AP_ESC_Telem: fix RPM timeout race

[robertlong13]

Alternative approach to #28987.

We don't need to worry about explicitly checking the timestamp in most places; they can just use the data_valid flag directly. This eliminates the race without harming the performance of get_rpm at all (in fact, it improves it, even if just barely). The only places that need to actually check the timestamp are update, where the data_valid gets cleared on timeout, and are_motors_running, which has a stricter timeout than data_valid does. These two run much less frequently than get_rpm, so the extra copying shouldn't be a problem.

This might change the timing of when the data is considered stale by a few microseconds, since it's checking the timestamp at 100Hz instead of every time we get RPM, but that should be absolutely fine. The other change you might notice is that previously rpm_data_within_timeout explicitly checked if last_update_us was zero and I don't. That check was unnecessary in there though, because data_valid cannot possibly be true if last_update_us is zero.

I actually really like this approach. I'll probably do something similar to solve the TelemetryData::stale race. And if we don't mind the signed-int stuff in my other PR, then I'll take this idea over to that PR.

This approach does not solve the potential race in the slew calculation, but I'm guessing that's probably fine. If it was a problem, we probably would have noticed by now. My other approach didn't fully fix the slew calculation either (if you interrupted the backend after it updated prev_rpm and rpm, but before it updates last_update_us, then you'll get a little jump; that should be very rare though).

[andyp1per]

@robertlong13 I am happier with this approach, but I need to point out that this code is very, very subtle with all sorts of bad things happening (crashed aircraft) if we get it wrong. @magicrub originally did the rpm_data_within_timeout() changes which fundamentally relies on the 0 value for the timeout so we should get him to review and also check his PR. We should also be striving for the smallest change possible that is demonstrable correct.

[andyp1per]

We also need a comment about the 100Hz update in AP_Vehicle as we are now heavily reliant on that. Probably also needs a comment in AP_Vehicle.

[robertlong13]

We also need a comment about the 100Hz update in AP_Vehicle as we are now heavily reliant on that. Probably also needs a comment in AP_Vehicle.

I wouldn't say we're heavily reliant on 100Hz. It definitely needs to be faster than 0.0002Hz, but even if it was called as slow as 10Hz (which is what it used to be, but I doubt we're going back to that, and we definitely won't be going slower than it), our arbitrary 1s timeout would be worst-case 1.1s, and average 1.05s.

I'll chuck a comment in AP_Vehicle anyway.

[robertlong13]

@magicrub originally did the rpm_data_within_timeout() changes which fundamentally relies on the 0 value for the timeout so we should get him to review and also check his PR.

Really? I only saw the PR from @WickedShell, which is why I marked him for review (though I forgot to mark him for this second one, thanks for reminding me).

[andyp1per]

Really? I only saw the PR from @WickedShell, which is why I marked him for review (though I forgot to mark him for this second one, thanks for reminding me).

Sorry my mistake - yes @WickedShell - there were issues with motors in transition IIRC

[andyp1per]

This looks ok to me, but I would like @WickedShell to verify

[WickedShell]

It's been awhile since I've dove through this, so I'm not 100% confident, but it generally seems fine.

It's worth noting that all the other accessors (get_active_esc_mask/get_max_rpm_esc etc) all got more expensive as they are now all getting their own copy of time. (I know getting the timestamp in milliseconds was surprisingly expensive, I'm not sure if the micros one is as expensive though).

As an aside all of the time management stuff is a here be dragons area, I don't think this makes it any worse then it was.

[andyp1per]

Given the sensitivity of the code I think we will need to fly before merging

[robertlong13]

It's worth noting that all the other accessors (get_active_esc_mask/get_max_rpm_esc etc) all got more expensive as they are now all getting their own copy of time.

It's the other way around. Those accessors got less expensive, as now they don't need a copy of time, they just check the data_valid flag.

The only functions that got any more expensive are are_motors_running and update

[WickedShell]

It's worth noting that all the other accessors (get_active_esc_mask/get_max_rpm_esc etc) all got more expensive as they are now all getting their own copy of time.

It's the other way around. Those accessors got less expensive, as now they don't need a copy of time, they just check the data_valid flag.

The only functions that got any more expensive are are_motors_running and update

Right, I was referring to anything leaning against rpm_data_within_timeout but then I managed to get confused while jumping around through things here, and thought it had been left in more places then it was. Sorry!