1. Главная
  2. Книги
  3. authors Collective of
  4. The Embedded Rust Book
  5. Страница 22
Выбрать главу

It's worth noting that while a critical section guarantees no interrupts will fire, it does not provide an exclusivity guarantee on multi-core systems! The other core could be happily accessing the same memory as your core, even without interrupts. You will need stronger synchronisation primitives if you are using multiple cores.

Atomic Access

On some platforms, special atomic instructions are available, which provide guarantees about read-modify-write operations. Specifically for Cortex-M: thumbv6 (Cortex-M0, Cortex-M0+) only provide atomic load and store instructions, while thumbv7 (Cortex-M3 and above) provide full Compare and Swap (CAS) instructions. These CAS instructions give an alternative to the heavy-handed disabling of all interrupts: we can attempt the increment, it will succeed most of the time, but if it was interrupted it will automatically retry the entire increment operation. These atomic operations are safe even across multiple cores.

use core::sync::atomic::{AtomicUsize, Ordering};

static COUNTER: AtomicUsize = AtomicUsize::new(0);

#[entry]

fn main() -> ! {

set_timer_1hz();

let mut last_state = false;

loop {

let state = read_signal_level();

if state && !last_state {

// Use `fetch_add` to atomically add 1 to COUNTER

COUNTER.fetch_add(1, Ordering::Relaxed);

}

last_state = state;

}

}

#[interrupt]

fn timer() {

// Use `store` to write 0 directly to COUNTER

COUNTER.store(0, Ordering::Relaxed)

}

This time COUNTER is a safe static variable. Thanks to the AtomicUsize type COUNTER can be safely modified from both the interrupt handler and the main thread without disabling interrupts. When possible, this is a better solution — but it may not be supported on your platform.

A note on Ordering: this affects how the compiler and hardware may reorder instructions, and also has consequences on cache visibility. Assuming that the target is a single core platform Relaxed is sufficient and the most efficient choice in this particular case. Stricter ordering will cause the compiler to emit memory barriers around the atomic operations; depending on what you're using atomics for you may or may not need this! The precise details of the atomic model are complicated and best described elsewhere.

For more details on atomics and ordering, see the nomicon.

Abstractions, Send, and Sync

None of the above solutions are especially satisfactory. They require unsafe blocks which must be very carefully checked and are not ergonomic. Surely we can do better in Rust!

We can abstract our counter into a safe interface which can be safely used anywhere else in our code. For this example, we'll use the critical-section counter, but you could do something very similar with atomics.

use core::celclass="underline" :UnsafeCell;

use cortex_m::interrupt;

// Our counter is just a wrapper around UnsafeCell<u32>, which is the heart

// of interior mutability in Rust. By using interior mutability, we can have

// COUNTER be `static` instead of `static mut`, but still able to mutate

// its counter value.

struct CSCounter(UnsafeCell<u32>);

const CS_COUNTER_INIT: CSCounter = CSCounter(UnsafeCelclass="underline" :new(0));

impl CSCounter {

pub fn reset(&self, _cs: &interrupt::CriticalSection) {

// By requiring a CriticalSection be passed in, we know we must

// be operating inside a CriticalSection, and so can confidently

// use this unsafe block (required to call UnsafeCelclass="underline" :get).

unsafe { *self.0.get() = 0 };

}

pub fn increment(&self, _cs: &interrupt::CriticalSection) {

unsafe { *self.0.get() += 1 };

}

}

// Required to allow static CSCounter. See explanation below.

unsafe impl Sync for CSCounter {}

// COUNTER is no longer `mut` as it uses interior mutability;

// therefore it also no longer requires unsafe blocks to access.

static COUNTER: CSCounter = CS_COUNTER_INIT;

#[entry]

fn main() -> ! {

set_timer_1hz();

let mut last_state = false;

loop {

let state = read_signal_level();

if state && !last_state {

// No unsafe here!

interrupt::free(|cs| COUNTER.increment(cs));

}

last_state = state;

}

}

#[interrupt]

fn timer() {

// We do need to enter a critical section here just to obtain a valid

// cs token, even though we know no other interrupt could pre-empt

// this one.

interrupt::free(|cs| COUNTER.reset(cs));

// We could use unsafe code to generate a fake CriticalSection if we

// really wanted to, avoiding the overhead:

// let cs = unsafe { interrupt::CriticalSection::new() };

}

We've moved our unsafe code to inside our carefully-planned abstraction, and now our application code does not contain any unsafe blocks.

This design requires that the application pass a CriticalSection token in: these tokens are only safely generated by interrupt::free, so by requiring one be passed in, we ensure we are operating inside a critical section, without having to actually do the lock ourselves. This guarantee is provided statically by the compiler: there won't be any runtime overhead associated with cs. If we had multiple counters, they could all be given the same cs, without requiring multiple nested critical sections.

This also brings up an important topic for concurrency in Rust: the Send and Sync traits. To summarise the Rust book, a type is Send when it can safely be moved to another thread, while it is Sync when it can be safely shared between multiple threads. In an embedded context, we consider interrupts to be executing in a separate thread to the application code, so variables accessed by both an interrupt and the main code must be Sync.

~ 22 ~