Practical Tips for Creating Layouts Animations in Safety-Critical UI

C

Output Verification

The purpose of the output verification is to ensure the integrity of display content for safe items. The integrity check is based on the CRC (Cyclic Redundancy Check) values comparison between offline calculated and the graphics output.

Qt Safe Renderer provides a mechanism for generating the expected CRC and reading the actual output CRC value from the hardware. The actions when a failure is detected are not in the scope of Qt Safe Renderer but are a part of the system logic.

Output verification is supported from Qt Safe Renderer 2.0 onwards.

Using fillColor Property

In a UI, several graphics buffers are blended in a display processor to form final display content. The output CRC values are calculated from that data. Therefore, the background color of safe items cannot be transparent. Instead, you should use a solid background color.

Define the background color for safe items using the fillColor property in SafeImage, SafePicture, or SafeText.

Also, the solid background color is used when the output verification is done for a hidden safe item. When a safe item is hidden, its icon area in the UI is cleared with a solid color defined in the fillColor property. The output verification for a hidden safe item verifies that the clearing works as expected.

Note: If the background fill color is almost solid, it can make the safety-critical element pass through the contrast check. It is still possible that the CRC output verification fails as the non-safe background can be seen through a partially transparent element, which affects the CRC calculation.

Alpha Pixel Bypass for Transparent Backgrounds

From Qt Safe Renderer 2.2 onwards, the Alpha Pixel bypass feature is available for Snapdragon Generation 4 hardware (Qualcomm Snapdragon 8295). This feature enables output verification for safe items with transparent backgrounds by excluding pixels with alpha values from the CRC calculations.

Overview

In previous generation hardware (Gen3), safe items required an opaque background color defined using the fillColor property. With the Alpha Pixel bypass feature on Generation 4 hardware, only opaque pixels are taken into account during CRC calculations. This allows safe items to have transparent backgrounds without affecting the integrity of the output verification.

This feature provides more flexibility in UI design by removing the requirement for solid background colors while still maintaining the same level of safety verification.

Enabling the Feature

The Alpha Pixel bypass feature must be enabled both at build time and at runtime.

Build-Time Configuration

When building the Qt Safe Renderer runtime, enable the feature by setting the build-time constraint Constraints::ENABLE_ALPHA_CRC_BYPASS to 1U in your adaptation. This constraint controls whether the alpha channel bypass is available in the runtime.

For more information about the constraint, see SafeRenderer::Constraints and Runtime API Changes.

Runtime Configuration

At runtime, the Alpha Pixel bypass is configured through the SafeRenderer::MISRVerifier class. The verifier must be initialized with the alpha bypass mode enabled.

When initializing the OutputVerifier using the OutputVerifier_initVerifierDevice() C API function, the MISR bypass feature is automatically configured based on the SafeRenderer::Constraints::ENABLE_ALPHA_CRC_BYPASS constraint value. This provides a convenient way to enable the bypass feature without additional configuration.

For detailed information about the runtime API, see SafeRenderer::MISRVerifier and OutputVerifier_initVerifierDevice() in the Qt Safe Renderer Runtime C++ API documentation.

Generating Golden CRC Values with Alpha Bypass

When using the Alpha Pixel bypass feature, you must generate the golden CRC values with the bypass algorithm enabled. Qt Safe Layout Tool provides the snap-misr-bypass algorithm for this purpose.

Use the --crcgen option with the snap-misr-bypass algorithm:

qtsafelayouttool --crcgen snap-misr-bypass [other-options] source.ui.qml

In CMake projects, specify the CRC algorithm in the QSR_ADD_SAFE_LAYOUT command using the CRC_ALGORITHM parameter:

QSR_ADD_SAFE_LAYOUT(
    ...
    CRC_ALGORITHM snap-misr-bypass
)

For more information, see Qt Safe Layout Tool and QSR_ADD_SAFE_LAYOUT.

Supported Hardware

The Alpha Pixel bypass feature is supported on:

Qualcomm Snapdragon 8295 (Generation 4) with QNX 7.1 and INTEGRITY

For older generation Snapdragon hardware (SA8155P and SA6155P), continue to use the fillColor property with opaque backgrounds as described in Using fillColor Property.

