Compiler Seems to Generate Incorrect Interrupt Handler Code

#1

I finally got to the bottom of a very nasty issue that was causing random crashes of my software. With this post I'm hoping to maybe save somebody else a lot of time and aggravation, but I would also appreciate any insights from those with more knowledge of the compiler, FreeRTOS, and just what they are supposed to do with interrupt handlers.

The program I'm working on is a new application for an AT32UC3C1512 CPU, using FreeRTOS.

The problem code looked like this:

#if __GNUC__
__attribute__((__naked__))
#elif __ICCAVR32__
#pragma shadow_registers = full // Naked.
#endif
static void can0_int_tx_handler(void)
{
/* This ISR can cause a context switch, so the first statement must be a
call to the portENTER_SWITCHING_ISR() macro. This must be BEFORE any
variable declarations. */
portENTER_SWITCHING_ISR();

U8 handle;
handle = CANIF_mob_get_mob_txok(0);
...

/* Exit the ISR. Supposed to pass an indication of task switch, but not in the FreeRTOS example code. */
portEXIT_SWITCHING_ISR();
}

Here's the listing file showing what the compiler produced for this code segment:

8000ffcc <can0_int_tx_handler>:
static void can0_int_tx_handler(void)
{
/* This ISR can cause a context switch, so the first statement must be a
call to the portENTER_SWITCHING_ISR() macro. This must be BEFORE any
variable declarations. */
portENTER_SWITCHING_ISR();
8000ffcc: eb cd 00 ff pushm r0-r7
8000ffd0: e0 68 00 08 mov r8,8
8000ffd4: ea 18 00 00 orh r8,0x0
8000ffd8: 70 00 ld.w r0,r8[0x0]
8000ffda: 1a d0 st.w --sp,r0
8000ffdc: 7a 90 ld.w r0,sp[0x24]
8000ffde: e1 d0 c2 c3 bfextu r0,r0,0x16,0x3
8000ffe2: 58 10 cp.w r0,1
8000ffe4: e0 8b 00 08 brhi 8000fff4
8000ffe8: e0 68 12 c0 mov r8,4800
8000ffec: ea 18 00 00 orh r8,0x0
8000fff0: 70 00 ld.w r0,r8[0x0]
8000fff2: 81 0d st.w r0[0x0],sp

8000fff4 :
U8 handle;
handle = CANIF_mob_get_mob_txok(0);
8000fff4: fc 78 1c 00 mov r8,-189440
8000fff8: 70 c8 ld.w r8,r8[0x30]
8000fffa: e6 18 00 3f andh r8,0x3f,COH
8000fffe: b1 88 lsr r8,0x10
80010000: ef 68 ff ff st.b r7[-1],r8

Note that the very last line of assembler here uses register R7, but R7 has not been initialized. So this code ends up over-writing one byte on some task's stack, which eventually leads to bad things happening.

I fixed the problem by declaring "handle" as "static".

But why did the compiler generate what appears to be wrong code? And is there a different way to declare an interrupt handler so the compiler will generate correct code even for automatic variables?

Any insights would be appreciated.

--
Bert Menkveld
bert@greentronics.com

#2

bmenkveld wrote:

__attribute__((__naked__))
static void can0_int_tx_handler(void)
{
  U8 handle;
  handle = CANIF_mob_get_mob_txok(0);
  ...
}

80010000:	ef 68 ff ff 	st.b	r7[-1],r8

Note that the very last line of assembler here uses register R7, but R7 has not been initialized. So this code ends up over-writing one byte on some task's stack, which eventually leads to bad things happening.


That’s what happens when you declare a function “naked”, declare a local variable and have compiler optimization turned off.

Space for local variables is reserved on function entry, but that code is removed by declaring the function as “naked”. You’re basically telling the compiler to stay away because you will take care of everything.

Here’s a simple test function that you can compile and check the assembly code of:

extern int foo(int i);
extern int bar(int i);
extern int baz(int i);

//__attribute((naked))
int f(int i) {
  int j = foo(i);
  bar(j);
  return baz(j);
}

/* Compile and view:
   avr32-gcc -O0 -g -Wall -Wextra -c test.c
   avr32-objdump -dS test.o
*/

No “naked” and no optimization:

int f(int i) {
   0:   eb cd 40 80     pushm   r7,lr
   4:   1a 97           mov     r7,sp
   6:   20 2d           sub     sp,8
   8:   ef 4c ff f8     st.w    r7[-8],r12
  int j = foo(i);
   c:   ee fc ff f8     ld.w    r12,r7[-8]
  10:   f0 1f 00 09     mcall   34 
  14:   18 98           mov     r8,r12
  16:   ef 48 ff fc     st.w    r7[-4],r8
...

r7 is used the same way EBP is used on x86.

Now with “naked”, no optimization:

__attribute((naked))
int f(int i) {
   0:   ef 4c ff f8     st.w    r7[-8],r12
  int j = foo(i);
   4:   ee fc ff f8     ld.w    r12,r7[-8]
   8:   f0 1f 00 08     mcall   28 
   c:   18 98           mov     r8,r12
   e:   ef 48 ff fc     st.w    r7[-4],r8
...

r7 is still used the same as before, but uninitialized, because that’s what was requested with “naked”. Note that lr isn’t saved either.

No “naked” but with optimization (-O2):

int f(int i) {
   0:   eb cd 40 40     pushm   r6,lr
  int j = foo(i);
   4:   f0 1f 00 00     mcall   4 
   8:   18 96           mov     r6,r12

r6 is used to hold the variable j, instead of putting it on the stack. r6 is properly saved at the beginning of the function.

Now with “naked” and optimization:

__attribute((naked))
int f(int i) {
  int j = foo(i);
   0:   f0 1f 00 00     mcall   0 
   4:   18 96           mov     r6,r12

r6 is used but not saved, but that’s because I don’t have RTOS and haven’t used portENTER_SWITCHING_ISR(). If you use that, you get a pushm r0-r7, as visible in your code, so you’d be fine... as long as you need only 8 * 4 byte variables saved across function calls. For everything extra, the stack is used and it fails again for you.

bmenkveld wrote:
I fixed the problem by declaring "handle" as "static".

No, you didn’t really “fix” it. You merely told the compiler to turn that variable into a global variable, so it won’t be placed on the stack, working around your problem but making your function not reentrant. This always feels like a Very Bad Idea.

bmenkveld wrote:
But why did the compiler generate what appears to be wrong code?

... because you told it so (by specifying “naked”).

bmenkveld wrote:
And is there a different way to declare an interrupt handler so the compiler will generate correct code even for automatic variables?

Sorry, can’t help you there because I’ve never touched RTOS. You will get correct code for automatic variables by leaving “naked” off, but then your context switch macros will fail.

Have you tried using any compiler optimization level above 0? (1 to 3 or s) That should work within the limits mentioned above.

bmenkveld wrote:
Any insights would be appreciated.

I hope the length of these insights didn’t scare you off. :)

#3

Thanks very much for the detailed explanation. Guess I have never been very comfortable with "naked".... :)

The FreeRTOS docs left me with the impression that the naked attribute simply means the compiler will not save (and restore) registers. I had no idea the compiler would also assume somebody else set up R7 as a local stack variable pointer.

The fact that the FreeRTOS sample code comes with a comment saying that the portENTER_SWITCHING_ISR() must come before any variable declarations rather implies that it's OK to have local variables.

I think I will stay with my solution of declaring the local variable static. I agree it's rather a band-aid solution, but it works and I even understand why. And if that interrupt handler ever gets re-entered mid-stream, I think this application's world has pretty much ended anyway.

Thanks again for helping me to understand this better.

--
Bert Menkveld

#4

bmenkveld wrote:
The fact that the FreeRTOS sample code comes with a comment saying that the portENTER_SWITCHING_ISR() must come before any variable declarations rather implies that it's OK to have local variables.

Having local variables is fine... as long as you don’t have more than eight that need to be saved across function calls and none of them is bigger than 32 bit and you have compiler optimization turned on.

You have compiler optimization turned off at the moment, right?

#5

Yes, I have compiler optimization turned off at the moment. I did that during earlier debugging to make it easier to step through the code. Rather ironic that making the code simpler actually introduced a bug.

I asked this question in a FreeRTOS forum as well. There it was suggested that the "naked" interrupt handler should simply call another non-naked function to do the work. That way the compiler will never have a chance to do anything unexpected with local variables in the "naked" function, because there are no local variables. That adds overhead, but it's safer, and after more than a week of chasing this problem, I like safe!
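The wrapper-calls-worker layout suggested in the last post, written out as an added example (this is not code from the thread, from FreeRTOS or from the Atmel ASF). Everything in it is constructed: the ISR_NAKED / ISR_ENTER / ISR_EXIT shims stand in for __attribute__((__naked__)) and FreeRTOS' portENTER_SWITCHING_ISR() / portEXIT_SWITCHING_ISR() on an AVR32 build and become no-ops on a host build; fake_mob_status models the CANIF MOB status word with the TXOK field in bits 16..21 (an assumption mirroring the andh 0x3f / lsr 0x10 sequence in the listing, not the real register map); mob_get_txok, can0_tx_work, simulate_tx_interrupt and tx_interrupts_handled are hypothetical names. The point it adds to the thread is the noinline on the worker: without it, an optimizing build may inline the worker back into the naked wrapper, and the frame-less local store the thread describes is back.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t U8;

#if defined(__AVR32__) && defined(__GNUC__)
  /* Target build (assumption: the FreeRTOS port headers are already included):
   * naked wrapper plus the switching-ISR entry/exit macros from the thread. */
  #define ISR_NAKED   __attribute__((__naked__))
  #define ISR_ENTER() portENTER_SWITCHING_ISR()
  #define ISR_EXIT()  portEXIT_SWITCHING_ISR()
#else
  /* Host build (what this example compiles as here): an ordinary function
   * with no-op entry/exit, so the worker logic can be exercised off-target. */
  #define ISR_NAKED
  #define ISR_ENTER() ((void)0)
  #define ISR_EXIT()  ((void)0)
#endif

/* Constructed stand-in for the CANIF MOB status read; not the real register
 * layout. TXOK flags are modelled in bits 16..21. */
static volatile uint32_t fake_mob_status;

static U8 mob_get_txok(void)
{
    return (U8)((fake_mob_status >> 16) & 0x3fu);
}

/* Bookkeeping the worker updates; read back by the harness below. */
static unsigned tx_done_count;
static U8 last_txok_handle;

/* All the real work lives here, with ordinary automatic variables.
 * noinline is the caveat that matters: if the compiler inlined this body
 * into the naked wrapper, the locals would reappear inside a function that
 * has no frame, which is exactly the uninitialized-r7 store in the thread. */
static __attribute__((noinline)) int can0_tx_work(void)
{
    U8 handle = mob_get_txok();   /* automatic variable: fine in a normal function */
    int work_done = 0;

    if (handle != 0) {
        last_txok_handle = handle;
        tx_done_count++;
        work_done = 1;
    }
    return work_done;
}

/* The naked ISR itself: no local variables at all, just enter / call / exit. */
ISR_NAKED static void can0_int_tx_handler(void)
{
    ISR_ENTER();        /* must remain the first statement, per FreeRTOS */
    can0_tx_work();
    ISR_EXIT();
}

/* Host-side harness: raise a fake TX interrupt with a given status word and
 * report the handle the worker recorded (unchanged if no TXOK bit was set). */
unsigned simulate_tx_interrupt(uint32_t status_word)
{
    fake_mob_status = status_word;
    can0_int_tx_handler();
    return last_txok_handle;
}

unsigned tx_interrupts_handled(void)
{
    return tx_done_count;
}

int main(void)
{
    printf("handle=%u\n", simulate_tx_interrupt(0x00050000u));          /* 5 */
    printf("handle=%u (spurious, unchanged)\n", simulate_tx_interrupt(0));
    printf("handled=%u\n", tx_interrupts_handled());                    /* 1 */
    return 0;
}
```

On the target, the only statements inside the naked function are the two FreeRTOS macros and one call, so there is nothing for the compiler to spill to r7-relative stack slots whatever the optimization level. The worker keeps its locals and stays reentrant, which the static-variable workaround in post #2 does not.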