I want to be robust to power drops at least. I'm interested in robustness to interrupts as well (see below).
what I have now is a system with three bytes per byte of data: copy_a, copy_b, and valid_copy (0x00 means a, other means b).
Writes work like this:
1. check valid_copy
2. write into the other copy
3. read it back and check, if ok means both copies are currently valid (one at old value, one at new), else return fail
4. write valid_copy to point to newly written copy
5. read back valid_copy, if ok write can be reported as successful, else return fail
After a fail at least the old copy is ok. write to valid_copy cannot fail in such a way that it doesn't point to one copy or other.
after fail it isn't known whether at old value or new, clients must check
Multi-byte write just use a single valid copy byte (corresponding to first byte), and write it after all other bytes written and read back ok
Is this approach safe against power drops? The datasheet says incorrect CPU instructions can happen as well at power drop, so I guess the
readback check could manage to fail in such a way that a corrupted write gets missed. But if this is used together with brown-out detection
(as described in Preventing EEPROM Corruption section of datasheet) is it entirely safe?
Is it safe against interrupts during EEPROM write, or must ATOMIC_BLOCK() be used? Note that I'm not interested in doing any other EEPROM
activity from the interrupt context so maybe interrupts aren't even a problem, I'm not clear on this.