From 094d9ac909ece372615285fc05f0de20f5fd3f9b Mon Sep 17 00:00:00 2001 
From: mjrgh
Date: Tue, 21 Mar 2017 12:02:33 -0700
Subject: [PATCH 1/3] Fix crash with events in the past

ticker_insert_event() can crash on KLXX (and probably other platforms) if an event is inserted with a timestamp before the current real time.

The problem is easy to trigger: you just need to set up a Ticker object, and then disable interrupts for slightly longer than the Ticker object's interval. It's generally bad practice to disable interrupts for too long, but there are some cases where it's unavoidable, and anyway it would be better for the core library function not to crash.

The case where I had an unavoidably long interrupts-off interval was writing flash with the FTFA. The FTFA hardware prohibits flash reads while an FTFA command is in progress, so interrupts must be disabled for the whole duration of each command to ensure that there are no instruction fetches from flash-resident ISRs in the course of the execution. An FTFA "erase sector" command takes a fairly long time (milliseconds), and I have a fairly high frequency Ticker (1ms).

The problem and the fix are pretty straightforward. ticker_insert_event() searches the linked list to figure out where to insert the new event, looking for a spot earlier than any event currently queued. If the event is in the past, it'll usually end up at the head of the list. When the routine sees that the new event belongs at the head of the list, it calls data->interface->set_interrupt() to schedule the interrupt for the event, since it's the new soonest event. The KLXX version of us_ticker_set_interrupt() then looks to see if the event is in the past, which we've stipulated that it is, so rather than actually setting the interrupt, it simply calls the handler directly. The first thing the Ticker interrupt handler does is re-schedule itself, so we re-enter ticker_insert_event() at this point.
This is where the problem comes in: we didn't finish updating the linked list before we called set_interrupt() and thus before we recursed back into ticker_insert_event(). We set the head of the list to the new event but we didn't set the new event's 'next' pointer. The fix is simply to finish updating the list before we call set_interrupt(), which we can do by moving the obj->next initialization ahead of the head pointer update. --- hal/mbed_ticker_api.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hal/mbed_ticker_api.c b/hal/mbed_ticker_api.c index f1cf3cc9a9d..e3d61883dbe 100644 --- a/hal/mbed_ticker_api.c +++ b/hal/mbed_ticker_api.c @@ -74,6 +74,10 @@ void ticker_insert_event(const ticker_data_t *const data, ticker_event_t *obj, t prev = p; p = p->next; } + + /* if we're at the end p will be NULL, which is correct */ + obj->next = p; + /* if prev is NULL we're at the head */ if (prev == NULL) { data->queue->head = obj; @@ -81,8 +85,6 @@ void ticker_insert_event(const ticker_data_t *const data, ticker_event_t *obj, t } else { prev->next = obj; } - /* if we're at the end p will be NULL, which is correct */ - obj->next = p; core_util_critical_section_exit(); } From 72ccf0b2b51dfd33c939d3ebecdb0bf72a8cde68 Mon Sep 17 00:00:00 2001 From: mjrgh Date: Tue, 21 Mar 2017 15:51:09 -0700 Subject: [PATCH 2/3] Force events into the future --- targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c b/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c index c29c624552f..80137b5f1b5 100644 --- a/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c +++ b/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c 
@@ -185,13 +185,14 @@ static void lptmr_isr(void) { } void us_ticker_set_interrupt(timestamp_t timestamp) { - int delta = (int)((uint32_t)timestamp - us_ticker_read()); + uint32_t tcur = us_ticker_read(); + int delta = (int)((uint32_t)timestamp - tcur); if (delta <= 0) { - // This event was in the past: - us_ticker_irq_handler(); - return; - } - + // This event was in the past. Force it into the very near + // future instead. + timestamp = tcur + 2; + } + us_ticker_int_counter = (uint32_t)(delta >> 16); us_ticker_int_remainder = (uint16_t)(0xFFFF & delta); if (us_ticker_int_counter > 0) { From 15c740f8cb43d9f005b5d198099ee4efd2b648e9 Mon Sep 17 00:00:00 2001 From: mjrgh Date: Tue, 21 Mar 2017 15:52:52 -0700 Subject: [PATCH 3/3] Update us_ticker.c --- targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c b/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c index 80137b5f1b5..8aee691985c 100644 --- a/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c +++ b/targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c @@ -185,12 +185,11 @@ static void lptmr_isr(void) { } void us_ticker_set_interrupt(timestamp_t timestamp) { - uint32_t tcur = us_ticker_read(); - int delta = (int)((uint32_t)timestamp - tcur); + int delta = (int)((uint32_t)timestamp - us_ticker_read()); if (delta <= 0) { // This event was in the past. Force it into the very near // future instead. - timestamp = tcur + 2; + delta = 1; } us_ticker_int_counter = (uint32_t)(delta >> 16);
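
Review bot: in [PATCH 1/3], hal/mbed_ticker_api.c, ticker_insert_event(), the comment that travels with the moved `obj->next = p;` still only explains the end-of-list case and says nothing about why the assignment must now precede `data->queue->head = obj;`. Per the commit message that ordering is the entire fix, because set_interrupt() can re-enter this function from the head branch before the list is consistent, so a later tidy-up could move the line back without anyone noticing. Suggest extending the comment to say that obj must be fully linked before it is published as head or linked from prev, since set_interrupt() may re-enter ticker_insert_event(). It is also worth stating in the commit message that the re-entry happens before `core_util_critical_section_exit();`, so the nested call runs inside the outer critical section.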
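
Review bot: in [PATCH 2/3], targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c, us_ticker_set_interrupt(), the `if (delta <= 0)` branch assigns `timestamp = tcur + 2;` but leaves `delta` unchanged, and the lines that follow program the timer from `delta` (`(uint32_t)(delta >> 16)` and `(uint16_t)(0xFFFF & delta)`), not from `timestamp`. A zero or negative `delta` therefore still reaches the counter and remainder computation, so the event is not scheduled at tcur + 2 as the new comment claims. Either recompute `delta` after changing `timestamp` or set `delta` directly in this branch. The hunk also replaces the blank line after the closing brace with whitespace-only lines; please drop the trailing whitespace.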
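
Review bot: in [PATCH 3/3], targets/TARGET_Freescale/TARGET_KLXX/us_ticker.c, us_ticker_set_interrupt(), `delta = 1;` is an unexplained constant where the previous revision used `tcur + 2`, and nothing in the hunk says why one tick is enough margin for the compare to be armed before the counter passes it. Please name the constant or add a comment stating the minimum delta the timer can reliably take. The subject "Update us_ticker.c" does not describe the change: this patch corrects 2/3, which set `timestamp` while the code below reads `delta`, so squashing it into 2/3 with a subject that says so would keep the series bisectable.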