testing across platforms - Added mutation testing for state management - Extended timeout for mutation tests from 5 to 8 minutes - Added extensive button press validation tests - Enhanced debugging output in replay drive tests The refactored code provides a more organized implementation of MADS safety features while maintaining compatibility with existing safety checks. * adding note * adding ford (WIP) * adding honda (WIP) * adding toyota (WIP) * adding chrysler (WIP) * Standardize Button State Handling Across Platforms Refactor button state handling by replacing integer constants with an enumerated `ButtonState` type and updating logic to improve readability and maintainability. This change affects button press detection in Ford, Honda, Hyundai, and Toyota safety modules and aligns them with a unified MADS button state approach. Enums provide a clearer understanding of button states and transitions, facilitating easier maintenance and future enhancements. * Disable LKAS button press logic in Honda and Toyota safety. The code for processing LKAS button presses has been commented out in both Honda and Toyota safety implementations. This change aims to investigate or temporarily halt the button press effects without removing the logic altogether. It will be important to test for any impacts this may have on vehicle control functionality. * Remove commented out code in toyota_rx_hook function This commit cleans up the toyota_rx_hook function by removing unnecessary commented-out code that checks for LKAS button presses on bus 2. This helps improve code readability and maintainability without altering the existing functionality. * GM, mazda, nissan, subaru (global & preglobal) * Honda LKAS * Revert "Remove commented out code in toyota_rx_hook function" This reverts commit d6b012c01a08118d91fad56c9f6ac2f92b671968. * Toyota, Subaru Global LKAS * nissan fix * gm fix * use speed msg to force rx * im bored * misra * subaru/toyota/honda * nope * attempt * go through all buttons * try nissan * more nissan * nissan tests passed! * subaru lkas test (not sure why it's not passing 2 and 3 values) * Improved code organization in safety_subaru.h and test_subaru.py This commit includes a minor restructuring in safety_subaru.h and test_subaru.py for better readability and flow. The condition check in safety_subaru.h for lkas_hud now has explicit parentheses. With regard to test_subaru.py, an unnecessary import was removed, and the sequence of steps in the test was reordered - now enabling mads and cleaning up mads_states happens before each subtest. * Refactor tests to use _speed_msg instead of _user_brake_msg. Updated the MADS safety tests to utilize the _speed_msg(0) function call in place of _user_brake_msg(False). * Reworking the tests a little for clarity * disabling lkas again on toyota temporarily * fix mads condition to engage * hyundai and honda good with new tests * Redoing more tests * update for safety tick ensuring mads control is exited while lagging * Updating tests for toyota * cleaning up tests on hkg * commenting out temp_debug for future use * revert * constants * cleanup * format! * match yota * Apply suggestions from code review * force * explicit checks * revert --------- Co-authored-by: Jason Wen <haibin.wen3@gmail.com>
Welcome to panda
panda speaks CAN and CAN FD, and it runs on STM32F413 and STM32H725.
Directory structure
.
├── board # Code that runs on the STM32
├── drivers # Drivers (not needed for use with Python)
├── python # Python userspace library for interfacing with the panda
├── tests # Tests and helper programs for panda
Safety Model
When a panda powers up, by default it's in SAFETY_SILENT mode. While in SAFETY_SILENT mode, the CAN buses are forced to be silent. In order to send messages, you have to select a safety mode. Some of safety modes (for example SAFETY_ALLOUTPUT) are disabled in release firmwares. In order to use them, compile and flash your own build.
Safety modes optionally support controls_allowed, which allows or blocks a subset of messages based on a customizable state in the board.
Code Rigor
The panda firmware is written for its use in conjunction with openpilot. The panda firmware, through its safety model, provides and enforces the
openpilot safety. Due to its critical function, it's important that the application code rigor within the board folder is held to high standards.
These are the CI regression tests we have in place:
- A generic static code analysis is performed by cppcheck.
- In addition, cppcheck has a specific addon to check for MISRA C:2012 violations. See current coverage.
- Compiler options are relatively strict: the flags
-Wall -Wextra -Wstrict-prototypes -Werrorare enforced. - The safety logic is tested and verified by unit tests for each supported car variant. to ensure that the behavior remains unchanged.
- A hardware-in-the-loop test verifies panda's functionalities on all active panda variants, including:
- additional safety model checks
- compiling and flashing the bootstub and app code
- receiving, sending, and forwarding CAN messages on all buses
- CAN loopback and latency tests through USB and SPI
The above tests are themselves tested by:
- a mutation test on the MISRA coverage
- 100% line coverage enforced on the safety unit tests
In addition, we run the ruff linter and mypy on panda's Python library.
Usage
Setup dependencies:
# Ubuntu
sudo apt-get install dfu-util gcc-arm-none-eabi python3-pip libffi-dev git clang-17
# macOS
brew install --cask gcc-arm-embedded
brew install python3 dfu-util gcc@13
Clone panda repository and install:
git clone https://github.com/commaai/panda.git
cd panda
# install dependencies
pip install -e .[dev]
# install panda
python setup.py install
See the Panda class for how to interact with the panda.
For example, to receive CAN messages:
>>> from panda import Panda
>>> panda = Panda()
>>> panda.can_recv()
And to send one on bus 0:
>>> panda.set_safety_mode(Panda.SAFETY_ALLOUTPUT)
>>> panda.can_send(0x1aa, b'message', 0)
Note that you may have to setup udev rules for Linux, such as
sudo tee /etc/udev/rules.d/11-panda.rules <<EOF
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddcc", MODE="0666"
SUBSYSTEM=="usb", ATTRS{idVendor}=="bbaa", ATTRS{idProduct}=="ddee", MODE="0666"
EOF
sudo udevadm control --reload-rules && sudo udevadm trigger
The panda jungle uses different udev rules. See the repo for instructions.
Software interface support
As a universal car interface, it should support every reasonable software interface.
Licensing
panda software is released under the MIT license unless otherwise specified.