Bug (possible data loss) in STM32F4xx_EEPROM_Emulation (AN3969)

Posted on June 18, 2014 at 17:57

Regarding stsw-stm32066.zip downloaded from the ST website.

In the file /STM32F4xx_AN3969_V1.0.0/Project/STM32F4xx_EEPROM_Emulation/src/eeprom.c, lines 138 and 229, there is a possibility that the system remains in an invalid state if power loss occurs right after the execution of these lines.

On the next power up, when EE_Init() is called the next time, this invalid state will be treated by "formatting" both flash sectors involved, thereby deleting all contained data. This is of course not desirable.

The fix seems easy enough in this case: at both of the mentioned lines, the order should be swapped to 1) erase the old page, 2) mark the new page as VALID_PAGE.

#eeprom-emulation #an3969 #eeprom-flash-emulation
2 REPLIES
Posted on July 09, 2014 at 11:56

Hi wiredancer,

Thank you for bringing this limitation to our attention. We've noted this as a rarely encountered bug, and it is very difficult for it to occur.

We’ll pass along your suggestion to our STM32CubeF4 team. Keep an eye out for the next update!

With regards.

Posted on July 27, 2015 at 16:07

I have another issue with this library:

According to the reference manual for the STM32F407, paragraph 3.6, "The contents of the Flash memory are not guaranteed if a device reset occurs during a Flash memory operation."

We specifically observed that after losing power during a call to FLASH_EraseSector(), a page can be filled with 0 values from the beginning, which seems to be an intermediate state before all bytes read 0xff after completion of the erasure.

It is not improbable that this happens, as FLASH_EraseSector() is called at every single startup in EE_Init(), and erasing one flash sector can take a long time, like tens of milliseconds. Depending on how often the device is switched on, and on the chatter of the power switch, the probability of an interruption can be quite high.

The problem is that 0x0000 is also the marker for VALID_PAGE. So when power is lost during an erase, it can happen that BOTH of the pages are detected as VALID_PAGE at the next start, which is an invalid state.

I see two possible amendments:

a) use a different value than 0x0000 for VALID_PAGE

b) minimize the calls to FLASH_EraseSector(): only call it right before transferring data in EE_PageTransfer(). This would greatly reduce the risk of a power loss during that call.

Best regards.

P. S.: I am not sure whether or when the ST code will ever be updated, but in any case, it would be nice to get some sort of notification when it does.
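As an added example (not code from the ST package or from the posts above), a small host-side C model of the two page-status headers and of the power-up decision, covering both the step-order problem from the first post and the interrupted-erase ambiguity from the second. The marker values follow AN3969 (ERASED 0xFFFF, RECEIVE_DATA 0xEEEE, VALID_PAGE 0x0000); the function names, the alternative marker 0xAAAA and the "one VALID page wins" policy are this example's assumptions.

```c
/* Added example, not code from the AN3969 package: a host-side model of the
 * two page-status halfwords and of the power-up decision, reproducing the two
 * failure states described in this thread. Marker values are AN3969's; the
 * functions, the alternative marker 0xAAAA and the decision policy are assumed. */
#include <stdint.h>

#define ERASED            0xFFFFu
#define RECEIVE_DATA      0xEEEEu
#define VALID_PAGE        0x0000u   /* AN3969 value; equals a half-erased cell */
#define VALID_ALT         0xAAAAu   /* candidate marker for amendment (a) */
#define ERASE_INTERRUPTED 0x0000u   /* intermediate read reported in the thread */

enum action { KEEP_VALID, RECOVER_RECEIVE, FORMAT_BOTH };

/* Flash programming only clears bits, so a marker written over a RECEIVE_DATA
 * header without an erase must be a bit-subset of 0xEEEE (0x0000 trivially is). */
uint16_t program(uint16_t cell, uint16_t value) { return cell & value; }
int marker_programmable(uint16_t valid) { return program(RECEIVE_DATA, valid) == valid; }

/* Power-up decision on the two headers for a given VALID marker. Two VALID
 * headers is the state EE_Init resolves by formatting both pages; one VALID
 * header keeps that page and erases the other (policy assumed for an unknown
 * partner); a lone RECEIVE_DATA page is promoted; anything else is formatted. */
enum action ee_init_decide(uint16_t h0, uint16_t h1, uint16_t valid)
{
    int v0 = (h0 == valid), v1 = (h1 == valid);
    if (v0 && v1) return FORMAT_BOTH;                        /* data loss */
    if (v0 || v1) return KEEP_VALID;
    if (h0 == RECEIVE_DATA || h1 == RECEIVE_DATA) return RECOVER_RECEIVE;
    return FORMAT_BOTH;                                      /* first boot or unknown */
}

/* End of EE_PageTransfer with power lost between its last two steps.
 * swap_order = 0: mark new page VALID, then erase old (eeprom.c as shipped);
 * swap_order = 1: erase old page, then mark new VALID (fix from the first post). */
enum action transfer_cut_between_steps(int swap_order)
{
    uint16_t old_hdr = VALID_PAGE, new_hdr = RECEIVE_DATA;
    if (swap_order) old_hdr = ERASED;                        /* erased; marking lost */
    else            new_hdr = program(new_hdr, VALID_PAGE);  /* marked; erase lost */
    return ee_init_decide(old_hdr, new_hdr, VALID_PAGE);
}

/* Second post: the spare page is re-erased by EE_Init while the other page is
 * VALID; power is lost mid-erase, so the spare header reads 0x0000 next boot. */
enum action spare_erase_interrupted(uint16_t valid)
{
    return ee_init_decide(valid, ERASE_INTERRUPTED, valid);
}
```

With the shipped marker the interrupted erase is indistinguishable from a second VALID page and both pages are formatted; with a non-zero marker that is still a bit-subset of 0xEEEE, the half-erased page is simply unknown and the valid page survives.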