bootfault: add support for recovery from init failures

After 3 failed warm start attempts, the init sequence
will force the RAM version of the HWSettings object
to its defaults.  This should allow a user to regain
connectivity to a board that is continually faulting
during init.

This is accomplished by:
 - Incrementing a boot counter that is stored in the
   STM32 BKP registers.  These registers survive a
   warm start but are cleared on a cold start (ie. powerup).
 - On multiple failures, force hwsettings to defaults
   and raise the (new) BootFault alarm to prevent arming.
 - Resetting the boot counter whenever the system manages
   to successfully run the System Module task.

NOTE: This does not actually change the hwsettings object in
      flash.  That's up to the user.

This is intended to catch ONLY faults during early initialization.
It should not be used to recover from faults after the application
is up and running.

flight/CopterControl/System/pios_board.c

@@ -1052,15 +1052,32 @@ void PIOS_Board_Init(void) {
 	UAVObjInitialize();
 
 	HwSettingsInitialize();
-	
-#if defined(PIOS_INCLUDE_RTC)
-	/* Initialize the real-time clock and its associated tick */
-	PIOS_RTC_Init(&pios_rtc_main_cfg);
+
+#ifndef ERASE_FLASH
+	/* Initialize watchdog as early as possible to catch faults during init */
+	PIOS_WDG_Init();
 #endif
 
 	/* Initialize the alarms library */
 	AlarmsInitialize();
 
+	/* Check for repeated boot failures */
+	PIOS_IAP_Init();
+	uint16_t boot_count = PIOS_IAP_ReadBootCount();
+	if (boot_count < 3) {
+		PIOS_IAP_WriteBootCount(++boot_count);
+		AlarmsClear(SYSTEMALARMS_ALARM_BOOTFAULT);
+	} else {
+		/* Too many failed boot attempts, force hwsettings to defaults */
+		HwSettingsSetDefaults(HwSettingsHandle(), 0);
+		AlarmsSet(SYSTEMALARMS_ALARM_BOOTFAULT, SYSTEMALARMS_ALARM_CRITICAL);
+	}
+
+#if defined(PIOS_INCLUDE_RTC)
+	/* Initialize the real-time clock and its associated tick */
+	PIOS_RTC_Init(&pios_rtc_main_cfg);
+#endif
+
 	/* Initialize the task monitor library */
 	TaskMonitorInitialize();
 
@@ -1450,7 +1467,7 @@ void PIOS_Board_Init(void) {
 	pios_rcvr_group_map[MANUALCONTROLSETTINGS_CHANNELGROUPS_GCS] = pios_gcsrcvr_rcvr_id;
 #endif	/* PIOS_INCLUDE_GCSRCVR */
 
-	/* Remap AFIO pin */
+	/* Remap AFIO pin for PB4 (Servo 5 Out)*/
 	GPIO_PinRemapConfig( GPIO_Remap_SWJ_NoJTRST, ENABLE);
 
 #ifndef PIOS_DEBUG_ENABLE_DEBUG_PINS
@@ -1471,10 +1488,6 @@ void PIOS_Board_Init(void) {
 	
 	PIOS_ADC_Init();
 	PIOS_GPIO_Init();
-	PIOS_IAP_Init();
-#ifndef ERASE_FLASH
-	PIOS_WDG_Init();
-#endif
 }
 
 /**

flight/Modules/System/systemmod.c

@@ -48,6 +48,7 @@
 #include "taskinfo.h"
 #include "watchdogstatus.h"
 #include "taskmonitor.h"
+#include "pios_iap.h"
 
 
 // Private constants
@@ -137,7 +138,18 @@ static void systemTask(void *parameters)
 	portTickType lastSysTime;
 
 	/* create all modules thread */
-	MODULE_TASKCREATE_ALL
+	MODULE_TASKCREATE_ALL;
+
+	if (mallocFailed) {
+		/* We failed to malloc during task creation,
+		 * system behaviour is undefined.  Reset and let
+		 * the BootFault code recover for us.
+		 */
+		PIOS_SYS_Reset();
+	}
+
+	/* Record a successful boot */
+	PIOS_IAP_WriteBootCount(0);
 
 	// Initialize vars
 	idleCounter = 0;

shared/uavobjectdefinition/systemalarms.xml

@@ -2,7 +2,7 @@
     <object name="SystemAlarms" singleinstance="true" settings="false">
         <description>Alarms from OpenPilot to indicate failure conditions or warnings.  Set by various modules.</description>
         <field name="Alarm" units="" type="enum" options="Uninitialised,OK,Warning,Error,Critical"
-        elementnames="OutOfMemory,StackOverflow,CPUOverload,EventSystem,SDCard,Telemetry,ManualControl,Actuator,Attitude,Stabilization,Guidance,AHRSComms,Battery,FlightTime,I2C,GPS" defaultvalue="Uninitialised"/>
+        elementnames="OutOfMemory,StackOverflow,CPUOverload,EventSystem,SDCard,Telemetry,ManualControl,Actuator,Attitude,Stabilization,Guidance,AHRSComms,Battery,FlightTime,I2C,GPS,BootFault" defaultvalue="Uninitialised"/>
         <access gcs="readwrite" flight="readwrite"/>
         <telemetrygcs acked="true" updatemode="onchange" period="0"/>
         <telemetryflight acked="true" updatemode="onchange" period="0"/>