WIP: firmware: guard I2C transactions with timeouts.

whitequark · whitequark · commit 0744b81e7aa8 · 2019-03-01T09:45:38.000Z
If we don't add timeouts on I2C transactions, then the USB request
that caused it (for reads) or the next USB control request (for
writes) will silently hang forever until the device is power cycled.

This is clearly undesirable. However, this does not happen at all
during normal operation, and although it hardens the device, the FX2
firmware size comes at a premium, and blindly spraying these guard
conditions adds a nontrivial increase.

Therefore this code, although tested, is not currently used.
diff --git a/firmware/main.c b/firmware/main.c
@@ -284,6 +284,26 @@ static bool reset_status_bit(uint8_t bit) {
   return false;
 }
 
+volatile uint8_t i2c_timeout;
+
+void isr_TF0() __interrupt(_INT_TF0) {
+  i2c_timeout++;
+  // About 256 ms at 48 MHz clock.
+  if(i2c_timeout == 16) {
+    led_err_set(1);
+    i2c_cancel = true;
+  }
+}
+
+#define I2C_PROTECT(code) \
+  do {                    \
+    i2c_timeout = 0;      \
+    T0 = 0;               \
+    TR0 = true;           \
+    code                  \
+    TR0 = false;          \
+  } while(0)
+
 // We perform lengthy operations in the main loop to avoid hogging the interrupt.
 // This flag is used for synchronization between the main loop and the ISR;
 // to allow new SETUP requests to arrive while the previous one is still being
@@ -771,6 +791,10 @@ int main() {
   SYNCDELAY;
   EP1OUTCFG = 0;
 
+  // Use timer 0 in 16-bit timer mode for I2C timeout.
+  TMOD = _M0_0;
+  ET0 = true;
+
   // Use timer 2 in 16-bit timer mode for ACT LED.
   T2CON = _CPRL2;
   ET2 = true;
