What is the worst case IO behavior in case of a MCU crash?

Discussion about SAM7 Series and ARM7TDMI based products.

t.bohler@unitechenergy.no
Posts: 24
Joined: Wed Jun 25, 2014 8:47 am

What is the worst case IO behavior in case of a MCU crash?

Wed Dec 21, 2016 10:24 pm

Hello.

We use an AT91SAM7X512 in one of our embedded "APPs".
I wonder, what is the "worst case IO behavior" in case of an MCU crash?
In case my program tries to:
- Access non-existing memory (RAM/FLASH …)
- Fetch OP-code from a non-existing program memory address
- Execute an illegal OP-code
- Stack is overwritten
- Execute non-existing exception vectors
- Perform other even more exotic hazardous operations …


Q-1: Could there be cases where the MCU randomly loses track and generates random or changing signals (during the crash phase) out from its PIOs to my target HW?

Q-2: If a WDT is used/programmed, will it force a proper MCU restart in case the MCU gets lost in such a way?

Best Regards
Terje Bøhler
blue_z
Location: USA
Posts: 1507
Joined: Thu Apr 19, 2007 10:15 pm

Re: What is the worst case IO behavior in case of a MCU crash

Fri Dec 23, 2016 3:07 am

t.bohler@unitechenergy.no wrote: In case my program tries to:
- Access non-existing memory (RAM/FLASH …)
- Fetch OP-code from a non-existing program memory address
- Execute an illegal OP-code
- Stack is overwritten
- Execute non-existing exception vectors
- Perform other even more exotic hazardous operations …
If you have a program that is prone to do any of these things, then learn to design/write better code, and perform more testing.
t.bohler@unitechenergy.no wrote: Q-1: Could there be cases where the MCU randomly loses track and generates random or changing signals (during the crash phase) out from its PIOs to my target HW?
Not unlikely IMO, unless you have a poorly designed and implemented system.
From my experience, misbehaving systems in projects were more often caused by a HW issue than SW/FW.
But then I know how to write "defensive" code, e.g. in one project it was my code that inadvertently revealed an intermittent HW flaw that affected all code by a team of ~20 programmers.

You have a synchronous state machine.
Even if the processor jumps to a garbage location (undetected) and executes garbage values as instructions (undetected), it's still only software, and can only perform what any normal program can do.
If you're paranoid, then design a robust HW interface, e.g. a sequence more complex than a simple write to a register to launch the missile.
t.bohler@unitechenergy.no wrote: Q-2: If a WDT is used/programmed, will it force a proper MCU restart in case the MCU gets lost in such a way?
Depends on how you implement the WDT.

Regards
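Added example (not blue_z's code and not the SAM7X PIO or WDT register interface): the two design points in the reply above, a critical output that needs an ordered multi-write handshake rather than a single register write, and a watchdog that is kicked only when every supervised task has checked in, modelled in plain C with simulated registers. The key values, the task bitmask and the "garbage burst" of stray stores are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A runaway CPU can only issue ordinary stores, so a critical output is
 * protected by requiring three key writes in a fixed order before the pin is
 * driven. Any out-of-sequence write resets the handshake and forces the
 * output to its safe (off) state. Key values are constructed for this demo. */
#define ARM_KEY1 0xA5u
#define ARM_KEY2 0x5Au
#define ARM_KEY3 0x3Cu

typedef struct {
    uint8_t step;          /* 0..2: which key is expected next */
    bool output_enabled;   /* simulated state of the guarded pin */
    unsigned rejected;     /* stray writes seen since init */
} guarded_output_t;

void guarded_output_init(guarded_output_t *g)
{
    g->step = 0;
    g->output_enabled = false;
    g->rejected = 0;
}

/* Feed one register write. Returns true only on the write that arms the output. */
bool guarded_output_write(guarded_output_t *g, uint8_t value)
{
    static const uint8_t keys[3] = { ARM_KEY1, ARM_KEY2, ARM_KEY3 };

    if (value != keys[g->step]) {
        g->step = 0;
        g->output_enabled = false;   /* fail safe on any stray write */
        g->rejected++;
        return false;
    }
    if (++g->step == 3) {
        g->step = 0;
        g->output_enabled = true;
        return true;
    }
    return false;
}

/* Watchdog supervisor: the hardware WDT may be kicked only when every task in
 * expected_mask has checked in during the current cycle. Kicking from a timer
 * interrupt instead would keep the WDT satisfied while the main loop is lost. */
typedef struct {
    uint32_t expected_mask;
    uint32_t reported_mask;
} wdt_supervisor_t;

void wdt_supervisor_init(wdt_supervisor_t *s, uint32_t expected_mask)
{
    s->expected_mask = expected_mask;
    s->reported_mask = 0;
}

void wdt_task_checkin(wdt_supervisor_t *s, uint32_t task_bit)
{
    s->reported_mask |= task_bit;
}

/* Called once per supervision cycle; reports whether the WDT may be kicked
 * and clears the check-ins for the next cycle. */
bool wdt_supervisor_may_kick(wdt_supervisor_t *s)
{
    bool all_alive = (s->reported_mask & s->expected_mask) == s->expected_mask;
    s->reported_mask = 0;
    return all_alive;
}

/* Replays a constructed burst of stray stores, with partial key sequences
 * mixed in, against the guarded output and returns whether it ever armed. */
bool garbage_burst_arms_output(void)
{
    static const uint8_t garbage[] = { 0xA5, 0xFF, 0x5A, 0x3C, 0xA5, 0x5A, 0x00, 0x3C };
    guarded_output_t g;
    guarded_output_init(&g);
    for (size_t i = 0; i < sizeof garbage; i++)
        guarded_output_write(&g, garbage[i]);
    return g.output_enabled;
}

int main(void)
{
    guarded_output_t g;
    guarded_output_init(&g);
    guarded_output_write(&g, ARM_KEY1);
    guarded_output_write(&g, ARM_KEY2);
    bool armed = guarded_output_write(&g, ARM_KEY3);
    printf("ordered handshake arms output: %s\n", armed ? "yes" : "no");
    printf("garbage burst arms output: %s\n", garbage_burst_arms_output() ? "yes" : "no");

    wdt_supervisor_t s;
    wdt_supervisor_init(&s, 0x7u);   /* three supervised tasks, bits 0..2 */
    wdt_task_checkin(&s, 0x1u);
    wdt_task_checkin(&s, 0x2u);
    printf("kick with one task silent: %s\n", wdt_supervisor_may_kick(&s) ? "yes" : "no");
    return 0;
}
```

The handshake keeps the reply's point intact: garbage execution is still just stores, so the defence is to make the store pattern that matters unlikely to occur by accident and to fall back to the safe state on anything else. The supervisor answers "depends on how you implement the WDT": the reset only helps if the kick is tied to evidence that the program is actually progressing.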
