flash: ignore SPM executed outside the boot loader section #581
Open
ZsoltSaskovy wants to merge 1 commit into
Conversation
On real parts SPM only executes when the program counter is inside the boot loader section; executed from the application (RWW) section it is a no-op. simavr executed SPM from any address, so firmware that misplaces its bootloader (e.g. linked at 0x3C000 on the ATmega2560, where the boot section starts at 0x3E000) passed simulation but failed silently on real hardware.

Add an opt-in bls_start field to avr_flash_t: when non-zero, SPM with avr->pc below it is ignored with a warning log. Cores that do not set the field keep the old permissive behaviour.

Enable it for the ATmega2560 using the largest possible boot section (BOOTSZ=00, byte address 0x3E000). This is the most permissive legal boundary, so no valid fuse configuration is rejected, while SPM from the application section is caught.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Author: Build is failing as "install dependencies" is failing.
Motivation
On real AVR silicon, the SPM instruction only executes when the program counter is inside the boot loader section; executed from the application (RWW) section it is a no-op. simavr currently executes SPM from any address.
This gap bit us in practice: an ATmega2560 bootloader accidentally linked at 0x3C000 (the boot section starts at 0x3E000 with BOOTSZ=00) passed a full simavr-based integration test suite — including complete STK500v2 and TFTP firmware-upload flows — while on real hardware every SPM was silently ignored and nothing was ever written to flash.
Change
avr_flash_t gets an opt-in bls_start field: when non-zero, SPM issued with avr->pc below it is ignored and a warning is logged. Modelling the actual BOOTSZ fuse decoding would be more precise; this conservative boundary already catches the realistic failure mode (bootloader linked below the boot section) without touching fuse handling.
Validation
boot_page_erase/boot_page_fill/boot_page_write via <avr/boot.h>: flash stays 0xFF after the patch (it was silently written before).

🤖 Generated with Claude Code
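To make the gate the PR describes concrete, here is an added stand-alone model of it; this is not simavr's code and not the PR's diff. It assumes the PR's convention that bls_start and pc are byte addresses, uses the ATmega2560 numbers from the description (256 KiB flash, boot section starting at 0x3E000 with BOOTSZ=00) and a 256-byte SPM page; the names flash_model_t, spm_allowed, spm_page_write and run_scenario are hypothetical. It reproduces the failure mode from the Motivation section: with the check disabled (bls_start == 0) a bootloader running at 0x3C000 writes flash, with the check enabled the same SPM is dropped with a warning, and SPM from inside the boot section still works.

```c
/* Added illustration of the boot-loader-section gate (hypothetical names,
 * not simavr's implementation). Addresses are byte addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 0x40000u   /* ATmega2560: 256 KiB of flash */
#define PAGE_SIZE  256u       /* ATmega2560 SPM page size in bytes */

typedef struct {
    uint8_t  flash[FLASH_SIZE];
    uint32_t bls_start;  /* boot section start; 0 = no check (old permissive behaviour) */
    uint32_t pc;         /* byte address of the instruction being executed */
    unsigned ignored;    /* number of SPM writes dropped by the gate */
} flash_model_t;

static void flash_model_init(flash_model_t *m, uint32_t bls_start) {
    memset(m->flash, 0xFF, sizeof m->flash);  /* erased flash reads 0xFF */
    m->bls_start = bls_start;
    m->pc = 0;
    m->ignored = 0;
}

/* 1 if SPM is honoured at the current pc, 0 if it is a no-op (as on real parts). */
static int spm_allowed(const flash_model_t *m) {
    return m->bls_start == 0 || m->pc >= m->bls_start;
}

/* Model of the SPM page write: copy one page buffer into flash at addr,
 * but only when the executing pc lies inside the boot loader section. */
static int spm_page_write(flash_model_t *m, uint32_t addr, const uint8_t *page) {
    if (!spm_allowed(m)) {
        m->ignored++;
        fprintf(stderr, "SPM at pc=0x%05X ignored: outside boot section (bls_start=0x%05X)\n",
                (unsigned)m->pc, (unsigned)m->bls_start);
        return 0;
    }
    addr &= ~(PAGE_SIZE - 1);               /* page-aligned like the hardware */
    if (addr + PAGE_SIZE > FLASH_SIZE) return 0;
    memcpy(&m->flash[addr], page, PAGE_SIZE);
    return 1;
}

/* Run one SPM from `pc` against `target` with the given bls_start and
 * return how many bytes of the target page actually changed. */
static unsigned run_scenario(uint32_t bls_start, uint32_t pc, uint32_t target) {
    static flash_model_t m;  /* static: 256 KiB is too large for the stack */
    uint8_t page[PAGE_SIZE];
    unsigned changed = 0;
    flash_model_init(&m, bls_start);
    m.pc = pc;
    memset(page, 0xA5, sizeof page);  /* constructed firmware payload */
    spm_page_write(&m, target, page);
    for (unsigned i = 0; i < PAGE_SIZE; i++)
        if (m.flash[target + i] != 0xFF) changed++;
    return changed;
}

int main(void) {
    printf("bls_start=0 (old behaviour), pc=0x3C000: %u bytes written\n",
           run_scenario(0, 0x3C000, 0x1000));
    printf("bls_start=0x3E000, pc=0x3C000 (mislinked bootloader): %u bytes written\n",
           run_scenario(0x3E000, 0x3C000, 0x1000));
    printf("bls_start=0x3E000, pc=0x3E010 (inside boot section): %u bytes written\n",
           run_scenario(0x3E000, 0x3E010, 0x1000));
    return 0;
}
```

The middle scenario is the one the PR's Validation section checks: flash stays 0xFF because the write is dropped, where the permissive model (first scenario) would have reported a successful upload.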