Ndtyjky

So, we are experimenting with an approach to perform some matrix math. This is embedded, so memory is limited, and we will have large matrices so it helps us to keep some of them stored in flash rather than RAM.

I've written a matrix structure, two arrays (one const/flash and the other RAM), and a "modify" and "get" function. One matrix, I initialize to the RAM data, and the other matrix I initialize to the flash data, using a cast from const *f32 to *f32.

What I find is that when I run this code on my STM32 embedded processor, the RAM matrix is modifiable, and the matrix pointing to the flash data simply doesn't change (the set to 12.0 doesn't "take", the value remains 2.0).

(before change) a=2, b=2, (after change) c=2, d=12

This is acceptable behavior, by design we will not attempt to modify matrices of flash data, but if we make a mistake we don't want it to crash.

If I run the same code on my windows machine with Visual C++, however, I get an "access violation" when I attempt to run the code below, when I try to modify the const array to 12.0.

This is not surprising that Windows would object, but I'd like to understand the difference in behavior better. This seems related to CPU architecture. Is it safe, on our STM32, to let the code attempt to write to a const array and let it have no effect? Or are there side effects, or reasons to avoid this?

static const f32 constarray[9] = {1,2,3,1,2,3,1,2,3};

static f32 ramarray[9] = {1,2,3,1,2,3,1,2,3};



typedef struct {

     u16 rows;

     u16 cols;

     f32 * mat;

} matrix_versatile;



void modify_versatile_matrix(matrix_versatile * m, uint16_t r, uint16_t c, double new_value)

{

    m->mat[r * m->cols + c] = new_value;    

}



double get_versatile_matrix_value(matrix_versatile * m, uint16_t r, uint16_t c)

{

    return m->mat[r * m->cols + c];

}



double a;

double b;

double c;

double d;



int main(void)

{

    matrix_versatile matrix_with_const_data;

    matrix_versatile matrix_with_ram_data;



    matrix_with_const_data.cols = 3;

    matrix_with_const_data.rows = 3;

    matrix_with_const_data.mat = (f32 *) constarray;



    matrix_with_ram_data.cols = 3;

    matrix_with_ram_data.rows = 3;

    matrix_with_ram_data.mat = ramarray;



    a = get_versatile_matrix_value(&matrix_with_const_data, 1, 1);

    b = get_versatile_matrix_value(&matrix_with_ram_data, 1, 1);

    modify_versatile_matrix(&matrix_with_const_data, 1, 1, 12.0);

    modify_versatile_matrix(&matrix_with_ram_data, 1, 1, 12.0);

    c = get_versatile_matrix_value(&matrix_with_const_data, 1, 1);

    d = get_versatile_matrix_value(&matrix_with_ram_data, 1, 1);    

but if we make a mistake we don't want it to crash.

Attempting to write to ROM will not in itself cause a crash, but the code attempting to write it is by definition buggy and may crash in any case, and will certainly not behave as intended.

It is almost entirely wrong thinking; if you have a bug, you really want it to crash during development, and not after deployment. If it silently does the wrong thing, you may never notice the bug, or the crash might occur somewhere other than in proximity of the bug, so be very hard to find.

Architectures an MMU or MPU may issue an exception if you attempt to write to memory marked as read-only. That is what is happening in Windows. In that case it can be a useful debug aid given an exception handler that reports such errors by some means. In this case the error is reported exactly when it occurs, rather than crashing some time later when some invalid data is accessed or incorrect result acted upon.

Some, but mot all STM32 parts include the MPU (application note)

The answer may depend on the series (STM32F1, STM32F4, STM32L1 etc), as they have somewhat different flash controllers.

I've once made the same mistake on an STM32F429, and investigated a bit, so I can tell what would happen on an STM32F4.

Probably nothing.

The flash is by default protected, in order to be somewhat resilient to those kind of programming errors. In order to modify the flash, one has to write certain values to the FLASH->KEYR register. If the wrong value is written, then the flash will be locked until reset, so nothing really bad can happen unless the program writes 64 bits of correct values. No unexpected interrupts can happen, because the interrupt enable bit is protected by this key too. The attempt will set some error bits in FLASH->SR, so a program can check it and warn the user (preferably the tester).

However if there is some code there (e.g. a bootloader, or logging something into flash) that is supposed to write something in the flash, i.e. it unlocks the flash with the correct keys, then bad things can happen.

If the flash is left unlocked after a preceding write operation, then writing to a previously programmed area will change bits from 1 to 0, but not from 0 to 1. It means that the flash will contain the bitwise AND of the old and the newly written value.

If the failed write attempt occurs first, and unlocked afterwards, then no legitimate write or erase operation would succeed unless the status bits are properly cleared first.

If the intended and unintended accesses occur interleaved, e.g. in interrupt handlers, then all bets are off.

Even if the values are in immutable flash memory, there can still be unexpected result. Consider this code

int foo(int *array) {

  array[0] = 1;

  array[1] = 3;

  array[2] = 5;

  return array[0];

}

An optimizing compiler might recognize that the return value should always be 1, and emit code to that effect. Or it might not, and reload array[0] from wherever it is stored, possibly a different value from flash. It may behave differently in debug and release builds, or when the function is called from different places, as it might be inlined differently.

If the pointer points to an unmapped area, neither RAM nor FLASH nor some memory mapped register, then a a fault will occur, and as the default fault handlers contain just an infinite loop, the program will hang unless it has a fault handler installed that can deal with the situation. Needless to say, overwriting random RAM areas or registers can result in barely predictable behaviour.

UPDATE

I've tried your code on actual hardware. When I ran it verbatim, the compiler (gcc-arm-none-eabi-7-2018-q2-update -O3 -lto) optimized away everything, since the variables were not used afterwards. Marking a, b, c, d as volatile resulted in c=2 and d=12, it was still considering the first array const, and no accesses to the arrays were generated. constarray did not show up in the map file at all, the linker had eliminated it completely.

So I've tried a few things one at a time to force the optimizer to generate code that would actually access the arrays.

• Disablig optimization (-O0)


• Making all variables volatile
  


• Inserting a couple of compile-time memory barriers (asm volatile("":::"memory");
  


• Doing some complex calculations in the middle

Any of these has produced varying effects on different MCUs, but they were always consistent on a single platform.

• 
  STM32F103: Hard Fault. Only halfword (16 bit) write accesses are allowed to the flash, 8 or 32 bits always result in a fault. When I've changed the data types to short, the code ran, of course without any effect on the flash.


• 
  STM32F417: Code runs, with no effects on the flash contents, but bits 6 and 7, PGPERR and PGSERR in FLASH->SR were set a few cycles after the first write attempt to constarray.


• 
  STM32L151: Code runs, with no effects on the flash controller status.