cortex-m icon indicating copy to clipboard operation
cortex-m copied to clipboard
verified publisher icon rust-embedded

New static mutable storage for the entry function

Open jonathanpallant opened this issue 2 months ago • 3 comments

We carefully ensure the #[entry] function cannot be called other than after a reset (and after the start-up code has initialised everything).

Currently we use this knowledge to 'safely' replace static mut FOO: T = T::new() with code that uses an unsafe block to create &mut T reference to the static, which is passed in as an argument.

That is:

#[cortex_m_rt::entry]
fn main() -> ! {
    static mut FOO: u32 = 123;

    loop {}
}

becomes:

#[doc(hidden)]
#[export_name = "main"]
pub unsafe extern "C" fn __cortex_m_rt_main_trampoline() {
    #[allow(static_mut_refs)]
    __cortex_m_rt_main({
        static mut FOO: u32 = 123;
        unsafe { &mut FOO }
    })
}
fn __cortex_m_rt_main(#[allow(non_snake_case)] FOO: &'static mut u32) -> ! {
    loop {}
}

It is widely accepted that this kind of sleight of hand is not good. However, RTIC shows us a syntax that could work:

#[task(local = [state: u32 = 0])]
async fn foo(c: foo::Context) {
    let old_state: u32 = *c.local.state;
    *c.local.state += 1;
}

So, what if we wrote a new macro, called entry_with_context:

#[cortex_m_rt::entry_with_context(context = [state: u32 = 0])]
fn main(c: main::Context) -> ! {
    let old_state: u32 = *c.state;
    *c.state += 1;

    loop {}
}

The advantage here is that is clear some 'magic' is happening to create a static resource and pass it to the main function.

It would expand to something like:

mod main {
    pub(crate) struct Context {
        state: &mut u32
    }
}

#[doc(hidden)]
#[export_name = "main"]
pub unsafe extern "C" fn __cortex_m_rt_main_trampoline() {
    static STATE: RacyCell<u32> = RacyCell::new(123);
    __cortex_m_rt_main(main::Context {
        state: unsafe { STATE.get_mut_ref() },
    })
}

fn main(c: main::Context) -> ! {
    let old_state: u32 = *c.state;
    *c.state += 1;

    loop {}
}

We don't even need to hide the actual fn main() function anymore, because you cannot call it without creating the context object.

jonathanpallant avatar Oct 09 '25 17:10 jonathanpallant

I don't have much to add beyond general agreement. A: This would be a nice convenience. B: Each slight-of-hand, you put it, like this, when done in a fundamental lib like cortex-m, is potentially worrying. Overall, I'm 50/50 on if this is a good plan. If this were a higher-level lib, I would "do it".

David-OConnor avatar Oct 09 '25 17:10 David-OConnor

It's worth noting what you'd have to write if you didn't have this:

struct RacyCell<T>(UnsafeCell<T>);

// SAFETY: We promise to only ever use this inside a non-reentrant main function
unsafe impl<T> Sync for RacyCell<T>;

#[cortex_m_rt::entry]
fn main() -> ! {
    // Do static init
    static STATE: RacyCell<u32> = RacyCell(UnsafeCell::new(123));
    // SAFETY: main() is not callable except by reset, so we cannot
    // create two references here
    let state = unsafe { &mut *STATE.0.get() };

    // Do rest of function
    let old_state: u32 = *state;
    *state += 1;

    loop {}
}

thejpster avatar Oct 09 '25 18:10 thejpster

Nice idea, I like it.

therealprof avatar Oct 09 '25 19:10 therealprof