Using of OutputVerifier Class

The output verifier is enabled by creating an instance of the SafeRenderer::OutputVerifier class. The reference is passed to the SafeRenderer::SafeWindow and SafeRenderer::EventHandler as follows:

static OutputVerifier outputVerifier;
static QSafeLayoutResourceReader layout("/layoutData/MainForm/MainForm.ui.srl");
SafeWindow telltaleWindow(layout.size(), QSafePoint(0U, 0U), outputVerifier);
static SafeRenderer::StateManager stateManager(telltaleWindow, layout, background);
EventHandler msgHandler(stateManager, telltaleWindow, outputVerifier);

Alternatively, the OutputVerifier can be initialized using the OutputVerifier_initVerifierDevice() C API function, which automatically configures platform-specific features such as the MISR bypass based on the constraint values.

SafeWindow implementation reads the output CRC value after rendering for the changed items. The result values are stored in the SafeRenderer::OutputVerificationQueue.

The maximum number of regions of interest (ROI) that can be verified simultaneously is controlled by the SafeRenderer::Constraints::MAX_NUM_ROI constraint. The default value is 8, which allows verifying up to 8 ROIs concurrently. This value can be changed in qsafeconstraints.h, but must not exceed the maximum supported ROI count in the target hardware.

The results can be read from the safe renderer process using the SafeRenderer::QSafeEventOutputVerificationStatusRequest event. The output CRC values are packed to the SafeRenderer::QSafeEventOutputVerificationStatusReply event.

The Golden CRC Values

Qt Safe Layout Tool calculates the Golden CRC values for each QML item for the visible and hidden state. The values are stored in the layout file, and you can read them using SafeRenderer::QSafeLayout class. With the --crcgen <algorithm> command, you can choose the algorithm you need.

Golden CRC Example

The following code snippet can be used in the external process to read the golden CRC values for comparison.

struct ExpectedCRCValues {
    quint32 drawCRC;
    quint32 clearCRC;
};

bool getExpectedCRC(const char*const filenameArg, const quint32 idArg, ExpectedCRCValues &crcValues)
{
    bool found = false;
    crcValues = {0U, 0U};
    //Initialize the resource
    const QSafeResource res;
    size_t sizeOfData = 0U;
    //Get the resource structure for the layout file
    const quchar *const data = res.data(filenameArg, sizeOfData);
    const QSafeByteArray layoutData(data, sizeOfData);
    //Validate the layout data file
    const quint32 itemCount = QSafeLayout::validateLayout(layoutData);
    size_t offsetInWords = Constraints::LAYOUTDATA_HEADER_SIZE;
    const quint32 layoutDataSize = QSafeLayout::layoutDataSize(QSafeLayout::layoutVersion(layoutData));
    if (data) {
        //Go through the layoutdata file
         for (quint32 i=0U; i<itemCount; i++) {
            const quint32 itemIDOffset = offsetInWords + QSafeLayout::ItemIDOffset;
            const quint32 id = layoutData.readUInt32ValueConst(itemIDOffset);
            //If item is found get the CRC values.
            if (id == idArg) {
                const quint32 drawCRCOffset = offsetInWords + QSafeLayout::OutputCRCDrawOffset;
                const quint32 clearCRCOffset = offsetInWords + QSafeLayout::OutputCRCClearOffset;
                crcValues.drawCRC = layoutData.readUInt32ValueConst(drawCRCOffset);
                crcValues.clearCRC = layoutData.readUInt32ValueConst(clearCRCOffset);
                found = true;
                break;
            }
            offsetInWords += layoutDataSize;
        }
    }
    return found;
}

Updating Output CRC Values

The output CRC value is read after every rendering operation for the dirty region. It is also possible to read the CRC value for an individual item manually. The CRC value of the single item can be updated using the SafeRenderer::QSafeEventOutputVerificationVerifyItem event.

Reading Output CRC Values

The output CRC values are stored in the SafeRenderer::OutputVerificationQueue class. The values from the queue can be read using the SafeRenderer::QSafeEventOutputVerificationStatusRequest event. The SafeRenderer::QSafeEventOutputVerificationStatusReply event contains the list of the ID and CRC pairs.

Monitoring Output Verification

You can monitor the results of output verification from an external process. The Monitor example demonstrates how you can verify the rendering output of the Indicators example from the external Monitor process.

Limitations

Verifying the dynamic text output is not supported.

Supported Hardware

The functionality is supported with the following reference hardware configurations:

Qualcomm Snapdragon SA8155P with QNX 7.1 and INTEGRITY
Qualcomm Snapdragon SA6155P with QNX 7.1 and INTEGRITY

Output Verification API

The following classes and events provide API for output verification and monitoring:

Practical Tips for Creating Layouts Animations in Safety-Critical UI

Available under certain Qt licenses.
Find out more.