Updates and feature additions to failsafe system.

- Added failsafe flightmode and rc control box.

To make failsafe procedure a separate flight mode and make it possible
to trigger failsafe with an AUX switch.

- Failsafe mode is activated when failsafe is active.

RC link lost is simulated with the failsafe AUX switch.
When NOT armed: failsafe switch to failsafe mode is shown in GUI (mode
tab).

- Activate failsafe mode with AUX switch.

- Prevent arming when failsafe via AUX switch is active (safety issue).

- Make failsafe disarm if motors armed and throttle was LOW (2D & 3D)
for `failsafe_throttle_low_delay` time (__JustDisarmEvent__).

Applied code changes to effectively add pull request: Make failsafe
disarm if motors armed and throttle low #717.

- Use failsafeIsMonitoring() to actually start monitoring.

- Added `failsafe_kill_switch` to code.

When set to 1 (0 is default), the failsafe switch will instantly disarm
(__KillswitchEvent__) instead of executing the landings procedure.
Arming is NOT locked after
this, so the craft could be re-armed if needed.
This is intended for racing quads where damage and danger must be
minimized in case of a pilot error.

- Added `failsafe_throttle_low_delay`, adapted documentation.

Used to adjust the time throttle level must have been LOW
to _only disarm_ instead of _full failsafe procedure_
(__JustDisarmEvent__).

- Updated the failsafe documentation.

- Re-enable arming at end of failsafe procedure.

At the end of a handled failsafe event, that means: auto-landing,
__JustDisarmEvent__ or __KillswitchEvent__, the RX link is monitored for
valid data.
Monitoring is a part of the failsafe handling, which means the craft is
still in failsafe mode while this is done.
Arming is re-enabled (allowed) when there is a valid RX link for more
then XX seconds, where XX depends on the handled event like this:
1. XX = 30 seconds after auto landing.
2. XX = 3 seconds after __JustDisarmEvent__.
3. XX = 0 seconds after __KillswitchEvent__.

NOTE: When armed via an AUX switch, you will have to switch to the
disarmed position at the very end to be able to re-arm.
The failsafe mode will not end until you do.

- __KillswitchEvent__ has now priority over __JustDisarmEvent__

- Apply rxfail values instantly when failsafe switch is ON

- Added missing cases to display.c

Show M when failsafe is monitoring for RX recovery (AND disarming when
armed with a switch).

===

Reworked the code from counter-based to time-based.

- AUX failsafe switch now has identical behavior to RX loss.

- Added RX failure and RX recovery timing.

- __KillswitchEvent__ skips RX failure detection delay (direct disarm).

===

[UNIT TESTS]

Adapted failsafe related unittests from counter-based to time-based

- Added failsafeOnValidDataFailed() to some tests

- Removed duplicate test setup from rc_controls_unittest.cc

- Removed magic numbers from rx_ranges_unittest.cc and rx_rx_unittest.cc

- Reworked all test-cases for flight_failsafe_unittest.cc

src/test/unit/rx_rx_unittest.cc

@@ -25,6 +25,8 @@ extern "C" {
 
     #include "rx/rx.h"
 
+    uint32_t rcModeActivationMask;
+
     void rxInit(rxConfig_t *rxConfig);
     void rxResetFlightChannelStatus(void);
     bool rxHaveValidFlightChannels(void);
@@ -35,6 +37,8 @@ extern "C" {
 #include "unittest_macros.h"
 #include "gtest/gtest.h"
 
+#define DE_ACTIVATE_ALL_BOXES   0
+
 typedef struct testData_s {
     bool isPPMDataBeingReceived;
     bool isPWMDataBeingReceived;
@@ -46,6 +50,7 @@ TEST(RxTest, TestValidFlightChannels)
 {
     // given
     memset(&testData, 0, sizeof(testData));
+    rcModeActivationMask = DE_ACTIVATE_ALL_BOXES;   // BOXFAILSAFE must be OFF
 
     // and
     rxConfig_t rxConfig;
@@ -131,7 +136,7 @@ TEST(RxTest, TestInvalidFlightChannels)
 // STUBS
 
 extern "C" {
-    void failsafeOnRxCycleStarted() {}
+    void failsafeOnValidDataFailed() {}
     void failsafeOnValidDataReceived() {}
 
     bool feature(uint32_t mask) {