|
| 1 | +.. _isr_rules: |
| 2 | + |
| 3 | +Writing interrupt handlers |
| 4 | +========================== |
| 5 | + |
| 6 | +On suitable hardware MicroPython offers the ability to write interrupt handlers in Python. Interrupt handlers |
| 7 | +- also known as interrupt service routines (ISR's) - are defined as callback functions. These are executed |
| 8 | +in response to an event such as a timer trigger or a voltage change on a pin. Such events can occur at any point |
| 9 | +in the execution of the program code. This carries significant consequences, some specific to the MicroPython |
| 10 | +language. Others are common to all systems capable of responding to real time events. This document covers |
| 11 | +the language specific issues first, followed by a brief introduction to real time programming for those new to it. |
| 12 | + |
| 13 | +This introduction uses vague terms like "slow" or "as fast as possible". This is deliberate, as speeds are |
| 14 | +application dependent. Acceptable durations for an ISR are dependent on the rate at which interrupts occur, |
| 15 | +the nature of the main program, and the presence of other concurrent events. |
| 16 | + |
| 17 | +Tips and recommended practices |
| 18 | +------------------------------ |
| 19 | + |
| 20 | +This summarises the points detailed below and lists the principal recommendations for interrupt handler code. |
| 21 | + |
| 22 | +* Keep the code as short and simple as possible. |
| 23 | +* Avoid memory allocation: no appending to lists or insertion into dictionaries, no floating point. |
| 24 | +* Where an ISR returns multiple bytes use a pre-allocated ``bytearray``. If multiple integers are to be |
| 25 | + shared between an ISR and the main program consider an array (``array.array``). |
| 26 | +* Where data is shared between the main program and an ISR, consider disabling interrupts prior to accessing |
| 27 | + the data in the main program and re-enabling them immediately afterwards (see Critcal Sections). |
| 28 | +* Allocate an emergency exception buffer (see below). |
| 29 | + |
| 30 | + |
| 31 | +MicroPython Issues |
| 32 | +------------------ |
| 33 | + |
| 34 | +The emergency exception buffer |
| 35 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 36 | + |
| 37 | +If an error occurs in an ISR, MicroPython is unable to produce an error report unless a special buffer is created |
| 38 | +for the purpose. Debugging is simplified if the following code is included in any program using interrupts. |
| 39 | + |
| 40 | +.. code:: python |
| 41 | +
|
| 42 | + import micropython |
| 43 | + micropython.alloc_emergency_exception_buf(100) |
| 44 | +
|
| 45 | +Simplicity |
| 46 | +~~~~~~~~~~ |
| 47 | + |
| 48 | +For a variety of reasons it is important to keep ISR code as short and simple as possible. It should do only what |
| 49 | +has to be done immediately after the event which caused it: operations which can be deferred should be delegated |
| 50 | +to the main program loop. Typically an ISR will deal with the hardware device which caused the interrupt, making |
| 51 | +it ready for the next interrupt to occur. It will communicate with the main loop by updating shared data to indicate |
| 52 | +that the interrupt has occurred, and it will return. An ISR should return control to the main loop as quickly |
| 53 | +as possible. This is not a specific MicroPython issue so is covered in more detail :ref:`below <ISR>`. |
| 54 | + |
| 55 | +Communication between an ISR and the main program |
| 56 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 57 | + |
| 58 | +Normally an ISR needs to communicate with the main program. The simplest means of doing this is via one or more |
| 59 | +shared data objects, either declared as global or shared via a class (see below). There are various restrictions |
| 60 | +and hazards around doing this, which are covered in more detail below. Integers, ``bytes`` and ``bytearray`` objects |
| 61 | +are commonly used for this purpose along with arrays (from the array module) which can store various data types. |
| 62 | + |
| 63 | +The use of object methods as callbacks |
| 64 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 65 | + |
