Is `memcpy((void *)dest, src, n)` with a `volatile` array safe?
I have a buffer that I use for UART, which is declared this way:
union Eusart_Buff {
uint8_t b8[16];
uint16_t b9[16];
};
struct Eusart_Msg
-
Is
memcpy((void *)dest, src, n)with avolatilearray safe?No. In the general case,
memcpy()is not specified to work correctly with volatile memory.
OP's case looks OK to cast awayvolatile, yet posted code is insufficient to be certain.If code wants to
memcpy()volatilememory, write the helper function.OP's code has
restrictin the wrong place. Suggestvolatile void *memcpy_v(volatile void *restrict dest, const volatile void *restrict src, size_t n) { const volatile unsigned char *src_c = src; volatile unsigned char *dest_c = dest; while (n > 0) { n--; dest_c[n] = src_c[n]; } return dest; }A singular reason for writing your own
memcpy_v()is the a compiler can "understand"/analyzememcpy()and emit code that is very different than expected - even optimize it out, if the compiler thinks the copy is not needed. Remind oneself that the compiler thinksmemcpy()manipulated memory is non-volatile.
Yet OP is using
volatile struct Eusart eusart;incorrectly. Access toeusartneeds protection thatvolatiledoes not provide.In OP's case, code can drop
volatileon the buffers and then usememcpy()just fine.A remaining issue is in the scant code of how OP is using
eusart. Usingvolatiledoes not solve OP's problem there. OP's does assert "I write to it atomically,", yet without postedatomiccode, that is not certain.
Code like the below benefits with
eusart.tx.msg_lenbeingvolatile, yet that is not sufficient.volatileinsures.tx.msg_lenis not cached and instead re-reads each time.while (eusart.tx.msg_len) ;Yet the read of
.tx.msg_lenis not specified as atomic. When.tx.msg_len == 256and a ISR fires, decrementing.tx.msg_len, the read of the the LSbyte (0 from 256) and MSbyte (0 from 255), the non-ISR code may see.tx.msg_lenas 0, not 255 nor 256, thus ending the loop at the wrong time. The access of.tx.msg_lenneeds to be specified as indivisible (atomic), else, once in a while code fails mysteriously.while (eusart.tx.msg_len);also suffers from being an end-less loop. Should the transmission stop for some reason other than empty, the while loop never exits.Recommend instead to block interrupts while inspecting or changing
eusart.tx.msg_len, eusart.tx.msg_posn. Review your compilers support ofatomicorsize_t tx_msg_len(void) { // pseudo-code interrupt_enable_state = get_state(); disable_interrupts(); size_t len = eusart.tx.msg_len; restore_state(interrupt_enable_state); return len; }
General communication code ideas:
While non-ISR code reads or writes
eusart, make sure the ISR cannot ever changeeusart.Do not block
ISRfor long in step #1.Do not assume underlying
ISR()will chain input/output successfully without a hiccup. Top level code should be prepared to re-start output if it gets stalled.
讨论(0) -
The Standard lacks any means by which programmers can demand that operations that access a region of storage by means of an ordinary pointer are completed before a particular
volatilepointer access is performed, and also lacks any means of ensuring that operations which access a region of storage by means of an ordinary pointer are not carried out until after some particularvolatilepointer access is performed. Since the semantics ofvolatileoperations are Implementation-Defined, the authors of the Standard may have expected that compiler writers would recognize when their customers might need such semantics, and specify their behavior in a fashion consistent with those needs. Unfortunately, that hasn't happened.Achieving the semantics you require will either making use of a "popular extension", such as the
-fms-volatilemode of clang, a compiler-specific intrinsic, or else replacingmemcpywith something that's so horribly inefficient as to swamp any supposed advantage compilers could gain by not supporting such semantics.讨论(0)
加载中...
- 热议问题