Hello.
We use an AT91SAM7X512 in one of our embedded "apps".
I wonder, what is the "worst case IO behavior" in case of an MCU crash?
In case my program tries to:
- Access non-existent memory (RAM/FLASH ...)
- Fetch an opcode from a non-existent program memory address
- Execute an illegal opcode
- Overwrite the stack
- Execute non-existent exception vectors
- Perform other, even more exotic, hazardous operations ...
Q-1: Could there be cases where the MCU randomly loses track and generates random or changing signals (during the crash phase) from its PIOs to my target HW?
Q-2: If a WDT is used/programmed, will it force a proper MCU restart in case the MCU gets lost in such a way?
Best Regards
Terje Bøhler
- blue_z
- Location: USA
Re: What is the worst case IO behavior in case of an MCU crash?
If you have a program that is prone to do any of these things, then learn to design/write better code, and perform more testing.
t.bohler@unitechenergy.no wrote:
In case my program tries to:
- Access non-existing memory (RAM/FLASH …)
- Fetch OP-code from non-existing program memory address
- Execute illegal OP-code
- Stack is overwritten
- Executing non-existing exception vectors
- perform other even more exotic hazardous operations …
Not unlikely IMO, unless you have a poorly designed and implemented system.
t.bohler@unitechenergy.no wrote:
Q-1: Could there be cases where the MCU randomly loses track and generates random or changing signals (during the crash phase) from its PIOs to my target HW?
From my experience, misbehaving systems in projects were more often caused by a HW issue than SW/FW.
But then I know how to write "defensive" code, e.g. in one project it was my code that inadvertently revealed an intermittent HW flaw that affected all code by a team of ~20 programmers.
You have a synchronous state machine.
Even if the processor jumps to a garbage location (undetected) and executes garbage values as instructions (undetected), it's still only software, and can only perform what any normal program can do.
If you're paranoid, then design a robust HW interface, e.g. a sequence more complex than a simple write to a register to launch the missile.
Depends on how you implement the WDT.
t.bohler@unitechenergy.no wrote:
Q-2: If a WDT is used/programmed, will it force a proper MCU restart in case the MCU gets lost in such a way?
Regards
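Added example (not part of blue_z's reply or any Atmel code) showing the two points above in host-testable C: a critical output that only fires after a multi-step unlock sequence instead of a single register write, and a watchdog service routine that only restarts the hardware watchdog when every monitored task has checked in, so a hung task still causes a reset even if the main loop keeps spinning. The unlock keys, the LCG used to model runaway random stores, and the `hardware_wdt_restart` placeholder are all constructed assumptions; on a real AT91SAM7X the placeholder would be the actual watchdog restart write.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ---- Pattern 1: multi-step unlock for a critical output ----
 * The output only fires when three distinct 32-bit values arrive in order.
 * Any out-of-order value restarts the sequence, so random stores from code
 * that has jumped into garbage are very unlikely to complete it.
 * Key values are constructed for this example. */
enum { UNLOCK_LEN = 3 };
static const uint32_t UNLOCK_SEQ[UNLOCK_LEN] = { 0xA5A5A5A5u, 0x5A5A5A5Au, 0xC3C3C3C3u };

typedef struct {
    unsigned step;   /* number of sequence values matched so far */
    bool fired;      /* set when the full sequence was seen (stands in for driving the pin) */
} guard_t;

void guard_init(guard_t *g) { g->step = 0; g->fired = false; }

/* Returns true only on the write that completes the sequence. */
bool guard_write(guard_t *g, uint32_t value)
{
    if (value != UNLOCK_SEQ[g->step]) {
        /* Wrong value: start over, but let a correct first key begin a new attempt. */
        g->step = (value == UNLOCK_SEQ[0]) ? 1u : 0u;
        return false;
    }
    if (++g->step == UNLOCK_LEN) {
        g->step = 0;
        g->fired = true;
        return true;
    }
    return false;
}

/* Models runaway code doing n random stores to the interface (deterministic
 * constructed LCG) and returns how many times the guarded output fired. */
uint32_t guard_fires_from_random_writes(uint32_t n)
{
    guard_t g;
    uint32_t x = 0x12345678u, fires = 0;
    guard_init(&g);
    for (uint32_t i = 0; i < n; i++) {
        x = x * 1664525u + 1013904223u;
        if (guard_write(&g, x)) fires++;
    }
    return fires;
}

/* ---- Pattern 2: restart the watchdog only when every task has checked in ----
 * Kicking the WDT unconditionally from the main loop hides a hung task; this
 * variant withholds the kick until all TASK_COUNT tasks reported progress. */
enum { TASK_COUNT = 3 };
typedef struct {
    uint32_t checkin_mask;  /* bit i set when task i reported progress this window */
    uint32_t kicks;         /* how many times the hardware watchdog was restarted */
    uint32_t missed;        /* windows in which at least one task stayed silent */
} wdt_monitor_t;

void wdt_monitor_init(wdt_monitor_t *m) { m->checkin_mask = 0; m->kicks = 0; m->missed = 0; }

void wdt_task_checkin(wdt_monitor_t *m, unsigned task_id)
{
    if (task_id < TASK_COUNT) m->checkin_mask |= 1u << task_id;
}

static void hardware_wdt_restart(void) { /* placeholder for the real watchdog restart write */ }

/* Called once per window from a timer or the main loop. Returns true if the
 * hardware watchdog was restarted; false lets it expire and reset the MCU. */
bool wdt_service(wdt_monitor_t *m)
{
    const uint32_t all = (1u << TASK_COUNT) - 1u;
    bool ok = (m->checkin_mask & all) == all;
    m->checkin_mask = 0;  /* every task must check in again next window */
    if (ok) { m->kicks++; hardware_wdt_restart(); } else { m->missed++; }
    return ok;
}

int main(void)
{
    wdt_monitor_t m;
    wdt_monitor_init(&m);
    wdt_task_checkin(&m, 0); wdt_task_checkin(&m, 1);  /* task 2 never checks in */
    printf("random writes that fired the output: %u\n", guard_fires_from_random_writes(100000u));
    printf("watchdog kicked with a silent task: %s\n", wdt_service(&m) ? "yes" : "no");
    return 0;
}
```

The guard is a software mirror of what blue_z suggests doing in hardware; the same sequence check can live in a CPLD or in a second small device between the MCU and the actuator, where garbage execution on the MCU cannot bypass it.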