| 66 | +MicroPython supports this powerful technique which enables an ISR to share instance variables with the underlying |
| 67 | +code. It also enables a class implementing a device driver to support multiple device instances. The following |
| 68 | +example causes two LED's to flash at different rates. |
| 69 | + |
| 70 | +.. code:: python |
| 71 | +
|
| 72 | + import pyb, micropython |
| 73 | + micropython.alloc_emergency_exception_buf(100) |
| 74 | + class Foo(object): |
| 75 | + def __init__(self, timer, led): |
| 76 | + self.led = led |
| 77 | + timer.callback(self.cb) |
| 78 | + def cb(self, tim): |
| 79 | + self.led.toggle() |
| 80 | +
|
| 81 | + red = Foo(pyb.Timer(4, freq=1), pyb.LED(1)) |
| 82 | + greeen = Foo(pyb.Timer(2, freq=0.8), pyb.LED(2)) |
| 83 | +
|
| 84 | +In this example the ``red`` instance associates timer 4 with LED 1: when a timer 4 interrupt occurs ``red.cb()`` |
| 85 | +is called causing LED 1 to change state. The ``green`` instance operates similarly: a timer 2 interrupt |
| 86 | +results in the execution of ``green.cb()`` and toggles LED 2. The use of instance methods confers two |
| 87 | +benefits. Firstly a single class enables code to be shared between multiple hardware instances. Secondly, as |
| 88 | +a bound method the callback function's first argument is ``self``. This enables the callback to access instance |
| 89 | +data and to save state between successive calls. For example, if the class above had a variable ``self.count`` |
| 90 | +set to zero in the constructor, ``cb()`` could increment the counter. The ``red`` and ``green`` instances would |
| 91 | +then maintain independent counts of the number of times each LED had changed state. |
| 92 | + |
| 93 | +Creation of Python objects |
| 94 | +~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 95 | + |
| 96 | +ISR's cannot create instances of Python objects. This is because MicroPython needs to allocate memory for the |
| 97 | +object from a store of free memory block called the heap. This is not permitted in an interrupt handler because |
| 98 | +heap allocation is not re-entrant. In other words the interrupt might occur when the main program is part way |
| 99 | +through performing an allocation - to maintain the integrity of the heap the interpreter disallows memory |
| 100 | +allocations in ISR code. |
| 101 | + |
| 102 | +A consequence of this is that ISR's can't use floating point arithmetic; this is because floats are Python objects. Similarly |
| 103 | +an ISR can't append an item to a list. In practice it can be hard to determine exactly which code constructs will |
| 104 | +attempt to perform memory allocation and provoke an error message: another reason for keeping ISR code short and simple. |
| 105 | + |
| 106 | +One way to avoid this issue is for the ISR to use pre-allocated buffers. For example a class constructor |
| 107 | +creates a ``bytearray`` instance and a boolean flag. The ISR method assigns data to locations in the buffer and sets |
| 108 | +the flag. The memory allocation occurs in the main program code when the object is instantiated rather than in the ISR. |
| 109 | + |
| 110 | +The MicroPython library I/O methods usually provide an option to use a pre-allocated buffer. For |
| 111 | +example ``pyb.i2c.recv()`` can accept a mutable buffer as its first argument: this enables its use in an ISR. |
| 112 | + |
| 113 | +Use of Python objects |
| 114 | +~~~~~~~~~~~~~~~~~~~~~ |
| 115 | + |
| 116 | +A further restriction on objects arises because of the way Python works. When an ``import`` statement is executed the |
| 117 | +Python code is compiled to bytecode, with one line of code typically mapping to multiple bytecodes. When the code |
| 118 | +runs the interpreter reads each bytecode and executes it as a series of machine code instructions. Given that an |
| 119 | +interrupt can occur at any time between machine code instructions, the original line of Python code may be only |
| 120 | +partially executed. Consequently a Python object such as a set, list or dictionary modified in the main loop |
| 121 | +may lack internal consistency at the moment the interrupt occurs. |
| 122 | + |
| 123 | +A typical outcome is as follows. On rare occasions the ISR will run at the precise moment in time when the object |
