Bug fix: race condition in I2C cr1 read-modify-write #662
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
The `modify` method executes a read-modify-write operation on the `cr1` control register, as can be verified with the following disassembly code. Notably, the `read` variable is assigned a constant `true` within the example, which results in the elimination of the if comparison due to compiler optimization. ``` 8004a5e: f645 4400 movw r4, #23552 @ 0x5c00 8004a62: 4605 mov r5, r0 8004a64: f2c4 0400 movt r4, #16384 @ 0x4000 // r4 holds cr1 address 8004a68: 4688 mov r8, r1 8004a6a: 6820 ldr r0, [r4, #0] // read cr1 [first read] 8004a6c: 466e mov r6, sp 8004a6e: f440 7080 orr.w r0, r0, stm32-rs#256@ 0x100 // modify start bit 8004a72: 6020 str r0, [r4, #0] // write cr1 [first write] 8004a74: 6820 ldr r0, [r4, #0] // read cr1 [second read] /* Code breaks if IRQ here */ 8004a76: f440 6080 orr.w r0, r0, #1024 @ 0x400 // modify ack bit /* Code breaks if IRQ here */ 8004a7a: 6020 str r0, [r4, #0] // write cr1 [second write] ``` The issue arises when an IRQ occurs between the second read and write operations. Due to the CPU's faster execution speed compared to the peripheral, it is highly likely that the second read operation will still observe the `cr1` register with the `start` bit set. However, if an IRQ is serviced, the peripheral may have sufficient time to complete generating the start condition, resulting in the hardware clearing the `start` bit in the peripheral's `cr1` register. Nonetheless, the copy of the `cr1` register stored in `r0` during the second read operation will still retain the `start` bit set. Consequently, when the second write operation is executed on `cr1`, the `start` bit is once again set. As a result, the peripheral attempts to generate a second start condition, leading to a situation where the I²C peripheral becomes unresponsive in my specific case. The solution is to swap the two method calls. Once the `ack` bit is set, it will not be automatically cleared, thus we are safe even if being interrupted in between.
Member
| I think there should be comment with link to this PR. And add this to changelog. |
Member
| What about: if read { I2C.cr1.modify(|_, w| w.ack().set_bit().start().set_bit()); } else { I2C.cr1.modify(|_, w| w.start().set_bit()); }? |
Contributor Author
Your suggestion is definitely better. It's combined into a single read-modify-write. Should I update the pull request? |
Member
| Yes, please. |
Contributor Author
| Updated. |
burrbull approved these changes Jul 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Buggy code:
The
modifymethod executes a read-modify-write operation on thecr1control register, as can be verified with the following disassembly code. Notably, thereadvariable is assigned a constanttruewithin the example, which results in the elimination of the if comparison due to compiler optimization.The issue arises when an IRQ occurs between the second read and write operations. Due to the CPU's faster execution speed compared to the peripheral, it is highly likely that the second read operation will still observe the
cr1register with thestartbit set. However, if an IRQ is serviced, the peripheral may have sufficient time to complete generating the start condition, resulting in the hardware clearing thestartbit in the peripheral'scr1register. Nonetheless, the copy of thecr1register stored inr0during the second read operation will still retain thestartbit set. Consequently, when the second write operation is executed oncr1, thestartbit is once again set. As a result, the peripheral attempts to generate a second start condition, leading to a situation where the I²C peripheral becomes unresponsive in my specific case.The solution is to swap the two method calls. Once the
ackbit is set, it will not be automatically cleared, thus we are safe even if being interrupted in between.Attached is the bug captured on a logic analyzer.