| 124 | +is partially updated. When the ISR tries to read the object, a crash results. Because such problems typically occur |
| 125 | +on rare, random occasions they can be hard to diagnose. There are ways to circumvent this issue, described in |
| 126 | +:ref:`Critical Sections <Critical>` below. |
| 127 | + |
| 128 | +It is important to be clear about what constitutes the modification of an object. An alteration to a built-in type |
| 129 | +such as a dictionary is problematic. Altering the contents of an array or bytearray is not. This is because bytes |
| 130 | +or words are written as a single machine code instruction which is not interruptible: in the parlance of real time |
| 131 | +programming the write is atomic. A user defined object might instantiate an integer, array or bytearray. It is valid |
| 132 | +for both the main loop and the ISR to alter the contents of these. |
| 133 | + |
| 134 | +MicroPython supports integers of arbitrary precision. Values between 2**30 -1 and -2**30 will be stored in |
| 135 | +a single machine word. Larger values are stored as Python objects. Consequently changes to long integers cannot |
| 136 | +be considered atomic. The use of long integers in ISR's is unsafe because memory allocation may be |
| 137 | +attempted as the variable's value changes. |
| 138 | + |
| 139 | +Overcoming the float limitation |
| 140 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 141 | + |
| 142 | +In general it is best to avoid using floats in ISR code: hardware devices normally handle integers and conversion |
| 143 | +to floats is normally done in the main loop. However there are a few DSP algorithms which require floating point. |
| 144 | +On platforms with hardware floating point (such as the Pyboard) the inline ARM Thumb assembler can be used to work |
| 145 | +round this limitation. This is because the processor stores float values in a machine word; values can be shared |
| 146 | +between the ISR and main program code via an array of floats. |
| 147 | + |
| 148 | +Exceptions |
| 149 | +---------- |
| 150 | + |
| 151 | +If an ISR raises an exception it will not propagate to the main loop. The interrupt will be disabled unless the |
| 152 | +exception is handled by the ISR code. |
| 153 | + |
| 154 | +General Issues |
| 155 | +-------------- |
| 156 | + |
| 157 | +This is merely a brief introduction to the subject of real time programming. Beginners should note |
| 158 | +that design errors in real time programs can lead to faults which are particularly hard to diagnose. This is because |
| 159 | +they can occur rarely and at intervals which are essentially random. It is crucial to get the initial design right and |
| 160 | +to anticipate issues before they arise. Both interrupt handlers and the main program need to be designed |
| 161 | +with an appreciation of the following issues. |
| 162 | + |
| 163 | +.. _ISR: |
| 164 | + |
| 165 | +Interrupt Handler Design |
| 166 | +~~~~~~~~~~~~~~~~~~~~~~~~ |
| 167 | + |
| 168 | +As mentioned above, ISR's should be designed to be as simple as possible. They should always return in a short, |
| 169 | +predictable period of time. This is important because when the ISR is running, the main loop is not: inevitably |
| 170 | +the main loop experiences pauses in its execution at random points in the code. Such pauses can be a source of hard |
| 171 | +to diagnose bugs particularly if their duration is long or variable. In order to understand the implications of |
| 172 | +ISR run time, a basic grasp of interrupt priorities is required. |
| 173 | + |
| 174 | +Interrupts are organised according to a priority scheme. ISR code may itself be interrupted by a higher priority |
| 175 | +interrupt. This has implications if the two interrupts share data (see Critical Sections below). If such an interrupt |
| 176 | +occurs it interposes a delay into the ISR code. If a lower priority interrupt occurs while the ISR is running, it |
| 177 | +will be delayed until the ISR is complete: if the delay is too long, the lower priority interrupt may fail. A |
| 178 | +further issue with slow ISR's is the case where a second interrupt of the same type occurs during its execution. |
| 179 | +The second interrupt will be handled on termination of the first. However if the rate of incoming interrupts |
| 180 | +consistently exceeds the capacity of the ISR to service them the outcome will not be a happy one. |
| 181 | + |
| 182 | +Consequently looping constructs should be avoided or minimised. I/O to devices other than to the interrupting device |
| 183 | +should normally be avoided: I/O such as disk access, ``print`` statements and UART access is relatively slow, and |
| 184 | +its duration may vary. A further issue here is that filesystem functions are not reentrant: using filesystem I/O |
| 185 | +in an ISR and the main program would be hazardous. Crucially ISR code should not wait on an event. I/O is acceptable |
| 186 | +if the code can be guaranteed to return in a predictable period, for example toggling a pin or LED. Accessing the |
| 187 | +interrupting device via I2C or SPI may be necessary but the time taken for such accesses should be calculated or |
| 188 | +measured and its impact on the application assessed. |
| 189 | + |
| 190 | +There is usually a need to share data between the ISR and the main loop. This may be done either through global |
| 191 | +variables or via class or instance variables. Variables are typically integer or boolean types, or integer or byte |
| 192 | +arrays (a pre-allocated integer array offers faster access than a list). Where multiple values are modified by |
| 193 | +the ISR it is necessary to consider the case where the interrupt occurs at a time when the main program has |
| 194 | +accessed some, but not all, of the values. This can lead to inconsistencies. |
| 195 | + |
| 196 | +Consider the following design. An ISR stores incoming data in a bytearray, then adds the number of bytes |
| 197 | +received to an integer representing total bytes ready for processing. The main program reads the number of bytes, |
| 198 | +processes the bytes, then clears down the number of bytes ready. This will work until an interrupt occurs just |
| 199 | +after the main program has read the number of bytes. The ISR puts the added data into the buffer and updates |
| 200 | +the number received, but the main program has already read the number, so processes the data originally received. |
| 201 | +The newly arrived bytes are lost. |
| 202 | + |
| 203 | +There are various ways of avoiding this hazard, the simplest being to use a circular buffer. If it is not possible |
| 204 | +to use a structure with inherent thread safety other ways are described below. |
| 205 | + |
| 206 | +Reentrancy |
| 207 | +~~~~~~~~~~ |
| 208 | + |
| 209 | +A potential hazard may occur if a function or method is shared between the main program and one or more ISR's or |
| 210 | +between multiple ISR's. The issue here is that the function may itself be interrupted and a further instance of |
| 211 | +that function run. If this is to occur, the function must be designed to be reentrant. How this is done is an |
| 212 | +advanced topic beyond the scope of this tutorial. |
| 213 | + |
| 214 | +.. _Critical: |
| 215 | + |
| 216 | +Critical Sections |
| 217 | +~~~~~~~~~~~~~~~~~ |
| 218 | + |
| 219 | +An example of a critical section of code is one which accesses more than one variable which can be affected by an ISR. If |
| 220 | +the interrupt happens to occur between accesses to the individual variables, their values will be inconsistent. This is |
| 221 | +an instance of a hazard known as a race condition: the ISR and the main program loop race to alter the variables. To |
| 222 | +avoid inconsistency a means must be employed to ensure that the ISR does not alter the values for the duration of |
| 223 | +the critical section. One way to achieve this is to issue ``pyb.disable_irq()`` before the start of the section, and |
| 224 | +``pyb.enable_irq()`` at the end. Here is an example of this approach: |
| 225 | + |
| 226 | +.. code:: python |
| 227 | +
|
| 228 | + import pyb, micropython, array |
| 229 | + micropython.alloc_emergency_exception_buf(100) |
| 230 | +
|
| 231 | + class BoundsException(Exception): |
| 232 | + pass |
| 233 | +
|
| 234 | + ARRAYSIZE = const(20) |
| 235 | + index = 0 |
| 236 | + data = array.array('i', 0 for x in range(ARRAYSIZE)) |
| 237 | +
|
| 238 | + def callback1(t): |
| 239 | + global data, index |
| 240 | + for x in range(5): |
| 241 | + data[index] = pyb.rng() # simulate input |
| 242 | + index += 1 |
| 243 | + if index >= ARRAYSIZE: |
| 244 | + raise BoundsException('Array bounds exceeded') |
| 245 | +
|
| 246 | + tim4 = pyb.Timer(4, freq=100, callback=callback1) |
| 247 | +
|
| 248 | + for loop in range(1000): |
| 249 | + if index > 0: |
| 250 | + irq_state = pyb.disable_irq() # Start of critical section |
| 251 | + for x in range(index): |
| 252 | + print(data[x]) |
| 253 | + index = 0 |
| 254 | + pyb.enable_irq(irq_state) # End of critical section |
| 255 | + print('loop {}'.format(loop)) |
| 256 | + pyb.delay(1) |
| 257 | +
|
| 258 | + tim4.callback(None) |
| 259 | +
|
| 260 | +A critical section can comprise a single line of code and a single variable. Consider the following code fragment. |
| 261 | + |
| 262 | +.. code:: python |
| 263 | +
|
| 264 | + count = 0 |
| 265 | + def cb(): # An interrupt callback |
| 266 | + count +=1 |
| 267 | + def main(): |
| 268 | + # Code to set up the interrupt callback omitted |
| 269 | + while True: |
| 270 | + count += 1 |
| 271 | +
|
| 272 | +This example illustrates a subtle source of bugs. The line ``count += 1`` in the main loop carries a specific race |
| 273 | +condition hazard known as a read-modify-write. This is a classic cause of bugs in real time systems. In the main loop |
| 274 | +MicroPython reads the value of ``t.counter``, adds 1 to it, and writes it back. On rare occasions the interrupt occurs |
| 275 | +after the read and before the write. The interrupt modifies ``t.counter`` but its change is overwritten by the main |
| 276 | +loop when the ISR returns. In a real system this could lead to rare, unpredictable failures. |
| 277 | + |
| 278 | +As mentioned above, care should be taken if an instance of a Python built in type is modified in the main code and |
| 279 | +that instance is accessed in an ISR. The code performing the modification should be regarded as a critical |
| 280 | +section to ensure that the instance is in a valid state when the ISR runs. |
| 281 | + |
| 282 | +Particular care needs to be taken if a dataset is shared between different ISR's. The hazard here is that the higher |
| 283 | +priority interrupt may occur when the lower priority one has partially updated the shared data. Dealing with this |
| 284 | +situation is an advanced topic beyond the scope of this introduction other than to note that mutex objects described |
| 285 | +below can sometimes be used. |
| 286 | + |
| 287 | +Disabling interrupts for the duration of a critical section is the usual and simplest way to proceed, but it disables |
| 288 | +all interrupts rather than merely the one with the potential to cause problems. It is generally undesirable to disable |
| 289 | +an interrupt for long. In the case of timer interrupts it introduces variability to the time when a callback occurs. |
| 290 | +In the case of device interrupts, it can lead to the device being serviced too late with possible loss of data or |
| 291 | +overrun errors in the device hardware. Like ISR's, a critical section in the main code should have a short, predictable |
| 292 | +duration. |
| 293 | + |
| 294 | +An approach to dealing with critical sections which radically reduces the time for which interrupts are disabled is to |
| 295 | +use an object termed a mutex (name derived from the notion of mutual exclusion). The main program locks the mutex |
| 296 | +before running the critical section and unlocks it at the end. The ISR tests whether the mutex is locked. If it is, |
| 297 | +it avoids the critical section and returns. The design challenge is defining what the ISR should do in the event |
| 298 | +that access to the critical variables is denied. A simple example of a mutex may be found |
| 299 | +`here <https://github.com/peterhinch/micropython-samples.git>`_. Note that the mutex code does disable interrupts, |
| 300 | +but only for the duration of eight machine instructions: the benefit of this approach is that other interrupts are |
| 301 | +virtually unaffected. |
| 302 | + |
0 commit comments